Hostnames in pg_hba.conf

Hi there,

I've been working on a patch to add hostname support to pg_hba.conf. It's not ready for public display yet, but I would just like to run a couple of issues / discussion points past everybody.

ISSUE #1: Performance / caching

At present, I've simply not added caching. The reasoning for this is as follows:
(a) getaddrinfo doesn't tell us about expiry, so when do you refresh?
(b) If you put the cache in the postmaster, it will not work for exec-based backends as opposed to fork-based backends, since those read pg_hba.conf every time they are exec'ed.
(c) If you put this in the postmaster, the postmaster will have to update the cache every once in a while, which may be slow and which may prevent new connections while the cache update takes place.
(d) Outdated cache entries may inexplicably and without any logging choose the wrong rule for some clients. Big aargh: people will start using this to specify 'deny' rules based on host names.

If you COULD get expiry info out of getaddrinfo you could potentially store this info in a table or something like that, and have it updated by the backends? But that's way over my head for now. ISTM that this stuff may better be handled by a locally-running caching DNS server, if people have performance issues with the lack of caching. These local caching DNS servers can also handle expiry correctly, etcetera.

We should of course still take care to look up a given hostname only once for each connection request.

ISSUE #2: Reverse lookup?

There was a suggestion on the TODO list on the wiki, which basically said that maybe we could use reverse lookup to find "the" hostname and then check for that hostname in the list. I think that won't work, since IPs can go by many names and may not support reverse lookup for some hostnames (/etc/hosts anybody?). Furthermore, due to the top-to-bottom processing of pg_hba.conf, you CANNOT SKIP entries that might possibly match. For instance, if the third line is for host "foo.example.com" and the fifth line is for "bar.example.com", both lines may apply to the same IP, and you still HAVE to check the first one, even if reverse lookup turns up the second host name. So it doesn't save you any lookups, it just costs an extra one.

ISSUE #3: Multiple hostnames?

Currently, a pg_hba entry lists an IP / netmask combination. I would suggest allowing lists of hostnames in the entries, so that you can at least mimic the "match multiple hosts by a single rule". Any reason not to do this?

Comments / bright ideas are welcome, especially regarding issue #1.

Cheers,
Bart
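To make the top-to-bottom argument in issue #2 (and the per-connection lookup rule from issue #1) concrete, here is an added example of forward-resolving hostname entries in a pg_hba-style rule list. It is not Bart's patch or PostgreSQL code: the rule format, the comma-separated hostname list from issue #3, the match_hba function and the in-memory DNS table standing in for getaddrinfo are all assumptions made for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed forward-DNS table standing in for getaddrinfo(). foo and bar
# share an address, as in the post's example, so both rules apply to it.
FAKE_DNS: Dict[str, List[str]] = {
    "foo.example.com": ["192.0.2.10", "198.51.100.5"],
    "bar.example.com": ["192.0.2.10"],
    "baz.example.com": ["203.0.113.7"],
}

def fake_getaddrinfo(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])

# (address field, auth method): a CIDR or a comma-separated hostname list
# (issue #3). Constructed rules; the hostname-list syntax is hypothetical.
RULES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "md5"),
    ("foo.example.com", "reject"),
    ("bar.example.com, baz.example.com", "trust"),
    ("foo.example.com", "trust"),
]

def match_hba(client_ip: str, rules=RULES,
              resolve: Callable[[str], List[str]] = fake_getaddrinfo
              ) -> Tuple[Optional[int], str, int]:
    """Return (index of first matching rule or None, method, DNS lookups done).

    Every rule that might match is checked in order; a hostname is resolved
    at most once per connection attempt, and nothing is kept across attempts.
    """
    client = ipaddress.ip_address(client_ip)
    resolved: Dict[str, List[str]] = {}  # per-connection only (issue #1)
    lookups = 0
    for idx, (addr_field, method) in enumerate(rules):
        for spec in (s.strip() for s in addr_field.split(",")):
            try:
                if client in ipaddress.ip_network(spec, strict=False):
                    return idx, method, lookups
                continue
            except ValueError:
                pass  # not an IP or CIDR, so treat it as a hostname
            if spec not in resolved:
                resolved[spec] = resolve(spec)
                lookups += 1
            if client_ip in resolved[spec]:
                return idx, method, lookups
    return None, "reject", lookups  # no rule matched: implicit reject

if __name__ == "__main__":
    # 192.0.2.10 is both foo and bar; the earlier (reject) rule wins.
    print(match_hba("192.0.2.10"))   # (1, 'reject', 1)
    print(match_hba("203.0.113.7"))  # (2, 'trust', 3)
```

A reverse lookup that returned "bar.example.com" for 192.0.2.10 would have pointed at the trust rule, while first-match evaluation correctly lands on the earlier reject rule for foo.example.com.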

In the pgsql-hackers list, by date sent.
