Ntp and interface binding

  • LAYER 8 Global Moderator

    So about the listening on interfaces thing.

    So from here

    About a question of only listening on specific interfaces.

    I see this

    This is fixed in newer versions, I suggest you try 4.2.6p5 or ntp-dev.
    Support for truly restricting listening interfaces with "interface"
    (AKA "nic") in ntp.conf was introduced late in the 4.2.5 cycle.
    Something like the following should work for you:

    interface ignore all
    interface listen eth0

    That should result in ntpd using only v4/v6 localhost and eth0's v4/v6

    But I show the version of ntpd we are using as 4.2.4p5-a – why can we not just upgrade the binary?

    I show
    ntp-4.2.6p5.tbz 2012-Mar-09 11:38:18 1.5M application/x-bzip-compressed-tar
    ntp-4.2.7p255.tbz 2012-Mar-09 11:39:42 1.7M application/x-bzip-compressed-tar

    Available for 8.3

    so I just installed the 4.2.7p255

    killall ntpd

    interface ignore all
    interface listen em0

    to my ntp.conf and restarted the 4.2.7p255 binary in /usr/local/sbin

    now it seems to be only listening on my lan interface em0.

    May 15 16:43:27 ntpd[51993]: peers refreshed
    May 15 16:43:27 ntpd[51993]: Listen normally on 6 lo0 [::1]:123
    May 15 16:43:27 ntpd[51993]: Listen normally on 5 lo0
    May 15 16:43:27 ntpd[51993]: Listen normally on 4 em0 [2001:470:<snipped>:b85::1]:123
    May 15 16:43:27 ntpd[51993]: Listen normally on 3 em0 [fe80::250:56ff:fe00:2%1]:123
    May 15 16:43:27 ntpd[51993]: Listen normally on 2 em0
    May 15 16:43:27 ntpd[51993]: Listen and drop on 1 v6wildcard [::]:123
    May 15 16:43:27 ntpd[51993]: Listen and drop on 0 v4wildcard
    May 15 16:43:27 ntpd[51993]: proto: precision = 1.955 usec (-19)
    May 15 16:43:27 ntpd[51712]: ntpd 4.2.7p255@1.2483-o Fri Mar 9 16:39:06 UTC 2012 (1)

  • LAYER 8 Global Moderator

    see my edit – just installed the 4.2.7 and the interface commands work from what I can tell.


    interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name | address[/prefixlen]]
        This command controls which network addresses ntpd opens, and whether input is dropped without processing. The first parameter determines the action for addresses which match the second parameter. That parameter specifies a class of addresses, or a specific interface name, or an address. In the address case, prefixlen determines how many bits must match for this rule to apply. ignore prevents opening matching addresses, drop causes ntpd to open the address and drop all received packets without examination. Multiple interface commands can be used. The last rule which matches a particular address determines the action for it. interface commands are disabled if any -I, --interface, -L, or --novirtualips command-line options are used. If none of those options are used and no interface actions are specified in the configuration file, all available network addresses are opened. The nic command is an alias for interface.

  • Rebel Alliance Developer Netgate

    Looks promising, though if it works in 4.2.6p5 that would be preferable as their site labels 4.2.7 as development and 4.2.6 as production.

  • Rebel Alliance Developer Netgate

    Added ntp 4.2.6p5 to the snapshots, didn't activate it yet in the gui, we'll see what happens when they come out and I can experiment.

  • Rebel Alliance Developer Netgate

    ok, selective interface binding is back! It may not show up until tomorrow's snapshots because one was already building when I committed it. But a gitsync would pull it in.

    Might need some testing to ensure it's doing the right thing. From the logs and sockstat output it appeared to be working as expected, but some other input would be helpful.

    It would also be helpful to know if, under Status > NTP, you get an active peer with interface binding set up. I still did, but I'm curious to know if anyone has issues.
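
An added example, not part of any post in this thread: a small Python check for the log-based verification discussed above. It parses ntpd's startup "Listen ..." lines in the format the log excerpt shows and reports any socket that accepts packets outside an allow-list of interfaces. The sample logs are constructed, and `em1` as a second (WAN) interface is an assumption.

```python
import re

# Startup lines in the format the thread shows, e.g.
#   "ntpd[51993]: Listen normally on 4 em0 [2001:db8::1]:123"
# The address is optional: some lines in the thread carry none.
LISTEN_RE = re.compile(
    r"ntpd\[\d+\]: Listen (normally|and drop) on \d+ (\S+)(?: (\S+))?\s*$")
LOOPBACK = {"lo0"}                      # localhost stays open, per the quoted reply
WILDCARDS = {"v4wildcard", "v6wildcard"}

def parse_listeners(log_text):
    """Return (mode, ifname, address) for every ntpd listen line."""
    found = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3) or ""))
    return found

def audit(log_text, allowed):
    """List sockets that accept NTP packets outside the allowed interfaces."""
    permitted = set(allowed) | LOOPBACK
    findings = []
    for mode, ifname, addr in parse_listeners(log_text):
        if mode == "and drop":
            continue                    # socket is open but input is discarded
        if ifname in WILDCARDS:
            findings.append(f"wildcard {ifname} accepts packets")
        elif ifname not in permitted:
            findings.append(f"unexpected listener on {ifname} {addr}".strip())
    return findings

# Constructed sample logs (documentation addresses, hypothetical WAN NIC em1).
BOUND = """\
May 15 16:43:27 ntpd[100]: Listen and drop on 0 v4wildcard 0.0.0.0:123
May 15 16:43:27 ntpd[100]: Listen and drop on 1 v6wildcard [::]:123
May 15 16:43:27 ntpd[100]: Listen normally on 2 em0 192.0.2.1:123
May 15 16:43:27 ntpd[100]: Listen normally on 3 em0 [2001:db8::1]:123
May 15 16:43:27 ntpd[100]: Listen normally on 4 lo0
May 15 16:43:27 ntpd[100]: peers refreshed
"""
UNBOUND = BOUND + (
    "May 15 16:43:27 ntpd[100]: Listen normally on 5 em1 198.51.100.7:123\n")

if __name__ == "__main__":
    for name, log in (("bound", BOUND), ("unbound", UNBOUND)):
        print(name, audit(log, {"em0"}) or "ok")
```

The log only shows what ntpd opened at startup; comparing it with sockstat output, as mentioned above, confirms the sockets that are actually bound.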
