Matching Client Addresses and Host Names

In a network address, do not omit trailing zeroes. </para> <para> An entry given in IPv4 format will match only IPv4 connections, and an entry given in IPv6 format will match only IPv6 connections, even if the represented address is in the IPv4-in-IPv6 range. </para> <para> You can also write <literal>all</literal> to match any IP address, <literal>samehost</literal> to match any of the server's own IP addresses, or <literal>samenet</literal> to match any address in any subnet that the server is directly connected to. </para> <para> If a host name is specified (anything that is not an IP address range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client's IP address (e.g., reverse DNS lookup, if DNS is used). Host name comparisons are case insensitive. If there is a match, then a forward name resolution (e.g., forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client's IP address. If both directions match, then the entry is considered to match. (The host name that is used in <filename>pg_hba.conf</filename> should be the one that address-to-name resolution of the client's IP address returns, otherwise the line won't be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.) </para> <para> A host name specification that starts with a dot (<literal>.</literal>) matches a suffix of the actual host name. So <literal>.example.com</literal> would match <literal>foo.example.com</literal> (but not just <literal>example.com</literal>). </para> <para> When host names are specified in <filename>pg_hba.conf</filename>, you should make sure that name resolution is reasonably fast. It can be of advantage to set up a local name resolution cache such as <command>nscd</command>. Also, you may wish to enable the configuration parameter <varname>log_hostname</varname> to see the client's host name instead of the IP address in the log. </para> <para> These fields do not apply to <literal>local</literal> records. </para> <note> <para> Users sometimes wonder why host names are handled in this seemingly complicated way, with two name resolutions including a reverse lookup of the client's IP address. This complicates use of the feature in case the client's reverse DNS entry is not set up or yields some undesirable host name. It is done primarily for efficiency: this way, a connection attempt requires at most two resolver lookups, one reverse and one forward. If there is a resolver problem with some address, it becomes only that client's problem. A hypothetical alternative implementation that only did forward lookups would have to resolve every host name mentioned in <filename>pg_hba.conf</filename> during every connection attempt. That could be quite slow if many names are listed. And if there is a resolver problem with one of the host names, it becomes everyone's problem. </para> <para> Also, a reverse lookup is necessary to implement the suffix matching feature, because the actual client host name needs to be known in order to match it against the pattern. </para> <para> Note that this behavior is consistent with other popular implementations of host name-based access control, such as the Apache HTTP Server and TCP Wrappers.

The address field in pg_hba.conf can match IP addresses, host names, or special key words like 'all', 'samehost', and 'samenet'. Host name matching involves reverse and forward DNS lookups, and is case-insensitive. A host name specification starting with a dot matches a suffix of the actual host name. The use of host names in pg_hba.conf requires efficient name resolution, and users can set up a local name resolution cache or enable the log_hostname configuration parameter for better logging.