The address and mask configuration facility
adds various restrictions or erects barriers
between your host and other time servers.
A typical statement in the configuration file looks as follows:
restrict IP_address mask IP_address_mask flag1 flag2 . . .
Each statement adds an entry to an internal list maintained by ntpd. Each entry in this list contains the list entry address (the IP address following restrict), the address mask, and the flags. Below is a list of all of the flags and their meanings:
(source_address & address_mask) == (list_entry_address & address_mask)In words, the source address and the address mask are logically ANDed together bitwise, the list entry address and the address mask are logically ANDed together bitwise, and the two results compared for equality. If the results are equal, a match has occurred. To establish default restrictions that apply to all hosts for which no match is found, include a statement like the following in the configuration file:
restrict default flag1 flag2 . . .If a particular source address matches more than one list entry, the entry with the most one bits in the address mask is taken to be the matched entry. If a match is found, flags associated with this entry are returned.
Suppose that you are running ntpd on a host with IP address 10.0.246.16. You would like to ensure that runtime reconfiguration requests can be made only from the local host. Further, you would like the host to synchronize with only one of a pair of offsite servers or, failing that, a time source on the class B network whose address is 10.0. The following entries in the configuration file would implement this policy:
# By default, do not trust and do not allow modifications restrict default notrust nomodify
# These hosts are trusted for time, but no modifications allowed restrict 10.0.0.0 mask 255.255.0.0 nomodify restrict 18.104.22.168 nomodify restrict 22.214.171.124 nomodify
# These local addresses are unrestricted restrict 10.0.246.16 restrict 127.0.0.1
The first entry is the default entry, which all hosts match and hence which provides the default set of flags. The next three entries indicate that matching hosts have only the nomodify flag set and hence are trusted for time. If the mask is not specified in the restrict statement, it defaults to 255.255.255.255. Note that the address 10.0.246.16 matches three entries in the table, the default entry (mask 0.0.0.0), the entry for net 10.0 (mask 255.255.0.0), and the entry for the host itself (mask 255.255.255.255). As expected, the flags for the host are derived from the last entry, as that mask has the most bits set.
Each restrict statement applies to packets from all hosts, including those that are configured elsewhere in the configuration file. Hence, if you specify a default set of restrictions that you do not wish to apply to the hosts you are synchronizing with, you must override the default restrictions for those hosts with additional restrict statements.