[Git][NTPsec/ntpsec][master] Dispel murkiness about the configurator restrict operation.
Eric S. Raymond
gitlab at mg.gitlab.com
Fri Aug 11 10:49:45 UTC 2017
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
659b18de by Eric S. Raymond at 2017-08-11T06:44:46-04:00
Dispel murkiness about the configurator restrict operation.
- - - - -
1 changed file:
- docs/access.txt
Changes:
=====================================
docs/access.txt
=====================================
--- a/docs/access.txt
+++ b/docs/access.txt
@@ -61,12 +61,22 @@ of campus. Let's assume (not true!) that subnet 128.4.1 homes critical
services like class rosters and spread sheets. A suitable ACL might look
like this:
-----------------------------------------------------------------------------------
+------------------------------------------------------------------------------
restrict default nopeer # deny new associations
restrict 128.175.0.0 mask 255.255.0.0 # allow campus access
restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1
restrict time.nist.gov # allow access
-----------------------------------------------------------------------------------
+------------------------------------------------------------------------------
+
+Note that by design the 'restrict' declaration can only add
+restrictions to an IP range that has already been the subject of a
+previous restriction, not remove them.
+
+If the behavior of multiple restricts with identical or overlapping
+ranges seems confusing, bear in mind that each restrict creates an
+internal table entry associated with its subject IP range, and the table
+entries are checked in sequence when the flags applying to a
+particular IP need to be computed.
While this facility may be useful for keeping unwanted, broken or
malicious clients from congesting innocent servers, it should not be
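Review bot: The second added paragraph says the table entries "are checked in sequence" but does not say how the result is decided when an address matches more than one entry (first match, last match, or a combination of the flags), which is the very thing a reader confused by overlapping ranges needs to know. The first added paragraph also sits directly under an example whose comments read as loosening access ("allow campus access", "allow access") after `restrict default nopeer`, so "can only add restrictions ... not remove them" looks at odds with the example as written. Suggest one sentence stating the combination rule, and a short walk through the example showing which flags end up applying to an address in 128.4.1.0/24, which matches the default, the campus and the subnet lines.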
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/659b18dee1c6dc22e818d1c4dba9087a07795fe1