
[1.3.3->1.4.0-epa1 Migration] NTP "listen-address" config removed
Closed, Wontfix / Public / BUG

Description

On 1.3.3:-

set system ntp listen-address 'xxx.xxx.42.171'
set system ntp listen-address 'xxx.xxx.42.210'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld

and after migration to 1.4.0-epa1:-

set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld

The "listen-address" directives have been removed, when they should have been migrated. They do appear still to be configurable within 1.4.

Details

Version: 1.4.0-epa1
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav triaged this task as Normal priority. Mar 15 2024, 2:23 PM
Viacheslav subscribed.

Most likely won't fix
https://chrony-project.org/doc/3.4/chrony.conf.html

bindaddress 192.168.1.1

Currently, for each of the IPv4 and IPv6 protocols, only one bindaddress directive can be specified. Therefore, it is not useful on computers which should serve NTP on multiple network interfaces.

The issue is which to choose if there are multiple, thus removing all, chrony will listen on all interfaces.

As this is an upstream package limitation, it's a wontfix, sorry.

Given that Chrony only allows one bind address, versus ntpd which allows multiple, a "wontfix" sounds like the correct answer! :-)

Proper would be to throw out chrony and use ntpsec instead which supports proper filtering.

Another fix would be to by default have a default firewall where this filtering is applied if the broken chrony cannot filter this properly itself.

Something like this task: https://vyos.dev/T5509
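
An added example, not part of the task thread or of VyOS itself: a Python check that compares configuration dumps in the `set` format shown in the description, taken before and after the upgrade, and reports dropped `listen-address` entries and `allow-client` networks that admit any source. The sample dumps, addresses and server name are constructed placeholders; the path `service ntp listen-address` is assumed from the reporter's remark that the option is still configurable in 1.4.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample dumps modelled on the task description; addresses and
# the server name are placeholders from documentation ranges.
OLD_CONFIG = """\
set system ntp listen-address '192.0.2.171'
set system ntp listen-address '192.0.2.210'
set system ntp server ntp1.example.net
"""
NEW_CONFIG = """\
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server ntp1.example.net
"""

SET_LINE = re.compile(r"^set\s+(?P<path>.+?)\s+'?(?P<value>[^'\s]+)'?\s*$")

def values(config, path):
    """Return the value of every `set <path> <value>` line in a config dump."""
    matches = (SET_LINE.match(line.strip()) for line in config.splitlines())
    return [m.group("value") for m in matches if m and m.group("path") == path]

def audit_ntp_migration(old, new):
    """Compare pre- and post-migration dumps; return (finding, values) tuples."""
    findings = []
    old_listen = values(old, "system ntp listen-address")
    new_listen = values(new, "service ntp listen-address")
    dropped = [a for a in old_listen if a not in new_listen]
    if dropped:
        findings.append(("listen-address-dropped", dropped))
    # The chrony text quoted in the thread allows one bindaddress per family,
    # so several old addresses in one family cannot all be carried over.
    per_family = Counter(ipaddress.ip_address(a).version for a in old_listen)
    crowded = [f"IPv{v}" for v, n in sorted(per_family.items()) if n > 1]
    if crowded:
        findings.append(("multiple-listen-per-family", crowded))
    # A zero-length prefix means any client may query the service.
    open_nets = [n for n in values(new, "service ntp allow-client address")
                 if ipaddress.ip_network(n, strict=False).prefixlen == 0]
    if open_nets:
        findings.append(("allow-client-any", open_nets))
    return findings

if __name__ == "__main__":
    for name, detail in audit_ntp_migration(OLD_CONFIG, NEW_CONFIG):
        print(f"{name}: {', '.join(detail)}")
```

An empty result means every old listen address is still present and no `allow-client` entry is a catch-all network.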