Wildcard-socket simplification hits a wall

Gary E. Miller gem at rellim.com
Fri Mar 31 19:31:09 UTC 2017


Yo Mark!

On Fri, 31 Mar 2017 19:19:04 +0000
Mark Atwood <fallenpegasus at gmail.com> wrote:

> I would like some discussion about this, however, my inclination is
> to drop it.

Drop the discussion, drop the old feature, or drop the work to drop the old
feature?

> It is my belief that when a sysadmin is going to do sophisticated
> filtering based on MAC or by interface id, they will do it in their
> switch or they will do it locally with the ipfw or iptables feature, and
> would not trust the daemon process they are trying to protect to get
> it right. Every Linux-like and modern POSIX-like OS has a kernel
> level table filter feature like iptables or ipfw, and doing such
> filtering there is the Right Place to do it.

Or the newest toy: nftables.  My personal belief is every sysadmin
should be managing his entire system from the one tool, but defense
in depth is also good.

> I specifically would like GEM and Hal to chime in on this.  Am I correct?

My main concern is if anyone actually uses this option.  If so, they
are the more advanced users, and I'd rather not annoy them when we want
them to switch to NTPsec.

OTOH, if no one is actually using the option, then we can remove the 
option.  My totally unsubstantiated gut feel is that this is a newish
feature that is not used by many sysadmins, if any.

So, sadly, my answer is a non-answer.  When I kill off esr's suffixes
I'd be happy to dig into this.  I have now looked at more than a
hundred current and popular ways to do .d directories.  Esr's take
is very much an outlier.  But more on that later, in a different 
thread.

Maybe someone could ask on the NTP list if anyone uses the feature?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin