SINGLESOCK - How much to strip away?

Hal Murray hmurray at
Wed May 30 06:48:50 UTC 2018

We can filter by IP Address using the restrict command.  We may have to add a 
new flag that says don't poke any holes in me.

> Nothing visible changes.  Packet filtering by interface name is still
> supported by using IP_PKTINFO to get the interface of incoming packets. 

recvmsg() gets you the interface index, not name.  If you want to filter by 
name, you have to maintain a index to name array.  Doing that once is 
probably reasonably clean.  Keeping it up to date might get interesting.

Is there a clean way to get notified when an interface comes or goes?  If 
not, we have to poll.  I assume the poll code will be clean but polling is 

> -I, -L, and the interface config directive all go away.  The daemon listens
> on all interfaces all the time.  Packet filtering is entirely outsourced to
> the kernel packet filter and-or dedicated firewalls. Attempting to invoke
> the old features fails loudly. 

"listens on all interfaces" it misleading to me.  It sounds like you mean one 
socket per interface when I think you really want to say wildcard.

> This is where we land if we take Mark's distrust of external packet
> filtering and his argument for do-one-thing-well seriously.  I like this one
> because it results in maximum code removal and complexity reductions. 

Did you really mean external in "distrust of external packet filtering"?  I 
thought the idea was to trust somebody else because a good admin wouldn't 
trust us (aka internal).

> The entire interface directive goes away, failing loudly.  The -I and -L
> options stay. 

That combination doesn't make any sense to me.

Both -I and -L are already deprecated with a suggestion to use the interface 
command in the configurationfile.  Why would we keep them when deleting the 
thing users are supposed to switch to?


The man page for ntp.conf says:
           Default restriction list entries with the flags ignore, interface,
           ntpport, for each of the local host's interface addresses are
           inserted into the table at startup to prevent the server from
           attempting to synchronize to its own time.

Has anybody confirmed that the current code maintains that when interfaces 

Does that mean that we need to maintain the ability to track interface 
changes no matter how many interfaces we listen on.

It also says:
           interface commands are disabled if any of the -I, --interface,-L,
           or --novirtualips command-line options are used.

That seems suspicious as in asking for security bugs.  An admin could easily 
add -I xxx to block traffic from an interface and accidentally unblock 
interfaces blocked in the config file.

I fixed something a while ago that involved the interaction with command line 
and config file, but I forget what case that was.  I think this one should be 
easy to fix.

These are my opinions.  I hate spam.

More information about the devel mailing list