mirror of https://github.com/postgres/postgres.git synced 2025-07-18 17:42:25 +03:00

Remove code to match IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses.

In investigating yesterday's crash report from Hugo Osvaldo Barrera, I only
looked back as far as commit f3aec2c7f5 where the breakage occurred
(which is why I thought the IPv4-in-IPv6 business was undocumented).  But
actually the logic dates back to commit 3c9bb8886d and was simply
broken by erroneous refactoring in the later commit.  A bit of archives
excavation shows that we added the whole business in response to a report
that some 2003-era Linux kernels would report IPv4 connections as having
IPv4-in-IPv6 addresses.  The fact that we've had no complaints since 9.0
seems to be sufficient confirmation that no modern kernels do that, so
let's just rip it all out rather than trying to fix it.

Do this in the back branches too, thus essentially deciding that our
effective behavior since 9.0 is correct.  If there are any platforms on
which the kernel reports IPv4-in-IPv6 addresses as such, yesterday's fix
would have made for a subtle and potentially security-sensitive change in
the effective meaning of IPv4 pg_hba.conf entries, which does not seem like
a good thing to do in minor releases.  So let's let the post-9.0 behavior
stand, and change the documentation to match it.

In passing, I failed to resist the temptation to wordsmith the description
of pg_hba.conf IPv4 and IPv6 address entries a bit.  A lot of this text
hasn't been touched since we were IPv4-only.
This commit is contained in:
Tom Lane
2015-02-17 12:49:18 -05:00
parent c99ef9aff1
commit e48ce4f33d
4 changed files with 11 additions and 121 deletions


@ -250,13 +250,11 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</para>
<para>
An IP address given in IPv4 format will match IPv6 connections that
have the corresponding address, for example <literal>127.0.0.1</>
will match the IPv6 address <literal>::ffff:127.0.0.1</>. An entry
given in IPv6 format will match only IPv6 connections, even if the
represented address is in the IPv4-in-IPv6 range. Note that entries
in IPv6 format will be rejected if the system's C library does not have
support for IPv6 addresses.
An entry given in IPv4 format will match only IPv4 connections,
and an entry given in IPv6 format will match only IPv6 connections,
even if the represented address is in the IPv4-in-IPv6 range.
Note that entries in IPv6 format will be rejected if the system's
C library does not have support for IPv6 addresses.
</para>
<para>
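Review bot: the replacement paragraph (from "An entry given in IPv4 format will match only IPv4 connections" onward) drops the concrete <literal>::ffff:127.0.0.1</> example without putting anything in its place, so the operational consequence of the new rule is left for the reader to infer. Since the commit message itself calls the difference "potentially security-sensitive", consider adding one sentence saying that a connection reported with an address such as <literal>::ffff:127.0.0.1</> is not matched by a <literal>127.0.0.1</> entry and needs an IPv6-format entry covering that address. Also, the trailing clause "even if the represented address is in the IPv4-in-IPv6 range" now reads as qualifying only the IPv6 half of the sentence; splitting the sentence in two, or moving the clause so it clearly applies to both kinds of entry, would remove that ambiguity.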