Design proposal for a better ACL language

Mark Atwood fallenpegasus at gmail.com
Tue Jun 14 20:28:06 UTC 2016


It is possible to write an iptables kernel loadable module that can do
application level filtering, and the ntp packet format even lends itself to
it.

However, we will not go down that route.  It would be Linux-only, it would
be outside of our remit and outside of our current hot skill-set, it would
be yet another moving part, it would be difficult to package, and difficult
to get many installations to install, as they get very strict about which
KLMs they will install, and all for very little if any performance increase.

We will put the ntp application level packet filter in user space in the
ntpsec implementation, not in the kernel.

..m

On Tue, Jun 14, 2016 at 11:47 AM Gary E. Miller <gem at rellim.com> wrote:

> Yo Achim!
>
> On Tue, 14 Jun 2016 20:39:35 +0200
> Achim Gratz <Stromeko at nexgo.de> wrote:
>
> > Daniel Franke writes:
> > >> Are there other good ACL languages that we can steal the spec or
> > >> implementation from
> > >
> > > Most of the features we want to match on (basically everything
> > > except IP/port) are NTP-specific, so not directly. But a lot of my
> > > design was inspired by iptables.
> >
> > Sorry for the sidetracking, but while you mention iptables: if we can
> > presume the existence of a packet filter in the OS, would it perhaps
> > make sense to not implement that part of the filtering in ntpd and
> > leave it to that filter?
>
> I would use iptables, but iptables are a large burden on an embedded
> system.  I certainly do not want to have to manage iptables on my
> old RasPi B.  Or any of my RasPi's.
>
> My head would hurt if I had to write an iptables rule that would allow
> remote requests, but not remote peering.
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>         gem at rellim.com  Tel:+1 541 382 8588
> _______________________________________________
> devel mailing list
> devel at ntpsec.org
> http://lists.ntpsec.org/mailman/listinfo/devel
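To make concrete what a user-space, application-level NTP filter of the kind Mark describes would look like, and Gary's case of "allow remote requests, but not remote peering", here is an added example in C. It is not ntpsec code or part of Daniel's proposal. It only reads the mode field of the 48-byte NTP header (low three bits of the first octet, per RFC 5905) and evaluates a constructed, hypothetical first-match rule table keyed on IPv4 prefix; the addresses are RFC 5737 documentation ranges, and the rule struct, names and policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HEADER_LEN 48          /* fixed NTP header length, RFC 5905 */

/* Association modes carried in the low 3 bits of the first header octet. */
enum ntp_mode {
    NTP_MODE_SYM_ACTIVE  = 1,      /* symmetric active: a peering request */
    NTP_MODE_SYM_PASSIVE = 2,
    NTP_MODE_CLIENT      = 3,      /* ordinary time request */
    NTP_MODE_SERVER      = 4,
    NTP_MODE_BROADCAST   = 5,
    NTP_MODE_CONTROL     = 6,      /* mode 6 control/monitoring queries */
    NTP_MODE_PRIVATE     = 7
};

#define MODE_BIT(m) (1u << (m))
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum verdict { VERDICT_DENY = 0, VERDICT_ALLOW = 1 };

/* One ACL entry (hypothetical layout): IPv4 prefix plus the modes accepted from it. */
struct acl_rule {
    uint32_t net;                  /* network address, host byte order */
    uint8_t  prefix;               /* prefix length, 0..32 */
    uint8_t  allowed_modes;        /* bit m set => mode m permitted */
};

/* Mode field of the first octet, or -1 if the datagram is shorter than a header. */
static int ntp_mode_of(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < NTP_HEADER_LEN)
        return -1;
    return pkt[0] & 0x07;
}

static bool prefix_match(uint32_t addr, uint32_t net, uint8_t prefix)
{
    if (prefix > 32)
        return false;
    uint32_t mask = (prefix == 0) ? 0u : (0xFFFFFFFFu << (32 - prefix));
    return (addr & mask) == (net & mask);
}

/* First matching rule decides; no match, or a truncated packet, is denied. */
int acl_check(const struct acl_rule *rules, size_t nrules,
              uint32_t src, const uint8_t *pkt, size_t len)
{
    int mode = ntp_mode_of(pkt, len);
    if (mode < 0)
        return VERDICT_DENY;
    for (size_t i = 0; i < nrules; i++) {
        if (prefix_match(src, rules[i].net, rules[i].prefix))
            return (rules[i].allowed_modes & MODE_BIT(mode)) ? VERDICT_ALLOW
                                                             : VERDICT_DENY;
    }
    return VERDICT_DENY;
}

/* Constructed sample policy (RFC 5737 documentation ranges): loopback may do
 * anything, the local LAN may peer and query, everyone else may only send
 * client-mode requests, i.e. remote requests but no remote peering. */
static const struct acl_rule sample_rules[] = {
    { IPV4(127, 0, 0, 0),  8, 0xFF },
    { IPV4(192, 0, 2, 0), 24, MODE_BIT(NTP_MODE_CLIENT) | MODE_BIT(NTP_MODE_SYM_ACTIVE) },
    { IPV4(0, 0, 0, 0),    0, MODE_BIT(NTP_MODE_CLIENT) },
};
#define SAMPLE_RULES_LEN (sizeof sample_rules / sizeof sample_rules[0])

/* Build a minimal header (LI=0, VN=4, given mode) and evaluate the sample
 * policy for a datagram of `len` bytes arriving from `src`. */
int verdict_for(uint32_t src, int mode, size_t len)
{
    uint8_t pkt[NTP_HEADER_LEN];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (uint8_t)((4 << 3) | (mode & 0x07));
    if (len > sizeof pkt)
        len = sizeof pkt;
    return acl_check(sample_rules, SAMPLE_RULES_LEN, src, pkt, len);
}

int main(void)
{
    printf("remote client request : %d\n",
           verdict_for(IPV4(203, 0, 113, 9), NTP_MODE_CLIENT, NTP_HEADER_LEN));
    printf("remote peering attempt: %d\n",
           verdict_for(IPV4(203, 0, 113, 9), NTP_MODE_SYM_ACTIVE, NTP_HEADER_LEN));
    printf("LAN peering attempt   : %d\n",
           verdict_for(IPV4(192, 0, 2, 7), NTP_MODE_SYM_ACTIVE, NTP_HEADER_LEN));
    return 0;
}
```

Two design points worth noting: the table is default-deny and first-match, so rule order matters (a catch-all `0.0.0.0/0` entry placed first would shadow everything after it), and the check runs on the raw header before any authentication or state lookup, so a truncated datagram is rejected at the length check rather than parsed.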

