Tangle with -4 and -6

James Browning jamesb192 at jamesb192.com
Tue Sep 19 20:51:42 UTC 2023

> On 09/17/2023 at 10:36 PM PDT, Hal Murray wrote:
> -4 and -6 work on the server line in ntp.conf but are not documented

The closest I can see to an implementation is in ntpd/ntp_parser.y
lines 390-395. I infer this to mean that it sets the Address Family
of peer->srcaddr to a matching value. Which I could draft a document of.

> -4/ipv4 and -6/ipv6 "work" on the command line, but they don't do what the
> documentation says.  The man page says:
>            Force DNS resolution of following host names on the command line to
>            the IPv4 namespace.
> What they do is turn off setting up sockets for the other protocol.

I could write some code to do both and update the doc to reflect
that but not merge it.

> I'm not sure what the NTS server does if, say, the system doesn't support IPv6 
> when it tries to listen on an IPv6 address.

A couple of possible cases here: First, if a host truly doesn't support
IPv6, it will probably generate a failure at some point that gets
logged. OTOH a host that has disconnected IPv6 will probably set up a
peer entry that will persist unless something removes it.

> The network side sets up two flags: ipv4_works and ipv6_works
> The command line -4 and -6 flags turn off the other _works flag.

There are variables in ntpd.c for whether to try choosing a particular
AF or go with the default. After checking which AFs work, there is
the following code...

        if (ipv4_works && ipv6_works) {
                if (opt_ipv4)
                        ipv6_works = false;
                else if (opt_ipv6)
                        ipv4_works = false;
        } else if (!ipv4_works && !ipv6_works) {
                msyslog(LOG_ERR, "INIT: Neither IPv4 nor IPv6 networking detected, fatal.");
        } else if (opt_ipv4 && !ipv4_works)
                msyslog(LOG_WARNING, "INIT: -4/--ipv4 ignored, IPv4 networking not found.");
        else if (opt_ipv6 && !ipv6_works)
                msyslog(LOG_WARNING, "INIT: -6/--ipv6 ignored, IPv6 networking not found.");

Replace with something more like the following.

if (metal_af == AF_NONE) {
    msyslog(LOG_ALERT, "INIT: The Network does not work.");
} else if ((metal_af == argv_af) || (metal_af == AF_UNSPEC)) {
    sys_af = argv_af;
} else if (peer_af == AF_UNSPEC) {
    sys_af = metal_af;
} else {
    msyslog(LOG_WARNING, "INIT: Ignoring requested family %d", argv_af);
}

> I wrote the DNS code for both server/pool and NTS.  I don't remember how the 
> -4/-6 options work (and a quick look didn't refresh my memory).  I don't 
> remember ever checking the above flags or thinking about doing it.

It uses the AF of peer->srcaddr, AFAICT the command line doesn't
affect it even indirectly.

> Note that there are 2 DNS lookups on the NTS path, one for the NTS-KE server 
> and another if the server returns a name/address rather than using the default 
> of the same address as was used for the NTS-KE lookup.

I was going to try to write something relevant here, but I decided
not to.

> I'm pretty sure the command line processing doesn't do any DNS lookups.
> It roughly adds a server line, and does a DNS lookup with the constant-only 
> (no net traffic) flag so that slot won't get delayed behind a real DNS lookup 
> that is slow.
> ----------
> I think we should clean up this area.  That includes:

I would also suggest cleaning up libntp/{initnetwork,isc_net}.c to
remove isc_result as we only seem to care if we succeed and not the
why of failures.

> Making sure DNS lookups don't use an address for a disabled protocol.

A minor patch in ntp_dns.c may help with that.

/* Comparisons use ==; a single = would assign and always take the branch. */
if ((sys_af == AF_UNSPEC) || (sys_af == peer_af)) {
    hint.af = peer_af;
} else if (peer_af == AF_UNSPEC) {
    hint.af = sys_af;
} else {
    msyslog(LOG_WARNING, "DNS: Requested supported family %d", peer_af);
}

> Add enable/disable -4/ipv4 -6/ipv6 to ntp.conf
> Note that these will have a backwards meaning from the -4 on the command line.
>   -4 on the command line <=> disable -6
> Does this make sense?
> Am I missing anything?

A corner case and minor details, perhaps.

> This will take a lot of testing.

Ah, yes, the other reason why I can't get anything merged.

> We should move the command line code in config_peers that checks for a 
> numeric address to the main processing loop.

We should do it before the main loop starts; the
check is probably affordable.
static bool is_sane_resolved_address()
in ntp_cconfig.c is written for that.

It seems that -4 and -6 also apply to the interface commands in the
config file and via mode 6.
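
The family selection sketched for ntp_dns.c above, carried through to a numeric-only getaddrinfo() call, as an added example that is not part of the original message and is not NTPsec code. The function names lookup_family and resolve_numeric and the -1 return convention are assumptions; sys_af and peer_af follow the names used in the message.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* getaddrinfo() under strict -std= modes */
#endif
#include <netdb.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: choose the family a lookup is allowed to use.
 * sys_af:  family the daemon is restricted to (AF_UNSPEC = both enabled)
 * peer_af: family requested on the server line (AF_UNSPEC = no request)
 * Returns -1 (assumed convention) if the request names a disabled family. */
int lookup_family(int sys_af, int peer_af)
{
    if (sys_af == AF_UNSPEC || sys_af == peer_af)
        return peer_af;
    if (peer_af == AF_UNSPEC)
        return sys_af;
    return -1;
}

/* Numeric-only resolve: AI_NUMERICHOST means no DNS traffic is generated.
 * Succeeds only when the literal parses and its family is allowed. */
bool resolve_numeric(const char *host, int sys_af, int peer_af, int *out_af)
{
    struct addrinfo hints, *res = NULL;
    int af = lookup_family(sys_af, peer_af);

    if (af < 0)
        return false;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = af;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, "123", &hints, &res) != 0)
        return false; /* wrong family or not a numeric literal */
    *out_af = res->ai_family;
    freeaddrinfo(res);
    return true;
}

int main(void)
{
    int af = 0; /* constructed inputs: documentation addresses, IPv4-only daemon */
    printf("192.0.2.1:   %s\n", resolve_numeric("192.0.2.1", AF_INET, AF_UNSPEC, &af) ? "accepted" : "rejected");
    printf("2001:db8::1: %s\n", resolve_numeric("2001:db8::1", AF_INET, AF_UNSPEC, &af) ? "accepted" : "rejected");
    return 0;
}
```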
