Design proposal for a better ACL language

Daniel Franke dfoxfranke at gmail.com
Tue Jun 14 18:46:01 UTC 2016


On 6/14/16, Achim Gratz <Stromeko at nexgo.de> wrote:
> Sorry for the sidetracking, but while you mention iptables: if we can
> presume the existence of a packet filter in the OS, would it perhaps
> make sense to not implement that part of the filtering in ntpd and leave
> it to that filter?

No, because most of the time you're going to want to filter on the
contents of the NTP packet and/or the state of your association with a
peer, not just on the UDP/IP headers. iptables generally can't do
that, barring various crude hacks involving the U32 target and/or
connection tracking.
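As an added illustration, not part of this thread or of any ntpd code, the following Python sketch shows the kind of decision the reply above describes: a filter that looks past the UDP/IP headers into the NTP header (version and mode in the first byte, RFC 5905) and at daemon state (which peers we currently have an association with). The ACL policy, the peer list and the admin networks are hypothetical, and the sample packets are constructed in the block itself.

```python
import ipaddress

# NTP header values from RFC 5905: the first byte packs LI (2 bits),
# VN (3 bits) and Mode (3 bits); the second byte is the stratum.
MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
NTP_HEADER_LEN = 48  # header without extension fields or MAC


def parse_header(pkt):
    """Return the fields an in-daemon filter can see but a UDP/IP packet
    filter cannot. Raises ValueError on a truncated packet."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("truncated NTP packet (%d bytes)" % len(pkt))
    first = pkt[0]
    return {
        "li": first >> 6,
        "vn": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": pkt[1],
    }


def build_packet(mode, vn=4, stratum=2):
    """Constructed sample packet: header byte, stratum, zero-filled body."""
    first = (0 << 6) | (vn << 3) | mode
    return bytes([first, stratum]) + b"\x00" * (NTP_HEADER_LEN - 2)


def decide(src, pkt, peers, admin_nets):
    """Hypothetical ACL (example policy, not ntpd's).

    src        -- sender IP as a string
    peers      -- addresses the daemon currently has an association with
    admin_nets -- networks allowed to send control (6) / private (7) queries
    Returns (action, reason) so the reason can be logged.
    """
    try:
        hdr = parse_header(pkt)
    except ValueError as exc:
        return ("deny", str(exc))

    src_ip = ipaddress.ip_address(src)
    peer_ips = {ipaddress.ip_address(p) for p in peers}
    nets = [ipaddress.ip_network(n) for n in admin_nets]

    if hdr["vn"] not in (3, 4):
        return ("deny", "unsupported NTP version %d" % hdr["vn"])

    mode = hdr["mode"]
    if mode in (MODE_CONTROL, MODE_PRIVATE):
        # Content-based: these modes are only acceptable from admin networks.
        if any(src_ip in net for net in nets):
            return ("allow", "mode %d from admin network" % mode)
        return ("deny", "mode %d from outside admin networks" % mode)
    if mode == MODE_SERVER:
        # State-based: a server reply is only wanted from a peer we poll.
        if src_ip in peer_ips:
            return ("allow", "server reply from configured peer")
        return ("deny", "unsolicited server reply")
    if mode == MODE_CLIENT:
        return ("allow", "client request")
    return ("deny", "mode %d not accepted" % mode)


if __name__ == "__main__":
    peers = ["203.0.113.10"]          # constructed peer list
    admin = ["127.0.0.0/8", "10.0.0.0/8"]  # constructed admin networks
    samples = [
        ("203.0.113.10", build_packet(MODE_SERVER)),
        ("198.51.100.7", build_packet(MODE_SERVER)),
        ("10.1.2.3", build_packet(MODE_CONTROL)),
        ("198.51.100.7", build_packet(MODE_PRIVATE)),
        ("198.51.100.7", build_packet(MODE_CLIENT)),
        ("198.51.100.7", b"\x23"),
    ]
    for src, pkt in samples:
        print(src, decide(src, pkt, peers, admin))
```

Every branch after the version check depends either on bytes inside the UDP payload or on the daemon's association table, which is exactly the information a rule keyed on UDP/IP headers alone does not have.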

