Re: TCP/IP with 7.4 beta2 broken? - Mailing list pgsql-hackers
From | Andreas Pflug |
---|---|
Subject | Re: TCP/IP with 7.4 beta2 broken? |
Date | |
Msg-id | 3F5481BD.8010301@pse-consulting.de |
In response to | Re: TCP/IP with 7.4 beta2 broken? (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |
Tom Lane wrote: >Andreas Pflug <pgadmin@pse-consulting.de> writes: > > >>How about silently creating a IPV6 style host internally for every IPV4 >>pg_hba.conf entry? It won't make any sense to handle a real IPV4 address >>different from an IPV4 address converted to IPV6 address space. >> >> > >Hmm. I could go for that, if it weren't that there seem to be several >different conventions for embedding IPv4 in IPv6. Should we auto-create >pg_hba.conf entries for all of the possibly equivalent addresses? > AFAICS RFC2253 states that an IPV4 node connecting should get the Address ::ffff:<IPV4addr>, so this should be sufficient. >What if that creates conflicts? > If there's a conflict, it isn't created by this automatic entry, but revealed because it was already there. host 192.168.0.0/24 host ::ffff:102.168.0.0/125 This is already a conflict, not getting better or worse if we add host ::ffff:102.168.0.0/120 as IPV6 duplicate for the first line. I created a patch to hba.c which uses IPV4 entries as IPV6 entries if running on a IPV6 system (which is detected from a port coming in as AF_INET6) Regards, Andreas ? hba.conf.diff Index: hba.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v retrieving revision 1.111 diff -c -r1.111 hba.c *** hba.c 4 Aug 2003 02:39:59 -0000 1.111 --- hba.c 2 Sep 2003 11:07:10 -0000 *************** *** 673,708 **** if (cidr_slash) *cidr_slash = '/'; ! if (file_ip_addr->ai_family != port->raddr.addr.ss_family) { ! /* Wrong address family. */ freeaddrinfo_all(hints.ai_family, file_ip_addr); - return; - } ! /* Get the netmask */ ! if (cidr_slash) { ! if (SockAddr_cidr_mask(&mask, cidr_slash + 1, ! file_ip_addr->ai_family) < 0) ! goto hba_syntax; } else { ! /* Read the mask field. */ ! line = lnext(line); ! if (!line) ! goto hba_syntax; ! token = lfirst(line); ! ! ret = getaddrinfo_all(token, NULL, &hints, &file_ip_mask); ! if (ret || !file_ip_mask) ! 
goto hba_syntax; ! ! mask = (struct sockaddr_storage *) file_ip_mask->ai_addr; ! ! if (file_ip_addr->ai_family != mask->ss_family) ! goto hba_syntax; } /* Read the rest of the line. */ --- 673,761 ---- if (cidr_slash) *cidr_slash = '/'; ! if (file_ip_addr->ai_family == AF_INET && port->raddr.addr.ss_family == AF_INET6) { ! /* port got a IPV6 address, but the current line is IPV4. ! * We'll make a IPV6 entry from this line, to check if by chance the connecting port ! * is a converted IPV4 address. */ ! ! char *v6addr=palloc(strlen(token)+8); ! char *v6mask; ! freeaddrinfo_all(hints.ai_family, file_ip_addr); ! if (cidr_slash) ! *cidr_slash = 0; ! sprintf(v6addr, "::ffff:%s", token); ! if (cidr_slash) ! *cidr_slash = '/'; ! ! ret = getaddrinfo_all(v6addr, NULL, &hints, &file_ip_addr); ! if (ret || !file_ip_addr) ! { ! ereport(LOG, ! (errcode(ERRCODE_CONFIG_FILE_ERROR), ! errmsg("could not interpret converted IP address \"%s\" in config file: %s", ! token, gai_strerror(ret)))); ! } ! if (cidr_slash) ! { ! v6mask = palloc(20); ! sprintf(v6mask, "%d", atoi(cidr_slash+1)+96); ! if (SockAddr_cidr_mask(&mask, v6mask, file_ip_addr->ai_family) < 0) ! goto hba_syntax; ! } ! else ! { ! line = lnext(line); ! if (!line) ! goto hba_syntax; ! token = lfirst(line); ! v6mask = palloc(strlen(token)+32); ! sprintf(v6mask, "ffff:ffff:ffff:ffff:ffff:ffff:%s", token); ! ! ret = getaddrinfo_all(v6mask, NULL, &hints, &file_ip_mask); ! if (ret || !file_ip_mask) ! goto hba_syntax; ! ! mask = (struct sockaddr_storage *) file_ip_mask->ai_addr; ! ! if (file_ip_addr->ai_family != mask->ss_family) ! goto hba_syntax; ! } ! } ! else if (file_ip_addr->ai_family != port->raddr.addr.ss_family) { ! /* Wrong address family. */ ! freeaddrinfo_all(hints.ai_family, file_ip_addr); ! return; } else { ! /* Get the netmask */ ! if (cidr_slash) ! { ! if (SockAddr_cidr_mask(&mask, cidr_slash + 1, ! file_ip_addr->ai_family) < 0) ! goto hba_syntax; ! } ! else ! { ! /* Read the mask field. */ ! line = lnext(line); ! 
if (!line) ! goto hba_syntax; ! token = lfirst(line); ! ! ret = getaddrinfo_all(token, NULL, &hints, &file_ip_mask); ! if (ret || !file_ip_mask) ! goto hba_syntax; ! ! mask = (struct sockaddr_storage *) file_ip_mask->ai_addr; ! ! if (file_ip_addr->ai_family != mask->ss_family) ! goto hba_syntax; ! } } /* Read the rest of the line. */
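Review bot: In the new AF_INET-on-AF_INET6 branch, a failed `getaddrinfo_all(v6addr, NULL, &hints, &file_ip_addr)` is only logged, and execution then reaches `file_ip_addr->ai_family`, dereferencing a pointer that may be NULL; the `ereport(LOG, ...)` block should end with `goto hba_syntax;` so a line that cannot be converted is rejected rather than evaluated. The prefix length is computed as `atoi(cidr_slash+1)+96`, and `atoi` returns 0 for non-numeric text, so a malformed IPv4 prefix becomes `/96`, which would cover the whole IPv4-mapped range if `SockAddr_cidr_mask` accepts it. Parsing with `strtol`, requiring a value in 0..32 with no trailing characters, would keep this path as strict as the plain IPv4 path. Because this code decides which pg_hba.conf line authorizes a connection, both cases should fail closed. The enclosing function starts and ends outside the hunk, so the `hba_syntax` label and the release of `v6addr`/`v6mask` (not freed in the visible lines) could not be checked.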