Project

General

Profile

Actions

Bug #9829

closed

NTP Status vs. parsing NTP Access Restrictions

Added by Edgar Wiesmann about 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Category:
NTPD
Target version:
Start date:
10/16/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4-p3
Affected Architecture:
amd64

Description

Status/NTP displays "Statistics unavailable because ntpq and ntpdc queries are disabled in the NTP service settings" when noquery is set in an ACL which covers web clients IP address even when specific ACLs allow 127.0.0.1 and ::1

To reproduce:
Start with pfSense synced to NTP peer(s) and the following NTP ACLs:

    restrict default kod limited nomodify noquery nopeer notrap
    restrict -6 default kod limited nomodify noquery nopeer notrap
    restrict source kod limited nomodify noquery notrap
    restrict 127.0.0.1 mask 255.0.0.0
    restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    restrict 192.168.10.0 mask 255.255.255.0 kod limited nomodify noquery notrap

loggedon to pfsense via ssh "ntpq -4" and "ntpq -6" show correct values
In the web GUI (from Host with IP 192.168.10.42 Status/NTP complains as above and doesn't display any peers...

After adding a new ACL as:

    restrict 192.168.10.42 mask 255.255.255.255 kod limited nomodify notrap

the web GUI also shows correct values.

After changing localhost ACLs to:

    restrict 127.0.0.1 mask 255.0.0.0 noquery
    restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff noquery

the web GUI complains about:
No peers found, is the ntp service running?

So why checking the http clients IP address against ACLs in /usr/local/www/status_ntpd.php:

    if (!empty($config['ntpd']['restrictions']['row']) && is_array($config['ntpd']['restrictions']['row'])) {
            foreach ($config['ntpd']['restrictions']['row'] as $v) {
                    if (ip_in_subnet($_SERVER['REMOTE_ADDR'], "{$v['acl_network']}/{$v['mask']}")) {
                            $allow_query = !isset($v['noquery']);
                    }
            }
    }

and later quering ntpd with localhost address?

Actions

Also available in: Atom PDF