allow any ip4 or ip6 loopback address to match in default pg_hba.conf - Mailing list pgsql-patches

From Andrew Dunstan
Subject allow any ip4 or ip6 loopback address to match in default pg_hba.conf
Date
Msg-id 3F564AD5.3040507@dunslane.net
List pgsql-patches
Here's a patch implementing what was discussed on Hackers: it allows a
default setting in pg_hba.conf for loopback addresses, and should cause
no problems regardless of what style of IPv6 is or isn't configured.

If it's wanted I'll document it, if not I won't :-)

BTW, I notice that the sample doesn't seem to contain anything about
hostnossl lines.

cheers

andrew


Index: src/backend/libpq/hba.c
===================================================================
RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v
retrieving revision 1.111
diff -c -w -r1.111 hba.c
*** src/backend/libpq/hba.c    4 Aug 2003 02:39:59 -0000    1.111
--- src/backend/libpq/hba.c    3 Sep 2003 20:01:03 -0000
***************
*** 595,600 ****
--- 595,628 ----
          if (!IS_AF_UNIX(port->raddr.addr.ss_family))
              return;
      }
+     else if (strcmp(token, "loopback") == 0)
+     {
+         /* Get the database. */
+         line = lnext(line);
+         if (!line)
+             goto hba_syntax;
+         db = lfirst(line);
+
+         /* Get the user. */
+         line = lnext(line);
+         if (!line)
+             goto hba_syntax;
+         user = lfirst(line);
+
+         line = lnext(line);
+         if (!line)
+             goto hba_syntax;
+
+         /* Read the rest of the line. */
+         parse_hba_auth(line, &port->auth_method, &port->auth_arg, error_p);
+         if (*error_p)
+             goto hba_syntax;
+
+         /* Check if we match any loopback addr for IP4, IP4 over IP6, or IP6 */
+         if (!is_loopback_addr(&port->raddr.addr))
+             return;
+
+     }
      else if (strcmp(token, "host") == 0
               || strcmp(token, "hostssl") == 0
               || strcmp(token, "hostnossl") == 0)
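Review bot: A `loopback` record has no way to distinguish SSL from non-SSL connections the way the `host`/`hostssl`/`hostnossl` branch right below it does, so a `loopback … trust` line accepts both kinds silently; the branch should either accept an SSL qualifier or state the behaviour in a comment above its `strcmp`, e.g. `/* "loopback" matches 127.0.0.1, ::1 and ::ffff:127.0.0.1 (the IPv6 forms only with HAVE_IPV6), with or without SSL */`. The database/user/auth parsing in the new branch looks like a copy of what the preceding `local` branch does (that branch starts above the hunk), so a small shared helper would keep the two from drifting apart. The enclosing function starts and ends outside the hunk.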
Index: src/backend/libpq/ip.c
===================================================================
RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/ip.c,v
retrieving revision 1.19
diff -c -w -r1.19 ip.c
*** src/backend/libpq/ip.c    4 Aug 2003 02:39:59 -0000    1.19
--- src/backend/libpq/ip.c    3 Sep 2003 20:01:04 -0000
***************
*** 389,391 ****
--- 389,438 ----
  }

  #endif
+
+ bool
+ is_loopback_addr(const struct sockaddr_storage * addr)
+ {
+     /* 127.0.0.1  in network order */
+     long ip4addr = htonl(0x7f000001L);
+
+ #ifdef HAVE_IPV6
+
+     /* 16 octets in network order (most significant on left) */
+
+     /* ::ffff:127.0.0.1 */
+     char * ip4ip6addr = "\0\0\0\0\0\0\0\0\0\0\xff\xff\x7f\0\0\x01";
+
+     /* ::1 */
+     char * ip6addr = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01";
+
+ #endif
+
+     if (addr->ss_family == AF_INET)
+     {
+         if (ip4addr == ((struct sockaddr_in *)addr)->sin_addr.s_addr)
+             return true;
+     }
+
+ #ifdef HAVE_IPV6
+
+     else if (addr->ss_family == AF_INET6)
+     {
+         if ( memcmp(ip4ip6addr,
+                     ((struct sockaddr_in6 *)addr)->sin6_addr.s6_addr,
+                     16) == 0
+              ||
+              memcmp(ip6addr,
+                     ((struct sockaddr_in6 *)addr)->sin6_addr.s6_addr,
+                     16) == 0
+             )
+         {
+             return true;
+         }
+     }
+
+ #endif
+
+     return false;
+ }
+
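Review bot: The casts `(struct sockaddr_in *)addr` and `(struct sockaddr_in6 *)addr` discard the `const` that the parameter declares, and `long ip4addr` is not the type of `sin_addr.s_addr` (`in_addr_t` on POSIX), so the `==` on the AF_INET path relies on implicit sign/width conversion; cast to `const struct sockaddr_in *` / `const struct sockaddr_in6 *` and give the constant the field's type. The two 16-octet patterns are mutable `char *` pointers to string literals that the reader has to count escape by escape, whereas `static const unsigned char name[16] = { … }` arrays make the length the `memcmp` depends on explicit. Separately, only 127.0.0.1 is recognised although the subject says "any" loopback address; 127.0.0.0/8 is the loopback network, so either the comment `/* 127.0.0.1  in network order */` should make clear that other 127.x.y.z addresses are rejected or the IPv4 branch should test the first octet instead. The fence shows the declarations and comparisons rewritten; the rest of the function is unchanged.
```c
bool
is_loopback_addr(const struct sockaddr_storage * addr)
{
    /* 127.0.0.1 in network order; same type as sin_addr.s_addr */
    const in_addr_t ip4addr = htonl(0x7f000001UL);

#ifdef HAVE_IPV6
    /* 16 octets each, most significant first: ::ffff:127.0.0.1 and ::1 */
    static const unsigned char ip4ip6addr[16] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0x7f, 0, 0, 0x01 };
    static const unsigned char ip6addr[16] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 };
#endif

    if (addr->ss_family == AF_INET)
    {
        const struct sockaddr_in *sin = (const struct sockaddr_in *) addr;

        if (sin->sin_addr.s_addr == ip4addr)
            return true;
    }
#ifdef HAVE_IPV6
    else if (addr->ss_family == AF_INET6)
    {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *) addr;

        if (memcmp(sin6->sin6_addr.s6_addr, ip4ip6addr, sizeof ip4ip6addr) == 0
            || memcmp(sin6->sin6_addr.s6_addr, ip6addr, sizeof ip6addr) == 0)
            return true;
    }
#endif
    /* … unchanged: return false … */
```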
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.44
diff -c -w -r1.44 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample    1 Aug 2003 23:40:10 -0000    1.44
--- src/backend/libpq/pg_hba.conf.sample    3 Sep 2003 20:01:04 -0000
***************
*** 7,15 ****
  #
  # This file controls: which hosts are allowed to connect, how clients
  # are authenticated, which PostgreSQL user names they can use, which
! # databases they can access.  Records take one of five forms:
  #
  # local    DATABASE  USER  METHOD  [OPTION]
  # host     DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
  # hostssl  DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
  # host     DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
--- 7,16 ----
  #
  # This file controls: which hosts are allowed to connect, how clients
  # are authenticated, which PostgreSQL user names they can use, which
! # databases they can access.  Records take one of six forms:
  #
  # local    DATABASE  USER  METHOD  [OPTION]
+ # loopback DATABASE  USER  METHOD  [OPTION]
  # host     DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
  # hostssl  DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
  # host     DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
***************
*** 51,58 ****
  # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD

  local   all         all                                             trust
! host    all         all         127.0.0.1         255.255.255.255   trust

- # uncomment these to support IPv6 localhost connections
- # host  all         all         ::1               ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff        trust
- # host  all         all         ::ffff:127.0.0.1/128                trust
--- 52,56 ----
  # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD

  local   all         all                                             trust
! loopback all        all                                             trust

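Review bot: Replacing the explicit `host all all 127.0.0.1 255.255.255.255 trust` line with `loopback all all trust` also trusts `::1` and `::ffff:127.0.0.1` out of the box, where the previous sample left the IPv6 localhost lines commented out for the administrator to enable deliberately; the sample should say so next to the new line, e.g. `# "loopback" matches 127.0.0.1, ::1 and ::ffff:127.0.0.1 (the IPv6 forms only when built with IPv6)`. The earlier hunk of this file (the record-forms list) adds the new form but still gives no `hostnossl` example, as the cover note itself points out. The eight-character `loopback` keyword also shifts the DATABASE and USER columns one position right of the `# TYPE DATABASE USER` header, so the column widths on the new line should be adjusted.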
Index: src/include/libpq/ip.h
===================================================================
RCS file: /projects/cvsroot/pgsql-server/src/include/libpq/ip.h,v
retrieving revision 1.10
diff -c -w -r1.10 ip.h
*** src/include/libpq/ip.h    4 Aug 2003 00:43:31 -0000    1.10
--- src/include/libpq/ip.h    3 Sep 2003 20:01:06 -0000
***************
*** 33,38 ****
--- 33,40 ----
  extern int SockAddr_cidr_mask(struct sockaddr_storage ** mask,
                     char *numbits, int family);

+ extern bool is_loopback_addr(const struct sockaddr_storage * addr);
+
  #ifdef    HAVE_UNIX_SOCKETS
  #define IS_AF_UNIX(fam) ((fam) == AF_UNIX)
  #else
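Review bot: The new prototype returns `bool` while the neighbouring `SockAddr_cidr_mask` declaration in this hunk uses `int`; whether `bool` is already in scope for every translation unit that includes ip.h cannot be seen from here, so that is worth confirming before relying on it. A one-line comment above the prototype would spare readers a trip to ip.c, e.g. `/* true for 127.0.0.1, ::1 or ::ffff:127.0.0.1 (IPv6 forms only with HAVE_IPV6) */`.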
