From ad22cbd46f8036b59163cb88914a7a5e4c4dad4d Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 7 Mar 2019 12:14:37 -0800 Subject: [ntp] T1280 - restrict option for servers, so they can query upstream --- src/conf_mode/ntp.py | 3 ++- src/tests/test_ntp.py | 75 ++++++++++++++++++++++++++------------------------- 2 files changed, 41 insertions(+), 37 deletions(-) (limited to 'src') diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 37af02014..bdc8e574c 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -42,7 +42,6 @@ restrict default noquery nopeer notrap nomodify noquery notrust restrict 127.0.0.1 restrict -6 ::1 - # # Configurable section # @@ -51,6 +50,8 @@ restrict -6 ::1 {% for s in servers -%} # Server configuration for: {{ s.name }} server {{ s.name }} iburst {{ s.options | join(" ") }} +# allow server sync +restrict {{ s.name }} nomodify notrap {% endfor -%} {% endif %} diff --git a/src/tests/test_ntp.py b/src/tests/test_ntp.py index c1a7f768d..be47c0432 100644 --- a/src/tests/test_ntp.py +++ b/src/tests/test_ntp.py 
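Review bot: The added `restrict {{ s.name }} nomodify notrap` line in the server loop omits `noquery`, so every configured upstream address is exempted from the query ban set by `restrict default`. Because NTP runs over UDP, any packet spoofing such an address can also send ntpq/ntpdc (mode 6/7) queries to this daemon, which exposes status information and gives a reflection surface. `noquery` does not affect time service, so upstream sync should keep working with `restrict {{ s.name }} nomodify notrap noquery`. The client-network entries also carry `nopeer`, which is probably safe here too since explicitly configured `server` associations should not depend on it, but confirm that against the shipped ntpd. The expected output in src/tests/test_ntp.py would need the same flags, and the template continues outside this hunk.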
@@ -191,42 +191,45 @@ class TestNtp(TestCase): ] }, 'expected': textwrap.dedent(''' - ### Autogenerated by ntp.py ### - - # - # Non-configurable defaults - # - driftfile /var/lib/ntp/ntp.drift - # By default, only allow ntpd to query time sources, ignore any incoming requests - restrict default noquery nopeer notrap nomodify noquery notrust - # Local users have unrestricted access, allowing reconfiguration via ntpdc - restrict 127.0.0.1 - restrict -6 ::1 - - - # - # Configurable section - # - - # Server configuration for: 1.example.com - server 1.example.com iburst noselect preempt prefer - - # Server configuration for: 2.example.com - server 2.example.com iburst - - - - # Client configuration for network: 192.0.2.0/24 - restrict 192.0.2.1 mask 255.255.255.0 nomodify notrap nopeer - - # Client configuration for network: 198.51.100.0/24 - restrict 198.51.100.1 mask 255.255.255.0 nomodify notrap nopeer - - - - # NTP should listen on configured addresses only - interface ignore wildcard - interface listen 198.51.100.0/24 + ### Autogenerated by ntp.py ### + + # + # Non-configurable defaults + # + driftfile /var/lib/ntp/ntp.drift + # By default, only allow ntpd to query time sources, ignore any incoming requests + restrict default noquery nopeer notrap nomodify noquery notrust + # Local users have unrestricted access, allowing reconfiguration via ntpdc + restrict 127.0.0.1 + restrict -6 ::1 + + # + # Configurable section + # + + # Server configuration for: 1.example.com + server 1.example.com iburst noselect preempt prefer + # allow server sync + restrict 1.example.com nomodify notrap + + # Server configuration for: 2.example.com + server 2.example.com iburst + # allow server sync + restrict 2.example.com nomodify notrap + + + + # Client configuration for network: 192.0.2.0/24 + restrict 192.0.2.1 mask 255.255.255.0 nomodify notrap nopeer + + # Client configuration for network: 198.51.100.0/24 + restrict 198.51.100.1 mask 255.255.255.0 nomodify notrap nopeer + + + + # 
NTP should listen on configured addresses only + interface ignore wildcard + interface listen 198.51.100.0/24 '''), }, -- cgit v1.2.3