Maybe do multiple binddevice instead for the specified purpose?

Tue, 5 Sep 2023 at 15:17, CpServiceSPb <cpservice...@gmail.com>:

> I don't understand how packets are thrown between interfaces with IP
> forwarding off.
> Maybe nevertheless there is 0.0.0.0 binding.
>
> Tue, 5 Sep 2023 at 15:10, CpServiceSPb <cpservice...@gmail.com>:
>
>> As you added the functionality, can you send this version?
>> I will test as well on my own.
>>
>> Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar <mlich...@redhat.com>:
>>
>>> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
>>> > I may be wrong but as I understand that binding to an address is almost the
>>> > same as binding to an interface.
>>>
>>> I think those are two different things. In chrony there is the
>>> binddevice directive for binding to a device. It can be used only once
>>> for the same reasons as bindaddress.
>>>
>>> > Maybe I am wrong, again.
>>> > And it is meaning that an appropriate opened socket will receive packets
>>> > only from the corresponding interface, of course if IP forwarding, source
>>> > nat and so on is not set up.
>>>
>>> I ran a test. I started the server with 'bindaddress 192.168.50.2' and
>>> checked tcpdump output on the other interface, which has network
>>> 192.168.70.0/24 and no other routes.
>>>
>>> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48
>>> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, length 48
>>>
>>> It is happily responding to clients sending to the bound address, even
>>> if it's a different interface. IP forwarding is disabled. There is no
>>> NAT. The rp_filter setting doesn't seem to affect this. I think it's
>>> supposed to check only the source address.
>>>
>>> > So, it can be checked practically.
>>> > Is it true or false.
>>> > When you will add such functionality, I will build a new version of chrony
>>> > and will turn off nat, ip forwarding and will launch tcpdump and will see
>>> > what happens on the lan interface when some client from dmz sends a request
>>> > to dmz interface.
>>> > That is, will any packets come to the lan interface or not.
>>>
>>> You can verify that with a single bindaddress.
>>>
>>> If you really need multiple addresses, you can start multiple server
>>> instances as explained here:
>>>
>>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>>>
>>> --
>>> Miroslav Lichvar
>>>
>>> --
>>> To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with
>>> "unsubscribe" in the subject.
>>> For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in
>>> the subject.
>>> Trouble? Email listmas...@chrony.tuxfamily.org.
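An added check (not code from the thread or from chrony) that reads tcpdump lines in the format Miroslav posted and flags NTP packets whose local NTP endpoint lies outside the capture interface's subnet, which is exactly the "answering on the bound address via another interface" case he observed. The capture subnet and the third, in-subnet sample line are constructed assumptions.

```python
import ipaddress
import re

# tcpdump line format as posted in the thread, e.g.
# 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): NTPv4, (?P<mode>Client|Server)"
)


def ntp_off_subnet(lines, capture_subnet):
    """Return (timestamp, mode, local_ntp_address) for each NTP packet seen on
    the capture interface whose local NTP endpoint is outside that interface's
    subnet, i.e. the server is serving a bound address through another interface."""
    net = ipaddress.ip_network(capture_subnet)
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an NTP line in the expected format; skip
        # For a client request the local NTP endpoint is the destination,
        # for the server reply it is the source.
        local = m["dst"] if m["mode"] == "Client" else m["src"]
        if ipaddress.ip_address(local) not in net:
            findings.append((m["ts"], m["mode"], local))
    return findings


# Constructed sample: the two lines from the thread plus one in-subnet exchange.
SAMPLE_CAPTURE = [
    "10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48",
    "10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, length 48",
    "10:46:42.000000 IP 192.168.70.1.53545 > 192.168.70.2.ntp: NTPv4, Client, length 48",
]

if __name__ == "__main__":
    # Assumed: the capture was taken on the 192.168.70.0/24 interface.
    for ts, mode, addr in ntp_off_subnet(SAMPLE_CAPTURE, "192.168.70.0/24"):
        print(f"{ts} {mode} packet for NTP address {addr} outside capture subnet")
```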