[ntp:hackers] What does "interface listen wildcard" do?

Danny Mayer mayer at ntp.org
Sat Jul 13 15:11:57 UTC 2013


On 7/12/2013 8:20 PM, Brian Utterback wrote:
> On 07/12/13 17:51, Danny Mayer wrote:
>> On 7/12/2013 3:52 PM, Philip Prindeville wrote:
>>> On Jul 12, 2013, at 6:03 AM, Brian Utterback
>>> <brian.utterback at oracle.com> wrote:
>>>
>>>> On 7/12/2013 11:59 AM, Danny Mayer wrote:
>>>>> It's not as simple as that. Admins want to make sure that NTP clients
>>>>> don't try that address for NTP packets. They actually want it to return
>>>>> "refused" so that those clients don't try. Accepting and dropping
>>>>> packets means that something is accepting the packets. Dropping them is
>>>>> not the same thing at all.
>>>> As I pointed out, we listen on the wildcard address now, by default.
>>>> We don't refuse them, we drop them right now.
>>>>
>>>> Brian Utterback
>>>
>>> You can't refuse the packet: it's a stateless connection.
>>>
>> Exactly. That was my point.
>>
>> Danny
>>
> 
> Now I am confused. As Philip said at another point in the thread, from
> the point of view of the sender, either a response comes back (read and
> accepted), no response comes back (read and dropped) or an ICMP comes
> back (nobody listening at that socket).  For packets that would be
> delivered to the wildcard address socket, the second scenario occurs,
> that is no response comes back.

Yes, you are confused. This is not just about the receiving ntpd server,
it's also about the sender. If the sender gets nothing back, it's not the
same as getting a connection refused error. If you have multiple
addresses on a system and you want NTP packets to go only to one of
those addresses, you definitely want the sender to get a connection
refused message on any other address. This is an admin matter.

> 
> From the point of view of ntpd, either the packet is read and delivered
> to the application or the application never sees it. Currently the
> former occurs, the packet is read on the socket that is bound to the
> wildcard and then dropped.
> 

That's not what we are talking about. A server can do anything it likes
with a packet that's been received.

Danny
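As an added illustration (not part of the thread, and not ntpd code), the following Python script shows the difference being argued about from the sender's side: a datagram sent to a port with no socket bound comes back as an ICMP port unreachable, which a connected UDP socket surfaces as ECONNREFUSED, while a datagram accepted by a wildcard-bound socket and then read and dropped produces only silence. Everything runs over loopback; the 48-byte payload is constructed and the ports are ephemeral.

```python
import socket

# Constructed 48-byte payload: NTP packet size, contents irrelevant here.
PAYLOAD = b"\x23" + b"\x00" * 47

def probe(dst_addr, port, timeout=0.5):
    """Send one datagram; return 'reply', 'refused' (ICMP port unreachable
    surfaced as ECONNREFUSED), 'timeout' (silence) or 'error:<errno>'."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(timeout)
    try:
        # connect() a UDP socket so asynchronous ICMP errors are reported to it
        c.connect((dst_addr, port))
        c.send(PAYLOAD)
        c.recv(1024)
        return "reply"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return "error:%s" % e.errno
    finally:
        c.close()

def unused_port():
    """Pick a UDP port nobody is bound to by binding and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo():
    """Compare the two scenarios from the thread as seen by the sender."""
    results = {}
    # 1. Nobody bound on the port: the kernel answers with ICMP port unreachable.
    results["nobody_listening"] = probe("127.0.0.1", unused_port())
    # 2. A socket bound to the wildcard address accepts the datagram and the
    #    application reads and drops it: the sender only sees silence.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", 0))
    results["wildcard_drop"] = probe("127.0.0.1", listener.getsockname()[1])
    listener.settimeout(1.0)
    datagram, _peer = listener.recvfrom(1024)  # read it, then drop it
    results["wildcard_delivered_bytes"] = len(datagram)
    listener.close()
    return results
```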

