Re: [chrony-users] help with bindacqaddress



Your clients shouldn't need to bind to an address, so bindacqaddress is not needed there. Are the NTP clients you are migrating from configured to work as peers on the network? The peer setting in chrony works a bit differently than with ntpd... probably worth digging into the chrony FAQ and documentation regarding things.

If it is not possible to avoid configuring servers that might be routed through the VPN, then iptables is probably best. If the iptables setup is simple (or completely open :-o), adding the following rule should keep chrony from using the tun.

-I OUTPUT -o tun0 -p udp -m udp --dport 123 -j REJECT -m comment --comment "no ntp out to tun0"

("-I" instead of "-A" to insert it before a possible rule that might allow everything outbound.) The exact rule depends on how iptables is set up in your system; there are many ways to do it, but it should work.
If your tun0 routes IPv6 also, then do the same for your ip6tables.


As Bill mentioned, "chronyc" can be used to change settings without restarting. It can be used from the command line or as a CLI similar to "ntpq".





Best regards....

...Mike


   


On Tue, May 26, 2020 at 5:27 PM Giacomo Comes <comes@xxxxxxxx> wrote:
On Tue, May 26, 2020 at 09:42:03AM +0200, Miroslav Lichvar wrote:
> On Mon, May 25, 2020 at 11:24:41AM -0400, Giacomo Comes wrote:
> > with chrony the equivalent command should be:
> >   bindacqaddress <ip>
> > and while this works with a network interface with static
> > ip address, it is troublesome with DHCP.
> > (I need to change chrony.conf and restart chronyd every
> > time the ip address changes).
> > Am I missing something?
>
> No, there is currently no way to specify the interface for NTP
> requests.
>
> > Could bindacqaddress be changed to
> > have as argument also the network interface name instead of
> > the ip address?
>
> It could, at least in theory. The trouble is with portability. I'm not
> sure how to bind a socket to a specific interface on non-Linux
> systems. There is a possibility of getting addresses of all
> interfaces, but I suspect that would be too expensive to do with each
> request. ntpd is continuously tracking all interfaces. That's complex,
> requires a lot of OS-specific code, and not really acceptable for
> chrony.
>
> As a workaround, maybe you could use policy routing (ip rule) to
> select the interface for NTP packets?

It could be done with policy routing or iptables (or using a cronjob script).
I was asking because having the possibility to use:
  bindacqaddress eth0
would have been easier.

Giacomo


---
Michael Kustaa Gindonis
+358 45 672 6606
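The workaround Giacomo describes (rewriting bindacqaddress and restarting chronyd whenever DHCP hands out a new address) can be automated from a DHCP exit hook or NetworkManager dispatcher script. The following is an added example, not code from chrony or from anyone in this thread; the interface name eth0, the config path /etc/chrony/chrony.conf and the sample `ip` output are assumptions, and it only restarts chronyd when the address actually changed.

```shell
#!/bin/sh
# Hypothetical hook script (not part of chrony): keep bindacqaddress in
# step with a DHCP-assigned address, restarting chronyd only on change.

# Constructed sample of `ip -4 -o addr show dev eth0` output, for testing.
SAMPLE_IP_OUTPUT='2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 86399sec preferred_lft 86399sec'

# Extract the first IPv4 address from `ip -4 -o addr show dev IFACE` output.
first_ipv4() {
    # Field 4 is "addr/prefix"; strip the prefix length.
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }'
}

# Rewrite (or append) the bindacqaddress line in CONF so it carries ADDR.
# Returns 0 when the file changed (caller should restart chronyd), 1 otherwise.
update_bindacq() {
    conf=$1; addr=$2
    [ -n "$addr" ] || return 1
    if grep -qxF "bindacqaddress $addr" "$conf"; then
        return 1            # already correct: nothing to restart
    fi
    tmp="$conf.tmp.$$"
    # Drop any stale bindacqaddress line(s), then add the new one.
    grep -v '^bindacqaddress ' "$conf" > "$tmp" || true
    printf 'bindacqaddress %s\n' "$addr" >> "$tmp"
    mv "$tmp" "$conf"
    return 0
}

# Hook entry point: read the live address; restart chronyd only if it changed.
sync_bindacq() {
    iface=$1; conf=${2:-/etc/chrony/chrony.conf}
    out=$(ip -4 -o addr show dev "$iface")
    if update_bindacq "$conf" "$(first_ipv4 "$out")"; then
        systemctl restart chronyd
    fi
}
```

Call `sync_bindacq eth0` from the hook; the iptables REJECT on tun0 above is still the simpler option when the goal is only to keep NTP off the VPN.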

   

