Re: [chrony-dev] Multihomed (multiple) network interfaces support !

[CpServiceSPb <cpservicespb@xxxxxxxxx>]

As I found out unfortunately we are both right.

But I am right for BSD and Vista+ OSes, you are right  for Linux OSes.

I am talking about  Weak and Strong ES modes.

Due to Weak ES mode in Linux OSes, please remake a test but change a little bit test conditions:

When aiming for Strong ES Model in Linux, you'll first need these sysctl settings:
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_ignore=1 # or even 2
net.ipv4.conf.all.arp_announce=2

And I see the only way is to implement not bindaddress but binddevice available multiple times for listening and receiving requests to.

To avoid a quite complicated setting up of Linux OSes.

Additionally, lhere are:

https://stackoverflow.com/questions/33917575/choosing-socket-output-interface-so-bindtodevice-vs-bind-before-connect
https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc137807(v=msdn.10)?redirectedfrom=MSDN
https://networkengineering.stackexchange.com/questions/59836/bind-to-specific-address
https://unix.stackexchange.com/questions/258810/linux-source-routing-strong-end-system-model-strong-host-model
https://wiki.treck.com/Appendix_C:_Strong_End_System_Model_/_Weak_End_System_Model

вт, 5 сент. 2023 г. в 15:31, CpServiceSPb <cpservicespb@xxxxxxxxx>:

Maybe did multiple binddeviceinstead for the specified purpose ?

вт, 5 сент. 2023 г. в 15:17, CpServiceSPb <cpservicespb@xxxxxxxxx>:

I don' t understand how packets are thrown between interfaces with IP forwarding off.

Maybe nevertheless there is 0.0.0.0 binding.

вт, 5 сент. 2023 г. в 15:10, CpServiceSPb <cpservicespb@xxxxxxxxx>:

As you added the functionality, can you send this version ?

I will test as well on my own.

вт, 5 сент. 2023 г. в 13:54, Miroslav Lichvar <mlichvar@xxxxxxxxxx>:

On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> I may be wrong but as I understand that binding to an address is almost the
> same as binding to an interface.

I think those are two different things. In chrony there is the
binddevice directive for binding to a device. It can be used only once
for the same reasons as bindaddress.

> Maybe I am wrong, again.
> And it is meaning that an appropriate opened socket will receive packers
> only from the corresponding interface, of course if IP forwarding, source
> nat and so on is not set up.

I ran a test. I started the server with 'bindaddress 192.168.50.2' and
checked tcpdump output on the other interface, which has network
192..168.70.0/24 and no other routes.

10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 48
10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, length 48

It is happily responding to clients sending to the bound address, even
if it's a different interface. IP forwarding is disabled. There is no
NAT. The rp_filter setting doesn't seem to affect this. I think it's
supposed to check only the source address.

> So, it can be checked practically.
> Is it true or false.
> When you will add such functionality, I will build a new version of chrony
> and will turn off nat, ip forwarding and will launch tcpdump and will see
> what happens on the lan interface when some client from dmz sends a request
> to dmz interface.
> That is, will any packets come to the lan interface or not.

You can verify that with single bindaddress.

If you really need multiple addresses, you can start multiple servers
instances as explained here:
https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client

--
Miroslav Lichvar


--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.