From ad22cbd46f8036b59163cb88914a7a5e4c4dad4d Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Thu, 7 Mar 2019 12:14:37 -0800
Subject: [ntp] T1280 - restrict option for servers, so they can query upstream

---
 src/conf_mode/ntp.py  |  3 ++-
 src/tests/test_ntp.py | 75 ++++++++++++++++++++++++++-------------------------
 2 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py
index 37af02014..bdc8e574c 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/ntp.py
@@ -42,7 +42,6 @@ restrict default noquery nopeer notrap nomodify noquery notrust
 restrict 127.0.0.1
 restrict -6 ::1
 
-
 #
 # Configurable section
 #
@@ -51,6 +50,8 @@ restrict -6 ::1
 {% for s in servers -%}
 # Server configuration for: {{ s.name }}
 server {{ s.name }} iburst {{ s.options | join(" ") }}
+# allow server sync
+restrict {{ s.name }} nomodify notrap
 
 {% endfor -%}
 {% endif %}
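Review bot: The added `restrict {{ s.name }} nomodify notrap` leaves out `noquery` and `nopeer`, so every configured upstream host may send ntpq/ntpdc queries to this daemon, although the default rule at the top of the template denies them to everyone else. Accepting time replies from the server does not need query access, so `restrict {{ s.name }} nomodify notrap nopeer noquery` would open only what the association needs. `s.name` can be a hostname, and ntpd presumably resolves it once when the file is loaded, so with round-robin DNS names the exception may not match the address the `server` line ends up using; this is worth confirming on a test system. The comment could give the reason rather than the effect, e.g. `# per-server exception to 'restrict default' so replies from this upstream are accepted`.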
diff --git a/src/tests/test_ntp.py b/src/tests/test_ntp.py
index c1a7f768d..be47c0432 100644
--- a/src/tests/test_ntp.py
+++ b/src/tests/test_ntp.py
@@ -191,42 +191,45 @@ class TestNtp(TestCase):
                     ]
                 },
                 'expected': textwrap.dedent('''
-                    ### Autogenerated by ntp.py ###
-
-                    #
-                    # Non-configurable defaults
-                    #
-                    driftfile /var/lib/ntp/ntp.drift
-                    # By default, only allow ntpd to query time sources, ignore any incoming requests
-                    restrict default noquery nopeer notrap nomodify noquery notrust
-                    # Local users have unrestricted access, allowing reconfiguration via ntpdc
-                    restrict 127.0.0.1
-                    restrict -6 ::1
-
-
-                    #
-                    # Configurable section
-                    #
-
-                    # Server configuration for: 1.example.com
-                    server 1.example.com iburst noselect preempt prefer
-
-                    # Server configuration for: 2.example.com
-                    server 2.example.com iburst 
-
-
-
-                    # Client configuration for network: 192.0.2.0/24
-                    restrict 192.0.2.1 mask 255.255.255.0 nomodify notrap nopeer
-                    
-                    # Client configuration for network: 198.51.100.0/24
-                    restrict 198.51.100.1 mask 255.255.255.0 nomodify notrap nopeer
-
-
-
-                    # NTP should listen on configured addresses only
-                    interface ignore wildcard
-                    interface listen 198.51.100.0/24
+			### Autogenerated by ntp.py ###
+			
+			#
+			# Non-configurable defaults
+			#
+			driftfile /var/lib/ntp/ntp.drift
+			# By default, only allow ntpd to query time sources, ignore any incoming requests
+			restrict default noquery nopeer notrap nomodify noquery notrust
+			# Local users have unrestricted access, allowing reconfiguration via ntpdc
+			restrict 127.0.0.1
+			restrict -6 ::1
+			
+			#
+			# Configurable section
+			#
+			
+			# Server configuration for: 1.example.com
+			server 1.example.com iburst noselect preempt prefer
+			# allow server sync
+			restrict 1.example.com nomodify notrap
+			
+			# Server configuration for: 2.example.com
+			server 2.example.com iburst 
+			# allow server sync
+			restrict 2.example.com nomodify notrap
+			
+			
+			
+			# Client configuration for network: 192.0.2.0/24
+			restrict 192.0.2.1 mask 255.255.255.0 nomodify notrap nopeer
+			
+			# Client configuration for network: 198.51.100.0/24
+			restrict 198.51.100.1 mask 255.255.255.0 nomodify notrap nopeer
+			
+			
+			
+			# NTP should listen on configured addresses only
+			interface ignore wildcard
+			interface listen 198.51.100.0/24
 
                 '''),
             },
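Review bot: The new expected text is indented with tabs while the surrounding lines of the test file use spaces. `textwrap.dedent` strips only a whitespace prefix common to all lines, so if an editor later re-indents one line with spaces, the tabs would stay in the expected string and the comparison would fail for a reason unrelated to the template. Keeping the original space indent would also reduce this hunk to the four added `# allow server sync` / `restrict … nomodify notrap` lines and the one dropped blank line, which makes a change to access rules much easier to review. The dict literal and the test method start and end outside the hunk.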
-- 
cgit v1.2.3