Date: Tue, 20 Oct 2015 20:37:46 -0600 From: Ian Lepore <ian@freebsd.org> To: Dmitry Morozovsky <marck@rinet.ru>, freebsd-stable@FreeBSD.org Subject: Re: ntpd and router with a *lot* of addresses Message-ID: <1445395066.14963.6.camel@freebsd.org> In-Reply-To: <alpine.BSF.2.00.1510210140451.69767@woozle.rinet.ru> References: <alpine.BSF.2.00.1510210140451.69767@woozle.rinet.ru>
On Wed, 2015-10-21 at 01:47 +0300, Dmitry Morozovsky wrote:
> Dear colleagues,
>
> Yesterday we'd found/stepped on a bit of trouble: on some of our FreeBSD-based
> routers (hundreds of vlans, etc):
>
> Oct 20 22:12:46 <ntp.notice> gwn4 ntpd[86421]: ntpd 4.2.4p5-a (1)
> Oct 20 22:12:46 <ntp.err> gwn4 ntpd[86422]: Too many sockets in use, FD_SETSIZE 1024 exceeded
>
> Actually, the machine has to listen on 123 on just 2-3 interfaces (two upstream
> vlans and lo0), but googling leads me just to the -L option, which is not described
> in the manual page nor seems to work (I did not look at the sources yet
> though).
>
> Is there any way to restrict the interfaces on which ntpd is listening (modulo
> jail, which has another/orthogonal set of restrictions)?
>
> As usual -- thanks in advance! :)
>

The -L option is in the manpage. Looking at the code, the way ntp 4.2.4p5 decides whether an interface is virtual is by looking for a colon in the name (a comment in the 4.2.8 source uses "eth0:1" as an example).

An option that is not in the manpage but should work with 4.2.4p5 is to allow it to listen on only one interface with -I, such as "-I re0". But that doesn't help your needs much because it appears you can only list one interface in 4.2.4p5.

If you update to ntp 4.2.8 (the version in ports and standard now in FreeBSD 10.2 and later) you can use the -I option multiple times to make it listen on some exact set of interfaces.

-- Ian
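An added shell example, not from the thread and not ntp's own code, that models the two 4.2.4p5 behaviours Ian describes (the colon-in-name test for virtual interfaces, and a single usable -I) and builds the repeated -I list that 4.2.8 accepts. The interface names and counts are constructed, and the fd budget counts one socket per interface as a lower bound, so "exceeds" is conservative.

```shell
#!/bin/sh
# Constructed example: predicts whether an ntpd 4.2.4p5 on a many-vlan router
# would run past FD_SETSIZE, and builds -I arguments per ntp version.
FD_SETSIZE=1024   # value from the log line quoted in the thread

# True (0) if the 4.2.4p5 name heuristic would treat this name as a virtual
# alias and skip it; FreeBSD names like vlan100 or re0.100 have no colon.
is_virtual_iface() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Counts interfaces ntpd would try to bind, one name per line on stdin.
count_listen_ifaces() {
    n=0
    while IFS= read -r ifname; do
        [ -n "$ifname" ] || continue
        if is_virtual_iface "$ifname"; then continue; fi
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: two uplinks, lo0, one colon-style alias, 1100 vlans.
sample_ifaces() {
    printf '%s\n' re0 re1 lo0 eth0:1
    i=1
    while [ "$i" -le 1100 ]; do printf 'vlan%d\n' "$i"; i=$((i + 1)); done
}

# Prints "exceeds" if the sample would hit FD_SETSIZE without -I, else "ok".
fd_budget() {
    if [ "$(sample_ifaces | count_listen_ifaces)" -ge "$FD_SETSIZE" ]; then
        echo exceeds
    else
        echo ok
    fi
}

# Builds the -I arguments for the wanted interfaces. For a 4.2.4 release only
# the first is usable (as Ian reads the code), so the rest are dropped with a
# warning on stderr; later releases get one -I per interface.
ntpd_listen_args() {
    ver="$1"; shift
    args=""
    case "$ver" in
        4.2.4*) if [ $# -gt 1 ]; then echo "warning: $ver honours one -I, using $1" >&2; fi
                echo "-I $1" ;;
        *)      for i in "$@"; do args="$args -I $i"; done
                echo "${args# }" ;;
    esac
}
# After restarting ntpd, confirm what is bound with: sockstat -4 -6 -l -p 123
```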