Access Control Commands and Options

From: Harlan Stenn Date: Mon, 22 Jan 2018 12:35:36 +0000 (+0000) Subject: Update the documentation for ippeerlimit and noepeer X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=845b276310304024d67bce4ccdc9ce2528df5b0d;p=thirdparty%2Fntp.git Update the documentation for ippeerlimit and noepeer bk: 5a65da98CxIIyJbIhre5Pw_fLkoONQ --- diff --git a/html/accopt.html b/html/accopt.html index 42cdacaa2..4417a8cca 100644 --- a/html/accopt.html +++ b/html/accopt.html @@ -3,91 +3,185 @@ -Access Control Commands and Options - +Access Control Commands and Options

Access Control Commands and Options

from Pogo, Walt Kelly + gif

from Pogo, +Walt Kelly

The skunk watches for intruders and sprays.

Last update: - 7-Jan-2018 23:56 - UTC

Last update: 7-Jan-2018 23:56 UTC

Commands and Options

Unless noted otherwise, further information about these ccommands is on the Access Control Support page.

Unless noted otherwise, further information about these ccommands is on +the Access Control Support page.

discard [ average avg ][ minimum min ] [ monitor prob ]

Set the parameters of the rate control facility which protects the server from client abuse. If the limited flag is present in the ACL, packets that violate these limits are discarded. If, in addition, the kod flag is present, a kiss-o'-death packet is returned. See the Rate Management page for further information. The options are: +

discard [ average avg ][ minimum min ] + [ monitor prob ]

Set the parameters of the rate control facility which protects the + server from client abuse. If the limited flag is present in the + ACL, packets that violate these limits are discarded. If, in addition, + the kod flag is present, a kiss-o'-death packet is + returned. See the Rate Management page for + further information. The options are:

average avg: Specify the minimum average interpacket spacing (minimum average headway - time) in log₂ s with default 3.; Specify the minimum average interpacket spacing (minimum average + headway time) in log₂ s with default 3.
minimum min: Specify the minimum interpacket spacing (guard time) in seconds with default 2.; Specify the minimum interpacket spacing (guard time) in seconds + with default 2.
monitor: Specify the probability of being recorded for packets that overflow the MRU list size limit set by mru maxmem or mru maxdepth. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.; Specify the probability of being recorded for packets that + overflow the MRU list size limit set by mru maxmem + or mru maxdepth. This is a performance optimization for + servers with aggregate arrivals of 1000 packets per second or + more.

restrict default [flag][...] - restrict source [flag][...] - restrict address [mask mask] [flag][...]

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:

restrict [-4 | -6] default [ippeerlimit num] + [flag][...] restrict source [ippeerlimit num] + [flag][...] restrict address [mask mask] + [ippeerlimit num] [flag][...]

The address argument expressed in IPv4 or IPv6 numeric + address form is the address of a host or network. Alternatively, + the address argument can be a valid host DNS + name. The mask argument expressed in IPv4 or IPv6 + numeric address form defaults to all mask bits on, meaning that + the address is treated as the address of an individual + host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and + address :: mask :: for IPv6) is always the first entry in the + list. restrict default, with no mask option, modifies both IPv4 + and IPv6 default entries. restrict source configures a template + restriction automatically added at runtime for each association, whether + configured, ephemeral, or preemptible, and removed when the association + is demobilized.

The optional ippeerlimit takes a numeric argument that + indicates how many incoming (at present) peer requests will be permitted + for each IP, regardless of whether or not the request comes from an + authenticated source. A value of -1 means "unlimited", which is the + current default. A value of 0 means "none". Ordinarily one would + expect at most 1 of these sessions to exist per IP, however if the + remote side is operating thru a proxy there would be one association for + each remote peer at that IP.

Some flags have the effect to deny service, some have the effect to + enable service and some are conditioned by other flags. The flags are + not orthogonal, in that more restrictive flags will often make less + restrictive ones redundant. The flags that deny service are classed in + two categories, those that restrict time service and those that restrict + informational queries and attempts to do run-time reconfiguration of the + server. One or more of the following flags may be specified:

flake: Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's flakeway, which once did a similar thing for early Internet testing.; Discard received NTP packets with probability 0.1; that is, on + average drop one packet in ten. This is for testing and + amusement. The name comes from Bob Braden's flakeway, which + once did a similar thing for early Internet testing.
ignore: Deny packets of all kinds, including ntpq and ntpdc queries.; Deny packets of all kinds, including ntpq + and ntpdc queries.
kod: Send a kiss-o'-death (KoD) packet if the limited flag is present and a packet violates the rate limits established by the discard command. KoD packets are themselves rate limited for each source address separately. If the kod flag is used in a restriction which does not have the limited flag, no KoD responses will result.; Send a kiss-o'-death (KoD) packet if the limited flag is + present and a packet violates the rate limits established by + the discard command. KoD packets are themselves rate + limited for each source address separately. If the kod flag + is used in a restriction which does not have the limited + flag, no KoD responses will result.
limited: Deny time service if the packet violates the rate limits established by the discard command. This does not apply to ntpq and ntpdc queries.; Deny time service if the packet violates the rate limits + established by the discard command. This does not apply + to ntpq and ntpdc queries.
lowpriotrap: Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.; Declare traps set by matching hosts to be low priority. The number + of traps a server can maintain is limited (the current limit is + 3). Traps are usually assigned on a first come, first served basis, + with later trap requestors being denied service. This flag modifies + the assignment algorithm by allowing low priority traps to be + overridden by later requests for normal priority traps.
mssntp: Enable Microsoft Windows MS-SNTP authentication using Active Directory services. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.; Enable Microsoft Windows MS-SNTP authentication using Active + Directory services. Note: Potential users + should be aware that these services involve a TCP connection to + another process that could potentially block, denying services to + other users. Therefore, this flag should be used only for a + dedicated server with no clients other than MS-SNTP.
noepeer: Deny packets that would mobilize an ephemeral peering association, + even if authenticated.
nomodify: Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.; Deny ntpq and ntpdc queries which attempt to + modify the state of the server (i.e., run time + reconfiguration). Queries which return information are + permitted.
noquery: Deny ntpq and ntpdc queries. Time service is not affected.; Deny ntpq and ntpdc queries. Time service is not + affected.
nopeer: Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. It also includes pool associations, so if you want to use servers from a pool directive and also want to use nopeer by default, you'll want a "restrict source ..." line as well that does not include the nopeer directive. Note that this flag does not apply to packets that do not attempt to mobilize an association.
noepeer: Deny packets that would mobilize an ephemeral peering association, even if authenticated.; Deny packets that might mobilize an association unless + authenticated. This includes broadcast, symmetric-active and + manycast server packets when a configured association does not + exist. It also includes pool associations, so if you want + to use servers from a pool directive and also want to + use nopeer by default, you'll want a "restrict source + ..." line as well that does not include + the nopeer directive. Note that this flag does not apply + to packets that do not attempt to mobilize an association.
noserve: Deny all packets except ntpq and ntpdc queries.; Deny all packets except ntpq and ntpdc + queries.
notrap: Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol which is intended for use by remote event logging programs.; Decline to provide mode 6 control message trap service to matching + hosts. The trap service is a subsystem of the ntpdc control + message protocol which is intended for use by remote event logging + programs.
notrust: Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the auth option of the enable and disable commands. If auth is enabled, which is the default, authentication is required for all packets that might mobilize an association. If auth is disabled, but the notrust flag is not present, an association can be mobilized whether or not authenticated. If auth is disabled, but the notrust flag is present, authentication is required only for the specified address/mask range.; Deny packets that are not cryptographically authenticated. Note + carefully how this flag interacts with the auth option of + the enable and disable commands. If auth + is enabled, which is the default, authentication is required for all + packets that might mobilize an association. If auth is + disabled, but the notrust flag is not present, an + association can be mobilized whether or not + authenticated. If auth is disabled, but + the notrust flag is present, authentication is required + only for the specified address/mask range.
ntpport: This is actually a match algorithm modifier, rather than a restriction - flag. Its presence causes the restriction entry to be matched only if the - source port in the packet is the standard NTP UDP port (123). A restrict line - containing ntpport is considered more specific than one with the - same address and mask, but lacking ntpport.; This is actually a match algorithm modifier, rather than a + restriction flag. Its presence causes the restriction entry to be + matched only if the source port in the packet is the standard NTP + UDP port (123). A restrict line containing ntpport is + considered more specific than one with the same address and mask, + but lacking ntpport.
version: Deny packets that do not match the current NTP version.

Default restriction list entries with the flags ignore, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).

Default restriction list entries with the flags ignore, + ntpport, for each of the local host's interface addresses are + inserted into the table at startup to prevent the server from + attempting to synchronize to its own time. A default entry is also + always present, though if it is otherwise unconfigured; no flags are + associated with the default entry (i.e., everything besides your own + NTP server is unrestricted).

- + diff --git a/ntpd/invoke-ntp.conf.texi b/ntpd/invoke-ntp.conf.texi index 3225cf59c..6aa0a2a62 100644 --- a/ntpd/invoke-ntp.conf.texi +++ b/ntpd/invoke-ntp.conf.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) # -# It has been AutoGen-ed January 21, 2018 at 12:41:56 PM by AutoGen 5.18.5 +# It has been AutoGen-ed January 22, 2018 at 11:49:10 AM by AutoGen 5.18.5 # From the definitions ntp.conf.def # and the template file agtexi-file.tpl @end ignore @@ -1462,7 +1462,7 @@ The @code{monitor} subcommand specifies the probability of discard for packets that overflow the rate-control window. -@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@kbd{flag} @kbd{...}]} +@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@code{ippeerlimit} @kbd{int}]} @code{[@kbd{flag} @kbd{...}]} The @kbd{address} argument expressed in @@ -1486,6 +1486,15 @@ Note that text string @code{default}, with no mask option, may be used to indicate the default entry. +The +@code{ippeerlimit} +directive limits the number of peer requests for each IP to +@kbd{int}, +where a value of -1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, @code{flag} always @@ -1536,6 +1545,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +@item @code{noepeer} +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +@file{ntp.keys} +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +@code{noepeer} +to become the default in ntp-4.4. @item @code{nomodify} Deny @code{ntpq(1ntpqmdoc)} @@ -1570,9 +1591,6 @@ line as well that does include the @code{nopeer} directive. -@item @code{noepeer} -Deny packets that would mobilize an ephemeral peering association, -even if authenticated. @item @code{noserve} Deny all packets except @code{ntpq(1ntpqmdoc)} @@ -2521,9 +2539,7 @@ This option is useful for sites that run @code{ntpd(1ntpdmdoc)} on multiple hosts, with (mostly) common options (e.g., a restriction list). -@item @code{interface} -@code{[@code{listen} | @code{ignore} | @code{drop}]} -@code{[@code{all} | @code{ipv4} | @code{ipv6} | @code{wildcard} @kbd{name} | @kbd{address} @code{[@code{/} @kbd{prefixlen}]} +@item @code{interface} @code{[@code{listen} | @code{ignore} | @code{drop}]} @code{[@code{all} | @code{ipv4} | @code{ipv6} | @code{wildcard} @kbd{name} | @kbd{address} @code{[@code{/} @kbd{prefixlen}]}]} The @code{interface} directive controls which network addresses @@ -2676,8 +2692,7 @@ facility. This is the same operation as the @code{-l} command line option. -@item @code{mru} -@code{[@code{maxdepth} @kbd{count} | @code{maxmem} @kbd{kilobytes} | @code{mindepth} @kbd{count} | @code{maxage} @kbd{seconds} | @code{initialloc} @kbd{count} | @code{initmem} @kbd{kilobytes} | @code{incalloc} @kbd{count} | @code{incmem} @kbd{kilobytes}]} +@item @code{mru} @code{[@code{maxdepth} @kbd{count} | @code{maxmem} @kbd{kilobytes} | @code{mindepth} @kbd{count} | @code{maxage} @kbd{seconds} | @code{initialloc} @kbd{count} | @code{initmem} @kbd{kilobytes} | @code{incalloc} @kbd{count} | @code{incmem} @kbd{kilobytes}]} Controls size limite of the monitoring facility's Most Recently Used (MRU) list of client addresses, which is also used by the @@ -2751,14 +2766,7 @@ For the JJY driver (type 40 mode 100 - 180), the argument is one telephone number used to dial the telephone JJY service. The Hayes command ATDT is normally prepended to the number. The number can contain other modem control codes as well. -@item @code{reset} -@code{[@code{allpeers}]} -@code{[@code{auth}]} -@code{[@code{ctl}]} -@code{[@code{io}]} -@code{[@code{mem}]} -@code{[@code{sys}]} -@code{[@code{timer}]} +@item @code{reset} @code{[@code{allpeers}]} @code{[@code{auth}]} @code{[@code{ctl}]} @code{[@code{io}]} @code{[@code{mem}]} @code{[@code{sys}]} @code{[@code{timer}]} Reset one or more groups of counters maintained by @code{ntpd} and exposed by diff --git a/ntpd/ntp.conf.5man b/ntpd/ntp.conf.5man index fb5008321..6d8233ec9 100644 --- a/ntpd/ntp.conf.5man +++ b/ntpd/ntp.conf.5man @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp.conf 5man "21 Jan 2018" "4.2.8p10" "File Formats" +.TH ntp.conf 5man "22 Jan 2018" "4.2.8p10" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (in-mem file) .\" -.\" It has been AutoGen-ed January 21, 2018 at 12:41:58 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed January 22, 2018 at 11:49:11 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .SH NAME @@ -1665,7 +1665,7 @@ The subcommand specifies the probability of discard for packets that overflow the rate-control window. .TP 7 -.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] +.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[B-Font]ippeerlimit\f[] \f\*[I-Font]int\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] The \f\*[I-Font]address\f[] argument expressed in @@ -1689,6 +1689,15 @@ Note that text string \f\*[B-Font]default\f[], with no mask option, may be used to indicate the default entry. +The +\f\*[B-Font]ippeerlimit\f[] +directive limits the number of peer requests for each IP to +\f\*[I-Font]int\f[], +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, \f\*[B-Font]flag\f[] always @@ -1744,6 +1753,19 @@ This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. .TP 7 +.NOP \f\*[B-Font]noepeer\f[] +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +\fIntp.keys\f[] +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +\f\*[B-Font]noepeer\f[] +to become the default in ntp-4.4. +.TP 7 .NOP \f\*[B-Font]nomodify\f[] Deny \fCntpq\f[]\fR(1ntpqmdoc)\f[] @@ -1781,10 +1803,6 @@ include the \f\*[B-Font]nopeer\f[] directive. .TP 7 -.NOP \f\*[B-Font]noepeer\f[] -Deny packets that would mobilize an ephemeral peering association, -even if authenticated. -.TP 7 .NOP \f\*[B-Font]noserve\f[] Deny all packets except \fCntpq\f[]\fR(1ntpqmdoc)\f[] @@ -2819,9 +2837,7 @@ This option is useful for sites that run on multiple hosts, with (mostly) common options (e.g., a restriction list). .TP 7 -.NOP \f\*[B-Font]interface\f[] -[\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] -[\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]] +.NOP \f\*[B-Font]interface\f[] [\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] [\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]]] The \f\*[B-Font]interface\f[] directive controls which network addresses @@ -2991,8 +3007,7 @@ This is the same operation as the \f\*[B-Font]\-l\f[] command line option. .TP 7 -.NOP \f\*[B-Font]mru\f[] -[\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]] +.NOP \f\*[B-Font]mru\f[] [\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]] Controls size limite of the monitoring facility's Most Recently Used (MRU) list of client addresses, which is also used by the @@ -3077,14 +3092,7 @@ one telephone number used to dial the telephone JJY service. The Hayes command ATDT is normally prepended to the number. The number can contain other modem control codes as well. .TP 7 -.NOP \f\*[B-Font]reset\f[] -[\f\*[B-Font]allpeers\f[]] -[\f\*[B-Font]auth\f[]] -[\f\*[B-Font]ctl\f[]] -[\f\*[B-Font]io\f[]] -[\f\*[B-Font]mem\f[]] -[\f\*[B-Font]sys\f[]] -[\f\*[B-Font]timer\f[]] +.NOP \f\*[B-Font]reset\f[] [\f\*[B-Font]allpeers\f[]] [\f\*[B-Font]auth\f[]] [\f\*[B-Font]ctl\f[]] [\f\*[B-Font]io\f[]] [\f\*[B-Font]mem\f[]] [\f\*[B-Font]sys\f[]] [\f\*[B-Font]timer\f[]] Reset one or more groups of counters maintained by \f\*[B-Font]ntpd\f[] and exposed by diff --git a/ntpd/ntp.conf.5mdoc b/ntpd/ntp.conf.5mdoc index 8d3e971cb..c779405fa 100644 --- a/ntpd/ntp.conf.5mdoc +++ b/ntpd/ntp.conf.5mdoc @@ -1,9 +1,9 @@ -.Dd January 21 2018 +.Dd January 22 2018 .Dt NTP_CONF 5mdoc File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed January 21, 2018 at 12:41:54 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed January 22, 2018 at 11:49:08 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -1532,6 +1532,7 @@ subcommand specifies the probability of discard for packets that overflow the rate\-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1557,6 +1558,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1607,6 +1617,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp\-4.4. .It Cm nomodify Deny .Xr ntpq 1ntpqmdoc @@ -1641,9 +1663,6 @@ line as well that does include the .Cm nopeer directive. -.It Cm noepeer -Deny packets that would mobilize an ephemeral peering association, -even if authenticated. .It Cm noserve Deny all packets except .Xr ntpq 1ntpqmdoc @@ -2642,7 +2661,7 @@ This option is useful for sites that run .Xr ntpd 1ntpdmdoc on multiple hosts, with (mostly) common options (e.g., a restriction list). -.It Ic interface +.It Xo Ic interface .Oo .Cm listen | Cm ignore | Cm drop .Oc @@ -2652,6 +2671,7 @@ restriction list). .Oo Cm / Ar prefixlen .Oc .Oc +.Xc The .Cm interface directive controls which network addresses @@ -2818,13 +2838,14 @@ facility. This is the same operation as the .Fl l command line option. -.It Ic mru +.It Xo Ic mru .Oo .Cm maxdepth Ar count | Cm maxmem Ar kilobytes | .Cm mindepth Ar count | Cm maxage Ar seconds | .Cm initialloc Ar count | Cm initmem Ar kilobytes | .Cm incalloc Ar count | Cm incmem Ar kilobytes .Oc +.Xc Controls size limite of the monitoring facility's Most Recently Used (MRU) list of client addresses, which is also used by the @@ -2898,7 +2919,7 @@ For the JJY driver (type 40 mode 100 \- 180), the argument is one telephone number used to dial the telephone JJY service. The Hayes command ATDT is normally prepended to the number. The number can contain other modem control codes as well. -.It Ic reset +.It Xo Ic reset .Oo .Ic allpeers .Oc @@ -2920,6 +2941,7 @@ The number can contain other modem control codes as well. .Oo .Ic timer .Oc +.Xc Reset one or more groups of counters maintained by .Cm ntpd and exposed by diff --git a/ntpd/ntp.conf.def b/ntpd/ntp.conf.def index db2545ec6..40628713e 100644 --- a/ntpd/ntp.conf.def +++ b/ntpd/ntp.conf.def @@ -1534,6 +1534,7 @@ subcommand specifies the probability of discard for packets that overflow the rate-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1559,6 +1560,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of -1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1609,6 +1619,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp-4.4. .It Cm nomodify Deny .Xr ntpq 1ntpqmdoc @@ -1643,9 +1665,6 @@ line as well that does include the .Cm nopeer directive. -.It Cm noepeer -Deny packets that would mobilize an ephemeral peering association, -even if authenticated. .It Cm noserve Deny all packets except .Xr ntpq 1ntpqmdoc @@ -2644,7 +2663,7 @@ This option is useful for sites that run .Xr ntpd 1ntpdmdoc on multiple hosts, with (mostly) common options (e.g., a restriction list). -.It Ic interface +.It Xo Ic interface .Oo .Cm listen | Cm ignore | Cm drop .Oc @@ -2654,6 +2673,7 @@ restriction list). .Oo Cm / Ar prefixlen .Oc .Oc +.Xc The .Cm interface directive controls which network addresses @@ -2820,13 +2840,14 @@ facility. This is the same operation as the .Fl l command line option. -.It Ic mru +.It Xo Ic mru .Oo .Cm maxdepth Ar count | Cm maxmem Ar kilobytes | .Cm mindepth Ar count | Cm maxage Ar seconds | .Cm initialloc Ar count | Cm initmem Ar kilobytes | .Cm incalloc Ar count | Cm incmem Ar kilobytes .Oc +.Xc Controls size limite of the monitoring facility's Most Recently Used (MRU) list of client addresses, which is also used by the @@ -2900,7 +2921,7 @@ For the JJY driver (type 40 mode 100 - 180), the argument is one telephone number used to dial the telephone JJY service. The Hayes command ATDT is normally prepended to the number. The number can contain other modem control codes as well. -.It Ic reset +.It Xo Ic reset .Oo .Ic allpeers .Oc @@ -2922,6 +2943,7 @@ The number can contain other modem control codes as well. .Oo .Ic timer .Oc +.Xc Reset one or more groups of counters maintained by .Cm ntpd and exposed by diff --git a/ntpd/ntp.conf.man.in b/ntpd/ntp.conf.man.in index c311ea4aa..70cc30202 100644 --- a/ntpd/ntp.conf.man.in +++ b/ntpd/ntp.conf.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp.conf 5 "21 Jan 2018" "4.2.8p10" "File Formats" +.TH ntp.conf 5 "22 Jan 2018" "4.2.8p10" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (in-mem file) .\" -.\" It has been AutoGen-ed January 21, 2018 at 12:41:58 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed January 22, 2018 at 11:49:11 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .SH NAME @@ -1665,7 +1665,7 @@ The subcommand specifies the probability of discard for packets that overflow the rate-control window. .TP 7 -.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] +.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[B-Font]ippeerlimit\f[] \f\*[I-Font]int\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] The \f\*[I-Font]address\f[] argument expressed in @@ -1689,6 +1689,15 @@ Note that text string \f\*[B-Font]default\f[], with no mask option, may be used to indicate the default entry. +The +\f\*[B-Font]ippeerlimit\f[] +directive limits the number of peer requests for each IP to +\f\*[I-Font]int\f[], +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, \f\*[B-Font]flag\f[] always @@ -1744,6 +1753,19 @@ This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. .TP 7 +.NOP \f\*[B-Font]noepeer\f[] +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +\fIntp.keys\f[] +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +\f\*[B-Font]noepeer\f[] +to become the default in ntp-4.4. +.TP 7 .NOP \f\*[B-Font]nomodify\f[] Deny \fCntpq\f[]\fR(@NTPQ_MS@)\f[] @@ -1781,10 +1803,6 @@ include the \f\*[B-Font]nopeer\f[] directive. .TP 7 -.NOP \f\*[B-Font]noepeer\f[] -Deny packets that would mobilize an ephemeral peering association, -even if authenticated. -.TP 7 .NOP \f\*[B-Font]noserve\f[] Deny all packets except \fCntpq\f[]\fR(@NTPQ_MS@)\f[] @@ -2819,9 +2837,7 @@ This option is useful for sites that run on multiple hosts, with (mostly) common options (e.g., a restriction list). .TP 7 -.NOP \f\*[B-Font]interface\f[] -[\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] -[\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]] +.NOP \f\*[B-Font]interface\f[] [\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] [\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]]] The \f\*[B-Font]interface\f[] directive controls which network addresses @@ -2991,8 +3007,7 @@ This is the same operation as the \f\*[B-Font]\-l\f[] command line option. .TP 7 -.NOP \f\*[B-Font]mru\f[] -[\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]] +.NOP \f\*[B-Font]mru\f[] [\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]] Controls size limite of the monitoring facility's Most Recently Used (MRU) list of client addresses, which is also used by the @@ -3077,14 +3092,7 @@ one telephone number used to dial the telephone JJY service. The Hayes command ATDT is normally prepended to the number. The number can contain other modem control codes as well. .TP 7 -.NOP \f\*[B-Font]reset\f[] -[\f\*[B-Font]allpeers\f[]] -[\f\*[B-Font]auth\f[]] -[\f\*[B-Font]ctl\f[]] -[\f\*[B-Font]io\f[]] -[\f\*[B-Font]mem\f[]] -[\f\*[B-Font]sys\f[]] -[\f\*[B-Font]timer\f[]] +.NOP \f\*[B-Font]reset\f[] [\f\*[B-Font]allpeers\f[]] [\f\*[B-Font]auth\f[]] [\f\*[B-Font]ctl\f[]] [\f\*[B-Font]io\f[]] [\f\*[B-Font]mem\f[]] [\f\*[B-Font]sys\f[]] [\f\*[B-Font]timer\f[]] Reset one or more groups of counters maintained by \f\*[B-Font]ntpd\f[] and exposed by diff --git a/ntpd/ntp.conf.mdoc.in b/ntpd/ntp.conf.mdoc.in index 06364512b..20a652937 100644 --- a/ntpd/ntp.conf.mdoc.in +++ b/ntpd/ntp.conf.mdoc.in @@ -1,9 +1,9 @@ -.Dd January 21 2018 +.Dd January 22 2018 .Dt NTP_CONF 5 File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed January 21, 2018 at 12:41:54 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed January 22, 2018 at 11:49:08 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -1532,6 +1532,7 @@ subcommand specifies the probability of discard for packets that overflow the rate\-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1557,6 +1558,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1607,6 +1617,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp\-4.4. .It Cm nomodify Deny .Xr ntpq @NTPQ_MS@ @@ -1641,9 +1663,6 @@ line as well that does include the .Cm nopeer directive. -.It Cm noepeer -Deny packets that would mobilize an ephemeral peering association, -even if authenticated. .It Cm noserve Deny all packets except .Xr ntpq @NTPQ_MS@ @@ -2642,7 +2661,7 @@ This option is useful for sites that run .Xr ntpd @NTPD_MS@ on multiple hosts, with (mostly) common options (e.g., a restriction list). -.It Ic interface +.It Xo Ic interface .Oo .Cm listen | Cm ignore | Cm drop .Oc @@ -2652,6 +2671,7 @@ restriction list). .Oo Cm / Ar prefixlen .Oc .Oc +.Xc The .Cm interface directive controls which network addresses @@ -2818,13 +2838,14 @@ facility. This is the same operation as the .Fl l command line option. -.It Ic mru +.It Xo Ic mru .Oo .Cm maxdepth Ar count | Cm maxmem Ar kilobytes | .Cm mindepth Ar count | Cm maxage Ar seconds | .Cm initialloc Ar count | Cm initmem Ar kilobytes | .Cm incalloc Ar count | Cm incmem Ar kilobytes .Oc +.Xc Controls size limite of the monitoring facility's Most Recently Used (MRU) list of client addresses, which is also used by the @@ -2898,7 +2919,7 @@ For the JJY driver (type 40 mode 100 \- 180), the argument is one telephone number used to dial the telephone JJY service. The Hayes command ATDT is normally prepended to the number. The number can contain other modem control codes as well. -.It Ic reset +.It Xo Ic reset .Oo .Ic allpeers .Oc @@ -2920,6 +2941,7 @@ The number can contain other modem control codes as well. .Oo .Ic timer .Oc +.Xc Reset one or more groups of counters maintained by .Cm ntpd and exposed by diff --git a/tests/ntpd/run-ntp_restrict.c b/tests/ntpd/run-ntp_restrict.c index 6013bbf74..3303640f1 100644 --- a/tests/ntpd/run-ntp_restrict.c +++ b/tests/ntpd/run-ntp_restrict.c @@ -65,12 +65,12 @@ int main(int argc, char *argv[]) UnityBegin("ntp_restrict.c"); RUN_TEST(test_RestrictionsAreEmptyAfterInit, 63); RUN_TEST(test_ReturnsCorrectDefaultRestrictions, 90); - RUN_TEST(test_HackingDefaultRestriction, 102); - RUN_TEST(test_CantRemoveDefaultEntry, 126); - RUN_TEST(test_AddingNewRestriction, 138); - RUN_TEST(test_TheMostFittingRestrictionIsMatched, 152); - RUN_TEST(test_DeletedRestrictionIsNotMatched, 175); - RUN_TEST(test_RestrictUnflagWorks, 200); + RUN_TEST(test_HackingDefaultRestriction, 103); + RUN_TEST(test_CantRemoveDefaultEntry, 129); + RUN_TEST(test_AddingNewRestriction, 143); + RUN_TEST(test_TheMostFittingRestrictionIsMatched, 159); + RUN_TEST(test_DeletedRestrictionIsNotMatched, 184); + RUN_TEST(test_RestrictUnflagWorks, 211); return (UnityEnd()); }

Access Control Commands and Options

Related Links

Commands and Options