Interface filter

Hal Murray hmurray at
Mon May 28 02:10:31 UTC 2018

esr at said:
>> Could that feature be moved to a packet filter?  I think most
>> OSes support some form of kernel level packet filtering.  I'm not
>> familiar with any details.
> It could be.  That would move control of it out of the ntp.conf file,
> though, which I think would count as dropping the feature. 

The parser could call out to a shell script that would check to see if the 
filter was in place and/or add it to the filtering list.

That might need a separate script for each OS.  I'm not plugged into that 
area.  I think a lot of sites installed a packet filter rather than update 
their ntpd or ntp.conf to fix the DDoS mess from a year or 3 ago.  Maybe at 
the border router.

These are my opinions.  I hate spam.

More information about the devel mailing list