The end of the beginning is in sight

Hal Murray hmurray at megapathdsl.net
Sat Jan 7 05:30:57 UTC 2017


esr at thyrsus.com said:
>>> and the other is ripping out all
>>> the interface-scanning stuff so we lose the dependency on
>>> getifaddrs(3) and use wildcard interfaces only.

>> Are you sure this is going to work? As far as I know there are (or
>> were) good reasons to do this, but I can't remember them
>> currently. But it's at least something that's specific to UDP.

> If you can remember a blocker, please tell us about it before I put a large
> amount of work into this. 

There is an interface command in ntp.conf, and the man page refers to -I and 
-L command line options, both deprecated.

I think we need to be careful here.  Unless we understand what's really going 
on we are likely to break something, and it might be security related.

We should probably set up some test cases.  Several Raspberry Pis with USB 
Ethernets are probably good enough.  With 2 you don't need a switch.  Is 2 
enough?

I don't know what happens if a packet with a forged destination address 
arrives on the wrong interface.  If the system is a router, I'd expect it to 
"arrive" on the right interface.  I don't know what happens if it's not a 
router.  That seems like a possibly common case - running ntpd on a firewall 
or proxy or some other system with one foot in the DMZ and another in the 
internal network.


There is also the case of virtual interfaces.  I haven't worked with them.


-- 
These are my opinions.  I hate spam.
