From: Bruce Momjian <bruce@momjian.us>
Message-Id: <201106100042.p5A0gAw27314@momjian.us>
Subject: Re: CIDR address in pg_hba.conf
In-Reply-To: <8795.1307379385@sss.pgh.pa.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Date: Thu, 9 Jun 2011 20:42:10 -0400 (EDT)
CC: Fujii Masao <masao.fujii@gmail.com>,
 pgsql-docs <pgsql-docs@postgresql.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"

Tom Lane wrote:
> Fujii Masao <masao.fujii@gmail.com> writes:
> > http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
> >> An IP address is specified in standard dotted decimal notation with
> >> a CIDR mask length. The mask length indicates the number of
> >> high-order bits of the client IP address that must match. Bits to the
> >> right of this must be zero in the given IP address.
> 
> > Is the last statement correct? When I specified the following setting
> > in pg_hba.conf, I could not find any problem in PostgreSQL.
> 
> >     host  all  all  192.168.1.99/24  trust
> 
> > As far as I read the code, those bits seem not to need to be zero.
> > Attached patch just removes that statement.
> 
> Even if it happens to work that way at the moment, do we want to
> encourage people to depend on such an implementation artifact?
> 
> IOW, if you read "must" as "if you want to trust it to work in future
> versions, you must", the advice is perfectly sound.

Should we use "should"?

> >> right of this should be zero in the given IP address.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +