As you added the functionality, can you send this version ? I will test as well on my own.
вт, 5 сент. 2023 г. в 13:54, Miroslav Lichvar <mlich...@redhat.com>: > On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote: > > I may be wrong but as I understand that binding to an address is almost > the > > same as binding to an interface. > > I think those are two different things. In chrony there is the > binddevice directive for binding to a device. It can be used only once > for the same reasons as bindaddress. > > > Maybe I am wrong, again. > > And it is meaning that an appropriate opened socket will receive packers > > only from the corresponding interface, of course if IP forwarding, source > > nat and so on is not set up. > > I ran a test. I started the server with 'bindaddress 192.168.50.2' and > checked tcpdump output on the other interface, which has network > 192.168.70.0/24 and no other routes. > > 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, > length 48 > 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, > length 48 > > It is happily responding to clients sending to the bound address, even > if it's a different interface. IP forwarding is disabled. There is no > NAT. The rp_filter setting doesn't seem to affect this. I think it's > supposed to check only the source address. > > > So, it can be checked practically. > > Is it true or false. > > When you will add such functionality, I will build a new version of > chrony > > and will turn off nat, ip forwarding and will launch tcpdump and will see > > what happens on the lan interface when some client from dmz sends a > request > > to dmz interface. > > That is, will any packets come to the lan interface or not. > > You can verify that with single bindaddress. > > If you really need multiple addresses, you can start multiple servers > instances as explained here: > > https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client > > -- > Miroslav Lichvar > > > -- > To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with > "unsubscribe" in the subject. > For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the > subject. > Trouble? Email listmas...@chrony.tuxfamily.org. > >
