From a271c9260fa4a12007083a4343cf27ac1309ef0d Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 17 Feb 2015 12:49:18 -0500 Subject: Remove code to match IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses. In investigating yesterday's crash report from Hugo Osvaldo Barrera, I only looked back as far as commit f3aec2c7f51904e7 where the breakage occurred (which is why I thought the IPv4-in-IPv6 business was undocumented). But actually the logic dates back to commit 3c9bb8886df7d56a and was simply broken by erroneous refactoring in the later commit. A bit of archives excavation shows that we added the whole business in response to a report that some 2003-era Linux kernels would report IPv4 connections as having IPv4-in-IPv6 addresses. The fact that we've had no complaints since 9.0 seems to be sufficient confirmation that no modern kernels do that, so let's just rip it all out rather than trying to fix it. Do this in the back branches too, thus essentially deciding that our effective behavior since 9.0 is correct. If there are any platforms on which the kernel reports IPv4-in-IPv6 addresses as such, yesterday's fix would have made for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases. So let's let the post-9.0 behavior stand, and change the documentation to match it. In passing, I failed to resist the temptation to wordsmith the description of pg_hba.conf IPv4 and IPv6 address entries a bit. A lot of this text hasn't been touched since we were IPv4-only. --- doc/src/sgml/client-auth.sgml | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 7704f73d962..d27dd491458 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -229,14 +229,15 @@ hostnossl database user address - Specifies the client machine addresses that this record + Specifies the client machine address(es) that this record matches. This field can contain either a host name, an IP address range, or one of the special key words mentioned below. - An IP address is specified in standard dotted decimal - notation with a CIDR mask length. The mask + An IP address range is specified using standard numeric notation + for the range's starting address, then a slash (/) + and a CIDR mask length. The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this should be zero in the given IP address. @@ -245,25 +246,27 @@ hostnossl database user - Typical examples of an IP address range specified this way are + Typical examples of an IPv4 address range specified this way are 172.20.143.89/32 for a single host, or 172.20.143.0/24 for a small network, or 10.6.0.0/16 for a larger one. + An IPv6 address range might look like ::1/128 + for a single host (in this case the IPv6 loopback address) or + fe80::7a31:c1ff:0000:0000/96 for a small + network. 0.0.0.0/0 represents all - IPv4 addresses, and ::/0 represents + IPv4 addresses, and ::0/0 represents all IPv6 addresses. - To specify a single host, use a CIDR mask of 32 for IPv4 or + To specify a single host, use a mask length of 32 for IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes. - An IP address given in IPv4 format will match IPv6 connections that - have the corresponding address, for example 127.0.0.1 - will match the IPv6 address ::ffff:127.0.0.1. An entry - given in IPv6 format will match only IPv6 connections, even if the - represented address is in the IPv4-in-IPv6 range. Note that entries - in IPv6 format will be rejected if the system's C library does not have - support for IPv6 addresses. + An entry given in IPv4 format will match only IPv4 connections, + and an entry given in IPv6 format will match only IPv6 connections, + even if the represented address is in the IPv4-in-IPv6 range. + Note that entries in IPv6 format will be rejected if the system's + C library does not have support for IPv6 addresses. @@ -275,7 +278,7 @@ hostnossl database user If a host name is specified (anything that is not an IP address - or a special key word is treated as a host name), + range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client's IP address (e.g., reverse DNS lookup, if DNS is used). Host name comparisons are case @@ -354,8 +357,9 @@ hostnossl database user IP-mask - These fields can be used as an alternative to the - CIDR-address notation. Instead of + These two fields can be used as an alternative to the + IP-address/mask-length + notation. Instead of specifying the mask length, the actual mask is specified in a separate column. For example, 255.0.0.0 represents an IPv4 CIDR mask length of 8, and 255.255.255.255 represents a -- cgit v1.2.3