To prevent the NTP service from listening on all existing interfaces, it would be good to implement CLI options to configure the interfaces for the NTP service, for example to add to ntp.conf:

```
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
```
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | FEATURE REQUEST | c-po | T599 Bind NTP service to specific interface
Resolved | BUG | jestabro | T1803 Unbind NTP while it's not requested
We already have set system ntp allow-clients address 172.16.0.0/12 which can become a brother to a new command named set system ntp listen-on.
@dmbaturin @syncer may I raise the question why this is under the system and not the service tree?
@syncer we do offer NTP as a service (unfortunately it's under the system tree instead of service).
```
cpo@LR1# set system ntp
Possible completions:
 > allow-clients   Network Time Protocol (NTP) server options
+> server          Network Time Protocol (NTP) server
```

We support several servers and also an allow-clients feature where only clients listed as IP networks are allowed to query. The NTP server listens on all interfaces right now. NTP is also already re-written as an XML style interface definition (T623). The question here is about extending the CLI to bind NTP to a specific IP (we should add this).
That is weird,
I was under the impression that we have it as a client.
So it perfectly makes sense to have it under service.
As soon as someone sets `set system ntp allow-clients address 172.16.0.0/12` we act as an NTP server for this network, too. It's a bit odd that this node is under system but ... it is as it is.
If this node is set we listen on every interface:

```
# sudo netstat -vaun | grep 123
udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
```
You can test this e.g. under Windows with `w32tm /stripchart /computer:<ipaddress> /dataonly /samples:100`
I propose:

```
set system ntp listen-address
Possible completions:
   <x.x.x.x>          Domain Name Server (DNS) IPv4 address
   <h:h:h:h:h:h:h:h>  Domain Name Server (DNS) IPv6 address
```

because ntpd uses IP addresses for listening sockets and not interfaces.
It looks pretty clear from a configuration point of view. Actually this request was made to avoid a potential security breach if somebody doesn't have a correct ACL on the WAN-facing interface.

```
show system ntp
 allow-clients {
     address 192.168.100.0/24
 }
 server 10.255.0.1 {
     prefer
 }
netstat -vaun | grep 123
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp6       0      0 ::1:123                 :::*
```

And in the config file there is:

```
#Do not listen on any interface address by default
interface ignore wildcard
```

I think that it's a mistake: "interface ignore wildcard" should come into the config only when "set system ntp listen-address" is configured...
What do you think?
While "interface ignore wildcard" is configured, we get:

```
ntpq -c lpeer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.255.0.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000
```
This is confusing. While NTP used to work (listen on all interfaces) without any listen-address set, now it doesn't. This means any old config without listen-address set will now have a non-working NTP without any warning. There was no migration script to migrate the old behavior to the new. ntp should have a mandatory listen-address if this new behavior is kept.
Of course this is incompatible with the default configuration with only a DHCP client interface. NTP needs to listen on the interface used to connect to the upstream server to work, so it won't even work as a client if it doesn't listen on that interface. This means ntpd needs to listen on the DHCP interface, if that interface is used to connect to servers.
*Correction: this is not true: if ntpd listens on any private address and there is a src-nat masquerade rule to the DHCP interface, it will work, if there is no masquerade rule, it won't. For example IPv6, there is usually no masquerade rule*
I also don't see the reason to limit ourselves to listening addresses as ntp.conf's "interface" definition takes either interface names or addresses. Take for example a case where an interface address changes (either in config or through DHCP client), that won't be reflected in ntp.conf and NTP on that interface will stop working.
I propose a configuration node `listen { interface abc; address a.b.c.d; }` and a way to specify listening on all interfaces.
Additionally "show ntp" doesn't work due to error "localhost: timed out, nothing received". I've tried adding listen-address 127.0.0.1 with no change. ntpq -p works fine.
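The two points raised in this thread, that `interface ignore wildcard` must only be emitted when a listen list is actually configured, and that loopback must stay bound so `ntpq`/`show ntp` keep working, as an added example of a config renderer. This is illustrative code written for this page, not VyOS's own template; it goes beyond the thread's `listen-address` proposal by accepting interface names as well as addresses, which ntpd's `interface` directive allows, and the sample values are taken from the thread.

```python
import ipaddress

# Added example, not VyOS code: render the restrict/interface part of an
# ntp.conf from a VyOS-style config. `listen` may hold IP addresses or
# interface names, because ntpd's "interface" directive accepts both.
LOOPBACK = ("127.0.0.1", "::1")


def is_address(value):
    """True if value parses as an IP address; anything else is treated as an interface name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def render_ntp_conf(listen=(), allow_clients=()):
    """Return the ntp.conf lines as a list of strings."""
    lines = ["restrict default noquery nopeer nomodify notrap"]
    # Loopback may always query, so 'ntpq -p' and 'show ntp' keep working.
    lines += [f"restrict {lo}" for lo in LOOPBACK]
    for prefix in allow_clients:
        net = ipaddress.ip_network(prefix, strict=False)
        lines.append(f"restrict {net.network_address} mask {net.netmask} "
                     "nomodify notrap nopeer")
    # Only narrow the listening sockets when the operator asked for it.
    # Emitting 'interface ignore wildcard' unconditionally leaves ntpd bound
    # to loopback only, so it cannot reach upstream servers (the T1803 bug).
    if listen:
        lines.append("interface ignore wildcard")
        lines += [f"interface listen {lo}" for lo in LOOPBACK]
        for item in listen:
            lines.append(f"interface listen {item}")
    return lines


if __name__ == "__main__":
    # Constructed sample: one address and one interface name from the thread.
    for line in render_ntp_conf(listen=["172.16.37.241", "eth0"],
                                allow_clients=["172.16.0.0/12"]):
        print(line)
```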