Bug #9829

NTP Status vs. parsing NTP Access Restrictions

Added by Edgar Wiesmann 3 months ago. Updated 14 days ago.

Status: Resolved
Priority: Normal
Category: NTPD
Target version:
Start date: 10/16/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture: amd64

Description

Status/NTP displays "Statistics unavailable because ntpq and ntpdc queries are disabled in the NTP service settings" when noquery is set in an ACL which covers the web client's IP address, even when specific ACLs allow 127.0.0.1 and ::1.

To reproduce:
Start with pfSense synced to NTP peer(s) and the following NTP ACLs:

    restrict default kod limited nomodify noquery nopeer notrap
    restrict -6 default kod limited nomodify noquery nopeer notrap
    restrict source kod limited nomodify noquery notrap
    restrict 127.0.0.1 mask 255.0.0.0
    restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    restrict 192.168.10.0 mask 255.255.255.0 kod limited nomodify noquery notrap

Logged on to pfSense via SSH, "ntpq -4" and "ntpq -6" show correct values.
In the web GUI (from a host with IP 192.168.10.42), Status/NTP complains as above and doesn't display any peers...

After adding a new ACL as:

    restrict 192.168.10.42 mask 255.255.255.255 kod limited nomodify notrap

the web GUI also shows correct values.

After changing localhost ACLs to:

    restrict 127.0.0.1 mask 255.0.0.0 noquery
    restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff noquery

the web GUI complains about:
No peers found, is the ntp service running?

So why check the HTTP client's IP address against the ACLs in /usr/local/www/status_ntpd.php:

    if (!empty($config['ntpd']['restrictions']['row']) && is_array($config['ntpd']['restrictions']['row'])) {
            foreach ($config['ntpd']['restrictions']['row'] as $v) {
                    if (ip_in_subnet($_SERVER['REMOTE_ADDR'], "{$v['acl_network']}/{$v['mask']}")) {
                            $allow_query = !isset($v['noquery']);
                    }
            }
    }

and later query ntpd with the localhost address?

History

#1 Updated by Jim Pingle 3 months ago

  • Target version set to 2.5.0

The page checks for settings, and if 'noquery' is set, then it assumes the daemon will be unreachable. It could maybe be smarter about that, but we can't risk having it run into a situation where it gets stuck waiting on a response that will never come.

#2 Updated by Edgar Wiesmann 3 months ago

Dear Jim,

thanks for your reply, but I'm afraid I did not quite understand it...

If I check "Disable ntpq and ntpdc queries (noquery)." in Default ACLs, I have to explicitly allow localhost in a new ACL.
(if not: status page gives error message "No peers found, is the ntp service running?" after timeout...)
D'accord!

But why disallow an (already) authorized web GUI user because his origin IP is disallowed by a default/extra ACL (see the above extract of /usr/local/www/status_ntpd.php), and not check whether localhost is allowed to do queries?

IMHO /usr/local/www/status_ntpd.php should check whether localhost is allowed to query the NTP daemon, to avoid running into a timeout...

I hope I'm not annoying...
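
The following is an added worked example, not code from this ticket or from pfSense, that models the two gates discussed in the description and in comment #2: it parses the restrict lines quoted in the report using ntpd's documented most-specific-match semantics (the flags of the longest-mask entry that matches apply, not a union of all matches) and evaluates whether ntpq queries would be answered for the web client's address versus for 127.0.0.1 and ::1, the addresses the status page's ntpq actually uses. The three scenario strings are constructed from the ACLs in the report, and all function names are mine; "restrict source" is skipped because it is a template for per-association entries rather than a static entry.

```python
import ipaddress

# Constructed from the restrict lines quoted in the report (not a pfSense file).
ORIGINAL_ACLS = """\
restrict default kod limited nomodify noquery nopeer notrap
restrict -6 default kod limited nomodify noquery nopeer notrap
restrict source kod limited nomodify noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
restrict 192.168.10.0 mask 255.255.255.0 kod limited nomodify noquery notrap
"""

# Second scenario in the report: a host entry for the web client is added.
WITH_HOST_ROW = ORIGINAL_ACLS + (
    "restrict 192.168.10.42 mask 255.255.255.255 kod limited nomodify notrap\n")

# Third scenario: the localhost entries get noquery as well.
LOCALHOST_NOQUERY = WITH_HOST_ROW.replace(
    "restrict 127.0.0.1 mask 255.0.0.0\n",
    "restrict 127.0.0.1 mask 255.0.0.0 noquery\n",
).replace(
    "restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\n",
    "restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff noquery\n",
)


def _mask_to_prefixlen(mask):
    """Convert a dotted/colon netmask to a prefix length; reject non-contiguous masks."""
    m = ipaddress.ip_address(mask)
    bits = m.max_prefixlen
    ones = bin(int(m)).count("1")
    if int(m) != (((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1)):
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def parse_restrict(text):
    """Return a list of (network, flags) from ntp.conf 'restrict' lines.

    'default' becomes 0.0.0.0/0 or ::/0 (the -4/-6 switch only matters there);
    'restrict source' is a template for per-association entries, not a static
    entry, so it is skipped. Flags are treated as bare keywords (assumption).
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = 4
        if tokens[0] in ("-4", "-6"):
            family = int(tokens[0][1:])
            tokens = tokens[1:]
        if not tokens:
            continue
        target, tokens = tokens[0], tokens[1:]
        if target == "source":
            continue
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
        else:
            addr = ipaddress.ip_address(target)
            prefixlen = addr.max_prefixlen          # bare address = host entry
            if tokens and tokens[0] == "mask":
                prefixlen = _mask_to_prefixlen(tokens[1])
                tokens = tokens[2:]
            net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        entries.append((net, frozenset(tokens)))
    return entries


def effective_flags(entries, source):
    """ntpd applies the flags of the most specific matching entry only."""
    ip = ipaddress.ip_address(source)
    best = None
    for net, flags in entries:
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, flags)
    return best[1] if best else frozenset()


def query_allowed(entries, source):
    """True if ntpq/ntpdc queries from `source` would be answered by ntpd."""
    return not ({"noquery", "ignore"} & effective_flags(entries, source))


def page_gates(acl_text, remote_addr):
    """Compare the two gates discussed in the report for one ACL set.

    'remote' is what the quoted status_ntpd.php tests (the web client's
    REMOTE_ADDR); 'localhost_v4'/'localhost_v6' are what the report proposes,
    because the page's ntpq runs on the firewall and talks to ntpd locally.
    """
    entries = parse_restrict(acl_text)
    return {
        "remote": query_allowed(entries, remote_addr),
        "localhost_v4": query_allowed(entries, "127.0.0.1"),
        "localhost_v6": query_allowed(entries, "::1"),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACLS),
                       ("with host row", WITH_HOST_ROW),
                       ("localhost noquery", LOCALHOST_NOQUERY)):
        print(f"{name:>18}: {page_gates(text, '192.168.10.42')}")
```

The third scenario is the one that produces the timeout described in the report: the remote gate passes because of the /32 host row, but ntpd will not answer a query from 127.0.0.1 or ::1, so gating on localhost is what actually predicts whether ntpq will get a reply. One caveat worth keeping in mind when reading the quoted PHP: its loop lets the last matching row in configuration order win, whereas ntpd chooses the most specific matching entry, so the two can disagree when rows overlap and are not listed from least to most specific.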

#4 Updated by Jim Pingle 17 days ago

  • Status changed from New to Pull Request Review

#5 Updated by Renato Botelho 15 days ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version changed from 2.5.0 to 2.4.5
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#6 Updated by Viktor Gurov 14 days ago

  • Status changed from Feedback to Resolved

Renato Botelho wrote:

PR has been merged. Thanks!

works as expected on 2.4.5.a.20200107.1903
