Thread: CIDR address in pg_hba.conf
Hi,

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
> An IP address is specified in standard dotted decimal notation with
> a CIDR mask length. The mask length indicates the number of
> high-order bits of the client IP address that must match. Bits to the
> right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

    host all all 192.168.1.99/24 trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center
Fujii Masao <masao.fujii@gmail.com> writes:
> http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
>> An IP address is specified in standard dotted decimal notation with
>> a CIDR mask length. The mask length indicates the number of
>> high-order bits of the client IP address that must match. Bits to the
>> right of this must be zero in the given IP address.

> Is the last statement correct? When I specified the following setting
> in pg_hba.conf, I could not find any problem in PostgreSQL.

>     host all all 192.168.1.99/24 trust

> As far as I read the code, those bits seem not to need to be zero.
> Attached patch just removes that statement.

Even if it happens to work that way at the moment, do we want to
encourage people to depend on such an implementation artifact?

IOW, if you read "must" as "if you want to trust it to work in future
versions, you must", the advice is perfectly sound.

regards, tom lane
On Tue, Jun 7, 2011 at 1:56 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Fujii Masao <masao.fujii@gmail.com> writes:
>> http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
>>> An IP address is specified in standard dotted decimal notation with
>>> a CIDR mask length. The mask length indicates the number of
>>> high-order bits of the client IP address that must match. Bits to the
>>> right of this must be zero in the given IP address.
>
>> Is the last statement correct? When I specified the following setting
>> in pg_hba.conf, I could not find any problem in PostgreSQL.
>
>>     host all all 192.168.1.99/24 trust
>
>> As far as I read the code, those bits seem not to need to be zero.
>> Attached patch just removes that statement.
>
> Even if it happens to work that way at the moment, do we want to
> encourage people to depend on such an implementation artifact?
>
> IOW, if you read "must" as "if you want to trust it to work in future
> versions, you must", the advice is perfectly sound.

Okay. Sounds reasonable. I drop the patch.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center
Tom Lane wrote:
> Fujii Masao <masao.fujii@gmail.com> writes:
> > http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
> >> An IP address is specified in standard dotted decimal notation with
> >> a CIDR mask length. The mask length indicates the number of
> >> high-order bits of the client IP address that must match. Bits to the
> >> right of this must be zero in the given IP address.
>
> > Is the last statement correct? When I specified the following setting
> > in pg_hba.conf, I could not find any problem in PostgreSQL.
>
> >     host all all 192.168.1.99/24 trust
>
> > As far as I read the code, those bits seem not to need to be zero.
> > Attached patch just removes that statement.
>
> Even if it happens to work that way at the moment, do we want to
> encourage people to depend on such an implementation artifact?
>
> IOW, if you read "must" as "if you want to trust it to work in future
> versions, you must", the advice is perfectly sound.

Should we use "should"?

> >> right of this should be zero in the given IP address.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +
On Thu, Jun 9, 2011 at 8:42 PM, Bruce Momjian <bruce@momjian.us> wrote:
> Tom Lane wrote:
>> Fujii Masao <masao.fujii@gmail.com> writes:
>> > http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
>> >> An IP address is specified in standard dotted decimal notation with
>> >> a CIDR mask length. The mask length indicates the number of
>> >> high-order bits of the client IP address that must match. Bits to the
>> >> right of this must be zero in the given IP address.
>>
>> > Is the last statement correct? When I specified the following setting
>> > in pg_hba.conf, I could not find any problem in PostgreSQL.
>>
>> >     host all all 192.168.1.99/24 trust
>>
>> > As far as I read the code, those bits seem not to need to be zero.
>> > Attached patch just removes that statement.
>>
>> Even if it happens to work that way at the moment, do we want to
>> encourage people to depend on such an implementation artifact?
>>
>> IOW, if you read "must" as "if you want to trust it to work in future
>> versions, you must", the advice is perfectly sound.
>
> Should we use "should"?

+1.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Robert Haas wrote:
> On Thu, Jun 9, 2011 at 8:42 PM, Bruce Momjian <bruce@momjian.us> wrote:
> > Tom Lane wrote:
> >> Fujii Masao <masao.fujii@gmail.com> writes:
> >> > http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
> >> >> An IP address is specified in standard dotted decimal notation with
> >> >> a CIDR mask length. The mask length indicates the number of
> >> >> high-order bits of the client IP address that must match. Bits to the
> >> >> right of this must be zero in the given IP address.
> >>
> >> > Is the last statement correct? When I specified the following setting
> >> > in pg_hba.conf, I could not find any problem in PostgreSQL.
> >>
> >> >     host all all 192.168.1.99/24 trust
> >>
> >> > As far as I read the code, those bits seem not to need to be zero.
> >> > Attached patch just removes that statement.
> >>
> >> Even if it happens to work that way at the moment, do we want to
> >> encourage people to depend on such an implementation artifact?
> >>
> >> IOW, if you read "must" as "if you want to trust it to work in future
> >> versions, you must", the advice is perfectly sound.
> >
> > Should we use "should"?
>
> +1.

Thanks for the feedback. Patched in head and 9.1.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +
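
Added example, not part of the thread and not PostgreSQL code: given the behaviour reported in the first message (bits to the right of the mask are not checked), an entry such as `192.168.1.99/24 trust` applies to the whole /24 rather than to one host, so it is worth auditing pg_hba.conf for addresses written that way. The sketch below assumes simple whitespace-separated records without quoting or include directives; `SAMPLE_HBA` and `find_nonzero_host_bits` are hypothetical names, and every sample line other than the thread's `192.168.1.99/24` entry is constructed.

```python
import ipaddress

# Constructed sample; only the 192.168.1.99/24 entry comes from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      peer
host    all       all   192.168.1.99/24    trust
host    all       all   10.0.0.0/8         md5
host    all       all   192.168.1.99/32    md5
host    all       all   2001:db8::1/64     md5
host    all       all   .example.com       md5
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}


def find_nonzero_host_bits(hba_text):
    """Return (line_no, address_as_written, effective_network) for every
    host-type record whose CIDR address has bits set right of the mask."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        # Assumption: '#' always starts a comment (no quoted fields).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in HOST_TYPES or len(fields) < 5:
            continue
        address = fields[3]
        if "/" not in address:
            continue  # host name, keyword, or separate-netmask form
        try:
            iface = ipaddress.ip_interface(address)
        except ValueError:
            continue  # not an IP/masklen pair
        # The record is clean only if the written address is the network address.
        if iface.ip != iface.network.network_address:
            findings.append((line_no, address, str(iface.network)))
    return findings


if __name__ == "__main__":
    for line_no, written, effective in find_nonzero_host_bits(SAMPLE_HBA):
        print(f"line {line_no}: {written} has host bits set; "
              f"mask length selects {effective}")
```

A `/32` (or IPv6 `/128`) entry is never flagged, since with a full-length mask there are no bits to the right of it.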