[pkg-ntp-maintainers] Bug#455717: source address does not update on route change

martin f krafft madduck at debian.org
Tue Dec 11 12:08:03 UTC 2007


Package: ntp
Version: 1:4.2.4p4+dfsg-2
Severity: important

I just ran into the following situation: I started NTP before
OpenVPN and it set up a peer from the machine's public IP 1.2.3.4 to
the NTP server's IP, 9.8.7.6.

I then started OpenVPN, which added a route for 9.0.0.0/8 via the
VPN server, using 10.9.8.0/24 as the VPN network/mask.

Now I started seeing the following in the VPN server's logs:

  ovpn-foobar[12466]: foobar.madduck.net/1.2.3.4:36393 MULTI: bad
  source address from client [1.2.3.4], packet dropped

for every packet ntpd sends. The reason is simply that ntpd somehow
hardcodes 1.2.3.4 as the source address for packets, which it then
hands to the kernel for routing. In this case, the route changed,
and a new source address would have to be used (10.9.8.123), but
ntpd stubbornly continues to stamp outgoing packets with the source
address that was used at the time the process started. It really
should leave this up to the kernel.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ntp depends on:
ii  adduser                       3.105      add and remove users and groups
ii  libc6                         2.7-4      GNU C Library: Shared libraries
ii  libcap1                       1:1.10-14  support for getting/setting POSIX.
ii  libreadline5                  5.2-3      GNU readline and history libraries
ii  libssl0.9.8                   0.9.8g-3   SSL shared libraries
ii  lsb-base                      3.1-24     Linux Standard Base 3.1 init scrip
ii  netbase                       4.30       Basic TCP/IP networking system

Versions of packages ntp recommends:
ii  perl                          5.8.8-12   Larry Wall's Practical Extraction 

-- no debconf information


-- 
 .''`.   martin f. krafft <madduck at debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems