[ntp:questions] Clarification on 'discard' command, and possibly 'mru'...

Jason Rabel jasonrabel99 at gmail.com
Wed Dec 26 02:33:12 UTC 2018


I'm trying to tweak my ntp configuration so it will drop packets as
appropriate instead of using my firewall & hashlimit... (For reference, I'm
running the latest 4.2.8p12)

Apparently the relevant commands (beyond setting limited & kod) are
'discard' and 'mru'.

'discard' has three settings: average, minimum, and monitor.

Documentation is kind of conflicting over the first two settings, some say
the defaults are 3 & 1, some say 3 & 2, others say 5 & 2... I haven't dug
through the source yet to see what the true defaults are. Also the docs
say the first is in log2s, but the other is just in seconds??? I'm
assuming the second setting should also be log2s as *most* things in NTP
are that way. However, it's the third setting (monitor) that has me
scratching my head.

The doc for 'monitor' merely says, "specifies the discard probability for
packets once the permitted rate limits have been exceeded. The default
value is 3000 seconds. This option is intended for servers that receive
1000 or more requests per second."

I don't understand what it means by "discard probability" while also
mentioning "3000 seconds"... Probability to me would mean setting some sort
of percentage... I'm not sure how the time value of 50 minutes relates?

The 'mru' command docs are pretty clear, no issues with any of those
settings.

While on the subject, I've also noticed some documentation mentioning the
'limited' command in relation to grouping requests by subnets?

"These hosts are subject to limitation of number of clients from the same
net. Net in this context refers to the IP notion of net (class A, class B,
class C, etc.). Only the first client_limit hosts that have shown up at the
server and that have been active during the last client_limit_period
seconds are accepted. Requests from other clients from the same net are
rejected. Only time request packets are taken into account. Query packets
sent by the ntpq and ntpdc programs are not subject to these limits. A
history of clients is kept using the monitoring capability of ntpd. Thus,
monitoring is always active as long as there is a restriction entry with
the limited flag."

I've searched and searched and can't really find any further discussion
about this. I'm assuming if you did a 'restrict address mask ...' then it
would limit based on the mask... But what about the default restrict line?
In that instance I would assume rate limiting is based on individual IP? Is
there a way to set a 'default' with limiting grouped by say class C subnets?
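Added illustration, not part of the post and not ntpd's source: a simplified per-client model of the 'discard average' / 'discard minimum' check, with both thresholds read as log2 seconds (the poster's assumption) and the pair 3 & 2 taken from the candidate defaults the post lists; the smoothing weight and the accept/kod/drop labels are assumptions of this model.

```python
# Simplified model of ntpd-style per-client rate limiting (assumption: not
# ntpd's actual code). Thresholds are log2 seconds, so average=3 means an
# average spacing of 8 s and minimum=2 a hard floor of 4 s between packets.
AVERAGE_LOG2 = 3   # minimum *average* inter-packet spacing, log2 s (8 s)
MINIMUM_LOG2 = 2   # minimum spacing between any two packets, log2 s (4 s)
DECAY = 4.0        # smoothing weight of the running average (model choice)


class ClientState:
    """Per-source-address state, the kind of entry an MRU list would hold."""

    def __init__(self):
        self.last = None   # arrival time of the previous packet
        self.avg = None    # running average inter-packet interval (seconds)


def check_packet(state, now, average=AVERAGE_LOG2, minimum=MINIMUM_LOG2):
    """Classify one packet: 'accept', 'kod' (rate-limited, answer with a
    KoD when the kod flag is set) or 'drop' (burst below the hard minimum)."""
    min_gap = 2 ** minimum
    avg_gap = 2 ** average
    if state.last is None:
        # First packet from this address: start the average at the limit.
        state.last, state.avg = now, float(avg_gap)
        return "accept"
    interval = now - state.last
    state.last = now
    # Exponentially weighted running average of the spacing.
    state.avg += (interval - state.avg) / DECAY
    if interval < min_gap:
        return "drop"          # two packets closer than 2^minimum seconds
    if state.avg < avg_gap:
        return "kod"           # sustained rate above 1 per 2^average seconds
    return "accept"


def replay(timestamps):
    """Run a constructed sequence of arrival times (seconds) for one client."""
    state = ClientState()
    return [check_packet(state, t) for t in timestamps]


if __name__ == "__main__":
    # Constructed input: polite 16 s polls, then a 3-packet burst, then recovery.
    print(replay([0, 16, 32, 33, 34, 64]))
    # Constructed input: steady 5 s polling, within the floor but over the average.
    print(replay([0, 5, 10]))
```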

