Design proposal for a better ACL language

Gary E. Miller gem at
Tue Jun 14 18:46:09 UTC 2016

Yo Achim!

On Tue, 14 Jun 2016 20:39:35 +0200
Achim Gratz <Stromeko at> wrote:

> Daniel Franke writes:
> >> Are there other good ACL languages that we can steal the spec or
> >> implementation from  
> >
> > Most of the features we want to match on (basically everything
> > except IP/port) are NTP-specific, so not directly. But a lot of my
> > design was inspired by iptables.  
> Sorry for the sidetracking, but while you mention iptables: if we can
> presume the existence of a packet filter in the OS, would it perhaps
> make sense to not implement that part of the filtering in ntpd and
> leave it to that filter?

I would use iptables, but iptables are a large burden on an embedded
system.  I certainly do not want to have to manage iptables on my
old RasPi B.  Or any of my RasPis.

My head would hurt if I had to write an iptables rule that would allow
remote requests, but not remote peering.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at  Tel:+1 541 382 8588