Support "samehost" and "samenet" specifications in pg_hba.conf,

by enumerating the machine's IP interfaces to look for a match.

Stef Walter

configure

@@ -9691,7 +9691,10 @@ done
 
 
 
-for ac_header in crypt.h dld.h fp_class.h getopt.h ieeefp.h langinfo.h poll.h pwd.h sys/ipc.h sys/poll.h sys/pstat.h sys/resource.h sys/select.h sys/sem.h sys/socket.h sys/shm.h sys/tas.h sys/time.h sys/un.h termios.h ucred.h utime.h wchar.h wctype.h kernel/OS.h kernel/image.h SupportDefs.h
+
+
+
+for ac_header in crypt.h dld.h fp_class.h getopt.h ieeefp.h ifaddrs.h langinfo.h poll.h pwd.h sys/ioctl.h sys/ipc.h sys/poll.h sys/pstat.h sys/resource.h sys/select.h sys/sem.h sys/shm.h sys/socket.h sys/sockio.h sys/tas.h sys/time.h sys/un.h termios.h ucred.h utime.h wchar.h wctype.h kernel/OS.h kernel/image.h SupportDefs.h
 do
 as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
@@ -9842,6 +9845,75 @@ fi
 done
 
 
+# On BSD, cpp test for net/if.h will fail unless sys/socket.h
+# is included first.
+
+for ac_header in net/if.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
 # At least on IRIX, cpp test for netinet/tcp.h will fail unless
 # netinet/in.h is included first.
 
@@ -17327,7 +17399,8 @@ fi
 
 
 
-for ac_func in cbrt dlopen fcvt fdatasync getpeereid getpeerucred getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs
+
+for ac_func in cbrt dlopen fcvt fdatasync getifaddrs getpeereid getpeerucred getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs
 do
 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5

configure.in

 dnl Process this file with autoconf to produce a configure script.
-dnl $PostgreSQL: pgsql/configure.in,v 1.611 2009/09/13 22:18:22 tgl Exp $
+dnl $PostgreSQL: pgsql/configure.in,v 1.612 2009/10/01 01:58:57 tgl Exp $
 dnl
 dnl Developers, please strive to achieve this order:
 dnl
@@ -969,7 +969,16 @@ AC_SUBST(OSSP_UUID_LIBS)
 ##
 
 dnl sys/socket.h is required by AC_FUNC_ACCEPT_ARGTYPES
-AC_CHECK_HEADERS([crypt.h dld.h fp_class.h getopt.h ieeefp.h langinfo.h poll.h pwd.h sys/ipc.h sys/poll.h sys/pstat.h sys/resource.h sys/select.h sys/sem.h sys/socket.h sys/shm.h sys/tas.h sys/time.h sys/un.h termios.h ucred.h utime.h wchar.h wctype.h kernel/OS.h kernel/image.h SupportDefs.h])
+AC_CHECK_HEADERS([crypt.h dld.h fp_class.h getopt.h ieeefp.h ifaddrs.h langinfo.h poll.h pwd.h sys/ioctl.h sys/ipc.h sys/poll.h sys/pstat.h sys/resource.h sys/select.h sys/sem.h sys/shm.h sys/socket.h sys/sockio.h sys/tas.h sys/time.h sys/un.h termios.h ucred.h utime.h wchar.h wctype.h kernel/OS.h kernel/image.h SupportDefs.h])
+
+# On BSD, cpp test for net/if.h will fail unless sys/socket.h
+# is included first.
+AC_CHECK_HEADERS(net/if.h, [], [],
+[AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+])
 
 # At least on IRIX, cpp test for netinet/tcp.h will fail unless
 # netinet/in.h is included first.
@@ -1148,7 +1157,7 @@ PGAC_VAR_INT_TIMEZONE
 AC_FUNC_ACCEPT_ARGTYPES
 PGAC_FUNC_GETTIMEOFDAY_1ARG
 
-AC_CHECK_FUNCS([cbrt dlopen fcvt fdatasync getpeereid getpeerucred getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])
+AC_CHECK_FUNCS([cbrt dlopen fcvt fdatasync getifaddrs getpeereid getpeerucred getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])
 
 # posix_fadvise() is a no-op on Solaris, so don't incur function overhead
 # by calling it, 2009-04-02

doc/src/sgml/client-auth.sgml

-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.123 2009/06/24 13:46:32 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.124 2009/10/01 01:58:57 tgl Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -225,6 +225,13 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        <literal>/</literal>, and the CIDR mask length.
       </para>
 
+      <para>
+       Instead of a <replaceable>CIDR-address</replaceable>, you can write
+       <literal>samehost</literal> to match any of the server's own IP
+       addresses, or <literal>samenet</literal> to match any address in any
+       subnet that the server is directly connected to.
+      </para>
+
       <para>
        Typical examples of a <replaceable>CIDR-address</replaceable> are
        <literal>172.20.143.89/32</literal> for a single host, or

src/backend/libpq/pg_hba.conf.sample

@@ -33,6 +33,9 @@
 # (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
 # the number of significant bits in the mask.  Alternatively, you can write
 # an IP address and netmask in separate columns to specify the set of hosts.
+# Instead of a CIDR-address, you can write "samehost" to match any of the 
+# server's own IP addresses, or "samenet" to match any address in any subnet
+# that the server is directly connected to.
 #
 # METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", "krb5",
 # "ident", "pam", "ldap" or "cert".  Note that "password" sends passwords

src/include/libpq/hba.h

@@ -4,7 +4,7 @@
  *	  Interface to hba.c
  *
  *
- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.58 2009/09/01 03:53:08 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.59 2009/10/01 01:58:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -30,6 +30,13 @@ typedef enum UserAuth
 	uaCert
 } UserAuth;
 
+typedef enum IPCompareMethod
+{
+	ipCmpMask,
+	ipCmpSameHost,
+	ipCmpSameNet
+} IPCompareMethod;
+
 typedef enum ConnType
 {
 	ctLocal,
@@ -46,6 +53,7 @@ typedef struct
 	char	   *role;
 	struct sockaddr_storage addr;
 	struct sockaddr_storage mask;
+	IPCompareMethod ip_cmp_method;
 	UserAuth	auth_method;
 
 	char	   *usermap;

src/include/libpq/ip.h

@@ -8,7 +8,7 @@
  *
  * Copyright (c) 2003-2009, PostgreSQL Global Development Group
  *
- * $PostgreSQL: pgsql/src/include/libpq/ip.h,v 1.21 2009/01/01 17:23:59 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/ip.h,v 1.22 2009/10/01 01:58:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -19,6 +19,16 @@
 #include "libpq/pqcomm.h"
 
 
+#ifdef	HAVE_UNIX_SOCKETS
+#define IS_AF_UNIX(fam) ((fam) == AF_UNIX)
+#else
+#define IS_AF_UNIX(fam) (0)
+#endif
+
+typedef void (*PgIfAddrCallback) (struct sockaddr *addr,
+								  struct sockaddr *netmask,
+								  void *cb_data);
+
 extern int pg_getaddrinfo_all(const char *hostname, const char *servname,
 				   const struct addrinfo * hintp,
 				   struct addrinfo ** result);
@@ -41,10 +51,6 @@ extern void pg_promote_v4_to_v6_addr(struct sockaddr_storage * addr);
 extern void pg_promote_v4_to_v6_mask(struct sockaddr_storage * addr);
 #endif
 
-#ifdef	HAVE_UNIX_SOCKETS
-#define IS_AF_UNIX(fam) ((fam) == AF_UNIX)
-#else
-#define IS_AF_UNIX(fam) (0)
-#endif
+extern int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data);
 
 #endif   /* IP_H */

src/include/pg_config.h.in

@@ -179,6 +179,9 @@
 /* Define to 1 if you have the `gethostbyname_r' function. */
 #undef HAVE_GETHOSTBYNAME_R
 
+/* Define to 1 if you have the `getifaddrs' function. */
+#undef HAVE_GETIFADDRS
+
 /* Define to 1 if you have the `getopt' function. */
 #undef HAVE_GETOPT
 
@@ -221,6 +224,9 @@
 /* Define to 1 if you have the <ieeefp.h> header file. */
 #undef HAVE_IEEEFP_H
 
+/* Define to 1 if you have the <ifaddrs.h> header file. */
+#undef HAVE_IFADDRS_H
+
 /* Define to 1 if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
 
@@ -336,6 +342,9 @@
 /* Define to 1 if you have the <netinet/tcp.h> header file. */
 #undef HAVE_NETINET_TCP_H
 
+/* Define to 1 if you have the <net/if.h> header file. */
+#undef HAVE_NET_IF_H
+
 /* Define to 1 if you have the `on_exit' function. */
 #undef HAVE_ON_EXIT
 
@@ -523,6 +532,9 @@
 /* Define to 1 if you have the syslog interface. */
 #undef HAVE_SYSLOG
 
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#undef HAVE_SYS_IOCTL_H
+
 /* Define to 1 if you have the <sys/ipc.h> header file. */
 #undef HAVE_SYS_IPC_H
 
@@ -547,6 +559,9 @@
 /* Define to 1 if you have the <sys/socket.h> header file. */
 #undef HAVE_SYS_SOCKET_H
 
+/* Define to 1 if you have the <sys/sockio.h> header file. */
+#undef HAVE_SYS_SOCKIO_H
+
 /* Define to 1 if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H
 

src/tools/ifaddrs/Makefile

+#-------------------------------------------------------------------------
+#
+# Makefile for src/tools/ifaddrs
+#
+# Copyright (c) 2003-2009, PostgreSQL Global Development Group
+#
+# $PostgreSQL: pgsql/src/tools/ifaddrs/Makefile,v 1.1 2009/10/01 01:58:58 tgl Exp $
+#
+#-------------------------------------------------------------------------
+
+subdir = src/tools/ifaddrs
+top_builddir = ../../..
+include $(top_builddir)/src/Makefile.global
+
+libpq_backend_dir = $(top_builddir)/src/backend/libpq
+
+override CPPFLAGS := -I$(libpq_backend_dir) $(CPPFLAGS)
+
+OBJS = test_ifaddrs.o
+
+all: test_ifaddrs
+
+test_ifaddrs: test_ifaddrs.o $(libpq_backend_dir)/ip.o
+	$(CC) $(CFLAGS) test_ifaddrs.o $(libpq_backend_dir)/ip.o $(LDFLAGS) $(LIBS) -o $@$(X)
+
+clean distclean maintainer-clean:
+	rm -f test_ifaddrs$(X) $(OBJS)

src/tools/ifaddrs/README

+$PostgreSQL: pgsql/src/tools/ifaddrs/README,v 1.1 2009/10/01 01:58:58 tgl Exp $
+
+test_ifaddrs
+============
+
+This program prints the addresses and netmasks of all the IPv4 and IPv6
+interfaces on the local machine.  It is useful for testing that this
+functionality works on various platforms.  If "samehost" and "samenet"
+in pg_hba.conf don't seem to work right, run this program to see what
+is happening.
+
+Usage:	test_ifaddrs

src/tools/ifaddrs/test_ifaddrs.c

+/*
+ * $PostgreSQL: pgsql/src/tools/ifaddrs/test_ifaddrs.c,v 1.1 2009/10/01 01:58:58 tgl Exp $
+ *
+ *
+ *	test_ifaddrs.c
+ *		test pg_foreach_ifaddr()
+ */
+
+#include "postgres.h"
+
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "libpq/ip.h"
+
+
+static void
+print_addr(struct sockaddr *addr)
+{
+	char buffer[256];
+	int ret, len;
+
+	switch (addr->sa_family)
+	{
+		case AF_INET:
+			len = sizeof(struct sockaddr_in);
+			break;
+#ifdef HAVE_IPV6
+		case AF_INET6:
+			len = sizeof(struct sockaddr_in6);
+			break;
+#endif
+		default:
+			len = sizeof(struct sockaddr_storage);
+			break;
+	}
+
+	ret = getnameinfo(addr, len, buffer, sizeof(buffer), NULL, 0,
+					  NI_NUMERICHOST);
+	if (ret != 0)
+		printf("[unknown: family %d]", addr->sa_family);
+	else
+		printf("%s", buffer);
+}
+
+static void
+callback(struct sockaddr *addr, struct sockaddr *mask, void *unused)
+{
+	printf("addr: ");
+	print_addr(addr);
+	printf("  mask: ");
+	print_addr(mask);
+	printf("\n");
+}
+
+int
+main(int argc, char *argv[])
+{
+#ifdef WIN32
+	WSADATA wsaData;
+
+	if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
+	{
+		fprintf(stderr, "WSAStartup failed\n");
+		return 1;
+	}
+#endif
+
+	if (pg_foreach_ifaddr(callback, NULL) < 0)
+		fprintf(stderr, "pg_foreach_ifaddr failed: %s\n", strerror(errno));
+	return 0;
+}

src/tools/msvc/Mkvcbuild.pm

@@ -3,7 +3,7 @@ package Mkvcbuild;
 #
 # Package that generates build files for msvc build
 #
-# $PostgreSQL: pgsql/src/tools/msvc/Mkvcbuild.pm,v 1.42 2009/08/07 20:50:22 petere Exp $
+# $PostgreSQL: pgsql/src/tools/msvc/Mkvcbuild.pm,v 1.43 2009/10/01 01:58:58 tgl Exp $
 #
 use Carp;
 use Win32;
@@ -147,6 +147,7 @@ sub mkvcbuild
     $libpq->AddIncludeDir('src\port');
     $libpq->AddLibrary('wsock32.lib');
     $libpq->AddLibrary('secur32.lib');
+    $libpq->AddLibrary('ws2_32.lib');
     $libpq->AddLibrary('wldap32.lib') if ($solution->{options}->{ldap});
     $libpq->UseDef('src\interfaces\libpq\libpqdll.def');
     $libpq->ReplaceFile('src\interfaces\libpq\libpqrc.c','src\interfaces\libpq\libpq.rc');