SINGLESOCK - How much to strip away?

Gary E. Miller gem at rellim.com
Sat Jun 2 03:19:57 UTC 2018


Yo Mark!

On Fri, 1 Jun 2018 20:06:44 -0700
Mark Atwood via devel <devel at ntpsec.org> wrote:

> But I do understand the pushback against that from GEM, and have been
> thinking about it for the past few days.

I'm all for iptables, or at least the modern equivalent.  But iptables
does not adress the issue of binding to some local IPs, and not
others.

> As I type and think: one of the fundamental problems with having
> longrunner daemons try to keep track of addresses, address masks, and
> interface names is that interfaces can go down, come up, get renamed,
> and have address masks added and removed from each, and trying to
> keep track of that in userspace is a nightmare.

If a server is renaming your ethernet ports then you got bigger problems
that we can solve.

> As I type and think more, I ask, "What does Chrony do?", and I look
> at [ https://chrony.tuxfamily.org/doc/3.3/chrony.conf.html].  It has a
> "bindaddress" directive, which uses IP address, not interface name.

I guess I have been conflating interface name with IP address.  You are
right, it is the IP address that is key, not the interface.

> And only one bind address can be specified.  It freely admits that
> that means Chrony is not the correct solution for serving down
> multiple controlled interfaces at once.   Very simplifying, but not
> what we want.

So allow binding to more than one IP address.  At a minimum most
will want two: IPv4 and IPv6.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20180601/9786dec0/attachment.bin>


More information about the devel mailing list