Configuring the Network Time Protocol (NTP)

NTP address and mask facility

The address and mask configuration facility lets you add restrictions, or erect barriers, between your host and other time servers on the basis of the sender's IP address. A typical statement in the configuration file looks as follows:

   restrict IP_address mask IP_address_mask flag1 flag2 . . .

Each statement adds an entry to an internal list maintained by ntpd. Each entry in this list contains the list entry address (the IP address following restrict), the address mask, and the flags. The flags and their meanings are as follows:

ignore
   Indicates that all packets from hosts matching this entry will be ignored.

noquery
   Indicates that your host will not respond to mode 6 and 7 (control and monitoring) packets sent from hosts with a matching address.

nomodify
   Indicates that your host will not allow itself to be reconfigured by hosts with a matching address.

notrap
   Indicates that your host will not allow hosts with a matching address to register as a trap receiver.

lowpriotrap
   Indicates that your host will give hosts with a matching address a low priority for the use of traps.

noserve
   Indicates that your host will not give the time to hosts with a matching address.

nopeer
   Indicates that your host will not attempt to get time from any host with a matching address.

notrust
   Indicates that hosts matching this entry, while treated normally in other respects, should not be trusted for synchronization.

When ntpd receives a packet, it compares the address of the host that sent the packet (the source address) with each entry in the internal list. Whenever the following relation (expressed in C language syntax) is true, a match occurs.
   (source_address & address_mask) == (list_entry_address & address_mask)
In words, the source address and the address mask are logically ANDed together bitwise, the list entry address and the address mask are logically ANDed together bitwise, and the two results compared for equality. If the results are equal, a match has occurred. To establish default restrictions that apply to all hosts for which no match is found, include a statement like the following in the configuration file:
   restrict default flag1 flag2 . . .
If a particular source address matches more than one list entry, the entry with the most one bits in the address mask (the most specific entry) is taken to be the matched entry. Only the flags associated with that one entry are returned; the flags of the other matching entries are not combined with them.

Suppose that you are running ntpd on a host with IP address You would like to ensure that runtime reconfiguration requests can be made only from the local host. Further, you would like the host to synchronize with only one of a pair of offsite servers or, failing that, a time source on the class B network whose address is 10.0. The following entries in the configuration file would implement this policy:

   # By default, do not trust and do not allow modifications
   restrict default notrust nomodify

   # These hosts are trusted for time, but no modifications allowed
   restrict mask nomodify
   restrict nomodify
   restrict nomodify

   # These local addresses are unrestricted
   restrict
   restrict

The first entry is the default entry, which all hosts match and hence which provides the default set of flags. The next three entries indicate that matching hosts have only the nomodify flag set and hence are trusted for time. If the mask is not specified in the restrict statement, it defaults to a mask that selects only the single address given. Note that the host's own address matches three entries in the table: the default entry (whose mask matches every address), the entry for net 10.0 (whose mask covers the whole class B network), and the entry for the host itself (whose mask covers only that one address). As expected, the flags for the host are derived from the last entry, as that mask has the most bits set.

Each restrict statement applies to packets from all hosts, including those that are configured elsewhere in the configuration file (for example, with a server or peer statement). Hence, if you specify a default set of restrictions that you do not wish to apply to the hosts you are synchronizing with, you must override the default restrictions for those hosts with additional restrict statements. Otherwise a server you list will still be subject to the default flags, and a default of notrust means it will never be selected for synchronization.
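The following is an added example (not part of this manual page and not code from ntpd) that models the lookup described above: it parses restrict statements, applies the C relation (source_address & address_mask) == (list_entry_address & address_mask), and picks the matching entry with the most one bits in its mask. The sample configuration mirrors the policy in the example above, but the addresses in it are constructed for this illustration (the host is assumed to be 10.0.5.7 on the 10.0 class B network, and 192.0.2.10 and 198.51.100.20 stand in for the two offsite servers); how ntpd breaks a tie between two masks with the same number of one bits is not stated on this page, so the model simply keeps the first such entry. Note also that the policy never sets noquery, so every host, including untrusted ones, is still answered on mode 6 and 7 queries.

```python
"""Model of ntpd's restrict-list matching (added example, not ntpd's own code)."""
import ipaddress

# Assumption: an omitted mask means the entry applies to that single address only.
HOST_MASK = 0xFFFFFFFF


def _to_int(dotted):
    """Turn a dotted-quad IPv4 address into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_restrict(line):
    """Parse one 'restrict ADDR [mask MASK] flag ...' statement.

    Returns (address, mask, flags) as integers and a frozenset, or None for
    blank lines, comments and statements that are not restrict statements.
    """
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    if tokens[1] == "default":
        # 'restrict default' matches every address: mask 0 against address 0.
        addr, mask, flags = 0, 0, tokens[2:]
    elif len(tokens) >= 4 and tokens[2] == "mask":
        addr, mask, flags = _to_int(tokens[1]), _to_int(tokens[3]), tokens[4:]
    else:
        addr, mask, flags = _to_int(tokens[1]), HOST_MASK, tokens[2:]
    return addr, mask, frozenset(flags)


def build_list(conf_text):
    """Build the internal restrict list from the text of a configuration file."""
    entries = []
    for line in conf_text.splitlines():
        entry = parse_restrict(line.strip())
        if entry is not None:
            entries.append(entry)
    return entries


def lookup(entries, source_address):
    """Return the flags for a packet from source_address.

    Every entry for which (src & mask) == (addr & mask) matches; among the
    matches, the entry whose mask has the most one bits wins, and only its
    flags are returned. No match at all yields no flags.
    """
    src = _to_int(source_address)
    best = None
    for addr, mask, flags in entries:
        if (src & mask) == (addr & mask):
            if best is None or bin(mask).count("1") > bin(best[1]).count("1"):
                best = (addr, mask, flags)
    return set(best[2]) if best is not None else set()


def answers_queries(flags):
    """True if mode 6/7 control and monitoring queries would be answered."""
    return "ignore" not in flags and "noquery" not in flags


# Constructed sample policy following the example in the text; addresses are
# assumptions for this illustration, not values from the manual page.
SAMPLE_CONF = """
# By default, do not trust and do not allow modifications
restrict default notrust nomodify

# These hosts are trusted for time, but no modifications allowed
restrict 10.0.0.0 mask 255.255.0.0 nomodify
restrict 192.0.2.10 nomodify
restrict 198.51.100.20 nomodify

# These local addresses are unrestricted
restrict 127.0.0.1
restrict 10.0.5.7
"""

if __name__ == "__main__":
    table = build_list(SAMPLE_CONF)
    for who in ("10.0.5.7", "10.0.9.9", "192.0.2.10", "203.0.113.1"):
        flags = lookup(table, who)
        print(f"{who:15} flags={sorted(flags) or '(none)'} "
              f"answers mode 6/7 queries={answers_queries(flags)}")
```

Running the script shows the three-way match from the text: the host's own address 10.0.5.7 matches the default entry, the net 10.0 entry and its own host entry, and comes out with no flags because the host entry's mask has the most one bits; another 10.0 address gets only nomodify; an address matching nothing but the default gets notrust and nomodify. Because no entry carries noquery, answers_queries is true for all of them, which is the first thing to change if you do not want the world to be able to query this server.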

Next topic: NTP name resolution
Previous topic: NTP association modes

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003