From: | Reinhard Max <max(at)suse(dot)de> |
---|---|
To: | "David M(dot) Kaplan" <dmkaplan(at)ucdavis(dot)edu> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: pg_hba.conf confusion |
Date: | 2002-06-18 16:51:57 |
Message-ID: | Pine.LNX.4.44L0.0206181829470.24868-100000@wotan.suse.de |
Lists: | pgsql-bugs |
On Tue, 18 Jun 2002 at 09:28, David M. Kaplan wrote:
> Thanks, that did fix that problem. Now I have another one. The line:
>
> host all 192.168.1.2 255.255.255.128 password
>
> matches all ip addresses of the form 192.168.1.x. If I change the mask
> to 255.255.255.255 it no longer matches all addresses.
I wasn't talking about that entry. Your mask here was correct.
> Although this fixes the problem, it seems strange to me that it
> works this way. Basically, if mask is something other than
> 255.255.255.255, you might as well put 0's in your ip address.
> This doesn't seem to be how subnet masks normally work and it seems
> redundant to me.
>
> Is there something I don't understand?
It seems so, or I don't understand what you mean.
Let me repeat your initial configuration:

    host all 127.0.0.1 0.0.0.0 ident sameuser
    host all 192.168.1.2 255.255.255.128 password

As the entries in pg_hba.conf are processed on a top-to-bottom,
first-match-wins basis, the first entry here catches any connection
attempt, because the 0.0.0.0 subnet mask covers the whole IPv4 address
space.
If you want an entry to match a single IP address only (e.g. the
loopback address), it has to have all bits 1 in the mask:

    host all 127.0.0.1 255.255.255.255 ident sameuser
    host all 192.168.1.2 255.255.255.128 password

It would even work with

    host all 127.0.0.1 255.0.0.0 ident sameuser
    host all 192.168.1.2 255.255.255.128 password

because the whole 127.0.0.0/8 network is reserved for the loopback
device. If you now connect e.g. from 192.168.1.1 PostgreSQL evaluates

    (127.0.0.1 & 255.0.0.0) == (192.168.1.1 & 255.0.0.0)
    127.0.0.0 == 192.0.0.0

... which is obviously false. For the second entry, the equation looks
like this:

    (192.168.1.2 & 255.255.255.128) == (192.168.1.1 & 255.255.255.128)
    192.168.1.0 == 192.168.1.0

... which is true, and therefore the second entry is being used.
If now the mask in the first entry is 0.0.0.0, any IP address matches:

    (127.0.0.1 & 0.0.0.0) == (192.168.1.1 & 0.0.0.0)
    0.0.0.0 == 0.0.0.0

... and therefore the second entry is never being checked.
cu
Reinhard
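
The top-to-bottom, first-match evaluation described in this message, as an added example that is not part of the original email and not PostgreSQL's own code. It also reports entries that can never be reached because an earlier entry covers them. The function names are hypothetical, and only the address and mask columns are compared, on the assumption that every entry uses database `all` as in the thread.

```python
import ipaddress

# Constructed from the two configurations quoted in the message above.
INITIAL = """
host all 127.0.0.1   0.0.0.0         ident sameuser
host all 192.168.1.2 255.255.255.128 password
"""
FIXED = """
host all 127.0.0.1   255.255.255.255 ident sameuser
host all 192.168.1.2 255.255.255.128 password
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_hba(text):
    """Parse 'host DB ADDRESS MASK METHOD...' lines (the mask-column format)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0] == "host":
            rules.append({"addr": ip(f[2]), "mask": ip(f[3]),
                          "method": " ".join(f[4:])})
    return rules

def first_match(rules, client):
    """Index of the first rule with (addr & mask) == (client & mask), else None."""
    c = ip(client)
    for i, r in enumerate(rules):
        if (r["addr"] & r["mask"]) == (c & r["mask"]):
            return i
    return None

def shadowed(rules):
    """Indexes of rules no client can reach because an earlier rule covers them."""
    dead = []
    for j, later in enumerate(rules):
        for e in rules[:j]:
            # e covers later when e's mask bits are a subset of later's mask
            # bits and both addresses agree under e's mask.
            if ((e["mask"] & later["mask"]) == e["mask"]
                    and ((e["addr"] ^ later["addr"]) & e["mask"]) == 0):
                dead.append(j)
                break
    return dead

if __name__ == "__main__":
    for name, conf in (("initial", INITIAL), ("fixed", FIXED)):
        rules = parse_hba(conf)
        print(name, first_match(rules, "192.168.1.1"), shadowed(rules))
```

Running `shadowed()` over a pg_hba.conf before reloading it flags the situation in this thread, where a 0.0.0.0 mask on the first entry silently decides the authentication method for every client.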