author | hagbard <vyosdev@derith.de> | 2019-03-07 12:14:37 -0800 |
---|---|---|
committer | hagbard <vyosdev@derith.de> | 2019-03-07 12:14:37 -0800 |
commit | ad22cbd46f8036b59163cb88914a7a5e4c4dad4d (patch) | |
tree | 537c4b47deb7b10b0cbe56dc91a734b7cff71ce0 | |
parent | 5f7ff72ea44f3d5b53c8debf947e5c05f4a34aa8 (diff) | |
[ntp] T1280 - restrict option for servers, so they can query upstream
-rwxr-xr-x | src/conf_mode/ntp.py | 3 | ||||
-rw-r--r-- | src/tests/test_ntp.py | 75 |
2 files changed, 41 insertions, 37 deletions
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 37af02014..bdc8e574c 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -42,7 +42,6 @@ restrict default noquery nopeer notrap nomodify noquery notrust restrict 127.0.0.1 restrict -6 ::1 - # # Configurable section # @@ -51,6 +50,8 @@ restrict -6 ::1 {% for s in servers -%} # Server configuration for: {{ s.name }} server {{ s.name }} iburst {{ s.options | join(" ") }} +# allow server sync +restrict {{ s.name }} nomodify notrap {% endfor -%} {% endif %} diff --git a/src/tests/test_ntp.py b/src/tests/test_ntp.py index c1a7f768d..be47c0432 100644 --- a/src/tests/test_ntp.py +++ b/src/tests/test_ntp.py 
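Review bot: The added `restrict {{ s.name }} nomodify notrap` line in the server loop drops `noquery` and `nopeer` for every upstream host, although the time exchange itself should only need `notrust` lifted. Without `noquery`, each configured server address may send ntpq/ntpdc (mode 6/7) queries to this daemon, which the default rule earlier in the template deliberately refuses. Consider `restrict {{ s.name }} nomodify notrap noquery nopeer`, with the expected text in src/tests/test_ntp.py updated to match. Because `s.name` can be a hostname, the exception is presumably bound to whatever address it resolves to when ntpd reads the file, so a failed or changed lookup may leave that server under the `notrust` default; a template comment such as `# restrict is resolved once at ntpd start` would record this. The template string and the code that renders it begin and end outside the hunk.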
@@ -191,42 +191,45 @@ class TestNtp(TestCase): ] }, 'expected': textwrap.dedent(''' - ### Autogenerated by ntp.py ### - - # - # Non-configurable defaults - # - driftfile /var/lib/ntp/ntp.drift - # By default, only allow ntpd to query time sources, ignore any incoming requests - restrict default noquery nopeer notrap nomodify noquery notrust - # Local users have unrestricted access, allowing reconfiguration via ntpdc - restrict 127.0.0.1 - restrict -6 ::1 - - - # - # Configurable section - # - - # Server configuration for: 1.example.com - server 1.example.com iburst noselect preempt prefer - - # Server configuration for: 2.example.com - server 2.example.com iburst - - - - # Client configuration for network: 192.0.2.0/24 - restrict 192.0.2.1 mask 255.255.255.0 nomodify notrap nopeer - - # Client configuration for network: 198.51.100.0/24 - restrict 198.51.100.1 mask 255.255.255.0 nomodify notrap nopeer - - - - # NTP should listen on configured addresses only - interface ignore wildcard - interface listen 198.51.100.0/24 + ### Autogenerated by ntp.py ### + + # + # Non-configurable defaults + # + driftfile /var/lib/ntp/ntp.drift + # By default, only allow ntpd to query time sources, ignore any incoming requests + restrict default noquery nopeer notrap nomodify noquery notrust + # Local users have unrestricted access, allowing reconfiguration via ntpdc + restrict 127.0.0.1 + restrict -6 ::1 + + # + # Configurable section + # + + # Server configuration for: 1.example.com + server 1.example.com iburst noselect preempt prefer + # allow server sync + restrict 1.example.com nomodify notrap + + # Server configuration for: 2.example.com + server 2.example.com iburst + # allow server sync + restrict 2.example.com nomodify notrap + + + + # Client configuration for network: 192.0.2.0/24 + restrict 192.0.2.1 mask 255.255.255.0 nomodify notrap nopeer + + # Client configuration for network: 198.51.100.0/24 + restrict 198.51.100.1 mask 255.255.255.0 nomodify notrap nopeer + + + + # 
NTP should listen on configured addresses only + interface ignore wildcard + interface listen 198.51.100.0/24 '''), }, |