[Git][NTPsec/ntpsec][master] 2 commits: Remove documentation references to multicast client and server operation.
Eric S. Raymond
gitlab at mg.gitlab.com
Fri Dec 9 22:17:03 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
e86e0e7e by Eric S. Raymond at 2016-12-09T17:16:38-05:00
Remove documentation references to multicast client and server operation.
- - - - -
76528189 by Eric S. Raymond at 2016-12-09T17:16:38-05:00
Removal of broadcast client and multicast modes.
- - - - -
21 changed files:
- docs/assoc.txt
- docs/authentic.txt
- docs/confopt.txt
- docs/decode.txt
- docs/discover.txt
- docs/includes/assoc-auxcommands.txt
- docs/includes/assoc-commands.txt
- docs/includes/assoc-options.txt
- docs/includes/ntpq-body.txt
- docs/index.txt
- docs/mode6.txt
- include/ntp_config.h
- include/ntpd.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_io.c
- ntpd/ntp_parser.y
- ntpd/ntp_peer.c
- ntpd/ntp_proto.c
- − wafhelpers/check_multicast.py
- wafhelpers/configure.py
Changes:
=====================================
docs/assoc.txt
=====================================
--- a/docs/assoc.txt
+++ b/docs/assoc.txt
@@ -39,12 +39,12 @@ discovery packet. They are are demobilized by timeout or when preempted
by a "better" server, as described on the link:discover.html[Automatic
Server Discovery Schemes] page.
-There are three principal modes of operation in NTP: client/server,
-symmetric active/passive and broadcast/multicast. There are three
-automatic server discovery schemes in NTP: broadcast/multicast, manycast
-and pool described on the link:discover.html[Automatic Server Discovery
-Schemes] page. In addition, the link:#burst[burst options] and
-link:orphan.html[orphan mode] can be used in appropriate cases.
+There are two principal modes of operation in NTP: client/server and
+broadcast. There are three automatic server discovery schemes in NTP:
+broadcast and pool described on the link:discover.html[Automatic
+Server Discovery Schemes] page. In addition, the link:#burst[burst
+options] and link:orphan.html[orphan mode] can be used in appropriate
+cases.
Following is a summary of the operations in each mode. Note that
reference to option applies to the commands described on the
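Review bot: the rewritten paragraph says "There are three automatic server discovery schemes in NTP: broadcast and pool" but lists only two, so either the count should read "two" or manycast should stay in the list. The second hunk of this same file keeps the "== Manycast and Pool Modes ==" heading and ntpq-body.txt still documents a "manycast client" type, so the intent is unclear; if manycast is going, suggest "There are two automatic server discovery schemes in NTP: broadcast and pool, described on the ...".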
@@ -117,17 +117,14 @@ NTPsec. Client-mode support has been removed; server-side support
is retained for backward compatibility but may be removed in a
future release.
-NTP broadcast and multicast modes are intended for configurations
+NTP broadcast modes are intended for configurations
involving one or a few servers and a possibly very large client
population. Broadcast mode can be used with Ethernet, FDDI and WiFi
spans interconnected by hubs or switches. Ordinarily, broadcast packets
-do not extend beyond a level-3 router. Where service is intended beyond
-a level-3 router, multicast mode can be used. Additional information is
-on the link:discover.html[Automatic NTP Configuration Options] page.
+do not extend beyond a level-3 router.
-A server is configured to send broadcast or multicast messages using
-the +broadcast+ command and specifying the subnet address for
-broadcast or the multicast group address for multicast.
+A server is configured to send broadcast messages using the
++broadcast+ command and specifying the subnet address for broadcast.
[[many]]
== Manycast and Pool Modes ==
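Review bot: "NTP broadcast modes are intended" is plural for what is now a single mode; "NTP broadcast mode is intended" reads correctly. The deletion also drops the cross-reference sentence ("Additional information is on the link:discover.html[...] page") even though discover.html still carries the broadcast-server details (interval, ttl) in this same push; consider keeping that pointer on the remaining line.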
=====================================
docs/authentic.txt
=====================================
--- a/docs/authentic.txt
+++ b/docs/authentic.txt
@@ -56,23 +56,6 @@ message digest. If the packet has been modified in any way or replayed
by an intruder, it will fail one or more of these checks and be
discarded.
-The +auth+ flag controls whether new associations or remote
-configuration commands require cryptographic authentication. This flag
-can be set or reset by the +enable+ and +disable+ commands and also by
-remote configuration commands sent by a {ntpqman} program running in
-another machine. If this flag is enabled, which is the default case,
-new broadcast client and symmetric passive associations and remote
-configuration commands must be cryptographically authenticated. If
-this flag is disabled, these operations are effective even if not
-cryptographic authenticated. It should be understood that operating
-with the +auth+ flag disabled invites a significant vulnerability
-where a cracker can masquerade as a falseticker and seriously disrupt
-system timekeeping. It is important to note that this flag has no
-purpose other than to allow or disallow a new association in response
-to new broadcast and symmetric active messages and remote
-configuration commands and, in particular, the flag has no effect on
-the authentication process itself.
-
The security model and protocol schemes for symmetric key
are summarized below.
@@ -195,12 +178,7 @@ various authentication schemes.
By default, the client sends non-authenticated packets and the server
responds with non-authenticated packets. If the client sends
authenticated packets, the server responds with authenticated packets if
-correct, or a crypto-NAK packet if not. In the case of unsolicited
-packets which might consume significant resources, such as broadcast or
-symmetric mode packets, authentication is required, unless overridden
-by a +disable auth+ command. In the current climate of targeted
-broadcast or "letterbomb" attacks, defeating this requirement would be
-decidedly dangerous. In any case, the +notrust +flag, described on the
+correct, or a crypto-NAK packet if not. The +notrust +flag, described on the
link:authopt.html[Access Control Options] page, can be used to disable
access to all but correctly authenticated clients.
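Review bot: the rewritten line carries over the mis-placed markup "+notrust +flag"; the closing plus belongs on the word, "+notrust+ flag". Since this line is being touched anyway, fix it here.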
=====================================
docs/confopt.txt
=====================================
--- a/docs/confopt.txt
+++ b/docs/confopt.txt
@@ -33,11 +33,8 @@ various related operations.
The various modes described on the link:assoc.html[Association
Management] page are determined by the command keyword and the DNS
name or IP address. Addresses are classed by type as (s) a remote
-server or peer (IPv4 class A, B and C or IPv6), (b) the IPv4 broadcast
-address of a local interface, or (m) a multicast address (IPv4 class D
-or IPv6). For multicast addresses the IANA has assigned the multicast
-group address IPv4 224.0.1.1 and IPv6 ff05::101 (site local)
-exclusively to NTP, but other nonconflicting addresses can be used.
+server or peer (IPv4 class A, B and C or IPv6), or (b) the IPv4 broadcast
+address of a local interface.
If the Basic Socket Interface Extensions for IPv6 (RFC 2553) is
detected, support for the IPv6 address family is generated in addition
@@ -70,8 +67,8 @@ include::includes/assoc-options.txt[]
[[aux]]
== Auxiliary Commands ==
-Information on authentication for broadcast, manycast, and
-multicast options can be found at link:authopt.html[Authentication Options].
+Information on authentication for broadcast options can be found at
+link:authopt.html[Authentication Options].
include::includes/assoc-auxcommands.txt[]
=====================================
docs/decode.txt
=====================================
--- a/docs/decode.txt
+++ b/docs/decode.txt
@@ -265,7 +265,6 @@ identifier field in +ntpq+ billboards. Following is the current list:
| +BCST+ | broadcast server
| +DENY+ | access denied by server
| +INIT+ | association initialized
-| +MCST+ | multicast server
| +RATE+ | rate exceeded
| +TIME+ | association timeout
| +STEP+ | step time change
=====================================
docs/discover.txt
=====================================
--- a/docs/discover.txt
+++ b/docs/discover.txt
@@ -26,12 +26,11 @@ include::includes/hand.txt[]
== Introduction ==
This page describes the automatic server discovery schemes provided in
-NTPv4. There are three automatic server discovery schemes:
-broadcast/multicast, manycast, and server pool, which are described on
-this page. The broadcast/multicast and many cast schemes utilize the
-ubiquitous broadcast or one-to-many paradigm native to IPv4 and IPv6.
-The server pool scheme uses DNS to resolve addresses of multiple
-volunteer servers scattered throughout the world.
+NTPv4. There are two automatic server discovery schemes: broadcast and
+server pool, which are described on this page. The broadcast scheme
+utilizes the ubiquitous broadcast or one-to-many paradigm native to
+IPv4 and IPv6. The server pool scheme uses DNS to resolve addresses
+of multiple volunteer servers scattered throughout the world.
All three schemes work in much the same way and might be described as
_grab-n'-prune._ Through one means or another they grab a number of
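Review bot: the new introduction says "There are two automatic server discovery schemes" while the unchanged paragraph directly below still opens "All three schemes work in much the same way"; change that to "Both schemes" (or keep manycast in the list, since the next hunk of this file still describes "preemptable (manycast, pool)" associations).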
@@ -63,7 +62,7 @@ on the link:authentic.html[Authentication Support] page.
The pruning process uses a set of unreach counters, one for each
association created by the configuration or discovery processes. At each
poll interval, the counter is increased by one. If an acceptable packet
-arrives for a persistent (configured) or ephemeral (broadcast/multicast)
+arrives for a persistent (configured) or ephemeral (broadcast)
association, the counter is set to zero. If an acceptable packet arrives
for a preemptable (manycast, pool) association and survives the
selection and clustering algorithms, the counter is set to zero. If the
@@ -87,8 +86,8 @@ Options] page. See that page for applicability and defaults.
The broadcast/multicast scheme is deprecated in NTPsec due to
irreparable security flaws. Client-side support has been removed.
-Server-side support remains present but may be removed in a future
-version, and its use is strongly discouraged.
+Server-side support for broadcast only remains present but may be
+removed in a future version, and its use is strongly discouraged.
A broadcast server generates messages continuously at intervals by
default 64 s and time-to-live by default 127. These defaults can be
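Review bot: "Server-side support for broadcast only remains present but may be removed" is ambiguous, as "only" can attach to "remains present"; suggest "Server-side support remains present for broadcast only, but may be removed in a future version, and its use is strongly discouraged."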
@@ -115,23 +114,6 @@ more local interfaces are installed with different broadcast addresses,
a +broadcast+ command is needed for each address. This provides a way to
limit exposure in a firewall, for example.
-NTP multicast mode can be used to extend the scope using IPv4 multicast
-or IPv6 broadcast with defined span. The IANA has assigned IPv4
-multicast address 224.0.1.1 and IPv6 address FF05::101 (site local) to
-NTP, but these addresses should be used only where the multicast span
-can be reliably constrained to protect neighbor networks. In general,
-administratively scoped IPv4 group addresses should be used, as
-described in RFC 2365, or GLOP group addresses, as described in
-RFC 2770.
-
-A multicast server is configured using the +broadcast+ command, but
-specifying a multicast address instead of a broadcast address. Note
-that there is a subtle distinction between the IPv4 and IPv6 address
-families. The IPv4 broadcast or multicast mode is determined by the
-IPv4 class. For IPv6 the same distinction can be made using the
-link-local prefix FF02 for each interface and site-local prefix FF05
-for all interfaces.
-
NTPsec permits the use of symmetric authentication with broadcast mode
the same way as any other mode; however, it is not effective at
providing security because the sessionless, one-way nature of the
=====================================
docs/includes/assoc-auxcommands.txt
=====================================
--- a/docs/includes/assoc-auxcommands.txt
+++ b/docs/includes/assoc-auxcommands.txt
@@ -1,15 +1,5 @@
// Auxiliary association commands - included twice
-+manycastserver+ _address..._::
- This command enables reception of manycast client messages to the
- multicast group address(es) (type m) specified. At least one address
- is required, but the NTP multicast address 224.0.1.1 assigned by the
- IANA should NOT be used, unless specific means are taken to limit the
- span of the reply and avoid a possibly massive implosion at the
- original sender. Note that, in order to avoid accidental or malicious
- disruption in this mode, both the server and client should operate
- using authentication as described on the "Authentication Options" page.
-
+mdnstries+ _number_::
If we are participating in mDNS, after we have synched for the first
time we attempt to register with the mDNS system. If that registration
=====================================
docs/includes/assoc-commands.txt
=====================================
--- a/docs/includes/assoc-commands.txt
+++ b/docs/includes/assoc-commands.txt
@@ -46,19 +46,12 @@ link-local IPV6 address with an interface specified in
associations cannot be secured. Broadcast-client mode has been
completely removed.
+
-For broadcast and multicast addresses (only), this command mobilizes
-a persistent broadcast mode association. Multiple commands can be
-used to specify multiple local broadcast interfaces (subnets) and/or
-multiple multicast groups. Note that local broadcast messages go
-only to the interface associated with the subnet specified, but
-multicast messages go to all interfaces. In broadcast mode the local
-server sends periodic broadcast messages to a client population at
-the _address_ specified, which is usually the broadcast address on
-(one of) the local network(s) or a multicast address assigned to
-NTP. The IANA has assigned the multicast group address IPv4
-224.0.1.1 and IPv6 ff05::101 (site local) exclusively to NTP, but
-other nonconflicting addresses can be used to contain the messages
-within administrative boundaries.
+For broadcast addresses (only), this command mobilizes a persistent
+broadcast mode association. Multiple commands can be used to specify
+multiple local broadcast interfaces (subnets) In broadcast mode the
+local server sends periodic broadcast messages to a client population
+at the _address_ specified, which is usually the broadcast address on
+(one of) the local network(s).
[[unpeer]]
+unpeer+::
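Review bot: the added text runs two sentences together: "multiple local broadcast interfaces (subnets) In broadcast mode the" needs a full stop after "(subnets)". The hunk also inserts an extra empty line (the lone "+" after "completely removed."), which leaves two blank lines between the paragraphs.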
=====================================
docs/includes/assoc-options.txt
=====================================
--- a/docs/includes/assoc-options.txt
+++ b/docs/includes/assoc-options.txt
@@ -57,8 +57,8 @@
+ttl+ _ttl_::
This option is used only with broadcast server mode. It specifies
- the time-to-live _ttl_ to use on broadcast server and multicast
- server and the maximum _ttl_ for the expanding ring search with
+ the time-to-live _ttl_ to use on broadcast server
+ and the maximum _ttl_ for the expanding ring search with
manycast client packets. Selection of the proper value, which
defaults to 127, is something of a black art and should be
coordinated with the network administrator.
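Review bot: the retained text is now self-contradictory: the option "is used only with broadcast server mode" yet also sets "the maximum _ttl_ for the expanding ring search with manycast client packets". If manycast client remains, drop the "only"; if it does not, drop the expanding-ring clause. The new line break after "broadcast server" also strands "and the maximum" on its own line; reflow the sentence.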
=====================================
docs/includes/ntpq-body.txt
=====================================
--- a/docs/includes/ntpq-body.txt
+++ b/docs/includes/ntpq-body.txt
@@ -346,8 +346,7 @@ of the link:decode.html#peer[peer status word]
|+st+ |stratum
|+t+ |
+u+: unicast or manycast client,
-+l+: local (reference clock), +s+: symmetric (peer), +A+: manycast
-server, +B+: broadcast server, +M+: multicast server
++l+: local (reference clock), +s+: symmetric (peer), server, +B+: broadcast server,
|+when+ |sec/min/hr since last received packet
|+poll+ |poll interval (log~2~ s)
|+reach+ |reach shift register (octal)
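Review bot: the replacement line is broken: "+s+: symmetric (peer), server, +B+: broadcast server," leaves an orphaned "server," from the deleted "+A+: manycast server" entry and ends in a trailing comma. It should read "+l+: local (reference clock), +s+: symmetric (peer), +B+: broadcast server". Note that "+u+: unicast or manycast client" on the line above is kept, so the manycast-client type is still documented here.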
=====================================
docs/index.txt
=====================================
--- a/docs/index.txt
+++ b/docs/index.txt
@@ -95,9 +95,12 @@ few will be user-visible.
just an alias for keyword server. Incoming peer packets are ignored.
* Broadcast- and multicast client modes, which are impossible to
- secure, has been removed. Broadcast and multicast service can still
- be enabled, though this is a deprecated mode of operation and may be
- removed in a future release.
+ secure, have been removed. Broadcast (but not multicast) service can still
+ be enabled, though this is a deprecated and unsupported mode of
+ operation and may be entirely removed in a future release.
+
+* The authentication requirement for remote configuration commands
+ (e.g., via +ntpq+) can no longer be disabled.
* The deprecated and vulnerability-prone ntpdate program has been
replaced with a shell wrapper around ntpdig. Its -e and -p
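Review bot: the new bullet "The authentication requirement for remote configuration commands (e.g., via +ntpq+) can no longer be disabled" is not backed by this push: ntp_config.c still handles "case T_Auth: proto_config(PROTO_AUTHENTICATE, enable, 0.);" in apply_enable_disable, so "disable auth" is still parsed and applied. Either remove the T_Auth case (and its keyword) in the code commit, or hold this bullet until that is done; as it stands, the authentic.txt hunk also deletes the only description of what the +auth+ flag governs while the flag remains configurable.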
@@ -287,8 +290,8 @@ link:assoc.html[Association Management]::
Describes how to configure servers and peers and manage the various
options. Includes automatic server discovery schemes.
link:discover.html[Automatic Server Discovery Schemes]::
- Describes automatic server discovery using broadcast, multicast,
- manycast and server pool scheme.
+ Describes automatic server discovery using broadcast
+ and server pool schemes.
link:access.html[Access Control Support]::
Describes the access control mechanisms that can be used to limit
client access to various time and management functions.
=====================================
docs/mode6.txt
=====================================
--- a/docs/mode6.txt
+++ b/docs/mode6.txt
@@ -426,8 +426,6 @@ en.#:: Integer literal. 1 if packets on this interface are processed, 0
flags.#:: A hex literal that is a mask of flag bits on.
Flag mask values are described in a following table.
-mc.#:: Count of multicast transmissions.
-
name.#:: The interface name, such as would occur in an ifconfig listing.
pc.#:: Count of peers using this interface.
@@ -448,9 +446,9 @@ up.#:: Uptime in seconds.
|INT_PPP | 0x002 | Point-to-point interface
|INT_LOOPBACK | 0x004 | the loopback interface
|INT_BROADCAST | 0x008 | can broadcast out this interface
-|INT_MULTICAST | 0x010 | can multicast out this interface
+|INT_MULTICAST | 0x010 | can multicast out this interface (not used)
|INT_BCASTOPEN | 0x020 | broadcast receive socket is open
-|INT_MCASTOPEN | 0x040 | multicasting enabled
+|INT_MCASTOPEN | 0x040 | multicasting enabled (not used)
|INT_WILDCARD | 0x080 | wildcard interface - usually skipped
|INT_MCASTIF | 0x100 | bound directly to MCAST address
|INT_PRIVACY | 0x200 | RFC 4941 IPv6 privacy address
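Review bot: INT_MULTICAST and INT_MCASTOPEN are annotated "(not used)" but INT_MCASTIF ("bound directly to MCAST address") two rows down is left unchanged, although the code that selected multicast interfaces (enable_multicast_if and the add_interface multicast block in ntp_io.c) is removed in this push. Either mark it the same way or, better, retire the dead flag values from the code and this table together rather than documenting unused bits.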
=====================================
include/ntp_config.h
=====================================
--- a/include/ntp_config.h
+++ b/include/ntp_config.h
@@ -200,8 +200,6 @@ struct config_tree_tag {
unpeer_fifo * unpeers;
/* Other Modes */
- address_fifo * manycastserver;
-
attr_val_fifo * orphan_cmds; /* s/b renamed tos_options */
/* Monitoring Configuration */
=====================================
include/ntpd.h
=====================================
--- a/include/ntpd.h
+++ b/include/ntpd.h
@@ -108,7 +108,6 @@ extern endpt * select_peerinterface (struct peer *, sockaddr_u *,
extern endpt * findinterface (sockaddr_u *);
extern endpt * findbcastinter (sockaddr_u *);
extern void enable_broadcast (endpt *, sockaddr_u *);
-extern void enable_multicast_if (endpt *, sockaddr_u *);
extern void interface_update (interface_receiver_t, void *);
extern void io_handler (void);
extern void init_io (void);
@@ -185,7 +184,7 @@ extern void clear (struct peer *);
extern void clock_filter (struct peer *, double, double, double);
extern void init_proto (const bool);
extern void set_sys_tick_precision(double);
-extern void proto_config (int, u_long, double, sockaddr_u *);
+extern void proto_config (int, u_long, double);
extern void proto_clr_stats (void);
extern void proto_dump(FILE *);
=====================================
ntpd/keyword-gen.c
=====================================
--- a/ntpd/keyword-gen.c
+++ b/ntpd/keyword-gen.c
@@ -41,7 +41,6 @@ struct key_tok ntp_keywords[] = {
{ "leapsmearinterval", T_Leapsmearinterval, FOLLBY_TOKEN },
{ "logconfig", T_Logconfig, FOLLBY_STRINGS_TO_EOC },
{ "logfile", T_Logfile, FOLLBY_STRING },
-{ "manycastserver", T_Manycastserver, FOLLBY_STRINGS_TO_EOC },
{ "mem", T_Mem, FOLLBY_TOKEN },
{ "path", T_Path, FOLLBY_STRING },
{ "peer", T_Peer, FOLLBY_STRING },
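Review bot: keyword-gen.c generates the keyword table, and the changed-files list contains no generated output; if that header is kept in the tree it must be regenerated in the same commit, otherwise the scanner will still produce T_Manycastserver, which ntp_parser.y no longer declares. Please confirm which it is.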
=====================================
ntpd/ntp_config.c
=====================================
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -213,7 +213,6 @@ static void free_config_fudge(config_tree *);
static void free_config_logconfig(config_tree *);
static void free_config_monitor(config_tree *);
static void free_config_nic_rules(config_tree *);
-static void free_config_other_modes(config_tree *);
static void free_config_peers(config_tree *);
static void free_config_phone(config_tree *);
static void free_config_reset_counters(config_tree *);
@@ -291,7 +290,6 @@ static void config_logfile(config_tree *);
static void config_vars(config_tree *);
static void config_ntpd(config_tree *, bool input_from_file);
-static void config_other_modes(config_tree *);
static void config_auth(config_tree *);
static void config_access(config_tree *);
static void config_mdnstries(config_tree *);
@@ -387,7 +385,6 @@ free_config_tree(
if (ptree->source.value.s != NULL)
free(ptree->source.value.s);
- free_config_other_modes(ptree);
free_config_auth(ptree);
free_config_tos(ptree);
free_config_monitor(ptree);
@@ -1141,28 +1138,6 @@ create_addr_opts_node(
*/
static void
-config_other_modes(
- config_tree * ptree
- )
-{
- sockaddr_u addr_sock;
- address_node * addr_node;
-
- addr_node = HEAD_PFIFO(ptree->manycastserver);
- while (addr_node != NULL) {
- ZERO_SOCK(&addr_sock);
- AF(&addr_sock) = addr_node->type;
- if (1 == getnetnum(addr_node->address, &addr_sock, 1,
- t_UNK)) {
- proto_config(PROTO_MULTICAST_ADD,
- 0, 0., &addr_sock);
- sys_manycastserver = 1;
- }
- addr_node = addr_node->link;
- }
-}
-
-static void
destroy_address_fifo(
address_fifo * pfifo
)
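Review bot: deleting config_other_modes removes the only place in the visible diff where sys_manycastserver is set (to 1); if the variable and the code paths keyed on it remain (ntp_proto.c is in the changed-files list but not shown here), they are now dead and should go in the same commit, otherwise they silently keep a "manycast server" state that can never be reached.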
@@ -1182,15 +1157,6 @@ destroy_address_fifo(
static void
-free_config_other_modes(
- config_tree *ptree
- )
-{
- FREE_ADDRESS_FIFO(ptree->manycastserver);
-}
-
-
-static void
config_auth(
config_tree *ptree
)
@@ -1362,7 +1328,7 @@ config_tos(
item = PROTO_BEACON;
break;
}
- proto_config(item, 0, val, NULL);
+ proto_config(item, 0, val);
}
}
@@ -2247,27 +2213,27 @@ apply_enable_disable(
break;
case T_Auth:
- proto_config(PROTO_AUTHENTICATE, enable, 0., NULL);
+ proto_config(PROTO_AUTHENTICATE, enable, 0.);
break;
case T_Calibrate:
- proto_config(PROTO_CAL, enable, 0., NULL);
+ proto_config(PROTO_CAL, enable, 0.);
break;
case T_Kernel:
- proto_config(PROTO_KERNEL, enable, 0., NULL);
+ proto_config(PROTO_KERNEL, enable, 0.);
break;
case T_Monitor:
- proto_config(PROTO_MONITOR, enable, 0., NULL);
+ proto_config(PROTO_MONITOR, enable, 0.);
break;
case T_Ntp:
- proto_config(PROTO_NTP, enable, 0., NULL);
+ proto_config(PROTO_NTP, enable, 0.);
break;
case T_Stats:
- proto_config(PROTO_FILEGEN, enable, 0., NULL);
+ proto_config(PROTO_FILEGEN, enable, 0.);
break;
}
@@ -3320,7 +3286,6 @@ config_ntpd(
io_open_sockets();
- config_other_modes(ptree);
config_peers(ptree);
config_unpeers(ptree);
config_fudge(ptree);
=====================================
ntpd/ntp_io.c
=====================================
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -218,8 +218,6 @@ static void init_async_notifications (void);
static bool addr_eqprefix (const sockaddr_u *, const sockaddr_u *,
int);
-static bool addr_samesubnet (const sockaddr_u *, const sockaddr_u *,
- const sockaddr_u *, const sockaddr_u *);
static int create_sockets (u_short);
static void set_reuseaddr (int);
static bool socket_broadcast_enable (endpt *, SOCKET, sockaddr_u *);
@@ -606,48 +604,6 @@ addr_eqprefix(
}
-static bool
-addr_samesubnet(
- const sockaddr_u * a,
- const sockaddr_u * a_mask,
- const sockaddr_u * b,
- const sockaddr_u * b_mask
- )
-{
- const uint32_t * pa;
- const uint32_t * pa_limit;
- const uint32_t * pb;
- const uint32_t * pm;
- size_t loops;
-
- NTP_REQUIRE(AF(a) == AF(a_mask));
- NTP_REQUIRE(AF(b) == AF(b_mask));
- /*
- * With address and mask families verified to match, comparing
- * the masks also validates the address's families match.
- */
- if (!SOCK_EQ(a_mask, b_mask))
- return false;
-
- if (IS_IPV6(a)) {
- loops = sizeof(NSRCADR6(a)) / sizeof(*pa);
- pa = (const void *)&NSRCADR6(a);
- pb = (const void *)&NSRCADR6(b);
- pm = (const void *)&NSRCADR6(a_mask);
- } else {
- loops = sizeof(NSRCADR(a)) / sizeof(*pa);
- pa = (const void *)&NSRCADR(a);
- pb = (const void *)&NSRCADR(b);
- pm = (const void *)&NSRCADR(a_mask);
- }
- for (pa_limit = pa + loops; pa < pa_limit; pa++, pb++, pm++)
- if ((*pa & *pm) != (*pb & *pm))
- return false;
-
- return true;
-}
-
-
/*
* Code to tell if we have an IP address
* If we have then return the sockaddr structure
@@ -798,167 +754,11 @@ add_interface(
endpt * ep
)
{
- endpt ** pmclisthead;
- endpt * scan;
- endpt * scan_next;
- endpt * unlinked;
- sockaddr_u * addr;
- bool ep_local;
- bool scan_local;
- bool same_subnet;
- bool ep_univ_iid; /* iface ID from MAC address */
- bool scan_univ_iid; /* see RFC 4291 */
- bool ep_privacy; /* random local iface ID */
- bool scan_privacy; /* see RFC 4941 */
- int rc;
-
/* Calculate the refid */
ep->addr_refid = addr2refid(&ep->sin);
/* link at tail so ntpq -c ifstats index increases each row */
LINK_TAIL_SLIST(ep_list, ep, elink, endpt);
ninterfaces++;
-#ifdef MCAST
- /* the rest is for enabled multicast-capable addresses only */
- if (ep->ignore_packets || !(INT_MULTICAST & ep->flags) ||
- INT_LOOPBACK & ep->flags)
- return;
-# ifndef USE_IPV6_MULTICAST_SUPPORT
- if (AF_INET6 == ep->family)
- return;
-# endif
- pmclisthead = (AF_INET == ep->family)
- ? &mc4_list
- : &mc6_list;
-
- if (AF_INET6 == ep->family) {
- ep_local =
- IN6_IS_ADDR_LINKLOCAL(PSOCK_ADDR6(&ep->sin)) ||
- IN6_IS_ADDR_SITELOCAL(PSOCK_ADDR6(&ep->sin));
- ep_univ_iid = IS_IID_UNIV(&ep->sin);
- ep_privacy = !!(INT_PRIVACY & ep->flags);
- } else {
- ep_local = false;
- ep_univ_iid = false;
- ep_privacy = false;
- }
- DPRINTF(4, ("add_interface mcast-capable %s%s%s%s\n",
- socktoa(&ep->sin),
- (ep_local) ? " link/scope-local" : "",
- (ep_univ_iid) ? " univ-IID" : "",
- (ep_privacy) ? " privacy" : ""));
- /*
- * If we have multiple local addresses on the same network
- * interface, and some are link- or site-local, do not multicast
- * out from the link-/site-local addresses by default, to avoid
- * duplicate manycastclient associations between v6 peers using
- * link-local and global addresses. link-local can still be
- * chosen using "nic ignore myv6globalprefix::/64".
- * Similarly, if we have multiple global addresses from the same
- * prefix on the same network interface, multicast from one,
- * preferring EUI-64, then static, then least RFC 4941 privacy
- * addresses.
- */
- for (scan = *pmclisthead; scan != NULL; scan = scan_next) {
- scan_next = scan->mclink;
- if (ep->family != scan->family)
- continue;
- if (strcmp(ep->name, scan->name))
- continue;
- same_subnet = addr_samesubnet(&ep->sin, &ep->mask,
- &scan->sin, &scan->mask);
- if (AF_INET6 == ep->family) {
- addr = &scan->sin;
- scan_local =
- IN6_IS_ADDR_LINKLOCAL(PSOCK_ADDR6(addr)) ||
- IN6_IS_ADDR_SITELOCAL(PSOCK_ADDR6(addr));
- scan_univ_iid = IS_IID_UNIV(addr);
- scan_privacy = !!(INT_PRIVACY & scan->flags);
- } else {
- scan_local = false;
- scan_univ_iid = false;
- scan_privacy = false;
- }
- DPRINTF(4, ("add_interface mcast-capable scan %s%s%s%s\n",
- socktoa(&scan->sin),
- (scan_local) ? " link/scope-local" : "",
- (scan_univ_iid) ? " univ-IID" : "",
- (scan_privacy) ? " privacy" : ""));
- if ((ep_local && !scan_local) || (same_subnet &&
- ((ep_privacy && !scan_privacy) ||
- (!ep_univ_iid && scan_univ_iid)))) {
- DPRINTF(4, ("did not add %s to %s of IPv6 multicast-capable list which already has %s\n",
- socktoa(&ep->sin),
- (ep_local)
- ? "tail"
- : "head",
- socktoa(&scan->sin)));
- return;
- }
- if ((scan_local && !ep_local) || (same_subnet &&
- ((scan_privacy && !ep_privacy) ||
- (!scan_univ_iid && ep_univ_iid)))) {
- UNLINK_SLIST(unlinked, *pmclisthead,
- scan, mclink, endpt);
- DPRINTF(4, ("%s %s from IPv6 multicast-capable list to add %s\n",
- (unlinked != scan)
- ? "Failed to remove"
- : "removed",
- socktoa(&scan->sin), socktoa(&ep->sin)));
- }
- }
- /*
- * Add link/site local at the tail of the multicast-
- * capable unicast interfaces list, so that ntpd will
- * send from global addresses before link-/site-local
- * ones.
- */
- if (ep_local)
- LINK_TAIL_SLIST(*pmclisthead, ep, mclink, endpt);
- else
- LINK_SLIST(*pmclisthead, ep, mclink);
- DPRINTF(4, ("added %s to %s of IPv%s multicast-capable unicast local address list\n",
- socktoa(&ep->sin),
- (ep_local)
- ? "tail"
- : "head",
- (AF_INET == ep->family)
- ? "4"
- : "6"));
-
- if (INVALID_SOCKET == ep->fd)
- return;
-
- /*
- * select the local address from which to send to multicast.
- */
- switch (AF(&ep->sin)) {
-
- case AF_INET :
- rc = setsockopt(ep->fd, IPPROTO_IP,
- IP_MULTICAST_IF,
- (void *)&NSRCADR(&ep->sin),
- sizeof(NSRCADR(&ep->sin)));
- if (rc)
- msyslog(LOG_ERR,
- "setsockopt IP_MULTICAST_IF %s fails: %m",
- socktoa(&ep->sin));
- break;
-
-# ifdef USE_IPV6_MULTICAST_SUPPORT
- case AF_INET6 :
- rc = setsockopt(ep->fd, IPPROTO_IPV6,
- IPV6_MULTICAST_IF,
- (void *)&ep->ifindex,
- sizeof(ep->ifindex));
- /* do not complain if bound addr scope is ifindex */
- if (rc && ep->ifindex != SCOPE(&ep->sin))
- msyslog(LOG_ERR,
- "setsockopt IPV6_MULTICAST_IF %u for %s fails: %m",
- ep->ifindex, socktoa(&ep->sin));
- break;
-# endif
- }
-#endif /* MCAST */
}
@@ -1131,14 +931,6 @@ create_wildcards(
wildif->flags = INT_BROADCAST | INT_UP | INT_WILDCARD;
wildif->ignore_packets = (ACTION_DROP == action);
-#if defined(MCAST)
- /*
- * enable multicast reception on the broadcast socket
- */
- AF(&wildif->bcast) = AF_INET;
- SET_ADDR4N(&wildif->bcast, INADDR_ANY);
- SET_PORT(&wildif->bcast, port);
-#endif /* MCAST */
wildif->fd = open_socket(&wildif->sin, 0, 1, wildif);
if (wildif->fd != INVALID_SOCKET) {
@@ -2212,74 +2004,6 @@ socket_broadcast_disable(
#endif /* OPEN_BCAST_SOCKET */
/*
- * Multicast servers need to set the appropriate Multicast interface
- * socket option in order for it to know which interface to use for
- * send the multicast packet.
- */
-void
-enable_multicast_if(
- endpt * iface,
- sockaddr_u * maddr
- )
-{
-#ifdef MCAST
-#ifdef IP_MULTICAST_LOOP
- TYPEOF_IP_MULTICAST_LOOP off = 0;
-#endif
-#if defined(USE_IPV6_MULTICAST_SUPPORT) && defined(IPV6_MULTICAST_LOOP)
- u_int off6 = 0;
-#endif
-
- NTP_REQUIRE(AF(maddr) == AF(&iface->sin));
-
- switch (AF(&iface->sin)) {
-
- case AF_INET:
-#ifdef IP_MULTICAST_LOOP
- /*
- * Don't send back to itself, but allow failure to set
- */
- if (setsockopt(iface->fd, IPPROTO_IP,
- IP_MULTICAST_LOOP,
- SETSOCKOPT_ARG_CAST &off,
- sizeof(off))) {
-#ifndef __COVERITY__
- msyslog(LOG_ERR,
- "setsockopt IP_MULTICAST_LOOP failed: %m on socket %d, addr %s for multicast address %s",
- iface->fd, socktoa(&iface->sin),
- socktoa(maddr));
-#endif /* __COVERITY__ */
- }
-#endif
- break;
-
- case AF_INET6:
-#ifdef USE_IPV6_MULTICAST_SUPPORT
-#ifdef IPV6_MULTICAST_LOOP
- /*
- * Don't send back to itself, but allow failure to set
- */
- if (setsockopt(iface->fd, IPPROTO_IPV6,
- IPV6_MULTICAST_LOOP,
- (char *) &off6, sizeof(off6))) {
-#ifndef __COVERITY__
- msyslog(LOG_ERR,
- "setsockopt IPV6_MULTICAST_LOOP failed: %m on socket %d, addr %s for multicast address %s",
- iface->fd, socktoa(&iface->sin),
- socktoa(maddr));
-#endif /* __COVERITY__ */
- }
-#endif
- break;
-#else
- return;
-#endif /* USE_IPV6_MULTICAST_SUPPORT */
- }
- return;
-#endif
-}
-
-/*
* open_socket - open a socket, returning the file descriptor
*/
@@ -2470,71 +2194,22 @@ sendpkt(
)
{
endpt * src;
- int ismcast;
int cc;
- int rc;
- uint8_t cttl;
-
- ismcast = IS_MCAST(dest);
- if (!ismcast)
- src = ep;
- else
- src = (IS_IPV4(dest))
- ? mc4_list
- : mc6_list;
+ src = ep;
if (NULL == src) {
/*
* unbound peer - drop request and wait for better
* network conditions
*/
- DPRINTF(2, ("%ssendpkt(dst=%s, ttl=%d, len=%d): no interface - IGNORED\n",
- ismcast ? "\tMCAST\t***** " : "",
+ DPRINTF(2, ("sendpkt(dst=%s, ttl=%d, len=%d): no interface - IGNORED\n",
socktoa(dest), ttl, len));
return;
}
do {
- DPRINTF(2, ("%ssendpkt(%d, dst=%s, src=%s, ttl=%d, len=%d)\n",
- ismcast ? "\tMCAST\t***** " : "", src->fd,
- socktoa(dest), socktoa(&src->sin), ttl, len));
-#ifdef MCAST
- /*
- * for the moment we use the bcast option to set multicast ttl
- */
- if (ismcast && ttl > 0 && ttl != src->last_ttl) {
- /*
- * set the multicast ttl for outgoing packets
- */
- switch (AF(&src->sin)) {
-
- case AF_INET :
- cttl = (uint8_t)ttl;
- rc = setsockopt(src->fd, IPPROTO_IP,
- IP_MULTICAST_TTL,
- (void *)&cttl,
- sizeof(cttl));
- break;
-
- case AF_INET6 :
- rc = setsockopt(src->fd, IPPROTO_IPV6,
- IPV6_MULTICAST_HOPS,
- (void *)&ttl,
- sizeof(ttl));
- break;
-
- default:
- rc = 0;
- }
-
- if (!rc)
- src->last_ttl = ttl;
- else
- msyslog(LOG_ERR,
- "setsockopt IP_MULTICAST_TTL/IPV6_MULTICAST_HOPS fails on address %s: %m",
- socktoa(&src->sin));
- }
-#endif /* MCAST */
+ DPRINTF(2, ("sendpkt(%d, dst=%s, src=%s, ttl=%d, len=%d)\n",
+ src->fd, socktoa(dest), socktoa(&src->sin), ttl, len));
cc = sendto(src->fd, pkt, (u_int)len, 0,
&dest->sa, SOCKLEN(dest));
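Review bot: after this hunk the `ttl` parameter of sendpkt() is only ever printed (`sendpkt(dst=%s, ttl=%d, len=%d)`); its one functional use, the IP_MULTICAST_TTL / IPV6_MULTICAST_HOPS setsockopt, is deleted along with `cttl`, `rc` and the `last_ttl` bookkeeping. Either remove the parameter from the signature and its callers, or add a comment saying it is kept for the broadcast path, so the next reader does not assume the TTL is still applied. Minor: `src = ep;` immediately followed by `if (NULL == src)` would read cleaner as an initialiser on the declaration (`endpt *src = ep;`).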
@@ -2545,9 +2220,8 @@ sendpkt(
src->sent++;
packets_sent++;
}
- if (ismcast)
- src = src->mclink;
- } while (ismcast && src != NULL);
+ src = src->mclink;
+ } while (src != NULL);
}
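Review bot: the loop tail `src = src->mclink; } while (src != NULL);` now walks the mclink chain unconditionally, where before it did so only when `ismcast` was set. A unicast send used to execute exactly once; after this change a packet is re-sent through every endpt still chained on `mclink`, so any stale non-NULL link turns one reply into several, each counted in `src->sent` and `packets_sent`. Since sendpkt() no longer selects `mc4_list`/`mc6_list` as its source, collapse the do/while into a single sendto() and remove `mclink` from the endpt structure rather than keeping a loop whose only remaining job is to follow a pointer that should always be NULL.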
=====================================
ntpd/ntp_parser.y
=====================================
--- a/ntpd/ntp_parser.y
+++ b/ntpd/ntp_parser.y
@@ -126,7 +126,6 @@
%token <Integer> T_Logconfig
%token <Integer> T_Logfile
%token <Integer> T_Loopstats
-%token <Integer> T_Manycastserver
%token <Integer> T_Mask
%token <Integer> T_Maxage
%token <Integer> T_Maxclock
@@ -235,7 +234,6 @@
%type <Int_fifo> ac_flag_list
%type <Address_node> address
%type <Integer> address_fam
-%type <Address_fifo> address_list
%type <Integer> boolean
%type <Integer> client_type
%type <Integer> counter_set_keyword
@@ -510,9 +508,7 @@ unpeer_keyword
*/
other_mode_command
- : T_Manycastserver address_list
- { CONCAT_G_FIFOS(cfgt.manycastserver, $2); }
- | T_Mdnstries T_Integer
+ : T_Mdnstries T_Integer
{ cfgt.mdnstries = $2; }
;
@@ -1441,19 +1437,6 @@ string_list
}
;
-address_list
- : address_list address
- {
- $$ = $1;
- APPEND_G_FIFO($$, $2);
- }
- | address
- {
- $$ = NULL;
- APPEND_G_FIFO($$, $1);
- }
- ;
-
boolean
: T_Integer
{
=====================================
ntpd/ntp_peer.c
=====================================
--- a/ntpd/ntp_peer.c
+++ b/ntpd/ntp_peer.c
@@ -604,13 +604,6 @@ peer_refresh_interface(
if (p->dstadr != piface && !(MDF_ACAST & p->cast_flags)
&& MODE_BROADCAST != p->pmode)
peer_clear(p, "XFAC", false);
-
- /*
- * Multicast needs the socket interface enabled for
- * multicast
- */
- if (MDF_MCAST & p->cast_flags)
- enable_multicast_if(p->dstadr, &p->srcadr);
}
}
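Review bot: the context line `if (p->dstadr != piface && !(MDF_ACAST & p->cast_flags)` keeps the manycast flag alive while this same series drops `T_Manycastserver` from ntp_parser.y. If manycast client mode is meant to survive, that is fine and worth a sentence in the commit message; if it is going too, the MDF_ACAST special case here and the "ACST" peer_clear reason in newpeer() should be removed in the same change so the removal does not stop halfway.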
@@ -764,12 +757,6 @@ newpeer(
if ((MDF_BCAST & cast_flags) && peer->dstadr != NULL)
enable_broadcast(peer->dstadr, srcadr);
- /*
- * Multicast needs the socket interface enabled for multicast
- */
- if ((MDF_MCAST & cast_flags) && peer->dstadr != NULL)
- enable_multicast_if(peer->dstadr, srcadr);
-
peer->ttl = ttl;
peer->keyid = key;
peer->precision = sys_precision;
@@ -778,8 +765,6 @@ newpeer(
peer_clear(peer, "ACST", initializing);
else if (cast_flags & MDF_POOL)
peer_clear(peer, "POOL", initializing);
- else if (cast_flags & MDF_MCAST)
- peer_clear(peer, "MCST", initializing);
else if (cast_flags & MDF_BCAST)
peer_clear(peer, "BCST", initializing);
else
=====================================
ntpd/ntp_proto.c
=====================================
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -2816,8 +2816,7 @@ void
proto_config(
int item,
u_long value,
- double dvalue,
- sockaddr_u *svalue
+ double dvalue
)
{
/*
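Review bot: dropping `sockaddr_u *svalue` changes the signature of proto_config(), so the prototype in include/ntpd.h and every call site must be updated in the same commit and no remaining branch of the function body may reference `svalue`; only the definition header is shown here, so please confirm the callers are covered by the other touched files, since a single stale four-argument call will break the build.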
=====================================
wafhelpers/check_multicast.py deleted
=====================================
--- a/wafhelpers/check_multicast.py
+++ /dev/null
@@ -1,15 +0,0 @@
-def check_multicast(ctx):
- "Probe for IP multicast capability."
- ctx.check_cc(
- fragment="""
-#include <netinet/in.h>
-int main(void) {
- struct ip_mreq ipmr;
- ipmr.imr_interface.s_addr = 0;
- return 0;
-}
-""",
- define_name="MCAST",
- msg = "Checking for multicast capability",
- mandatory = False,
- comment = "IP multicast capability")
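Review bot: removing this probe means configure never defines `MCAST` again, so every `#ifdef MCAST` region still in the tree (the one deleted from sendpkt() above was one instance) silently becomes dead code rather than being compiled out on purpose. Grep for the remaining `MCAST` guards and delete the guarded code outright so the source does not carry unreachable multicast paths.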
=====================================
wafhelpers/configure.py
=====================================
--- a/wafhelpers/configure.py
+++ b/wafhelpers/configure.py
@@ -282,9 +282,6 @@ def cmd_configure(ctx, config):
ctx.define("GETSOCKNAME_SOCKLEN_TYPE", "socklen_t", quote=False, comment="socklen type")
ctx.define("DFLT_RLIMIT_STACK", 50, comment="Default stack size")
- from wafhelpers.check_multicast import check_multicast
- check_multicast(ctx)
-
ctx.define("TYPEOF_IP_MULTICAST_LOOP", "u_char", quote=False, comment="Multicast loop type") #XXX: check for mcast type
# These are helpful and don't break Linux or *BSD
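Review bot: the kept line `ctx.define("TYPEOF_IP_MULTICAST_LOOP", "u_char", ...)` with its `#XXX: check for mcast type` note now defines a type whose only user, the IP_MULTICAST_LOOP setsockopt in enable_multicast_if(), is deleted by this series; drop the define together with the probe so the configure output does not advertise multicast support that the daemon no longer has.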
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/2ef4717a27b024ca25bfb72babb493ea97092617...765281897cb1f6ebe17d0a2562e2efe360469981