NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitd068609

committed

Remove code to match IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses.

In investigating yesterday's crash report from Hugo Osvaldo Barrera, I onlylooked back as far as commitf3aec2c where the breakage occurred(which is why I thought the IPv4-in-IPv6 business was undocumented). Butactually the logic dates back to commit3c9bb88 and was simplybroken by erroneous refactoring in the later commit. A bit of archivesexcavation shows that we added the whole business in response to a reportthat some 2003-era Linux kernels would report IPv4 connections as havingIPv4-in-IPv6 addresses. The fact that we've had no complaints since 9.0seems to be sufficient confirmation that no modern kernels do that, solet's just rip it all out rather than trying to fix it.Do this in the back branches too, thus essentially deciding that oureffective behavior since 9.0 is correct. If there are any platforms onwhich the kernel reports IPv4-in-IPv6 addresses as such, yesterday's fixwould have made for a subtle and potentially security-sensitive change inthe effective meaning of IPv4 pg_hba.conf entries, which does not seem likea good thing to do in minor releases. So let's let the post-9.0 behaviorstand, and change the documentation to match it.In passing, I failed to resist the temptation to wordsmith the descriptionof pg_hba.conf IPv4 and IPv6 address entries a bit. A lot of this texthasn't been touched since we were IPv4-only.

1 parent319406c commitd068609Copy full SHA for d068609

File tree

4 files changed

+26

-130

lines changed

doc/src/sgml
- client-auth.sgml
src
- backend/libpq
  - hba.c
  - ip.c
- include/libpq
  - ip.h

4 files changed

+26

-130

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 20 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -229,14 +229,15 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`229`	`229`	`<term><replaceable>address</replaceable></term>`
`230`	`230`	`<listitem>`
`231`	`231`	`<para>`
`232`		`- Specifies the client machineaddresses that this record`
	`232`	`+ Specifies the client machineaddress(es) that this record`
`233`	`233`	`matches. This field can contain either a host name, an IP`
`234`	`234`	`address range, or one of the special key words mentioned below.`
`235`	`235`	`</para>`
`236`	`236`
`237`	`237`	`<para>`
`238`		`- An IP address is specified in standard dotted decimal`
`239`		`- notation with a <acronym>CIDR</> mask length. The mask`
	`238`	`+ An IP address range is specified using standard numeric notation`
	`239`	`+ for the range's starting address, then a slash (<literal>/</literal>)`
	`240`	`+ and a <acronym>CIDR</> mask length. The mask`
`240`	`241`	`length indicates the number of high-order bits of the client`
`241`	`242`	`IP address that must match. Bits to the right of this should`
`242`	`243`	`be zero in the given IP address.`
`@@ -245,25 +246,27 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`245`	`246`	`</para>`
`246`	`247`
`247`	`248`	`<para>`
`248`		`- Typical examples of anIP address range specified this way are`
	`249`	`+ Typical examples of anIPv4 address range specified this way are`
`249`	`250`	`<literal>172.20.143.89/32</literal> for a single host, or`
`250`	`251`	`<literal>172.20.143.0/24</literal> for a small network, or`
`251`	`252`	`<literal>10.6.0.0/16</literal> for a larger one.`
	`253`	`+ An IPv6 address range might look like <literal>::1/128</literal>`
	`254`	`+ for a single host (in this case the IPv6 loopback address) or`
	`255`	`+ <literal>fe80::7a31:c1ff:0000:0000/96</literal> for a small`
	`256`	`+ network.`
`252`	`257`	`<literal>0.0.0.0/0</literal> represents all`
`253`		`- IPv4 addresses, and <literal>::/0</literal> represents`
	`258`	`+ IPv4 addresses, and <literal>::0/0</literal> represents`
`254`	`259`	`all IPv6 addresses.`
`255`		`- To specify a single host, use aCIDRmask of 32 for IPv4 or`
	`260`	`+ To specify a single host, use a mask length of 32 for IPv4 or`
`256`	`261`	`128 for IPv6. In a network address, do not omit trailing zeroes.`
`257`	`262`	`</para>`
`258`	`263`
`259`	`264`	`<para>`
`260`		`- An IP address given in IPv4 format will match IPv6 connections that`
`261`		`- have the corresponding address, for example <literal>127.0.0.1</>`
`262`		`- will match the IPv6 address <literal>::ffff:127.0.0.1</>. An entry`
`263`		`- given in IPv6 format will match only IPv6 connections, even if the`
`264`		`- represented address is in the IPv4-in-IPv6 range. Note that entries`
`265`		`- in IPv6 format will be rejected if the system's C library does not have`
`266`		`- support for IPv6 addresses.`
	`265`	`+ An entry given in IPv4 format will match only IPv4 connections,`
	`266`	`+ and an entry given in IPv6 format will match only IPv6 connections,`
	`267`	`+ even if the represented address is in the IPv4-in-IPv6 range.`
	`268`	`+ Note that entries in IPv6 format will be rejected if the system's`
	`269`	`+ C library does not have support for IPv6 addresses.`
`267`	`270`	`</para>`
`268`	`271`
`269`	`272`	`<para>`
`@@ -275,7 +278,7 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`275`	`278`
`276`	`279`	`<para>`
`277`	`280`	`If a host name is specified (anything that is not an IP address`
`278`		`- or a special key word isprocessed as a potential host name),`
	`281`	`+rangeor a special key word istreated as a host name),`
`279`	`282`	`that name is compared with the result of a reverse name`
`280`	`283`	`resolution of the client's IP address (e.g., reverse DNS`
`281`	`284`	`lookup, if DNS is used). Host name comparisons are case`
`@@ -353,8 +356,9 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`353`	`356`	`<term><replaceable>IP-mask</replaceable></term>`
`354`	`357`	`<listitem>`
`355`	`358`	`<para>`
`356`		`- These fields can be used as an alternative to the`
`357`		`- <replaceable>CIDR-address</replaceable> notation. Instead of`
	`359`	`+ These two fields can be used as an alternative to the`
	`360`	`+ <replaceable>IP-address</><literal>/</><replaceable>mask-length</>`
	`361`	`+ notation. Instead of`
`358`	`362`	`specifying the mask length, the actual mask is specified in a`
`359`	`363`	`separate column. For example, <literal>255.0.0.0</> represents an IPv4`
`360`	`364`	`CIDR mask length of 8, and <literal>255.255.255.255</> represents a`

`‎src/backend/libpq/hba.c`

Lines changed: 6 additions & 36 deletions

Original file line number	Diff line number	Diff line change
`@@ -653,42 +653,12 @@ check_hostname(hbaPort port, const char hostname)`
`653`	`653`	`staticbool`
`654`	`654`	`check_ip(SockAddrraddr,structsockaddraddr,structsockaddr*mask)`
`655`	`655`	`{`
`656`		`-if (raddr->addr.ss_family==addr->sa_family)`
`657`		`-{`
`658`		`-/* Same address family */`
`659`		`-if (!pg_range_sockaddr(&raddr->addr,`
`660`		`- (structsockaddr_storage*)addr,`
`661`		`- (structsockaddr_storage*)mask))`
`662`		`-return false;`
`663`		`-}`
`664`		`-#ifdefHAVE_IPV6`
`665`		`-elseif (addr->sa_family==AF_INET&&`
`666`		`-raddr->addr.ss_family==AF_INET6)`
`667`		`-{`
`668`		`-/*`
`669`		`- * If we're connected on IPv6 but the file specifies an IPv4 address`
`670`		`- * to match against, promote the latter to an IPv6 address before`
`671`		`- * trying to match the client's address.`
`672`		`- */`
`673`		`-structsockaddr_storageaddrcopy,`
`674`		`-maskcopy;`
`675`		`-`
`676`		`-memcpy(&addrcopy,addr,sizeof(addrcopy));`
`677`		`-memcpy(&maskcopy,mask,sizeof(maskcopy));`
`678`		`-pg_promote_v4_to_v6_addr(&addrcopy);`
`679`		`-pg_promote_v4_to_v6_mask(&maskcopy);`
`680`		`-`
`681`		`-if (!pg_range_sockaddr(&raddr->addr,&addrcopy,&maskcopy))`
`682`		`-return false;`
`683`		`-}`
`684`		`-#endif/* HAVE_IPV6 */`
`685`		`-else`
`686`		`-{`
`687`		`-/* Wrong address family, no IPV6 */`
`688`		`-return false;`
`689`		`-}`
`690`		`-`
`691`		`-return true;`
	`656`	`+if (raddr->addr.ss_family==addr->sa_family&&`
	`657`	`+pg_range_sockaddr(&raddr->addr,`
	`658`	`+ (structsockaddr_storage*)addr,`
	`659`	`+ (structsockaddr_storage*)mask))`
	`660`	`+return true;`
	`661`	`+return false;`
`692`	`662`	`}`
`693`	`663`
`694`	`664`	`/*`

`‎src/backend/libpq/ip.c`

Lines changed: 0 additions & 73 deletions

Original file line number	Diff line number	Diff line change
`@@ -407,79 +407,6 @@ pg_sockaddr_cidr_mask(struct sockaddr_storage * mask, char *numbits, int family)`
`407`	`407`	`}`
`408`	`408`
`409`	`409`
`410`		`-#ifdefHAVE_IPV6`
`411`		`-`
`412`		`-/*`
`413`		`- * pg_promote_v4_to_v6_addr --- convert an AF_INET addr to AF_INET6, using`
`414`		`- *the standard convention for IPv4 addresses mapped into IPv6 world`
`415`		`- *`
`416`		`- * The passed addr is modified in place; be sure it is large enough to`
`417`		`- * hold the result! Note that we only worry about setting the fields`
`418`		`- * that pg_range_sockaddr will look at.`
`419`		`- */`
`420`		`-void`
`421`		`-pg_promote_v4_to_v6_addr(structsockaddr_storage*addr)`
`422`		`-{`
`423`		`-structsockaddr_inaddr4;`
`424`		`-structsockaddr_in6addr6;`
`425`		`-uint32ip4addr;`
`426`		`-`
`427`		`-memcpy(&addr4,addr,sizeof(addr4));`
`428`		`-ip4addr=ntohl(addr4.sin_addr.s_addr);`
`429`		`-`
`430`		`-memset(&addr6,0,sizeof(addr6));`
`431`		`-`
`432`		`-addr6.sin6_family=AF_INET6;`
`433`		`-`
`434`		`-addr6.sin6_addr.s6_addr[10]=0xff;`
`435`		`-addr6.sin6_addr.s6_addr[11]=0xff;`
`436`		`-addr6.sin6_addr.s6_addr[12]= (ip4addr >>24)&0xFF;`
`437`		`-addr6.sin6_addr.s6_addr[13]= (ip4addr >>16)&0xFF;`
`438`		`-addr6.sin6_addr.s6_addr[14]= (ip4addr >>8)&0xFF;`
`439`		`-addr6.sin6_addr.s6_addr[15]= (ip4addr)&0xFF;`
`440`		`-`
`441`		`-memcpy(addr,&addr6,sizeof(addr6));`
`442`		`-}`
`443`		`-`
`444`		`-/*`
`445`		`- * pg_promote_v4_to_v6_mask --- convert an AF_INET netmask to AF_INET6, using`
`446`		`- *the standard convention for IPv4 addresses mapped into IPv6 world`
`447`		`- *`
`448`		`- * This must be different from pg_promote_v4_to_v6_addr because we want to`
`449`		`- * set the high-order bits to 1's not 0's.`
`450`		`- *`
`451`		`- * The passed addr is modified in place; be sure it is large enough to`
`452`		`- * hold the result! Note that we only worry about setting the fields`
`453`		`- * that pg_range_sockaddr will look at.`
`454`		`- */`
`455`		`-void`
`456`		`-pg_promote_v4_to_v6_mask(structsockaddr_storage*addr)`
`457`		`-{`
`458`		`-structsockaddr_inaddr4;`
`459`		`-structsockaddr_in6addr6;`
`460`		`-uint32ip4addr;`
`461`		`-inti;`
`462`		`-`
`463`		`-memcpy(&addr4,addr,sizeof(addr4));`
`464`		`-ip4addr=ntohl(addr4.sin_addr.s_addr);`
`465`		`-`
`466`		`-memset(&addr6,0,sizeof(addr6));`
`467`		`-`
`468`		`-addr6.sin6_family=AF_INET6;`
`469`		`-`
`470`		`-for (i=0;i<12;i++)`
`471`		`-addr6.sin6_addr.s6_addr[i]=0xff;`
`472`		`-`
`473`		`-addr6.sin6_addr.s6_addr[12]= (ip4addr >>24)&0xFF;`
`474`		`-addr6.sin6_addr.s6_addr[13]= (ip4addr >>16)&0xFF;`
`475`		`-addr6.sin6_addr.s6_addr[14]= (ip4addr >>8)&0xFF;`
`476`		`-addr6.sin6_addr.s6_addr[15]= (ip4addr)&0xFF;`
`477`		`-`
`478`		`-memcpy(addr,&addr6,sizeof(addr6));`
`479`		`-}`
`480`		`-#endif/* HAVE_IPV6 */`
`481`		`-`
`482`		`-`
`483`	`410`	`/*`
`484`	`411`	`* Run the callback function for the addr/mask, after making sure the`
`485`	`412`	`* mask is sane for the addr.`

`‎src/include/libpq/ip.h`

Lines changed: 0 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,11 +46,6 @@ extern int pg_range_sockaddr(const struct sockaddr_storage * addr,`
`46`	`46`	`externintpg_sockaddr_cidr_mask(structsockaddr_storage*mask,`
`47`	`47`	`char*numbits,intfamily);`
`48`	`48`
`49`		`-#ifdefHAVE_IPV6`
`50`		`-externvoidpg_promote_v4_to_v6_addr(structsockaddr_storage*addr);`
`51`		`-externvoidpg_promote_v4_to_v6_mask(structsockaddr_storage*addr);`
`52`		`-#endif`
`53`		`-`
`54`	`49`	`externintpg_foreach_ifaddr(PgIfAddrCallbackcallback,void*cb_data);`
`55`	`50`
`56`	`51`	`#endif/* IP_H */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd068609

File tree

4 files changed

4 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎src/backend/libpq/hba.c`

`‎src/backend/libpq/ip.c`

`‎src/include/libpq/ip.h`

0 commit comments