On 6/7/2010 4:50 AM, Hal Murray wrote:
> In article <[email protected]>,
> Danny Mayer <[email protected]> writes:
>> On 6/6/2010 3:24 AM, Hal Murray wrote:
>>> https://bugs.ntp.org/show_bug.cgi?id=1568
>>>
>>> Dave Hart points out that ntp-dev has a server option to the restrict
>>> command.
>>>
>>> Description here:
>>> http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
>>>
>>> Would somebody who uses restrict please check to see if this
>>> does what you want.
>>>
>> Hal,
>>
>> If this is about my suggestion to add a server option for restrict lines
>> to allow easier control of packets from servers defined in the various
>> server/pool, etc. lines then neither of these references describe that.
>
> Both mention >restrict server<
>
> Yes, the part in accopt.html is hidden in the fine print.
>

Actually they mention restrict source, not restrict server. There is
essentially no description of what this option is or what it does. There
needs to be a documentation effort to explain clearly the usage and why
and when to use it.

>> The goal is to allow through packets from the servers you list even
>> though there may be other restrict lines.
>
> I think >restrict server< will do that.
>
> I hope somebody more familiar with restrict will double check.
>
>> I'm not sure I understand the intention of your note.
>>
>> Danny
>
> There have been occasional discussions here about the interactions
> of DNS with restrict. There was one recently. I entered the
> bug to collect thoughts and keep it from falling through the cracks.
>
> It's possible that some work on the documentation will make
> me happy and help others avoid confusion. I think it's simple
> after you understand it, but it took me a while to figure that
> out and I'm not really sure I've got it right.
>
> I think part of my confusion is that there are two things
> you might want to do with restrict and DNS.
>
> One is the case you mention, let through packets from servers that
> are looked up via DNS when your restrict line would otherwise
> block them. I think the current code will do that.
>
> The other possibility is to block servers from a CIDR block,
> even if you get one from DNS. This isn't interesting if
> you trust the people running the servers you are using
> and if you don't trust them, why are you using their servers?
> But you might want to skip servers in XXX (pick your favorite
> bad guy) even if they make it into the pool.
>

This one is not clear. If you want to specify a restriction on a block,
I seem to recall that you can use a netmask. I don't think you can do a
/24 style subnet yet unless Dave Hart has implemented that.

Danny
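An ntp.conf fragment for the first case Hal describes (a default-deny restrict policy that still lets DNS-resolved server/pool addresses through), added here as an illustration; it is not from this thread or from the NTP project's own documentation. It assumes the ntp-dev `restrict source` option as described in accopt.html, and the hostname and network range are constructed placeholders.

```conf
# Default policy for anyone not matched by a more specific line:
# serve time only, rate-limit, send kiss-o'-death to abusers, and
# refuse control queries, modifications, traps and new associations.
restrict default kod limited nomodify nopeer noquery notrap
restrict -6 default kod limited nomodify nopeer noquery notrap

# The local host keeps full access (ntpq/ntpdc run on the box itself).
restrict 127.0.0.1
restrict -6 ::1

# Template applied by ntp-dev to each address a server/pool line
# resolves to via DNS.  Because it omits nopeer and ignore, packets
# from those servers are accepted even though the default line would
# otherwise block them; nomodify/noquery/notrap still apply to them.
restrict source nomodify noquery notrap

# Upstream sources looked up via DNS.  Their addresses are not known
# when ntp.conf is written, so a static restrict line cannot list them.
pool 0.pool.ntp.org iburst
# placeholder hostname
server time.example.com iburst

# Blocking a whole network uses the netmask form Danny mentions.
# 192.0.2.0/24 is a constructed documentation range, not a real block;
# whether this overrides an address admitted by restrict source is the
# open question raised in the thread, not something this example settles.
restrict 192.0.2.0 mask 255.255.255.0 ignore
```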
