On Tue, 22 Aug 2023 at 18:48, Edward McGuire <met...@gmail.com> wrote:
> I'm coming back to this issue because the solution I tried:
>
> ntpq> :config restrict 17.253.2.123 ignore
> ntpq> :config unpeer 17.253.2.123
>
> ultimately doesn't work. The "unpeer" drops the pool peer, but later the
> pool peer is "rediscovered" despite the "restrict ignore". Apparently the
> client maintains the association indefinitely. Evidence for this is that
> "ntpdc -n -c reslist" returns:
>
> 17.253.2.123 255.255.255.255 0 ignore
> 17.253.2.123 255.255.255.255 366 source, noquery, nomodify,
>         notrap, limited, kod
>
> The first entry is the "restrict ignore" ACE I entered manually. The
> second is the "restrict source" ACE that still exists even after the
> "unpeer".
>
> Short of restarting NTP, or adding an entry to my nftables firewall, is
> there a way to drop the association with the bad peer so it doesn't keep
> coming back?

I don't know of one, but a better solution to me is that the "restrict source" restriction shouldn't be added if there's already a host-specific restriction in place. Please file a bug report requesting this.