On 6/14/16, Achim Gratz <[email protected]> wrote:
> Sorry for the sidetracking, but while you mention iptables: if we can
> presume the existence of a packet filter in the OS, would it perhaps
> make sense to not implement that part of the filtering in ntpd and leave
> it to that filter?

No, because most of the time you're going to want to filter on the contents of the NTP packet and/or the state of your association with a peer, not just on the UDP/IP headers. iptables generally can't do that, barring various crude hacks involving the U32 target and/or connection tracking.

_______________________________________________
devel mailing list
[email protected]
http://lists.ntpsec.org/mailman/listinfo/devel
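
To illustrate the distinction drawn in the reply above, here is an added example (not from the thread and not ntpd's code): three constructed packets look identical to a port-123 header rule, while a filter that reads the NTP mode and checks the origin timestamp against association state treats them differently. The policy, the function names and the peer address are assumptions made for this sketch.

```python
import struct

MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
HEADER = struct.Struct("!B3x3I4Q")  # 48-byte NTP header, timestamps as 64-bit

def build_packet(mode, origin=0, transmit=0, version=4):
    """Constructed sample data: a 48-byte NTP header with the given fields."""
    return HEADER.pack((version << 3) | mode, 0, 0, 0, 0, origin, 0, transmit)

def header_only_filter(sport, dport):
    """All a UDP/IP rule sees: is this traffic on the NTP port?"""
    return 123 in (sport, dport)

def ntp_filter(payload, src, pending, control_allowed=frozenset()):
    """Hypothetical policy. `pending` maps peer -> transmit timestamp of our
    outstanding request to that peer (the association state)."""
    if not payload:
        return "drop: empty"
    mode = payload[0] & 0x07          # low three bits of the first byte
    if mode in (MODE_CONTROL, MODE_PRIVATE):
        return "accept" if src in control_allowed else "drop: control mode"
    if len(payload) < HEADER.size:
        return "drop: short"
    origin = HEADER.unpack_from(payload)[5]
    if mode == MODE_CLIENT:
        return "accept"
    if mode == MODE_SERVER:
        # A genuine reply echoes our transmit timestamp in its origin field.
        if origin == 0 or pending.get(src) != origin:
            return "drop: unsolicited or origin mismatch"
        del pending[src]              # one reply per outstanding request
        return "accept"
    return "drop: mode not served"

def demo():
    peer = "192.0.2.10"               # documentation address, constructed
    pending = {peer: 0xE3A1B2C300000001}
    packets = [
        build_packet(MODE_SERVER, origin=0xE3A1B2C300000001),  # matches request
        build_packet(MODE_SERVER, origin=0xDEADBEEF00000000),  # does not match
        build_packet(MODE_CONTROL),                            # control query
    ]
    # Same addresses and ports every time; only the payload and state differ.
    return [(header_only_filter(123, 123), ntp_filter(p, peer, pending))
            for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```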
