Interface filter

[Hal Murray]

esr at thyrsus.com said:
>> Could that feature be moved to a packet filter?  I think most
>> OSes support some form of kernel level packet filtering.  I'm not
>> familiar with any details.
> It could be.  That would move control of it out of the ntp.conf file,
> though, which I think would count as dropping the feature. 

The parser could call out to a shell script that would check to see if the 
filter was in place and/or add it to the filtering list.

That might need a separate script for each OS.  I'm not plugged into that 
area.  I think a lot of sites installed a packet filter rather than update 
their ntpd or ntp.conf to fix the DDoS mess from a year or 3 ago.  Maybe at 
the border router.




-- 
These are my opinions.  I hate spam.