mirror of
https://github.com/postgres/postgres.git
synced 2025-08-30 06:01:21 +03:00
Remove code to match IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses.
In investigating yesterday's crash report from Hugo Osvaldo Barrera, I only looked back as far as commitf3aec2c7f5where the breakage occurred (which is why I thought the IPv4-in-IPv6 business was undocumented). But actually the logic dates back to commit3c9bb8886dand was simply broken by erroneous refactoring in the later commit. A bit of archives excavation shows that we added the whole business in response to a report that some 2003-era Linux kernels would report IPv4 connections as having IPv4-in-IPv6 addresses. The fact that we've had no complaints since 9.0 seems to be sufficient confirmation that no modern kernels do that, so let's just rip it all out rather than trying to fix it. Do this in the back branches too, thus essentially deciding that our effective behavior since 9.0 is correct. If there are any platforms on which the kernel reports IPv4-in-IPv6 addresses as such, yesterday's fix would have made for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases. So let's let the post-9.0 behavior stand, and change the documentation to match it. In passing, I failed to resist the temptation to wordsmith the description of pg_hba.conf IPv4 and IPv6 address entries a bit. A lot of this text hasn't been touched since we were IPv4-only.
This commit is contained in:
Tom Lane
@@ -680,42 +680,12 @@ check_hostname(hbaPort *port, const char *hostname)
|
||||
static bool
|
||||
check_ip(SockAddr *raddr, struct sockaddr * addr, struct sockaddr * mask)
|
||||
{
|
||||
if (raddr->addr.ss_family == addr->sa_family)
|
||||
{
|
||||
/* Same address family */
|
||||
if (!pg_range_sockaddr(&raddr->addr,
|
||||
(struct sockaddr_storage *) addr,
|
||||
(struct sockaddr_storage *) mask))
|
||||
return false;
|
||||
}
|
||||
#ifdef HAVE_IPV6
|
||||
else if (addr->sa_family == AF_INET &&
|
||||
raddr->addr.ss_family == AF_INET6)
|
||||
{
|
||||
/*
|
||||
* If we're connected on IPv6 but the file specifies an IPv4 address
|
||||
* to match against, promote the latter to an IPv6 address before
|
||||
* trying to match the client's address.
|
||||
*/
|
||||
struct sockaddr_storage addrcopy,
|
||||
maskcopy;
|
||||
|
||||
memcpy(&addrcopy, addr, sizeof(addrcopy));
|
||||
memcpy(&maskcopy, mask, sizeof(maskcopy));
|
||||
pg_promote_v4_to_v6_addr(&addrcopy);
|
||||
pg_promote_v4_to_v6_mask(&maskcopy);
|
||||
|
||||
if (!pg_range_sockaddr(&raddr->addr, &addrcopy, &maskcopy))
|
||||
return false;
|
||||
}
|
||||
#endif /* HAVE_IPV6 */
|
||||
else
|
||||
{
|
||||
/* Wrong address family, no IPV6 */
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
if (raddr->addr.ss_family == addr->sa_family &&
|
||||
pg_range_sockaddr(&raddr->addr,
|
||||
(struct sockaddr_storage *) addr,
|
||||
(struct sockaddr_storage *) mask))
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
Reference in New Issue
Block a user