get_applied_network_rule(p_host_addr inet, p_instance_id uuid DEFAULT NULL::uuid, p_instance_owner_id uuid DEFAULT NULL::uuid)


Description

Applies all of the applicable network rules for a host and returns the governing record for the identified host.

The returned rule is chosen by identifying which rules apply to the host based on the provided Instance related parameters and then limiting the return to the rule with the highest precedence. Currently the precedence is defined as:

  1. Disallowed Hosts: Globally disallowed or “banned” hosts are always checked first and no later rule can override the denial. Only removing the host from the syst_disallowed_hosts table can reverse this denial.

  2. Global Rules: These are rules applied to all Instances without exception.

  3. Instance Rules: Rules defined by Instance Owners for a specific Instance; these are the most granular rule level available (p_instance_id).

  4. Instance Owner Rules: Applied to all Instances owned by the identified Owner (p_instance_owner_id).

  5. Global Implied Default Rule: When no explicitly defined network rule has been found for a host, this rule applies implicitly. The current rule grants access from any host.

Parameters

  • p_host_addr :: Required? True; Default: ( No Default )

    The host IP address for which to retrieve a network rule to apply.

  • p_instance_id :: Required? False; Default: NULL

    The record id of the Instance that the host is attempting to access.

    Note that NULL is a valid value subject to the conditions in the function description.

  • p_instance_owner_id :: Required? False; Default: NULL

    The record id value of the Owner record which owns the Instance.

    Note that NULL is a valid value subject to the conditions in the function description.

General Usage

This function returns the best matching rule for the provided parameters. This means that when p_host_addr is provided but neither p_instance_id nor p_instance_owner_id is provided, the host can only be evaluated against the Disallowed Hosts and the Global Network Rules, which is not sufficient for a complete validation of the host's access to an Instance. Such incomplete checks can still be useful to avoid more expensive authentication processing later when the host is going to be denied access under the global network rules anyway.

Providing only p_instance_owner_id will include the Global and Owner defined rules, but not the Instance specific rules. If p_instance_id is provided, that alone is sufficient for testing all the applicable rules, since the Instance Owner ID can be derived from the p_instance_id parameter.
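As an added example (not part of the original documentation), the two-stage pattern described above written in SQL: a cheap host-only pre-check before authentication, then the full check once the Instance is known. The host address and UUID are constructed sample values, the demo_is_host_denied wrapper is a hypothetical helper rather than project code, and the literal 'deny' assumes that is one of the functional_type values, which this page does not list.

```sql
-- Stage 1: pre-authentication check using only the host address.
-- Only Disallowed Hosts and Global Rules can match here, so a deny result
-- is final, but an allow result is not yet a complete validation.
SELECT precedence, functional_type
FROM   get_applied_network_rule(p_host_addr => '203.0.113.10'::inet);  -- constructed sample address

-- Stage 2: full evaluation once the Instance is identified. Passing
-- p_instance_id alone is sufficient; the Owner is derived from it.
SELECT precedence,
       network_rule_id,
       functional_type,
       ip_host_or_network,
       ip_host_range_lower,
       ip_host_range_upper
FROM   get_applied_network_rule(
         p_host_addr   => '203.0.113.10'::inet,
         p_instance_id => '11111111-2222-4333-8444-555555555555'::uuid);  -- constructed sample id

-- Hypothetical helper (not part of the project) that wraps either stage in one
-- boolean check; p_instance NULL gives the host-only pre-check.
-- The literal 'deny' is an assumed functional_type value.
CREATE OR REPLACE FUNCTION demo_is_host_denied(p_host inet, p_instance uuid DEFAULT NULL)
RETURNS boolean
LANGUAGE sql
STABLE
AS $$
  SELECT EXISTS (
    SELECT 1
    FROM   get_applied_network_rule(p_host_addr   => p_host,
                                    p_instance_id => p_instance)
    WHERE  functional_type = 'deny'
  );
$$;
```

Because the function returns the single highest-precedence rule, a globally disallowed host yields the same deny result in both stages, which is what makes the cheap stage-1 rejection safe to act on.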

Parameters

Name                  Type   Mode
p_host_addr           inet   IN
p_instance_id         uuid   IN
p_instance_owner_id   uuid   IN
precedence            text   TABLE
network_rule_id       uuid   TABLE
functional_type       text   TABLE
ip_host_or_network    inet   TABLE
ip_host_range_lower   inet   TABLE
ip_host_range_upper   inet   TABLE

Definition