On Wed, 2015-10-21 at 01:47 +0300, Dmitry Morozovsky wrote:
> Dear colleagues,
>
> Yesterday we'd found/stepped on a bit of trouble on some of our
> FreeBSD-based routers (hundreds of vlans, etc):
>
> Oct 20 22:12:46 <ntp.notice> gwn4 ntpd[86421]: ntpd 4.2.4p5-a (1)
> Oct 20 22:12:46 <ntp.err> gwn4 ntpd[86422]: Too many sockets in use,
> FD_SETSIZE 1024 exceeded
>
> Actually, the machine has to listen on 123 on just 2-3 interfaces (two
> upstream vlans and lo0), but googling leads me just to the -L option, which
> is not described in the manual page nor seems to work (I did not look at
> the sources yet though).
>
> Is there any way to restrict the interfaces on which ntpd is listening
> (modulo jail, which has another/orthogonal set of restrictions)?
>
> As usual -- thanks in advance! :)
>

The -L option is in the manpage. Looking at the code, the way ntp
4.2.4p5 decides whether an interface is virtual is by looking for a
colon in the name (a comment in the 4.2.8 source uses "eth0:1" as an
example).

An option that is not in the manpage but should work with 4.2.4p5 is to
allow it to listen on only one interface with -I, such as "-I re0".
But that doesn't help your needs much because it appears you can only
list one interface in 4.2.4p5.

If you update to ntp 4.2.8 (the version in ports and standard now in
FreeBSD 10.2 and later) you can use the -I option multiple times to
make it listen on some exact set of interfaces.

-- Ian
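Whichever flag is used, the thing worth checking afterwards is which local addresses ntpd actually ended up bound to on UDP 123. The script below is an added example, not code from either message: it parses FreeBSD `sockstat -4 -l -p 123` output and lists every ntpd listener that is not in an allow-list (the wildcard `*` is always reported). The sockstat lines and the addresses in the allow-list are constructed sample data; on a real router, pipe the live command output in instead.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -l -p 123` output (FreeBSD format),
# embedded so the check runs offline. Addresses are from documentation
# ranges and are not real router addresses.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       86421 20 udp4   *:123                 *:*
root     ntpd       86421 21 udp4   127.0.0.1:123         *:*
root     ntpd       86421 22 udp4   192.0.2.1:123         *:*
root     ntpd       86421 23 udp4   198.51.100.1:123      *:*
root     ntpd       86421 24 udp4   10.99.7.1:123         *:*'

# Assumed allow-list: lo0 plus the two upstream vlan addresses.
ALLOWED="127.0.0.1 192.0.2.1 198.51.100.1"

# ntpd_unexpected_listeners ALLOWED
#   Reads sockstat-format lines on stdin and prints every local address
#   that an ntpd UDP socket is bound to but which is not in ALLOWED.
#   The port suffix is stripped before comparison, so "*:123" is reported
#   as "*". Exit status: 0 if nothing unexpected was found, 1 otherwise.
ntpd_unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # fields: USER COMMAND PID FD PROTO LOCAL FOREIGN
        $2 == "ntpd" && $5 ~ /^udp/ {
            addr = $6; sub(/:[0-9]+$/, "", addr)
            if (!(addr in ok)) { print addr; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# count_unexpected: number of unexpected listeners in the sample data.
# With the sample above this is 2 (the "*" wildcard and 10.99.7.1).
count_unexpected() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | ntpd_unexpected_listeners "$ALLOWED" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SOCKSTAT" | ntpd_unexpected_listeners "$ALLOWED"
```

A wildcard `*:123` line means the interface restriction did not take effect and ntpd will still open a socket per address, which is exactly what drives the FD_SETSIZE error on a box with hundreds of vlans.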