[Git][NTPsec/ntpsec][master] 3 commits: Squash another "ntp" which would want /etc/services
Hal Murray
gitlab at mg.gitlab.com
Sun Sep 6 10:56:19 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
5ec6dedf by Hal Murray at 2020-09-05T01:26:47-07:00
Squash another "ntp" which would want /etc/services
- - - - -
03edc32d by Hal Murray at 2020-09-06T02:17:32-07:00
Fix unrestrict default quirk #665
- - - - -
4052f654 by Hal Murray at 2020-09-06T02:27:18-07:00
Restrict cleanup - mostly remove unused expire
- - - - -
8 changed files:
- include/ntp.h
- include/ntpd.h
- ntpd/ntp_config.c
- ntpd/ntp_io.c
- ntpd/ntp_peer.c
- ntpd/ntp_proto.c
- ntpd/ntp_restrict.c
- tests/ntpd/restrict.c
Changes:
=====================================
include/ntp.h
=====================================
@@ -668,7 +668,6 @@ struct restrict_u_tag {
uint32_t hitcount; /* number of packets matched */
unsigned short flags; /* accesslist flags */
unsigned short mflags; /* match flags */
- unsigned long expire; /* valid until time */
union { /* variant starting here */
res_addr4 v4;
res_addr6 v6;
=====================================
include/ntpd.h
=====================================
@@ -194,8 +194,8 @@ extern void set_use_stattime(uptime_t stattime);
extern void init_restrict (void);
extern unsigned short restrictions (sockaddr_u *);
extern void hack_restrict (int, sockaddr_u *, sockaddr_u *,
- unsigned short, unsigned short, unsigned long);
-extern void restrict_source (sockaddr_u *, bool, unsigned long);
+ unsigned short, unsigned short);
+extern void restrict_source (sockaddr_u *, bool);
/* ntp_timer.c */
extern void init_timer (void);
=====================================
ntpd/ntp_config.c
=====================================
@@ -1571,6 +1571,7 @@ config_access(
/* Configure the restrict options */
my_node = HEAD_PFIFO(ptree->restrict_opts);
for (; my_node != NULL; my_node = my_node->link) {
+ int op;
if (ai_list != NULL) {
/* we do this here, to not need at every continue */
freeaddrinfo(ai_list);
@@ -1687,7 +1688,7 @@ config_access(
DPRINT(1, ("restrict source template mflags %x flags %x\n",
mflags, flags));
hack_restrict(RESTRICT_FLAGS, NULL,
- NULL, mflags, flags, 0);
+ NULL, mflags, flags);
continue;
}
} else {
@@ -1719,7 +1720,7 @@ config_access(
hints.ai_socktype = SOCK_DGRAM;
hints.ai_family = my_node->addr->type;
rc = getaddrinfo(my_node->addr->address,
- "ntp", &hints,
+ NTP_PORTA, &hints,
&ai_list);
if (rc) {
msyslog(LOG_ERR,
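Review bot: Passing `NTP_PORTA` as the service avoids the services-database lookup only if the resolver treats it as numeric, and nothing in this hunk tells getaddrinfo() that it must. Adding `hints.ai_flags |= AI_NUMERICSERV;` next to the `hints.ai_socktype` / `hints.ai_family` assignments makes that explicit and turns a non-numeric service into an error instead of a file read. This assumes NTP_PORTA expands to a numeric port string, which is not visible here, and `hints.ai_flags` may already be set above the hunk. It matters most when ntpd runs somewhere /etc/services is not readable.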
@@ -1755,30 +1756,28 @@ config_access(
}
}
}
+ if (my_node->mode == T_Restrict)
+ op = RESTRICT_FLAGS;
+ else if (my_node->mode == T_Unrestrict
+ && flags == 0 && mflags == 0)
+ op = RESTRICT_REMOVE;
+ else if (my_node->mode == T_Unrestrict)
+ op = RESTRICT_UNFLAG;
+ else
+ continue; /* should never happen */
/* Set the flags */
if (restrict_default) {
+ /* default case, do both -4 and -6 */
AF(&addr) = AF_INET;
AF(&mask) = AF_INET;
- hack_restrict(RESTRICT_FLAGS, &addr,
- &mask, mflags, flags, 0);
+ hack_restrict(op, &addr, &mask, mflags, flags);
AF(&addr) = AF_INET6;
AF(&mask) = AF_INET6;
}
do {
- int op;
- if (my_node->mode == T_Restrict)
- op = RESTRICT_FLAGS;
- else if (my_node->mode == T_Unrestrict
- && flags == 0 && mflags == 0)
- op = RESTRICT_REMOVE;
- else if (my_node->mode == T_Unrestrict)
- op = RESTRICT_UNFLAG;
- else
- continue; /* should never happen */
- hack_restrict(op, &addr,
- &mask, mflags, flags, 0);
+ hack_restrict(op, &addr, &mask, mflags, flags);
if (pai != NULL &&
NULL != (pai = pai->ai_next)) {
INSIST(pai->ai_addr != NULL);
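Review bot: The `else continue; /* should never happen */` branch skips the whole restrict/unrestrict node without a trace, and in access-control configuration a silently dropped line leaves the running policy different from what the operator wrote. Log before skipping, e.g. `msyslog(LOG_ERR, "restrict: unexpected mode %d, entry ignored", my_node->mode);`, with the format specifier matched to the type of `my_node->mode` and braces around the branch. With `op` hoisted, `unrestrict default` with no flags now issues RESTRICT_REMOVE for both address families. The CantRemoveDefaultEntry test in this push suggests hack_restrict leaves the default entry in place, so that line is probably a quiet no-op and may deserve a message as well. The enclosing loop in config_access starts and ends outside the hunk.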
=====================================
ntpd/ntp_io.c
=====================================
@@ -799,7 +799,7 @@ remove_interface(
/* remove restrict interface entry */
SET_HOSTMASK(&resmask, AF(&ep->sin));
hack_restrict(RESTRICT_REMOVEIF, &ep->sin, &resmask,
- RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0);
+ RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE);
}
@@ -1750,7 +1750,7 @@ create_interface(
*/
SET_HOSTMASK(&resmask, AF(&iface->sin));
hack_restrict(RESTRICT_FLAGS, &iface->sin, &resmask,
- RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0);
+ RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE);
/*
* set globals with the first found
=====================================
ntpd/ntp_peer.c
=====================================
@@ -420,7 +420,7 @@ unpeer(
)
{
mprintf_event(PEVNT_DEMOBIL, peer, "assoc %u", peer->associd);
- restrict_source(&peer->srcadr, true, 0);
+ restrict_source(&peer->srcadr, true);
set_peerdstadr(peer, NULL);
peer_demobilizations++;
peer_associations--;
@@ -696,7 +696,7 @@ newpeer(
assoc_hash_count[hash]++;
LINK_SLIST(peer_list, peer, p_link);
- restrict_source(&peer->srcadr, false, 0);
+ restrict_source(&peer->srcadr, false);
mprintf_event(PEVNT_MOBIL, peer, "assoc %d", peer->associd);
DPRINT(1, ("newpeer: %s->%s mode %u vers %u poll %u %u flags 0x%x 0x%x mode %u key %08x\n",
latoa(peer->dstadr), socktoa(&peer->srcadr), peer->hmode,
=====================================
ntpd/ntp_proto.c
=====================================
@@ -66,11 +66,6 @@ static inline l_fp_w htonl_fp(l_fp lfp) {
#define CLOCK_SGATE 3. /* popcorn spike gate */
#define NTP_ORPHWAIT 300 /* orphan wait (s) */
-/*
- * pool soliciting restriction duration (s)
- */
-#define POOL_SOLICIT_WINDOW 8
-
#define DIFF(x, y) (SQUARE((x) - (y)))
/*
@@ -2404,7 +2399,7 @@ dns_take_server(
if (RES_FLAGS & restrict_mask) {
msyslog(LOG_INFO, "DNS: Server poking hole in restrictions for: %s",
socktoa(&server->srcadr));
- restrict_source(&server->srcadr, false, 0);
+ restrict_source(&server->srcadr, false);
}
peer_refresh_interface(server);
@@ -2459,8 +2454,7 @@ dns_take_pool(
if (RES_FLAGS & restrict_mask) {
msyslog(LOG_INFO, "DNS: Pool poking hole in restrictions for: %s",
socktoa(&peer->srcadr));
- restrict_source(&peer->srcadr, false,
- current_time + POOL_SOLICIT_WINDOW + 1);
+ restrict_source(&peer->srcadr, false);
}
DPRINT(1, ("dns_take_pool: at %u %s->%s pool\n",
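Review bot: The hole poked in the restrictions for a pool-supplied address is now permanent, and nothing at the call says what bounds its lifetime. The old call passed `current_time + POOL_SOLICIT_WINDOW + 1`, while the new one creates the same unbounded host entry as dns_take_server. If that is intended, document it at the call, e.g. `/* entry stays until unpeer() calls restrict_source(..., true) */`, since unpeer() is the only removal path visible in this push. Whether the expiring entry ever took effect before cannot be told from the hunk, because newpeer() also calls restrict_source for the address, so treat this as a lifetime to confirm rather than a proven regression. dns_take_pool continues outside the hunk.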
=====================================
ntpd/ntp_restrict.c
=====================================
@@ -109,7 +109,7 @@ static unsigned short restrict_source_mflags;
*/
static restrict_u * alloc_res4(void);
static restrict_u * alloc_res6(void);
-static void free_res(restrict_u *, int);
+static void free_res(restrict_u *, bool);
static void inc_res_limited(void);
static void dec_res_limited(void);
static restrict_u * match_restrict4_addr(uint32_t, unsigned short);
@@ -220,7 +220,7 @@ alloc_res6(void)
static void
free_res(
restrict_u * res,
- int v6
+ bool v6
)
{
restrict_u ** plisthead;
@@ -272,15 +272,11 @@ match_restrict4_addr(
unsigned short port
)
{
- const int v6 = 0;
restrict_u * res;
restrict_u * next;
for (res = rstrct.restrictlist4; res != NULL; res = next) {
next = res->link;
- if (res->expire &&
- res->expire <= current_time)
- free_res(res, v6);
if (res->u.v4.addr == (addr & res->u.v4.mask)
&& (!(RESM_NTPONLY & res->mflags)
|| NTP_PORT == port))
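Review bot: In match_restrict4_addr the local `next` looks like a leftover now that no entry is freed during the walk; it existed so the loop could survive `free_res(res, v6)`. If the part of the loop body outside the hunk does not use it, drop `restrict_u * next;` and `next = res->link;` and write the loop as `for (res = rstrct.restrictlist4; res != NULL; res = res->link)`. The IPv6 variant still needs `next` for its `INSIST(next != res)` self-link check, so this applies to the IPv4 function only.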
@@ -296,7 +292,6 @@ match_restrict6_addr(
unsigned short port
)
{
- const int v6 = 1;
restrict_u * res;
restrict_u * next;
struct in6_addr masked;
@@ -304,9 +299,6 @@ match_restrict6_addr(
for (res = rstrct.restrictlist6; res != NULL; res = next) {
next = res->link;
INSIST(next != res);
- if (res->expire &&
- res->expire <= current_time)
- free_res(res, v6);
MASK_IPV6_ADDR(&masked, addr, &res->u.v6.mask);
if (ADDR6_EQ(&masked, &res->u.v6.addr)
&& (!(RESM_NTPONLY & res->mflags)
@@ -493,11 +485,10 @@ hack_restrict(
sockaddr_u * resaddr,
sockaddr_u * resmask,
unsigned short mflags,
- unsigned short flags,
- unsigned long expire
+ unsigned short flags
)
{
- int v6;
+ bool v6;
restrict_u match;
restrict_u * res;
restrict_u ** plisthead;
@@ -506,6 +497,7 @@ hack_restrict(
op, socktoa(resaddr), socktoa(resmask), mflags, flags));
if (NULL == resaddr) {
+ /* restrict source */
REQUIRE(NULL == resmask);
REQUIRE(RESTRICT_FLAGS == op);
restrict_source_flags = flags;
@@ -517,10 +509,10 @@ hack_restrict(
ZERO(match);
/* silence VC9 potentially uninit warnings */
res = NULL;
- v6 = 0;
+ v6 = false;
if (IS_IPV4(resaddr)) {
- v6 = 0;
+ v6 = false;
/*
* Get address and mask in host byte order for easy
* comparison as uint32_t
@@ -530,7 +522,7 @@ hack_restrict(
match.u.v4.addr &= match.u.v4.mask;
} else if (IS_IPV6(resaddr)) {
- v6 = 1;
+ v6 = true;
/*
* Get address and mask in network byte order for easy
* comparison as byte sequences (e.g. memcmp())
@@ -544,7 +536,6 @@ hack_restrict(
match.flags = flags;
match.mflags = mflags;
- match.expire = expire;
res = match_restrict_entry(&match, v6);
switch (op) {
@@ -626,8 +617,7 @@ hack_restrict(
void
restrict_source(
sockaddr_u * addr,
- bool farewell, /* false to add, true to remove */
- unsigned long expire /* 0 is infinite, valid until */
+ bool farewell /* false to add, true to remove */
)
{
sockaddr_u onesmask;
@@ -641,8 +631,7 @@ restrict_source(
SET_HOSTMASK(&onesmask, AF(addr));
if (farewell) {
- hack_restrict(RESTRICT_REMOVE, addr, &onesmask,
- 0, 0, 0);
+ hack_restrict(RESTRICT_REMOVE, addr, &onesmask, 0, 0);
DPRINT(1, ("restrict_source: %s removed", socktoa(addr)));
return;
}
@@ -651,10 +640,6 @@ restrict_source(
* If there is a specific entry for this address, hands
* off, as it is condidered more specific than "restrict
* server ...".
- * However, if the specific entry found is a fleeting one
- * added by pool_xmit() before soliciting, replace it
- * immediately regardless of the expire value to make way
- * for the more persistent entry.
*/
if (IS_IPV4(addr)) {
res = match_restrict4_addr(SRCADR(addr), SRCPORT(addr));
@@ -665,17 +650,12 @@ restrict_source(
found_specific = ADDR6_EQ(&res->u.v6.mask,
&SOCK_ADDR6(&onesmask));
}
- if (!expire && found_specific && res->expire) {
- found_specific = 0;
- free_res(res, IS_IPV6(addr));
- }
if (found_specific) {
return;
}
hack_restrict(RESTRICT_FLAGS, addr, &onesmask,
- restrict_source_mflags, restrict_source_flags,
- expire);
+ restrict_source_mflags, restrict_source_flags);
DPRINT(1, ("restrict_source: %s host restriction added\n",
socktoa(addr)));
}
=====================================
tests/ntpd/restrict.c
=====================================
@@ -68,14 +68,12 @@ TEST(hackrestrict, RestrictionsAreEmptyAfterInit) {
TEST_ASSERT_EQUAL(rl4->hitcount, rstrct.restrictlist4->hitcount);
TEST_ASSERT_EQUAL(rl4->flags, rstrct.restrictlist4->flags);
TEST_ASSERT_EQUAL(rl4->mflags, rstrct.restrictlist4->mflags);
- TEST_ASSERT_EQUAL(rl4->expire, rstrct.restrictlist4->expire);
TEST_ASSERT_EQUAL(rl4->u.v4.addr, rstrct.restrictlist4->u.v4.addr);
TEST_ASSERT_EQUAL(rl4->u.v4.mask, rstrct.restrictlist4->u.v4.mask);
TEST_ASSERT_EQUAL(rl6->hitcount, rstrct.restrictlist6->hitcount);
TEST_ASSERT_EQUAL(rl6->flags, rstrct.restrictlist6->flags);
TEST_ASSERT_EQUAL(rl6->mflags, rstrct.restrictlist6->mflags);
- TEST_ASSERT_EQUAL(rl6->expire, rstrct.restrictlist6->expire);
free(rl4);
free(rl6);
@@ -101,7 +99,7 @@ TEST(hackrestrict, HackingDefaultRestriction) {
sockaddr_u resaddr = create_sockaddr_u(54321, "0.0.0.0");
sockaddr_u resmask = create_sockaddr_u(54321, "0.0.0.0");
- hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, flags, 0);
+ hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, flags);
sockaddr_u sockaddr = create_sockaddr_u(54321, "111.123.251.124");
@@ -113,7 +111,7 @@ TEST(hackrestrict, CantRemoveDefaultEntry) {
sockaddr_u resaddr = create_sockaddr_u(54321, "0.0.0.0");
sockaddr_u resmask = create_sockaddr_u(54321, "0.0.0.0");
- hack_restrict(RESTRICT_REMOVE, &resaddr, &resmask, 0, 0, 0);
+ hack_restrict(RESTRICT_REMOVE, &resaddr, &resmask, 0, 0);
TEST_ASSERT_EQUAL(RES_Default, restrictions(&resaddr));
}
@@ -125,7 +123,7 @@ TEST(hackrestrict, AddingNewRestriction) {
const unsigned short flags = 42;
- hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, flags, 0);
+ hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, flags);
TEST_ASSERT_EQUAL(flags, restrictions(&resaddr));
}
@@ -144,9 +142,9 @@ TEST(hackrestrict, TheMostFittingRestrictionIsMatched) {
sockaddr_u resaddr_second_match = create_sockaddr_u(54321, "11.99.33.44");
sockaddr_u resmask_second_match = create_sockaddr_u(54321, "255.0.0.0");
- hack_restrict(RESTRICT_FLAGS, &resaddr_not_matching, &resmask_not_matching, 0, 11, 0);
- hack_restrict(RESTRICT_FLAGS, &resaddr_best_match, &resmask_best_match, 0, 22, 0);
- hack_restrict(RESTRICT_FLAGS, &resaddr_second_match, &resmask_second_match, 0, 128, 0);
+ hack_restrict(RESTRICT_FLAGS, &resaddr_not_matching, &resmask_not_matching, 0, 11);
+ hack_restrict(RESTRICT_FLAGS, &resaddr_best_match, &resmask_best_match, 0, 22);
+ hack_restrict(RESTRICT_FLAGS, &resaddr_second_match, &resmask_second_match, 0, 128);
TEST_ASSERT_EQUAL(22, restrictions(&resaddr_target));
}
@@ -164,12 +162,12 @@ TEST(hackrestrict, DeletedRestrictionIsNotMatched) {
sockaddr_u resaddr_second_match = create_sockaddr_u(54321, "11.99.33.44");
sockaddr_u resmask_second_match = create_sockaddr_u(54321, "255.0.0.0");
- hack_restrict(RESTRICT_FLAGS, &resaddr_not_matching, &resmask_not_matching, 0, 11, 0);
- hack_restrict(RESTRICT_FLAGS, &resaddr_best_match, &resmask_best_match, 0, 22, 0);
- hack_restrict(RESTRICT_FLAGS, &resaddr_second_match, &resmask_second_match, 0, 128, 0);
+ hack_restrict(RESTRICT_FLAGS, &resaddr_not_matching, &resmask_not_matching, 0, 11);
+ hack_restrict(RESTRICT_FLAGS, &resaddr_best_match, &resmask_best_match, 0, 22);
+ hack_restrict(RESTRICT_FLAGS, &resaddr_second_match, &resmask_second_match, 0, 128);
/* deleting the best match*/
- hack_restrict(RESTRICT_REMOVE, &resaddr_best_match, &resmask_best_match, 0, 22, 0);
+ hack_restrict(RESTRICT_REMOVE, &resaddr_best_match, &resmask_best_match, 0, 22);
TEST_ASSERT_EQUAL(128, restrictions(&resaddr_target));
}
@@ -179,9 +177,9 @@ TEST(hackrestrict, RestrictUnflagWorks) {
sockaddr_u resaddr = create_sockaddr_u(54321, "11.22.30.20");
sockaddr_u resmask = create_sockaddr_u(54321, "255.255.0.0");
- hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, 11, 0);
+ hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, 11);
- hack_restrict(RESTRICT_UNFLAG, &resaddr, &resmask, 0, 10, 0);
+ hack_restrict(RESTRICT_UNFLAG, &resaddr, &resmask, 0, 10);
TEST_ASSERT_EQUAL(1, restrictions(&resaddr));
}
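Review bot: None of the tests touched in this push applies RESTRICT_UNFLAG to the default entry (0.0.0.0 / 0.0.0.0), which is the call config_access now makes for `unrestrict default` with flags after the #665 fix. RestrictUnflagWorks only covers a /16 entry, so the fixed path has no regression test. A case along the lines below would pin it; the expected value assumes RESTRICT_FLAGS ORs into the default flags and RESTRICT_UNFLAG clears from them, which should be confirmed against hack_restrict. The new test may also need registering in the group runner, which is outside the visible hunks.

```c
TEST(hackrestrict, UnflagOnDefaultEntry) {
	sockaddr_u resaddr = create_sockaddr_u(54321, "0.0.0.0");
	sockaddr_u resmask = create_sockaddr_u(54321, "0.0.0.0");
	sockaddr_u probe = create_sockaddr_u(54321, "111.123.251.124");

	hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, 0, 11);
	hack_restrict(RESTRICT_UNFLAG, &resaddr, &resmask, 0, 10);

	/* assumed semantics: (default | 11) with bits of 10 cleared -- confirm */
	TEST_ASSERT_EQUAL((RES_Default | 11) & ~10, restrictions(&probe));
}
```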
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/c594f3e65ed1f88859bfd3ca893b56dbac012e4a...4052f654c4a82e8796e2db696bb76c725a38c514