[Git][NTPsec/ntpsec][master] Address GitLab issue #356: reverse function for restrict

Eric S. Raymond gitlab at mg.gitlab.com
Tue Aug 15 11:26:53 UTC 2017


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
e7a4b0d3 by Eric S. Raymond at 2017-08-15T07:25:46-04:00
Address GitLab issue #356: reverse function for restrict

- - - - -


7 changed files:

- NEWS
- docs/includes/access-commands.txt
- docs/ntpsec.txt
- include/ntp_config.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y


Changes:

=====================================
NEWS
=====================================
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ The code size has been further reduced, to 56KLOC.
 
 ntpmon now reports units on time figures.
 
+You can now turn off restriction flags with an _unrestrict_ statement
+that takes arguments exactly like a _restrict_. This is expected to be
+useful mainly with the "ntpq config" command.
+
 Builds are fully reproducible; see SOURCE_DATE_EPOCH and BUILD_EPOCH.
 
 == 2017-03-21: 0.9.7 ==


=====================================
docs/includes/access-commands.txt
=====================================
--- a/docs/includes/access-commands.txt
+++ b/docs/includes/access-commands.txt
@@ -108,4 +108,11 @@ though if it is otherwise unconfigured; no flags are associated with
 the default entry (i.e., everything besides your own NTP server is
 unrestricted).
 
+[[restrict]]
++unrestrict+ _address_[/_cidr_] [+mask+ _mask_] [+flag+ +...+]::
+   Like a +restrict+ command, but turns off the specified flags
+   rather than turning them on (expected to be useful mainly with ntpq
+   config). Use only on an address/mask or CIDR-format address
+   mentioned in a previous +restrict+ statement.
+
 // end


=====================================
docs/ntpsec.txt
=====================================
--- a/docs/ntpsec.txt
+++ b/docs/ntpsec.txt
@@ -222,6 +222,10 @@ codebase has been outright removed, with less than 5% new code added.
 * The _restrict_ statement can now take an address range in CIDR
   notation rather than as an address/mask pair.
 
+* You can now turn off restriction flags with an _unrestrict_
+  statement that takes arguments exactly like a _restrict_. This
+  is expected to be useful mainly with the "ntpq config" command.
+
 * The includefile directive now evaluates relative pathnames not with
   respect to the current working directory but with respect to the
   directory name of the last pushed file in the stack.  This means


=====================================
include/ntp_config.h
=====================================
--- a/include/ntp_config.h
+++ b/include/ntp_config.h
@@ -84,6 +84,7 @@ typedef DECL_FIFO_ANCHOR(string_node) string_fifo;
 
 typedef struct restrict_node_tag restrict_node;
 struct restrict_node_tag {
+	int		mode;	/* restrict or unrestrict? */
 	restrict_node *	link;
 	address_node *	addr;
 	address_node *	mask;
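Review bot: The comment on the new `mode` field does not say which values it holds. Judging by the `config_access` hunk in ntpd/ntp_config.c, it carries the parser token, and every value other than `T_Restrict` is treated as an unrestrict. I would spell that out, e.g. `int mode; /* parser token: T_Restrict or T_Unrestrict */`, so a later caller of `create_restrict_node()` does not pass 0 or a boolean by mistake. The struct definition continues outside the hunk.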
@@ -267,7 +268,7 @@ attr_val *create_attr_sval(int attr, const char *s);
 filegen_node *create_filegen_node(int filegen_token,
 				  attr_val_fifo *options);
 string_node *create_string_node(char *str);
-restrict_node *create_restrict_node(address_node *addr,
+restrict_node *create_restrict_node(int mode, address_node *addr,
 				    address_node *mask,
 				    int_fifo *flags, int line_no);
 int_node *create_int_node(int val);


=====================================
ntpd/keyword-gen.c
=====================================
--- a/ntpd/keyword-gen.c
+++ b/ntpd/keyword-gen.c
@@ -65,6 +65,7 @@ struct key_tok ntp_keywords[] = {
 { "unconfig",		T_Unconfig,		FOLLBY_STRING },
 { "unit",		T_Unit,			FOLLBY_TOKEN },
 { "unpeer",		T_Unpeer,		FOLLBY_STRING },
+{ "unrestrict",		T_Unrestrict,		FOLLBY_TOKEN },
 /* authentication_command */
 { "controlkey",		T_ControlKey,		FOLLBY_TOKEN },
 { "requestkey",		T_Requestkey,		FOLLBY_TOKEN }, /* dummy */


=====================================
ntpd/ntp_config.c
=====================================
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -863,6 +863,7 @@ create_filegen_node(
 
 restrict_node *
 create_restrict_node(
+	const int       mode,
 	address_node *	addr,
 	address_node *	mask,
 	int_fifo *	flags,
@@ -872,6 +873,7 @@ create_restrict_node(
 	restrict_node *my_node;
 
 	my_node = emalloc_zero(sizeof(*my_node));
+	my_node->mode = mode;
 	my_node->addr = addr;
 	my_node->mask = mask;
 	my_node->flags = flags;
@@ -1793,7 +1795,9 @@ config_access(
 		}
 
 		do {
-			hack_restrict(RESTRICT_FLAGS, &addr,
+			int op = (my_node->mode == T_Restrict)
+				? RESTRICT_FLAGS : RESTRICT_UNFLAG;
+			hack_restrict(op, &addr,
 				      &mask, mflags, flags, 0);
 			if (pai != NULL &&
 			    NULL != (pai = pai->ai_next)) {
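Review bot: The `op` selection fails open, because any `mode` other than `T_Restrict` selects `RESTRICT_UNFLAG` and so clears access-control flags; that includes a zero left by `emalloc_zero()` if a node is ever built without setting the field. Testing for the widening case explicitly keeps the fallback on the restrictive side: `int op = (my_node->mode == T_Unrestrict) ? RESTRICT_UNFLAG : RESTRICT_FLAGS;`. Since the NEWS entry expects this to be driven mainly through `ntpq config` at runtime, each unflag operation should also be logged with its address and flags so that a relaxation of restrictions leaves an audit trail; whether `hack_restrict()` already logs is not visible here. `config_access` starts and ends outside the hunk.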


=====================================
ntpd/ntp_parser.y
=====================================
--- a/ntpd/ntp_parser.y
+++ b/ntpd/ntp_parser.y
@@ -211,6 +211,7 @@
 %token	<Integer>	T_Unit
 %token	<Integer>	T_Unconfig
 %token	<Integer>	T_Unpeer
+%token	<Integer>	T_Unrestrict
 %token	<Integer>	T_Usestats
 %token	<Integer>	T_Version
 %token	<Integer>	T_WanderThreshold	/* Not a token */
@@ -292,6 +293,7 @@
 %type	<Attr_val_fifo>	tos_option_list
 %type	<Integer>	unpeer_keyword
 %type	<Set_var>	variable_assign
+%type	<Integer>	restrict_prefix
 
 %%
 
@@ -701,6 +703,11 @@ filegen_type
  * -----------------------
  */
 
+restrict_prefix
+	: T_Restrict
+	| T_Unrestrict
+	;
+
 access_control_command
 	:	T_Discard discard_option_list
 		{
@@ -710,35 +717,35 @@ access_control_command
 		{
 			CONCAT_G_FIFOS(cfgt.mru_opts, $2);
 		}
-	|	T_Restrict address ac_flag_list
+	|	restrict_prefix address ac_flag_list
 		{
 			restrict_node *rn;
 
-			rn = create_restrict_node($2, NULL, $3,
+			rn = create_restrict_node($1, $2, NULL, $3,
 						  lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-	|	T_Restrict ip_address T_Mask ip_address ac_flag_list
+	|	restrict_prefix ip_address T_Mask ip_address ac_flag_list
 		{
 			restrict_node *rn;
 
-			rn = create_restrict_node($2, $4, $5,
+			rn = create_restrict_node($1, $2, $4, $5,
 						  lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-	|	T_Restrict T_Default ac_flag_list
+	|	restrict_prefix T_Default ac_flag_list
 		{
 			restrict_node *rn;
 
-			rn = create_restrict_node(NULL, NULL, $3,
+			rn = create_restrict_node($1, NULL, NULL, $3,
 						  lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-	|	T_Restrict T_Ipv4_flag T_Default ac_flag_list
+	|	restrict_prefix T_Ipv4_flag T_Default ac_flag_list
 		{
 			restrict_node *rn;
 
-			rn = create_restrict_node(
+			rn = create_restrict_node($1,
 				create_address_node(
 					estrdup("0.0.0.0"), 
 					AF_INET),
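Review bot: Substituting `restrict_prefix` for `T_Restrict` in every alternative makes the grammar accept `unrestrict` with `T_Default` (this hunk), with `T_Ipv4_flag`/`T_Ipv6_flag T_Default` (this and the next hunk) and with `T_Source` (last hunk). The documentation added in this commit says to use `unrestrict` only on an address named in a previous `restrict` statement. If those forms reach `config_access` they would presumably clear flags on the default or source entries, which relaxes access control for every client not covered by a more specific rule. Either keep plain `T_Restrict` in those alternatives or reject `$1 == T_Unrestrict` there with a parse error, and record the rule in a comment above `restrict_prefix`. In the `T_Source` alternative the appended `create_int_node($2)` is also passed on for unrestrict, and how `config_access` handles it is outside this diff.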
@@ -749,11 +756,11 @@ access_control_command
 				lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-	|	T_Restrict T_Ipv6_flag T_Default ac_flag_list
+	|	restrict_prefix T_Ipv6_flag T_Default ac_flag_list
 		{
 			restrict_node *rn;
 			
-			rn = create_restrict_node(
+			rn = create_restrict_node($1,
 				create_address_node(
 					estrdup("::"), 
 					AF_INET6),
@@ -764,13 +771,13 @@ access_control_command
 				lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
-	|	T_Restrict T_Source ac_flag_list
+	|	restrict_prefix T_Source ac_flag_list
 		{
 			restrict_node *	rn;
 
 			APPEND_G_FIFO($3, create_int_node($2));
 			rn = create_restrict_node(
-				NULL, NULL, $3, lex_current()->curpos.nline);
+				$1, NULL, NULL, $3, lex_current()->curpos.nline);
 			APPEND_G_FIFO(cfgt.restrict_opts, rn);
 		}
 	;



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/e7a4b0d3cf8932feeb898ed1343f25e8e65688d9
