[ntp:hackers] What does "interface listen wildcard" do?

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Jul 14 01:39:47 UTC 2013

On Jul 13, 2013, at 9:11 AM, Danny Mayer <mayer at ntp.org> wrote:

> On 7/12/2013 8:20 PM, Brian Utterback wrote:
>> On 07/12/13 17:51, Danny Mayer wrote:
>>> On 7/12/2013 3:52 PM, Philip Prindeville wrote:
>>>> On Jul 12, 2013, at 6:03 AM, Brian Utterback
>>>> <brian.utterback at oracle.com> wrote:
>>>>> On 7/12/2013 11:59 AM, Danny Mayer wrote:
>>>>>> It's not as simple as that. Admins want to make sure that NTP clients
>>>>>> don't try that address for NTP packets. They actually want it to return
>>>>>> "refused" so that those clients don't try. Accepting and dropping
>>>>>> packets means that something is accepting the packets. Dropping them is
>>>>>> not the same thing at all.
>>>>> As I pointed out, we listen on the wildcard address now, by default.
>>>>> We don't refuse them, we drop them right now.
>>>>> Brian Utterback
>>>> You can't refuse the packet: it's a stateless connection.
>>> Exactly. That was my point.
>>> Danny
>> Now I am confused. As Philip said at another point in the thread, from
>> the point of view of the sender, either a response comes back (read and
>> accepted), no response comes back (read and dropped) or an ICMP comes
>> back (nobody listening at that socket).  For packets that would be
>> delivered to the wildcard address socket, the second scenario occurs,
>> that is no response comes back.
> Yes you are confused. This is not just about the receiving ntpd server,
> it's also about the sender. If the sender gets nothing back it's not the
> same as getting a connection refused error.

I guess I don't understand how you have a "connection refused" on a connectionless protocol.


> If you have multiple
> addresses on a system and you want ntp packets to only go to one of
> those addresses you definitely want the sender to get a connection
> refused message on any other address. This is an admin matter.
>> From the point of view of ntpd, either the packet is read and delivered
>> to the application or the application never sees it. Currently the
>> former occurs, the packet is read on the socket that is bound to the
>> wildcard and then dropped.
> That's not what we are talking about. A server can do anything it likes
> with a packet that's been received.
> Danny
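
The three sender-side outcomes listed in the quoted text (a response, no response, an ICMP error), reproduced on loopback as an added example that is not part of the original thread or of ntpd. The function names are hypothetical, and it assumes a Linux-style stack, where an ICMP port-unreachable is reported to a connect()ed UDP socket as ECONNREFUSED.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"

def start_listener(reply):
    """Bind UDP on an ephemeral loopback port; echo each datagram or read and drop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    def loop():
        while True:
            data, peer = srv.recvfrom(512)   # the application reads the packet
            if reply:
                srv.sendto(data, peer)       # answered; otherwise silently dropped
    threading.Thread(target=loop, daemon=True).start()
    return srv  # the thread's closure keeps the socket open until process exit

def closed_port():
    """Return a loopback UDP port that was just released, so nothing is bound to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]

def probe(port, timeout=1.0):
    """Send one datagram and classify what the sender observes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it only fixes the peer so that an
        # ICMP error for that peer can be reported on this socket.
        s.connect((LOOPBACK, port))
        try:
            s.send(b"probe")
            s.recv(512)
            return "response"
        except ConnectionRefusedError:
            return "icmp-unreachable"
        except socket.timeout:
            return "no-response"

def demo():
    echo, drop = start_listener(reply=True), start_listener(reply=False)
    return {
        "answered": probe(echo.getsockname()[1]),
        "read and dropped": probe(drop.getsockname()[1]),
        "nobody listening": probe(closed_port()),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:17} -> {outcome}")
```

An unconnected UDP socket using sendto()/recvfrom() would normally just time out in the third case as well, since the ICMP error is not matched to it by default.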
