Jason Rabel writes:
> I'm trying to tweak my ntp configuration so it will drop packets as
> appropriate instead of using my firewall & hashlimit... (For reference, I'm
> running the latest 4.2.8p12)
>
> Apparently the relevant commands (beyond setting limited & kod) are
> 'discard' and 'mru'.
'discard' controls the behavior around 'limited'. If you don't mess with the
'discard' values, then 'limited' will kick in if folks violate the default
limits.

'mru' controls stuff around MRU list stuff. Perhaps I don't understand what
you're trying to do, but 'mru' only affects the MRU list monitoring facility,
and doesn't affect NTP "responses".

> 'discard' has three settings: average, minimum, and monitor.
>
> Documentation is kind of conflicting over the first two settings, some say
> the defaults are 3 & 1, some say 3 & 2, others say 5 & 2... I haven't dug
> through the source yet to see what the true defaults are. Also the docs
> say the first is in log2s, but the other is just in seconds??? I'm
> assuming the second setting should also be log2s as *most* things in NTP
> are that way. However, it's the third setting (monitor) that has me
> scratching my head.

'discard average X minimum Y monitor Z' is described in accopt.html. If you
think any of that stuff is unclear, please speak up.

Currently:

X is log2 seconds, with a default of 3 (for 8 seconds). This is the minimum
average interpacket spacing.

Y is seconds, with a default of 2 (seconds). This is the minimum interpacket
spacing.

Z is the probability of being recorded for packets that overflow the MRU list
size limit. This shouldn't be an issue unless you are receiving more than 1000
packets per second.

I'm saying the above based on reading the documentation. I haven't looked at
the relevant code fragments in years.

> The doc for 'monitor' merely says, "specifies the discard probability for
> packets once the permitted rate limits have been exceeded. The default
> value is 3000 seconds. This option is intended for servers that receive
> 1000 or more requests per second."
>
> I don't understand what it means by "discard probability" while also
> mentioning "3000 seconds"... Probability to me would mean setting some sort
> of percentage... I'm not sure how the time value of 50 minutes relates????
While I haven't dug, I believe this means the value is the % chance that the
packet will be discarded instead of recorded when deciding what goes into the
MRU list.

Again, unless you have high traffic volume, this won't be an issue. If you
*do* have high traffic volume, you have knobs you can adjust to alter the
default MRU list size, and you can also decide the % that a packet will be
added to the MRU list.

> The 'mru' command docs are pretty clear, no issues with any of those
> settings.
>
> While on the subject, I've also noticed some documentation mentioning the
> 'limited' command in relation to grouping requests by subnets?
>
> "These hosts are subject to limitation of number of clients from the same
> net. Net in this context refers to the IP notion of net (class A, class B,
> class C, etc.). Only the first client_limit hosts that have shown up at the
> server and that have been active during the last client_limit_period
> seconds are accepted. Requests from other clients from the same net are
> rejected. Only time request packets are taken into account. Query packets
> sent by the ntpq and ntpdc programs are not subject to these limits. A
> history of clients is kept using the monitoring capability of ntpd. Thus,
> monitoring is always active as long as there is a restriction entry with
> the limited flag."

Where are you seeing the above documentation?

> I've searched and searched and can't really find any further discussion
> about this. I'm assuming if you did a 'restrict address mask ...' then it
> would limit based on the mask... But what about the default restrict line?
> In that instance I would assume rate limiting is based on individual IP? Is
> there a way to set a 'default' with limiting grouped by say class C subnets?

-- 
Harlan Stenn <[email protected]>
http://networktimefoundation.org - be a member!
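As an added illustration of the 'discard average X minimum Y' semantics discussed in this thread (this is example code written for this page, not code from the thread or from the NTP project), the following Python models the per-client headway check that ntpd applies to sources covered by 'restrict ... limited': X is the log2-seconds headway charged for each accepted packet, Y is a hard floor in seconds between two packets from the same source, and a source may run ahead of its average headway by a fixed burst allowance before packets are marked limited. The burst constant (NTP_SHIFT = 8), the whole-second rounding of the inter-arrival interval and the charge/drain arithmetic are my reading of ntpd's ntp_monitor.c and should be treated as assumptions to check against the source; the 'monitor' probability only matters once the MRU list is full and is not modelled.

```python
"""Toy model of ntpd's per-client rate check (the one behind
'restrict ... limited').  Constructed example; the arithmetic mirrors
my reading of ntp_monitor.c and is an assumption, not NTP project code.

ntp.conf knobs this models:
    discard average 3 minimum 2     # defaults: 2**3 = 8 s headway, 2 s floor
    restrict default kod limited nomodify noquery
"""
from dataclasses import dataclass
from typing import List, Optional

NTP_SHIFT = 8  # assumption: burst allowance, in multiples of the average headway


@dataclass
class ClientState:
    """Per-source state kept in the MRU entry (only the parts that matter here)."""
    last: Optional[float] = None  # arrival time of the previous packet, seconds
    leak: int = 0                 # charged headway not yet drained by elapsed time
    count: int = 0                # packets seen from this source


def check_packet(state: ClientState, now: float,
                 average: int = 3, minimum: int = 2) -> bool:
    """Record a packet arriving at 'now' and return True if it is within limits.

    average: 'discard average', log2 seconds a client may send on average
             (default 3 -> one packet per 8 s).
    minimum: 'discard minimum', hard floor in seconds between two packets
             (default 2).
    A False result is what ntpd turns into silence, or into a KoD 'RATE'
    reply when the restrict line also carries 'kod'.
    """
    state.count += 1
    if state.last is None:
        # Brand-new source: the MRU entry is created and this packet is accepted.
        state.last = now
        return True

    # Inter-arrival interval rounded to whole seconds (add 0.5, truncate).
    interval = int(now - state.last + 0.5)
    state.last = now

    # Drain the headway counter by the time that has elapsed, never below zero.
    state.leak = max(0, state.leak - interval)

    head = 1 << average          # seconds of headway charged per accepted packet
    limit = NTP_SHIFT * head     # how far ahead of the average a burst may run
    leak = state.leak + head

    if interval >= minimum and leak < limit:
        state.leak = leak        # accepted: charge this packet's headway
        return True
    return False                 # limited: headway is not charged for rejected packets


def simulate(spacing: float, packets: int,
             average: int = 3, minimum: int = 2) -> List[bool]:
    """Send 'packets' packets from one source 'spacing' seconds apart; return verdicts."""
    state = ClientState()
    return [check_packet(state, k * spacing, average, minimum) for k in range(packets)]


if __name__ == "__main__":
    # A well-behaved client polling every 64 s is never limited.
    print("poll 64s:  ", simulate(64, 10))
    # Half-second bursts trip the 2 s minimum immediately.
    print("burst 0.5s:", simulate(0.5, 4))
    # 3 s spacing clears the minimum but not the 8 s average: once the burst
    # allowance is used up, roughly one packet in three gets through.
    verdicts = simulate(3, 20)
    print("every 3s:  ", verdicts, "accepted", sum(verdicts), "of", len(verdicts))
```

The third scenario is the one worth understanding before replacing a firewall rule with 'limited': a source that respects the 2 s minimum but polls faster than the average headway is not dropped outright, it is let through in bursts and then thinned to roughly the configured average, so 'average' is the knob that sets the steady-state rate and 'minimum' only stops tight bursts.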
