
Bind NTP service to specific interface
Closed, Resolved | Public | FEATURE REQUEST

Description

To prevent the NTP service from listening on all existing interfaces, it would be good to implement CLI options to configure interfaces for the NTP service, for example to add in ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

We already have set system ntp allow-clients address 172.16.0.0/12 which can become a brother to a new command named set system ntp listen-on.

@dmbaturin @syncer may I raise the question why this is under system and not the service tree?

syncer triaged this task as Normal priority. May 27 2018, 10:01 AM

@c-po I think we do not offer an NTP service as of now, but I think maybe we should?

@syncer we do offer NTP as a service (unfortunately it's under the system tree instead of service).

cpo@LR1# set system ntp
Possible completions:
 > allow-clients
                Network Time Protocol (NTP) server options
+> server       Network Time Protocol (NTP) server

We support several servers and also an allow-clients feature where only clients listed as IP networks are allowed to query. The NTP server listens on all interfaces right now. NTP is also already re-written as an XML style interface definition (T623). The question here is about extending the CLI and binding NTP to a specific IP (we should add this).

That is weird,
I was under the impression that we have it as a client.
So it perfectly makes sense to have it under service.

As soon as someone sets set system ntp allow-clients address 172.16.0.0/12 we act as an NTP server for this network, too. It's a bit odd that this node is under system but ... it is as it is.

If this node is set we listen on every interface:

# sudo netstat -vaun | grep 123
udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*

You can test this e.g. under Windows w/ $ w32tm /stripchart /computer:<ipaddress> /dataonly /samples:100

I propose:

set system ntp listen-address
Possible completions:
   <x.x.x.x>         Domain Name Server (DNS) IPv4 address
   <h:h:h:h:h:h:h:h> Domain Name Server (DNS) IPv6 address

b/c ntpd uses IP addresses for listen connections and not interfaces.

It looks pretty clear from a configuration point of view. Actually this request was made to avoid a potential security breach if somebody doesn't have a correct ACL on the WAN-facing interface.

 show system ntp
 allow-clients {
     address 192.168.100.0/24
 }
 server 10.255.0.1 {
     prefer
 }


netstat -vaun | grep 123
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp6       0      0 ::1:123                 :::*

And in config file there is:

#Do not listen on any interface address by default
interface ignore wildcard

I think that it's a mistake, "interface ignore wildcard" should come into the config only when "set system ntp listen-address" is configured...
What do you think?

While "interface ignore wildcard" is configured, we get:

ntpq -c lpeer
 remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.255.0.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000

This is confusing. While NTP used to work (listen on all interfaces) without any listen-address set, now it doesn't. This means any old config without listen-address set will now have a non-working NTP without any warning. There was no migration script to migrate the old behavior to the new. ntp should have a mandatory listen-address if this new behavior is kept.

Of course this is incompatible with the default configuration with only a DHCP client interface. NTP needs to listen on the interface used to connect to the upstream server to work, so it won't even work as a client if it doesn't listen on that interface. This means ntpd needs to listen on the DHCP interface, if that interface is used to connect to servers.
*Correction: this is not true: if ntpd listens on any private address and there is a src-nat masquerade rule to the DHCP interface, it will work; if there is no masquerade rule, it won't. For example with IPv6, there is usually no masquerade rule*

I also don't see the reason to limit ourselves to listening addresses as ntp.conf's "interface" definition takes either interface names or addresses. Take for example a case where an interface address changes (either in config or through DHCP client), that won't be reflected in ntp.conf and NTP on that interface will stop working.

I propose a configuration node 'listen {interface abc; address a.b.c.d;}' and a way to specify listening on all interfaces.

Additionally "show ntp" doesn't work due to error "localhost: timed out, nothing received". I've tried adding listen-address 127.0.0.1 with no change. ntpq -p works fine.
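As an added illustration of the behaviour discussed in this thread (not VyOS code; the function name, the input shape of address and interface lists, and the choice to always keep loopback bound are assumptions of this example), the following renders the ntp.conf "interface" directives from a listen configuration and emits "interface ignore wildcard" only when at least one explicit listen target exists, so an old config without listen-address keeps the historic listen-on-everything behaviour instead of silently ending up with a peer stuck in .INIT.:

```python
import ipaddress

# Loopback stays bound whenever wildcard binding is switched off, so local
# queries (ntpq -p, "show ntp") still reach ntpd.  Design choice of this
# example, not a VyOS behaviour.
LOOPBACK = ("127.0.0.1", "::1")


def render_listen_directives(addresses=(), interfaces=()):
    """Return the ntp.conf 'interface' lines for a listen configuration.

    addresses  - IPv4/IPv6 addresses from a 'listen-address' style node
    interfaces - interface names, which ntpd's 'interface' directive also
                 accepts (useful when a DHCP address changes later)

    With no targets at all the list is empty: ntpd then keeps its default
    of binding every address, which is the pre-feature behaviour.
    """
    targets = []
    for addr in addresses:
        # ipaddress raises ValueError on a typo instead of letting a bad
        # line reach ntp.conf and disable time sync without warning.
        targets.append(str(ipaddress.ip_address(addr)))
    for name in interfaces:
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"invalid interface name: {name!r}")
        targets.append(name)

    if not targets:
        return []

    lines = ["# Listen only where explicitly configured",
             "interface ignore wildcard"]
    seen = set()
    for target in LOOPBACK + tuple(targets):
        if target not in seen:          # de-duplicate e.g. an explicit ::1
            seen.add(target)
            lines.append(f"interface listen {target}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_listen_directives(addresses=["192.168.100.1"],
                                             interfaces=["eth1"])))
```

After writing the rendered lines into ntp.conf and restarting ntpd, the same netstat check shown earlier in the thread should list only the configured sockets on port 123.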