Remove code to match IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses.

In investigating yesterday's crash report from Hugo Osvaldo Barrera, I only
looked back as far as commit f3aec2c7f51904e7 where the breakage occurred
(which is why I thought the IPv4-in-IPv6 business was undocumented).  But
actually the logic dates back to commit 3c9bb8886df7d56a and was simply
broken by erroneous refactoring in the later commit.  A bit of archives
excavation shows that we added the whole business in response to a report
that some 2003-era Linux kernels would report IPv4 connections as having
IPv4-in-IPv6 addresses.  The fact that we've had no complaints since 9.0
seems to be sufficient confirmation that no modern kernels do that, so
let's just rip it all out rather than trying to fix it.

Do this in the back branches too, thus essentially deciding that our
effective behavior since 9.0 is correct.  If there are any platforms on
which the kernel reports IPv4-in-IPv6 addresses as such, yesterday's fix
would have made for a subtle and potentially security-sensitive change in
the effective meaning of IPv4 pg_hba.conf entries, which does not seem like
a good thing to do in minor releases.  So let's let the post-9.0 behavior
stand, and change the documentation to match it.

In passing, I failed to resist the temptation to wordsmith the description
of pg_hba.conf IPv4 and IPv6 address entries a bit.  A lot of this text
hasn't been touched since we were IPv4-only.

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index b3de982a02e4064ee089a779090b8f8c4fe10856..d698dbd96f239a73c2df7b357a143537b9d0e80a 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -250,13 +250,11 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
       </para>
 
       <para>
-       An IP address given in IPv4 format will match IPv6 connections that
-       have the corresponding address, for example <literal>127.0.0.1</>
-       will match the IPv6 address <literal>::ffff:127.0.0.1</>.  An entry
-       given in IPv6 format will match only IPv6 connections, even if the
-       represented address is in the IPv4-in-IPv6 range.  Note that entries
-       in IPv6 format will be rejected if the system's C library does not have
-       support for IPv6 addresses.
+       An entry given in IPv4 format will match only IPv4 connections,
+       and an entry given in IPv6 format will match only IPv6 connections,
+       even if the represented address is in the IPv4-in-IPv6 range.
+       Note that entries in IPv6 format will be rejected if the system's
+       C library does not have support for IPv6 addresses.
       </para>
 
       <para>

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 87fd2db5450ab9548e178c6385483cffad434655..dd8f9a038fc0e99163ddb430decb2bfe63b8e946 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -549,42 +549,12 @@ check_db(const char *dbname, const char *role, Oid roleid, char *param_str)
 static bool
 check_ip(SockAddr *raddr, struct sockaddr * addr, struct sockaddr * mask)
 {
-       if (raddr->addr.ss_family == addr->sa_family)
-       {
-               /* Same address family */
-               if (!pg_range_sockaddr(&raddr->addr,
-                                                          (struct sockaddr_storage *) addr,
-                                                          (struct sockaddr_storage *) mask))
-                       return false;
-       }
-#ifdef HAVE_IPV6
-       else if (addr->sa_family == AF_INET &&
-                        raddr->addr.ss_family == AF_INET6)
-       {
-               /*
-                * If we're connected on IPv6 but the file specifies an IPv4 address
-                * to match against, promote the latter to an IPv6 address before
-                * trying to match the client's address.
-                */
-               struct sockaddr_storage addrcopy,
-                                       maskcopy;
-
-               memcpy(&addrcopy, addr, sizeof(addrcopy));
-               memcpy(&maskcopy, mask, sizeof(maskcopy));
-               pg_promote_v4_to_v6_addr(&addrcopy);
-               pg_promote_v4_to_v6_mask(&maskcopy);
-
-               if (!pg_range_sockaddr(&raddr->addr, &addrcopy, &maskcopy))
-                       return false;
-       }
-#endif   /* HAVE_IPV6 */
-       else
-       {
-               /* Wrong address family, no IPV6 */
-               return false;
-       }
-
-       return true;
+       if (raddr->addr.ss_family == addr->sa_family &&
+               pg_range_sockaddr(&raddr->addr,
+                                                 (struct sockaddr_storage *) addr,
+                                                 (struct sockaddr_storage *) mask))
+               return true;
+       return false;
 }
 
 /*

diff --git a/src/backend/libpq/ip.c b/src/backend/libpq/ip.c
index 0491d16643a7bf211d9629fa39e9a163bd2604e2..2308400796e6eb3fa19a95612a1ca7220b6a7256 100644 (file)
--- a/src/backend/libpq/ip.c
+++ b/src/backend/libpq/ip.c
@@ -412,79 +412,6 @@ pg_sockaddr_cidr_mask(struct sockaddr_storage * mask, char *numbits, int family)
 }
 
 
-#ifdef HAVE_IPV6
-
-/*
- * pg_promote_v4_to_v6_addr --- convert an AF_INET addr to AF_INET6, using
- *             the standard convention for IPv4 addresses mapped into IPv6 world
- *
- * The passed addr is modified in place; be sure it is large enough to
- * hold the result!  Note that we only worry about setting the fields
- * that pg_range_sockaddr will look at.
- */
-void
-pg_promote_v4_to_v6_addr(struct sockaddr_storage * addr)
-{
-       struct sockaddr_in addr4;
-       struct sockaddr_in6 addr6;
-       uint32          ip4addr;
-
-       memcpy(&addr4, addr, sizeof(addr4));
-       ip4addr = ntohl(addr4.sin_addr.s_addr);
-
-       memset(&addr6, 0, sizeof(addr6));
-
-       addr6.sin6_family = AF_INET6;
-
-       addr6.sin6_addr.s6_addr[10] = 0xff;
-       addr6.sin6_addr.s6_addr[11] = 0xff;
-       addr6.sin6_addr.s6_addr[12] = (ip4addr >> 24) & 0xFF;
-       addr6.sin6_addr.s6_addr[13] = (ip4addr >> 16) & 0xFF;
-       addr6.sin6_addr.s6_addr[14] = (ip4addr >> 8) & 0xFF;
-       addr6.sin6_addr.s6_addr[15] = (ip4addr) & 0xFF;
-
-       memcpy(addr, &addr6, sizeof(addr6));
-}
-
-/*
- * pg_promote_v4_to_v6_mask --- convert an AF_INET netmask to AF_INET6, using
- *             the standard convention for IPv4 addresses mapped into IPv6 world
- *
- * This must be different from pg_promote_v4_to_v6_addr because we want to
- * set the high-order bits to 1's not 0's.
- *
- * The passed addr is modified in place; be sure it is large enough to
- * hold the result!  Note that we only worry about setting the fields
- * that pg_range_sockaddr will look at.
- */
-void
-pg_promote_v4_to_v6_mask(struct sockaddr_storage * addr)
-{
-       struct sockaddr_in addr4;
-       struct sockaddr_in6 addr6;
-       uint32          ip4addr;
-       int                     i;
-
-       memcpy(&addr4, addr, sizeof(addr4));
-       ip4addr = ntohl(addr4.sin_addr.s_addr);
-
-       memset(&addr6, 0, sizeof(addr6));
-
-       addr6.sin6_family = AF_INET6;
-
-       for (i = 0; i < 12; i++)
-               addr6.sin6_addr.s6_addr[i] = 0xff;
-
-       addr6.sin6_addr.s6_addr[12] = (ip4addr >> 24) & 0xFF;
-       addr6.sin6_addr.s6_addr[13] = (ip4addr >> 16) & 0xFF;
-       addr6.sin6_addr.s6_addr[14] = (ip4addr >> 8) & 0xFF;
-       addr6.sin6_addr.s6_addr[15] = (ip4addr) & 0xFF;
-
-       memcpy(addr, &addr6, sizeof(addr6));
-}
-#endif   /* HAVE_IPV6 */
-
-
 /*
  * Run the callback function for the addr/mask, after making sure the
  * mask is sane for the addr.

diff --git a/src/include/libpq/ip.h b/src/include/libpq/ip.h
index b6ab7827ed7547f5d800e1ee8dfe972e27f2254e..21db321627db122b35e1b74e2c84c7717d8044ed 100644 (file)
--- a/src/include/libpq/ip.h
+++ b/src/include/libpq/ip.h
@@ -46,11 +46,6 @@ extern int pg_range_sockaddr(const struct sockaddr_storage * addr,
 extern int pg_sockaddr_cidr_mask(struct sockaddr_storage * mask,
                                          char *numbits, int family);
 
-#ifdef HAVE_IPV6
-extern void pg_promote_v4_to_v6_addr(struct sockaddr_storage * addr);
-extern void pg_promote_v4_to_v6_mask(struct sockaddr_storage * addr);
-#endif
-
 extern int     pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data);
 
 #endif   /* IP_H */