PATCH: Disallow a netmask of zero unless the IP is also all zeroes

Greg Sabino Mullane <htamfids@gmail.com>

From: Greg Sabino Mullane <htamfids@gmail.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-02-11T20:05:33Z
Lists: pgsql-hackers

I ran into this alarming mistake again the other day. Luckily it was on a
dev system. Someone sees an entry in a pg_hba.conf that looks like this:

host all all 0.0.0.0/0 md5

They are gobsmacked when they learn this means to let everyone in. So they
fix it by adding new entries that look like this:

host all all 10.2.55.4/0 md5
host all all 10.2.55.5/0 md5
host all all 10.2.55.6/0 md5

It should, of course, be:

host all all 10.2.55.4/32 md5

I say "of course" but few people (even tech ones) know the distinction.
(Nor should they have to! But that's for a nearby thread). This patch aims
to prevent this very bad footgun by only allowing a /0 if the IP consists
of only zeroes. It works for IPv4 and IPv6.

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
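
Added example (not part of the original message and not the attached patch): a small Python audit that flags existing pg_hba.conf records of the kind described above, where the mask is zero bits wide but the IP is not all zeroes. It goes slightly beyond the message by also checking the separate IP-mask column form; the function name and sample file are constructed for illustration, and it assumes simple whitespace-separated records with no quoted fields or include directives.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, built around the entries quoted in the message above.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   0.0.0.0/0      md5
host    all       all   10.2.55.4/0    md5
host    all       all   10.2.55.5/32   md5
host    all       all   10.2.55.6 0.0.0.0 md5
hostssl all       all   ::/0           md5
hostssl all       all   fe80::1/0      md5
host    all       all   samenet        md5
"""

def find_zero_mask_entries(text):
    """Return (line_number, address) for each record whose mask is zero bits
    wide while the IP itself is not all zeroes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue  # comment, blank line, or a "local" record
        addr_field = fields[3]
        if "/" in addr_field:
            ip_text, mask_text = addr_field.split("/", 1)
        else:
            # Older form: IP address and netmask in separate columns.
            ip_text, mask_text = addr_field, fields[4]
        try:
            ip = ipaddress.ip_address(ip_text)
            # strict=False mirrors how the mask is applied: host bits are
            # ignored, so 10.2.55.4/0 collapses to 0.0.0.0/0.
            net = ipaddress.ip_network(f"{ip_text}/{mask_text}", strict=False)
        except ValueError:
            continue  # host name, samehost/samenet, or no numeric mask
        if net.prefixlen == 0 and int(ip) != 0:
            findings.append((lineno, f"{ip_text}/{mask_text}"))
    return findings

if __name__ == "__main__":
    for lineno, address in find_zero_mask_entries(SAMPLE_HBA):
        print(f"line {lineno}: {address} matches every client address")
```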