From 24b29ca8f9dc4a5e5f873f0fcb56438c526700f6 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Sun, 24 Oct 2010 15:54:00 +0300
Subject: Support suffix matching of host names in pg_hba.conf
A name starting with a dot can be used to match a suffix of the actual host name (e.g., .example.com matches foo.example.com).
---
 src/backend/libpq/hba.c | 22 +++++++++++++++++++++-
 src/backend/libpq/pg_hba.conf.sample | 3 ++-
 2 files changed, 23 insertions(+), 2 deletions(-)
(limited to 'src/backend/libpq')
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 17363599626..d9d11d81b9d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -564,6 +564,26 @@ ipv6eq(struct sockaddr_in6 *a, struct sockaddr_in6 *b)
 #endif /* HAVE_IPV6 */
+/*
+ * Check whether host name matches pattern.
+ */
+static bool
+hostname_match(const char *pattern, const char *actual_hostname)
+{
+ if (pattern[0] == '.') /* suffix match */
+ {
+ size_t plen = strlen(pattern);
+ size_t hlen = strlen(actual_hostname);
+
+ if (hlen < plen)
+ return false;
+
+ return (pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
+ }
+ else
+ return (pg_strcasecmp(pattern, actual_hostname) == 0);
+}
+
 /*
 * Check to see if a connecting IP matches a given host name.
 */
@@ -588,7 +608,7 @@ check_hostname(hbaPort *port, const char *hostname)
 port->remote_hostname = pstrdup(remote_hostname);
 }
- if (pg_strcasecmp(port->remote_hostname, hostname) != 0)
+ if (!hostname_match(hostname, port->remote_hostname))
 return false;
 /* Lookup IP from host name and check against original IP */
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 87fed80eedf..87f84991bca 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
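Review bot: The header comment on `hostname_match` does not state the matching rules, which matter because this function now decides which clients an access-control record applies to. I would expand it to something like `/* A pattern starting with '.' matches any host name that ends with it, compared case-insensitively; the bare domain does not match (".example.com" does not match "example.com"). */`. The comment should also say that keeping the leading dot in the comparison is what pins the match to a label boundary, so ".example.com" cannot match "badexample.com"; a later edit that strips the dot before comparing would silently widen every suffix rule.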
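Review bot: In `check_hostname` the `hostname` argument can now be a pattern such as `.example.com` rather than a resolvable name, so the forward lookup that follows this check (it begins at the `/* Lookup IP from host name and check against original IP */` comment and continues outside the hunk) has to resolve `port->remote_hostname`, never `hostname`. That cannot be confirmed from the visible lines; if it already does, a comment such as `/* resolve the name we looked up for the client, not the pattern: a suffix pattern is not a host name */` would keep it that way. The stored name is presumably the result of a reverse lookup, which the owner of the client's address space controls, so that forward confirmation is the only step tying a suffix rule to the intended domain. The function's opening lines are also outside the hunk.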
@@ -32,7 +32,8 @@
 # ADDRESS specifies the set of hosts the record matches. It can be a
 # host name, or it is made up of an IP address and a CIDR mask that is
 # an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask.
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
 # Alternatively, you can write an IP address and netmask in separate
 # columns to specify the set of hosts. Instead of a CIDR-address, you
 # can write "samehost" to match any of the server's own IP addresses,
-- 
cgit v1.2.3