Re: [chrony-dev] Multihomed (multiple) network interfaces support !



I don't understand how packets are thrown between interfaces with IP forwarding off.
Maybe there is nevertheless a 0.0.0.0 binding.


Tue, 5 Sep 2023 at 15:10, CpServiceSPb <cpservicespb@xxxxxxxxx>:
As you added the functionality, can you send this version ?
I will test as well on my own.


Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar <mlichvar@xxxxxxxxxx>:
On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> I may be wrong but as I understand that binding to an address is almost the
> same as binding to an interface.

I think those are two different things. In chrony there is the
binddevice directive for binding to a device. It can be used only once
for the same reasons as bindaddress.

> Maybe I am wrong, again.
> And it is meaning that an appropriate opened socket will receive packets
> only from the corresponding interface, of course if IP forwarding, source
> NAT and so on are not set up.

I ran a test. I started the server with 'bindaddress 192.168.50.2' and
checked tcpdump output on the other interface, which has network
192.168.70.0/24 and no other routes.

10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48
10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, length 48

It is happily responding to clients sending to the bound address, even
if it's a different interface. IP forwarding is disabled. There is no
NAT. The rp_filter setting doesn't seem to affect this. I think it's
supposed to check only the source address.

> So, it can be checked practically.
> Is it true or false?
> When you add such functionality, I will build a new version of chrony,
> turn off NAT and IP forwarding, launch tcpdump and see
> what happens on the LAN interface when some client from the DMZ sends a request
> to the DMZ interface.
> That is, whether any packets will come to the LAN interface or not.

You can verify that with a single bindaddress.

If you really need multiple addresses, you can start multiple server
instances as explained here:
https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client

--
Miroslav Lichvar
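The check proposed in this thread, running tcpdump on the LAN interface to see whether NTP traffic for the DMZ-side bound address shows up there, as an added worked example that is not part of the thread or of chrony itself. It parses the output of `tcpdump -i any` (tcpdump 4.99 and later prefix each packet with the interface name and direction when capturing on the Linux "any" pseudo-interface; that format is assumed here) and flags every NTP packet that involves the bound address but was seen on an interface other than the one it is supposed to serve. The capture lines, interface names (`dmz0`, `lan0`) and host addresses are constructed for the example, modelled on the tcpdump lines Miroslav posted; only IPv4 lines are handled.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed line format: tcpdump 4.99+ on "-i any" prints interface and direction
# before the IP header, e.g.
#   10:46:41.686783 lan0  In  IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48
# Lines from a single-interface capture (no ifname/direction prefix) do not match
# and are skipped, as is any non-NTP traffic.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<ifname>\S+)\s+(?P<direction>[A-Za-z]+)\s+"
    r"IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+"
    r"NTPv\d,\s+(?P<mode>\w+),"
)

# tcpdump prints well-known ports by name unless run with -n.
SERVICE_PORTS = {"ntp": 123}


@dataclass
class NtpPacket:
    ts: str
    ifname: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    mode: str  # "Client" or "Server", as printed by tcpdump's NTP decoder


def split_hostport(token: str):
    """'192.168.50.2.ntp' -> ('192.168.50.2', 123); the port is the last dotted field."""
    host, port = token.rsplit(".", 1)
    port_no = SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)
    return host, port_no


def parse_line(line: str) -> Optional[NtpPacket]:
    """Return an NtpPacket for an NTP line in the assumed format, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport = split_hostport(m["src"])
    dst, dport = split_hostport(m["dst"])
    return NtpPacket(m["ts"], m["ifname"], m["direction"], src, sport, dst, dport, m["mode"])


def find_leaks(lines: Iterable[str], bound_addr: str, expected_if: str) -> List[NtpPacket]:
    """NTP packets to or from bound_addr that were seen on an interface other
    than expected_if. With bindaddress alone, a reply to a client on another
    interface will show up here; with an interface-restricting firewall rule
    or binddevice it should not."""
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if bound_addr in (pkt.src, pkt.dst) and pkt.ifname != expected_if:
            leaks.append(pkt)
    return leaks


def describe(pkt: NtpPacket) -> str:
    return (f"{pkt.ts} {pkt.ifname} {pkt.direction}: NTP {pkt.mode} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


# Constructed capture, not real data: 192.168.50.2 is the DMZ-side address
# chronyd is bound to, dmz0 is the interface that address belongs to, and
# 192.168.70.1 is a host on the LAN side (lan0).
SAMPLE_CAPTURE = [
    "10:46:40.101000 dmz0  In  IP 192.168.50.7.40123 > 192.168.50.2.ntp: NTPv4, Client, length 48",
    "10:46:40.101080 dmz0  Out IP 192.168.50.2.ntp > 192.168.50.7.40123: NTPv4, Server, length 48",
    "10:46:41.686783 lan0  In  IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48",
    "10:46:41.686863 lan0  Out IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, length 48",
    "10:46:42.000000 lan0  In  IP 192.168.70.1.51000 > 192.168.70.2.53: 12345+ A? example.org. (29)",
]

if __name__ == "__main__":
    for pkt in find_leaks(SAMPLE_CAPTURE, "192.168.50.2", "dmz0"):
        print("unexpected:", describe(pkt))
```

To use it on a real host, save the capture with something like `tcpdump -i any -n -l udp port 123` and feed the lines to `find_leaks` with the address from the `bindaddress` directive and the interface that address lives on. An empty result means the host is not answering the bound address on other interfaces; a non-empty one is exactly what the test in this thread produced, and the usual remedies are a firewall rule dropping UDP/123 arriving on the wrong interface or, if a single device is acceptable, chrony's `binddevice` directive.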

