Re: pg_hba.conf: samehost and samenet [REVIEW]

From Tom Lane
Subject Re: pg_hba.conf: samehost and samenet [REVIEW]
Date
Msg-id 8225.1253742034@sss.pgh.pa.us
In reply to Re: pg_hba.conf: samehost and samenet [REVIEW]  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: pg_hba.conf: samehost and samenet [REVIEW]  (Mark Mielke <mark@mark.mielke.cc>)
List pgsql-hackers
Andrew Dunstan <andrew@dunslane.net> writes:
> Tom Lane wrote:
>> In this case what particularly scares me is the idea that 'samenet'
>> might be interpreted to let in a larger subnet than the user expected,
>> eg 10/8 instead of 10.0.0/24.  You'd likely not notice the problem until
>> after you'd been broken into ...

> I haven't looked at this "feature" at all, but I'd be inclined, on the 
> grounds you quite reasonably cite, to require a netmask with "samenet", 
> rather than just ask the interface for its netmask.

I was just thinking the same thing.  Could we then unify samehost and
samenet into one thing?  sameaddr/24 or something like that, with
samehost just being the limiting case of all bits used.  I am not
sure though if this works nicely for IPv6 as well as IPv4.
        regards, tom lane
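
The concern raised in this message, as an added Python illustration that is not part of the original message and is not PostgreSQL code: it compares the network admitted when the mask is taken from the interface with the network admitted when the rule carries an explicit prefix length. `sameaddr/N` is the hypothetical syntax floated above, and the interface addresses and client addresses are constructed samples.

```python
import ipaddress

def admitted_network(local_iface, prefix_len=None):
    """Network a rule would admit, derived from one local interface.

    local_iface: "address/mask" as configured on the interface (constructed input).
    prefix_len=None: take the mask from the interface (samenet as discussed).
    prefix_len=N: explicit mask in the rule (the hypothetical sameaddr/N);
                  N = 32 (IPv4) or 128 (IPv6) is the samehost limiting case.
    """
    iface = ipaddress.ip_interface(local_iface)
    if prefix_len is None:
        return iface.network
    if not 0 <= prefix_len <= iface.max_prefixlen:
        raise ValueError(f"prefix /{prefix_len} invalid for IPv{iface.version}")
    # strict=False masks off the host bits of the local address.
    return ipaddress.ip_network(f"{iface.ip}/{prefix_len}", strict=False)

def matches(client, local_iface, prefix_len=None):
    """True if `client` falls inside the admitted network."""
    addr = ipaddress.ip_address(client)
    net = admitted_network(local_iface, prefix_len)
    # An IPv4 client never matches an IPv6 interface, and vice versa.
    return addr.version == net.version and addr in net

if __name__ == "__main__":
    # Constructed samples: the admin believes the host sits on 10.0.0/24,
    # but the interface is actually configured with a /8 mask.
    cases = [
        ("10.200.1.1", "10.0.0.5/8", None),        # interface mask
        ("10.200.1.1", "10.0.0.5/8", 24),          # explicit /24
        ("10.0.0.6", "10.0.0.5/8", 32),            # samehost limiting case
        ("2001:db8:ffff::1", "2001:db8:1:2::5/32", None),
        ("2001:db8:ffff::1", "2001:db8:1:2::5/32", 64),
        ("2001:db8:1:2::5", "2001:db8:1:2::5/32", 128),
    ]
    for client, iface, plen in cases:
        net = admitted_network(iface, plen)
        verdict = "admit" if matches(client, iface, plen) else "reject"
        print(f"{client:18} via {iface:20} -> {net} : {verdict}")
```
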

