[Git][NTPsec/ntpsec][master] 3 commits: Remove unused #define AM_* from ntp.h

Hal Murray gitlab at mg.gitlab.com
Mon Mar 23 11:03:07 UTC 2020



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
13317e91 by Hal Murray at 2020-03-23T04:00:58-07:00
Remove unused #define AM_* from ntp.h
Leftover from a cleanup a long time ago.

- - - - -
e15e61d2 by Hal Murray at 2020-03-23T04:00:58-07:00
Add logging for dropped packets: 2 per hour

- - - - -
9cecf01e by Hal Murray at 2020-03-23T04:00:58-07:00
Remove duplicte SIG-IGN for SIGPIPE

- - - - -


4 changed files:

- include/ntp.h
- ntpd/ntp_monitor.c
- ntpd/ntp_proto.c
- ntpd/ntpd.c


Changes:

=====================================
include/ntp.h
=====================================
@@ -729,18 +729,6 @@ struct endpoint {
 	int	type;			/* interval entry/exit */
 };
 
-/*
- * Association matching AM[] return codes
- */
-#define AM_ERR		-1		/* error */
-#define AM_NOMATCH	0		/* no match */
-#define AM_PROCPKT	1		/* server/symmetric packet */
-#define AM_BCST		2		/* broadcast packet */
-#define AM_FXMIT	3		/* client packet */
-#define AM_MANYCAST	4		/* manycast or pool */
-#define AM_NEWPASS	5		/* new passive */
-#define AM_NEWBCL	6		/* new broadcast */
-#define AM_POSSBCL	7		/* discard broadcast */
 
 /* ntpq -c mrulist rows per request limit in ntpd */
 #define MRU_ROW_LIMIT	256


=====================================
ntpd/ntp_monitor.c
=====================================
@@ -368,6 +368,8 @@ ntp_monitor(
 		 */
 		since_last = ldexpf(interval_fp, -32);
 		mon->score *= expf(-since_last/decay_time);
+		/* count the ones we drop */
+		/* with enough traffic, we drop everything */
 		mon->score += 1.0/decay_time;
 		if (mon->score < rate_limit) {
 			/* low score, turn off reject bits */
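Review bot: The two added comments above `mon->score += 1.0/decay_time;` are too terse to tell a reader what is being counted or why it matters. In the visible lines the increment is unconditional and the `rate_limit` comparison follows it, so the intent appears to be that packets which end up rejected still raise the score. If so, one comment could say it directly, e.g. `/* Every packet raises the score, including ones we go on to drop, so a source that keeps sending stays over rate_limit and has everything dropped. */`. ntp_monitor's body starts and ends outside this hunk, so the surrounding conditions should be checked before adopting that wording.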


=====================================
ntpd/ntp_proto.c
=====================================
@@ -250,6 +250,7 @@ static	int	peer_unfit	(struct peer *);
 static	double	root_distance	(struct peer *);
 static	void	restart_nts_ke	(struct peer *);
 static	void	maybe_log_junk	(struct recvbuf *rbuf);
+static	void	maybe_log_drop	(struct recvbuf *rbuf);
 
 void
 set_sys_leap(unsigned char new_sys_leap) {
@@ -697,6 +698,7 @@ receive(
 	restrict_mask = ntp_monitor(rbufp, restrict_mask);
 	if (restrict_mask & RES_LIMITED) {
 		stat_count.sys_limitrejected++;
+		maybe_log_drop(rbufp);
 		if(!(restrict_mask & RES_KOD)) { return; }
 	}
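Review bot: On the KoD path (`RES_KOD` set) receive() carries on past this call, yet maybe_log_drop, defined later in this patch, assigns `rbufp->pkt.li_vn_mode = rbufp->recv_buffer[0]` as a side effect of logging. Later parsing presumably overwrites that field, but that code is outside the hunk, and a logging helper that writes into the receive buffer is easy to trip over. Decoding from a local instead, e.g. `unsigned char lvm = rbufp->recv_buffer[0];` followed by `PKT_MODE(lvm), PKT_VERSION(lvm)`, would leave the packet untouched. The same read of `recv_buffer[0]` relies on an earlier length check that is not visible here; if there is none, `if (rbufp->recv_length < 1) return;` at the top of the helper would cover it.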
 
@@ -2962,28 +2964,89 @@ proto_clr_stats(void)
 }
 
 
-/* limit logging so bad guys can't DDoS us by sending crap
- * Limit to 25 total.  Maybe should be 10/hour
- * This gets too-old cookies
- */
+/* limit logging so bad guys can't DDoS us by sending crap */
 
 void maybe_log_junk(struct recvbuf *rbufp) {
-    static unsigned int junk = 0;
+  static float junk_limit = 2.0;         /* packets per hour */
+  static float junk_score = 0;           /* score, packets/hour */
+  static float junk_decay = 2.0;         /* hours, exponential decay time */
+  static l_fp  junk_last = 0;            /* time of last attempted print */
+  static long  junk_count = 0;           /* total count */
+  static long  junk_print = 0;           /* printed count */
 #define JUNKSIZE 500
     char buf[JUNKSIZE];
     int lng = rbufp->recv_length;
     int i, j;
-    if (junk++>=25) return;
+
+    junk_count++;
+    if (0 == junk_last) {
+      /* first time */
+      junk_last = rbufp->recv_time;
+    } else {
+      l_fp interval_fp = rbufp->recv_time - junk_last;
+      float since_last = ldexpf(interval_fp, -32)/3600.0;
+      junk_last = rbufp->recv_time;
+      junk_score *= expf(-since_last/junk_decay);
+      if (junk_limit < junk_score)
+	return; 
+    }
+    junk_print++;
+    junk_score += 1.0/junk_decay;  /* only count the ones we print */
+
+    msyslog(LOG_INFO,
+	"JUNK: Count=%ld Print=%ld, Score=%.3f, M%d V%d from %s, lng=%d",
+	junk_count, junk_print, junk_score,
+        PKT_MODE(rbufp->pkt.li_vn_mode), PKT_VERSION(rbufp->pkt.li_vn_mode),
+        sockporttoa(&rbufp->recv_srcadr), lng);
     for (i=0,j=0; i<lng; i++) {
       if ((j+4)>JUNKSIZE) break;
       if (0 == (i%4)) buf[j++] = ' ';
       j += snprintf(&buf[j], (JUNKSIZE-j), "%02x", rbufp->recv_buffer[i]);
     }
     msyslog(LOG_INFO,
-	"JUNK: M%d V%d %s from %s, lng=%d",
-	PKT_MODE(rbufp->pkt.li_vn_mode), PKT_VERSION(rbufp->pkt.li_vn_mode),
-	buf,
-	sockporttoa(&rbufp->recv_srcadr),
-	lng);
+	"JUNK: %s", buf);
+}
+
+
+void maybe_log_drop(struct recvbuf *rbufp) {
+  static float drop_limit = 2.0;         /* packets per hour */
+  static float drop_score = 0;           /* score, packets/hour */
+  static float drop_decay = 2.0;         /* hours, exponential decay time */
+  static l_fp  drop_last = 0;            /* time of last attempted print */
+  static long  drop_count = 0;           /* total count */
+  static long  drop_print = 0;           /* printed count */
+#define DROPSIZE 500
+    char buf[DROPSIZE];
+    int lng = rbufp->recv_length;
+    int i, j;
+
+    drop_count++;
+    if (0 == drop_last) {
+      /* first time */
+      drop_last = rbufp->recv_time;
+    } else {
+      l_fp interval_fp = rbufp->recv_time - drop_last;
+      float since_last = ldexpf(interval_fp, -32)/3600.0;
+      drop_last = rbufp->recv_time;
+      drop_score *= expf(-since_last/drop_decay);
+      if (drop_limit < drop_score)
+	return; 
+    }
+    drop_print++;
+    drop_score += 1.0/drop_decay;  /* only count the ones we print */
+
+    rbufp->pkt.li_vn_mode = rbufp->recv_buffer[0]; /* no parse_packet() yet */
+    msyslog(LOG_INFO,
+	"DROP: Count=%ld Print=%ld, Score=%.3f, M%d V%d from %s, lng=%d",
+	drop_count, drop_print, drop_score,
+        PKT_MODE(rbufp->pkt.li_vn_mode), PKT_VERSION(rbufp->pkt.li_vn_mode),
+        sockporttoa(&rbufp->recv_srcadr), lng);
+    for (i=0,j=0; i<lng; i++) {
+      if ((j+4)>DROPSIZE) break;
+      if (0 == (i%4)) buf[j++] = ' ';
+      j += snprintf(&buf[j], (DROPSIZE-j), "%02x", rbufp->recv_buffer[i]);
+    }
+    msyslog(LOG_INFO,
+	"DROP: %s", buf);
 }
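Review bot: `buf` is never initialised in maybe_log_drop, nor in maybe_log_junk, which has the same loop, so when `recv_length` is 0 the hex loop does not run and `msyslog(LOG_INFO, "DROP: %s", buf)` formats an indeterminate array. Whether a zero-length datagram can reach either function is not visible in this hunk, so `buf[0] = '\0';` before the loop is the cheap guard. Separately, the decay is computed in `float` and `drop_last` is advanced on every call after the first, so at packet spacings well under a millisecond `expf(-since_last/drop_decay)` can round to 1.0. The score may then never fall back below the limit while a flood lasts, which silences the log exactly when it is wanted; holding the score and interval in `double` and using `exp`/`ldexp` would avoid that. The two functions differ only in their message prefix and static state, so a shared helper taking the prefix and a small state struct would keep these fixes in one place.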
 


=====================================
ntpd/ntpd.c
=====================================
@@ -483,8 +483,10 @@ main(
 	int		pipe_fds[2];
 	int		rc;
 	int		exit_code;
-	struct sigaction sa;
 	int op;
+#ifdef SIGDANGER
+	struct sigaction sa;
+#endif
 
 	uv = umask(0);
 	if (uv) {
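Review bot: `sa` is now declared only under `#ifdef SIGDANGER`, which is correct only if no other use of it remains in main(). The next hunk removes the SIGPIPE use, and its `#endif	/* SIGDANGER */` context suggests the remaining use sits inside that guard, but main() extends well beyond both hunks. The SIG_IGN for SIGPIPE that makes the removed block a duplicate is not part of this diff. It is worth confirming that it is installed on every start-up path before any TLS socket I/O, since an unignored SIGPIPE on a write to a closed connection would terminate the daemon. A short comment at the removal site, such as `/* SIGPIPE is ignored in <function that installs it> */`, would keep that dependency visible.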
@@ -592,12 +594,6 @@ main(
 #endif	/* SIGDANGER */
 	}
 
-	/* Ignore SIGPIPE - from OpenSSL */
-	sa.sa_handler = SIG_IGN;
-	sigemptyset(&sa.sa_mask);
-	sa.sa_flags = SA_RESTART;
- 	(void)sigaction(SIGPIPE, &sa, NULL);
-
 	/*
 	 * Set up signals we pay attention to locally.
 	 */



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/fbdccec183f2999d6c9809cb14042ebaad33e167...9cecf01e72d9c9777f42b706a8cb98f6e75a5190
