On Thu, Feb 11, 2010 at 16:36, Mark Mielke <m...@mark.mielke.cc> wrote:
> On 02/11/2010 08:13 AM, Bart Samwel wrote:
>> ISSUE #2: Reverse lookup?
>>
>> There was a suggestion on the TODO list on the wiki, which basically said
>> that maybe we could use reverse lookup to find "the" hostname and then check
>> for that hostname in the list. I think that won't work, since IPs can go by
>> many names and may not support reverse lookup for some hostnames (/etc/hosts
>> anybody?). Furthermore, due to the top-to-bottom processing of pg_hba.conf,
>> you CANNOT SKIP entries that might possibly match. For instance, if the
>> third line is for host "foo.example.com" and the fifth line is for
>> "bar.example.com", both lines may apply to the same IP, and you still HAVE
>> to check the first one, even if reverse lookup turns up the second host
>> name. So it doesn't save you any lookups, it just costs an extra one.
>
> I don't see a need to do a reverse lookup. Reverse lookups are sometimes
> done as a verification check, in the sense that it's cheap to get a map from
> NAME -> IP, but sometimes it is much harder to get the reverse map from IP
> -> NAME. However, it's not a reliable check as many legitimate users have
> trouble getting a reverse map from IP -> NAME. It also doesn't save anything
> as IP -> NAME lookups are a completely different set of name servers, and
> these name servers are not always optimized for speed as IP -> NAME lookups
> are less common than NAME -> IP. Finally, if one finds a map from IP ->
> NAME, that doesn't prove that a map from NAME -> IP exists, so using *any*
> results from IP -> NAME is questionable.
>
> I think reverse lookups are unnecessary and undesirable.
>
>> ISSUE #3: Multiple hostnames?
>>
>> Currently, a pg_hba entry lists an IP / netmask combination. I would
>> suggest allowing lists of hostnames in the entries, so that you can at least
>> mimic the "match multiple hosts by a single rule". Any reason not to do
>> this?
>
> I'm mixed. In some situations, I've wanted to put multiple IP/netmask. I
> would say that if multiple names are supported, then multiple IP/netmask
> should be supported. But, this does make the lines unwieldy beyond two or
> three. This direction leans towards the capability to define "host classes",
> where the rule allows the host class, and the host class can have a list of
> hostnames.

Yes, but before you know it people will ask for being able to specify
multiple host classes. :-)

Quite simply put, with a single subnet you can allow multiple hosts in.
Allowing only a single hostname is a step backward from that, so adding
support for multiple hostnames could be useful if somebody is replacing
subnets with hostname-based configuration.

> Two other aspects I don't see mentioned:
>
> 1) What will you do for hostnames that have multiple IP addresses? Will you
> accept all IP addresses as being valid?

Yes, all addresses returned by (pg_)getaddrinfo will be considered valid.
Most importantly, this ensures that if a host has an IPv4 and an IPv6 address
they are both accepted. Plus, if there are multiple addresses, we have no way
of figuring out which address is "the" address. :-)

> 2) What will you do if they specify a hostname and a netmask? This seems
> like a convenient way of saying "everybody on the same subnet as NAME."

Not supported. Either an IP address / netmask combo, or a hostname, but not
both. I wouldn't want to recommend hardcoding something such as netmasks
(which are definitely subnet dependent) in combination with something as
volatile as a host name -- move it to a different subnet, and you might allow
a whole bigger subnet than you intended. If they want to specify a netmask,
then they should just use hardcoded IPs as well.

Cheers,
Bart
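As an added illustration (not code from the thread and not PostgreSQL's own implementation), the following Python models the matching semantics discussed above: entries are scanned top to bottom and the first match decides; a hostname entry is resolved forward only (NAME -> IP, no reverse lookup) and every address getaddrinfo returns counts, IPv4 and IPv6 alike; a hostname combined with a netmask is rejected. The entry layout (`HbaEntry` with just a target and a method), the function names, the `DEMO_TABLE` resolver standing in for DNS and the sample rule list are all this example's own constructions and simplify the real pg_hba.conf format.

```python
"""Top-to-bottom pg_hba.conf-style matching with hostname entries.

Added illustration, not PostgreSQL's code. Entry layout and names are
hypothetical simplifications; the sample data below is constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[Address]]


@dataclass
class HbaEntry:
    target: str   # "192.0.2.0/24", "2001:db8::/64", "192.0.2.5" or "foo.example.com"
    method: str   # auth method the entry selects, e.g. "trust", "md5", "reject"


def forward_resolve(hostname: str) -> List[Address]:
    """Forward lookup only: every A/AAAA address getaddrinfo returns."""
    found: List[Address] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addr = ipaddress.ip_address(sockaddr[0])
            if addr not in found:
                found.append(addr)
    return found


def parse_target(target: str) -> Tuple[str, object]:
    """Classify a target as ("net", ip_network) or ("host", name).

    Anything with a "/" must parse as an IP network: a hostname carrying
    a netmask is rejected, as the thread decides (one or the other, not both).
    """
    if "/" in target:
        try:
            return ("net", ipaddress.ip_network(target, strict=False))
        except ValueError:
            raise ValueError(f"hostname (or bad address) with netmask: {target!r}")
    try:
        return ("net", ipaddress.ip_network(target))   # bare IP -> /32 or /128
    except ValueError:
        return ("host", target)


class CountingResolver:
    """Wraps a resolver and counts forward lookups: every hostname line
    above the winning entry costs one, because no entry can be skipped."""
    def __init__(self, resolve: Resolver):
        self._resolve = resolve
        self.lookups = 0

    def __call__(self, hostname: str) -> List[Address]:
        self.lookups += 1
        return self._resolve(hostname)


def entry_matches(entry: HbaEntry, client_ip: Address, resolve: Resolver) -> bool:
    kind, value = parse_target(entry.target)
    if kind == "net":
        return client_ip in value            # False when IP versions differ
    try:
        return client_ip in resolve(value)   # any returned address matches
    except socket.gaierror:
        return False                         # unresolvable name: no match, keep scanning


def first_matching_method(entries: List[HbaEntry], client_addr: str,
                          resolve: Resolver = forward_resolve) -> Tuple[Optional[str], int]:
    """Scan top to bottom; the first matching entry's method wins.
    Returns (method or None, number of forward lookups performed)."""
    client_ip = ipaddress.ip_address(client_addr)
    counter = CountingResolver(resolve)
    for entry in entries:
        if entry_matches(entry, client_ip, counter):
            return entry.method, counter.lookups
    return None, counter.lookups


# Constructed sample data: a table standing in for DNS (foo has an IPv4 and
# an IPv6 address) and a rule list in which two hostname lines cover one IP.
DEMO_TABLE = {
    "foo.example.com": ["192.0.2.10", "2001:db8::10"],
    "bar.example.com": ["192.0.2.10"],
}


def demo_resolve(hostname: str) -> List[Address]:
    if hostname not in DEMO_TABLE:
        raise socket.gaierror(-2, "Name or service not known")
    return [ipaddress.ip_address(a) for a in DEMO_TABLE[hostname]]


DEMO_ENTRIES = [
    HbaEntry("10.0.0.0/8", "reject"),
    HbaEntry("foo.example.com", "md5"),
    HbaEntry("bar.example.com", "trust"),
    HbaEntry("192.0.2.0/24", "reject"),
]


if __name__ == "__main__":
    for client in ("192.0.2.10", "2001:db8::10", "192.0.2.99", "203.0.113.1"):
        method, lookups = first_matching_method(DEMO_ENTRIES, client, demo_resolve)
        print(f"{client:>14} -> {str(method):7} after {lookups} forward lookup(s)")
```

Running the script shows the points made in the thread concretely: 192.0.2.10 and 2001:db8::10 both hit the foo.example.com line (one lookup each, the IPv6 address because all of getaddrinfo's results count), while 192.0.2.99 only reaches the /24 line after both hostname lines above it have been resolved and failed to match. A reverse lookup of the client address could not have skipped those lines, which is why it would only add cost.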