The address and mask configuration facility
can be used to add various restrictions or to erect barriers
between your host and other time servers.
A typical statement in the configuration file looks as follows:
restrict IP_address mask IP_address_mask flag1 flag2 . . .
Each statement adds an entry to an internal list maintained by xntpd. Each entry in this list contains the list entry address (the IP address following restrict), the address mask, and the flags. See xntpd(1Mtcp) for a list of all of the flags and their meanings.
When xntpd receives a packet, it compares the address of the host that sent the packet (the source address) with each entry in the internal list. Whenever the following relation (expressed in C language syntax) is true, a match occurs.
(source_address & address_mask) == (list_entry_address & address_mask)
That is, the source address and the address mask are logically ANDed together bitwise, and the list entry address and the address mask are logically ANDed together bitwise. If the results are equal, a match has occurred. To establish default restrictions that apply to all hosts for which no match is found, include a statement such as the following in the configuration file:
restrict default flag1 flag2 . . .
If a particular source address matches more than one list entry, the entry with the most one bits in the address mask is taken to be the matched entry. If a match is found, flags associated with this entry are returned.
For example, suppose that you are running xntpd on a host with IP address 172.16.246.16. You would like to ensure that runtime reconfiguration requests can be made only from the local host. Further, you would like the host to synchronize with only one of a pair of offsite servers or, failing that, a time source on the class B network whose address is 172.16. The following entries in the configuration file would implement this policy:
# By default, do not trust and do not allow modifications
restrict default notrust nomodify
# These hosts are trusted for time, but no modifications allowed
restrict 172.16.0.0 mask 255.255.0.0 nomodify
restrict 128.115.14.97 nomodify
restrict 16.1.0.22 nomodify
# These local addresses are unrestricted
restrict 172.16.246.16
restrict 127.0.0.1
The first entry is the default entry, which all hosts match and which provides the default set of flags. The next three entries indicate that matching hosts have only the nomodify flag set and are trusted for time. If the mask is not specified in the restrict statement, it defaults to 255.255.255.255. Note that the address 172.16.246.16 matches three entries in the table: the default entry (mask 0.0.0.0), the entry for net 172.16 (mask 255.255.0.0), and the entry for the host itself (mask 255.255.255.255). As expected, the flags for the host are derived from the last entry, as that mask has the most bits set.
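As an added illustration (not part of this text and not xntpd's own code), the following Python models the matching rule described above: it parses restrict statements, applies the masked comparison, and selects the matching entry whose mask has the most one bits. The configuration it loads is the example above, so lookups for 172.16.246.16, a host on net 172.16, and an unrelated host reproduce the flags the text derives.

```python
def ip_to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def parse_restrict(line):
    """Parse one 'restrict ...' statement into (address, mask, flags)."""
    words = line.split()
    if len(words) < 2 or words[0] != "restrict":
        raise ValueError("not a restrict statement: " + line)
    if words[1] == "default":
        # The default entry matches every host (address 0.0.0.0, mask 0.0.0.0).
        return 0, 0, frozenset(words[2:])
    if len(words) >= 4 and words[2] == "mask":
        return ip_to_int(words[1]), ip_to_int(words[3]), frozenset(words[4:])
    # No mask given: it defaults to 255.255.255.255 (a single host).
    return ip_to_int(words[1]), 0xFFFFFFFF, frozenset(words[2:])

def load_config(text):
    """Collect the restrict entries from configuration text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("restrict"):
            entries.append(parse_restrict(line))
    return entries

def lookup_flags(entries, source):
    """Flags of the matching entry whose mask has the most one bits."""
    src = ip_to_int(source)
    best = None
    for address, mask, flags in entries:
        if (src & mask) == (address & mask):
            if best is None or bin(mask).count("1") > bin(best[1]).count("1"):
                best = (address, mask, flags)
    # Without a default entry an unmatched host gets no flags at all.
    return best[2] if best else frozenset()

# The configuration from the text above (same host and server addresses).
CONFIG = """restrict default notrust nomodify
restrict 172.16.0.0 mask 255.255.0.0 nomodify
restrict 128.115.14.97 nomodify
restrict 16.1.0.22 nomodify
restrict 172.16.246.16   # the local host itself
restrict 127.0.0.1
"""
ENTRIES = load_config(CONFIG)
```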
Each restrict statement applies to packets from all hosts, including those that are configured elsewhere in the configuration file. If you specify a default set of restrictions that you do not wish to apply to the hosts with which you are synchronizing, you must override the default restrictions for those hosts via additional restrict statements.
For more information about restrict statements or flags, see xntpd(1Mtcp).