allow any ip4 or ip6 loopback address to match in default pg_hba.conf - Mailing list pgsql-patches
From | Andrew Dunstan |
---|---|
Subject | allow any ip4 or ip6 loopback address to match in default pg_hba.conf |
Date | |
Msg-id | 3F564AD5.3040507@dunslane.net Whole thread Raw |
List | pgsql-patches |
Here's a patch that does what has been discussed on Hackers to allow a default setting in pg_hba.conf for loopback addresses, and should cause no problems no matter what style of ipv6 is or isn't configured. If it's wanted I'll document it, if not I won't :-) BTW, I notice that the sample doesn't seem to contain anything about hostnossl lines. cheers andrew Index: src/backend/libpq/hba.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v retrieving revision 1.111 diff -c -w -r1.111 hba.c *** src/backend/libpq/hba.c 4 Aug 2003 02:39:59 -0000 1.111 --- src/backend/libpq/hba.c 3 Sep 2003 20:01:03 -0000 *************** *** 595,600 **** --- 595,628 ---- if (!IS_AF_UNIX(port->raddr.addr.ss_family)) return; } + else if (strcmp(token, "loopback") == 0) + { + /* Get the database. */ + line = lnext(line); + if (!line) + goto hba_syntax; + db = lfirst(line); + + /* Get the user. */ + line = lnext(line); + if (!line) + goto hba_syntax; + user = lfirst(line); + + line = lnext(line); + if (!line) + goto hba_syntax; + + /* Read the rest of the line. 
*/ + parse_hba_auth(line, &port->auth_method, &port->auth_arg, error_p); + if (*error_p) + goto hba_syntax; + + /* Check if we match any loopback addr for IP4, IP4 over IP6, or IP6 */ + if (!is_loopback_addr(&port->raddr.addr)) + return; + + } else if (strcmp(token, "host") == 0 || strcmp(token, "hostssl") == 0 || strcmp(token, "hostnossl") == 0) Index: src/backend/libpq/ip.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/ip.c,v retrieving revision 1.19 diff -c -w -r1.19 ip.c *** src/backend/libpq/ip.c 4 Aug 2003 02:39:59 -0000 1.19 --- src/backend/libpq/ip.c 3 Sep 2003 20:01:04 -0000 *************** *** 389,391 **** --- 389,438 ---- } #endif + + bool + is_loopback_addr(const struct sockaddr_storage * addr) + { + /* 127.0.0.1 in network order */ + long ip4addr = htonl(0x7f000001L); + + #ifdef HAVE_IPV6 + + /* 16 octets in network order (most significant on left) */ + + /* ::ffff:127.0.0.1 */ + char * ip4ip6addr = "\0\0\0\0\0\0\0\0\0\0\xff\xff\x7f\0\0\x01"; + + /* ::1 */ + char * ip6addr = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01"; + + #endif + + if (addr->ss_family == AF_INET) + { + if (ip4addr == ((struct sockaddr_in *)addr)->sin_addr.s_addr) + return true; + } + + #ifdef HAVE_IPV6 + + else if (addr->ss_family == AF_INET6) + { + if ( memcmp(ip4ip6addr, + ((struct sockaddr_in6 *)addr)->sin6_addr.s6_addr, + 16) == 0 + || + memcmp(ip6addr, + ((struct sockaddr_in6 *)addr)->sin6_addr.s6_addr, + 16) == 0 + ) + { + return true; + } + } + + #endif + + return false; + } + Index: src/backend/libpq/pg_hba.conf.sample =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v retrieving revision 1.44 diff -c -w -r1.44 pg_hba.conf.sample *** src/backend/libpq/pg_hba.conf.sample 1 Aug 2003 23:40:10 -0000 1.44 --- src/backend/libpq/pg_hba.conf.sample 3 Sep 2003 20:01:04 -0000 *************** *** 7,15 **** # # This 
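Review bot: The new `loopback` record matches without regard to whether the connection is SSL-wrapped, so unlike the `hostssl`/`hostnossl` records it admits both encrypted and plain-text loopback connections; if that is the intent, say so where `is_loopback_addr` is called, e.g. `/* Like "local", a loopback record matches regardless of SSL state. */`. It also follows that a Unix-socket connection never matches a `loopback` line, since `is_loopback_addr` returns false for anything other than AF_INET/AF_INET6, which is worth a one-line comment for readers who treat loopback and local as synonyms. The DATABASE/USER/METHOD token parsing added here presumably repeats what the `local` branch just above the hunk does; a small shared helper would keep the two in step. The enclosing function starts before the hunk and continues after it.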
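Review bot: In `is_loopback_addr`, `ip4addr` is declared `long` but compared against `sin_addr.s_addr`, whose type is `in_addr_t` (32-bit unsigned); giving it the same type, `in_addr_t ip4addr = htonl(0x7f000001L);`, avoids a comparison whose width and signedness vary by platform. The two IPv6 patterns are string literals reached through non-const `char *`; `static const unsigned char ip6addr[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };` (and likewise for the mapped form) makes the byte table explicit and immutable, and `sizeof` can then replace the literal `16`. Since only 127.0.0.1, ::ffff:127.0.0.1 and ::1 are recognized rather than the whole 127.0.0.0/8 range a reader may expect from the name, the function needs a header comment stating that, e.g. `/* True only for the exact addresses 127.0.0.1, ::ffff:127.0.0.1 and ::1; the rest of 127/8 is not treated as loopback. */`.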
file controls: which hosts are allowed to connect, how clients # are authenticated, which PostgreSQL user names they can use, which ! # databases they can access. Records take one of five forms: # # local DATABASE USER METHOD [OPTION] # host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # host DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION] --- 7,16 ---- # # This file controls: which hosts are allowed to connect, how clients # are authenticated, which PostgreSQL user names they can use, which ! # databases they can access. Records take one of six forms: # # local DATABASE USER METHOD [OPTION] + # loopback DATABASE USER METHOD [OPTION] # host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # host DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION] *************** *** 51,58 **** # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD local all all trust ! host all all 127.0.0.1 255.255.255.255 trust - # uncomment these to support IPv6 localhost connections - # host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust - # host all all ::ffff:127.0.0.1/128 trust --- 52,56 ---- # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD local all all trust ! loopback all all trust Index: src/include/libpq/ip.h =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/include/libpq/ip.h,v retrieving revision 1.10 diff -c -w -r1.10 ip.h *** src/include/libpq/ip.h 4 Aug 2003 00:43:31 -0000 1.10 --- src/include/libpq/ip.h 3 Sep 2003 20:01:06 -0000 *************** *** 33,38 **** --- 33,40 ---- extern int SockAddr_cidr_mask(struct sockaddr_storage ** mask, char *numbits, int family); + extern bool is_loopback_addr(const struct sockaddr_storage * addr); + #ifdef HAVE_UNIX_SOCKETS #define IS_AF_UNIX(fam) ((fam) == AF_UNIX) #else