[Git][NTPsec/ntpsec][master] Restriction cleanup -- when poking holes
Hal Murray
gitlab at mg.gitlab.com
Mon Sep 7 22:49:38 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
0a4597a3 by Hal Murray at 2020-09-07T13:25:51-07:00
Restriction cleanup -- when poking holes
- - - - -
5 changed files:
- include/ntpd.h
- ntpd/ntp_config.c
- ntpd/ntp_peer.c
- ntpd/ntp_proto.c
- ntpd/ntp_restrict.c
Changes:
=====================================
include/ntpd.h
=====================================
@@ -195,7 +195,8 @@ extern void init_restrict (void);
extern unsigned short restrictions (sockaddr_u *);
extern void hack_restrict (int, sockaddr_u *, sockaddr_u *,
unsigned short, unsigned short);
-extern void restrict_source (sockaddr_u *, bool);
+extern void restrict_source (struct peer *);
+extern void unrestrict_source (struct peer *);
/* ntp_timer.c */
extern void init_timer (void);
=====================================
ntpd/ntp_config.c
=====================================
@@ -2594,6 +2594,7 @@ is_sane_resolved_address(
}
if (IS_IPV6(peeraddr) && !ipv6_works)
+ /* FIXME: error message */
return false;
/* Ok, all tests succeeded, now we can return true */
@@ -2724,10 +2725,10 @@ config_peers(
NULL,
curr_peer->host_mode,
&curr_peer->ctl);
- /*
- * If we have a numeric address, we can safely
- * proceed in the mainline with it.
- */
+ /*
+ * If we have a numeric address, we can safely
+ * proceed in the mainline with it.
+ */
} else if (is_ip_address(curr_peer->addr->address,
curr_peer->addr->type, &peeraddr)) {
@@ -2988,7 +2989,7 @@ config_ntpd(
config_monitor(ptree);
config_auth(ptree);
config_tos(ptree);
- config_access(ptree);
+ config_access(ptree); /* before config_peers */
config_tinker(ptree);
config_nts(ptree);
config_rlimit(ptree);
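Review bot: The `/* FIXME: error message */` in is_sane_resolved_address leaves an IPv6 peer address rejected without any log line, and the comment now sits between an unbraced `if` and its `return false;`. Bracing the body and emitting the message the FIXME asks for settles both, for example `if (IS_IPV6(peeraddr) && !ipv6_works) {` / `msyslog(LOG_ERR, "CONFIG: IPv6 address given but IPv6 is not working");` / `return false; }`. The enclosing function starts outside the hunk.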
=====================================
ntpd/ntp_peer.c
=====================================
@@ -420,7 +420,7 @@ unpeer(
)
{
mprintf_event(PEVNT_DEMOBIL, peer, "assoc %u", peer->associd);
- restrict_source(&peer->srcadr, true);
+ unrestrict_source(peer);
set_peerdstadr(peer, NULL);
peer_demobilizations++;
peer_associations--;
@@ -589,9 +589,7 @@ newpeer(
/*
* If a peer is found, this would be a duplicate and we don't
- * allow that. This avoids duplicate ephemeral (broadcast/
- * multicast) and preemptible (manycast and pool) client
- * associations.
+ * allow that.
*/
if (peer != NULL) {
DPRINT(2, ("newpeer(%s) found existing association\n", name));
@@ -689,14 +687,16 @@ newpeer(
/*
* Put the new peer in the hash tables.
*/
- if ((MDF_UCAST & cast_flags) && !(FLAG_LOOKUP & ctl->flags))
+ if ((MDF_UCAST & cast_flags) && !(FLAG_LOOKUP & ctl->flags)) {
+ /* simple server with numeric address */
peer_add_hash(peer);
+ restrict_source(peer);
+ }
hash = peer->associd & NTP_HASH_MASK;
LINK_SLIST(assoc_hash[hash], peer, aid_link);
assoc_hash_count[hash]++;
LINK_SLIST(peer_list, peer, p_link);
- restrict_source(&peer->srcadr, false);
mprintf_event(PEVNT_MOBIL, peer, "assoc %d", peer->associd);
DPRINT(1, ("newpeer: %s->%s mode %u vers %u poll %u %u flags 0x%x 0x%x mode %u key %08x\n",
latoa(peer->dstadr), socktoa(&peer->srcadr), peer->hmode,
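Review bot: unpeer now calls `unrestrict_source(peer);` for every peer, but the old `restrict_source(..., true)` path returned early for SOCK_UNSPEC and IS_MCAST addresses and neither the new restrict_source nor unrestrict_source in ntp_restrict.c carries that guard, so a FLAG_LOOKUP peer torn down before DNS or NTS assigned an address reaches unrestrict_source with an unspecified srcadr, where the IS_IPV4 test falls through to match_restrict6_addr. Either keep the guard at the call site, `if (!SOCK_UNSPEC(&peer->srcadr) && !IS_MCAST(&peer->srcadr)) unrestrict_source(peer);`, or put `if (SOCK_UNSPEC(addr) || IS_MCAST(addr)) return;` at the top of unrestrict_source. In newpeer the hole is now poked only for MDF_UCAST peers without FLAG_LOOKUP while the unpeer cleanup runs for every mode, so a peer that never poked a hole could remove a RESM_SOURCE entry that another peer at the same address created; if that is intended, a comment at the unpeer call saying so would help. Both unpeer and newpeer continue outside their hunks.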
=====================================
ntpd/ntp_proto.c
=====================================
@@ -2372,7 +2372,6 @@ dns_take_server(
sockaddr_u *rmtadr
)
{
- int restrict_mask;
struct peer * pp;
if(!(server->cfg.flags & FLAG_LOOKUP))
@@ -2390,17 +2389,11 @@ dns_take_server(
msyslog(LOG_INFO, "DNS: Server taking: %s", socktoa(rmtadr));
else
msyslog(LOG_INFO, "DNS: Server taking: %s", sockporttoa(rmtadr));
- server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
+ server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
server->srcadr = *rmtadr;
peer_add_hash(server);
-
- restrict_mask = restrictions(&server->srcadr);
- if (RES_FLAGS & restrict_mask) {
- msyslog(LOG_INFO, "DNS: Server poking hole in restrictions for: %s",
- socktoa(&server->srcadr));
- restrict_source(&server->srcadr, false);
- }
+ restrict_source(server);
peer_refresh_interface(server);
@@ -2423,7 +2416,6 @@ dns_take_pool(
{
struct peer_ctl pctl;
struct peer * peer;
- int restrict_mask;
endpt * lcladr;
peer = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT);
@@ -2450,13 +2442,6 @@ dns_take_pool(
peer->retry = NTP_RETRY;
poll_update(peer, peer->hpoll);
- restrict_mask = restrictions(&peer->srcadr);
- if (RES_FLAGS & restrict_mask) {
- msyslog(LOG_INFO, "DNS: Pool poking hole in restrictions for: %s",
- socktoa(&peer->srcadr));
- restrict_source(&peer->srcadr, false);
- }
-
DPRINT(1, ("dns_take_pool: at %u %s->%s pool\n",
current_time, latoa(lcladr), socktoa(rmtadr)));
}
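Review bot: dns_take_pool drops the `restrict_mask`/restrict_source hole-poking entirely with no replacement, whereas dns_take_server replaces its copy with `restrict_source(server);`. If pool members are mobilized through newpeer with MDF_UCAST and a numeric address the hole is now poked there, but if they carry a different cast flag, pool servers behind a `restrict default ignore` would silently stop getting a hole; a one-line comment at the removal site naming where the poke now happens would make the intent checkable. In dns_take_server the `server->cfg.flags &= (unsigned)~FLAG_LOOKUP;` line is a whitespace-only change. Both functions continue outside their hunks.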
=====================================
ntpd/ntp_restrict.c
=====================================
@@ -610,31 +610,31 @@ hack_restrict(
}
-/*
- * restrict_source - maintains dynamic "restrict source ..." entries as
- * peers come and go.
+/* restrict_source - poke hole in restrictions if needed
+ * requires "restrict source <flags|NULL>"
+ * Called in 3 cases:
+ * newpeer when allocating a slot with IP Address
+ * dns_check/dns_take_server when DNS assigns an IP Address
+ * nts_check/dns_take_server when NTS assigns an IP Address
+ *
+ * Holes created have RESM_SOURCE in mflags
+ * Restrictions must be initialized before adding servers
*/
void
restrict_source(
- sockaddr_u * addr,
- bool farewell /* false to add, true to remove */
+ struct peer * peer
)
{
+ sockaddr_u * addr = &peer->srcadr;
sockaddr_u onesmask;
restrict_u * res;
- int found_specific;
-
- if (!restrict_source_enabled || SOCK_UNSPEC(addr) || IS_MCAST(addr))
- return;
+ bool found_specific = false;
+ bool need_poke = false;
+ bool auth, nts;
REQUIRE(AF_INET == AF(addr) || AF_INET6 == AF(addr));
SET_HOSTMASK(&onesmask, AF(addr));
- if (farewell) {
- hack_restrict(RESTRICT_REMOVE, addr, &onesmask, 0, 0);
- DPRINT(1, ("restrict_source: %s removed", socktoa(addr)));
- return;
- }
/*
* If there is a specific entry for this address, hands
@@ -650,12 +650,65 @@ restrict_source(
found_specific = ADDR6_EQ(&res->u.v6.mask,
&SOCK_ADDR6(&onesmask));
}
+
+ if (RES_IGNORE & res->flags) {
+ need_poke = true;
+ }
+ auth = (0 != peer->cfg.peerkey);
+ nts = peer->cfg.flags & FLAG_NTS;
+ if (RES_DONTTRUST & res->flags && !auth && !nts) {
+ /* needs authentication, but this slot doesn't have any */
+ need_poke = true;
+ }
+ if (!need_poke) {
+ /* works without a hole */
+ return;
+ }
if (found_specific) {
+ msyslog(LOG_ERR, "RESTRICT: Specific restriction will break %s",
+ socktoa(addr));
return;
}
+ if (!restrict_source_enabled) {
+ msyslog(LOG_ERR, "RESTRICT: Can't poke hole in restrictions for %s - need \"restrict source <flags>\"",
+ socktoa(addr));
+ return;
+ }
+
+ msyslog(LOG_INFO, "RESTRICT: Poking hole in restrictions for %s",
+ socktoa(addr));
hack_restrict(RESTRICT_FLAGS, addr, &onesmask,
restrict_source_mflags, restrict_source_flags);
- DPRINT(1, ("restrict_source: %s host restriction added\n",
- socktoa(addr)));
}
+
+/* unrestrict_source - remove hole poked in restrictions
+ */
+void
+unrestrict_source(
+ struct peer * peer
+ )
+{
+ sockaddr_u * addr = &peer->srcadr;
+ sockaddr_u onesmask;
+ restrict_u * res;
+
+ if (IS_IPV4(addr)) {
+ res = match_restrict4_addr(SRCADR(addr), SRCPORT(addr));
+ } else {
+ res = match_restrict6_addr(&SOCK_ADDR6(addr),
+ SRCPORT(addr));
+ }
+ if (!(res->mflags & RESM_SOURCE)) {
+ return; /* nothing to cleanup */
+ }
+
+ msyslog(LOG_INFO, "RESTRICT: Removing hole in restrictions for %s",
+ socktoa(addr));
+
+ SET_HOSTMASK(&onesmask, AF(addr));
+ hack_restrict(RESTRICT_REMOVE, addr, &onesmask, 0, 0);
+
+}
+
+
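Review bot: need_poke in restrict_source considers only RES_IGNORE and RES_DONTTRUST, whereas the removed dns_take_server/dns_take_pool code poked a hole for any bit in RES_FLAGS; if the receive path also drops a configured server's replies under other restriction bits (a default noserve, for instance), those configurations now fail silently instead of getting a hole. Either fold those bits into need_poke or state in the new header comment why only these two can break a server. Stylistically, `if (RES_DONTTRUST & res->flags && !auth && !nts)` relies on & binding tighter than &&, so `if ((RES_DONTTRUST & res->flags) && !auth && !nts)` reads more clearly, and `nts = peer->cfg.flags & FLAG_NTS;` would match the auth line above it as `nts = (0 != (peer->cfg.flags & FLAG_NTS));`. The file also gains two trailing blank lines after unrestrict_source. The first hunk's restrict_source body continues past the hunk boundary and the second hunk starts inside it.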