[Thanks for the heads up about the MessageID missing when posting this
previously. Was doing some mail filter development, and accidentally
left it in place... ]
Magnus Hagander wrote:
> 2009/8/25 Alvaro Herrera <[email protected]>:
>> Something to keep in mind -- my getifaddrs(3) manpage says that on BSD
>> it can return addresses that have ifa_addr set to NULL, which your code
>> doesn't seem to check.
Thanks for catching that. I've added a check, and attached a new patch.
> Eek. This is not defined by any standard, is it? I wonder how many
> different behaviours we can find there :(
I've checked AIX, Linux, BSD and Mac OS and NULL ifa_addr's are
documented in all of them.
Cheers,
Stef
diff --git a/configure.in b/configure.in
index e545a1f..b77ce2b 100644
*** a/configure.in
--- b/configure.in
*************** AC_SUBST(OSSP_UUID_LIBS)
*** 969,975 ****
##
dnl sys/socket.h is required by AC_FUNC_ACCEPT_ARGTYPES
! AC_CHECK_HEADERS([crypt.h dld.h fp_class.h getopt.h ieeefp.h langinfo.h poll.h pwd.h sys/ipc.h sys/poll.h sys/pstat.h sys/resource.h sys/select.h sys/sem.h sys/socket.h sys/shm.h sys/tas.h sys/time.h sys/un.h termios.h ucred.h utime.h wchar.h wctype.h kernel/OS.h kernel/image.h SupportDefs.h])
# At least on IRIX, cpp test for netinet/tcp.h will fail unless
# netinet/in.h is included first.
--- 969,975 ----
##
dnl sys/socket.h is required by AC_FUNC_ACCEPT_ARGTYPES
! AC_CHECK_HEADERS([crypt.h dld.h fp_class.h getopt.h ieeefp.h langinfo.h poll.h pwd.h sys/ipc.h sys/poll.h sys/pstat.h sys/resource.h sys/select.h sys/sem.h sys/socket.h sys/shm.h sys/tas.h sys/time.h sys/un.h termios.h ucred.h utime.h wchar.h wctype.h kernel/OS.h kernel/image.h SupportDefs.h ifaddrs.h])
# At least on IRIX, cpp test for netinet/tcp.h will fail unless
# netinet/in.h is included first.
*************** PGAC_VAR_INT_TIMEZONE
*** 1148,1154 ****
AC_FUNC_ACCEPT_ARGTYPES
PGAC_FUNC_GETTIMEOFDAY_1ARG
! AC_CHECK_FUNCS([cbrt dlopen fcvt fdatasync getpeereid getpeerucred getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])
# posix_fadvise() is a no-op on Solaris, so don't incur function overhead
# by calling it, 2009-04-02
--- 1148,1154 ----
AC_FUNC_ACCEPT_ARGTYPES
PGAC_FUNC_GETTIMEOFDAY_1ARG
! AC_CHECK_FUNCS([cbrt dlopen fcvt fdatasync getpeereid getpeerucred getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs getifaddrs])
# posix_fadvise() is a no-op on Solaris, so don't incur function overhead
# by calling it, 2009-04-02
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index ad4d084..e88c796 100644
*** a/doc/src/sgml/client-auth.sgml
--- b/doc/src/sgml/client-auth.sgml
*************** hostnossl <replaceable>database</replac
*** 244,249 ****
--- 244,256 ----
support for IPv6 addresses.
</para>
+ <para>Instead of an <replaceable>CIDR-address</replaceable>, you can specify
+ the values <literal>samehost</literal> or <literal>samenet</literal>. To
+ match any address on the subnets connected to the local machine, specify
+ <literal>samenet</literal>. By specifying <literal>samehost</literal>, any
+ addresses present on the network interfaces of local machine will match.
+ </para>
+
<para>
This field only applies to <literal>host</literal>,
<literal>hostssl</literal>, and <literal>hostnossl</> records.
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index e6f7db2..c2da3a0 100644
*** a/src/backend/libpq/hba.c
--- b/src/backend/libpq/hba.c
*************** check_db(const char *dbname, const char
*** 512,517 ****
--- 512,608 ----
return false;
}
+ /*
+ * Check to see if a connecting IP matches the address and netmask.
+ */
+ static bool
+ check_ip (SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
+ {
+ if (raddr->addr.ss_family == addr->sa_family)
+ {
+ /* Same address family */
+ if (!pg_range_sockaddr(&raddr->addr, (struct sockaddr_storage*)addr,
+ (struct sockaddr_storage*)mask))
+ return false;
+ }
+ #ifdef HAVE_IPV6
+ else if (addr->sa_family == AF_INET &&
+ raddr->addr.ss_family == AF_INET6)
+ {
+ /*
+ * Wrong address family. We allow only one case: if the file
+ * has IPv4 and the port is IPv6, promote the file address to
+ * IPv6 and try to match that way.
+ */
+ struct sockaddr_storage addrcopy,
+ maskcopy;
+
+ memcpy(&addrcopy, &addr, sizeof(addrcopy));
+ memcpy(&maskcopy, &mask, sizeof(maskcopy));
+ pg_promote_v4_to_v6_addr(&addrcopy);
+ pg_promote_v4_to_v6_mask(&maskcopy);
+
+ if (!pg_range_sockaddr(&raddr->addr, &addrcopy, &maskcopy))
+ return false;
+ }
+ #endif /* HAVE_IPV6 */
+ else
+ {
+ /* Wrong address family, no IPV6 */
+ return false;
+ }
+
+ return true;
+ }
+
+ typedef struct CheckNetwork {
+ NetMethod method;
+ SockAddr *raddr;
+ bool result;
+ } CheckNetwork;
+
+ static void
+ callback_check_network (struct sockaddr *addr, struct sockaddr *netmask, void *data)
+ {
+ CheckNetwork *cn = data;
+ struct sockaddr_storage mask;
+
+ /* Already found a match */
+ if (cn->result)
+ return;
+
+ /* Make a fully 1's netmask of appropriate length */
+ if (cn->method == nmSameHost)
+ {
+ pg_sockaddr_cidr_mask (&mask, NULL, addr->sa_family);
+ cn->result = check_ip (cn->raddr, addr, (struct sockaddr*)&mask);
+ }
+
+ /* Use the netmask of the interface itself */
+ else
+ {
+ cn->result = check_ip (cn->raddr, addr, netmask);
+ }
+ }
+
+ static bool
+ check_same_host_or_net (SockAddr *raddr, NetMethod method)
+ {
+ CheckNetwork cn;
+ cn.method = method;
+ cn.raddr = raddr;
+ cn.result = false;
+
+ if (pg_foreach_ifaddr (callback_check_network, &cn) < 0)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_WARNING),
+ errmsg("Error enumerating network interfaces")));
+ return false;
+ }
+
+ return cn.result;
+ }
/*
* Macros used to check and report on invalid configuration options.
*************** parse_hba_line(List *line, int line_num,
*** 658,756 ****
line_num, HbaFileName)));
return false;
}
- token = pstrdup(lfirst(line_item));
! /* Check if it has a CIDR suffix and if so isolate it */
! cidr_slash = strchr(token, '/');
! if (cidr_slash)
! *cidr_slash = '\0';
!
! /* Get the IP address either way */
! hints.ai_flags = AI_NUMERICHOST;
! hints.ai_family = PF_UNSPEC;
! hints.ai_socktype = 0;
! hints.ai_protocol = 0;
! hints.ai_addrlen = 0;
! hints.ai_canonname = NULL;
! hints.ai_addr = NULL;
! hints.ai_next = NULL;
! ret = pg_getaddrinfo_all(token, NULL, &hints, &gai_result);
! if (ret || !gai_result)
{
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("invalid IP address \"%s\": %s",
! token, gai_strerror(ret)),
! errcontext("line %d of configuration file \"%s\"",
! line_num, HbaFileName)));
! if (cidr_slash)
! *cidr_slash = '/';
! if (gai_result)
! pg_freeaddrinfo_all(hints.ai_family, gai_result);
! return false;
}
! if (cidr_slash)
! *cidr_slash = '/';
!
! memcpy(&parsedline->addr, gai_result->ai_addr, gai_result->ai_addrlen);
! pg_freeaddrinfo_all(hints.ai_family, gai_result);
!
! /* Get the netmask */
! if (cidr_slash)
{
! if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
! parsedline->addr.ss_family) < 0)
! {
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("invalid CIDR mask in address \"%s\"",
! token),
! errcontext("line %d of configuration file \"%s\"",
! line_num, HbaFileName)));
! return false;
! }
}
else
{
! /* Read the mask field. */
! line_item = lnext(line_item);
! if (!line_item)
! {
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("end-of-line before netmask specification"),
! errcontext("line %d of configuration file \"%s\"",
! line_num, HbaFileName)));
! return false;
! }
! token = lfirst(line_item);
ret = pg_getaddrinfo_all(token, NULL, &hints, &gai_result);
if (ret || !gai_result)
{
ereport(LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("invalid IP mask \"%s\": %s",
token, gai_strerror(ret)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
return false;
}
! memcpy(&parsedline->mask, gai_result->ai_addr, gai_result->ai_addrlen);
pg_freeaddrinfo_all(hints.ai_family, gai_result);
! if (parsedline->addr.ss_family != parsedline->mask.ss_family)
{
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("IP address and mask do not match in file \"%s\" line %d",
! HbaFileName, line_num)));
! return false;
}
}
} /* != ctLocal */
--- 749,868 ----
line_num, HbaFileName)));
return false;
}
! /* Is it equal to 'samehost' or 'samenet'? */
! token = lfirst(line_item);
! /* Any IP on this host is allowed to connect */
! if (strcmp (token, "samehost") == 0)
{
! parsedline->net_method = nmSameHost;
}
! /* Any IP on the host's subnets is allowed to connect */
! else if (strcmp (token, "samenet") == 0)
{
! parsedline->net_method = nmSameNet;
}
+
+ /* IP and netmask are specified */
else
{
! parsedline->net_method = nmCompare;
! token = pstrdup(token);
!
! /* Check if it has a CIDR suffix and if so isolate it */
! cidr_slash = strchr(token, '/');
! if (cidr_slash)
! *cidr_slash = '\0';
!
! /* Get the IP address either way */
! hints.ai_flags = AI_NUMERICHOST;
! hints.ai_family = PF_UNSPEC;
! hints.ai_socktype = 0;
! hints.ai_protocol = 0;
! hints.ai_addrlen = 0;
! hints.ai_canonname = NULL;
! hints.ai_addr = NULL;
! hints.ai_next = NULL;
ret = pg_getaddrinfo_all(token, NULL, &hints, &gai_result);
if (ret || !gai_result)
{
ereport(LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("invalid IP address \"%s\": %s",
token, gai_strerror(ret)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ if (cidr_slash)
+ *cidr_slash = '/';
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
return false;
}
! if (cidr_slash)
! *cidr_slash = '/';
!
! memcpy(&parsedline->addr, gai_result->ai_addr, gai_result->ai_addrlen);
pg_freeaddrinfo_all(hints.ai_family, gai_result);
! /* Get the netmask */
! if (cidr_slash)
{
! if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
! parsedline->addr.ss_family) < 0)
! {
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("invalid CIDR mask in address \"%s\"",
! token),
! errcontext("line %d of configuration file \"%s\"",
! line_num, HbaFileName)));
! return false;
! }
! }
! else
! {
! /* Read the mask field. */
! line_item = lnext(line_item);
! if (!line_item)
! {
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("end-of-line before netmask specification"),
! errcontext("line %d of configuration file \"%s\"",
! line_num, HbaFileName)));
! return false;
! }
! token = lfirst(line_item);
!
! ret = pg_getaddrinfo_all(token, NULL, &hints, &gai_result);
! if (ret || !gai_result)
! {
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("invalid IP mask \"%s\": %s",
! token, gai_strerror(ret)),
! errcontext("line %d of configuration file \"%s\"",
! line_num, HbaFileName)));
! if (gai_result)
! pg_freeaddrinfo_all(hints.ai_family, gai_result);
! return false;
! }
!
! memcpy(&parsedline->mask, gai_result->ai_addr, gai_result->ai_addrlen);
! pg_freeaddrinfo_all(hints.ai_family, gai_result);
!
! if (parsedline->addr.ss_family != parsedline->mask.ss_family)
! {
! ereport(LOG,
! (errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("IP address and mask do not match in file \"%s\" line %d",
! HbaFileName, line_num)));
! return false;
! }
}
}
} /* != ctLocal */
*************** check_hba(hbaPort *port)
*** 1096,1131 ****
continue;
#endif
! /* Check IP address */
! if (port->raddr.addr.ss_family == hba->addr.ss_family)
{
! if (!pg_range_sockaddr(&port->raddr.addr, &hba->addr, &hba->mask))
continue;
! }
! #ifdef HAVE_IPV6
! else if (hba->addr.ss_family == AF_INET &&
! port->raddr.addr.ss_family == AF_INET6)
! {
! /*
! * Wrong address family. We allow only one case: if the file
! * has IPv4 and the port is IPv6, promote the file address to
! * IPv6 and try to match that way.
! */
! struct sockaddr_storage addrcopy,
! maskcopy;
!
! memcpy(&addrcopy, &hba->addr, sizeof(addrcopy));
! memcpy(&maskcopy, &hba->mask, sizeof(maskcopy));
! pg_promote_v4_to_v6_addr(&addrcopy);
! pg_promote_v4_to_v6_mask(&maskcopy);
!
! if (!pg_range_sockaddr(&port->raddr.addr, &addrcopy, &maskcopy))
continue;
! }
! #endif /* HAVE_IPV6 */
! else
! /* Wrong address family, no IPV6 */
continue;
} /* != ctLocal */
/* Check database and role */
--- 1208,1228 ----
continue;
#endif
! switch (hba->net_method)
{
! case nmCompare:
! if (!check_ip (&port->raddr, (struct sockaddr*)&hba->addr,
! (struct sockaddr*)&hba->mask))
continue;
! break;
! case nmSameHost:
! case nmSameNet:
! if (!check_same_host_or_net (&port->raddr, hba->net_method))
continue;
! break;
! default:
continue;
+ }
} /* != ctLocal */
/* Check database and role */
diff --git a/src/backend/libpq/ip.c b/src/backend/libpq/ip.c
index 0c35ddd..cc40879 100644
*** a/src/backend/libpq/ip.c
--- b/src/backend/libpq/ip.c
*************** range_sockaddr_AF_INET6(const struct soc
*** 333,338 ****
--- 333,340 ----
* pg_sockaddr_cidr_mask - make a network mask of the appropriate family
* and required number of significant bits
*
+ * numbits can be null, in which case the mask is fully set.
+ *
* The resulting mask is placed in *mask, which had better be big enough.
*
* Return value is 0 if okay, -1 if not.
*************** pg_sockaddr_cidr_mask(struct sockaddr_st
*** 343,352 ****
long bits;
char *endptr;
! bits = strtol(numbits, &endptr, 10);
!
! if (*numbits == '\0' || *endptr != '\0')
! return -1;
switch (family)
{
--- 345,360 ----
long bits;
char *endptr;
! if (numbits == NULL)
! {
! bits = (family == AF_INET) ? 32 : 128;
! }
! else
! {
! bits = strtol(numbits, &endptr, 10);
! if (*numbits == '\0' || *endptr != '\0')
! return -1;
! }
switch (family)
{
*************** pg_promote_v4_to_v6_mask(struct sockaddr
*** 476,478 ****
--- 484,603 ----
}
#endif /* HAVE_IPV6 */
+
+ #ifdef HAVE_GETIFADDRS
+
+ #include <ifaddrs.h>
+
+ static int
+ foreach_ifaddr_getifaddrs(PgIfAddrCallback callback, void * cb_data)
+ {
+ struct ifaddrs *ifa, *l;
+
+ if (getifaddrs (&ifa) < 0)
+ return -1;
+
+ for (l = ifa; l; l = l->ifa_next)
+ {
+ if (l->ifa_addr && l->ifa_netmask)
+ (callback) (l->ifa_addr, l->ifa_netmask, cb_data);
+ }
+
+ freeifaddrs (ifa);
+ return 0;
+ }
+
+ #endif /* HAVE_GETIFADDRS */
+
+ #ifdef WIN32
+
+ #include <winsock2.h>
+ #include <ws2tcpip.h>
+
+ static int
+ foreach_ifaddr_win32(PgIfAddrCallback callback, void * cb_data)
+ {
+ INTERFACE_INFO ii[64];
+ unsigned long length, i;
+ SOCKET sock;
+
+ sock = WSASocket(AF_INET, SOCK_DGRAM, 0, 0, 0, 0);
+ if (sock == SOCKET_ERROR)
+ return -1;
+
+ if (WSAIoctl(sock, SIO_GET_INTERFACE_LIST, 0, 0, &ii,
+ sizeof (ii), &length, 0, 0) == SOCKET_ERROR)
+ {
+ closesocket(sock);
+ return -1;
+ }
+
+ for (i = 0; i < length / sizeof (INTERFACE_INFO); ++i)
+ (callback)((struct sockaddr*)&ii[i].iiAddress,
+ (struct sockaddr*)&ii[i].iiNetmask, cb_data);
+
+ closesocket(sock);
+ return 0;
+ }
+
+ #else /* !WIN32 */
+
+ #include <sys/ioctl.h>
+ #include <net/if.h>
+
+ static int
+ foreach_ifaddr_ifconf(PgIfAddrCallback callback, void * cb_data)
+ {
+ struct ifconf ifc;
+ struct ifreq addr, mask;
+ char buffer[10240];
+ int sock;
+ int i, total;
+
+ sock = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sock == -1)
+ return -1;
+
+ ifc.ifc_buf = buffer;
+ ifc.ifc_len = sizeof(buffer);
+
+ if (ioctl(sock, SIOCGIFCONF, &ifc) < 0)
+ {
+ close(sock);
+ return -1;
+ }
+
+ total = ifc.ifc_len / sizeof(struct ifreq);
+
+ for (i = 0; i < total; ++i)
+ {
+ memset (&addr, 0, sizeof (addr));
+ memcpy (addr.ifr_name, ifc.ifc_req[i].ifr_name, sizeof (addr.ifr_name));
+ memset (&mask, 0, sizeof (mask));
+ memcpy (mask.ifr_name, ifc.ifc_req[i].ifr_name, sizeof (mask.ifr_name));
+
+ if (ioctl(sock, SIOCGIFADDR, &addr, sizeof(addr)) == 0 &&
+ ioctl(sock, SIOCGIFNETMASK, &mask, sizeof(mask)) == 0)
+ (callback)(&addr.ifr_addr, &mask.ifr_netmask, cb_data);
+ }
+
+ close (sock);
+ return 0;
+ }
+
+ #endif
+
+ int
+ pg_foreach_ifaddr(PgIfAddrCallback callback, void * cb_data)
+ {
+ #ifdef WIN32
+ return foreach_ifaddr_win32(callback, cb_data);
+ #else /* !WIN32 */
+ #ifdef HAVE_GETIFADDRS
+ return foreach_ifaddr_getifaddrs(callback, cb_data);
+ #else /* !HAVE_GETIFADDRS */
+ return foreach_ifaddr_ifconf(callback, cb_data);
+ #endif
+ #endif /* !WIN32 */
+ }
+
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index f1c0457..c6775e6 100644
*** a/src/backend/libpq/pg_hba.conf.sample
--- b/src/backend/libpq/pg_hba.conf.sample
***************
*** 33,38 ****
--- 33,41 ----
# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
# the number of significant bits in the mask. Alternatively, you can write
# an IP address and netmask in separate columns to specify the set of hosts.
+ # You can also specify "samehost" to limit connections to those from addresses
+ # of the local machine. Or you can specify "samenet" to limit connections
+ # to addresses on the subnets of the local network.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", "krb5",
# "ident", "pam", "ldap" or "cert". Note that "password" sends passwords
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index b538ee4..5193f38 100644
*** a/src/include/libpq/hba.h
--- b/src/include/libpq/hba.h
*************** typedef enum UserAuth
*** 30,35 ****
--- 30,42 ----
uaCert
} UserAuth;
+ typedef enum NetMethod
+ {
+ nmCompare,
+ nmSameHost,
+ nmSameNet
+ } NetMethod;
+
typedef enum ConnType
{
ctLocal,
*************** typedef struct
*** 44,49 ****
--- 51,57 ----
ConnType conntype;
char *database;
char *role;
+ NetMethod net_method;
struct sockaddr_storage addr;
struct sockaddr_storage mask;
UserAuth auth_method;
diff --git a/src/include/libpq/ip.h b/src/include/libpq/ip.h
index 1934957..9bd562c 100644
*** a/src/include/libpq/ip.h
--- b/src/include/libpq/ip.h
*************** extern void pg_promote_v4_to_v6_mask(str
*** 47,50 ****
--- 47,56 ----
#define IS_AF_UNIX(fam) (0)
#endif
+ typedef void (*PgIfAddrCallback)(struct sockaddr * addr,
+ struct sockaddr * netmask,
+ void * cb_data);
+
+ extern int pg_foreach_ifaddr(PgIfAddrCallback callback, void * cb_data);
+
#endif /* IP_H */
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
