CIDR address in pg_hba.conf

Started by Fujii Masao almost 15 years ago · 6 messages · docs
#1 Fujii Masao
masao.fujii@gmail.com

Hi,

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

An IP address is specified in standard dotted decimal notation with
a CIDR mask length. The mask length indicates the number of
high-order bits of the client IP address that must match. Bits to the
right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

host all all 192.168.1.99/24 trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Attachments:

hba_v1.patch (text/x-diff; charset=US-ASCII; +3 -3)
#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Fujii Masao (#1)
Re: CIDR address in pg_hba.conf

Fujii Masao <masao.fujii@gmail.com> writes:

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

An IP address is specified in standard dotted decimal notation with
a CIDR mask length. The mask length indicates the number of
high-order bits of the client IP address that must match. Bits to the
right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

host all all 192.168.1.99/24 trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Even if it happens to work that way at the moment, do we want to
encourage people to depend on such an implementation artifact?

IOW, if you read "must" as "if you want to trust it to work in future
versions, you must", the advice is perfectly sound.

regards, tom lane

#3 Fujii Masao
masao.fujii@gmail.com
In reply to: Tom Lane (#2)
Re: CIDR address in pg_hba.conf

On Tue, Jun 7, 2011 at 1:56 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Fujii Masao <masao.fujii@gmail.com> writes:

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

An IP address is specified in standard dotted decimal notation with
a CIDR mask length. The mask length indicates the number of
high-order bits of the client IP address that must match. Bits to the
right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

    host  all  all  192.168.1.99/24  trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Even if it happens to work that way at the moment, do we want to
encourage people to depend on such an implementation artifact?

IOW, if you read "must" as "if you want to trust it to work in future
versions, you must", the advice is perfectly sound.

Okay. Sounds reasonable. I drop the patch.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

#4 Bruce Momjian
bruce@momjian.us
In reply to: Tom Lane (#2)
Re: CIDR address in pg_hba.conf

Tom Lane wrote:

Fujii Masao <masao.fujii@gmail.com> writes:

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

An IP address is specified in standard dotted decimal notation with
a CIDR mask length. The mask length indicates the number of
high-order bits of the client IP address that must match. Bits to the
right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

host all all 192.168.1.99/24 trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Even if it happens to work that way at the moment, do we want to
encourage people to depend on such an implementation artifact?

IOW, if you read "must" as "if you want to trust it to work in future
versions, you must", the advice is perfectly sound.

Should we use "should"?

right of this should be zero in the given IP address.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +

#5 Robert Haas
robertmhaas@gmail.com
In reply to: Bruce Momjian (#4)
Re: CIDR address in pg_hba.conf

On Thu, Jun 9, 2011 at 8:42 PM, Bruce Momjian <bruce@momjian.us> wrote:

Tom Lane wrote:

Fujii Masao <masao.fujii@gmail.com> writes:

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

An IP address is specified in standard dotted decimal notation with
a CIDR mask length. The mask length indicates the number of
high-order bits of the client IP address that must match. Bits to the
right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

    host  all  all  192.168.1.99/24  trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Even if it happens to work that way at the moment, do we want to
encourage people to depend on such an implementation artifact?

IOW, if you read "must" as "if you want to trust it to work in future
versions, you must", the advice is perfectly sound.

Should we use "should"?

+1.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

#6 Bruce Momjian
bruce@momjian.us
In reply to: Robert Haas (#5)
Re: CIDR address in pg_hba.conf

Robert Haas wrote:

On Thu, Jun 9, 2011 at 8:42 PM, Bruce Momjian <bruce@momjian.us> wrote:

Tom Lane wrote:

Fujii Masao <masao.fujii@gmail.com> writes:

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

An IP address is specified in standard dotted decimal notation with
a CIDR mask length. The mask length indicates the number of
high-order bits of the client IP address that must match. Bits to the
right of this must be zero in the given IP address.

Is the last statement correct? When I specified the following setting
in pg_hba.conf, I could not find any problem in PostgreSQL.

    host  all  all  192.168.1.99/24  trust

As far as I read the code, those bits seem not to need to be zero.
Attached patch just removes that statement.

Even if it happens to work that way at the moment, do we want to
encourage people to depend on such an implementation artifact?

IOW, if you read "must" as "if you want to trust it to work in future
versions, you must", the advice is perfectly sound.

Should we use "should"?

+1.

Thanks for the feedback. Patched in head and 9.1.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +
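
A pg_hba.conf check for the recommendation this thread settled on, as an added example (not code from the thread or from PostgreSQL): it flags entries whose address has non-zero bits to the right of the mask and shows the network such an entry covers when only the masked bits are compared. The function names and all sample lines except the 192.168.1.99/24 entry are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf; only the 192.168.1.99/24 line is from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      peer
host    all       all   192.168.1.99/24    trust
host    all       all   10.0.0.0/8         md5
host    all       all   172.16.5.1  255.255.0.0  md5
host    all       all   ::1/128            md5
"""


def lint_hba(text):
    """Return (lineno, given_address, canonical_network) for host entries
    whose address has bits set to the right of the mask."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        addr = fields[3]
        if "/" not in addr:
            # Separate-netmask form: ADDRESS NETMASK METHOD
            try:
                ipaddress.ip_address(fields[4])
            except ValueError:
                continue  # host name or keyword, nothing to check
            addr = f"{addr}/{fields[4]}"
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        if ipaddress.ip_address(addr.split("/")[0]) != net.network_address:
            findings.append((lineno, fields[3], str(net)))
    return findings


def mask_match(client, entry):
    """Model of a mask-only comparison: host bits in the entry are ignored."""
    net = ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(client) in net


if __name__ == "__main__":
    for lineno, given, canonical in lint_hba(SAMPLE_HBA):
        print(f"line {lineno}: {given} has host bits set; covers {canonical}")
```

An entry such as 192.168.1.99/24 with trust is worth reviewing: if a single host was intended, the mask should be /32, since a mask-only comparison admits the whole /24.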