SINGLESOCK - How much to strip away?
Hal Murray
hmurray at megapathdsl.net
Wed May 30 06:48:50 UTC 2018
We can filter by IP Address using the restrict command. We may have to add a
new flag that says don't poke any holes in me.
Case ALPHA:
> Nothing visible changes. Packet filtering by interface name is still
> supported by using IP_PKTINFO to get the interface of incoming packets.
recvmsg() gets you the interface index, not name. If you want to filter by
name, you have to maintain a index to name array. Doing that once is
probably reasonably clean. Keeping it up to date might get interesting.
Is there a clean way to get notified when an interface comes or goes? If
not, we have to poll. I assume the poll code will be clean but polling is
ugly.
Case OMEGA:
> -I, -L, and the interface config directive all go away. The daemon listens
> on all interfaces all the time. Packet filtering is entirely outsourced to
> the kernel packet filter and-or dedicated firewalls. Attempting to invoke
> the old features fails loudly.
"listens on all interfaces" it misleading to me. It sounds like you mean one
socket per interface when I think you really want to say wildcard.
> This is where we land if we take Mark's distrust of external packet
> filtering and his argument for do-one-thing-well seriously. I like this one
> because it results in maximum code removal and complexity reductions.
Did you really mean external in "distrust of external packet filtering"? I
thought the idea was to trust somebody else because a good admin wouldn't
trust us (aka internal).
Case GAMMA:
> The entire interface directive goes away, failing loudly. The -I and -L
> options stay.
That combination doesn't make any sense to me.
Both -I and -L are already deprecated with a suggestion to use the interface
command in the configurationfile. Why would we keep them when deleting the
thing users are supposed to switch to?
--------
The man page for ntp.conf says:
Default restriction list entries with the flags ignore, interface,
ntpport, for each of the local host's interface addresses are
inserted into the table at startup to prevent the server from
attempting to synchronize to its own time.
Has anybody confirmed that the current code maintains that when interfaces
change?
Does that mean that we need to maintain the ability to track interface
changes no matter how many interfaces we listen on.
It also says:
interface commands are disabled if any of the -I, --interface,-L,
or --novirtualips command-line options are used.
That seems suspicious as in asking for security bugs. An admin could easily
add -I xxx to block traffic from an interface and accidentally unblock
interfaces blocked in the config file.
I fixed something a while ago that involved the interaction with command line
and config file, but I forget what case that was. I think this one should be
easy to fix.
--
These are my opinions. I hate spam.
More information about the devel
mailing list