+* Updates and cleanup from Dave Mills:
+ I've now spent eleven months of a sabbatical year - 7 days a week, 6-10
+ hours most days - working on NTP. I have carefully reviewed every major
+ algorithm, examined its original design and evolution from that design.
+ I've trimmed off dead code and briar patches and did zillions of tests
+ contrived to expose evil vulnerabilities. The development article is in
+ rather good shape and should be ready for prime time.
+
+ 1. The protostats statistics files have been very useful in exposing
+ little twitches and turns when something hiccups, like a broken PPS
+ signal. Most of what used to be syslog messages are now repackaged as
+ protostats messages with optional syslog as well. These can also be sent
+ as traps which might be handy to tiggle a beeper or celltext. These, the
+ sysstats files and cryptostats files reveal the ambient health of a busy
+ server, monitor traffic and error counts and spot crypto attacks.
+
+ 2. Close inspection of the clock discipline behavior at long poll
+ intervals (36 h) showed it not doing as well as it should. I redesigned
+ the FLL loop to improve nominal accuracy from several tens of
+ milliseconds to something less than ten milliseconds.
+
+ 3. Autokey (again). The enhanced error checking was becoming a major
+ pain. I found a way to toss out gobs of ugly fat code and replace the
+ function with a much simpler and more comprehensive scheme. It resists
+ bait-and-switch attacks and quickly detect cases when the protocol is
+ not correctly synchronized.
+
+ 4. The interface code for the kernel PPS signal was not in sync with the
+ kernel code itself. Some error checks were duplicated and some
+ ineffective. I found none of the PPS-capable drivers, including the atom
+ driver, do anything when the prefer peer fails; the kernel PPS signal
+ remains in control. The atom driver now disables the kernel PPS when the
+ prefer peer comes bum. This is important when the prefer peer is not a
+ reference clock but a remote NTP server.
+
+ 5. The flake restrict bit turned out to be really interesting,
+ especially with symmtric modes and of those especially those using
+ Autokey. Small changes in the recovery procedures when packets are lost
+ now avoid almost all scenarios which previously required protocol resets.
+
+ 6. I've always been a little uncomfortable when using the clock filter
+ with long poll intervals because the samples become less and less
+ correlated as the sample age exceeds the Allan intercept. Various
+ schemes have been used over the years to cope with this fact. The latest
+ one and the one that works the best is to use a modified sort metric
+ where the delay is used when the age of the sample is less than the
+ intercept and the sum of delay and dispersion above that. The net result
+ is that, at small poll intervals the algorithm operates as a minimum
+ filter, while at larger poll intervals it morphs to FIFO. Left
+ unmodified, a sample could be used when twelve days old. This along with
+ the FLL modifications has made a dramatic improvement at large poll
+ intervals.
+
+- [Backward Incompatible] The 'state' variable is no longer reported or
+ available via ntpq output. The following system status bit names
+ have been changed:
+ - sync_alarm -> leap_alarm
+ - sync_atomic -> sync_pps
+ - sync_lf_clock -> sync_lf_radio
+ - sync_hf_clock -> sync_hf_radio
+ - sync_uhf_clock -> sync_uhf_radio
+ - sync_local_proto -> sync_local
+ - sync_udp/time -> sync_other
+ Other names have been changed as well. See the change history for
+ libntp/statestr.c for more details.
+ Other backward-incompatible changes in ntpq include:
+ - assID -> associd
+ - rootdispersion -> rootdisp
+ - pkt_head -> pkt_neader
+ See the change history for other details.
+
* Updates and cleanup from Dave Mills.
* [Bug 995] Remove spurious ; from ntp-keygen.c.
* More cleanup and changes from Dave Mills.
<h3>Access Control Options</h3>
<img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>The skunk watches for intruders and sprays.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:56</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Wednesday, January 02, 2008</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">18:08</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="230">Sunday, May 04, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script>
<h4>Table of Contents</h4>
<ul>
<li class="inline"><a href="#acx">Access Control Support</a>
- <li class="inline"><a href="#kiss">The Kiss-of-Death Packet</a>
<li class="inline"><a href="#cmd">Access Control Commands</a>
</ul>
<hr>
<h4 id="acx">Access Control Support</h4>
- The<tt> ntpd</tt> daemon implements a general purpose address/mask based restriction list. The list contains address/match entries sorted first by increasing address values and and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry.
- <p>The restriction facility was implemented in conformance with the access policies for the original NSFnet backbone time servers. Later the facility was expanded to deflect cryptographic and clogging attacks. While this facility may be useful for keeping unwanted or broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.</p>
- <p>Clients can be denied service because they are explicitly included in the restrict list created by the <tt>restrict</tt> command or implicitly as the result of cryptographic or rate limit violations. Cryptographic violations include certificate or identity verification failure; rate limit violations generally result from defective NTP implementations that send packets at abusive rates. Some violations cause denied service only for the offending packet, others cause denied service for a timed period and others cause the denied service for an indefinate period. When a client or network is denied access for an indefinate period, the only way at present to remove the restrictions is by restarting the server.</p>
- <h4 id="kiss">The Kiss-of-Death Packet</h4>
- <p>Ordinarily, packets denied service are simply dropped with no further action except incrementing statistics counters. Sometimes a more proactive response is needed, such as a server message that explicitly requests the client to stop sending and leave a message for the system operator. A special packet format has been created for this purpose called the "kiss-o'-death" (KoD) packet. KoD packets have the leap bits set unsynchronized and stratum set to zero and the reference identifier field set to a four-byte ASCII code. If the <tt>noserve</tt> or <tt>notrust</tt> flag of the matching restrict list entry is set, the code is "DENY"; if the <tt>limited</tt> flag is set and the rate limit is exceeded, the code is "RATE". Finally, if a cryptographic violation occurs, the code is "CRYP".</p>
- <p>A client receiving a KoD performs a set of sanity checks to minimize security exposure, then updates the stratum and reference identifier peer variables, sets the access denied (TEST4) bit in the peer flash variable and sends a message to the log. As long as the TEST4 bit is set, the client will send no further packets to the server. The only way at present to recover from this condition is to restart the protocol at both the client and server. This happens automatically at the client when the association times out. It will happen at the server only if the server operator cooperates.</p>
+ The<tt> ntpd</tt> daemon implements a general purpose access control list (ACL) containing address/match entries sorted first by increasing address values and and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry.
+ <p>An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS deparements and 128.175 for the rest of campus. Subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might be</p>
+<pre>
+restrict default nopeer # deny new association
+restrict 128.175.0.0 255.255.0.0 # allow campus access
+restrict 128.4.0.0 255.255.0.0 none # allow ECE and CIS access
+restrict 128.4.1.0 255.255.255.0 notrust # require auth
+restrict time.nist.gov # allow access
+</pre>
+<p>While this facility may be useful for keeping unwanted, broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.</p>
<h4 id="cmd">Access Control Commands</h4>
<dl>
- <dt><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt>
- <dd>Set the parameters of the <tt>limited</tt> facility which protects the server from client abuse. The <tt>average</tt> subcommand specifies the minimum average packet spacing, while the <tt>minimum</tt> subcommand specifies the minimum packet spacing. Packets that violate these minima are discarded and a kiss-o'-death packet returned if enabled. The default minimum average and minimum are 5 and 2, respectively. The monitor subcommand specifies the probability of discard for packets that overflow the rate-control window.
- <dt><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt>
- <dd>The <i><tt>address</tt></i> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <i><tt>mask</tt></i> argument expressed in dotted-quad form defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt>address</tt></i> is treated as the address of an individual host. A default entry (address <tt>0.0.0.0</tt>, mask <tt>0.0.0.0</tt>) is always included and is always the first entry in the list. Note that text string <tt>default</tt>, with no mask option, may be used to indicate the default entry.
- <dd>In the current implementation, <i><tt>flag</tt></i> always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two catagories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:
+ <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt>
+ <dd>Set the parameters of the rate control facility which protects the server from client abuse. If the <tt>limited</tt> flag is present in the ACL, packets that violate these limits are discarded. If in addition the <tt>kod</tt> restriction is present, a kiss-o'-death packet is returned.
<dl>
- <dt><tt>ignore</tt>
+ <dt><tt>average <i>avg</i></tt>
+ <dd>Sspecify the minimum average interpacket spacing (minimum average headway time) in log<sub>2</sub> s with default 3.<dt><tt>minimum <i>min</i></tt>
+ <dd>Specify the minimum interpacket spacing (guard time) in log<sub>2</sub> s with default 1.<dt><tt>monitor</tt>
+ <dd>Specify the probability of discard for packets that overflow the rate-control window. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.</dl>
+
+
+ <dt id="restrict"><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt>
+ <dd>The <i><tt>address</tt></i> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <i><tt>mask</tt></i> argument expressed in dotted-quad form defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt>address</tt></i> is treated as the address of an individual host. A default entry (address <tt>0.0.0.0</tt>, mask <tt>0.0.0.0</tt>) is always included and is always the first entry in the list. Note that the text string <tt>default</tt>, with no mask option, may be used to indicate the default entry.
+ <dd>In the current implementation, <i><tt>flag</tt></i> always restricts access, i.e., an entry with no flags indicates no restrictions. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two catagories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:<dl>
+ <dt><tt>frac</tt>
+ <dd>Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's <i>flakeway</i>, which once did a similar thing for early Internet testing.<dt><tt>ignore</tt>
<dd>Deny packets of all kinds, including <tt>ntpq</tt> and <tt>ntpdc</tt> queries.
<dt><tt>kod</tt>
- <dd>If this flag is set when an access violation occurs, a kiss-o'-death (KoD) packet is sent. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped
- <dt><tt>limited</tt>
- <dd>Deny service if the packet spacing violates the lower limits specified in the <tt>discard</tt> command. A history of clients is kept using the monitoring capability of <tt>ntpd</tt>. Thus, monitoring is always active as long as there is a restriction entry with the <tt>limited</tt> flag.
- <dt><tt>lowpriotrap</tt>
+ <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is present and a packet violates the rate limits established by the <tt>discard</tt> command. KoD packets are themselves rate limited for each source address separately. Packets that violate the rate limit are discarded.<dt><tt>limited</tt>
+ <dd>Deny time service if the packet violates the rate limits established by the <tt>discard</tt> command. This does not apply to <tt>ntpq</tt> and <tt>ntpdc</tt> queries. <dt><tt>lowpriotrap</tt>
<dd>Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.
<dt><tt>nomodify</tt>
<dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.
<dt><tt>noquery</tt>
- <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not affected.
- <dt><tt>nopeer</tt>
+ <dd>Deny <tt>ntpq</tt> and <tt>ntpq</tt> queries. Time service is not affected.<dt><tt>nopeer</tt>
<dd>Deny packets which would result in mobilizing a new association. This includes broadcast, symmetric-active and manycast client packets when a configured association does not exist.
<dt><tt>noserve</tt>
<dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> queries.
<dt><tt>notrap</tt>
<dd>Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the <tt>ntpdq</tt> control message protocol which is intended for use by remote event logging programs.
<dt><tt>notrust</tt>
- <dd>Deny packets unless the packet is cryptographically authenticated.
- <dt><tt>ntpport</tt>
+ <dd>Deny packets that are not cryptographically authenticated.<dt><tt>ntpport</tt>
+ <dt><tt>non-ntpport</tt>
<dd>This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may be specified. The <tt>ntpport</tt> is considered more specific and is sorted later in the list.
<dt><tt>version</tt>
<dd>Deny packets that do not match the current NTP version.
<h3>Authentication Options</h3>
<img src="pic/alice44.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>Our resident cryptographer; now you see him, now you don't.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:56</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Wednesday, January 02, 2008</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:38</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 17, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/authopt.txt"></script>
<h4>Table of Contents</h4>
<ul>
- <li class="inline"><a href="#auth">Authentication Support</a>
+ <li class="inline"><a href="#auth">Introduction</a>
<li class="inline"><a href="#symm">Symmetric Key Cryptography</a>
<li class="inline"><a href="#pub">Public Key Cryptography</a>
<li class="inline"><a href="#group">NTP Secure Groups</a>
<li class="inline"><a href="#file">Files</a>
</ul>
<hr>
- <h4 id="auth">Authentication Support</h4>
+ <h4 id="auth">Introduction</h4>
+ <p>This page describes the various cryptographic authentication provisions in NTPv4. Details about the configuration commands and options are given on the <a href="confopt.html">Configuration Options</a> page. Details about the cryptographic authentication schemes are given on the <a href="authopt.html">Authentication Options</a> page. Details about the automatic server discovery schemes are described on the <a href="manyopt.html">Automatic Server Discovery Schemes</a> page. Additional information is available in the papers, reports, memoranda and briefings on the <a href="http://www.eecis.udel.edu/~mills/ntp.html"> NTP Project</a> page.</p>
<p>Authentication support allows the NTP client to verify that servers are in fact known and trusted and not intruders intending accidentally or intentionally to masquerade as a legitimate server. The NTPv3 specification RFC-1305 defines a scheme using the Data Encryption Standard (DES) algorithm, commonly called DES-CBC. Subsequently, this scheme was replaced by the RSA Message Digest 5 (MD5) algorithm, commonly called keyed-MD5. Either algorithm computes a message digest or one-way hash which can be used to verify the client has the same key as the server.</p>
<p>NTPv4 includes the NTPv3 scheme, properly described as symmetric key cryptography and, in addition a new scheme based on public key cryptography and called Autokey. Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on private and public values which are generated by each participant and where the private value is never revealed. Autokey uses X.509 public certificates, which can be produced by commercial services, utility programs in the OpenSSL software library or a utility program in the NTP software distribution.</p>
<p>While the algorithms for symmetric key cryptography are included in the NTPv4 software distribution, Autokey cryptography requires the OpenSSL software library to be installed before building the NTP distribution. This library is available from <a href="http://www.openssl.org">http://www.openssl.org</a> and can be installed using the procedures outlined in the <a href="build.html">Building and Installing the Distribution</a> page. Once installed, the configure and build process automatically detects the library and links the library routines required.</p>
- <p>Authentication is configured separately for each association
separately using the <tt>key</tt> or <tt>autokey</tt> option on the <tt>peer</tt>, <tt>server</tt>, <tt>broadcast</tt> or <tt>manycastclient</tt> configuration commands, as described in the <a href="confopt.html">Server Options</a> page, and the options described on this page. The <a href="keygen.html">ntp-keygen</a> page describes the files required for the various authentication schemes. Further details are in the briefings, papers and reports at the NTP project page linked from <a href="http://www.ntp.org">www.ntp.org</a>.</p>
+ <p>Authentication is configured separately for each association
using the <tt>key</tt> or <tt>autokey</tt> option of the <tt>server</tt> command, as described in the <a href="confopt.html">Server Options</a> page, and the options described on this page. The <a href="keygen.html">ntp-keygen</a> page describes the files required for the various authentication schemes. Further details are in the briefings, papers and reports at the NTP project page linked from <a href="http://www.ntp.org">www.ntp.org</a>.</p>
<h4 id="symm">Symmetric Key Cryptography</h4>
The original RFC-1305 specification allows any one of possibly 65,534 keys (excluding zero), each distinguished by a 32-bit key ID, to authenticate an association. The servers and clients involved must agree on the key and key ID to authenticate NTP packets. If an NTP packet includes a message authentication code (MAC), consisting of a key ID and message digest, it is accepted only if the key ID matches a trusted key and the message digest is verified with this key.
<p>Keys and related information are specified in a keys file, usually called <tt>ntp.keys</tt>, which must be distributed and stored using secure means beyond the scope of the NTP protocol itself. Besides the keys used for ordinary NTP associations, additional keys can be used as passwords for the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs. Ordinarily, the <tt>ntp.keys</tt> file is generated by the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can be constructed using an ordinary text editor.</p>
- <p>When <tt>ntpd</tt> is first started, it reads the key file specified by the <tt>keys</tt> configuration command and installs the keys in the key cache. However, individual keys must be activated with the <tt>trustedkey</tt> command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID used as the password for the <tt>ntpdc</tt> utility, while the <tt>controlkey</tt> command selects the key ID used as the password for the <tt>ntpq</tt> utility.</p>
+ <p>When <tt>ntpd</tt> is first started, it reads the key file specified by the <tt>keys</tt> command and installs the keys in the key cache. However, individual keys must be activated with the <tt>trustedkey</tt> command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID used as the password for the <tt>ntpdc</tt> utility, while the <tt>controlkey</tt> command selects the key ID used as the password for the <tt>ntpq</tt> utility.</p>
<h4 id="pub">Public Key Cryptography</h4>
- <p>NTPv4 supports the Autokey security protocol, which is based on public key cryptography. The Autokey Version 2 protocol described on the <a href="http://www.eecis.udel.edu/
~mills/proto.html">Autokey Protocol</a> page verifies packet integrity using MD5 message digests and verifies the source using digital signatures and any of several digest/signature schemes. Optional identity schemes described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page are based on cryptographic challenge/response exchanges. Using these schemes provides strong security against replay with or without modification, spoofing, masquerade and most forms of clogging attacks. These schemes are described along with an executive summary, current status, briefing slides and reading list on the <a href="http://www.eecis.udel.edu/%7emills/autokey.html">Autonomous Authentication</a> page.</p>
+ <p>NTPv4 supports the Autokey security protocol, which is based on public key cryptography. The Autokey Version 2 protocol described on the <a href="http://www.eecis.udel.edu/
%7emills/proto.html">Autokey Protocol</a> page verifies packet integrity using MD5 message digests and verifies the source using digital signatures and any of several digest/signature schemes. Optional identity schemes described on the <a href="http://www.eecis.udel.edu/%7emills/ident.html">Autokey Identity Schemes</a> page are based on cryptographic challenge/response exchanges. These schemes provide strong security against replay with or without message modification, spoofing, masquerade and most forms of clogging attacks. These schemes are described along with an executive summary, current status, briefing slides and reading list on the <a href="http://www.eecis.udel.edu/%7emills/autokey.html">Autonomous Authentication</a> page.</p>
<p>Autokey authenticates individual packets using cookies bound to the IP source and destination addresses. The cookies must have the same addresses at both the server and client. For this reason operation with network address translation schemes is not possible. This reflects the intended robust security model where government and corporate NTP servers are operated outside firewall perimeters.</p>
+ <p>There are three timeouts associated with the Autokey scheme. The key list timeout, which defaults to about 1.1 h, specifies the interval between generating new key lists. The revoke timeout, which defaults to about 36 h, specifies the interval between generating new private values. The restart timeout, with default about 5 d, specifies the interval between protocol restarts to refresh public values. In general, the behavior when these timeouts expire is not affected by the issues discussed on this page.</p>
<h4 id="group">NTP Secure Groups</h4>
- <p>NTP secure groups are used to define cryptographic compartments and security hierarchies. All hosts belonging to a secure group have the same group name but different host names. The string specified in the <tt>host</tt> option of the <tt>crypto</tt> command is the name of the host and
in the name of the host key, sign key and certificate files. The string specified in the <tt>ident</tt> option of the <tt>crypto</tt> comand is the group name of all group hosts and in the name of the identity files. The file naming conventions are described on the <a href="keygen.html">ntp-keygen</a> page.</p>
- <p>Each group includes one or more trusted hosts (THs) operating at the root, or lowest stratum in the group. The group name is used in the subject and issuer fields of the TH trusted certificate. The host name is used in these fields for hosts other than THs.</p>
+ <p>NTP secure groups are used to define cryptographic compartments and security hierarchies. All hosts belonging to a secure group have the same group name but different host names. The string specified in the <tt>host</tt> option of the <tt>crypto</tt> command is the name of the host and
the name of the host key, sign key and certificate files. The string specified in the <tt>ident</tt> option of the <tt>crypto</tt> comand is the group name of all group hosts and the name of the identity files. The file naming conventions are described on the <a href="keygen.html">ntp-keygen</a> page.</p>
+ <p>Each group includes one or more trusted hosts (THs) operating at the root, or lowest stratum in the group. The group name is used in the subject and issuer fields of the TH trusted certificate. The host name is used in these fields for all other hosts.</p>
<p>All group hosts are configured to provide an unbroken path, called a certificate trail, from each host, possibly via intermediate hosts and ending at a TH. When a host starts up, it recursively retrieves the certificates along the trail in order to verify group membership and avoid masquerade and middleman attacks.</p>
<p>Secure groups can be configured as hierarchies where a TH of one group can be a client of one or more other groups operating at a lower stratum. In one scenario, groups RED and GREEN can be cryptographically distinct, but both be clients of group BLUE operating at a lower stratum. In another scenario, group CYAN can be a client of multiple groups YELLOW and MAGENTA, both operating at a lower stratum. There are many other scenarios, but all must be configured to include only acyclic certificate trails.</p>
<h4 id="ident">Identity Schemes and Cryptotypes</h4>
- <p>All configurations include a public/private host key pair and matching certificate. Absent an identity scheme, this is a Trusted Certificate (TC) scheme. There are three identity schemes, IFF, GQ and MV described on the <a href="http://www.eecis.udel.edu/%7emills/ident.html">Identity Schemes</a> page. With these schemes all servers in the group have encrypted server identity keys, while clients have nonencrypted client identity parameters. The client parameters can be obtained from a trusted agent (TA), usually one of the THs of the lower stratum group. Further information on identity schemes is on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page.</p>
+ <p>All configurations include a public/private host key pair and matching certificate. Absent an identity scheme, this is a Trusted Certificate (TC) scheme. There are three identity schemes, IFF, GQ and MV described on the <a href="http://www.eecis.udel.edu/%7emills/ident.html">Identity Schemes</a> page. With these schemes all servers in the group have encrypted server identity keys, while clients have nonencrypted client identity parameters. The client parameters can be obtained from a trusted agent (TA), usually one of the THs of the lower stratum group. Further information on identity schemes is on the <a href="http://www.eecis.udel.edu/%7emills/ident.html">Autokey Identity Schemes</a> page.</p>
<p>A specific combination of authentication and identity schemes is called a cryptotype, which applies to clients and servers separately. A group can be configured using more than one cryptotype combination, although not all combinations are interoperable. Note however that some cryptotype combinations may successfully interoperate with each other, but may not represent good security practice. The server and client cryptotypes are defined by the the following codes.</p>
<dl>
<dt>NONE
</table>
<p>* These combinations are not valid if the restriction list includes the <tt>notrust</tt> option.</p>
<h4 id="cfg">Configuration</h4>
- <p>Autokey has an intimidating number of configuration options, most of which are not necessary in typical scenarios. The simplest scenario consists of a
secure group with one TH at the lowest stratum. For the simplest identity scheme TC, the TH generates host key and trusted certificate files using the <tt>ntp-keygen -T</tt> command, while the remaining group hosts use the same command with no options. All hosts use the <tt>crypto</tt> configuration command with no options. Configuration with passwords is described in the <a href="keygen.html">ntp-keygen</a> page</p>
- <p>When an identity scheme is included, for example IFF, the TH generates host key, trusted certificate and private identity keys files using the <tt>ntp-keygen -T -I -i <i>group</i> </tt>command, where <tt><i>group</i></tt> is the group name. The remaining group hosts use the same command with no options. All hosts use the <tt>crypto ident <i>group</i></tt> configuration command.</p>
- <p>Hosts with no dependent clients can retrieve public identity parameters from an archive or web page. The <tt>ntp-keygen</tt> can export these data using the <tt>-e</tt> option. Hosts with dependent clients other than the TH must retrieve copies of the TH private identity keys using secure means. The <tt>ntp-keygen</tt> can export these data using the <tt>-q</tt> option. In either case the data are installed as a file and then renamed using the name given as the first line in the file, but without the filestamp.</p>
+ <p>Autokey has an intimidating number of configuration options, most of which are not necessary in typical scenarios. The simplest scenario consists of a
n unnamed secure group with one TH at the lowest stratum. For the simplest identity scheme TC, the TH generates host key and trusted certificate files using the <tt>ntp-keygen -T</tt> command, while the remaining group hosts use the same command with no options to generate the host key and public certificate files. All hosts use the <tt>crypto</tt> configuration command with no options. Configuration with passwords is described in the <a href="keygen.html">ntp-keygen</a> page</p>
+ <p>When an identity scheme is included, for example IFF, the TH generates host key, trusted certificate and private server identity files using the <tt>ntp-keygen -T -I -i <i>group</i> </tt>command, where <tt><i>group</i></tt> is the group name. The reemaining group hosts use the same command as above. The client identity files are obtained separately. All hosts use the <tt>crypto ident <i>group</i></tt> configuration command.</p>
+ <p>Hosts with no dependent clients can retrieve client files from an archive or web page. The <tt>ntp-keygen</tt> can export these data using the <tt>-e</tt> option. Hosts with dependent clients other than the TH must retrieve copies of the server files using secure means. The <tt>ntp-keygen</tt> can export these data using the <tt>-q</tt> option. In either case the data are installed as a file and then renamed using the name given as the first line in the file, but without the filestamp.</p>
<h4 id="exam">Examples</h4>
<p>Consider a scenario involving three secure groups RED, GREEN and BLUE. RED and BLUE are typical of national laboratories providing certified time to the Internet at large. TH mort of RED and TH macabre of BLUE run NTP symmetric mode with each other for monitoring or backup. GREEN is typical of a large university providing certified time to the campus community. TH howland of GREEN is a client of both RED and BLUE. BLUE uses the IFF scheme, while both RED and GREEN use the GQ scheme, but with different keys.</p>
<p>BLUE TH macabre uses configuration commands</p>
<p><tt>crypto pw yyy ident green<br>
</tt><tt>server mort autokey<br>
</tt><tt>server macabre autokey</tt></p>
- <p>where <tt>yyy</tt> is the password for mort files. It generates GREEN files using the commands</p>
+ <p>where <tt>yyy</tt> is the password for howland files. It generates GREEN files using the commands</p>
<p><tt>ntp-keygen -p yyy -T -G -i green<br>
ntp-keygen -p yyy -e >ntpkey_gqpar_green<br>
- </tt><tt>ntp-keygen -p yyy -v zzz >zzz_ntpkey_gqkey_green</tt></p>
+ </tt><tt>ntp-keygen -p yyy -q zzz >zzz_ntpkey_gqkey_green</tt></p>
<p>The first two lines serve the same purpose as the preceeding examples. The third line generats a copy of the private GREEN server file for use on another server in the same group, but encrypted with the <tt>zzz</tt> pasword.</p>
- <p>Each TH in a group acting as a client of another group retrieves the public client file for that group from a public archive or web page using nonsecure means. In addition, each server in a group retrieves the private server file from the TH of that group, but it is encrypted and so can be sent using nonsecured means. The files are installed in the keys directory with name taken from the first line in the file, but without the filestamp</p>
+ <p>A client of GREEN, for example, uses the configuration commands</p>
+ <p><tt>crypto pw abc ident green<br>
+ </tt><tt>server howland autokey</tt></p>
+ <p>where <tt>abc</tt> is the password for its files. It generates files using the command</p>
+ <p><tt>ntp-keygen -p abc</tt></p>
+ <p>The client retrieves the client file for that group from a public archive or web page using nonsecure means. In addition, each server in a group retrieves the private server file from the TH of that group, but it is encrypted and so can be sent using nonsecured means. The files are installed in the keys directory with name taken from the first line in the file, but without the filestamp.</p>
+ <p>In another example mort and macabre are operated as broadcast servers and howland as a broadcast client. Replace the server configuration command for both mort and macabre with the two commands</p>
+ <p><tt>broadcast <i>ipaddr</i> autokey<br>
+ broadcastclient</tt></p>
+ <p>where <tt><i>ipaddr</i></tt> is the broadast address, and replace the two server commands for howland with the single command</p>
+ <p><tt>broadcastclient</tt></p>
+ <p>Note that if servers of different groups, in this case RED and BLUE, share the same broadcast media, each server must have client files for all groups other than its own, while each client must have client files for all groups.</p>
<h4 id="cmd">Authentication Commands</h4>
<dl>
- <dt><tt>autokey [<i>logsec</i>]</tt>
- <dd>Specifies the interval between regenerations of the session key list used with the Autokey protocol. Note that the size of the key list for each association depends on this interval and the current poll interval. The default value is 12 (4096 s or about 1.1 hours). For poll intervals above the specified interval, a session key list with a single entry will be regenerated for every message sent.
- <dt><tt>controlkey <i>key</i></tt>
- <dd>Specifies the key ID to use with the <a href="ntpq.html"><tt>ntpq</tt></a> utility, which uses the standard protocol defined in RFC-1305. The <tt><i>key</i></tt> argument is the key ID for a trusted key, where the value can be in the range 1 to 65,534, inclusive.<dt><tt>crypto [randfile <i>file</i>] [host <i>name</i>] [ident <i>name</i>] [pw <i>password</i>]</tt>
+ <dt id=autokey><tt>autokey [<i>logsec</i>]</tt>
+ <dd>Specifies the interval between regenerations of the session key list used with the Autokey protocol, as a power of 2 in seconds. Note that the size of the key list for each association depends on this interval and the current poll interval. The default interval is 12 (about 1.1 h). For poll intervals above the specified interval, a session key list with a single entry will be regenerated for every message sent.<dt id="controlkey"><tt>controlkey <i>key</i></tt>
+ <dd>Specifies the key ID to use with the <a href="ntpq.html"><tt>ntpq</tt></a> utility, which uses the standard protocol defined in RFC-1305. The <tt><i>key</i></tt> argument is the key ID for a trusted key, where the value can be in the range 1 to 65,534, inclusive.
+ <dt id="crypto"><tt>crypto [randfile <i>file</i>] [host <i>name</i>] [ident <i>name</i>] [pw <i>password</i>]</tt>
<dd>This command requires the OpenSSL library. It activates public key cryptography and loads the required host key and public certificat. If one or more files are left unspecified, the default names are used as described below. Unless the complete path and name of the file are specified, the location of a file is relative to the keys directory specified in the <tt>keysdir</tt> configuration command or default <tt>/usr/local/etc</tt>. Following are the options.
<dl>
<dt><tt>host <i>name</i></tt>
<dt><tt>randfile <i>file</i></tt>
<dd>Specifies the location of the random seed file used by the OpenSSL library. The defaults are described on the <a href="keygen.html"><tt>ntp-keygen</tt></a> page.
</dl>
- <dt><tt>keys <i>keyfile</i></tt>
+ <dt id="keys"><tt>keys <i>keyfile</i></tt>
<dd>Specifies the complete path to the MD5 key file containing the keys and key IDs used by <tt>ntpd</tt>, <tt>ntpq</tt> and <tt>ntpdc</tt> when operating with symmetric key cryptography. This is the same operation as the <tt>-k </tt>command line option.
- <dt><tt>keysdir <i>path</i></tt>
+ <dt id="keysdir"><tt>keysdir <i>path</i></tt>
<dd>This command specifies the default directory path for cryptographic keys, parameters and certificates. The default is <tt>/usr/local/etc/</tt>.
- <dt><tt>requestkey <i>key</i></tt>
- <dd>Specifies the key ID to use with the <a href="ntpdc.html"><tt>ntpdc</tt></a> utility program, which uses a proprietary protocol specific to this implementation of <tt>ntpd</tt>. The <tt><i>key</i></tt> argument is a key ID for the trusted key, where the value can be in the range 1 to 65,534, inclusive.<dt><tt>revoke [<i>logsec</i>]</tt>
- <dd>Specifies the interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2 in seconds. These values need to be updated frequently in order to deflect brute-force attacks on the algorithms; however, updating some values is a relatively expensive operation. The default interval is 16 (65,536 s or about 18 hours). For poll intervals above the specified interval, the values will be updated for every message sent.<dt><tt>trustedkey <i>key</i> [...]</tt>
+ <dt id="requestkey"><tt>requestkey <i>key</i></tt>
+ <dd>Specifies the key ID to use with the <a href="ntpdc.html"><tt>ntpdc</tt></a> utility program, which uses a proprietary protocol specific to this implementation of <tt>ntpd</tt>. The <tt><i>key</i></tt> argument is a key ID for the trusted key, where the value can be in the range 1 to 65,534, inclusive.<dt id="revoke"><tt>revoke [<i>logsec</i>]</tt>
+ <dd>Specifies the interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2 in seconds. These values need to be updated frequently in order to deflect brute-force attacks on the algorithms; however, updating some values is a relatively expensive operation. The default interval is 17 (about 36 h). For poll intervals above the specified interval, the values will be updated for every message sent.<dt id="trustedkey"><tt>trustedkey <i>key</i> [...]</tt>
<dd>Specifies the key ID which are trusted for the purposes of authenticating peers with symmetric key cryptography, as well as keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs. The authentication procedures require that both the local and remote servers share the same key and key ID for this purpose, although different keys can be used with different servers.</dl>
<h4 id="err">Error Codes</h4>
<p>Errors can occur due to mismatched configurations, unexpected restarts, expired certificates and unfriendly people. In most cases the protocol state machine recovers automatically by retransmission, timeout and restart, where necessary. Some errors are due to mismatched keys, digest schemes or identity schemes and must be corrected by installing the correct media and/or correcting the configuration file. One of the most common errors is expired certificates, which must be regenerated and signed at least once per year using the <tt><a href="keygen.html">ntp-keygen</a></tt> program.</p>
<h3>NTP Bug Reporting Procedures</h3>
<img src="pic/hornraba.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>The rabbit toots to make sure you read this.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">20:52</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="296">Saturday, February 02, 2008</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">04:05</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
.<br clear="left">
<hr>
<h4> Security Bug Reporting Procedures</h4>
<p>If you find or suspect a security related program bug in this distribution, please send a report to <a href="mailto:security@ntp.org">security@ntp.org</a>. Please do not contact developers directly.</p>
<h4>Non-Security Bug Reporting Procedures</h4>
<p>If you find or suspect a non-security related program bug in this distribution, please send a report to the NTP Public Service Project Bug Tracking System (Bugzilla) at <a href="http://bugs.ntp.org/">http://bugs.ntp.org/</a>. Bugs reported this way are immediately forwarded to the developers. Please do not contact the developers directly.</p>
- <p>If you find or suspect an error in the program documention pages, please send a report directly to the editor David Mills at <a href="mailto:mills@udel.edu">mills@udel.edu</a>. The master documentation pages are not controlled by the bug tracking system. You are invited to contribute new or revised pages in similar style and DOS format.</p>
+ <p>If you find or suspect an error in the program documention pages, please send a report directly to the editor David Mills at <a href="mailto:mills@udel.edu">mills@udel.edu</a>. The master documentation pages are not controlled by the bug tracking system. You are invited to contribute new or revised pages in similar style and format.</p>
<p>If you wish to send a report via electronic mail, please remember that your report will be held until one of our volunteers enters it in Bugzilla. The email address for these reports is <a href="mailto:bugs@ntp.org">bugs@ntp.org</a>. You will need to register at <a href="http://bugs.ntp.org/">http://bugs.ntp.org/</a> so that you may participate directly in any e-mail discussion regarding your report.</p>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
<h3>Building and Installing the Distribution</h3>
<img src="pic/beaver.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>For putting out compiler fires.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">21:11</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="285">Saturday, January 19, 2008</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:45</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/install.txt"></script>
<li class="inline"><a href="#conf">Configuration</a>
<li class="inline"><a href="#prob">If You Have Problems</a>
<li class="inline"><a href="#make">Additional <tt>make</tt> Commands</a>
-</a>
</ul>
<hr>
<h4 id="build">Building and Installing the Distribution</h4>
- <p>It is not possible in a software distribution such as this to support every individual computer and operating system with a common executable, even with the same system but different versions
. Therefore, it is necessary to configure, build and install for each system and version. In almost all cases, these procedures are completely automatic, The user types <tt>./configure</tt>, <tt>make</tt> and <tt>install</tt> in that order and the autoconfigure system does the rest. There are some exceptions, as noted below and on the <a href="hints.html">Hints and Kinks</a> pages.</p>
- <p>If available, the OpenSSL library from <a href="http://www.openssl.org">http://www.openssl.org</a> is used to support public key cryptography. The library must be built and installed prior to building NTPv4. The procedures for doing that are included in the OpenSSL documentation. The library is found during the normal NTPv4 configure phase and the interface routines compiled automatically. Only the <tt>libcrypto.a</tt> library file and <tt>openssl</tt> header files are needed. If the library is not available or disabled, this step is not required.</p>
- <p>The <a href="config.html">Configuration Options</a> page describes a number of options that determine whether debug support is included, whether and which reference clock drivers are included and the locations of the executables and library files, if not the default. By default debugging options and all reference clock drivers are included.</p>
+ <p>It is not possible in a software distribution such as this to support every individual computer and operating system with a common executable, even with the same system but different versions
and options. Therefore, it is necessary to configure, build and install for each system and version. In almost all cases, these procedures are completely automatic, The user types <tt>./configure</tt>, <tt>make</tt> and <tt>install</tt> in that order and the autoconfigure system does the rest. There are some exceptions, as noted below and on the <a href="hints.html">Hints and Kinks</a> pages.</p>
+ <p>If available, the OpenSSL library from <a href="http://www.openssl.org">http://www.openssl.org</a> is used to support public key cryptography. The library must be built and installed prior to building NTP. The procedures for doing that are included in the OpenSSL documentation. The library is found during the normal NTP configure phase and the interface routines compiled automatically. Only the <tt>libcrypto.a</tt> library file and <tt>openssl</tt> header files are needed. If the library is not available or disabled, this step is not required.</p>
+ <p>The <a href="config.html">Build Options</a> page describes a number of options that determine whether debug support is included, whether and which reference clock drivers are included and the locations of the executables and library files, if not the default. By default debugging options and all reference clock drivers are included.</p>
<h4 id="unix">Building and Installing for Unix</h4>
- <p>This distribution uses common compilers and tools that come with most Unix distributions. Not all of these tools exist in the standard distribution of modern Unix versions (compilers are likely to be an add-on product). If this is the case, consider using the GNU tools and <tt>gcc</tt> compiler included as freeware in some products. For a successful build, all of these tools should be accessible via the current path.</p>
- <p>The first thing to do is uncompress the distribution and extract the source tree. In the distribution base directory use the <tt>./configure</tt> command to perform an automatic configuration procedure. This command inspects the hardware and software environment and configures the build process accordingly. Use the <tt>make</tt> command to compile and link the distribution and the <tt>install</tt> command to install the executables by default in <tt>/usr/local/bin</tt>.</p>
- <p>If your site supports multiple architectures and uses NFS to share files, you can use a single source tree to build executables for multiple architectures. While running on a particular architecture, change to the base directory and create a subdirectory using a command like <tt>mkdir A.machine</tt> which will create an architecture-specific directory, then change to this directory and mumble <tt>../configure</tt>. The remaining steps are the same whether building in the base directory or in the subdirectory.</p>
+ <p>This distribution uses common compilers and tools that come with most Unix distributions. Not all of these tools exist in the standard distribution of modern Unix versions (compilers are likely to be an add-on product). If this is the case, consider using the GNU tools and <tt>gcc</tt> compiler included as freeware in some systems. For a successful build, all of these tools should be accessible via the current path.</p>
+ <p>The first thing to do is uncompress the distribution and extract the source tree. In the distribution base directory use the <tt>./configure </tt>command to perform an automatic configuration procedure. This command inspects the hardware and software environment and configures the build process accordingly. Use the <tt>make</tt> command to compile and link the distribution and the <tt>install</tt> command to install the executables by default in <tt>/usr/local/bin</tt>.</p>
+ <p>If your site supports multiple architectures and uses NFS to share files, you can use a single source tree to build executables for multiple architectures. While running on a particular architecture, change to the base directory and create a subdirectory using a command like <tt>mkdir A.machine, </tt>which will create an architecture-specific directory, then change to this directory and mumble <tt>../configure</tt>. The remaining steps are the same whether building in the base directory or in the subdirectory.</p>
<h4 id="win">Building and Installing for Windows</h4>
- <p>NTP supports Windows Vista, XP, NT4 and 2000 systems. See <tt><a href="hints/winnt.html">hints/winnt.htm</a></tt> for directions to compile the sources and install the executables. A precompiled executable is available.</p>
+ <p>NTP supports Windows Vista, XP, NT4 and 2000 systems. See the <a href="hints/winnt.html">NTP 4.x for Windows NT</a> page for directions to compile the sources and install the executables. A precompiled executable is available.</p>
<h4 id="conf">Configuration</h4>
- <p>You are now ready to configure the daemon. You will need to create a NTP configuration file by default in <tt>
n/etc/ntp.conf.</tt> Newbies should see the <a href="quick.html">Quick Start</a> page for orientation. Seasoned veterans can start with the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page and move on to the specific configuration option pages from there.</p>
+ <p>You are now ready to configure the daemon. You will need to create a NTP configuration file by default in <tt>/etc/ntp.conf.</tt> Newbies should see the <a href="quick.html">Quick Start</a> page for orientation. Seasoned veterans can start with the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page and move on to the specific configuration option pages from there.</p>
<h4 id="prob">If You Have Problems</h4>
<p>If you have problems with your hardware and software environment (e.g. operating system-specific issues), browse the <a href="hints.html">Hints and Kinks</a> pages. For other problems a tutorial on debugging technique is in the <a href="debug.html">NTP Debugging Technique</a> page. A list of important system log messages is on the <a href="msyslog.html"><tt>ntpd</tt> System Log Messages</a> page.</p>
<p>The first line of general assistance is the NTP web site <a href="http://www.ntp.org">www.ntp.org</a> and the helpful documents resident there. Requests for assistance of a general nature and of interest to other timekeepers should be sent to the NTP newsgroup comp.protocols.time.ntp.</p>
<body>
<h3>Reference Clock Options</h3>
- <img src="pic/stack1a.jpg" alt="gif" align="left">
- <p>See the radios, all in a row.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:01</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Wednesday, January 02, 2008</csobj></p>
+ <img src="pic/stack1a.jpg" alt="gif" align="left">Master Time Facility at the <a href="http://www.eecis.udel.edu/%7emills/lab.html">UDel Internet Research Laboratory</a>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:09</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/refclock.txt"></script>
<script type="text/javascript" language="javascript" src="scripts/audio.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/clockopt.txt"></script>
<h4>Table of Contents</h4>
<ul>
<li class="inline"><a href="#ref">Reference Clock Support</a>
<p>The stratum number of a reference clock is by default zero. Since the <tt>ntpd</tt> daemon adds one to the stratum of each peer, a primary server ordinarily displays an external stratum of one. In order to provide engineered backups, it is often useful to specify the reference clock stratum as greater than zero. The <tt>stratum</tt> option is used for this purpose. Also, in cases involving both a reference clock and a pulse-per-second (PPS) discipline signal, it is useful to specify the reference clock identifier as other than the default, depending on the driver. The <tt>refid</tt> option is used for this purpose. Except where noted, these options apply to all clock drivers.</p>
<h4 id="cmd">Reference Clock Commands</h4>
<dl>
- <dt><tt>server 127.127.<i>t.u</i> [prefer] [mode <i>int</i>] [minpoll <i>int</i>] [maxpoll <i>int</i>]</tt>
+ <dt id="server"><tt>server 127.127.<i>t.u</i> [prefer] [mode <i>int</i>] [minpoll <i>int</i>] [maxpoll <i>int</i>]</tt>
<dd>This command can be used to configure reference clocks in special ways. The options are interpreted as follows:
<dl>
<dt><tt>prefer</tt>
<dt><tt>maxpoll <i>int</i></tt>
<dd>These options specify the minimum and maximum polling interval for reference clock messages in seconds, interpreted as dual logarithms (2 ^ x). For most directly connected reference clocks, both <tt>minpoll</tt> and <tt>maxpoll</tt> default to 6 (2^16 = 64 s). For modem reference clocks, <tt>minpoll</tt> defaults to 10 (2^10 = 1024 s = 17.1 m) and <tt>maxpoll</tt> defaults to 14 (2^14 = 16384 s = 4.5 h). The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
</dl>
- <dt><tt>fudge 127.127.<i>t.u</i> [time1 <i>sec</i>] [time2 <i>sec</i>] [stratum <i>int</i>] [refid <i>string</i>] [mode <i>int</i>] [flag1 0|1] [flag2 0|1] [flag3 0|1] [flag4 0|1]</tt>
+ <dt id="fudge"><tt>fudge 127.127.<i>t.u</i> [time1 <i>sec</i>] [time2 <i>sec</i>] [stratum <i>int</i>] [refid <i>string</i>] [mode <i>int</i>] [flag1 0|1] [flag2 0|1] [flag3 0|1] [flag4 0|1]</tt>
<dd>This command can be used to configure reference clocks in special ways. It must immediately follow the <tt>server</tt> command which configures the driver. Note that the same capability is possible at run time using the <tt><a href="ntpdc.html">ntpdc</a></tt> program. The options are interpreted as follows:
<dl>
<dt><tt>time1 <i>sec</i></tt>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+
+<html>
+
+ <head>
+ <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
+ <meta name="generator" content="HTML Tidy, see www.w3.org">
+ <title>Command Index</title>
+ <link href="scripts/style.css" type="text/css" rel="stylesheet">
+ </head>
+
+ <body>
+ <h3>Command Index</h3>
+ <img src="pic/alice38.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carrol</a>
+ <p>The Mad Hatter says "Bring it on".</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:17</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
+ <br clear="left">
+ <h4>Related Links</h4>
+ <script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/authopt.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/clockopt.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/confopt.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/miscopt.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/monopt.txt"></script>
+ <hr>
+ <br>
+ <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+ </body>
+
+</html>
\ No newline at end of file
<head>
<meta http-equiv="content-type" content="text/html;charset=windows-1252">
<meta name="generator" content="HTML Tidy, see www.w3.org">
- <title>Configuration Options</title>
+ <title>Build Options</title>
<link href="scripts/style.css" type="text/css" rel="stylesheet">
</head>
<body>
- <h3>Configuration Options</h3>
+ <h3>Build Options</h3>
<img src="pic/pogo3a.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>Gnu autoconfigure tools are in the backpack.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="99">03:07 AM</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="270">Monday, October 13, 2003</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">04:01</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Table of Contents</h4>
<ul>
- <li class="inline"><a href="#basic">Basic Configuration Options - the <tt>configure</tt> utility</a>
+ <li class="inline"><a href="#basic">Basic Build Options - the <tt>configure</tt> utility</a>
<li class="inline"><a href="#opt">Options</a>
<li class="inline"><a href="#dir">Directory and File Names</a>
<li class="inline"><a href="#host">Host Type</a>
<li class="inline"><a href="#parse">PARSE Clocks</a>
</ul>
<hr>
- <h4 id="basic">Basic Configuration Options - the <tt>configure</tt> utility</h4>
+ <h4 id="basic">Basic Build Options - the <tt>configure</tt> Utility</h4>
<p>The following options are for compiling and installing a working version of the NTP distribution. In most cases, the build process is completely automatic. In some cases where memory space is at a premium, or the binaries are to be installed in a different place, it is possible to tailor the configuration to remove such features as reference clock driver support, debugging support, and so forth.</p>
<p>Configuration options are specified as arguments to the <tt>configure</tt> script. Following is a summary of the current options, as of the 4.0.99m version:</p>
<p>Usage: <tt>configure [options] [host]</tt><br>
<h3>Server Options</h3>
<img src="pic/boom3a.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>The chicken is getting configuration advice.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">00:57</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Saturday, November 24, 2007</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:18</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/confopt.txt"></script>
<h4>Table of Contents</h4>
<ul>
<li class="inline"><a href="#cfg">Configuration Commands</a>
<p>If the Basic Socket Interface Extensions for IPv6 (RFC-2553) is detected, support for the IPv6 address family is generated in addition to the default IPv4 address family. IPv6 addresses can be identified by the presence of colons ":" in the address field. IPv6 addresses can be used almost everywhere where IPv4 addresses can be used, with the exception of reference clock addresses, which are always IPv4. Note that in contexts where a host name is expected, a <tt>-4</tt> qualifier preceding the host name forces DNS resolution to the IPv4 namespace, while a <tt>-6</tt> qualifier forces DNS resolution to the IPv6 namespace.</p>
<h4 id="cfg">Configuration Commands</h4>
<dl>
- <dt><tt>server <i>address</i> [options ...]</tt><br>
+ <dt id="server"><tt>server <i>address</i> [options ...]</tt><br>
<tt>peer <i>address</i> [</tt><tt>options ...]<br>
broadcast <i>address</i> [options ...]</tt><br>
<tt>manycastclient <i>address</i> [options ...]<br>
<dt><tt>iburst</tt>
<dd>When the server is unreachable, send a burst of eight packets instead of the usual one. The packet spacing is normally 2 s; however, the spacing between the first and second packets can be changed with the <a href="miscopt.html"><tt>calldelay</tt></a> command to allow additional time for a modem or ISDN call to complete. This option is valid only with the <tt>server</tt> command and type s addresses. It is a recommended option with this command.<dt><tt>key</tt> <i><tt>key</tt></i>
<dd>Send and receive packets authenticated by the symmetric key scheme described in the <a href="authopt.html">Authentication Options</a> page. This option is valid only with <tt>server</tt> and <tt>peer</tt> commands and type s addresses. The <i><tt>key</tt></i> specifies the key identifier with values from 1 to 65534, inclusive. This option is incompatible with the <tt>autokey</tt> option.
-
<dt><tt>minpoll <i>minpoll<br>
</i></tt><tt>maxpoll <i>maxpoll</i></tt>
<dd>These options specify the minimum and maximum poll intervals for NTP messages, in seconds as a power of two. The maximum poll interval defaults to 10 (1024 s), but can be increased by the <tt>maxpoll</tt> option to an upper limit of 17 (36 h). The minimum poll interval defaults to 6 (64 s), but can be decreased by the <tt>minpoll</tt> option to a lower limit of 4 (16 s). These option are valid only with the <tt>server</tt> and <tt>peer</tt> commands and type s addresses.
<dd>Allows a server/peer to be configured even if it is not reachable at configuration time. It is assumed that at some point in the future the network environment changes so that this server/peer can be reached. This option is useful to configure servers/peers on mobile systems with intermittent network access (e.g. wlan clients). Note: the current implemenation does not support this option.</dl>
<h4 id="aux">Auxilliary Commands</h4>
<dl>
- <dt><tt>broadcastclient [novolley]</tt>
- <dd>Enable reception of broadcast server messages to any local interface (type b address). Ordinarily, upon receiving a message for the first time, the broadcast client measures the nominal server propagation delay using a brief client/server exchange, after which it continues in listen-only mode. If the <tt>novolley</tt> keyword is present, the exchange is not used and the value specified in the <tt>broadcastdelay</tt> command is used or, if the <tt>broadcastdelay</tt> command is not used, the default 4.0 ms. Note that, in order to avoid accidental or malicious disruption in this mode, both the server and client should operate using symmetric key or public key authentication as described in the <a href="authopt.html">Authentication Options</a> page. Note that the <tt>novolley</tt> keyword is incompatible with public key authentication.<dt><tt>manycastserver <i>address</i> [...]</tt>
+ <dt id="broadcastclient"><tt>broadcastclient [novolley]</tt>
+ <dd>Enable reception of broadcast server messages to any local interface (type b address). Ordinarily, upon receiving a message for the first time, the broadcast client measures the nominal server propagation delay using a brief client/server exchange, after which it continues in listen-only mode. If the <tt>novolley</tt> keyword is present, the exchange is not used and the value specified in the <tt>broadcastdelay</tt> command is used or, if the <tt>broadcastdelay</tt> command is not used, the default 4.0 ms. Note that, in order to avoid accidental or malicious disruption in this mode, both the server and client should operate using symmetric key or public key authentication as described in the <a href="authopt.html">Authentication Options</a> page. Note that the <tt>novolley</tt> keyword is incompatible with public key authentication.
+ <dt id="manycastserver"><tt>manycastserver <i>address</i> [...]</tt>
<dd>Enable reception of manycast client messages (type m)to the multicast group address(es) (type m) specified. At least one address is required. Note that, in order to avoid accidental or malicious disruption, both the server and client should operate using symmetric key or public key authentication as described in the <a href="authopt.html">Authentication Options</a> page.
- <dt><tt>multicastclient <i>address</i> [...]</tt>
+ <dt id="multicastclient"><tt>multicastclient <i>address</i> [...]</tt>
<dd>Enable reception of multicast server messages to the multicast group address(es) (type m) specified. Upon receiving a message for the first time, the multicast client measures the nominal server propagation delay using a brief client/server exchange with the server, then enters the broadcast client mode, in which it synchronizes to succeeding multicast messages. Note that, in order to avoid accidental or malicious disruption in this mode, both the server and client should operate using symmetric key or public key authentication as described in the <a href="authopt.html">Authentication Options</a> page.
</dl>
<h4 id="bug">Bugs</h4>
<body>
<h3>Copyright Notice</h3>
- <img src="pic/sheepb.jpg" alt="jpg" align="left"> "Clone me," says Dolly sheepishly
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">21:32</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="292">Monday, December 31, 2007</csobj></p>
+ <img src="pic/sheepb.jpg" alt="jpg" align="left"> "Clone me," says Dolly sheepishly.<p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:19</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<hr>
<p>The following copyright notice applies to all files collectively called the Network Time Protocol Version 4 Distribution. Unless specifically declared otherwise in an individual file, this notice applies as if the text was explicitly included in the file.</p>
<h3>NTP Debugging Techniques</h3>
<img src="pic/pogo.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>We make house calls and bring our own bugs.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">00:58</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Saturday, November 24, 2007</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:37</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 24, 2008</csobj></p>
<br clear="left">
<h4>More Help</h4>
<script type="text/javascript" language="javascript" src="scripts/install.txt"></script>
<hr>
- <p>Once the NTP software distribution has been compiled and installed and the configuration file constructed, the next step is to verify correct operation and fix any bugs that may result. Usually, the command line that starts the daemon is included in the system startup file, so it is executed only at system boot time; however, the daemon can be stopped and restarted from root at any time. Usually, no command-line arguments are required, unless special actions described in the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page are required. Once started, the daemon will begin sending and receiving messages, as specified in the configuration file.</p>
<h4>Initial Startup</h4>
- <p>When started for the first time, the frequency file, usually called <tt>ntp.drift</tt>, has not yet been created. The daemon switches to a special training routine designed to quickly determine the system clock frequency offset of the particular machine. The routine first measures the current clock offset and sets the clock, then continues for up to twenty minutes before measuring the clock offset, which might involve setting the clock again. The two measurements are used to compute the initial frequency offset and the daemon continues in regular operation, during which the frequency offset is continuously updated. Once each hour the daemon writes the current frequency offset to the <tt>ntp.drift</tt> file. When restarted after that, the daemon reads the frequency offset from the <tt>ntp.drift</tt> file and avoids the training routine.</p>
- <p>Note that the daemon requires at least four packet exchanges when first started in any case. This is required in order for the mitigation algorithms to insure valid and accurate measurements and defend against network delay spikes and accidental or malicious errors induced by the servers selected in the configuration file. It normally takes less than four minutes to set the clock when first started, but this can be reduced to less than ten seconds with the <tt>iburst</tt> configuration option.</p>
- <p>The best way to verify correct operation is using the <a href="ntpq.html"><tt>ntpq</tt> - standard NTP query program</a> and <a href="ntpdc.html"><tt>ntpdc</tt> - special NTP query program</a> utility programs, either on the server itself or from another machine elsewhere in the network. The <tt>ntpq</tt> program implements the management functions specified in the NTP specification <a href="http://www.eecis.udel.edu/%7emills/database/rfc/rfc1305/rfc1305c.ps">RFC-1305, Appendix A</a>. The <tt>ntpdc</tt> program implements additional functions not provided in the standard. Both programs can be used to inspect the state variables defined in the specification and, in the case of <tt>ntpdc</tt>, additional ones intended for serious debugging. In addition, the <tt>ntpdc</tt> program can be used to selectively reconfigure and enable or disable some functions while the daemon is running.</p>
- <p>In extreme cases with elusive bugs, the daemon can operate in two modes, depending on the presence of the <tt>-d</tt> command-line debug switch. If not present, the daemon detaches from the controlling terminal and proceeds autonomously. If one or more <tt>-d</tt> switches are present, the daemon does not detach and generates special output useful for debugging. In general, interpretation of this output requires reference to the sources. However, a single <tt>-d</tt> does produce only mildly cryptic output and can be very useful in finding problems with configuration and network troubles. With a little experience, the volume of output can be reduced by piping the output to <tt>grep</tt> and specifying the keyword of the trace you want to see.</p>
- <p>Some problems are immediately apparent when the daemon first starts running. The most common of these are the lack of a UDP port for NTP (123) in the Unix <tt>/etc/services</tt> file (or equivalent in some systems). <b>Note that NTP does not use TCP in any form. Also note that NTP requires 123 for both source and destination ports.</b> These facts should be pointed out to firewall administrators.</p>
- <p>Other problems are apparent in the system log, which ordinarily shows the startup banner, some cryptic initialization data and the computed precision value. Error messages at startup and during regular operation are sent to the system log. In real emergencies the daemon will sent a terminal error message to the system log and then cease operation.</p>
- <p>The next most common problem is incorrect DNS names. Check that each DNS name used in the configuration file exists and that the address responds to the Unix <tt>ping</tt> command. The Unix <tt>traceroute</tt> or Windows <tt>tracert</tt> utility can be used to verify a partial or complete path exists. Most problems reported to the NTP newsgroup are not NTP problems, but problems with the network or firewall configuration.</p>
- <p>When first started, the daemon polls the servers listed in the configuration file at 64-s intervals. In order to allow a sufficient number of samples for the NTP algorithms to reliably discriminate between truechimer servers and possible falsetickers, at least four valid messages from at least one server or peer listed in the configuration file is required before the daemon can set the clock. However, if the difference between the client time and server time is greater than the panic threshold, which defaults to 1000 s, the daemon sends a message to the system log and shuts down without setting the clock. It is necessary to set the local clock to within the panic threshold first, either manually by eyeball and wristwatch and the Unix <tt>date</tt> command, or by the <tt>ntpdate</tt> or <tt>ntpd -q</tt> commands. The panic threshold can be changed by the <tt>tinker panic</tt> command discribed on the <a href="miscopt.html">Miscellaneous Options</a> page. The panic threshold can be disabled for the first measurement by the <tt>-g</tt> command line option described on the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page.</p>
- <p>If the difference between local time and server time is less than the panic threshold but greater than the step threshold, which defaults to 128 ms, the daemon will perform a step adjustment; otherwise, it will gradually slew the clock to the nominal time. Step adjustments are extremely rare in ordinary operation, usually as the result of reboot or hardware failure. The step threshold can be changed to 300 s using the <tt>-x</tt> command line option described on the <tt>ntpd</tt> page. This is usually sufficient to avoid a step after reboot or when the operator has set the system clock to within five minutes by eyeball-and-wristwatch. In extreme cases the step threshold can be changed by the <tt>tinker step</tt> command discribed on the <a href="miscopt.html">Miscellaneous Options</a> page. If set to zero, the clock will never be stepped; however, users should understand the implications for doing this in a distributed data network where all processing must be tightly synchronized. See the <a href="http://www.eecis.udel.edu/%7emills/leap.html">NTP Timescale and Leap Seconds</a> page for further information. If a step adjustment is made, the clock discipline algorithm will start all over again, requiring another round of at least four messages as before. This is necessary so that all servers and peers operate on the same set of time values.</p>
- <p>The clock discipline algorithm is designed to avoid large noise spikes that might occur on a congested network or access line. If an offset sample exceeds the step threshold, it is ignored and a timer started. If a later sample is below the step threshold, the counter is reset and operation continues normally. However, if the counter is greater than the stepout interval, which defaults to 900 s, the next sample will step the time as directed. The stepout threshold can be changed by the <tt>tinker stepout</tt> command discribed on the Miscellaneous Options page.</p>
- <p>If for some reason the hardware clock oscillator frequency error is very large, say over 400 PPM, the time offset when the daemon is started for the first time may increase over time until exceeding the step threshold, which requires a frequency adjustment and another step correction. However, due to provisions that reduce vulnerability to noise spikes, the second correction will not be done until after the stepout threshold. When the frequency error is very large, it may take a number of cycles like this until converging to the nominal frequency correction and writing the <tt>ntp.drift</tt> file. If the frequency error is over 500 PPM, convergence will never occur and occasional step adjustments will occur indefinitely.</p>
+ <p>This page discusses <tt>ntpd</tt> program monitoring and debugging techniques using the <a href="ntpq.html"><tt>ntpq</tt> - standard NTP query program</a>, either on the local server or from a remote machine. In special circumstances the <a href="ntpdc.html"><tt>ntpdc</tt> - special NTP query program</a>, can be useful, but its use is not covered here. The <tt>ntpq</tt> program implements the management functions specified in the NTP specification <a href="http://www.eecis.udel.edu/%7emills/database/rfc/rfc1305/rfc1305c.ps">RFC-1305, Appendix A</a>. It is used to read and write the variables defined in the NTP Version 4 specification now navigating the standards process. In addition, the program can be used to send remote configuration commands to the server.</p>
+ <p>The <tt>ntpd</tt> daemon can operate in two modes, depending on the presence of the <tt>-d</tt> command-line option. Without the option the daemon detaches from the controlling terminal and proceeds autonomously. With one or more <tt>-d</tt> options the daemon does not detach and generates special trace output useful for debugging. In general, interpretation of this output requires reference to the sources. However, a single <tt>-d</tt> does produce only mildly cryptic output and can be very useful in finding problems with configuration and network troubles.</p>
+ <p>Some problems are immediately apparent when the daemon first starts running. The most common of these are the lack of a UDP port for NTP (123) in the Unix <tt>/etc/services</tt> file (or equivalent in some systems). <b>Note that NTP does not use TCP in any form. Also note that NTP requires port 123 for both source and destination ports.</b> These facts should be pointed out to firewall administrators.</p>
+ <p>Other problems are apparent in the system log, which ordinarily shows the startup banner, some cryptic initialization data and the computed precision value. Event messages at startup and during regular operation are sent to the optional <tt>protostats</tt> monitor file, as described on the <a href="decode.html">Event Messages and Status Words</a> page. These and other error messages are sent to the system log, as described on the <a href="msyslog.html"><tt>ntpd</tt> System Log Messages</a> page. In real emergencies the daemon will sent a terminal error message to the system log and then cease operation.</p>
+ <p>The next most common problem is incorrect DNS names. Check that each DNS name used in the configuration file exists and that the address responds to the Unix <tt>ping</tt> command. The Unix <tt>traceroute</tt> or Windows <tt>tracert</tt> utility can be used to verify a partial or complete path exists. Most problems reported to the NTP newsgroup are not NTP problems, but problems with the network or firewall configuration.</p>
<h4>Verifying Correct Operation</h4>
- <p>After starting the daemon, run the <tt>ntpq</tt> program using the <tt>-n</tt> switch, which will avoid possible distractions due to name resolution problems. Use the <tt>pe</tt> command to display a billboard showing the status of configured peers and possibly other clients poking the daemon. After operating for a few minutes, the display should be something like:</p>
- <pre>
-ntpq> pe
- remote refid st t when poll reach delay offset jitter
-=====================================================================
--isipc6.cairn.ne .GPS1. 1 u 18 64 377 65.592 -5.891 0.044
-+saicpc-isiepc2. pogo.udel.edu 2 u 241 128 370 10.477 -0.117 0.067
-+uclpc.cairn.net pogo.udel.edu 2 u 37 64 177 212.111 -0.551 0.187
-*pogo.udel.edu .GPS1. 1 u 95 128 377 0.607 0.123 0.027
-</pre>
- <p>The host names or addresses shown in the <tt>remote</tt> column correspond to the server and peer entries listed in the configuration file; however, the DNS names might not agree if the names listed are not the canonical DNS names. IPv4 addresses are shown in dotted quad notation, while IPv6 addresses are shown alarmingly. The <tt>refid</tt> column shows the current source of synchronization, while the <tt>st</tt> column reveals the stratum, <tt>t</tt> the type (<tt>u</tt> = unicast, <tt>m</tt> = multicast, <tt>l</tt> = local, <tt>-</tt> = don't know), and <tt>poll</tt> the poll interval in seconds. The <tt>when</tt> column shows the time since the peer was last heard in seconds, while the <tt>reach</tt> column shows the status of the reachability register (see RFC-1305) in octal. The remaining entries show the latest delay, offset and jitter in milliseconds. Note that in NTP Version 4 what used to be the <tt>dispersion</tt> column has been replaced by the <tt>jitter</tt> column.</p>
- <p>As per the NTP specification RFC-1305, when the <tt>stratum</tt> is between 0 and 15 for a NTP server, the <tt>refid</tt> field shows the server DNS name or, if not found, the IP address in dotted-quad. When the <tt>stratum</tt> is any value for a reference clock, this field shows the identification string assigned to the clock. However, until the client has synchronized to a server, or when the <tt>stratum</tt> for a NTP server is 0 (appears as 16 in the billboards), the status cannot be determined. As a help in debugging, the <tt>refid</tt> field is set to a four-character string called the kiss code. The current kiss codes are as as follows.</p>
- <p>Peer Kiss Codes</p>
- <p><tt>ACST</tt></p>
- <dl>
- <dd>The association belongs to a anycast server.
- <dt><tt>AUTH</tt>
- <dd>Server authentication failed. Please wait while the association is restarted.
- <dt><tt>AUTO</tt>
- <dd>Autokey sequence failed. Please wait while the association is restarted.
- <dt><tt>BCST</tt>
- <dd>The association belongs to a broadcast server.
- <dt><tt>CRYP</tt>
- <dd>Cryptographic authentication or identification failed. The details should be in the system log file or the <tt>cryptostats</tt> statistics file, if configured. No further messages will be sent to the server.
- <dt><tt>DENY</tt>
- <dd>Access denied by remote server. No further messages will be sent to the server.
- <dt><tt>DROP</tt>
- <dd>Lost peer in symmetric mode. Please wait while the association is restarted.
- <dt><tt>RSTR</tt>
- <dd>Access denied due to local policy. No further messages will be sent to the server.
- <dt><tt>INIT</tt>
- <dd>The association has not yet synchronized for the first time.
- <dt><tt>MCST</tt>
- <dd>The association belongs to a manycast server.
- <dt><tt>NKEY</tt>
- <dd>No key found. Either the key was never installed or is not trusted.
- <dt><tt>RATE</tt>
- <dd>Rate exceeded. The server has temporarily denied access because the client exceeded the rate threshold.
- <dt><tt>RMOT</tt>
- <dd>Somebody is tinkering with the association from a remote host running <tt>ntpdc</tt>. Not to worry unless some rascal has stolen your keys.
- <dt><tt>STEP</tt>
- <dd>A step change in system time has occurred, but the association has not yet resynchronized.
- </dl>
- <p>System Kiss Codes</p>
- <dl>
- <dt><tt>INIT</tt>
- <dd>The system clock has not yet synchronized for the first time.
- <dt><tt>STEP</tt>
- <dd>A step change in system time has occurred, but the system clock has not yet resynchronized.
- </dl>
- <p>The tattletale symbol at the left margin displays the synchronization status of each peer. The currently selected peer is marked <tt>*</tt>, while additional peers designated acceptable for synchronization are marked <tt>+</tt>. Peers marked <tt>*</tt> and <tt>+</tt> are included in the weighted average computation to set the local clock; the data produced by peers marked with other symbols are discarded. See the <tt>ntpq</tt> page for the meaning of these symbols.</p>
- <p>Additional details for each peer separately can be determined by the following procedure. First, use the <tt>as</tt> command to display an index of association identifiers, such as</p>
- <pre>
-ntpq> as
-ind assID status conf reach auth condition last_event cnt
-===========================================================
- 1 50252 f314 yes yes ok outlyer reachable 1
- 2 50253 f414 yes yes ok candidat reachable 1
- 3 50254 f414 yes yes ok candidat reachable 1
- 4 50255 f614 yes yes ok sys.peer reachable 1
-</pre>
- <p>Each line in this billboard is associated with the corresponding line in the <tt>pe</tt> billboard above. The <tt>assID</tt> shows the unique identifier for each mobilized association, while the <tt>status</tt> column shows the peer status word in hex, as defined in the NTP specification. Next, use the <tt>rv</tt> command and the respective <tt>assID</tt> identifier to display a detailed synopsis for the selected peer, such as</p>
- <pre>
-ntpq> rv 50253
-status=f414 reach, conf, auth, sel_candidat, 1 event, event_reach,
-srcadr=saicpc-isiepc2.cairn.net, srcport=123, dstadr=140.173.1.46,
-dstport=123, keyid=3816249004, stratum=2, precision=-27,
-rootdelay=10.925, rootdispersion=12.848, refid=pogo.udel.edu,
-reftime=bd11b225.133e1437 Sat, Jul 8 2000 13:59:01.075, delay=10.550,
-offset=-1.357, jitter=0.074, dispersion=1.444, reach=377, valid=7,
-hmode=1, pmode=1, hpoll=6, ppoll=7, leap=00, flash=00 ok,
-org=bd11b23c.01385836 Sat, Jul 8 2000 13:59:24.004,
-rec=bd11b23c.02dc8fb8 Sat, Jul 8 2000 13:59:24.011,
-xmt=bd11b21a.ac34c1a8 Sat, Jul 8 2000 13:58:50.672,
-filtdelay= 10.45 10.50 10.63 10.40 10.48 10.43 10.49 11.26,
-filtoffset= -1.18 -1.26 -1.26 -1.35 -1.35 -1.42 -1.54 -1.81,
-filtdisp= 0.51 1.47 2.46 3.45 4.40 5.34 6.33 7.28,
-hostname="miro.time.saic.com", signature=md5WithRSAEncryption, flags=0x83f01, initsequence=61, initkey=0x287b649c,
-timestamp=3172053041
-</pre>
- <p>A detailed explanation of the fields in this billboard are beyond the scope of this discussion; however, most variables defined in the NTP Version 3 specification RFC-1305 are available along with others defined for NTPv4 on the <tt>ntpq</tt> page. This particular example was chosen to illustrate probably the most complex configuration involving symmetric modes and public-key cryptography. As the result of debugging experience, the names and values of these variables may change from time to time.</p>
- <p>A useful indicator of miscellaneous problems is the <tt>flash</tt> value, which reveals the state of the various sanity tests on incoming packets. There are currently 12 bits, one for each test, numbered from the right, which is for test 1. If the test fails, the corresponding bit is set to one and zero otherwise. If any bit is set following each processing step, the packet is discarded. The meaning of each test is described on the <tt>ntpq</tt> page.</p>
- <p>The three lines identified as <tt>filtdelay</tt>, <tt>filtoffset</tt> and <tt>filtdisp</tt> reveal the roundtrip delay, clock offset and dispersion for each of the last eight measurement rounds, all in milliseconds. Note that the dispersion, which is an estimate of the error, increases as the age of the sample increases. From these data, it is usually possible to determine the incidence of severe packet loss, network congestion, and unstable local clock oscillators. There are no hard and fast rules here, since every case is unique; however, if one or more of the rounds show large values or change radically from one round to another, the network is probably congested or lossy.</p>
- <p>Once the daemon has set the local clock, it will continuously track the discrepancy between local time and NTP time and adjust the local clock accordingly. There are two components of this adjustment, time and frequency. These adjustments are automatically determined by the clock discipline algorithm, which functions as a hybrid phase/frequency feedback loop. The behavior of this algorithm is carefully controlled to minimize residual errors due to network jitter and frequency variations of the local clock hardware oscillator that normally occur in practice. However, when started for the first time, the algorithm may take some time to converge on the intrinsic frequency error of the host machine.</p>
- <p>The state of the local clock itself can be determined using the <tt>rv</tt> command (without the argument), such as</p>
- <pre>
-ntpq> rv
-status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
-version="ntpd 4.0.99j4-r Fri Jul 7 23:38:17 GMT 2000 (1)",
-processor="i386", system="FreeBSD3.4-RELEASE", leap=00, stratum=2,
-precision=-27, rootdelay=0.552, rootdispersion=12.532, peer=50255,
-refid=pogo.udel.edu,
-reftime=bd11b220.ac89f40a Sat, Jul 8 2000 13:58:56.673, poll=6,
-clock=bd11b225.ee201472 Sat, Jul 8 2000 13:59:01.930, state=4,
-phase=0.179, frequency=44.298, jitter=0.022, stability=0.001,
-hostname="barnstable.udel.edu", signature=md5WithRSAEncryption,
-flags=0x80011, hostkey=3171372095, refresh=3172016539
-cert="grundoon.udel.edu grundoon.udel.edu 0x3 3233600829"
-cert="whimsy.udel.edu whimsy.udel.edu 0x5 3233682156"
-</pre>
- <p>An explanation about most of these variables is in the RFC-1305 specification. The most useful ones include <tt>clock</tt>, which shows when the clock was last adjusted, and <tt>reftime</tt>, which shows when the server clock of <tt>refid</tt> was last adjusted. The <tt>version</tt>, <tt>processor</tt> and <tt>system</tt> values are very helpful when included in bug reports. The mean millisecond time offset (<tt>phase</tt>) and deviation (<tt>jitter</tt>) monitor the clock quality, while the mean PPM frequency offset (<tt>frequency</tt>) and deviation (<tt>stability</tt>) monitor the clock stability and serve as a useful diagnostic tool. It has been the experience of NTP operators over the years that these data represent useful environment and hardware alarms. If the motherboard fan freezes up or some hardware bit sticks, the system clock is usually the first to notice it.</p>
- <p>Among the new variables added for NTP Version 4 are the <tt>hostname</tt>, <tt>signature</tt>, <tt>flags, hostkey, refresh </tt>and<tt> cert</tt>, which are used for the Autokey public-key cryptography described on the <a href="authopt.html">Authentication Options</a> page. The numeric values show the filestamps, in NTP seconds, that the associated media files were created. These are useful in diagnosing problems with cryptographic key consistency and ordering principles.</p>
- <p>When nothing seems to happen in the <tt>pe</tt> billboard after some minutes, there may be a network problem. One common network problem is an access controlled router on the path to the selected peer or an access controlled server using methods described on the <a href="accopt.html">Access Control Options</a> page. Another common problem is that the server is down or running in unsynchronized mode due to a local problem. Use the <tt>ntpq</tt> program to spy on the server variables in the same way you can spy on your own.</p>
- <p>Normally, the daemon will adjust the local clock in small steps in such a way that system and user programs are unaware of its operation. The adjustment process operates continuously unless the apparent clock error exceeds the step threshold for a period longer than the stepout threshold, which for most Internet paths is a very rare event. If the event is simply an outlyer due to an occasional network delay spike, the correction is simply discarded; however, if the apparent time error persists for longer than the stepout threshold of about 17 minutes, the local clock is stepped or slewed to the new value as directed. This behavior is designed to resist errors due to severely congested network paths, as well as errors due to confused radio clocks upon the epoch of a leap second.</p>
+ <p>Unless using the <tt>iburst</tt> option, the client normally takes a few minutes to synchronize to a server. If the client time at startup happens to be more thatn 1000 s distant from NTP time, the daemon exits with a message to the system log directing the operator to manually set the time within 1000 s and restart. If the time is less than 1000 s but more than 128 s distant, a step correction occurs and the daemon restarts automatically.</p>
+ <p>When started for the first time and a frequency file is not present, the daemon enters a special mode in order to calibrate the frequency. This takes 900 s during which the time is not desciplined. When calibration is complete, the daemon creates the frequency file and enters normal mode to amortize whatever residual offset remains.</p>
+ <p>The <tt>ntpq</tt> commands <tt>pe</tt>, <tt>as</tt> and <tt>rv</tt> are normally sufficient to verify correct operation and assess nominal performace. The <a href="ntpq.html#pe"><tt>pe</tt></a> command displays a list showing the DNS name or IP address for each association along with selected status and statistics variables. The first character in each line is the tally code, which shows which associations are candidates to set the system clock and of these which one is the system peer. The encoding is shown in the source field of the <a href="decode.html#sys">system status word</a>.</p>
+ <p>The <a href="ntpq.html#as"><tt>as</tt></a> command displays a list of associations and association identifiers. Note the <tt>condition</tt> column, which reflects the tally code. The <a href="ntpq.html#pe"><tt>rv</tt></a> command displays the <a href="ntpq.html#system">system variables</a> billboard, including the <a href="decode.html#sys">system status word</a>. The <a href="ntpq.html#rv"><tt>rv <i>assocID</i></tt></a> command, where <tt><i>assocID</i></tt> is the association ID, displays the <a href="ntpq.html#peer">peer variables</a> billboard, including the <a href="decode.html#peer">peer status word</a>. Note that, except for explicit calendar dates, times are in milliseconds and frequencies are in parts-per-million (PPM).</p>
+ <p>A detailed explanation of the system, peer and clock variables in the billboards is beyond the scope of this page; however, a comprehensive explanation for each one is in the NTPv4 protocol specification. The following observations will be useful in debugging and monitoring.</p>
+ <ol>
+ <li>The server has successfull synchronized to its sources if the <tt>leap</tt> peer variable has value other than zero. The client has successfully synchronized to the server when the <tt>leap</tt> system variable has value other than zero.
+ <li>The <tt>reach</tt> peer variable is an 8-bit shift register displayed in octal format. When a valid packet is received, the rightmost bit is lit. When a packet is sent, the register is shifted left one bit with 0 replacing the rightmost bit. If the <tt>reach</tt> value is nonzero, the server is reachable; otherwise, it is unreachable. Note that, even if all servers become unreachable, the system continues to show valid time to dependent applications.
+ <li>A useful indicator of miscellaneous problems is the <tt>flash</tt> peer variable, which shows the result of 13 sanity tests. It contains the <a href="decode.html#flash">flash status word</a> bits, commonly called flashers, which displays the current errors for the association. These bits should all be zero for a valid server.
+ <li>The three peer variables <tt>filtdelay</tt>, <tt>filtoffset</tt> and <tt>filtdisp</tt> show the delay, offset and jitter statistics for each of the last eight measurement rounds. These statistics and their trends are valuable performance indicators for the server, client and the network. For instance, large fluctuations in delay and jitter suggest network congestion. Missing clock filter stages suggest packet losses in the network.
+ <li>The synchronization distance, defined as one-half the delay plus the dispersion, represents the maximum error statistic. The jitter represents the expected error statistic. The maximum error and expected error calculated from the peer variables represents the quality metric for the server. The maximum error and expected error calculated from the system variables represents the quality metric for the client. If the root synchronization distance for any server exceeds 1.5 s, called the select threshold, the server is considered invalid.</ol>
<h4>Large Frequency Errors</h4>
- <p>The frequency tolerance of computer clock oscillators can vary widely, which can put a strain on the daemon's ability to compensate for the intrinsic frequency error. While the daemon can handle frequency errors up to 500 parts-per-million (PPM), or 43 seconds per day, values much above 100 PPM reduce the headroom and increase the time to learn the particular value and record it in the <tt>ntp.drift</tt> file. In extreme cases before the particular oscillator frequency error has been determined, the residual system time offsets can sweep from one extreme to the other of the 128-ms tracking window only for the behavior to repeat at 900-s intervals until the measurements have converged.</p>
- <p>In order to determine if excessive frequency error is a problem, observe the nominal <tt>filtoffset</tt> values for a number of rounds and divide by the poll interval. If the result is something approaching 500 PPM, there is a good chance that NTP will not work properly until the frequency error is reduced by some means. A common cause is the hardware time-of-year (TOY) clock chip, which must be disabled when NTP disciplines the software clock. For some systems this can be done using the <tt><a href="tickadj.html">tickadj</a></tt> utility and the <tt>-s</tt> command line argument. For other systems this can be done using a command in the system startup file.</p>
- <p>If the TOY chip is not the cause, the problem may be that the hardware clock frequency may simply be too slow or two fast. In some systems this might require tweaking a trimmer capacitor on the motherboard. For other systems the clock frequency can be adjusted in increments of 100 PPM using the <tt>tickadj</tt> utility and the <tt>-t</tt> command line argument. Note that the <tt>tickadj</tt> alters certain kernel variables and, while the utility attempts to figure out an acceptable way to do this, there are many cases where <tt>tickadj</tt> is incompatible with a running kernel.</p>
+ <p>The frequency tolerance of computer clock oscillators varies widely, sometimes above 500 PPM. While the daemon can handle frequency errors up to 500 PPM, or 43 seconds per day, values much above 100 PPM reduce the headroom, especially at the lowest poll intervals. To determine the particular oscillator frequency, start <tt>ntpd</tt> using the <tt>noselect</tt> option with the <tt>server</tt> configuration command.</p>
+ <p>Record the time of day and offset displayed by the <tt>ntpq</tt> <a href="ntpq.html#pe"><tt>pe</tt></a> command. Wait for an hour or so and record the time of day and offset. Calculate the frequency as the offset difference divided by the time difference. If the frequency is much above 100 PPM, the <a href="tickadj.html">tickadj</a> program might be useful to adjust the kernel clock frequency below that value. For systems that do not support this program, this might be one using a command in the system startup file.</p>
<h4>Access Controls</h4>
<p>Provisions are included in <tt>ntpd</tt> for access controls which deflect unwanted traffic from selected hosts or networks. The controls described on the <a href="accopt.html">Access Control Options</a> include detailed packet filter operations based on source address and address mask. Normally, filtered packets are dropped without notice other than to increment tally counters. However, the server can be configured to send a "kiss-o'-death" (KOD) packet to the client either when explicitly configured or when cryptographic authentication fails for some reason. The client association is permanently disabled, the access denied bit (TEST4) is set in the flash variable and a message is sent to the system log.</p>
<p>The access control provisions include a limit on the packet rate from a host or network. If an incoming packet exceeds the limit, it is dropped and a KOD sent to the source. If this occurs after the client association has synchronized, the association is not disabled, but a message is sent to the system log. See the <a href="accopt.html">Access Control Options</a> page for further informatin.</p>
<li>Verify the <tt>/etc/services</tt> file host machine is configured to accept UDP packets on the NTP port 123. NTP is specifically designed to use UDP and does not respond to TCP.
<li>Check the system log for <tt>ntpd</tt> messages about configuration errors, name-lookup failures or initialization problems. Common system log messages are summarized on the <a href="msyslog.html"><tt>ntpd</tt> System Log Messages</a> page. Check to be sure that only one copy of <tt>ntpd</tt> is running.
<li>Verify using <tt>ping</tt> or other utility that packets actually do make the round trip between the client and server. Verify using <tt>nslookup</tt> or other utility that the DNS server names do exist and resolve to valid Internet addresses.
- <li>Check that the remote NTP server is up and running. The usual evidence that it is not is a <tt>Connection refused</tt> message.
+ <li>Check that the remote NTP server is up and running. The usual evidence that it is not is a <tt>Connection refused</tt> message.
<li>Using the <tt>ntpdc</tt> program, verify that the packets received and packets sent counters are incrementing. If the sent counter does not increment and the configuration file includes configured servers, something may be wrong in the host network or interface configuration. If this counter does increment, but the received counter does not increment, something may be wrong in the network or the server NTP daemon may not be running or the server itself may be down or not responding.
<li>If both the sent and received counters do increment, but the <tt>reach</tt> values in the <tt>pe</tt> billboard with <tt>ntpq</tt> continues to show zero, received packets are probably being discarded for some reason. If this is the case, the cause should be evident from the <tt>flash</tt> variable as discussed above and on the <tt>ntpq</tt> page. It could be that the server has disabled access for the client address, in which case the refid field in the <tt>ntpq pe</tt> billboard will show a kiss code. See earlier on this page for a list of kiss codes and their meaning.
<li>If the <tt>reach</tt> values in the <tt>pe</tt> billboard show the servers are alive and responding, note the tattletale symbols at the left margin, which indicate the status of each server resulting from the various grooming and mitigation algorithms. The interpretation of these symbols is discussed on the <tt>ntpq</tt> page. After a few minutes of operation, one or another of the reachable server candidates should show a * tattletale symbol. If this doesn't happen, the intersection algorithm, which classifies the servers as truechimers or falsetickers, may be unable to find a majority of truechimers among the server population.
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+ <head>
+ <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
+ <meta name="generator" content="HTML Tidy, see www.w3.org">
+ <title>ntpd System Log Messages</title>
+ <link href="scripts/style.css" type="text/css" rel="stylesheet">
+ </head>
+ <body>
+ <h3>Event Messages and Status Words</h3>
+ <img src="pic/alice47.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
+ <p>Caterpillar knows all the error codes, which is more than most of us do.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">04:18</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="237">Tuesday, May 06, 2008</csobj></p>
+ <br clear="left">
+ <h4>Related Links</h4>
+ <p><script type="text/javascript" language="javascript" src="scripts/install.txt"></script></p>
+ <h4>Table of Contents</h4>
+ <ul>
+ <li class="inline"><a href="#intro">Introduction</a>
+ <li class="inline"><a href="#sys">System Status Word</a>
+ <li class="inline"><a href="#peer">Peer Status Word</a>
+ <li class="inline"><a href="#clock">Clock Status Word</a>
+ <li class="inline"><a href="#flash">Flash Status Word</a>
+ <li class="inline"><a href="#kiss">Kiss Codes</a>
+ <li class="inline"><a href="#crypto">Crypto Messages</a>
+ </ul>
+ <hr>
+ <h4 id="intro">Introduction</h4>
+ <p>This page lists the status and event messages and error codes used for status reporting and monitoring. Status words are used to display the current status of the running program. There is one system status word and a peer status word for each association. There is a clock status word for each association that supports a reference clock driver. There is a flash code for each association which shows errors found in the last packet received (pkt) and during protocol processing (peer). These are commonly viewed using the <tt>ntpq</tt> program.</p>
+ <p>Sinificant changes in program state are reported as events. There is one set of system events and a set of peer events for each association. In adition, there is a set of clock events for each association that supports a reference clock driver. Events are normally reported to the <tt>protostats</tt> file and optionally to the system log. In addition, if the trap facility is configured, traps can be reported to a remote program that can page an administrator.</p>
+ <p>This page also includes a description of the error messages produced by the Autokey protocol. These messages are normally sent to the <tt>cryptostats</tt> file.</p>
+ <p>In the following tables the Code Field is the status or event code assigned and the Message Field a short string used for display and event reporting. The Description field contains a longer explanation of the status or event. Some messages include additional information useful for error diagnosis and performance assessment.</p>
+ <h4 id="sys">System Status Word</h4>
+ <p>The system status word consists of four fields LI (0-1), Source (2-7), Count (8-11) and Code (12-15). It is reported in the first line of the <tt>ntpd rv</tt> display.</p>
+ <table width="50%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>
+ <div align="center">Leap</div>
+ </td>
+ <td>
+ <div align="center">
+ Source</div>
+ </td>
+ <td>
+ <div align="center">
+ Count</div>
+ </td>
+ <td>
+ <div align="center">
+ Code</div>
+ </td>
+ </tr>
+ </table>
+ <p>The Leap Field displays the system leap indicator bits coded as follows:</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>0</tt></td>
+ <td><tt>leap_none</tt></td>
+ <td>normal synchronized state</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>leap_add_sec</tt></td>
+ <td>insert second after 23:59:59 of the current day</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>leap_del_sec</tt></td>
+ <td>delete second 23:59:59 of the current day</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>leap_alarm</tt></td>
+ <td>never synchronized</td>
+ </tr>
+ </table>
+ <p>The Source Field displays the current synchronization source coded as follows:.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>0</tt></td>
+ <td><tt>sync_unspec</tt></td>
+ <td>not yet synchronized</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>sync_pps</tt></td>
+ <td>pulse-per-second signal (Cs, Ru, GPS, etc.)</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>sync_lf_radio</tt></td>
+ <td>VLF/LF radio (WWVB, DCF77, etc.)</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>sync_hf_radio</tt></td>
+ <td>MF/HF radio (WWV, etc.)</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td><tt>sync_uhf_radio</tt></td>
+ <td>VHF/UHF radio/satellite (GPS, Galileo, etc.)</td>
+ </tr>
+ <tr>
+ <td><tt>5</tt></td>
+ <td><tt>sync_local</tt></td>
+ <td>local timecode (IRIG, LOCAL driver, etc.)</td>
+ </tr>
+ <tr>
+ <td><tt>6</tt></td>
+ <td><tt>sync_ntp</tt></td>
+ <td>NTP</td>
+ </tr>
+ <tr>
+ <td><tt>7</tt></td>
+ <td><tt>sync_other</tt></td>
+ <td>other (IEEE 1588, openntp, crony, etc.)</td>
+ </tr>
+ <tr>
+ <td><tt>8</tt></td>
+ <td><tt>sync_wristwatch</tt></td>
+ <td>eyeball and wristwatch</td>
+ </tr>
+ <tr>
+ <td><tt>9</tt></td>
+ <td><tt>sync_telephone</tt></td>
+ <td>telephone modem (ACTS, PTB, etc.)</td>
+ </tr>
+ </table>
+ <p>The Count Field displays the number of events since the last <tt>rv</tt> command while the Event Field displays the most recent event message coded as follows:</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>0</tt></td>
+ <td><tt>unspecified</tt></td>
+ <td>unspecified</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>freq_not_set</tt></td>
+ <td>frequency file not available</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>freq_set</tt></td>
+ <td>frequency set from frequency file</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>spike_detect</tt></td>
+ <td>spike detected</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td><tt>freq_mode</tt></td>
+ <td>initial frequency training mode</td>
+ </tr>
+ <tr>
+ <td><tt>5</tt></td>
+ <td><tt>clock_sync</tt></td>
+ <td>clock synchronized</td>
+ </tr>
+ <tr>
+ <td><tt>6</tt></td>
+ <td><tt>restart</tt></td>
+ <td>program restart</td>
+ </tr>
+ <tr>
+ <td><tt>7</tt></td>
+ <td><tt>panic_stop</tt></td>
+ <td>clock error more than 600 s</td>
+ </tr>
+ <tr>
+ <td><tt>8</tt></td>
+ <td><tt>no_system_peer</tt></td>
+ <td>no system peer</td>
+ </tr>
+ <tr>
+ <td><tt>9</tt></td>
+ <td><tt>leap_armed</tt></td>
+ <td>leap second armed from file or Autokey</td>
+ </tr>
+ <tr>
+ <td><tt>10</tt></td>
+ <td><tt>leap_disarmed</tt></td>
+ <td>leap second disarmed</td>
+ </tr>
+ <tr>
+ <td><tt>11</tt></td>
+ <td><tt>leap_event</tt></td>
+ <td>leap event</td>
+ </tr>
+ <tr>
+ <td><tt>12</tt></td>
+ <td><tt>clock_step</tt></td>
+ <td>clock stepped</td>
+ </tr>
+ <tr>
+ <td><tt>13</tt></td>
+ <td><tt>kern</tt></td>
+ <td>kernel information message</td>
+ </tr>
+ </table>
+ <h4 id="peer">Peer Status Word</h4>
+ <p>The peer status word consists of four fields: Status (0-4, Select (5-7), Count (8-11) and Code (12-15). It is reported in the first line of the <tt>ntpd rv <i>associd</i></tt> display.</p>
+ <table width="50%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>
+ <div align="center">
+ Status</div>
+ </td>
+ <td>
+ <div align="center">Select</div>
+ </td>
+ <td>
+ <div align="center">
+ Count</div>
+ </td>
+ <td>
+ <div align="center">
+ Code</div>
+ </td>
+ </tr>
+ </table>
+ <p>The Status Field displays the peer status code bits in hexadecimal as follows:</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>08</tt></td>
+ <td><tt>bcst</tt></td>
+ <td>broadcast association</td>
+ </tr>
+ <tr>
+ <td><tt>10</tt></td>
+ <td><tt>reach</tt></td>
+ <td>host reachable</td>
+ </tr>
+ <tr>
+ <td><tt>20</tt></td>
+ <td><tt>authenb</tt></td>
+ <td>authentication enabled</td>
+ </tr>
+ <tr>
+ <td><tt>40</tt></td>
+ <td><tt>auth</tt></td>
+ <td>authentication ok</td>
+ </tr>
+ <tr>
+ <td><tt>80</tt></td>
+ <td><tt>config</tt></td>
+ <td>persistent association</td>
+ </tr>
+ </table>The Select Field displays the current selection. status The T Field displays the tally codes beginning the <tt>ntpq peers</tt> display. The values are coded as follows:<table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>T</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>0</tt></td>
+ <td><tt>sel_reject</tt></td>
+ <td></td>
+ <td>discarded as not valid (TEST10-TEST13)</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>sel_falsetick</tt></td>
+ <td><tt>x</tt></td>
+ <td>discarded by intersection algorithm</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>sel_excess</tt></td>
+ <td><tt>.</tt></td>
+ <td>discarded by table overflow (not used)</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>sel_outlyer</tt></td>
+ <td><tt>-</tt></td>
+ <td>discarded by the cluster algorithm</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td><tt>sel_candidate</tt></td>
+ <td><tt>+</tt></td>
+ <td>included by the combine algorithm</td>
+ </tr>
+ <tr>
+ <td><tt>5</tt></td>
+ <td><tt>sel_backup</tt></td>
+ <td><tt>#</tt></td>
+ <td>backup (more than <tt>tinker maxclock</tt> sources)</td>
+ </tr>
+ <tr>
+ <td><tt>6</tt></td>
+ <td><tt>sel_sys.peer</tt></td>
+ <td><tt>*</tt></td>
+ <td>system peer</td>
+ </tr>
+ <tr>
+ <td><tt>7</tt></td>
+ <td><tt>sel_pps.peer</tt></td>
+ <td><tt>o</tt></td>
+ <td>PPS peer (when the prefer peer is valid)</td>
+ </tr>
+ </table>
+ <p>The Count Field displays the number of events since the last <tt>rv</tt> command, while the Event Field displays the most recent event message coded as follows:</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>mobilize</tt></td>
+ <td>association mobilized</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>demobilize</tt></td>
+ <td>association demobilized</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>unreachable</tt></td>
+ <td>server unreachable</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td><tt>reachable</tt></td>
+ <td>server reachable</td>
+ </tr>
+ <tr>
+ <td><tt>5</tt></td>
+ <td><tt>restart</tt></td>
+ <td>association restart</td>
+ </tr>
+ <tr>
+ <td><tt>6</tt></td>
+ <td><tt>no_reply</tt></td>
+ <td>no server found (<tt>ntpdate</tt> mode)</td>
+ </tr>
+ <tr>
+ <td><tt>7</tt></td>
+ <td><tt>rate_exceeded</tt></td>
+ <td>rate exceeded (kiss code <tt>RATE</tt>)</td>
+ </tr>
+ <tr>
+ <td><tt>8</tt></td>
+ <td><tt>access_denied</tt></td>
+ <td>access denied (kiss code <tt>DENY</tt>)</td>
+ </tr>
+ <tr>
+ <td><tt>9</tt></td>
+ <td><tt>leap_armed</tt></td>
+ <td>leap armed from server LI code</td>
+ </tr>
+ <tr>
+ <td><tt>10</tt></td>
+ <td><tt>sys_peer</tt></td>
+ <td>new system peer</td>
+ </tr>
+ <tr>
+ <td><tt>11</tt></td>
+ <td><tt>clock</tt></td>
+ <td>reference clock message (see clock status word)</td>
+ </tr>
+ </table>
+ <h4 id="clock">Clock Status Word</h4>
+ <p>The clock status word consists of four fields: Unused (0-7), Count (8-11) and Code (12-15). It is reported in the first line of the <tt>ntpd clockvar <i>associd</i></tt> display.</p>
+ <table width="50%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>
+ <div align="center">
+ Unused</div>
+ </td>
+ <td>
+ <div align="center">
+ Count</div>
+ </td>
+ <td>
+ <div align="center">
+ Code</div>
+ </td>
+ </tr>
+ </table>
+ <p>The Count Field displays the number of events since the last <tt>clockvar</tt> command, while the Event Field displays the most recent event message coded as follows:</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>0</tt></td>
+ <td><tt>clk_unspe</tt></td>
+ <td>nominal</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>clk_noreply</tt></td>
+ <td>no reply to poll</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>clk_badformat</tt></td>
+ <td>bad timecode format</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>clk_fault</tt></td>
+ <td>hardware or software fault</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td><tt>clk_bad_signal</tt></td>
+ <td>signal loss</td>
+ </tr>
+ <tr>
+ <td><tt>5</tt></td>
+ <td><tt>clk_bad_date</tt></td>
+ <td>bad date format</td>
+ </tr>
+ <tr>
+ <td><tt>6</tt></td>
+ <td><tt>clk_bad_time</tt></td>
+ <td>bad time format</td>
+ </tr>
+ </table>
+ <p>When the clock driver sets the code to a new value, a <tt>clock_alarm</tt> (11) peer event is reported.</p>
+ <h4 id="flash">Flash Status Word</h4>
+ <p>The flash status word is displayed by the <tt>ntpq</tt> program <tt>rv</tt> command. It consists of a number of bits coded in hexadecimal as follows:</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Tag</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>0001</tt></td>
+ <td>TEST1</td>
+ <td><tt>pkt_dup</tt></td>
+ <td>duplicate packet</td>
+ </tr>
+ <tr>
+ <td><tt>0002</tt></td>
+ <td>TEST2</td>
+ <td><tt>pkt_bogus</tt></td>
+ <td>bogus packet</td>
+ </tr>
+ <tr>
+ <td><tt>0004</tt></td>
+ <td>TEST3</td>
+ <td><tt>pkt_unsync</tt></td>
+ <td>protocol unsynchronized</td>
+ </tr>
+ <tr>
+ <td><tt>0008</tt></td>
+ <td>TEST4</td>
+ <td><tt>pkt_denied</tt></td>
+ <td>access denied</td>
+ </tr>
+ <tr>
+ <td><tt>0010</tt></td>
+ <td>TEST5</td>
+ <td><tt>pkt_auth</tt></td>
+ <td>bad authentication</td>
+ </tr>
+ <tr>
+ <td><tt>0020</tt></td>
+ <td>TEST6</td>
+ <td><tt>pkt_stratum</tt></td>
+ <td>bad synch or stratum</td>
+ </tr>
+ <tr>
+ <td><tt>0040</tt></td>
+ <td>TEST7</td>
+ <td><tt>pkt_header</tt></td>
+ <td>bad header</td>
+ </tr>
+ <tr>
+ <td><tt>0080</tt></td>
+ <td>TEST8</td>
+ <td><tt>pkt_autokey</tt></td>
+ <td>bad autokey</td>
+ </tr>
+ <tr>
+ <td><tt>0100</tt></td>
+ <td>TEST9</td>
+ <td><tt>pkt_crypto</tt></td>
+ <td>bad crypto</td>
+ </tr>
+ <tr>
+ <td><tt>0200</tt></td>
+ <td>TEST10</td>
+ <td><tt>peer_stratum</tt></td>
+ <td>peer bad synch or stratum</td>
+ </tr>
+ <tr>
+ <td><tt>0400</tt></td>
+ <td>TEST11</td>
+ <td><tt>peer_dist</tt></td>
+ <td>peer distance exceeded</td>
+ </tr>
+ <tr>
+ <td><tt>0800</tt></td>
+ <td>TEST12</td>
+ <td><tt>peer_loop</tt></td>
+ <td>peer synchronization loop</td>
+ </tr>
+ <tr>
+ <td><tt>1000</tt></td>
+ <td>TEST13</td>
+ <td><tt>peer_unreach</tt></td>
+ <td>peer unreachable</td>
+ </tr>
+ </table>
+ <h4 id="kiss">Kiss Codes</h4>
+ Kiss codes are used in kiss-o'-death (koD) packets, billboard displays and log messages. They consist of a string of four zero-padded ASCII charactes. In practice they are informal and tend to change with time and implementation. Some of these codes can appear in the reference identifier field in <tt>ntpq</tt> billboards. Following is the current list:
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>ACST</tt></td>
+ <td>manycast server</td>
+ </tr>
+ <tr>
+ <td><tt>AUTH</tt></td>
+ <td>authentication error</td>
+ </tr>
+ <tr>
+ <td><tt>AUTO</tt></td>
+ <td>Autokey sequence error</td>
+ </tr>
+ <tr>
+ <td><tt>BCST</tt></td>
+ <td>broadcast server</td>
+ </tr>
+ <tr>
+ <td><tt>CRYPT</tt></td>
+ <td>Autokey protocol error</td>
+ </tr>
+ <tr>
+ <td><tt>DENY</tt></td>
+ <td>access denied by server</td>
+ </tr>
+ <tr>
+ <td><tt>INIT</tt></td>
+ <td>association initialized</td>
+ </tr>
+ <tr>
+ <td><tt>MCST</tt></td>
+ <td>multicast server</td>
+ </tr>
+ <tr>
+ <td><tt>RATE</tt></td>
+ <td>rate exceeded</td>
+ </tr>
+ <tr>
+ <td><tt>TIME</tt></td>
+ <td>association timeout</td>
+ </tr>
+ <tr>
+ <td><tt>STEP</tt></td>
+ <td>step time change</td>
+ </tr>
+ </table>
+ <h4 id="crypto">Crypto Messages</h4>
+ <p>These messages are sent to the <tt>cryptostats</tt> file when an error is detected in the Autokey protocol.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Code</td>
+ <td>Message</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td><tt>bad_format</tt></td>
+ <td>bad extension field format or length</td>
+ </tr>
+ <tr>
+ <td><tt>2</tt></td>
+ <td><tt>bad_timestamp</tt></td>
+ <td>bad timestamp</td>
+ </tr>
+ <tr>
+ <td><tt>3</tt></td>
+ <td><tt>bad_filestamp</tt></td>
+ <td>bad filestamp</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td><tt>bad_public_key</tt></td>
+ <td>bad or missing public key</td>
+ </tr>
+ <tr>
+ <td><tt>5</tt></td>
+ <td><tt>bad_digest</tt></td>
+ <td>unsupported digest type</td>
+ </tr>
+ <tr>
+ <td><tt>6</tt></td>
+ <td><tt>bad_identity</tt></td>
+ <td>unsupported identity type</td>
+ </tr>
+ <tr>
+ <td><tt>7</tt></td>
+ <td><tt>bad_siglength</tt></td>
+ <td>bad signature length</td>
+ </tr>
+ <tr>
+ <td><tt>8</tt></td>
+ <td><tt>bad signature</tt></td>
+ <td>extension field signature not verified</td>
+ </tr>
+ <tr>
+ <td><tt>9</tt></td>
+ <td><tt>cert_not_verified</tt></td>
+ <td>certificate signature not verified</td>
+ </tr>
+ <tr>
+ <td><tt>10</tt></td>
+ <td><tt>cert_expired</tt></td>
+ <td>host certificate expired</td>
+ </tr>
+ <tr>
+ <td><tt>11</tt></td>
+ <td><tt>bad_cookie</tt></td>
+ <td>bad or missing cookie</td>
+ </tr>
+ <tr>
+ <td><tt>12</tt></td>
+ <td><tt>bad_leapseconds</tt></td>
+ <td>bad or misssing leapseconds values</td>
+ </tr>
+ <tr>
+ <td><tt>13</tt></td>
+ <td><tt>cert_missing</tt></td>
+ <td>bad or missing certificate</td>
+ </tr>
+ <tr>
+ <td><tt>14</tt></td>
+ <td><tt>bad_group_key</tt></td>
+ <td>bad or missing group key</td>
+ </tr>
+ <tr>
+ <td><tt>15</tt></td>
+ <td><tt>proto_error</tt></td>
+ <td>protocol error</td>
+ </tr>
+ </table>
+ <hr>
+ <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+ </p>
+ </body>
+
+</html>
\ No newline at end of file
<h3><tt>ntp-keygen</tt> - Generate Public and Private Keys Files</h3>
<img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>Alice holds the key.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">20:57</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="306">Saturday, December 22, 2007</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:27</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 03, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
<h3>NTP 4.x for Windows NT</h3>
<h4>Introduction</h4>
- <p>The NTP 4 distribution runs as service on Windows Vista, Windows NT 4.0, Windows 2000, Windows XP, Windows .NET Server 2003. It will NOT run on Windows 95, 98, ME, etc. The binaries work on multi-processor systems. This port has not been tested on the Alpha platform. This release now uses OpenSSL for authentication. IPv6 is not implemented yet for Win32 platforms. A ready-to-run install distribution is available from Meinberg at <a href="http://www.meinberg.de/english/sw/ntp.htm">http://www.meinberg.de/english/sw/ntp.htm</a></p>
- <h4>Authentication Keys</h4>
- <p>With this release ntp-keygen is supported. See the <a href="../keygen.html"> ntp keygen documentation</a> for details on how to use ntp-keygen.</p>
+ <p>The NTP 4 distribution runs as service on Windows Vista, Windows NT 4.0, Windows 2000, Windows XP, Windows .NET Server 2003. It will NOT run on Windows 95, 98, ME, etc. The binaries work on multi-processor systems. This port has not been tested on the Alpha platform. This release now uses OpenSSL for authentication. IPv6 is not implemented yet for Win32 platforms. A ready-to-run install distribution is available from Meinberg at <a href="http://www.meinberg.de/english/sw/ntp.htm">http://www.meinberg.de/english/sw/ntp.htm.</a></p>
+ <p>Users should note that the stock Windows client sends requests as mode-1 packets, which can have unintended consequences and create a security risk. The client should send requests as mode-3 (client) packets, which conform to the protocol specification. The issues and resolution are described in Microsoft KB 875424. A less desirable alternative that avoids changing registry keys is to use the <tt>--with-wintime</tt> option when building the executable.</p>
+ <h4>Authentication Keys</h4>
+ <p>With this release ntp-keygen is supported. See the <a href="../keygen.html"> ntp keygen documentation</a> for details on how to use ntp-keygen.</p>
<p><tt>ntpd</tt> can now use the generated keys in the same way as on Unix platforms. Please refer to the <a href="../authopt.html">Authentication Options</a> for details on how to use these.</p>
<p><B>NOTE:</B> ntpd and <tt>ntp-keygen</tt> both use OpenSSL which requires a random
character file called <tt>.rnd</tt> by default. Both of these programs will automatically generate this file if they are not found. The programs will look for an environmental variable called RANDFILE and use that for the name of the random character file if the variable exists. If it does not exist it will look for an environmental variable called HOME and use that directory to search for a file called <tt>.rnd</tt> in that directory. Finally, if neither RANDFILE nor HOME exists it will look in <tt>C:\</tt> for a .rnd file. In each case it will search for and create the file if the environmental variable exists or in the C:\ directory if it doesn't.</p>
<h3>The Network Time Protocol (NTP) Distribution</h3>
<img src="pic/barnstable.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html"><i>P.T. Bridgeport Bear</i>; from <i>Pogo</i>, Walt Kelly</a>
<p>Pleased to meet you.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">21:11</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="285">Saturday, January 19, 2008</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:21</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="289">Wednesday, March 12, 2008</csobj></p>
<p>Note: These pages are being updated and may appear a little scruffy for awhile.</p>
<br clear="left">
<h4>Related Links</h4>
- <ul>A list of all links is on the <a href="sitemap.html">Site Map</a> page.
+ <ul>
+ <li>A list of all links is on the <a href="sitemap.html">Site Map</a> page.
</ul>
<h4>Table of Contents</h4>
<ul>
<p>The most important factor in providing accurate, reliable time is the selection of modes and servers in the configuration file. A discussion on the available modes is on the <a href="assoc.html">Association Management</a> page. The current public server list is maintained at the <a href="http://www.ntp.org">www.ntp.org</a> web site. In many cases the configuration can be automated using the schemes described on the <a href="manyopt.html">Automatic Server Discovery Schemes</a> page.</p>
<h4 id="opt">Features and Options</h4>
<p>This distribution includes a statistics data recording facility which can record performance statistics and events of various types for retrospective analysis. These include time and frequency statistics, significant events and usage statistics described on the <a href="monopt.html">Monitoring Options</a> page.</p>
- <p>Some programs included in this distribution use cryptographic algorithms to verify server authenticity. Where local security policy permits relatively weak symmetric key cryptography, the required software is included in this distribution. Where local policy requires stronger public key cryptography, the OpenSSL library available from <a href="http://www.openssl.org">http://www.openssl.org</a> is required. This library is also used by the Secure Shell facility, so is often already installed.
NTP public key cryptography is described on the <a href="authopt.html">Authentication Options</a> page.</p>
+ <p>Some programs included in this distribution use cryptographic algorithms to verify server authenticity. Where local security policy permits relatively weak symmetric key cryptography, the required software is included in this distribution. Where local policy requires stronger public key cryptography, the OpenSSL library available from <a href="http://www.openssl.org">http://www.openssl.org</a> is required. This library is also used by the Secure Shell facility, so is often already installed.
Additional details are on the <a href="authopt.html">Authentication Options</a> page.</p>
<p>This distribution includes features that can restrict access in various ways as described on the <a href="accopt.html">Access Control Options</a> page. This can be used to deny service if not authenticated, deny service requiring persistent resources or deny service altogether.</p>
<p>This distribution includes a simulation framework in which substantially all the runtime NTP operations and most features can be tested and evaluated. This has been very useful in exploring invitro response to unusal circumstances or over time periods impractical invivo. Details are on the <a href="ntpdsim.html">Network Time Protocol (NTP) Simulator</a> page.</p>
<h4 id="prob">Resolving Problems</h4>
<p>The <a href="debug.html">NTP Debugging Techniques</a> and <a href="hints.html">Hints and Kinks</a> pages contain useful information for identifying problems and devising solutions. Additional information on reference clock driver construction and debugging is in the <a href="rdebug.html">Debugging Hints for Reference Clock Drivers</a> page.</p>
<p>Users are invited to report bugs and offer suggestions via the <a href="bugs.html">NTP Bug Reporting Procedures</a> page.</p>
<h4 id="info">Further Information</h4>
- <p>The <a href="sitemap.html">Site Map</a> page contains a list of document collections arranged by topic. The Program Manual Pages collection may be the best place to start, followed by the Configuration Commands and Options collection. A great wealth of additional information is available via the External Links collection, including a book and numerous background papers and briefing presentations.</p>
+ <p>The <a href="sitemap.html">Site Map</a> page contains a list of document collections arranged by topic. The Program Manual Pages collection may be the best place to start, followed by the <a href="comdex.html"></a>Configuration Commands and Options collection. The <a href="comdex.html">Command Index</a> collection contains a list of all configuration file commands together with a short function description. A great wealth of additional information is available via the External Links collection, including a book and numerous background papers and briefing presentations.</p>
<hr>
<div align="center">
<img src="pic/pogo1a.gif" alt="gif"></div>
<body>
<h3>Kernel Model for Precision Timekeeping</h3>
<p><img src="pic/alice61.gif" alt="gif" align="left"> <a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a></p>
- <p>Alice touched the kernel and it exploded.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:25</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="276">Tuesday, January 01, 2008</csobj></p>
+ <p>Alice finds the kernel a house of cards.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:42</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/misc.txt"></script>
<body>
<h3>PPSAPI Interface for Precision Time Signals</h3>
+ <img src="pic/tonea.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>NBS Special Publication 432, 1979</i></a> (out of print)
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:40</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
+ <br clear="left">
<h4>Related Links</h4>
<p>
<script type="text/javascript" language="javascript" src="scripts/misc.txt"></script>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="HTML Tidy, see www.w3.org">
- <title>Automatic Server Discovery Schemes</title>
+ <title>Automatic Server Discovery</title>
<link href="scripts/style.css" type="text/css" rel="stylesheet">
</head>
<body>
- <h3>Automatic Server Discovery Schemes</h3>
+ <h3>Automatic Server Discovery</h3>
<img src="pic/alice51.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>Make sure who your friends are.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">21:48</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="277">Friday, December 28, 2007</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">01:56</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 17, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/config.txt"></script>
<hr>
<h4 id="modes">Introduction</h4>
<p>This page describes the automatic server discovery schemes provided in NTPv4. Details about the configuration commands and options are described on the <a href="confopt.html">Configuration Options</a> page. Details about the cryptographic authentication schemes are described on the <a href="authopt.html">Authentication Options</a> page. Details about the other modes not directly involved in these schemes are described on the <a href="assoc.html">Association Management</a> page. Additional information is available in the papers, reports, memoranda and briefings on the <a href="http://www.eecis.udel.edu/%7emills/ntp.html">NTP Project</a> page.</p>
- <p>There are three automatic server discovery schemes: broadcast/multicast, manycast and server pool described on this page. The broadcast/multicast and manycast schemes utilize the ubiquitous broadcast or one-to-many paradigm native to IPv4 and IPv6. The server pool scheme uses DNS to resolve addresses of multiple volunteer servers scattered throughout the world. All three schemes work in much the same way and might be described as <i>grab-n'-drop</i>. Through one means or another they grab at least the number of potential servers specified by the <tt>tos maxclock</tt> configuration command, order them from best to worst using the NTP algorithms, then cast off from the end of the list until no more than the number of survivors specified in the <tt>tos minclock</tt> command remain.</p>
- <p>This process is handled using a set of counters, one for each preemptible association. Once each poll interval the counter is increased by one. It the counter reaches a cutoff value of 10, it is preempted and demobilized. However, the counters for the survivors at the beginning of the list are set to zero.</p>
- <p>Any of the schemes can use a stratum filter to select just those servers with stratum considered useful. This can avoid large numbers of clients ganging up on a small number of low-stratum servers and avoid servers above a certain stratum level. The range of acceptable strata range from the number specified by the <tt>tos floor</tt> command, inclusive, to the number specified by the <tt>tos ceiling</tt> command, exclusive. Potential servers operating at the same stratum as the client will be avoided unless the <tt>tos cohort</tt> command is present.</p>
- <p></p>
- <p>Since an intruder can impersonate a broadcast or multicast server and inject false time values, broadcast mode should always be cryptographically authenticated.</p>
+ <p>There are three automatic server discovery schemes: broadcast/multicast, manycast and server pool described on this page. The broadcast/multicast and manycast schemes utilize the ubiquitous broadcast or one-to-many paradigm native to IPv4 and IPv6. The server pool scheme uses DNS to resolve addresses of multiple volunteer servers scattered throughout the world. All three schemes work in much the same way and might be described as <i>grab-n'-prune</i>. Through one means or another they grab a number of associations either directly or indirectly from the configuration file, order them from best to worst according to a defined metric, then cast off the associations with the lowest metric until no more than the number specified by the <tt>maxclock</tt> option of the <tt>tos </tt>command remain.</p>
+ <h4>Association Management</h4>
+ <p>All schemes use a stratum filter to select just those servers with stratum considered useful. This can avoid large numbers of clients ganging up on a small number of low-stratum servers and avoid servers below or above specified stratum levels. By default, servers of all strata are acceptable; however, the <tt>tos</tt> command can be used to restrict the acceptable range from the <tt>floor</tt> option, inclusive, to the <tt>ceiling</tt> option, exclusive. Potential servers operating at the same stratum as the client will be avoided, unless the <tt>cohort</tt> option is present.</p>
+ <p>The pruning process is handled using a set of counters, one for each preemptible association. Once each poll interval the counter is increased by one. If the association survives the selection and clustering algorithms; that is, it is a candidate for synchronization, the counter is reset to zero. If not and the counter reaches a defined threshold and the number of assocations is greater than <tt>maxclock</tt>, the association becomes a candidate for pruning. The pruning algorithm assigns to each association a metric ranging from the lowest, corresponding to no possibility of synchronization, to the highest, corresponding to a very likely possibility of synchronization. Upon reaching the threshold, an association is demobilized if it has the lowest metric of all associations. Operation continues in this way until the number of remaining associations is not greater than <tt>maxclock</tt>.</p>
<p>Following is a summary of each scheme. Note that reference to option applies to the commands described on the <a href="confopt.html">Configuration Options</a> page. See that page for applicability and defaults.</p>
<h4 id="bcst">Broadcast/Multicast Scheme</h4>
- <p>A broadcast server generates messages continuously at intervals by default 64 s and time-to-live by default 127. These defaults can be overriden by the <tt>minpoll</tt> and <tt>ttl</tt> options, respectively. Not all kernels support the <tt>ttl</tt> command. A broadcast client responds to the first message received by waiting a randomized interval to avoid implosion at the server. It then polls the server in client/server mode and using the iburst opion in order to quickly authenticate the server, set the host clock and calibrate the broadcast message propagation delay. This normally results in a volley of six client/server exchanges at 2-s intervals during which both the synchronization and cryptographic protocols run concurrently.</p>
- <p>Following the volley, the server continues in listen-only mode and sends no further messages. If for some reason the broadcast server does not respond to these messages, the client will cease transmission and continue in listen-only mode with a default propagation delay. The volley can be avoided by using the <tt>authdelay</tt> configuration command with nonzero argument.</p>
+ <p>A broadcast server generates messages continuously at intervals by default 64 s and time-to-live by default 127. These defaults can be overriden by the <tt>minpoll</tt> and <tt>ttl</tt> options, respectively. Not all kernels support the <tt>ttl</tt> option. A broadcast client responds to the first message received by waiting a randomized interval to avoid implosion at the server. It then polls the server in client/server mode using the <tt>iburst</tt> option in order to quickly authenticate the server, calibrate the propagation delay and set the host clock. This normally results in a volley of six client/server exchanges at 2-s intervals during which both the synchronization and cryptographic protocols run concurrently.</p>
+ <p>Following the volley, the server continues in listen-only mode and sends no further messages. If for some reason the broadcast server does not respond to these messages, the client will cease transmission and continue in listen-only mode with a default propagation delay. The volley can be avoided by using the <tt>authdelay</tt> command with nonzero argument.</p>
<p>A server is configured in broadcast mode using the <tt>broadcast</tt> command and specifying the broadcast address of a local interface. If two or more local interfaces are installed with different broadcast addresses, a <tt>broadcast</tt> command is needed for each address. This provides a way to limit exposure in a firewall, for example. A broadcast client is configured using the <tt>broadcastclient</tt> command. </p>
- <p>NTP multicast mode can be used to extend the scope of a timekeeping using IPv4 multicast or IPv6 broadcast with defined span. The IANA has assigned IPv4 multicast address 224.0.1.1 and IPv6 address FF05::101 (site local) to NTP, but these addresses should be used only where the multicast span can be reliably constrained to protect neighbor networks. In general, administratively scoped IPv4 group addresses should be used, as described in RFC-2365, or GLOP group addresses, as described in RFC-2770.</p>
- <p>A multicast server is configured using the <tt>broadcast</tt> command, but specifying a multicast address instead of a broadcast address. A multicast client is configured using the <tt>multicastclient</tt> command specifying a list of one or more multicast addresses. Note that there is a subtle distinction between the IPv4 and IPv6 address families. The IPv4 broadcast or mulitcast mode is determined by the IPv4 class. For IPv6 the same distinction can be made using the link-local prefix FF02 for each interface and site-local prefix FF05 for all interfacesl.</p>
- <p>In both broadcast and multicast versions the client association is demobilized in case of timeout.</p>
+ <p>NTP multicast mode can be used to extend the scope using IPv4 multicast or IPv6 broadcast with defined span. The IANA has assigned IPv4 multicast address 224.0.1.1 and IPv6 address FF05::101 (site local) to NTP, but these addresses should be used only where the multicast span can be reliably constrained to protect neighbor networks. In general, administratively scoped IPv4 group addresses should be used, as described in RFC-2365, or GLOP group addresses, as described in RFC-2770.</p>
+ <p>A multicast server is configured using the <tt>broadcast</tt> command, but specifying a multicast address instead of a broadcast address. A multicast client is configured using the <tt>multicastclient</tt> command specifying a list of one or more multicast addresses. Note that there is a subtle distinction between the IPv4 and IPv6 address families. The IPv4 broadcast or mulitcast mode is determined by the IPv4 class. For IPv6 the same distinction can be made using the link-local prefix FF02 for each interface and site-local prefix FF05 for all interfaces.</p>
+ <p>It is possible and frequently useful to configure a host as both broadcast client and broadcast server. A number of hosts configured this way and sharing a common broadcast address will automatically organize themselves in an optimum configuration based on stratum and synchronization distance.</p>
+ <p>Since an intruder can impersonate a broadcast server and inject false time values, broadcast mode should always be cryptographically authenticated. By default, a broadcast association will not be mobilized unless cryptographically authenticated. If necessary, the <tt>auth</tt> option of the <tt>disable</tt> command will disable this feature. The feature can be selectively enabled using the <tt>notrust</tt> option of the <tt>restrict</tt> command.</p>
+ <p>With symmetric key cryptography each broadcast server can use the same or different keys. In one scenario on a broadcast LAN, a set of broadcast clients and servers share the same key along with another set that share a different key. Only the clients with matching key will respond to a server broadcast.</p>
+ <p>Public key cryptography can be used with some restrictions. If multiple servers belonging to different secure groups share the same broadcast LAN, the clients on that LAN must have the client keys for all of them. This scenario is illustrated in the example on the <a href="authopt.html">Authentication Options</a> page.</p>
<h4 id="mcst">Manycast Scheme</h4>
- <p>Manycast is a automatic server discovery and configuration paradigm new to NTPv4. It is intended as a means for a client to troll the nearby network neighborhood to find cooperating servers, validate them using cryptographic means and evaluate their time values with respect to other servers that might be lurking in the vicinity. It uses the grab-n'-drop paradigm with the additional feature that active means are used to grab additional servers should the number of survivors fall below the <tt>minclock</tt> threshold.</p>
+ <p>Manycast is a automatic server discovery and configuration paradigm new to NTPv4. It is intended as a means for a client to troll the nearby network neighborhood to find cooperating servers, validate them using cryptographic means and evaluate their time values with respect to other servers that might be lurking in the vicinity. It uses the grab-n'-drop paradigm with the additional feature that active means are used to grab additional servers should the number of survivors fall below the <tt>minclock</tt> option of the <tt>tos</tt> command.</p>
<p>The manycast paradigm is not the anycast paradigm described in RFC-1546, which is designed to find a single server from a clique of servers providing the same service. The manycast paradigm is designed to find a plurality of redundant servers satisfying defined optimality criteria.</p>
- <p>A manycast clients is configured using the <tt>manycastclient</tt> configuration command, which is similar to the <tt>server</tt> configuration command. It sends ordinary client mode messages, but with a broadcast address rather than a unicast address and sends only if less than <tt>minclock</tt> survivors remain and then only at the minimum feasible rate and minimum feasible time-to-live (TTL) hops. The polling strategy is designed to reduce as much as possible the volume of broadcast messages and the effects of implosion due to near-simultaneous arrival of manycast server messages. There can be as many manycast client associations as different addresses, each one serving as a template for a future unicast client/server association.</p>
+ <p>A manycast clients is configured using the <tt>manycastclient</tt> configuration command, which is similar to the <tt>server</tt> configuration command. It sends ordinary client mode messages, but with a broadcast address rather than a unicast address and sends only if less than <tt>minclock</tt> associateons remain and then only at the minimum feasible rate and minimum feasible time-to-live (TTL) hops. The polling strategy is designed to reduce as much as possible the volume of broadcast messages and the effects of implosion due to near-simultaneous arrival of manycast server messages. There can be as many manycast client associations as different addresses, each one serving as a template for a future unicast client/server association.</p>
<p>A manycast server is configured using the <tt>manycastserver</tt> command, which listens on the specified broadcast address for manycast client messages. If a manycast server is in scope of the current TTL and is itself synchronized to a valid source and operating at a stratum level equal to or lower than the manycast client, it replies with an ordinary unicast server message.</p>
<p>The manycast client receiving this message mobilizes a preemptable client association according to the matching manycast client template, but only if cryptographically authenticated and the server stratum is less than or equal to the client stratum. </p>
- <p>It is possible and frequently useful to configure a host as both manycast client and manycast server. A number of hosts configured this way and sharing a common group address will automatically organize themselves in an optimum configuration based on stratum and synchronization distance.</p>
+ <p>It is possible and frequently useful to configure a host as both manycast client and manycast server. A number of hosts configured this way and sharing a common multicast group address will automatically organize themselves in an optimum configuration based on stratum and synchronization distance.</p>
+ <p>The use of cryptograpic authentication is always a good idea in any server descovery scheme. Both symmetric key and public key cryptography can be used in the same scenarios as described above for the broadast/multicast scheme.</p>
<h4 id="pool">Server Pool Scheme</h4>
- <p>The idea of targeting servers on a random basis to distribute and balance the load is not a new one; however, the NTP pool scheme puts this on steroids. At present, several hundred operators around the globe have volunteered their servers for public access. In general, NTP is a lightweight service and servers used for other purposes don't mind an additional small load. The trick is to randomize over the population and minimize the load on any one server while retaining the advantages of multiple servers with the NTP mitigation algorithms.</p>
- <p>To support this service the DNS for some volunteer servers as been modified to collect a number of the volunteer servers and return a randomized list in response to a query. The client receiving this list modbilizes some or all of them just as in the other discovery schemes and casts off the excess.</p>
- <p>The pool scheme is configured using one or <tt>pool</tt> commands with the DNS name <tt><i>region</i>.pool.ntp.org</tt>, where <tt><i>region</i></tt> is a region of the world, country of the region or state of the country or even the whole world if absent. The <tt>pool</tt> command can be used more than once; duplicate servers are detected and discarded. In principle, it is possible to use a configuration file containing a single line <tt>pool.ntp.org</tt>.</p>
+ <p>The idea of targeting servers on a random basis to distribute and balance the load is not a new one; however, the NTP pool scheme puts this on steroids. At present, several hundred operators around the globe have volunteered their servers for public access. In general, NTP is a lightweight service and servers used for other purposes don't mind an additional small load. The trick is to randomize over the population and minimize the load on any one server while retaining the advantages of multiple servers using the NTP mitigation algorithms.</p>
+ <p>To support this service the DNS for some volunteer servers as been modified to collect a number of other volunteer servers and return a randomized list in response to a DNS query. The client receiving this list modbilizes some or all of them just as in the other discovery schemes and casts off the excess.</p>
+ <p>The pool scheme is configured using one or <tt>pool</tt> commands with the DNS name <tt><i>region</i>.pool.ntp.org</tt>, where <tt><i>region</i></tt> is a region of the world, country of the region or state of the country or even the whole world if absent. The <tt>pool</tt> command can be used more than once; duplicate servers are detected and discarded. In principle, it is possible to use a configuration file containing a single line <tt>pool pool.ntp.org</tt>.</p>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
<h3>Miscellaneous Options</h3>
<img src="pic/boom3.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>We have three, now looking for more.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:43</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="296">Saturday, February 02, 2008</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">23:15</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="289">Wednesday, March 12, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/miscopt.txt"></script>
<hr>
<dl>
- <dt><tt>broadcastdelay <i>seconds</i></tt>
- <dd>The broadcast and multicast modes require a special calibration to determine the network delay between the local and remote servers. Ordinarily, this is done automatically by the initial protocol exchanges between the client and server. In some cases, the calibration procedure may fail due to network or server access controls, for example. This command specifies the default delay to be used under these circumstances. Typically (for Ethernet), a number between 0.003 and 0.007 seconds is appropriate. The default when this command is not used is 0.004 seconds.
-
- <dt><tt>driftfile <i>driftfile</i> { <i>tolerance</i> ]</tt>
- <dd>This command specifies the complete path and name of the file used to record the frequency of the local clock oscillator. This is the same operation as the <tt>-f</tt> command linke option. If the file exists, it is read at startup in order to set the initial frequency and then updated once per hour with the current frequency computed by the daemon. If the file name is specified, but the file itself does not exist, the starts with an initial frequency of zero and creates the file when writing it for the first time. If this command is not given, the daemon will always start with an initial frequency of zero.
+ <dt id="broadcastdelay"><tt>broadcastdelay <i>seconds</i></tt>
+ <dd>The broadcast and multicast modes require a special calibration to determine the network delay between the local and remote servers. Ordinarily, this is done automatically by the initial protocol exchanges between the client and server. In some cases, the calibration procedure may fail due to network or server access controls, for example. This command specifies the default delay to be used under these circumstances. Typically (for Ethernet), a number between 0.003 and 0.007 seconds is appropriate.
+ <dt id="driftfile"><tt>driftfile <i>driftfile</i> { <i>tolerance</i> ]</tt>
+ <dd>This command specifies the complete path and name of the file used to record the frequency of the local clock oscillator. This is the same operation as the <tt>-f</tt> command linke option. If the file exists, it is read at startup in order to set the initial frequency and then updated once per hour or more with the current frequency computed by the daemon. If the file name is specified, but the file itself does not exist, the starts with an initial frequency of zero and creates the file when writing it for the first time. If this command is not given, the daemon will always start with an initial frequency of zero.
<p>The file format consists of a single line containing a single floating point number, which records the frequency offset measured in parts-per-million (PPM). The file is updated by first writing the current drift value into a temporary file and then renaming this file to replace the old version. This implies that <tt>ntpd</tt> must have write permission for the directory the drift file is located in, and that file system links, symbolic or otherwise, should be avoided.</p>
-
-<p>The parameter <tt>tolerance</tt> is the wander threshold to skip writing the new value. If the value of wander computed from recent frequency changes is greater than this threshold the file will be updated once per hour. If below the threshold, the file will not be written.</p>
-<dt><tt>enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]</tt><br>
+ <p>The parameter <tt>tolerance</tt> is the wander threshold to skip writing the new value. If the value of wander computed from recent frequency changes is greater than this threshold the file will be updated once per hour. If below the threshold, the file will not be written.</p>
+ <dt id="enable"><tt>enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]</tt><br>
<tt>disable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]</tt>
<dd>Provides a way to enable or disable various system options. Flags not mentioned are unaffected. Note that all of these flags can be controlled remotely using the <a href="ntpdc.html"><tt>ntpdc</tt></a> utility program.
<dl>
<dt><tt>stats</tt>
<dd>Enables the statistics facility. See the <a href="monopt.html">Monitoring Options</a> page for further information. The default for this flag is disable
</dl>
- <dt><tt>includefile <i>includefile</i></tt>
+ <dt id="includefile"><tt>includefile <i>includefile</i></tt>
<dd>This command allows additional configuration commands to be included from a separate file. Include files may be nested to a depth of five; upon reaching the end of any include file, command processing resumes in the previous configuration file. This option is useful for sites that run <tt>ntpd</tt> on multiple hosts, with (mostly) common options (e.g., a restriction list).
- <dt><tt>leapfile <i>leapfile</i></tt>
+ <dt id="leapfile"><tt>leapfile <i>leapfile</i></tt>
<dd>This command loads the NIST leapseconds file and initializes the leapsecond values for the next leapsecond time, expiration time and TAI offset. The file can be obtained directly from NIST national time servers using <tt>ftp</tt> as the ASCII file <tt>pub/leap-seconds</tt>.
<p>While not strictly a security function, the Autokey protocol provides means to securely retrieve the current or updated leapsecond values from a server.</p>
-
- <dt><tt>logconfig <i>configkeyword</i></tt>
+ <dt id="logconfig"><tt>logconfig <i>configkeyword</i></tt>
<dd>This command controls the amount and type of output written to the system <tt>syslog</tt> facility or the alternate <tt>logfile</tt> log file. All <i><tt>configkeyword</tt></i> keywords can be prefixed with <tt>=</tt>, <tt>+</tt> and <tt>-</tt>, where <tt>=</tt> sets the <tt>syslogmask</tt>, <tt>+</tt> adds and <tt>-</tt> removes messages. <tt>syslog messages</tt> can be controlled in four classes (<tt>clock</tt>, <tt>peer</tt>, <tt>sys</tt> and <tt>sync</tt>). Within these classes four types of messages can be controlled: informational messages (<tt>info</tt>), event messages (<tt>events</tt>), statistics messages (<tt>statistics</tt>) and status messages (<tt>status</tt>).
<p>Configuration keywords are formed by concatenating the message class with the event class. The <tt>all</tt> prefix can be used instead of a message class. A message class may also be followed by the <tt>all</tt> keyword to enable/disable all messages of the respective message class. By default, <tt>logconfig</tt> output is set to <tt>allsync</tt>.
- <p>Thus, a minimal log configuration could look like this:</p>
+ </p>
+ <p>Thus, a minimal log configuration could look like this:</p>
<p><tt>logconfig=syncstatus +sysevents</tt></p>
<dl>
<dd>
<p>This would just list the synchronizations state of <tt>ntpd</tt> and the major system events. For a simple reference server, the following minimum message configuration could be useful:</p>
-
</dl>
-
<dd>
<p><tt>logconfig=allsync +allclock</tt></p>
<dl>
<dd>
<p>This configuration will list all clock information and synchronization information. All other events and messages about peers, system events and so on is suppressed.</p>
-
</dl>
- <dt><tt>logfile <i>logfile</i></tt>
- <dl>
- <dd>
- <p>This command specifies the location of an alternate log file to be used instead of the default system <tt>syslog</tt> facility. This is the same operation as the <tt>-l </tt>command line option.</p>
-
- </dl>
- <dt><tt>phone <i>dial</i>1 <i>dial</i>2 ...</tt>
- <dl>
- <dd>This command is used in conjunction with the ACTS modem driver (type 18). The arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services. The Hayes command ATDT is normally prepended to the number, which can contain other modem control codes as well.
- </dl>
- <dt><tt>setvar <i>variable</i> [default]</tt>
+ <dt id="logfile"><tt>logfile <i>logfile</i></tt>
+ <dd>This command specifies the location of an alternate log file to be used instead of the default system <tt>syslog</tt> facility. This is the same operation as the <tt>-l </tt>command line option.
+ <dt id="phone"><tt>phone <i>dial</i>1 <i>dial</i>2 ...</tt>
+ <dd>This command is used in conjunction with the ACTS modem driver (type 18). The arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services. The Hayes command ATDT is normally prepended to the number, which can contain other modem control codes as well.
+ <dt id="setvar"><tt>setvar <i>variable</i> [default]</tt>
<dd>This command adds an additional system variable. These variables can be used to distribute additional information such as the access policy. If the variable of the form <tt><i>name</i> = <i>value</i></tt> is followed by the <tt>default</tt> keyword, the variable will be listed as part of the default system variables (<tt>ntpq rv</tt> command). These additional variables serve informational purposes only. They are not related to the protocol other that they can be listed. The known protocol variables will always override any variables defined via the <tt>setvar</tt> mechanism. There are three special variables that contain the names of all variable of the same group. The <tt>sys_var_list</tt> holds the names of all system variables. The <tt>peer_var_list</tt> holds the names of all peer variables and the <tt>clock_var_list</tt> holds the names of the reference clock variables.
- <dt><tt>tinker [ allan <i>allan</i> | dispersion <i>dispersion</i> | freq <i>freq</i> | huffpuff <i>huffpuff</i> | panic <i>panic</i> | step <i>step</i> | stepout <i>stepout</i> ]</tt>
- <dd>This command can be used to alter several system variables in very exceptional circumstances. It should occur in the configuration file before any other configuration options. The default values of these variables have been carefully optimized for a wide range of network speeds and reliability expectations. In general, they interact in intricate ways that are hard to predict and some combinations can result in some very nasty behavior. Very rarely is it necessary to change the default values; but, some folks can't resist twisting the knobs anyway and this command is for them. Emphasis added: twisters are on their own and can expect no help from the support group.
- <p>The variables operate as follows:</p>
+ <dt id="tinker"><tt>tinker [ allan <i>allan</i> | dispersion <i>dispersion</i> | freq <i>freq</i> | huffpuff <i>huffpuff</i> | panic <i>panic</i> | step <i>step</i> | stepout <i>stepout</i> ]</tt>
+ <dd>This command alters certain system variables used by the clock discipline algorithm. The default values of these variables have been carefully optimized for a wide range of network speeds and reliability expectations. Very rarely is it necessary to change the default values; but, some folks can't resist twisting the knobs. The options are as follows:
+ <p><tt>allan <i>allan</i></tt></p>
<dl>
- <dt><tt>allan <i>allan</i></tt>
- <dd>The argument becomes the new value for the Allan intercept, which is a parameter of the PLL/FLL clock discipline algorithm. The value is in seconds with default 1500 s, which is appropriate for most computer clocks.<dt><tt>dispersion <i>dispersion</i></tt>
- <dd>The argument becomes the new value for the dispersion increase rate, normally .000015 s/s.
- <dt><tt>freq <i>freq</i></tt>
- <dd>The argument becomes the initial value of the frequency offset in parts-per-million. This overrides the value in the frequency file, if present, and avoids the initial training state if it is not.
- <dt><tt>huffpuff <i>huffpuff</i></tt>
- <dd>The argument becomes the new value for the experimental huff-n'-puff filter span, which determines the most recent interval the algorithm will search for a minimum delay. The lower limit is 900 s (15 m), but a more reasonable value is 7200 (2 hours). There is no default, since the filter is not enabled unless this command is given.
- <dt><tt>panic <i>panic</i></tt>
- <dd>The argument is the panic threshold, by default 1000 s. If set to zero, the panic sanity check is disabled and a clock offset of any value will be accepted.
- <dt><tt>step <i>step</i></tt>
- <dd>The argument is the step threshold, by default 0.128 s. It can be set to any positive number in seconds. If set to zero, step adjustments will never occur. Note: The kernel time discipline is disabled if the step threshold is set to zero or greater than the default.
- <dt><tt>stepout <i>stepout</i></tt>
- <dd>The argument is the stepout timeout, by default 900 s. It can be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed.
- </dl>
- <dt><tt>tos [ ceiling <i>ceiling</i> | cohort {0 | 1} | floor <i>floor</i> | orphan <i>orphan</i> | maxdistance <i>maxdistance</i> | minclock <i>minclock</i> | minsane <i>minsane</i> ]</tt>
- <dd>This command affects the clock selection and clustering algorithms. It can be used to select the quality and quantity of peers used to synchronize the system clock and is most useful in manycast mode. The variables operate as follows:
- <dl> <dt><tt>beacon <i>beacon</i></tt>
- <dd>The manycast server sends packets at intervals of 64 s if less than <i><tt>maxclock</tt></i> servers are available. Otherwise, it sends packets at the <i><tt>beacon</tt></i> interval in seconds. The default is 3600 s.<dt><tt>ceiling <i>ceiling</i></tt>
- <dd>Servers with stratum at or above <i>ceiling</i> will be discarded if there are at least <i><tt>minclock</tt></i> peers remaining. This value defaults to 15, but can be changed to any number from 1 to 15.
- <dt><tt>cohort { 0 | 1 }</tt>
- <dd>This is a binary flag which enables (0) or disables (1) manycast server replies to manycast clients with the same stratum level. This is useful to reduce implosions where large numbers of clients with the same stratum level are present. The default is to enable these replies.
- <dt><tt>floor <i>floor</i></tt>
- <dd>Peers with strata below <i>floor</i> will be discarded if there are at least <i>minclock</i> peers remaining. This value defaults to 1, but can be changed to any number from 1 to 15.
- <dt><tt>orphan <i>stratum</i></tt>
- <dd>If <tt><i>stratum</i></tt> is set at some value less than 16 a special orphan mode is enterred when no outside source of synchronization is available. To use orphan mode a number of participants are identically configured both as broadcast client and as broadcast server. One or more participants are configured to use an outside source, either a reference clock or another Internet server. When the source or sources fail, the system stratum is set at <tt><i>stratum</i></tt> and a leader is elected to serve as the reference source. When an outside source of synchronization is again available, the orphan mode is disabled.<dt><tt>mindist <i>mindistance</i></tt>
- <dd>The slection algorithm normally pads each intersection a minimum of one millisecond to avoid needless classification. In some cases, such as reference clocks with high jitter and a PPS signal, it is useful to increase the padding. This command can be used for that purpose. As a general rule, set the mindistance to the maximum expected offset plus the maxiumum expected jitter, in seconds.
+ <dd>Spedifies the Allan intercept, which is a parameter of the PLL/FLL clock discipline algorithm, in seconds with default 1500 s.
+ <dt><tt>dispersion <i>dispersion</i></tt>
+ <dd>Specifies the dispersion increase rate in parts-per-million (PPM) with default 15 PPM.<dt><tt>freq <i>freq</i></tt>
+ <dd>Spedifies the frequency offset in parts-per-million (PPM) with default the value in the frequency file.<dt><tt>huffpuff <i>huffpuff</i></tt>
+ <dd>Spedifies the huff-n'-puff filter span, which determines the most recent interval the algorithm will search for a minimum delay. The lower limit is 900 s (15 m), but a more reasonable value is 7200 (2 hours).<dt><tt>panic <i>panic</i></tt>
+ <dd>Spedifies the panic threshold in seconds with default 1000 s. If set to zero, the panic sanity check is disabled and a clock offset of any value will be accepted.<dt><tt>step <i>step</i></tt>
+ <dd>Spedifies the step threshold in seconds with default 0.128 s. If set to zero, step adjustments will never occur. Note: The kernel time discipline is disabled if the step threshold is set to zero or greater than the default.<dt><tt>stepout <i>stepout</i></tt>
+ <dd>Specifies the stepout threshold in seconds with default 900 s. It If set to zero, popcorn spikes will not be suppressed.</dl>
+ <dt id="tos"><tt>tos [ beacon <i>beacon</i> | ceiling <i>ceiling</i> | cohort {0 | 1} | floor <i>floor</i> | maxclock <i>maxclock </i>| maxdist <i>maxdist</i> | minclock <i>minclock</i> | mindist <i>mindist </i>| minsane <i>minsane</i> | orphan <i>stratum</i> ]</tt> <dd>This command alters certain system variables used by the the clock selection and clustering algorithms. The default values of these variables have been carefully optimized for a wide range of network speeds and reliability expectations. Very rarely is it necessary to change the default values; but, some folks can't resist twisting the knobs. It can be used to select the quality and quantity of peers used to synchronize the system clock and is most useful in dynamic server discovery schemes. The options are as follows:
+ <dl>
+ <dt><tt>beacon <i>beacon</i></tt>
+ <dd>The manycast server sends packets at intervals of 64 s if less than <tt>maxclock</tt> servers are available. Otherwise, it sends packets at the <i><tt>beacon</tt></i> interval in seconds. The default is 3600 s. See the <a href="manyopt.html">Automatic Server Discovery</a> page for further details. <dt><tt>ceiling <i>ceiling</i></tt>
+ <dd>Specify the maximum stratum (exclusive) for acceptable server packets. The default is 16. See the <a href="manyopt.html">Automatic Server Discovery</a> page for further details. <dt><tt>cohort { 0 | 1 }</tt>
+ <dd>Specify whether (1) or whether not (0) a server packet will be accepted for the same stratum as the client. The default is 0. See the <a href="manyopt.html">Automatic Server Discovery</a> page for further details.
+ <dt><tt>floor <i>floo r</i></tt>
+ <dd>Specify the minimum stratum (inclusive) for acceptable server packest. The default is 1. See the <a href="manyopt.html">Automatic Server Discovery</a> page for further details.
+ <dt><tt>maxclock <i>maxclock</i></tt> <dd>Specify the maximum number of servers retained by the server discovery schemes. The default is 10. See the <a href="manyopt.html">Automatic Server Discovery</a> page for further details.
<dt><tt>maxdist <i>maxdistance</i></tt>
- <dd>The selection algorithm accumulates a number of packets before setting the clock in order to use the best data available. The number is determined by the synchronization distance for each association and a limit called the distance threshold. The synchronization distance starts at 16, then drops by a factor of about two as each packet is received. The default distance threshold is 1.0, which usually results in four packets. Setting maxdistance to some value between 1 and 16 can be used to change the number of packets required. For instance, setting it to 16 will set the clock on the first packet received; howver, setting it to this value essentially disables the mitigation and grooming algorithms.
- <dt><tt>minclock <i>minclock</i></tt>
- <dd>The clustering algorithm repeatedly casts out outlyer associations until no more than <i>minclock</i> associations remain. This value defaults to 3, but can be changed to any number from 1 to the number of configured sources.
- <dt><tt>minsane <i>minsane</i></tt>
- <dd>This is the minimum number of candidates available to the clock selection algorithm in order to produce one or more truechimers for the clustering algorithm. If fewer than this number are available, the clock is undisciplined and allowed to run free. The default is 1 for legacy purposes. However, according to principles of Byzantine agreement, <i>minsane</i> should be at least 4 in order to detect and discard a single falseticker.
- </dl>
- <dt><tt>ttl <i>hop</i> ...</tt>
- <dd>This command specifies a list of TTL values in increasing order. up to 8 values can be specified. In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31.
- <dt><tt>trap <i>host_address</i> [port <i>port_number</i>] [interface <i>interface_address</i>]</tt>
+ <dd>Specify the synchronization distance threshold used by the clock selection algorithm. The default is 1.5 s. This determines both the minimum number of packets to set the system clock and the maximum roundtrip delay. It can be decreased to improve reliability or increased to synchronize clocks on the Moon or planets.<dt><tt>minclock <i>minclock</i></tt>
+ <dd>Specify the number of servers used by the clustering algorithm as the minimum to include on the candidate list. The default is 3. This is also the number of servers to be averaged by the combining algorithm.<dt><tt>mindist <i>mindistance</i></tt>
+ <dd>Specify the increment used by the selection algorithm to augment the correctness interval. The default is .005 s. In some cases, such as reference clocks with high jitter and a PPS signal, it is useful to increase the increment to insure the intersection interval is always nonempty.<dt><tt>minsane <i>minsane</i></tt>
+ <dd>Specify the number of servers used by the selection algorithm as the minimum to set the system clock. The default is 1 for legacy purposes; however, for critical applications the value should be somewhat higher but less than <tt>minclock</tt>.
+ <dt><tt>orphan <i>stratum</i></tt>
+ <dd>Specify the orphan stratum with default 16. If less than 16 this is the stratum assumed by the root servers. See the <a href="assoc.html">Association Management</a> page for further details.
+ </dl><dt id="trap"><tt>trap <i>host_address</i> [port <i>port_number</i>] [interface <i>interface_address</i>]</tt>
<dd>This command configures a trap receiver at the given host address and port number for sending messages with the specified local interface address. If the port number is unspecified, a value of 18447 is used. If the interface address is not specified, the message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes.
<p>The trap receiver will generally log event messages and other information from the server in a log file. While such monitor programs may also request their own trap dynamically, configuring a trap receiver will ensure that no messages are lost when the server is started.</p>
- <dt><tt>ttl <i>hop</i> ...</tt>
+ <dt id="ttl"><tt>ttl <i>hop</i> ...</tt>
<dd>This command specifies a list of TTL values in increasing order. up to 8 values can be specified. In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31.
</dl>
-
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
<body>
<h3>Monitoring Options</h3>
<img src="pic/pogo8.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
- <p>The pig watches the logs.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">22:27</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="267">Friday, February 01, 2008</csobj></p>
+ <p>Pig was hired to watch the logs.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:47</csobj> UTC <csobj format="LongDate" h="25" locale="00 000409" region="0" t="DateTime" w="0"></csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/monopt.txt"></script>
<h4>Table of Contents</h4>
<ul>
<li class="inline"><a href="#intro">introduction</a>
<li class="inline"><a href="#cmd">Monitoring Options</a>
<li class="inline"><a href="#types">File Set Types</a>
- </ul> <hr>
+ </ul>
+ <hr>
<h4 id="intro">Introduction</h4>
- <p><tt>ntpd</tt> includes a comprehensive monitoring facility which collects statistical data of various types and writes the data to files associated with each type at defined intervals. The files associated with a particular type are collectively called the generation file set for that type. The files in the file set are the members of that set.<p>File sets have names specific to the type and generation epoch. The names are constructed from three concatenated elements <i><tt>prefix</tt></i>, <i><tt>filename</tt></i> and <i><tt>suffix</tt></i>:</p>
+ <p>The <tt>ntpd</tt> includes a comprehensive monitoring facility which collects statistical data of various types and writes the data to files associated with each type at defined events or intervals. The files associated with a particular type are collectively called the generation file set for that type. The files in the file set are the members of that set.</p>
+ <p>File sets have names specific to the type and generation epoch. The names are constructed from three concatenated elements <i><tt>prefix</tt></i>, <i><tt>filename</tt></i> and <i><tt>suffix</tt></i>:</p>
<dl>
- <dd><i><tt>prefix</tt></i>
+ <dt><i><tt>prefix</tt></i>
<dd>The directory path specified in the <tt>statsdir</tt> command.
+
<dt><i><tt>name</tt></i>
<dd>The name specified by the <tt>file</tt> option of the <tt>filegen</tt> command.
+
<dt><i><tt>suffix</tt></i>
- <dd>A string of elements bdginning with . (dot) followed by a string of elementes depending on the particular file set type.
+ <dd>A string of elements bdginning with . (dot) followed by a number of elements depending on the file set type.
</dl>
<p>Statistics files can be managed using scripts, examples of which are in the <tt>./scripts</tt> directory. Using these or similar scripts and Unix <tt>cron</tt> jobs, the files can be automatically summarized and archived for retrospective analysis.</p>
<h4 id="cmd">Monitoring Commands</h4>
<dl>
- <dd><tt>filegen <i>name</i> file <i>filename</i> [type <i>type</i>] [link | nolink] [enable | disable]</tt>
- <dl>
- <dt><i><tt>name</tt></i>
- <dd>Specifies the file set type from the list in the next section.
- <dt><tt>file <i>filename</i></tt>
- <dd>Specfies the file set name.
- <dt><tt>type <i>typename</i></tt>
- <dd>Specifies the file set interval. The following intervals are supported with default <tt>day</tt>:
+ <dt id="filegen"><tt>filegen <i>name</i> file <i>filename</i> [type <i>type</i>] [link | nolink] [enable | disable]</tt>
+ <dd>
<dl>
- <dt><tt>none</tt>
- <dd>The file set is actually a single plain file.
- <dt><tt>pid</tt>
- <dd>One file set member is created for every incarnation of <tt>ntpd</tt>. . The file name suffix is the string .<tt>n</tt>, where <tt>n</tt> is the process ID of the <tt>ntpd</tt> server process.
- <dt><tt>day</tt>
- <dd>One file set member is created per day. A day is defined as the period between 00:00 and 24:00 UTC. The file name suffix is the string .<tt>yyyymmdd</tt>, where <tt>yyyy</tt> is the year, <tt>mm</tt> the month of the year and <tt>dd</tt> the day of the month. Thus, member created on 10 December 1992 would have suffix <tt>.19921210</tt>.
- <dt><tt>week</tt>
- <dd>One file set member is created per week. The week is defined as the day of year modulo 7. The file name suffix is the string .<tt>yyyyWww</tt>, where <tt>yyyy</tt> is the year, <tt>W</tt> stands for itself and <tt>ww</tt> the week number. For example, The member created on 10 January 1992 would have suffix <tt>.1992W1</tt>.
- <dt><tt>month</tt>
- <dd>One file set member is created per month. The file name suffix is the string .<tt>yyyymm</tt>, where <tt>yyyy</tt> is the year and <tt>mm</tt> the month of the year. For example, The member created on 10 January 1992 would have suffix <tt>.199201</tt>.
- <dt><tt>year</tt>
- <dd>One file set member is generated per year. The file name suffix is the string .<tt>yyyy</tt>, where <tt>yyyy</tt> is the year. For example, The member created on 1 January 1992 would have suffix <tt>.1992</tt>.<dt><tt>age</tt>
- <dd>One file set member is generated every 24 hours of <tt>ntpd</tt> operation. The filename suffix is the string <tt>.adddddddd</tt>, where <tt>a</tt> stands for itself and <tt>dddddddd</tt> is the <tt>ntpd</tt> running time in seconds at the start of the corresponding 24-hour period.
+ <dt><i><tt>name</tt></i>
+ <dd>Specifies the file set type from the list in the next section.
+
+ <dt><tt>file <i>filename</i></tt>
+ <dd>Specfies the file set name.
+
+ <dt><tt>type <i>typename</i></tt>
+ <dd>Specifies the file set interval. The following intervals are supported with default <tt>day</tt>:
+ <dl>
+ <dt><tt>none</tt>
+ <dd>The file set is actually a single plain file.
+
+ <dt><tt>pid</tt>
+ <dd>One file set member is created for every incarnation of <tt>ntpd</tt>. The file name suffix is the string .<tt>n</tt>, where <tt>n</tt> is the process ID of the <tt>ntpd</tt> server process.
+
+ <dt><tt>day</tt>
+ <dd>One file set member is created per day. A day is defined as the period between 00:00 and 23:59 UTC. The file name suffix is the string .<tt>yyyymmdd</tt>, where <tt>yyyy</tt> is the year, <tt>mm</tt> the month of the year and <tt>dd</tt> the day of the month. Thus, member created on 10 December 1992 would have suffix <tt>.19921210</tt>.
+
+ <dt><tt>week</tt>
+ <dd>One file set member is created per week. The week is defined as the day of year modulo 7. The file name suffix is the string .<tt>yyyyWww</tt>, where <tt>yyyy</tt> is the year, <tt>W</tt> stands for itself and <tt>ww</tt> the week number starting from 0. For example, The member created on 10 January 1992 would have suffix <tt>.1992W1</tt>.
+
+ <dt><tt>month</tt>
+ <dd>One file set member is created per month. The file name suffix is the string .<tt>yyyymm</tt>, where <tt>yyyy</tt> is the year and <tt>mm</tt> the month of the year starting from 1. For example, The member created on 10 January 1992 would have suffix <tt>.199201</tt>.
+
+ <dt><tt>year</tt>
+ <dd>One file set member is generated per year. The file name suffix is the string .<tt>yyyy</tt>, where <tt>yyyy</tt> is the year. For example, The member created on 1 January 1992 would have suffix <tt>.1992</tt>.
+
+ <dt><tt>age</tt>
+ <dd>One file set member is generated every 24 hours of <tt>ntpd</tt> operation. The filename suffix is the string <tt>.adddddddd</tt>, where <tt>a</tt> stands for itself and <tt>dddddddd</tt> is the <tt>ntpd</tt> running time in seconds at the start of the corresponding 24-hour period.
+
+ </dl>
+ <dt><tt>link | nolink</tt>
+ <dd>It is convenient to be able to access the current file set members by file name, but without the suffix. This feature is enabled by <tt>link</tt> and disabled by <tt>nolink</tt>. If enabled, which is the default, a hard link from the current file set member to a file without suffix is created. When there is already a file with this name and the number of links to this file is one, it is renamed by appending a dot, the letter <tt>C</tt>, and the pid of the <tt>ntpd</tt> server process. When the number of links is greater than one, the file is unlinked. This allows the current file to be accessed by a constant name.
+
+ <dt><tt>enable | disable</tt>
+ <dd>Enable or disable the recording function, with default <tt>enable</tt>. These options are intended for remote configutation commands.
+
</dl>
- <dt><tt>link | nolink</tt>
- <dd>It is convenient to be able to access the current file set members by file name, but without the suffix. This feature is enabled by <tt>link</tt> and disabled by <tt>nolink</tt>. If enabled, which is the default, a hard link from the current file set member to a file without suffix is created. When there is already a file with this name and the number of links to this file is one, it is renamed by appending a dot, the letter <tt>C</tt>, and the pid of the <tt>ntpd</tt> server process. When the number of links is greater than one, the file is unlinked. This allows the current file to be accessed by a constant name.
- <dt><tt>enable | disable</tt>
- <dd>Enable or disable the recording function, with default <tt>enable</tt>. These options are intended for remote configutation commands.
- </dl>
<dt><tt>statsdir <i>directory_path</i></tt>
<dd>Specify the directory path prefix for statistics file names.
+
</dl>
<h4 id="types">File Set Types</h4>
- <dl> <dt><tt>clockstats</tt>
- <dd>Record reference clock statistics. Each update received from a reference clock driver appends one line to the <tt>clockstats</tt> file set:<dd><tt>49213 525.624 127.127.4.1 93 226 00:08:29.606 D</tt>
+ <dl>
+ <dt><tt>clockstats</tt>
+ <dd>Record reference clock statistics. Each update received from a reference clock driver appends one line to the <tt>clockstats</tt> file set:
+
+ <dd><tt>49213 525.624 127.127.4.1 93 226 00:08:29.606 D</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>49213</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>525.624</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>127.127.4.1</tt></td>
+ <td>IP</td>
+ <td>reference clock address</td>
+ </tr>
+ <tr>
+ <td><tt><i>message</i></tt></td>
+ <td>text</td>
+ <td>log message</td>
+ </tr>
+ </table>
+ <dd>The <tt><i>message</i></tt> field includes the last timecode received in decoded ASCII format, where meaningful. In some cases a good deal of additional information is displayed. See information specific to each reference clock for further details.
+
+ <dt><tt>cryptostats</tt>
+ <dd>Record significant events in the Autokey protocol. This option requires the OpenSSL cryptographic software library. Each event appends one line to the <tt>cryptostats</tt> file set:
+ <dd><tt>49213 525.624 128.4.1.1 <i>message</i></tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>49213</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>525.624</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>128.4.1.1</tt></td>
+ <td>IP</td>
+ <td>source address (<tt>0.0.0.0</tt> for system)</td>
+ </tr>
+ <tr>
+ <td><tt><i>message</i></tt></td>
+ <td>text</td>
+ <td>log message</td>
+ </tr>
+ </table>
+ <dd>The <tt><i>message</i></tt> field includes the message type and certain ancillary information. See the <a href="authopt.html">Authentication Options</a> page for further information.
+
+ <dt><tt>loopstats</tt>
+ <dd>Record clock discipline loop statistics. Each system clock update appends one line to the <tt>loopstats</tt> oopstats</tt> file set:
+ <dd><tt>50935 75440.031 0.000006019 13.778 0.000351733 0.013380 6</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>50935</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>75440.031</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>0.000006019</tt></td>
+ <td>s</td>
+ <td>clock offset</td>
+ </tr>
+ <tr>
+ <td><tt>13.778</tt></td>
+ <td>PPM</td>
+ <td>frequency offset</td>
+ </tr>
+ <tr>
+ <td><tt>0.000351733</tt></td>
+ <td>s</td>
+ <td>RMS jitter</td>
+ </tr>
+ <tr>
+ <td><tt>0.013380</tt></td>
+ <td>PPM</td>
+ <td>RMS wander</td>
+ </tr>
+ <tr>
+ <td><tt>6 </tt></td>
+ <td>log<sub>2</sub> s</td>
+ <td>clock discipline loop time constant</td>
+ </tr>
+ </table>
+ <dt><tt>peerstats</tt>
+ <dd>Record peer statistics. Each NTP packet or reference clock update received appends one line to the <tt>peerstats</tt> file set:
+ <dd><tt>48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>48773</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>10847.650</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>127.127.4.1</tt></td>
+ <td>IP</td>
+ <td>source address</td>
+ </tr>
+ <tr>
+ <td><tt>9714</tt></td>
+ <td>hex</td>
+ <td>status word</td>
+ </tr>
+ <tr>
+ <td><tt>-0.001605376</tt></td>
+ <td>s</td>
+ <td>clock offset</td>
+ </tr>
+ <tr>
+ <td><tt>0.000000000 </tt></td>
+ <td>s</td>
+ <td>roundtrip delay</td>
+ </tr>
+ <tr>
+ <td><tt>0.001424877</tt></td>
+ <td>s</td>
+ <td>dispersion</td>
+ </tr>
+ <tr>
+ <td><tt>0.000958674</tt></td>
+ <td>s</td>
+ <td>RMS jitter</td>
+ </tr>
+ </table>
+ <dd>The status field is encoded in hex format as described in Appendix B of the NTP specification RFC 1305.
+
+ <dt><tt>protostats</tt>
+ <dd>Record significant peer, system and clock events. Each significant event appends one line to the <tt>cryptostats</tt> file set:
+ <dd><tt>49213 525.624 128.4.1.1 <i>message</i></tt>
<dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>49213</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>525.624</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>127.127.4.1</tt></td>
- <td>IP</td>
- <td>reference clock address</td>
- </tr>
- <tr>
- <td><tt><i>message</i></tt></td>
- <td>text</td>
- <td>log message</td>
- </tr>
- </table>
- <p>The <tt><i>message</i></tt> field includes the last timecode received in decoded ASCII format, where meaningful. In some cases a good deal of additional information is displayed. See information specific to each reference clock for further details.</p>
- <dt><tt>cryptostats</tt>
- <dd>Record significant events in the Autokey protocol. This option requires the OpenSSL cryptographic software library. Each event of the protocol module appends one line to the <tt>cryptostats</tt> file set:<dd><tt>49213 525.624 128.4.1.1 <i>message</i></tt>
- <dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>49213</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>525.624</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>128.4.1.1</tt></td>
- <td>IP</td>
- <td>source address</td>
- </tr>
- <tr>
- <td><tt><i>message</i></tt></td>
- <td>text</td>
- <td>log message</td>
- </tr>
- </table>
- <p>The <tt><i>message</i></tt> field includes the message type and certain ancillary information. See the <a href="authopt.html">Authentication Options</a> page for further information.</p>
- <dt><tt>loopstats</tt>
- <dd>Record clock disiplilne loop statistics. Each system clock update appends one line to the <tt>loopstats</tt> file set:<dd><tt>50935 75440.031 0.000006019 13.778 0.000351733 0.013380 6</tt>
- <dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>50935</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>75440.031</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>0.000006019</tt></td>
- <td>s</td>
- <td>clock offset</td>
- </tr>
- <tr>
- <td><tt>13.778</tt></td>
- <td>PPM</td>
- <td>frequency offset</td>
- </tr>
- <tr>
- <td><tt>0.000351733</tt></td>
- <td>hex</td>
- <td>RMS jitter</td>
- </tr>
- <tr>
- <td><tt>0.013380</tt></td>
- <td>PPM</td>
- <td>RMS wander</td>
- </tr>
- <tr>
- <td><tt>6 </tt></td>
- <td>log<sub>2</sub> s</td>
- <td>clock discipline loop time constant</td>
- </tr>
- </table>
- <dt><tt>peerstats</tt>
- <dd>Record peer statistics. Each NTP packet or reference clock update received appends one line to the <tt>peerstats</tt> file set:<dd><tt>48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674</tt>
- <dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>48773</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>10847.650</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>127.127.4.1</tt></td>
- <td>IP</td>
- <td>source address</td>
- </tr>
- <tr>
- <td><tt>128.4.1.20</tt></td>
- <td>IP</td>
- <td>destination address</td>
- </tr>
- <tr>
- <td><tt>9714</tt></td>
- <td>hex</td>
- <td>status word</td>
- </tr>
- <tr>
- <td><tt>-0.001605376</tt></td>
- <td>s</td>
- <td>clock offset</td>
- </tr>
- <tr>
- <td><tt>0.000000000 </tt></td>
- <td>s</td>
- <td>roundtrip delay</td>
- </tr>
- <tr>
- <td><tt>0.001424877</tt></td>
- <td>s</td>
- <td>dispersion</td>
- </tr>
- <tr>
- <td><tt>0.000958674</tt></td>
- <td>s</td>
- <td>RMS jitter</td>
- </tr>
- </table>
- <p>The status field is encoded in hex format as described in Appendix B of the NTP specification RFC 1305.</p>
- <dt><tt>rawstats</tt>
- <dd>Record timestamp statistics. Each NTP packet received appends one line to the <tt>rawstats</tt> file set:<dd><tt>50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000</tt>
- <dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>50928</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>2132.543</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>128.4.1.1</tt></td>
- <td>IP</td>
- <td>source address</td>
- </tr>
- <tr>
- <td><tt>128.4.1.20</tt></td>
- <td>IP</td>
- <td>destination address</td>
- </tr>
- <tr>
- <td><tt>3102453281.584327000</tt></td>
- <td>NTP s</td>
- <td>originate timestamp</td>
- </tr>
- <tr>
- <td><tt>3102453281.586228000</tt></td>
- <td>NTP s</td>
- <td>receive timestamp</td>
- </tr>
- <tr>
- <td><tt>3102453332.540806000 </tt></td>
- <td>NTP s</td>
- <td>transmit timestamp</td>
- </tr>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>49213</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>525.624</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>128.4.1.1</tt></td>
+ <td>IP</td>
+ <td>source address (<tt>0.0.0.0</tt> for system)</td>
+ </tr>
+ <tr>
+ <td><tt><i>message</i></tt></td>
+ <td>text</td>
+ <td>log message</td>
+ </tr>
+ </table>
+ <dd>The <tt><i>message</i></tt> field includes the message type and certain ancillary information.
+ <dt><tt>rawstats</tt>
+ <dd>Record timestamp statistics. Each NTP packet received appends one line to the <tt>rawstats</tt> file set:
+
+ <dd><tt>50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>50928</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>2132.543</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>128.4.1.1</tt></td>
+ <td>IP</td>
+ <td>source address</td>
+ </tr>
+ <tr>
+ <td><tt>128.4.1.20</tt></td>
+ <td>IP</td>
+ <td>destination address</td>
+ </tr>
+ <tr>
+ <td><tt>3102453281.584327000</tt></td>
+ <td>NTP s</td>
+ <td>originate timestamp</td>
+ </tr>
+ <tr>
+ <td><tt>3102453281.586228000</tt></td>
+ <td>NTP s</td>
+ <td>receive timestamp</td>
+ </tr>
+ <tr>
+ <td><tt>3102453332.540806000 </tt></td>
+ <td>NTP s</td>
+ <td>transmit timestamp</td>
+ </tr>
<tr>
<td><tt>3102453332.541458000</tt></td>
<td>NTP s</td>
<td>destination timestamp</td>
</tr>
</table>
- <dt><tt>sysstats</tt>
- <dd>Record system statistics. Each hour one line is appended to the <tt>sysstats</tt> file set in the following format:<dd><tt>50928 2132.543 36 81965 0 9546 56 512 540 10 147 1</tt>
- <dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>50928</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>2132.543</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>36</tt></td>
- <td>h</td>
- <td>time since restart</td>
- </tr>
- <tr>
- <td><tt>81965</tt></td>
- <td>#</td>
- <td>total packets received last hour</td>
- </tr>
- <tr>
- <td><tt>0</tt></td>
- <td>#</td>
- <td>packets received for this host last hour</td>
- </tr>
- <tr>
- <td><tt>9546</tt></td>
- <td>#</td>
- <td>current version packets last hour</td>
- </tr>
- <tr>
- <td><tt>56</tt></td>
- <td>#</td>
- <td>previous version packets last hour</td>
- </tr>
- <tr>
- <td><tt>512</tt></td>
- <td>#</td>
- <td>access denied packets last hour</td>
- </tr>
- <tr>
- <td><tt>540</tt></td>
- <td>#</td>
- <td>bad length or format packets last hour</td>
- </tr>
- <tr>
- <td><tt>10</tt></td>
- <td>#</td>
- <td>bad authentication packets last hour</td>
- </tr>
- <tr>
- <td><tt>147</tt></td>
- <td>#</td>
- <td>rate exceeded packets last hour</td>
- </tr>
+ <dt><tt>sysstats</tt>
+ <dd>Record system statistics. Each hour one line is appended to the <tt>sysstats</tt> file set in the following format:
+ <dd><tt>50928 2132.543 3600 81965 0 9546 56 512 540 10 4 147 1</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>50928</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>2132.543</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>3600</tt></td>
+ <td>s</td>
+ <td>time since reset</td>
+ </tr>
+ <tr>
+ <td><tt>81965</tt></td>
+ <td>#</td>
+ <td>packets received</td>
+ </tr>
+ <tr>
+ <td><tt>0</tt></td>
+ <td>#</td>
+ <td>packets for this host</td>
+ </tr>
+ <tr>
+ <td><tt>9546</tt></td>
+ <td>#</td>
+ <td>current versions</td>
+ </tr>
+ <tr>
+ <td><tt>56</tt></td>
+ <td>#</td>
+ <td>old version</td>
+ </tr>
+ <tr>
+ <td><tt>512</tt></td>
+ <td>#</td>
+ <td>access denied</td>
+ </tr>
+ <tr>
+ <td><tt>540</tt></td>
+ <td>#</td>
+ <td>bad length or format</td>
+ </tr>
+ <tr>
+ <td><tt>10</tt></td>
+ <td>#</td>
+ <td>bad authentication</td>
+ </tr>
+ <tr>
+ <td><tt>4</tt></td>
+ <td>#</td>
+ <td>declined</td>
+ </tr>
+ <tr>
+ <td><tt>147</tt></td>
+ <td>#</td>
+ <td>rate exceeded</td>
+ </tr>
<tr>
<td><tt>1</tt></td>
<td>#</td>
- <td>kiss-o'-death packets sent last hour</td>
+ <td>kiss-o'-death packets sent</td>
</tr>
</table>
- <dt><tt>timingstats</tt>
- <dd>(Only available when the deamon is compiled with process time debugging support (--enable-debug-timing - costs performance). Record processing time statistics for various selected code paths.<dd><tt>53876 36.920 10.0.3.5 1 0.000014592 input processing delay</tt>
- <dd>
- <table width="100%" border="1" cellspacing="2" cellpadding="0">
- <tr>
- <td>Item</td>
- <td>Units</td>
- <td>Description</td>
- </tr>
- <tr>
- <td><tt>53876</tt></td>
- <td>MJD</td>
- <td>date</td>
- </tr>
- <tr>
- <td><tt>36.920</tt></td>
- <td>s</td>
- <td>time past midnight</td>
- </tr>
- <tr>
- <td><tt>10.0.3.5</tt></td>
- <td>IP</td>
- <td>server address</td>
- </tr>
- <tr>
- <td><tt>1</tt></td>
- <td>#</td>
- <td>event count</td>
- </tr>
- <tr>
- <td><tt>0.000014592</tt></td>
- <td>s</td>
- <td>total time</td>
- </tr>
- <tr>
- <td><tt><i>message</i></tt></td>
- <td>text</td>
- <td>code path description (see source)</td>
- </tr>
- </table>
- </dl>
+ <dt><tt>timingstats</tt>
+ <dd>(Only available when the deamon is compiled with process time debugging support (--enable-debug-timing - costs performance). Record processing time statistics for various selected code paths.
+ <dd><tt>53876 36.920 10.0.3.5 1 0.000014592 input processing delay</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="0">
+ <tr>
+ <td>Item</td>
+ <td>Units</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>53876</tt></td>
+ <td>MJD</td>
+ <td>date</td>
+ </tr>
+ <tr>
+ <td><tt>36.920</tt></td>
+ <td>s</td>
+ <td>time past midnight</td>
+ </tr>
+ <tr>
+ <td><tt>10.0.3.5</tt></td>
+ <td>IP</td>
+ <td>server address</td>
+ </tr>
+ <tr>
+ <td><tt>1</tt></td>
+ <td>#</td>
+ <td>event count</td>
+ </tr>
+ <tr>
+ <td><tt>0.000014592</tt></td>
+ <td>s</td>
+ <td>total time</td>
+ </tr>
+ <tr>
+ <td><tt><i>message</i></tt></td>
+ <td>text</td>
+ <td>code path description (see source)</td>
+ </tr>
+ </table>
+ </dl>
<hr>
- <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+ <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
-</html>
+
+</html>
\ No newline at end of file
</head>
<body>
<h3><tt>ntpd</tt> System Log Messages</h3>
- <img src="pic/
alice47.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>The mushroom knows all the error codes, which is more than most of us do.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">01:09</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Saturday, November 24, 2007</csobj></p>
+ <img src="pic/
flatheads.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
+ <p>The log can be shrill at times.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:22</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 03, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<p><script type="text/javascript" language="javascript" src="scripts/install.txt"></script>
<p><tt><b>LOG_INFO</b></tt></p>
<dt><tt>proto_config: illegal item ?, value ?</tt>
<dd>Program error. Bugs can be reported <a href="bugs.html">here</a>.
- <dt><tt>pps sync enabled</tt>
+ <dt><tt>receive: autokey requires two-way communication</tt>
+ <dd>Configuration error on the <tt>broadcastclient</tt> command.
+ <dt><tt>receive: server <i>server</i> maaximum rate exceeded</tt>
+ <dd>A kiss-o'death packet has been received. The transmit rate is automatically reduced.<dt><tt>pps sync enabled</tt>
<dd>The PPS signal has been detected and enabled.
<dt><tt>transmit: encryption key ? not found</tt>
<dd>The encryption key is not defined or not trusted.
<body>
<h3>Configuration File Definition (Advanced)</h3>
- <img src="pic/
bustardfly.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
- <p>A typical NTP monitoring packet</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:46</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="223">Friday, June 16, 2006</csobj></p>
+ <img src="pic/
pogo7.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
+ <p>Racoon is shooting configuration bugs.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:20</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 03, 2008</csobj></p>
<br clear="left">
<hr>
<h4>Table of Contents</h4>
<body>
<h3><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</h3>
- <img src="pic/alice47.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>The mushroom knows all the command line options.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">01:10</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Saturday, November 24, 2007</csobj></p>
+ <img src="pic/wingdorothy.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>The Wizard of Oz</i>, L. Frank Baum</a>
+ <p>You need help from the monkeys.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:34</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="266">Saturday, March 22, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
<h4>Table of Contents</h4>
<ul>
- <li class="inline"><a href="#synop">Synopsis</a><br>
- <li class="inline"><a href="#descr">Description</a><br>
- <li class="inline"><a href="#op">How NTP Operates</a><br>
- <li class="inline"><a href="#freq">Frequency Discipline</a><br>
- <li class="inline"><a href="#modes">Operating Modes</a><br>
- <li class="inline"><a href="#poll">Poll Interval Control</a><br>
- <li class="inline"><a href="#leap">Leap Second Processing</a><br>
- <li class="inline"><a href="#notes">Additional Features</a><br>
-
-
-
-
- <li class="inline"><a href="#cmd">Command Line Options</a><br>
- <li class="inline"><a href="#cfg">The Configuration File</a><br>
- <li class="inline"><a href="#opt">Configuration Options</a><br>
+ <li class="inline"><a href="#synop">Synopsis</a>
+ <li class="inline"><a href="#descr">Description</a>
+ <li class="inline"><a href="#time">Setting the Time and Frequency</a>
+ <li class="inline"><a href="#modes">Operating Modes</a>
+ <li class="inline"><a href="#poll">Poll Interval Control</a>
+ <li class="inline"><a href="#leap">Leap Second Processing</a>
+ <li class="inline"><a href="#notes">Additional Features</a>
+ <li class="inline"><a href="#cmd">Command Line Options</a>
+ <li class="inline"><a href="#cfg">The Configuration File</a>
<li class="inline"><a href="#files">Files</a>
</ul>
<hr>
<h4 id="synop">Synopsis</h4>
<tt>ntpd [ -46aAbdDgLmnNqx ] [ -c <i>conffile</i> ] [ -f <i>driftfile</i> ] [ -i <i>jaildir</i> ] [ -k <i>keyfile</i> ] [ -l <i>logfile</i> ] [ -p <i>pidfile</i> ] [ -P <i>priority</i> ] [ -r <i>broadcastdelay</i> ] [ -s <i>statsdir</i> ] [ -t <i>key</i> ] [ -u <i>user</i>[:<i>group</i>] ] [ -U <i>interface_update_interval</i> ] [ -v <i>variable</i> ] [ -V <i>variable</i> ]</tt>
<h4 id="descr">Description</h4>
- <p>The <tt>ntpd</tt> program is an operating system daemon which sets and maintains the system time of day in synchronism with Internet standard time servers. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. <tt>ntpd</tt> does most computations in 64-bit floating-point arithmetic and does relatively clumsy 64-bit fixed-point operations only when necessary to preserve the ultimate precision, about 232 picoseconds. While the ultimate precision is not achievable with ordinary workstations and networks of today, it may be required with future gigahertz CPU clocks and gigabit LANs.</p>
- <h4 id="op">How NTP Operates</h4>
- <p>The <tt>ntpd</tt> program operates by exchanging messages with one or more configured servers at designated poll intervals. When started, whether for the first or subsequent times, the program requires several exchanges from the majority of these servers so the signal processing and mitigation algorithms can accumulate and groom the data to set the clock. In order to protect the network from bunching, the initial poll interval for each server is delayed an interval randomized over a few seconds. At the default initial poll interval of 64 s, several minutes can elapse before the clock is set. The initial delay to set the clock can be reduced using the <tt>iburst</tt> keyword with the <tt>server</tt> configuration command, as described on the <a href="confopt.html">Server Options</a> page.</p>
- <p>Most operating systems and hardware of today incorporate a time-of-year (TOY) chip to maintain the time during periods when the power is off. When the machine is booted, the chip is used to initialize the operating system time. After the machine has synchronized to a NTP server, the operating system corrects the chip from time to time. In case there is no TOY chip or for some reason its time is more than 1000 s, called the <i>panic threshold</i>, from the server time, <tt>ntpd</tt> assumes something must be terribly wrong and the only reliable action is for the operator to intervene and set the clock by hand. This causes <tt>ntpd</tt> to exit with a panic message to the system log. The <tt>-g</tt> option overrides this check and the clock will be set to the server time regardless of the chip time. However, and to protect against broken hardware, such as when the CMOS battery fails or the clock counter becomes defective, once the clock has been set, an error greater than 1000 s will cause <tt>ntpd</tt> to exit anyway.</p>
- <p>Under ordinary conditions, <tt>ntpd</tt> adjusts the clock in small steps so that the timescale is effectively continuous and never runs backwards. Under conditions of extreme network congestion, the roundtrip delay jitter can exceed three seconds and the synchronization distance, which is equal to one-half the roundtrip delay plus error budget terms, can become very large. The <tt>ntpd</tt> algorithms discard offsets exceeding 128 ms, called the <i>step threshold</i>, unless the interval during which no sample offset is less than 128 ms exceeds 900 s, called the <i>stepout threshold</i>. The first sample after that, no matter what the offset, steps the clock to the indicated time. In practice this reduces the false alarm rate where the clock is stepped in error to a vanishingly low incidence.</p>
- <p>As the result of this behavior, once the clock has been set, it very rarely strays more than 128 ms, even under extreme cases of network congestion and jitter. Sometimes, in particular when <tt>ntpd</tt> is first started, the error might exceed 128 ms. This may on occasion cause the clock to be set backwards if the local clock time is more than 128 s in the future relative to the server. In some applications, this behavior may be unacceptable. If the <tt>-x</tt> option is included on the command line, the clock will always be slewed unless the offset exceeds 600 s (10 minutes), in which case it will be stepped.</p>
- <p>The issues should be carefully explored before deciding to use the <tt>-x</tt> option. The maximum slew rate possible is limited to 500 parts-per-million (PPM) as a consequence of the correctness principles on which the NTP protocol and algorithm design are based. As a result, the local clock can take a long time to converge to an acceptable offset, about 2,000 s for each second the clock is outside the acceptable range. During this interval the local clock will not be consistent with any other network clock and the system cannot be used for distributed applications that require correctly synchronized network time.</p>
- <h4 id="freq">Frequency Discipline</h4>
- <p>The <tt>ntpd</tt> behavior at startup depends on whether the frequency file, usually called <tt>ntp.drift</tt>, exists. This file contains the latest estimate of clock frequency offset. When <tt>ntpd</tt> is started and the file does not exist, <tt>ntpd</tt> enters a special mode designed to directly measure the particular clock frequency offset. This takes 15 minutes, after which the time and frequency are set to nominal values and <tt>ntpd</tt> enters normal mode, where the time and frequency are continuously adjusted.</p>
- <p>After one hour the frequency file is created and the current frequency offset written to it. When <tt>ntpd</tt> is started and the file does exist, <tt>ntpd</tt> initializes the frequency from the file and then enters normal mode immediately. In either case the current frequency offset is written to the file at hourly intervals.</p>
+ <p>The <tt>ntpd</tt> program is an operating system daemon that synchronises the system clock with remote NTP time servers or local reference clocks. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. The program can operate in any of several modes, as described on the <a href="assoc.html">Association Management</a> page, and with both symmetric key and public key cryptography, as described on the <a href="manyopt.html">Authentication Options</a> page.</p>
+ <p>The <tt>ntpd</tt> program ordinarily requires a configuration file as desccribe on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the <a href="manyopt.html">Automatic Server Discovery</a> page.</p>
+ <p>Once the NTP software distribution has been compiled and installed and the configuration file constructed, the next step is to verify correct operation and fix any bugs that may result. Usually, the command line that starts the daemon is included in the system startup file, so it is executed only at system boot time; however, the daemon can be stopped and restarted from root at any time. Once started, the daemon will begin sending and receiving messages, as specified in the configuration file.</p>
+ <h4 id="time">Setting the Time and Frequency</h4>
+ <p>The <tt>ntpd</tt> program operates by exchanging messages with one or more servers at designated intervals ranging from about one minute to about 17 minutes. When started, the program requires several exchanges while the algorithms accumulate and groom the data before setting the clock. The initial delay to set the clock can be reduced using options on the <a href="confopt.html">Server Options</a> page.</p>
+ <p>Most compters today incorporate a time-of-year (TOY) chip to maintain the time during periods when the power is off. When the machine is booted, the chip is used to initialize the operating system time. In case there is no TOY chip or the TOY time is more than 1000 s from the server time, <tt>ntpd</tt> assumes something must be terribly wrong and exits with a panic message to the system operator. With the <tt>-g</tt> option the clock will be initially set to the server time regardless of the chip time. However, once the clock has been set, an error greater than 1000 s will cause <tt>ntpd</tt> to exit anyway.</p>
+ <p>Under ordinary conditions, <tt>ntpd</tt> slews the clock so that the time is effectively continuous and never runs backwards. If due to extreme network congestion an error spike exceeds the <i>step threshold</i>, by default 128 ms, the spike is discarded. However, if the error persists for more than the <i>stepout threshold</i>, by default 900 s, the system clock is stepped to the correct value. In practice the need for a step has is extremely rare and almost always the result of a hardware failure. With the <tt>-x</tt> option the step threshold is increased to 600 s. Other options are available using the <tt>tinker</tt> command on the <a href="miscopt.html">Miscellaneous Options</a> page.</p>
+ <p>The issues should be carefully considered before using these options. The maximum slew rate possible is limited to 500 parts-per-million (PPM) by the Unix kernel. As a result, the clock can take 2000 s for each second the clock is outside the acceptable range. During this interval the clock will not be consistent with any other network clock and the system cannot be used for distributed applications that require correctly synchronized network time.</p>
+ <p>The frequency file, usually called <tt>ntp.drift</tt>, contains the latest estimate of clock frequency. If this file does not exist when <tt>ntpd</tt> is started, it enters a special mode designed to measure the particular frequency directly. The measurement takes 15 minutes, after which the frequency is set and <tt>ntpd</tt> resumes normal mode where the time and frequency are continuously adjusted. The frequency file is updated at intervals of an hour or more depending on the measured clock stability.</p>
<h4 id="modes">Operating Modes</h4>
- <p><tt>ntpd</tt> can operate in any of several modes, including symmetric active/passive, client/server broadcast/multicast and manycast, as described in the <a href="assoc.html">Association Management</a> page. It normally operates continuously while adjusting the system clock time and frequency with respect to external sources. In some cases it may not be practical to run <tt>ntpd</tt> continuously. A common workaround has been to run the <tt>ntpdate</tt> program from a <tt>cron</tt> job at designated times. However, this program does not have the crafted signal processing, error checking and mitigation algorithms of <tt>ntpd</tt>. If the <tt>-q</tt> option is specified on the command line, <tt>ntpd</tt> will operate as in continous mode, but exit just after setting the clock for the first time. Most applications will probably want to specify the <tt>iburst</tt> keyword with the <tt>server</tt> configuration command. With this keyword a volley of messages is exchanged to groom the data and set the clock in about 10 s. If nothing is heard after a couple of minutes, the daemon times out and exits.</p>
- <p>A broadcast/multicast or manycast client can discover remote servers, compute server-client propagation delay correction factors and configure itself automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. An alternative to broadcast/multicast is manycast mode, in which a client broadcasts a request and one or more servers in range offer service. Further details are on the <a href="manyopt.html">Automatic NTP Configuration Options</a> page.</p>
- <p>By default, <tt>ntpd</tt> runs in continuous mode where each of possibly several external servers is polled at intervals determined by an intricate phase/frequncy-lock feedback loop. The feedback loop measures the incidental clock offset jitter and oscillator frequency wander and determines the best poll interval using a heuristic algorithm. Ordinarily, and in most operating environments, the feedback loop will start with 64 s poll intervals and eventually increase in steps to 1024 s. A small amount of random variation is introduced in order to avoid bunching. In addition, should a server become unreachable for some time, the poll interval is increased in steps to 1024 s in order to reduce network overhead.</p>
+ <p>The <tt>ntpd</tt> program normally operates continuously while adjusting the time and frequency, but in some cases it may not be practical to run it continuously. With the <tt>-q</tt> option <tt>ntpd</tt> operates as in continous mode, but exits just after setting the clock for the first time. Most applications will probably want to specify the <tt>iburst</tt> option with the <tt>server</tt> command. With this option a volley of messages is exchanged to groom the data and set the clock in about 10 s. If nothing is heard after a few minutes, the daemon times out and exits.</p>
<h4 id="poll">Poll Interval Control</h4>
- <p>NTP uses an intricate clock discipline algorithm to automatically control the poll interval for maximum accuracy consistent with minimum network load. The default minimum interval is 64 s and the maximum 1024 s, which is suitable for most conditions. The default minimum and maximum intervals can be changed using the <tt>tinker minpoll</tt> and <tt>tinker maxpoll </tt> commands, respectively. These values are used for all configured associations, unless overridden by the <tt>minpoll</tt> or <tt>minpoll</tt> options on the <tt>server</tt>configuration command.</p>
- <p>In some cases involving dial-up or ISDN toll services, it may be useful to set the minimum interval to 12 (4096 s) and maximum interval to 17 (36 h). Under normal operation conditions, once the clock discipline loop has stabilized the interval will be increased in steps from the minimum to the maximum. However, this assumes the residual clock frequency error is small enough for the discipline loop to capture and correct it. The capture range of the loop is 500 PPM with a 64-s interval decreasing by a factor of two for each interval doubling. At a 36-hr interval, for example, the capture range is only 0.24 PPM. If the frequency changes abruptly, due for instance a large change in temperature, one or more step adjustments may occur.is greater than this, the frequency file <tt>ntp.drift</tt></p>
+ <p>NTP uses an intricate heuristic algorithm to automatically control the poll interval for maximum accuracy consistent with minimum network overhead. The algorithm measures the incidental offset and jitter to determine the best poll interval. When <tt>ntpd</tt> starts, the interval is the default minimum 64 s. Under normal conditions when the clock discipline has stabilized, the interval increases in steps to the default maximum 1024 s. In addition, should a server become unreachable after some time, the interval increases in steps to the maximum in order to reduce network overhead.</p>
+ <p>The default poll interval range is suitable for most conditions, but can be changed using options on the <a href="confopt.html">Server Options</a> and <a href="miscopt.html">Miscellaneous Options</a> pages. However, when using maximum intervals much larger than the default, the residual clock frequency error must be small enough for the discipline loop to capture and correct. The capture range is 500 PPM with a 64-s interval decreasing by a factor of two for each interval doubling. At a 36-hr interval, for example, the capture range is only 0.24 PPM.</p>
<h4 id="huff">The huff-n'-puff Filter</h4>
- <p>In scenarios where a considerable amount of data are to be downloaded or uploaded over telephone modems, timekeeping quality can be seriously degraded. This occurs because the differential delays on the two directions of transmission can be quite large. In many cases the apparent time errors are so large as to exceed the step threshold and a step correction can occur during and after the data transfer is in progress.</p>
- <p>The huff-n'-puff filter is designed to correct the apparent time offset in these cases. It depends on knowledge of the propagation delay when no other traffic is present. In common scenarios this occurs during other than work hours. The filter maintains a shift register that remembers the minimum delay over the most recent interval measured usually in hours. Under conditions of severe delay, the filter corrects the apparent offset using the sign of the offset and the difference between the apparent delay and minimum delay. The name of the filter reflects the negative (huff) and positive (puff) correction, which depends on the sign of the offset.</p>
- <p>The filter is activated by the <tt>tinker huffpuff</tt> command, as described in the <a href="miscopt.html">Miscellaneous Options</a> page.</p>
+ <p>In scenarios where a considerable amount of data are to be downloaded or uploaded over telephone modems, timekeeping quality can be seriously degraded. This occurs because the differential delays on the two directions of transmission can be quite large. In many cases the apparent time errors are so large as to exceed the step threshold and a step correction can occur during and after the data transfer.</p>
+ <p>The huff-n'-puff filter is designed to correct the apparent time offset in these cases. It depends on knowledge of the propagation delay when no other traffic is present, such as during other than work hours. The filter remembers the minimum delay over the most recent interval measured usually in hours. Under conditions of severe delay, the filter corrects the apparent offset using the sign of the offset and the difference between the apparent delay and minimum delay. The name of the filter reflects the negative (huff) and positive (puff) correction, which depends on the sign of the offset. The filter is activated by the <tt>tinker huffpuff</tt> command, as described in the <a href="miscopt.html">Miscellaneous Options</a> page.</p>
<h4 id="leap">Leap Second Processing</h4>
- <p>As provided by international agreement, an extra second is sometimes inserted in Coordinated Universal Time (UTC) at the end of a selected month, usually June or December. The National Institutes of Standards and Technology (NIST) provides an historic leapseconds file at time.nist.gov for retrieval via FTP. When this file, usually called ntp.leap, is installed, <tt>ntpd</tt> reads it at startup and initializes three leapsecond values, the offset of International Atomic Time (TAI) after the last leap in the file, the NTP seconds of that leap and the NTP seconds when the leapseconds file expires.</p>
- <p>If a host does not have the leapsecond values, they can be obtained over the net using the Autokey security protocol. Ordinarily, the leapseconds file is installed on the primary servers and the values flow from them to dependent servers and eventually clients. When multiple servers are involved, the values with the latest expiration time are used.</p>
- <p>If the latest leap is in the past, nothing further is done other than to install the TAI offset in the kernel where it can be retrieved by the <tt>ntp_gettimeofday()</tt> system call. If the leap is in the future less than 28 days, the leap warning bits are set to insert one second. If in the future less than 23 hours, the kernel is armed to insert one second at the end of the current day. If the kernel is enabled, the leap is done automatically at that time; otherwise, the clock is stepped back one second at that time.</p>
+ <p>As provided by international agreement, an extra second is sometimes inserted in Coordinated Universal Time (UTC) at the end of a selected month, usually June or December. The National Institutes of Standards and Technology (NIST) provides an historic leapseconds file at <tt>time.nist.gov</tt> for retrieval via FTP. When this file, usually called <tt>ntp.leapseconds</tt>, is installed, <tt>ntpd</tt> reads it at startup and initializes three leapsecond values: the NTP seconds at the next leap event, the offset of UTC relative to International Atomic Time (TAI) after the leap and the NTP seconds when the leapseconds file expires.</p>
+ <p>If a host does not have the leapsecond values, they can be obtained over the net using the Autokey security protocol. Ordinarily, the leapseconds file is installed on the primary servers and the values flow from them via secondary servers to the clients. When multiple servers are involved, the values with the latest expiration time are used.</p>
+ <p>If the latest leap is in the past, nothing further is done other than to install the TAI offset. If the leap is in the future less than 28 days, the leap warning bits are set. If in the future less than 23 hours, the kernel is armed to insert one second at the end of the current day. If the kernel is enabled, the leap is done automatically at that time; otherwise, the clock is effectively stopped for one second at the leap. Additional details are in the <a href='http://www.eecis.udel.edu/~mills/leap.html'>The NTP Timescale and Leap Seconds</a> white paper</p>
<p>Dependent servers and clients tally the leap warning bits of surviving servers and reference clocks. When a majority of the survivors show warning, a leap is programmed at the end of the current month. During the month and day of insertion, they operate as above. In this way the leap is propagated at all dependent servers and clients.</p>
<h4 id="notes">Additional Features</h4>
- <p>If <tt>ntpd</tt>, is configured with NetInfo support, it will attempt to read its configuration from the NetInfo service if the default <tt></tt>ntp.conf</tt> file cannot be read and no file is specified by the <tt>-c</tt> option.</p>
+ <p>If <tt>ntpd</tt>, is configured with NetInfo support, it will attempt to read its configuration from the NetInfo service if the default <tt>ntp.conf</tt> file cannot be read and no file is specified by the <tt>-c</tt> option.</p>
<p>In contexts where a host name is expected, a <tt>-4</tt> qualifier preceding the host name forces DNS resolution to the IPv4 namespace, while a <tt>-6</tt> qualifier forces DNS resolution to the IPv6 namespace.</p>
<p>Various internal <tt>ntpd</tt> variables can be displayed and configuration options altered while the <tt>ntpd</tt> is running using the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.</p>
<p>When <tt>ntpd</tt> starts it looks at the value of <tt>umask</tt>, and if zero <tt>ntpd</tt> will set the <tt>umask</tt> to <tt>022</tt>.</p>
<h4 id="cmd">Command Line Options</h4>
<dl>
<dt><tt>-a</tt>
- <dd>Require cryptographic authentication for broadcast client, multicast client and symmetric passive associations. This is the default.
- <dt><tt>-A</tt>
- <dd>Do not require cryptographic authentication for broadcast client, multicast client and symmetric passive associations. This is almost never a good idea.
- <dt><tt>-b</tt>
+ <dd>Require cryptographic authentication for broadcast client, multicast client and symmetric passive associations. This is the same operation as the <tt>enable auth</tt> command and is the default.<dt><tt>-A</tt>
+ <dd>Do not require cryptographic authentication for broadcast client, multicast client and symmetric passive associations. This is the same operation as the <tt>disable auth</tt> command and almost never a good idea.<dt><tt>-b</tt>
<dd>Enable the client to synchronize to broadcast servers.
<dt><tt>-c <i>conffile</i></tt>
<dd>Specify the name and path of the configuration file, default <tt>/etc/ntp.conf</tt>.
<dt><tt>-D <i>level</i></tt>
<dd>Specify debugging level directly.
<dt><tt>-f <i>driftfile</i></tt>
- <dd>Specify the name and path of the frequency file, default <tt>/etc/ntp.drift</tt>. This is the same operation as the <tt>driftfile <i>driftfile</i></tt> configuration command.
- <dt><tt>-g</tt>
+ <dd>Specify the name and path of the frequency file, default <tt>/etc/ntp.drift</tt>. This is the same operation as the <tt>driftfile <i>driftfile</i></tt> command.<dt><tt>-g</tt>
<dd>Normally, <tt>ntpd</tt> exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the threshold is exceeded after that, <tt>ntpd</tt> will exit with a message to the system log. This option can be used with the <tt>-q</tt> and <tt>-x</tt> options. See the <tt>tinker</tt> command for other options.
<dt><tt>-i <i>jaildir</i></tt>
- <dd>Chroot the server to the directory <i>jaildir</i>. This option also implies that the server attempts to drop root privileges at startup (otherwise, chroot gives very little additional security), and it is only available if the OS supports to run the server without full root privileges. You may need to also specify a <tt>-u</tt> option.
+ <dd>Chroot the server to the directory <i><tt>jaildir</tt></i>. This option also implies that the server attempts to drop root privileges at startup (otherwise, chroot gives very little additional security), and it is only available if the OS supports to run the server without full root privileges. You may need to also specify a <tt>-u</tt> option.
<dt><tt>-k <i>keyfile</i></tt>
- <dd>Specify the name and path of the symmetric key file, default <tt>/etc/ntp.keys</tt>. This is the same operation as the <tt>keys <i>keyfile</i></tt> configuration command.
- <dt><tt>-l <i>logfile</i></tt>
- <dd>Specify the name and path of the log file. The default is the system log file. This is the same operation as the <tt>logfile <i>logfile</i></tt> configuration command.
- <dt><tt>-L</tt>
+ <dd>Specify the name and path of the symmetric key file, default <tt>/etc/ntp.keys</tt>. This is the same operation as the <tt>keys <i>keyfile</i></tt> command.<dt><tt>-l <i>logfile</i></tt>
+ <dd>Specify the name and path of the log file. The default is the system log file. This is the same operation as the <tt>logfile <i>logfile</i></tt> command.<dt><tt>-L</tt>
<dd>Do not listen to virtual IPs. The default is to listen.
<dt><tt>-n</tt>
<dd>Don't fork.
<dt><tt>-N</tt>
<dd>To the extent permitted by the operating system, run the <tt>ntpd</tt> at the highest priority.
<dt><tt>-p <i>pidfile</i></tt>
- <dd>Specify the name and path of the file used to record the <tt>ntpd</tt> process ID. This is the same operation as the <tt>pidfile <i>pidfile</i></tt> configuration command.
- <dt><tt>-P <i>priority</i></tt>
+ <dd>Specify the name and path of the file used to record the <tt>ntpd</tt> process ID. This is the same operation as the <tt>pidfile <i>pidfile</i></tt> command.<dt><tt>-P <i>priority</i></tt>
<dd>To the extent permitted by the operating system, run the <tt>ntpd</tt> at the specified priority.
<dt><tt>-q</tt>
<dd>Exit the <tt>ntpd</tt> just after the first time the clock is set. This behavior mimics that of the <tt>ntpdate</tt> program, which is to be retired. The <tt>-g</tt> and <tt>-x</tt> options can be used with this option. Note: The kernel time discipline is disabled with this option.
<dt><tt>-r <i>broadcastdelay</i></tt>
<dd>Specify the default propagation delay from the broadcast/multicast server to this client. This is necessary only if the delay cannot be computed automatically by the protocol.
<dt><tt>-s <i>statsdir</i></tt>
- <dd>Specify the directory path for files created by the statistics facility. This is the same operation as the <tt>statsdir <i>statsdir</i></tt> configuration command.
- <dt><tt>-t <i>key</i></tt>
- <dd>Add a key number to the trusted key list. This option can occur more than once.
- <dt><tt>-u <i>user[:group]</i> </tt>
- <dd>Specify a user, and optionally a group, to switch to. This option is only available if the OS supports to run the server without full root privileges. Currently, this option is supported under NetBSD (configure with --enable-clockctl) and Linux (configure with --enable-linuxcaps).
- <dt><tt>-U <i>interface update interval</i></tt>
+ <dd>Specify the directory path for files created by the statistics facility. This is the same operation as the <tt>statsdir <i>statsdir</i></tt> command.<dt><tt>-t <i>key</i></tt>
+ <dd>Add a key number to the trusted key list. This option can occur more than once. This is the same operation as the <tt>trustedkey <i>key</i></tt> command. <dt><tt>-u <i>user[:group]</i> </tt>
+ <dd>Specify a user, and optionally a group, to switch to. This option is only available if the OS supports running the server without full root privileges. Currently, this option is supported under NetBSD (configure with <tt>--enable-clockctl</tt>) and Linux (configure with --<tt>enable-linuxcaps</tt>).<dt><tt>-U <i>interface update interval</i></tt>
<dd>Number of seconds to wait between interface list scans to pick up new and delete network interface. Set to 0 to disable dynamic interface list updating. The default is to scan every 5 minutes.</dd>
<dt><tt>-v <i>variable</i></tt>
<dt><tt>-V <i>variable</i></tt>
<dd>Normally, the time is slewed if the offset is less than the step threshold, which is 128 ms by default, and stepped if above the threshold. This option sets the threshold to 600 s, which is well within the accuracy window to set the clock manually. Note: Since the slew rate of typical Unix kernels is limited to 0.5 ms/s, each second of adjustment requires an amortization interval of 2000 s. Thus, an adjustment as much as 600 s will take almost 14 days to complete. This option can be used with the <tt>-g</tt> and <tt>-q</tt> options. See the <tt>tinker</tt> command for other options. Note: The kernel time discipline is disabled with this option.
</dl>
<h4 id="cfg">The Configuration File</h4>
- <p>Ordinarily, <tt>ntpd</tt> reads the <tt>ntp.conf</tt> configuration file at startup time in order to determine the synchronization sources and operating modes. It is also possible to specify a working, although limited, configuration entirely on the command line, obviating the need for a configuration file. This may be particularly useful when the local host is to be configured as a broadcast/multicast client, with all peers being determined by listening to broadcasts at run time.</p>
- <p>Usually, the configuration file is installed in the <tt>/etc</tt> directory, but could be installed elsewhere (see the <tt>-c <i>conffile</i></tt> command line option). The file format is similar to other Unix configuration files - comments begin with a <tt>#</tt> character and extend to the end of the line; blank lines are ignored.</p>
- <p>Configuration commands consist of an initial keyword followed by a list of arguments, some of which may be optional, separated by whitespace. Commands may not be continued over multiple lines. Arguments may be host names, host addresses written in numeric, dotted-quad form, integers, floating point numbers (when specifying times in seconds) and text strings. Optional arguments are delimited by <tt>[ ]</tt> in the following option pages, while alternatives are separated by <tt>|</tt>. The notation <tt>[ ... ]</tt> means an optional, indefinite repetition of the last item before the <tt>[ ... ]</tt>.</p>
- <h4 id="opt">Configuration Options</h4>
- <p><a href="confopt.html">Server Options</a><br>
- <a href="authopt.html">Authentication Options</a><br>
- <a href="monopt.html">Monitoring Options</a><br>
- <a href="accopt.html">Access Control Options</a><br>
- <a href="manyopt.html">Automatic NTP Configuration Options</a><br>
- <a href="clockopt.html">Reference Clock Options</a><br>
- <a href="miscopt.html">Miscellaneous Options</a></p>
+ <p>Ordinarily, <tt>ntpd</tt> reads the <tt>ntp.conf</tt> configuration file at startup in order to determine the synchronization sources and operating modes. It is also possible to specify a working, although limited, configuration entirely on the command line, obviating the need for a configuration file. This may be particularly useful when the local host is to be configured as a broadcast client, with servers determined by listening to broadcasts at run time.</p>
+ <p>Usually, the configuration file is installed as<tt>/etc/ntp.conf</tt>, but could be installed elsewhere (see the <tt>-c <i>conffile</i></tt> command line option). The file format is similar to other Unix configuration files - comments begin with a <tt>#</tt> character and extend to the end of the line; blank lines are ignored.</p>
+ <p>Configuration commands consist of an initial command keyword followed by a list of option keywords separated by whitespace. Commands may not be continued over multiple lines. Options may be host names, host addresses written in numeric, dotted-quad form, integers, floating point numbers (when specifying times in seconds) and text strings. Optional arguments are delimited by <tt>[ ]</tt> in the options pages, while alternatives are separated by <tt>|</tt>. The notation <tt>[ ... ]</tt> means an optional, indefinite repetition of the last item before the <tt>[ ... ]</tt>.</p>
<h4 id="files">Files</h4>
<table width="100%" border="1">
<tr>
</tr>
<tr>
<td width="30%">frequency file</td>
- <td width="30%"><tt>/etc/ntp.drift</tt></td>
+ <td width="30%">none</td>
<td width="20%"><tt>-f</tt></td>
<td width="20%"><tt>driftfile</tt></td>
</tr>
+ <tr>
+ <td width="30%">leapseconds file</td>
+ <td width="30%">none</td>
+ <td width="20%"></td>
+ <td width="20%"><tt>leapfile</tt></td>
+ </tr>
<tr>
<td width="30%">process ID file</td>
<td width="30%">none</td>
<body>
<h3><tt>ntpdsim</tt> - Network Time Protocol (NTP) simulator</h3>
- <img src="pic/alice47.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>The mushroom knows all the command line options.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">01:12</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Saturday, November 24, 2007</csobj></p>
+ <img src="pic/oz2.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>The Wizard of Oz</i>, L. Frank Baum</a>
+ <p>All in a row.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:55</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
<body>
<h3><tt>ntpdsim</tt> - Network Time Protocol (NTP) Simulator</h3>
- <img src="pic/alice47.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>The mushroom knows all the command line options.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:45</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="285">Saturday, January 19, 2008</csobj></p>
+ <img src="pic/oz2.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>The Wizard of Oz</i>, L. Frank Baum</a>
+ <p>All in a row.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">15:56</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
<h3><tt>ntpq</tt> - standard NTP query program</h3>
<img src="pic/bustardfly.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>A typical NTP monitoring packet</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">01:13</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="308">Saturday, November 24, 2007</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">23:58</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="223">Friday, April 04, 2008</csobj></p>
<br clear="left">
<h4>More Help</h4>
<script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
<dd>Print a list of the peers known to the server as well as a summary of their state. This is equivalent to the <tt>peers</tt> interactive command.
</dl>
<h4>Internal Commands</h4>
- <p>Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a <tt>></tt>, followed by a file name, to the command line. A number of interactive format commands are executed entirely within the <tt>ntpq</tt> program itself and do not result in NTP mode 6 requests being sent to a server. These are described following.</p>
+ <p>Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a <tt>></tt>, followed by a file name, to the command line. A number of interactive format commands are executed entirely within the <tt>ntpq</tt> program itself and do not result in NTP mode-6 requests being sent to a server. These are described following.</p>
<dl>
<dt><tt>? [<i>command_keyword</i>]</tt><br>
<tt>helpl [<i>command_keyword</i>]</tt>
- <dd>A <tt>?</tt> by itself will print a list of all the command keywords known to this incarnation of <tt>ntpq</tt>. A <tt>?</tt> followed by a command keyword will print function and usage information about the command. This command is probably a better source of information about <tt>ntpq</tt> than this manual page.
- <dt><tt>addvars <i>variable_name</i> [ = <i>value</i>] [...]</tt><br>
- <tt>rmvars <i>variable_name</i> [...]</tt><br>
+ <dd>A <tt>?</tt> by itself will print a list of all the command keywords known to <tt>ntpq</tt>. A <tt>?</tt> followed by a command keyword will print function and usage information about the command.
+ <dt><tt>addvars <i>name</i> [ = <i>value</i>] [...]</tt><br>
+ <tt>rmvars <i>name</i> [...]</tt><br>
<tt>clearvars</tt>
- <dd>The data carried by NTP mode 6 messages consists of a list of items of the form <tt><i>variable_name</i> = <i>value</i></tt>, where the <tt>= <i>value</i></tt> is ignored, and can be omitted, in requests to the server to read variables. <tt>ntpq</tt> maintains an internal list in which data to be included in control messages can be assembled, and sent using the <tt>readlist</tt> and <tt>writelist</tt> commands described below. The <tt>addvars</tt> command allows variables and their optional values to be added to the list. If more than one variable is to be added, the list should be comma-separated and not contain white space. The <tt>rmvars</tt> command can be used to remove individual variables from the list, while the <tt>clearlist</tt> command removes all variables from the list.
+ <dd>The arguments to this command consist of a list of items of the form <tt><i>name</i> = <i>value</i></tt>, where the <tt>= <i>value</i></tt> is ignored, and can be omitted in read requests. <tt>ntpq</tt> maintains an internal list in which data to be included in control messages can be assembled, and sent using the <tt>readlist</tt> and <tt>writelist</tt> commands described below. The <tt>addvars</tt> command allows variables and optional values to be added to the list. If more than one variable is to be added, the list should be comma-separated and not contain white space. The <tt>rmvars</tt> command can be used to remove individual variables from the list, while the <tt>clearlist</tt> command removes all variables from the list.
<dt><tt>cooked</tt>
- <dd>Causes output from query commands to be "cooked", so that variables which are recognized by <tt>ntpq</tt> will have their values reformatted for human consumption. Variables which <tt>ntpq</tt> thinks should have a decodable value but didn't are marked with a trailing <tt>?</tt>.
- <dt><tt>debug more | less | off</tt>
+ <dd>Display server messages in prettyprint format.<dt><tt>debug more | less | off</tt>
<dd>Turns internal query program debugging on and off.
<dt><tt>delay <i>milliseconds</i></tt>
<dd>Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete.
- <dt><tt>host <i>hostname</i></tt>
- <dd>Set the host to which future queries will be sent. Hostname may be either a host name or a numeric address.
- <dt><tt>hostnames [yes | no]</tt>
+ <dt><tt>host <i>name</i></tt>
+ <dd>Set the host to which future queries will be sent. The name may be either a DNS name or a numeric address.<dt><tt>hostnames [yes | no]</tt>
<dd>If <tt>yes</tt> is specified, host names are printed in information displays. If <tt>no</tt> is specified, numeric addresses are printed instead. The default is <tt>yes</tt>, unless modified using the command line <tt>-n</tt> switch.
<dt><tt>keyid <i>keyid</i></tt>
<dd>This command specifies the key number to be used to authenticate configuration requests. This must correspond to a key number the server has been configured to use for this purpose.
<dt><tt>ntpversion 1 | 2 | 3 | 4</tt>
- <dd>Sets the NTP version number which <tt>ntpq</tt> claims in packets. Defaults to 2, Note that mode 6 control messages (and modes, for that matter) didn't exist in NTP version 1.
- <dt><tt>passwd</tt>
- <dd>This command prompts for a password (which will not be echoed) which will be used to authenticate configuration requests. The password must correspond to the key configured for NTP server for this purpose.
- <dt><tt>quit</tt>
+ <dd>Sets the NTP version number which <tt>ntpq</tt> claims in packets. Defaults to 2, Note that mode-6 control messages (and modes, for that matter) didn't exist in NTP version 1.<dt><tt>passwd</tt>
+ <dd>This command prompts for a password to authenticate configuration requests. The password must correspond to the key configured for NTP server for this purpose.<dt><tt>quit</tt>
<dd>Exit <tt>ntpq</tt>.
<dt><tt>raw</tt>
- <dd>Causes all output from query commands is printed as received from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form.
- <dt><tt>timeout <i>millseconds</i></tt>
+ <dd>Display server messages as received and without reformatting.<dt><tt>timeout <i>millseconds</i></tt>
<dd>Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. Note that since <tt>ntpq</tt> retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set.
</dl>
<h4>Control Message Commands</h4>
- <p>Each association known to an NTP server has a 16 bit integer association identifier. NTP control messages which carry peer variables must identify the peer the values correspond to by including its association ID. An association ID of 0 is special, and indicates the variables are system variables, whose names are drawn from a separate name space.</p>
- <p>Control message commands result in one or more NTP mode 6 messages being sent to the server, and cause the data returned to be printed in some format. Most commands currently implemented send a single message and expect a single response. The current exceptions are the peers command, which will send a preprogrammed series of messages to obtain the data it needs, and the mreadlist and mreadvar commands, which will iterate over a range of associations.</p>
+ <p>Association IDs are used to identify system, peer and clock variables. System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. Most control commands send a single mode-6 message to the server and expect a single response message. The exceptions are the <tt>peers</tt> command, which sends a series of messages, and the <tt>mreadlist</tt> and <tt>mreadvar</tt> commands, which iterate over a range of associations.</p>
<dl>
- <dt><tt>associations</tt>
- <dd>Obtains and prints a list of association identifiers and peer statuses for in-spec peers of the server being queried. The list is printed in columns. The first of these is an index numbering the associations from 1 for internal use, the second the actual association identifier returned by the server and the third the status word for the peer. This is followed by a number of columns containing data decoded from the status word. See the peers command for a decode of the <tt>condition</tt> field. Note that the data returned by the <tt>associations</tt> command is cached internally in <tt>ntpq</tt>. The index is then of use when dealing with stupid servers which use association identifiers which are hard for humans to type, in that for any subsequent commands which require an association identifier as an argument, the form &index may be used as an alternative.
- <dt><tt>clockvar [<i>assocID</i>] [<i>variable_name</i> [ = <i>value</i> [...]] [...]</tt>
- <dt><tt>cv [<i>assocID</i>] [<i>variable_name</i> [ = <i>value</i> [...] ][...]</tt>
- <dd>Requests that a list of the server's clock variables be sent. Servers which have a radio clock or other external synchronization will respond positively to this. If the association identifier is omitted or zero the request is for the variables of the <tt>system clock</tt> and will generally get a positive response from all servers with a clock. If the server treats clocks as pseudo-peers, and hence can possibly have more than one clock connected at once, referencing the appropriate peer association ID will show the variables of a particular clock. Omitting the variable list will cause the server to return a default variable display.
- <dt><tt>lassociations</tt>
- <dd>Obtains and prints a list of association identifiers and peer statuses for all associations for which the server is maintaining state. This command differs from the <tt>associations</tt> command only for servers which retain state for out-of-spec client associations (i.e., fuzzballs). Such associations are normally omitted from the display when the <tt>associations</tt> command is used, but are included in the output of <tt>lassociations</tt>.
- <dt><tt>lpassociations</tt>
- <dd>Print data for all associations, including out-of-spec client associations, from the internally cached list of associations. This command differs from <tt>passociations</tt> only when dealing with fuzzballs.
- <dt><tt>lpeers</tt>
- <dd>Like R peers, except a summary of all associations for which the server is maintaining state is printed. This can produce a much longer list of peers from fuzzball servers.
- <dt><tt>mreadlist <i>assocID</i> <i>assocID</i></tt><br>
- <tt>mrl <i>assocID</i> <i>assocID</i></tt>
- <dd>Like the <tt>readlist</tt> command, except the query is done for each of a range of (nonzero) association IDs. This range is determined from the association list cached by the most recent <tt>associations</tt> command.
- <dt><tt>mreadvar <i>assocID</i> <i>assocID</i> [ <i>variable_name</i> [ = <i>value</i>[ ... ]</tt><br>
+ <dt id="as"><tt>associations</tt>
+ <dd>Display a list of mobilized associations in the form<dd><tt>ind assid status conf reach auth condition last_event cnt</tt>
+ <dd>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>ind</tt></td>
+ <td>index on this list</td>
+ </tr>
+ <tr>
+ <td><tt>assid</tt></td>
+ <td>association ID</td>
+ </tr>
+ <tr>
+ <td><tt>status</tt></td>
+ <td><a href="decode.html#peer">peer status word</a></td>
+ </tr>
+ <tr>
+ <td><tt>conf</tt></td>
+ <td><tt>yes</tt>: persistent, <tt>no</tt>: ephemeral</td>
+ </tr>
+ <tr>
+ <td><tt>reach</tt></td>
+ <td><tt>yes</tt>: reachable, <tt>no</tt>: unreachable</td>
+ </tr>
+ <tr>
+ <td><tt>auth</tt></td>
+ <td><tt>ok</tt>, <tt>yes</tt>, <tt>bad</tt> and <tt>none</tt></td>
+ </tr>
+ <tr>
+ <td><tt>condition</tt></td>
+ <td>source (see <a href="decode.html#peer">peer status word</a>)</td>
+ </tr>
+ <tr>
+ <td><tt>last_event</tt></td>
+ <td>event report (see <a href="decode.html#peer">peer status word</a>)</td>
+ </tr>
+ <tr>
+ <td><tt>cnt</tt></td>
+ <td>event count (see <a href="decode.html#peer">peer status word</a>)</td>
+ </tr>
+ </table>
+ <dt><tt>clockvar [<i>assocID</i>] [<i>name</i> [ = <i>value</i> [...]] [...]</tt>
+ <dt><tt>cv [<i>assocID</i>] [<i>name</i> [ = <i>value</i> [...] ][...]</tt>
+ <dd>Display a list of <a href="#clock">clock variables</a> for those assocations supporting a reference clock.
+ <dt><tt>keyid</tt>
+ <dd>Specify the key ID to use for write requests.<dt><tt>lassociations</tt>
+ <dd>Perform the same function as the associations command, execept display mobilized and unmobilized associations.<dt><tt>mreadvar <i>assocID</i> <i>assocID</i> [ <i>variable_name</i> [ = <i>value</i>[ ... ]</tt><br>
<tt>mrv <i>assocID</i> <i>assocID</i> [ <i>variable_name</i> [ = <i>value</i>[ ... ]</tt>
- <dd>Like the <tt>readvar</tt> command, except the query is done for each of a range of (nonzero) association IDs. This range is determined from the association list cached by the most recent <tt>associations</tt> command.
- <dt><tt>opeers</tt>
- <dd>An old form of the <tt>peers</tt> command with the reference ID replaced by the local interface address.
+ <dd>Perform the same function as the <tt>readvar</tt> command, except for a range of association IDs. This range is determined from the association list cached by the most recent <tt>associations</tt> command.
<dt><tt>passociations</tt>
- <dd>Displays association data concerning in-spec peers from the internally cached list of associations. This command performs identically to the <tt>associations</tt> except that it displays the internally stored data rather than making a new query.
- <dt><tt>peers</tt>
- <dd>Obtains a current list peers of the server, along with a summary of each peer's state. Summary information includes the address of the remote peer, the reference ID (0.0.0.0 if this is unknown), the stratum of the remote peer, the type of the peer (local, unicast, multicast or broadcast), when the last packet was received, the polling interval, in seconds, the reachability register, in octal, and the current estimated delay, offset and dispersion of the peer, all in milliseconds. The character at the left margin of each line shows the synchronization status of the association and is a valuable diagnostic tool. The encoding and meaning of this character, called the tally code, is given later in this page.
- <dt><tt>pstatus <i>assocID</i></tt>
- <dd>Sends a read status request to the server for the given association. The names and values of the peer variables returned will be printed. Note that the status word from the header is displayed preceding the variables, both in hexadecimal and in pidgeon English.
- <dt><tt>readlist [ <i>assocID</i> ]</tt><br>
- <tt>rl [ <i>assocID</i> ]</tt>
- <dd>Requests that the values of the variables in the internal variable list be returned by the server. If the association ID is omitted or is 0 the variables are assumed to be system variables. Otherwise they are treated as peer variables. If the internal variable list is empty a request is sent without data, which should induce the remote server to return a default display.
- <dt><tt>readvar <i>assocID</i> <i>variable_name</i> [ = <i>value</i> ] [ ...]</tt><br>
- <tt>rv <i>assocID</i> [ <i>variable_name</i> [ = <i>value</i> ] [...]</tt>
- <dd>Requests that the values of the specified variables be returned by the server by sending a read variables request. If the association ID is omitted or is given as zero the variables are system variables, otherwise they are peer variables and the values returned will be those of the corresponding peer. Omitting the variable list will send a request with no data which should induce the server to return a default display. The encoding and meaning of the variables derived from NTPv3 is given in RFC-1305; the encoding and meaning of the additional NTPv4 variables are given later in this page.
- <dt><tt>writevar <i>assocID</i> <i>variable_name</i> [ = <i>value</i> [ ...]</tt>
- <dd>Like the readvar request, except the specified variables are written instead of read.
- <dt><tt>writelist [ <i>assocID</i> ]</tt>
- <dd>Like the readlist request, except the internal list variables are written instead of read.
- </dl>
- <h4>Tally Codes</h4>
- <p>The character in the left margin in the <tt>peers</tt> billboard, called the tally code, shows the fate of each association in the clock selection process. Following is a list of these characters, the pigeon used in the <tt>rv</tt> command, and a short explanation of the condition revealed.</p>
- <dl>
- <dt><tt>space reject</tt>
- <dd>The peer is discarded as unreachable, synchronized to this server (synch loop) or outrageous synchronization distance.
- <dt><tt>x falsetick</tt>
- <dd>The peer is discarded by the intersection algorithm as a falseticker.
- <dt><tt>. excess</tt>
- <dd>The peer is discarded as not among the first ten peers sorted by synchronization distance and so is probably a poor candidate for further consideration.
- <dt><tt>- outlyer</tt>
- <dd>The peer is discarded by the clustering algorithm as an outlyer.
- <dt><tt>+ candidat</tt>
- <dd>The peer is a survivor and a candidate for the combining algorithm.
- <dt><tt># selected</tt>
- <dd>The peer is a survivor, but not among the first six peers sorted by synchronization distance. If the association is ephemeral, it may be demobilized to conserve resources.
- <dt><tt>* sys.peer</tt>
- <dd>The peer has been declared the system peer and lends its variables to the system variables.
- <dt><tt>o pps.peer</tt>
- <dd>The peer has been declared the system peer and lends its variables to thesystem variables. However, the actual system synchronization is derived from a pulse-per-second (PPS) signal, either indirectly via the PPS reference clock driver or directly via kernel interface.
- </dl>
- <h4>System Variables</h4>
- <p>The <tt>status, leap, stratum, precision, rootdelay, rootdispersion, refid, reftime, poll, offset, and frequency</tt> variables are described in RFC-1305 specification. Additional NTPv4 system variables include the following.</p>
- <dl>
- <dt><tt>version</tt>
- <dd>Everything you might need to know about the software version and generation time.
- <dt><tt>processor</tt>
- <dd>The processor and kernel identification string.
- <dt><tt>system</tt>
- <dd>The operating system version and release identifier.
- <dt><tt>state</tt>
- <dd>The state of the clock discipline state machine. The values are described in the architecture briefing on the NTP Project page linked from www.ntp.org.
- <dt><tt>peer</tt>
- <dd>The internal integer used to identify the association currently designated the system peer.
- <dt><tt>jitter</tt>
- <dd>The estimated time error of the system clock measured as an exponential average of RMS time differences.
- <dt><tt>stability</tt>
- <dd>The estimated frequency stability of the system clock measured as an exponential average of RMS frequency differences.
- </dl>
- <p>When the NTPv4 daemon is compiled with the OpenSSL software library, additional system variables are displayed, including some or all of the following, depending on the particular dance:</p>
- <dl>
- <dt><tt>flags</tt>
- <dd>The current flags word bits and message digest algorithm identifier (NID) in hex format. The high order 16 bits of the four-byte word contain the NID from the OpenSSL ligrary, while the low-order bits are interpreted as follows:
- <dd>
- <dl>
- <dt><tt>0x01</tt>
- <dd>autokey enabled
- <dt><tt>0x02</tt>
- <dd>NIST leapseconds file loaded
- <dt><tt>0x10</tt>
- <dd>PC identity scheme
- <dt><tt>0x20</tt>
- <dd>IFF identity scheme
- <dt><tt>0x40</tt>
- <dd>GQ identity scheme
- </dl>
- <dt><tt>hostname</tt>
- <dd>The name of the host as returned by the Unix <tt>gethostname()</tt> library function.
- <dt><tt>hostkey</tt>
- <dd>The NTP filestamp of the host key file.
- <dt><tt>cert</tt>
- <dd>A list of certificates held by the host. Each entry includes the subject, issuer, flags and NTP filestamp in order. The bits are interpreted as follows:
+ <dd>Perform the same function as the <tt>associations command</tt>, except that it uses previously stored data rather than making a new query.
+ <dt><tt>passwd</tt>
+ <dd>Specify the password to use for write requests.
+ <dt id="pe"><tt>peers</tt>
+ <dd>Display a list of associations in the form
+ <dd><tt>ind assid status conf reach auth condition last_event cnt</tt>
<dd>
- <dl>
- <dt><tt>0x01</tt>
- <dd>certificate has been signed by the server
- <dt><tt>0x02</tt>
- <dd>certificate is trusted
- <dt><tt>0x04</tt>
- <dd>certificate is private
- <dt><tt>0x08</tt>
- <dd>certificate contains errors and should not be trusted
- </dl>
- <dt><tt>leapseconds</tt>
- <dd>The NTP filestamp of the NIST leapseconds file.
- <dt><tt>refresh</tt>
- <dd>The NTP timestamp when the host public cryptographic values were refreshed and signed.
- <dt><tt>signature</tt>
- <dd>The host digest/signature scheme name from the OpenSSL library.
- <dt><tt>tai</tt>
- <dd>The TAI-UTC offset in seconds obtained from the NIST leapseconds table.
- </dl>
- <h4>Peer Variables</h4>
- <p>The <tt>status, srcadr, srcport, dstadr, dstport, leap, stratum, precision, rootdelay, rootdispersion, readh, hmode, pmode, hpoll, ppoll, offset, delay, dspersion, reftime</tt> variables are described in the RFC-1305 specification, as are the timestamps <tt>org, rec and xmt</tt>. Additional NTPv4 system variables include the following.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>remote</tt></td>
+ <td>index on this list</td>
+ </tr>
+ <tr>
+ <td><tt>refid</tt></td>
+ <td>association ID or <a href="decode.html#kiss">kiss code</a></td>
+ </tr>
+ <tr>
+ <td><tt>st</tt></td>
+ <td><a href="decode.html#peer">peer status word</a></td>
+ </tr>
+ <tr>
+ <td><tt>t</tt></td>
+ <td><tt>u</tt>: unicast, <tt>b</tt>: broadcast, <tt>l</tt>: local</td>
+ </tr>
+ <tr>
+ <td><tt>when</tt></td>
+ <td>sec/min/hr since last received packet</td>
+ </tr>
+ <tr>
+ <td><tt>poll</tt></td>
+ <td>poll interval (log<sub>2</sub> s)</td>
+ </tr>
+ <tr>
+ <td><tt>reach</tt></td>
+ <td>reach shift register (octal)</td>
+ </tr>
+ <tr>
+ <td><tt>delay</tt></td>
+ <td>roundtrip delay</td>
+ </tr>
+ <tr>
+ <td><tt>offset</tt></td>
+ <td>offset</td>
+ </tr>
+ <tr>
+ <td><tt>jitter</tt></td>
+ <td>jitter</td>
+ </tr>
+ </table>
+ <dt id="rv"><tt>readvar <i>assocID</i> <i>name</i> [ = <i>value</i> ] [,...]</tt><br>
+ <tt>rv <i>assocID</i> [ <i>name</i> ] [,...]</tt>
+ <dd>Display the specified variables. If the association ID is omitted or is given as zero, the variables are from the <a href="#system">system variables</a> name space, otherwise they are from the <a href="#peer">peer variables</a> name space. If no name is included, all operative variables in the name space are displayed. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format YYYYMMDDTTTT, where YYYY is the year, MM the month of year, DD the day of month and TTTT the time of day.<dt><tt>writevar <i>assocID</i> <i>name</i> = <i>value</i> [,...]</tt>
+ <dd>Write the specified variables. If the association ID is omitted or is given as zero, the variables are from the <a href="#system">system variables</a> name space, otherwise they are from the <a href="#peer">peer variables</a> name space.
+ <dt><tt>:config [...]</tt>
+ <dd>Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.</dl>
+ <h4 id="status">Status Words and Kiss Codes</h4>
+ <p>The current state of the operating program is shown in a set of status words maintained by the system and each association separately. These words are displayed in the <tt>rv</tt> and <tt>as</tt> commands both in hexadecimal and decoded short tip strings. The codes, tips and short explanations are on the <a href="decode.html">Event Messages and Status Words</a> page. The page also includes a list of system and peer messages, the code for the latest of which is included in the status word.</p>
+ <p>Information resulting from protocol machine state transitions is displayed using an informal set of ASCII strings called <a href="decode.html#kiss">kiss codes</a>. The original purpose was for kiss-o'-death (KoD) packets sent by the server to advise the client of an unusual condition. They are now displayed, when appropriate, in the reference identifier field in various billboards.</p>
+ <h4 id="system">System Variables</h4>
+ <p>The following system variables apear in the <tt>rv</tt> billboard. Not all variables are displayed in some configurations.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>status</tt></td>
+ <td><a href="decode.html#sys">system status word</a></td>
+ </tr>
+ <tr>
+ <td><tt>version</tt></td>
+ <td>NTP software version and build time</td>
+ </tr>
+ <tr>
+ <td><tt>processor</tt></td>
+ <td>hardware platform and version</td>
+ </tr>
+ <tr>
+ <td><tt>system</tt></td>
+ <td>operating system and version</td>
+ </tr>
+ <tr>
+ <td><tt>leap</tt></td>
+ <td>leap warning indicator (0-3)</td>
+ </tr>
+ <tr>
+ <td><tt>stratum</tt></td>
+ <td>stratum (1-15)</td>
+ </tr>
+ <tr>
+ <td><tt>precision</tt></td>
+ <td>precision (log<sub>2</sub> s)</td>
+ </tr>
+ <tr>
+ <td><tt>rootdelay</tt></td>
+ <td>total roundtrip delay to the primary reference clock</td>
+ </tr>
+ <tr>
+ <td><tt>rootdisp</tt></td>
+ <td>total dispersion to the primary reference clock</td>
+ </tr>
+ <tr>
+ <td><tt>peer</tt></td>
+ <td>system peer association ID</td>
+ </tr>
+ <tr>
+ <td><tt>tc</tt></td>
+ <td>time constant and poll exponent (log<sub>2</sub> s) (3-17)</td>
+ </tr>
+ <tr>
+ <td><tt>mintc</tt></td>
+ <td>minimum time constant (log<sub>2</sub> s) (3-10)</td>
+ </tr>
+ <tr>
+ <td><tt>clock</tt></td>
+ <td>date and time of day</td>
+ </tr>
+ <tr>
+ <td><tt>refid</tt></td>
+ <td>reference ID or <a href="decode.html#kiss">kiss code</a></td>
+ </tr>
+ <tr>
+ <td><tt>reftime</tt></td>
+ <td>reference time</td>
+ </tr>
+ <tr>
+ <td><tt>offset</tt></td>
+ <td>combined time offset</td>
+ </tr>
+ <tr>
+ <td><tt>sys_jitter</tt></td>
+ <td>combined system jitter</td>
+ </tr>
+ <tr>
+ <td><tt>frequency</tt></td>
+ <td>clock frequency offset (PPM)</td>
+ </tr>
+ <tr>
+ <td><tt>clk_wander</tt></td>
+ <td>clock frequency wander (PPM)</td>
+ </tr>
+ <tr>
+ <td><tt>clk_jitter</tt></td>
+ <td>clock jitter</td>
+ </tr>
+ <tr>
+ <td><tt>tai</tt></td>
+ <td>TAI-UTC offset (s)</td>
+ </tr>
+ <tr>
+ <td><tt>leapsec</tt></td>
+ <td>NTP seconds when the next leap second is/was inserted</td>
+ </tr>
+ <tr>
+ <td><tt>expire</tt></td>
+ <td>NTP seconds when the NIST leapseconds file expires</td>
+ </tr>
+ </table>
<dl>
- <dt><tt>flash</tt>
- <dd>The flash code for the most recent packet received. The encoding and meaning of these codes is given later in this page.
- <dt><tt>jitter</tt>
- <dd>The estimated time error of the peer clock measured as an exponential average of RMS time differences.
- <dt><tt>unreach</tt>
- <dd>The value of the counter which records the number of poll intervals since the last valid packet was received.
- </dl>
+ <dt>When the NTPv4 daemon is compiled with the OpenSSL software library, additional system variables are displayed, including some or all of the following, depending on the particular Autokey dance:</dl>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>host</tt></td>
+ <td>Autokey host name</td>
+ </tr>
+ <tr>
+ <td><tt>group</tt></td>
+ <td>Autokey group name</td>
+ </tr>
+ <tr>
+ <td><tt>flags</tt></td>
+ <td>host flags (see Autokey specification)</td>
+ </tr>
+ <tr>
+ <td><tt>signature</tt></td>
+ <td>OpenSSL digest/signature scheme</td>
+ </tr>
+ <tr>
+ <td><tt>update</tt></td>
+ <td>NTP seconds at last signature update</td>
+ </tr>
+ <tr>
+ <td><tt>cert</tt></td>
+ <td>certificate subject, issuer and certificate flags</td>
+ </tr>
+ <tr>
+ <td><tt>until</tt></td>
+ <td>NTP seconds when the certificate expires</td>
+ </tr>
+ </table>
+ <h4 id="peer">Peer Variables</h4>
+ <p>The following system variables apear in the <tt>rv</tt> billboard for each association. Not all variables are displayed in some configurations.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>associd</tt></td>
+ <td>association ID</td>
+ </tr>
+ <tr>
+ <td><tt>status</tt></td>
+ <td><a href="decode.html#peer">peer status word</a></td>
+ </tr>
+ <tr>
+ <td><tt>srcadr<br>
+ srcport</tt></td>
+ <td>source (remote) IP address and port</td>
+ </tr>
+ <tr>
+ <td><tt>dstadr<br>
+ dstport</tt></td>
+ <td>destination (local) IP address and port</td>
+ </tr>
+ <tr>
+ <td><tt>leap</tt></td>
+ <td>leap indicator (0-3)</td>
+ </tr>
+ <tr>
+ <td><tt>stratum</tt></td>
+ <td>stratum (0-15)</td>
+ </tr>
+ <tr>
+ <td><tt>precision</tt></td>
+ <td>precision (log<sub>2</sub> s)</td>
+ </tr>
+ <tr>
+ <td><tt>rootdelay</tt></td>
+ <td>total roundtrip delay to the primary reference clock</td>
+ </tr>
+ <tr>
+ <td><tt>rootdisp</tt></td>
+ <td>total root dispersion to the primary reference clock</td>
+ </tr>
+ <tr>
+ <td><tt>refid</tt></td>
+ <td>reference ID or <a href="decode.html#kiss">kiss code</a></td>
+ </tr>
+ <tr>
+ <td><tt>reftime</tt></td>
+ <td>reference time</td>
+ </tr>
+ <tr>
+ <td><tt>reach</tt></td>
+ <td>reach register (octal)</td>
+ </tr>
+ <tr>
+ <td><tt>unreach</tt></td>
+ <td>unreach counter</td>
+ </tr>
+ <tr>
+ <td><tt>hmode</tt></td>
+ <td>host mode (1-6)</td>
+ </tr>
+ <tr>
+ <td><tt>pmode</tt></td>
+ <td>peer mode (1-5)</td>
+ </tr>
+ <tr>
+ <td><tt>hpoll</tt></td>
+ <td>host poll exponent (log<sub>2</sub> s) (3-17)</td>
+ </tr>
+ <tr>
+ <td><tt>ppoll</tt></td>
+ <td>peer poll exponent (log<sub>2</sub> s) (3-17)</td>
+ </tr>
+ <tr>
+ <td><tt>headway</tt></td>
+ <td>headway (s)</td>
+ </tr>
+ <tr>
+ <td><tt>flash</tt></td>
+ <td><a href="decode.html#flash">flash status word</a></td>
+ </tr>
+ <tr>
+ <td><tt>offset</tt></td>
+ <td>filter offset</td>
+ </tr>
+ <tr>
+ <td><tt>delay</tt></td>
+ <td>filter delay</td>
+ </tr>
+ <tr>
+ <td><tt>dispersion</tt></td>
+ <td>filter dispersion</td>
+ </tr>
+ <tr>
+ <td><tt>jitter</tt></td>
+ <td>filter jitter</td>
+ </tr>
+ </table>
<p>When the NTPv4 daemon is compiled with the OpenSSL software library, additional peer variables are displayed, including the following:</p>
- <dl>
- <dt><tt>flags</tt>
- <dd>The current flag bits. This word is the server host status word with additional bits used by the Autokey state machine. See the source code for the bit encoding.
- <dt><tt>hostname</tt>
- <dd>The server host name.
- <dt><tt>initkey <i>key</i></tt>
- <dd>The initial key used by the key list generator in the Autokey protocol.
- <dt><tt>initsequence <i>index</i></tt>
- <dd>The initial index used by the key list generator in the Autokey protocol.
- <dt><tt>signature</tt>
- <dd>The server message digest/signature scheme name from the OpenSSL software library.
- <dt><tt>timestamp <i>time</i></tt>
- <dd>The NTP timestamp when the last Autokey key list was generated and signed.
- </dl>
- <h4>Flash Codes</h4>
- <p>The <tt>flash</tt> code is a valuable debugging aid displayed in the peer variables list. It shows the results of the original sanity checks defined in the NTP specification RFC-1305 and additional ones added in NTPv4. There are 12 tests designated <tt>TEST1</tt> through <tt>TEST12</tt>. The tests are performed in a certain order designed to gain maximum diagnostic information while protecting against accidental or malicious errors. The <tt>flash</tt> variable is initialized to zero as each packet is received. If after each set of tests one or more bits are set, the packet is discarded.</p>
- <p>Tests <tt>TEST1</tt> through <tt>TEST3</tt> check the packet timestamps from which the offset and delay are calculated. If any bits are set, the packet is discarded; otherwise, the packet header variables are saved. <tt>TEST4</tt> and <tt>TEST5</tt> are associated with access control and cryptographic authentication. If any bits are set, the packet is discarded immediately with nothing changed.</p>
- <p>Tests <tt>TEST6</tt> through <tt>TEST8</tt> check the health of the server. If any bits are set, the packet is discarded; otherwise, the offset and delay relative to the server are calculated and saved. <tt>TEST9</tt> checks the health of the association itself. If any bits are set, the packet is discarded; otherwise, the saved variables are passed to the clock filter and mitigation algorithms.</p>
- <p>Tests <tt>TEST10</tt> through <tt>TEST12</tt> check the authentication state using Autokey public-key cryptography, as described in the <a href="authopt.html">Authentication Options</a> page. If any bits are set and the association has previously been marked reachable, the packet is discarded; otherwise, the originate and receive timestamps are saved, as required by the NTP protocol, and processing continues.</p>
- <p>The <tt>flash</tt> bits for each test are defined as follows.</p>
- <dl>
- <dt><tt>0x001 TEST1</tt>
- <dd>Duplicate packet. The packet is at best a casual retransmission and at worst a malicious replay.
- <dt><tt>0x002 TEST2</tt>
- <dd>Bogus packet. The packet is not a reply to a message previously sent. This can happen when the NTP daemon is restarted and before somebody else notices.
- <dt><tt>0x004 TEST3</tt>
- <dd>Unsynchronized. One or more timestamp fields are invalid. This normally happens when the first packet from a peer is received.
- <dt><tt>0x008 TEST4</tt>
- <dd>Access is denied. See the <a href="accopt.html">Access Control Options</a> page.
- <dt><tt>0x010 TEST5</tt>
- <dd>Cryptographic authentication fails. See the <a href="authopt.html">Authentication Options</a> page.
- <dt><tt>0x020TEST6</tt>
- <dd>The server is unsynchronized. Wind up its clock first.
- <dt><tt>0x040 TEST7</tt>
- <dd>The server stratum is at the maximum than 15. It is probably unsynchronized and its clock needs to be wound up.
- <dt><tt>0x080 TEST8</tt>
- <dd>Either the root delay or dispersion is greater than one second, which is highly unlikely unless the peer is unsynchronized to Mars.
- <dt><tt>0x100 TEST9</tt>
- <dd>Either the peer delay or dispersion is greater than one second, which is higly unlikely unless the peer is on Mars.
- <dt><tt>0x200 TEST10</tt>
- <dd>The autokey protocol has detected an authentication failure. See the <a href="authopt.html">Authentication Options</a> page.
- <dt><tt>0x400 TEST11</tt>
- <dd>The autokey protocol has not verified the server or peer is proventic and has valid public key credentials. See the <a href="authopt.html">Authentication Options</a> page.
- <dt><tt>0x800 TEST12</tt>
- <dd>A protocol or configuration error has occurred in the public key algorithms or a possible intrusion event has been detected. See the <a href="authopt.html">Authentication Options</a> page.
- </dl>
- <h4>Bugs</h4>
- <p>The peers command is non-atomic and may occasionally result in spurious error messages about invalid associations occurring and terminating the command. The timeout time is a fixed constant, which means you wait a long time for timeouts since it assumes sort of a worst case. The program should improve the timeout estimate as it sends queries to a particular host, but doesn't.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>flags</tt></td>
+ <td>peer flags (see Autokey specification)</td>
+ </tr>
+ <tr>
+ <td><tt>host</tt></td>
+ <td>Autokey server name</td>
+ </tr>
+ <tr>
+ <td><tt>signature</tt></td>
+ <td>initial session key ID</td>
+ </tr>
+ <tr>
+ <td><tt>initsequence</tt></td>
+ <td>initial key ID</td>
+ </tr>
+ <tr>
+ <td><tt>initkey</tt></td>
+ <td>initial key index</td>
+ </tr>
+ <tr>
+ <td><tt>timestamp</tt></td>
+ <td>Autokey signature timestamp</td>
+ </tr>
+ </table>
+ <h4>Clock Variables</h4>
+ <p>The following clock variables apear in the <tt>cv</tt> billboard for each association with a reference clock. Not all variables are displayed in some configurations.</p>
+ <table width="100%" border="1" cellspacing="2" cellpadding="2">
+ <tr>
+ <td>Variable</td>
+ <td>Description</td>
+ </tr>
+ <tr>
+ <td><tt>associd</tt></td>
+ <td>association ID</td>
+ </tr>
+ <tr>
+ <td><tt>status</tt></td>
+ <td><a href="decode.html#clock">clock status word</a></td>
+ </tr>
+ <tr>
+ <td><tt>device</tt></td>
+ <td>device description</td>
+ </tr>
+ <tr>
+ <td><tt>timecode</tt></td>
+ <td>ASCII timecode string (specific to device)</td>
+ </tr>
+ <tr>
+ <td><tt>poll</tt></td>
+ <td>poll messages sent</td>
+ </tr>
+ <tr>
+ <td><tt>noreply</tt></td>
+ <td>no reply</td>
+ </tr>
+ <tr>
+ <td><tt>badformat</tt></td>
+ <td>bad format</td>
+ </tr>
+ <tr>
+ <td><tt>baddata</tt></td>
+ <td>bad date or time</td>
+ </tr>
+ <tr>
+ <td><tt>fudgetime1</tt></td>
+ <td>fudge time 1</td>
+ </tr>
+ <tr>
+ <td><tt>fudgetime2</tt></td>
+ <td>fudge time 2</td>
+ </tr>
+ <tr>
+ <td><tt>stratum</tt></td>
+ <td>driver stratum</td>
+ </tr>
+ <tr>
+ <td><tt>refid</tt></td>
+ <td>driver reference ID</td>
+ </tr>
+ <tr>
+ <td><tt>flags</tt></td>
+ <td>driver flags</td>
+ </tr>
+ </table>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="HTML Tidy, see www.w3.org">
- <title>ntptime - read kernel time variables</title>
+ <title>ntptime - read and set kernel time variables</title>
<link href="scripts/style.css" type="text/css" rel="stylesheet">
</head>
<body>
- <h3><tt>ntptime</tt> - read kernel time variables</h3>
+ <h3><tt>ntptime</tt> - read and set kernel time variables</h3>
<img src="pic/pogo5.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>The turtle has been swimming in the kernel.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">18:46</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="246">Thursday, July 28, 2005</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:40</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="289">Wednesday, March 12, 2008</csobj></p>
<br clear="left">
<hr>
<h4>Synopsis</h4>
<h3>Quick Start</h3>
<img src="pic/panda.gif" alt="gif" align="left">FAX test image for SATNET (1979).
<p>The baby panda was scanned at University College London and used as a FAX test image for a demonstration of the DARPA Atlantic SATNET Program and the first transatlantic Internet connection in 1978. The computing system used for that demonstration was called the <a href="http://www.eecis.udel.edu/%7emills/database/papers/fuzz.ps">Fuzzball</a>. As it happened, this was also the first Internet multimedia presentation and the first to use NTP in regular operation. The image was widely copied and used for testing purpose throughout much of the 1980s.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">20:02</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="292">Monday, December 31, 2007</csobj></p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:25</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/install.txt"></script>
<hr>
<p>For the rank amateur the sheer volume of the documentation collection must be intimidating. However, it doesn't take much to fly the <tt>ntpd</tt> daemon with a simple configuration where a workstation needs to synchronize to some server elsewhere in the Internet. The first thing is to build the distribution for the particular workstation and install in the usual place. The <a href="build.html">Building and Installing the Distribution</a> page describes how to do this.</p>
- <p>While it is possible that certain configurations do not need a configuration file, most do. The file, called by default <tt>/etc/ntp.conf</tt>, need only contain one line specifying a remote server, for instance</p>
+ <p>While it is possible that certain configurations do not need a configuration file, most do. The file, called by default <tt>/etc/ntp.conf</tt>, need only contain one command specifying a remote server, for instance</p>
<p><tt>server foo.bar.com</tt></p>
<p>Choosing an appropriate remote server is somewhat of a black art, but a suboptimal choice is seldom a problem. There are about two dozen public time servers operated by the <a href="http://tf.nist.gov/tf-cgi/servers.cgi">National Institutes of Science and Technology (NIST)</a>, <a href="http://tycho.usno.navy.mil/ntp.html">US Naval Observatory (USNO)</a>, <a href="http://inms-ienm.nrc-cnrc.gc.ca/time_services/network_time_protocol_e.html"> Canadian Metrology Centre (CMC)</a> and many others available on the Internet. Lists of public primary and secondary NTP servers maintained on the <a href="http://support.ntp.org/bin/view/Servers/WebHome">Public NTP Time Servers</a> page, which is updated frequently.The lists are sorted by country and, in the case of the US, by state. Usually, the best choice is the nearest in geographical terms, but the terms of engagement specified in each list entry should be carefully respected.</p>
- <p>During operation <tt>ntpd</tt> measures and corrects for incidental clock frequency error and writes the current value to a file specified by the </p>
+ <p>During operation <tt>ntpd</tt> measures and corrects for incidental clock frequency error and occasionally writes the current value to a file specified by the</p>
<p><tt>driftfile /etc/ntp.drift</tt></p>
- <p>command in the configuration file. If <tt>ntpd</tt> is stopped and restarted, it initializes the frequency from this file. In this way the potentially lengthy interval to relearn the frequency error is avoided.</p>
+ <p>configuration command. If <tt>ntpd</tt> is stopped and restarted, it initializes the frequency from this file and avoids the potentially lengthy interval to relearn the correction.</p>
<p>That's all there is to it, unless some problem in network connectivity or local operating system configuration occurs. The most common problem is some firewall between the workstation and server. System administrators should understand NTP uses UDP port 123 as both the source and destination port and that NTP does not involve any operating system interaction other than to set the system clock. While almost all modern Unix systems have included NTP and UDP port 123 defined in the services file, this should be checked if <tt>ntpd</tt> fails to come up at all.</p>
<p>The best way to confirm NTP is working is using the <a href="ntpq.html"><tt>ntpq</tt></a> utility, although the <a href="ntpdc.html"><tt>ntpdc</tt></a> utility may be useful in extreme cases. See the documentation pages for further information. Don't forget to check for <a href="msyslog.html"> system log messages</a>. In the most extreme cases the <tt>-d</tt> option on the <tt>ntpd</tt> command line results in a blow-by-blow trace of the daemon operations. While the trace output can be cryptic, to say the least, it gives a general idea of what the program is doing and, in particular, details the arriving and departing packets and any errors found.</p>
<hr>
<body>
<h3>Rate Management and the Kiss-o'-Death Packet</h3>
- <img src="pic/alice61.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>Packet blizzard</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">06:03</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="296">Saturday, February 02, 2008</csobj></p>
+ <img src="pic/boom4.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
+ <p>Our junior managers and the administrators.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:39</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 24, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/config.txt"></script>
<li class="inline"><a href="#burst">Burst Control</a>
<li class="inline"><a href="#mah">Average Headway Time</a>
<li class="inline"><a href="#mgt">Guard Time</a>
- <li class="inline"><a href="#kod">The Kiss-o'-Death Packet</a>
+ <li class="inline"><a href="#kiss">The Kiss-o'-Death Packet</a>
</ul>
<hr>
<h4 id="intro">Introduction</h4>
+ <p>This page describes the various rate management provisions in NTPv4. Details about the configuration commands and options are given on the <a href="confopt.html">Configuration Options</a> page. Details about the cryptographic authentication schemes are given on the <a href="authopt.html">Authentication Options</a> page. Details about the automatic server discovery schemes are described on the <a href="manyopt.html">Automatic Server Discovery Schemes</a> page. Additional information is available in the papers, reports, memoranda and briefings on the <a href="http://www.eecis.udel.edu/~mills/ntp.html"> NTP Project</a> page.</p>
<p>Some national time metrology laboratories, including NIST and USNO, use the <tt>ntpd</tt> reference implementation in their very busy public time servers. They operate multiple servers behind load-balancing devices to support aggregate rates up to several thousand packets per second. The servers need to defend themselves against all manner of broken implementations that can clog the server and and network infrastructure. On the other hand, friendly <tt>ntpd</tt> clients need to avoid configurations that can result in unfriendly rates.</p>
<p>There are several features in <tt>ntpd</tt> designed to defend the servers, clients and network against accidental or intentional flood attack. On the other hand these features are also used to insure <tt>ntpd</tt> is a good citizen, even if configured in unfriendly ways. The ground rules are:</p>
<ul>
- <li>Send at the lowest rate consistent with the required nominal error regime.<li>Maintain strict minimum average headway and guard times, even if multiple burst options and/or the Autokey protocol are operating.<li>When the first packet of a burst is sent to a server, do not send further packets until the first packet has been received from the server.<li>Upon receiving a Kiss-o'-Death packet (see below), immediately reduce the sending rate.
+ <li>Send at the lowest rate consistent with the expected accuracy expectations.<li>Maintain strict minimum average headway and guard times, even if multiple burst options and/or the Autokey protocol are operating.<li>When the first packet of a burst is sent to a server, do not send further packets until the first packet has been received from the server.<li>Upon receiving a Kiss-o'-Death packet (see below), immediately reduce the sending rate.
</ul>
<p>Rate management involves four algorithms to manage resources: (1) poll rate control, (2) burst control, (3) average headway time and (4) guard time. These are described in following sections.</p>
<h4 id="poll">Poll Rate Control</h4>
- <p>In the <tt>ntpd</tt> design control of the poll interval is an intricate balance between nominal errors and network load. As a rule of thumb, the nominal errors double for a fourfold increase in poll interval. As the poll interval increases from 64 s to 1024 s, for example, the nominal errors ecrease by a factor of four. Nevertheless and unless the lowest possible nominal error is required, the well mannered NTP client should allow the interval to increase to the maximum when possible.</p>
- <p>The poll interval is proportional to the time constant of the feedback loop which disciplines the system clock. The optimum time constant depends on the network time jitter and the clock oscillator frequency wander. Errors due to jitter are reduced as the time constant increases, while errors due to wander are decreased as the time constant decreases. The two error characteristics intersect at a point called the Allan intercept, which represents the ideal time constant. The <tt>ntpd</tt> poll interval algorithms slowly increases the poll interval when jitter dominates the error budget, but quickly reduces the interval when wander dominates it.</p>
- <p>In <tt>ntpd</tt> the poll interval is represented in log<sub>2</sub> s, so the actual values span the range 6-10. The algorithm uses a jiggle counter which operates over the range from -30 to +30 and is initialized at 0. If the measured offset is less than four times the measured average jitter, the counter is increased by the poll interval; if not, it is decreased by twice the poll interval. If the counter reaches +30, the poll interval is incremented by 1; if the counter reaches -30, the poll interval is decremented by 1. In either case the counter is set to 0.</p>
+ <p>Control of the poll interval is an intricate balance between expected acuracy and network load. The poll interval is constrained by the lower limit <tt>minpoll</tt> and upper limit <tt>maxpoll</tt> options of the <tt>server</tt> command and represented by the poll exponent in log<sub>2</sub> s units. The limits default to 6 (64 s) and 10 (1024 s), respectively, which are appropriate for the vast majority of cases. The default limits can be changed with these options to a minimum set by the <tt>average</tt> option of the <tt>discard</tt> command (see below) to a maximum of 17 (36 h). Unless the best possible accuracy is required, the well mannered NTP client automatically increases the poll interval to the maximum when possible, whether or not the server is reachable. The current poll interval for each association is displayed by the <tt>ntpq</tt> program <a href="ntpq.html#pe"><tt>pe</tt></a> command. The global poll interval/time constant is displayed as the poll system variable by the rv command. The minimum global poll interval/time constant is displayed as the minpoll system variable by the <a href="ntpq.html#pe"><tt>rv</tt></a> command.</p>
+ <p>As a rule of thumb, the expected errors increase by a factor of two as the poll interval increases by a factor of four. The <tt>ntpd</tt> poll interval algorithm slowly increases the poll interval when jitter dominates the error budget, but quickly reduces the interval when wander dominates it. The algorithm uses a jiggle counter which operates over the range from <font face="symbol">-</font>30 to +30 and is initialized at 0. If the measured offset is less than four times the measured average jitter, the counter is increased by the pollcurrent exponent; if not, it is decreased by twice the poll exponent. If the counter reaches +30, the poll exponent is incremented by 1; if the counter reaches <font face="symbol">-</font>30, the exponent is decremented by 1. In either case the counter is set to 0.</p>
+ <p>The poll interval is proportional to the time constant of the feedback loop which disciplines the system clock. The optimum time constant depends on the network time jitter and the clock oscillator frequency wander. Errors due to jitter decrease as the time constant increases, while errors due to wander decrease as the time constant decreases. The two error characteristics intersect at a point called the Allan intercept, which represents the ideal time constant. With a compromise Allan intercept of 2000 s, the optimim poll interval is about 64 s, which corresponds to a poll exponent of 6.</p>
+ <p>There is normally no need to change the poll limits, as the poll interval is managed automatically as a function of prevailing jitter and wander. The most common exceptions are the following.</p>
+ <ul>
+ <li>With fast, lightly loaded LANs and modern processors, the nominal Allan intercept is about 500 s. In these cases the expected errors can be further reduced using a poll exponent of 4 (16 s). In the case of the pulse-per-second (PPS) driver, this is the recommended value. <li>With symmetric modes the most stable behavior results when both peers are configured in symmetric active mode with matching poll intervals of 6 (64 s).<li>The poll interval should not be modified for reference clocks, with the single exception the ACTS telephone modem driver. In this case the recommended minimum and maximum intervals are 12 (1.1 h) and 17 (36 h), respectively.</ul>
<h4 id="burst">Burst Control</h4>
- <p>Occasionally it is necessary to send packets at intervals less than the poll interval. For instance, with the burst and iburst options, the poll algorithm sends a burst of several packets at 2-s intervals. The <tt>ntpd</tt> poll algorithm avoids sending needless packets if the server is not responding. If a burst is to be sent, the client sends only a single packet. When the first packet is received from the server, the client continues with the remaining packets in the burst. If the first packet is not received within 64 s, it will be sent again for two additional retries before giving up. The result is to minimize network load if the server is not responding.</p>
- <p>For the iburst option the number of packets in the burst is six, which is the number normally needed to synchronize the clock; for the burst option, the number of packets in the burst is determined by the difference between the poll interval and the minimum poll interval set by the <tt>minpoll</tt> option of the <tt>server</tt> command. For instance, at a poll interval of 6 (64 s), only a single packet is sent for every poll, while the full number of eight packets is sent at poll intervals of 9 (512 s) or more.</p>
+ <p>Occasionally it is necessary to send packets at intervals less than the poll interval. For instance, with the <tt>burst</tt> and <tt>iburst</tt> options of the <tt>server</tt> command, the poll algorithm sends a burst of several packets at 2-s intervals. The <tt>ntpd</tt> poll algorithm avoids sending needless packets if the server is not responding. The client begins a burst with a single packet. When the first packet is received from the server, the client continues with the remaining packets in the burst. If the first packet is not received within 64 s, it will be sent again for two additional retries before beginning backoff. The result is to minimize network load if the server is not responding.</p>
+ <p>For the <tt>iburst</tt> option the number of packets in the burst is six, which is the number normally needed to synchronize the clock; for the <tt>burst</tt> option, the number of packets in the burst is determined by the difference between the poll interval and the minimum poll interval set by the <tt>minpoll</tt> option of the <a href="confopt.html#server"><tt>server</tt></a> command. For instance, with a poll exponent of 6 (64 s), only a single packet is sent for every poll, while the full number of eight packets is sent at poll intervals of 9 (512 s) or more.</p>
<h4 id="mah">Average Headway Time</h4>
- <p>There are features in <tt>ntpd</tt> to manage the interval between one packet and the next. These features make use of a set of counters: an output counter for each client association and an input counter for each distinct client address. Each counter increments by a value called the headway when a packet is processed and decrements by one each second. The default headway in <tt>ntpd</tt> is 16 s, but this can be changed using the <tt>average</tt> option of the <tt>discard</tt> command.</p>
- <p>If the iburst or burst options are present, the poll algorithm sends a burst of packets instead of a single packet at each poll opportunity. The NTPv4 specification requires that bursts contain no more than eight packets; so, starting from an output counter value of zero, the maximum counter value or ouput ceiling can be no more than eight times the minimum poll interval set by the <tt>minpoll</tt> option of the <tt>server</tt> command. However, if the burst starts with a counter value other than zero, there is a potential to exceed the ceiling. The poll algorithm avoids this by computing an additional headway time so that the next packet sent will not exceed the ceiling. Additional headway time can result from Autokey protocol operations. Designs such as this are often called leaky buckets.</p>
- <p>The <tt>ntpd</tt> input packet routine uses a special list of entries, one for each distinct client address found. Each entry includes an IP address, input counter and time of the most recent arrival. The entries are ordered by time of arrival, most recent first. As each packet arrives, the IP source address is compared to the IP address in each entry in turn. If a match is found the entry is removed and inserted first on the list. If the IP source address does not match any entry, a new entry is created and inserted first, possibly discarding the last entry on the list if it is full. Observers will note this is the same algorithm used for page replacement in virtual memory systems.</p>
- <p>In the virtual memory algorithm the entry of interest is the last, whereas here the entry of interest is the first. The input counter is decreased by the time since it was last referenced, but not below zero. If the value of the counter plus the headway is greater than the input ceiling set by the <tt>average</tt> option of the <tt>discard</tt> command, the packet is discarded. Otherwise, the counter is increased by the headway and the packet is processed. The result is, if the client maintains a maximum average headway not less than the input ceiling and transmits no more than eight packets in a burst, the input counter will not exceed the input ceiling.</p>
+ <p>There are two features in <tt>ntpd</tt> to manage the interval between one packet and the next. These features make use of a set of counters: a client output counter for each association and a server input counter for each distinct client address. Each counter increments by a value called the headway when a packet is processed and decrements by one each second. The default minimum average headway in <tt>ntpd</tt> is 8 s, but this can be changed using the <tt>average</tt> option of the <a href="miscopt.html#discard"><tt>discard</tt></a> command, but not less than 3 (8 s).</p>
+ <p>If the <tt>iburst</tt> or <tt>burst</tt> options are present, the poll algorithm sends a burst of packets instead of a single packet at each poll opportunity. The NTPv4 specification requires that bursts contain no more than eight packets; so, starting from an output counter value of zero, the maximum counter value or ouput ceiling can be no more than eight times the minimum poll interval set by the <tt>minpoll</tt> option of the <a href="confopt.html#server"><tt>server</tt></a> command. However, if the burst starts with a counter value other than zero, there is a potential to exceed the ceiling. The poll algorithm avoids this by computing an additional headway time so that the next packet sent will not exceed the ceiling. Additional headway time can result from Autokey protocol operations. Designs such as this are often called leaky buckets. The current headway is displayed as the headway peer variable by the <tt>ntpq</tt> <a href="ntpq.html#pe"><tt>rv</tt></a> command.</p>
+ <p>The <tt>ntpd</tt> input packet routine uses a special list of entries, one for each distinct client address found. Each entry includes an IP address, input counter and interval since the last packet arrival. The entries are ordered by interval from the smallest to the largest. As each packet arrives, the IP source address is compared to the IP address in each entry in turn. If a match is found the entry is removed and inserted first on the list. If the IP source address does not match any entry, a new entry is created and inserted first, possibly discarding the last entry on the list if it is full. Observers will note this is the same algorithm used for page replacement in virtual memory systems.</p>
+ <p>In the virtual memory algorithm the entry of interest is the last, whereas here the entry of interest is the first. The input counter is decreased by the interval since it was last referenced, but not below zero. If the value of the counter plus the headway is greater than the input ceiling set by the <tt>average</tt> option, the packet is discarded. Otherwise, the counter is increased by the headway and the packet is processed. The result is, if the client maintains a maximum average headway not less than the input ceiling and transmits no more than eight packets in a burst, the input counter will not exceed the ceiling.</p>
<h4 id="mgt">Guard Time</h4>
- <p>A review of past client abuse incidence shows the most frequent scenario is a broken client that attempts to send a number of packets at rates of one per second or more. There have been occasions where this abuse has persisted for days at a time. These scenarios are the most damaging, as they can threaten not only the victim server but the network infrastructure as well.</p>
- <p>In the <tt>ntpd</tt> server design the minimum headway between the last packet received and the current packet is called the guard time. If the headway is less than the guard time, the packet is discarded. The guard time defaults to 2 s, but this can be changed using the <tt>minimum</tt> option of the <tt>discard</tt> ommand.</p>
- <h4 id="kod">The Kiss-o'-Death Packet</h4>
- <p>As an optional feature <tt>ntpd</tt> can send a special packet called the Kiss-o'-Death (KoD) packet when either the average headway or guard time is violated. The KoD is a packet with leap bits 11, stratum 0 and reference ID field other than 0. In this case the reference ID field is a four-character ASCII string, called the kiss code, showing the reason for the KoD. The KoD is enabled by the <tt>limited kod</tt> options to the <tt>restrict</tt> command.</p>
- <p>At present, only one kiss code <tt>RATE</tt> is used to tell the client to slow down. In order to make sure the client notices the KoD, the receive and transmit timestamps are set to the transmit timestamp of the client packet and all other fields left as in the client packet. Thus, even if the client ignores the KoD, it cannot do any useful time computations. KoDs themselves are rate limited in the same way as arriving packets in order to deflect a flood attack.</p>
- <p>There is some controversy about the KoD provisions. The nature of the datagram service supporting NTP provides no way to throttle clients other than behaving badly. Clients are strongly advised to support the KoD, but there are no legal or societal statutes requiring it. The reference implementation responds to a KoD by temporarily increasing the ouptut counter and thus the headway.</p>
+ <p>A review of past client abuse incidence shows the most frequent scenario is a broken client that attempts to send a number of packets at rates of one per second or more. On one occasion due to a defective client design, over 750,000 clients fell into this mode. There have been occasions where this abuse has persisted for days at a time. These scenarios are the most damaging, as they can threaten not only the victim server but the network infrastructure as well.</p>
+ <p>In the <tt>ntpd</tt> design the minimum headway between the last packet received and the current packet is called the guard time. If the headway is less than the guard time, the packet is discarded. The guard time defaults to 2 s, but this can be changed using the <tt>minimum</tt> option of the <a href="miscopt.html#discard"><tt>discard</tt></a> ommand.</p>
+ <h4 id="kiss">The Kiss-of-Death Packet</h4>
+ <p>Ordinarily, packets denied service are simply dropped with no further action except incrementing statistics counters. Sometimes a more proactive response is needed to cause the client to slow down. A special packet format has been created for this purpose called the kiss-o'-death (KoD) packet. KoD packets have leap indicator 3, stratum 0 and the reference identifier set to a four-byte ASCII code. At present, only one code <tt>RATE</tt> is sent by the server if the <tt>limited</tt> and <tt>kod</tt> flags are set in the <a href="accopt.html#restrict"><tt>restrict</tt></a> command and the rate limit is exceeded.</p>
+ <p>A client receiving a KoD packet is expected to slow down; however, no explicit mechanism is specified in the protocol to do this. In the current reference implementation, the server sets the packet poll to the greater of (a) minimum average headway and (b) client packet poll. The client sets the peer poll field to the maximum of (a) minimum average headway and (b) server packet poll. For KoD packets (only), the minimum peer poll is clamped not less than the peer poll and the headway temporarily increased. </p>
+ <p>At present there is only one KoD packet with code <tt>RATE.</tt> In order to make sure the client notices the KoD, the receive and transmit timestamps are set to the transmit timestamp of the client packet and all other fields left as in the client packet. Thus, even if the client ignores the KoD, it cannot do any useful time computations. KoDs themselves are rate limited in the same way as arriving packets in order to deflect a flood attack.</p>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
<body>
<h3>NTP Version 4 Release Notes</h3>
<img src="pic/hornraba.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>The rabbit toots to make sure you read this</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:47</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="276">Tuesday, January 01, 2008</csobj></p>
+ <p>The rabbit toots to make sure you read this.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:10</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="250">Sunday, March 02, 2008</csobj></p>
.<br clear="left">
<hr>
<h4>NTP Version 4 Release Notes</h4>
--- /dev/null
+document.write("<h4>Access Control Commands</h4><p><ul>\
+<li class='inline'><a href='accopt.html#discard'>discard - specify headway parameters</a><br>\
+<li class='inline'><a href='accopt.html#restrict'>restrict - specify access restrictions</a><br>\
+<li class='inline'><a href='comdex.html'>Command Index</a></p>\
+</ul>")
\ No newline at end of file
--- /dev/null
+document.write("<h4>Authentication Commands</h4><p><ul>\
+<li class='inline'><a href='authopt.html#autokey'>autokey - specify autokey regeneration interval</a><br>\
+<li class='inline'><a href='authopt.html#controlkey'>driftfile - specify control key ID</a><br>\
+<li class='inline'><a href='authopt.html#crypto'>crypto - configure Autokey parameters</a><br>\
+<li class='inline'><a href='authopt.html#keys'>keys - specify MD5 keys file</a><br>\
+<li class='inline'><a href='authopt.html#keysdir'>keysdir - specify Autokey key directory</a><br>\
+<li class='inline'><a href='authopt.html#requestkey'>includefile - specify include file</a><br>\
+<li class='inline'><a href='authopt.html#revoke'>revoke - specify Autokey randomization interval</a><br>\
+<li class='inline'><a href='authopt.html#trustedkey'>trustedkey - specify trusted key IDs</a><br>\
+<li class='inline'><a href='comdex.html'>Command Index</a></p>\
+</ul>")
\ No newline at end of file
--- /dev/null
+document.write("<h4>Reference Clock Commands</h4><p><ul>\
+<li class='inline'><a href='clockopt.html#server'>server - specify reference clock server</a><br>\
+<li class='inline'><a href='clockopt.html#fudge'>fudge - specify fudge parameters</a><br>\
+<li class='inline'><a href='comdex.html'>Command Index</a></p>\
+</ul>")
\ No newline at end of file
document.write("<ul><p>Configuration Commands and Options<br><ul>\
+<li class='inline'><a href='comdex.html'>Command Index</a><br>\
<li class='inline'><a href='confopt.html'>Server Options</a><br>\
<li class='inline'><a href='accopt.html'>Access Control Options</a><br>\
<li class='inline'><a href='authopt.html'>Authentication Options</a><br>\
<ul>\
<li class='inline'><a href='assoc.html'>Association Management</a><br>\
<li class='inline'><a href='rate.html'>Rate Management and the Kiss-o'-Death Packet</a><br>\
-<li class='inline'><a href='manyopt.html'>Automatic Server Discovery Schemes</a><br>\
+<li class='inline'><a href='manyopt.html'>Automatic Server Discovery</a><br>\
<li class='inline'><a href='sitemap.html'>Site Map</a></p>\
</ul></ul>")
\ No newline at end of file
--- /dev/null
+document.write("<h4>Server Commands</h4><p><ul>\
+<li class='inline'><a href='confopt.html#server'>server - configure client association</a><br>\
+<li class='inline'><a href='confopt.html#server'>peer - configure symmetric peer association</a><br>\
+<li class='inline'><a href='confopt.html#server'>broadcast - configure broadcast server association</a><br>\
+<li class='inline'><a href='confopt.html#server'>manycastclient - configure manycast client association</a><br>\
+<li class='inline'><a href='confopt.html#server'>pool - configure pool association</a><br>\
+<li class='inline'><a href='confopt.html#broadcastclient'>broadcastclient - enable broadcast client</a><br>\
+<li class='inline'><a href='confopt.html#manycastserver'>manycastserver - enable manycast server</a><br>\
+<li class='inline'><a href='confopt.html#multicastclient'>multicastclient - enable multicast client</a><br>\
+<li class='inline'><a href='comdex.html'>Command Index</a></p>\
+</ul>")
\ No newline at end of file
document.write("<ul><p>External Links<br><ul>\
<li class='inline'><a href='http://www.eecis.udel.edu/~mills/book.html'>Computer Network Time Synchronization - The Network Time Protocol (book)</a><br>\
-<li class='inline'><a href='http://www.ntp.org/index.html'>NTP: The Network Time Protocol (home page)</a><br>\
-<li class='inline'><a href='http://www.eecis.udel.edu/~mills/ntp.html'>Network Time Protocol Research Project (home page)</a><br>\
+<li class='inline'><a href='http://www.ntp.org/index.html'>NTP Public Services Project (home page)</a><br>\
+<li class='inline'><a href='http://www.eecis.udel.edu/~mills/ntp.html'>NTP Research Project (home page)</a><br>\
<li class='inline'><a href='http://www.eecis.udel.edu/~mills/exec.html'>Executive Summary: Computer Network Time Synchronization</a><br>\
-<li class='inline'><a href='http://www.eecis.udel.edu/~mills/leap.html'>NTP Timestamp Calculations</a><br>\
+<li class='inline'><a href='http://www.eecis.udel.edu/~mills/leap.html'>The NTP Timescale and Leap Seconds</a><br>\
+<li class='inline'><a href='http://www.eecis.udel.edu/~mills/time.html'>NTP Timestamp Calculations</a><br>\
<li class='inline'><a href='http://www.eecis.udel.edu/~mills/y2k.html'>The NTP Era and Era Numbering</a><br>\
-<li class='inline'><a <li class='inline'><a href='http://www.eecis.udel.edu/~mills/autocfg.html'>Autonomous Configuration</a><br>\
+<li class='inline'><a href='http://www.eecis.udel.edu/~mills/stamp.html'>Timestamp Capture Principles</a><br>\
+<li class='inline'><a href='http://www.eecis.udel.edu/~mills/autocfg.html'>Autonomous Configuration</a><br>\
<li class='inline'><a href='http://www.eecis.udel.edu/~mills/autokey.html'>Autonomous Authentication</a><br>\
<li class='inline'><a href='http://www.eecis.udel.edu/~mills/proto.html'>Autokey Protocol</a><br>\
<li class='inline'><a href='http://www.eecis.udel.edu/~mills/ident.html'>Autokey Identity Schemes</a><br>\
document.write("<ul><p>Build and Install<br><ul>\
<li class='inline'><a href='build.html'>Building and Installing the Distribution</a><br>\
<li class='inline'><a href='quick.html'>Quick Start</a><br>\
-<li class='inline'><a href='release.html'>Release Notess</a><br>\
-<li class='inline'><a href='config.html'>Configuration Options</a><br>\
+<li class='inline'><a href='release.html'>Release Notes</a><br>\
+<li class='inline'><a href='config.html'>Build Options</a><br>\
<li class='inline'><a href='debug.html'>NTP Debugging Techniques</a><br>\
<li class='inline'><a href='rdebug.html'>Debugging Reference Clock Drivers</a><br>\
+<li class='inline'><a href='decode.html'><tt>ntpd</tt> Event Messages and Status Words</a><br>\
<li class='inline'><a href='msyslog.html'><tt>ntpd</tt> System Log Messages</a><br>\
<li class='inline'><a href='bugs.html'>NTP Bug Reporting Procedures</a><br>\
<li class='inline'><a href='sitemap.html'>Site Map</a></p>\
<li class='inline'><a href='ntpq.html'><tt>ntpq</tt> - standard NTP query program</a><br>\
<li class='inline'><a href='ntpdc.html'><tt>ntpdc</tt> - special NTP query program</a><br>\
<li class='inline'><a href='ntpdate.html'><tt>ntpdate</tt> - set the date and time via NTP</a><br>\
+<li class='inline'><a href='sntp.html'><tt>sntp</tt> - Simple Network Time Protocol (SNTP) client</a><br>\
<li class='inline'><a href='ntptrace.html'><tt>ntptrace</tt> - trace a chain of NTP servers back to the primary source</a><br>\
<li class='inline'><a href='tickadj.html'><tt>tickadj</tt> - set time-related kernel variables</a><br>\
-<li class='inline'><a href='ntptime.html'><tt>ntptime</tt> - read kernel time variables</a><br>\
+<li class='inline'><a href='ntptime.html'><tt>ntptime</tt> - read and set kernel time variables</a><br>\
<li class='inline'><a href='keygen.html'><tt>ntp-keygen</tt> - generate public and private keys</a><br>\
<li class='inline'><a href='ntpdsim_new.html'><tt>ntpdsim</tt> - Network Time Protocol (NTP) simulator</a><br>\
-<li class='inline'><a href='sntp.html'><tt>sntp</tt> - Simple Network Time Protocol (SNTP) Client</a><br>\
<li class='inline'><a href='sitemap.html'>Site Map</a></p>\
</ul></ul>")
\ No newline at end of file
--- /dev/null
+document.write("<h4>Miscellaneous Commands</h4><p><ul>\
+<li class='inline'><a href='miscopt.html#broadcastdelay'>broadcastdelay - specify broadcast delay</a><br>\
+<li class='inline'><a href='miscopt.html#driftfile'>driftfile - specify frequency file</a><br>\
+<li class='inline'><a href='miscopt.html#enable'>enable - enable options</a><br>\
+<li class='inline'><a href='miscopt.html#enable'>disable - disable options</a><br>\
+<li class='inline'><a href='miscopt.html#includefile'>includefile - specify include file</a><br>\
+<li class='inline'><a href='miscopt.html#leapfile'>leapfile - specify leapseconds file</a><br>\
+<li class='inline'><a href='miscopt.html#logconfig'>logconfig - configure log file</a><br>\
+<li class='inline'><a href='miscopt.html#phone'>phone - specify modem phone numbers</a><br>\
+<li class='inline'><a href='miscopt.html#setvar'>setvar - set system variables</a><br>\
+<li class='inline'><a href='miscopt.html#tinker'>tinker - modify sacred system parameters (dangerous)</a><br>\
+<li class='inline'><a href='miscopt.html#tos'>tos - modify service parameters</a><br>\
+<li class='inline'><a href='miscopt.html#trap'>trap - set trap address</a><br>\
+<li class='inline'><a href='miscopt.html#ttl'>ttl - set time to live</a><br>\
+<li class='inline'><a href='comdex.html'>Command Index</a></p>\
+</ul>")
\ No newline at end of file
--- /dev/null
+document.write("<h4>Monitoring Commands</h4><p><ul>\
+<li class='inline'><a href='monopt.html#filegen'>filegen - specify monitor files</a><br>\
+<li class='inline'><a href='monopt.html#statsdir'>statsdir - specify monitor files directory</a><br>\
+<li class='inline'><a href='comdex.html'>Command Index</a></p>\
+</ul>")
\ No newline at end of file
<body>
<h3>Site Map</h3>
- <img src="pic/barnstable.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html"><i>P.T. Bridgeport Bear</i>; from <i>Pogo</i>, Walt Kelly</a>
- <p>Pleased to meet you.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">20:40</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="292">Monday, December 31, 2007</csobj></p>
+ <img src="pic/alice15.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice in Wonderland</i>, Lewis Carroll</a>
+ <p>Welcome to the tea party.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:10</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 03, 2008</csobj></p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/install.txt"></script>
<script type="text/javascript" language="javascript" src="scripts/external.txt"></script>
<hr>
<div align="center">
- <img src="pic/pogo1a.gif" alt="gif"></div>
+ <img src="pic/tribeb.gif" alt="gif"></div>
<br>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
- <title>Simple Network Time Protocol (SNTP) Client</title>
+ <title><tt>sntp</tt> - Simple Network Time Protocol (SNTP) Client</title>
<link href="scripts/style.css" type="text/css" rel="stylesheet">
</head>
<body>
- <h3>Simple Network Time Protocol (SNTP) Client</h3>
+ <h3><tt>sntp</tt> - Simple Network Time Protocol (SNTP) Client</h3>
<img src="pic/dogsnake.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>S is for snakeoil</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">19:21</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="294">Monday, November 26, 2007</csobj></p>
+ <p>S is for snakeoil.</p>
+ <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">16:31</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="289">Wednesday, March 12, 2008</csobj></p>
<br clear="left">
<hr>
<h4>Synopsis</h4>
#define TEST2 0x0002 /* bogus packet */
#define TEST3 0x0004 /* protocol unsynchronized */
#define TEST4 0x0008 /* access denied */
-#define TEST5 0x0010 /* authentication error */
+#define TEST5 0x0010 /* bad authentication */
#define TEST6 0x0020 /* bad synch or stratum */
-#define TEST7 0x0040 /* bad header data */
-#define TEST8 0x0080 /* autokey error */
-#define TEST9 0x0100 /* crypto error */
+#define TEST7 0x0040 /* bad header */
+#define TEST8 0x0080 /* bad autokey */
+#define TEST9 0x0100 /* bad crypto */
#define PKT_TEST_MASK (TEST1 | TEST2 | TEST3 | TEST4 | TEST5 |\
TEST6 | TEST7 | TEST8 | TEST9)
/*
*/
keyid_t keyid; /* current key ID */
#ifdef OPENSSL
-#define clear_to_zero assoc
+#define clear_to_zero opcode
+ u_int32 opcode; /* last request opcode */
associd_t assoc; /* peer association ID */
u_int32 crypto; /* peer status word */
EVP_PKEY *pkey; /* public key */
const EVP_MD *digest; /* message digest algorithm */
char *subject; /* certificate subject name */
char *issuer; /* certificate issuer name */
+ struct cert_info *xinfo; /* issuer certificate */
keyid_t pkeyid; /* previous key ID */
+ keyid_t hcookie; /* host cookie */
keyid_t pcookie; /* peer cookie */
const struct pkey_info *ident_pkey; /* identity key */
BIGNUM *iffval; /* identity challenge (IFF, GQ, MV) */
const BIGNUM *grpkey; /* identity challenge key (GQ) */
- struct value cookval; /* cookie values */
+ struct value cookval; /* receive cookie values */
struct value recval; /* receive autokey values */
struct exten *cmmd; /* extension pointer */
u_long refresh; /* next refresh epoch */
double delay; /* peer roundtrip delay */
double jitter; /* peer jitter (squares) */
double disp; /* peer dispersion */
- double estbdelay; /* clock offset to broadcast server */
/*
* Variables used to correct for packet length and asymmetry.
u_long sent; /* packets sent */
u_long received; /* packets received */
- u_long processed; /* packets processed by the protocol */
- u_long badauth; /* packets cryptosum failed */
- u_long bogusorg; /* packets bogus origin */
- u_long oldpkt; /* packets duplicate packet */
- u_long seldisptoolarge; /* packets dispersion too large */
- u_long selbroken; /* not used */
+ u_long processed; /* packets processed */
+ u_long badauth; /* bad authentication (TEST5) */
+ u_long bogusorg; /* bogus origin (TEST2, TEST3) */
+ u_long oldpkt; /* old duplicate (TEST1) */
+ u_long seldisptoolarge; /* bad header (TEST6, TEST7) */
+ u_long selbroken; /* KoD received */
};
/*
* Values for peer.flags
*/
#define FLAG_CONFIG 0x0001 /* association was configured */
-#define FLAG_AUTHENABLE 0x0002 /* authentication required */
+#define FLAG_PREEMPT 0x0002 /* preemptable association */
#define FLAG_AUTHENTIC 0x0004 /* last message was authentic */
-#define FLAG_SKEY 0x0008 /* autokey authentication */
-#define FLAG_MCAST 0x0010 /* multicast client mode */
-#define FLAG_REFCLOCK 0x0020 /* this is actually a reference clock */
-#define FLAG_SYSPEER 0x0040 /* this is one of the selected peers */
-#define FLAG_PREFER 0x0080 /* this is the preferred peer */
-#define FLAG_BURST 0x0100 /* burst mode */
-#define FLAG_IBURST 0x0200 /* initial burst mode */
-#define FLAG_NOSELECT 0x0400 /* never select */
-#define FLAG_ASSOC 0x0800 /* autokey request */
-#define FLAG_FIXPOLL 0x1000 /* stick at minpoll */
-#define FLAG_TRUE 0x2000 /* select truechimer */
-#define FLAG_PREEMPT 0x4000 /* preemptable association */
-#define FLAG_ASYM 0x8000 /* asymmetric delay compensation */
+#define FLAG_REFCLOCK 0x0008 /* this is actually a reference clock */
+#define FLAG_SYSPEER 0x0010 /* system peer */
+#define FLAG_PREFER 0x0020 /* prefer peer */
+#define FLAG_BURST 0x0040 /* burst mode */
+#define FLAG_FIXPOLL 0x0080 /* stick at minpoll */
+#define FLAG_IBURST 0x0100 /* initial burst mode */
+#define FLAG_NOSELECT 0x0200 /* never select */
+#define FLAG_TRUE 0x0400 /* force truechimer */
+#ifdef OPENSSL
+#define FLAG_SKEY 0x1000 /* autokey authentication */
+#define FLAG_ASSOC 0x2000 /* autokey request */
+#endif /* OPENSSL */
+
/*
* Definitions for the clear() routine. We use memset() to clear
* the parts of the peer structure which go to zero. These are
* System event codes
*/
#define EVNT_UNSPEC 0 /* unspecified */
-#define EVNT_SYSRESTART 1 /* system restart */
-#define EVNT_SYSFAULT 2 /* wsystem or hardware fault */
-#define EVNT_SYNCCHG 3 /* new leap or synch change */
-#define EVNT_PEERSTCHG 4 /* new source or stratum */
-#define EVNT_CLOCKRESET 5 /* clock reset */
-#define EVNT_BADDATETIM 6 /* invalid time or date */
-#define EVNT_CLOCKEXCPT 7 /* reference clock exception */
-
+#define EVNT_NSET 1 /* freq not set */
+#define EVNT_FSET 2 /* freq set */
+#define EVNT_SPIK 3 /* spike detect */
+#define EVNT_FREQ 4 /* freq mode */
+#define EVNT_SYNC 5 /* clock sync */
+#define EVNT_SYSRESTART 6 /* restart */
+#define EVNT_SYSFAULT 7 /* panic stop */
+#define EVNT_NOPEER 8 /* no sys peer */
+#define EVNT_ARMED 9 /* leap armed */
+#define EVNT_DISARMED 10 /* leap disarmed */
+#define EVNT_LEAP 11 /* leap event */
+#define EVNT_CLOCKRESET 12 /* clock step */
+#define EVNT_KERN 13 /* kernel event */
/*
* Peer event codes
*/
-#define EVNT_PEERIPERR (1 | PEER_EVENT) /* IP error */
-#define EVNT_PEERAUTH (2 | PEER_EVENT) /* authentication failure */
-#define EVNT_UNREACH (3 | PEER_EVENT) /* change to unreachable */
-#define EVNT_REACH (4 | PEER_EVENT) /* change to reachable */
-#define EVNT_PEERCLOCK (5 | PEER_EVENT) /* clock exception */
+#define PEVNT_MOBIL (1 | PEER_EVENT) /* mobilize */
+#define PEVNT_DEMOBIL (2 | PEER_EVENT) /* demobilize */
+#define PEVNT_UNREACH (3 | PEER_EVENT) /* unreachable */
+#define PEVNT_REACH (4 | PEER_EVENT) /* reachable */
+#define PEVNT_RESTART (5 | PEER_EVENT) /* restart */
+#define PEVNT_REPLY (6 | PEER_EVENT) /* no reply */
+#define PEVNT_RATE (7 | PEER_EVENT) /* rate exceeded */
+#define PEVNT_DENY (8 | PEER_EVENT) /* access denied */
+#define PEVNT_ARMED (9 | PEER_EVENT) /* leap armed */
+#define PEVNT_NEWPEER (10 | PEER_EVENT) /* sys peer*/
+#define PEVNT_CLOCK (11 | PEER_EVENT) /* clock event */
+#define PEVNT_AUTH (12 | PEER_EVENT) /* bad auth */
+#define PEVNT_POPCORN (13 | PEER_EVENT) /* popcorn */
/*
* Clock event codes
*/
#define CEVNT_NOMINAL 0 /* unspecified */
-#define CEVNT_TIMEOUT 1 /* poll timeout */
-#define CEVNT_BADREPLY 2 /* bad reply format */
-#define CEVNT_FAULT 3 /* hardware or software fault */
-#define CEVNT_PROP 4 /* propagation failure */
-#define CEVNT_BADDATE 5 /* bad date format or value */
-#define CEVNT_BADTIME 6 /* bad time format or value */
+#define CEVNT_TIMEOUT 1 /* no reply */
+#define CEVNT_BADREPLY 2 /* bad format */
+#define CEVNT_FAULT 3 /* fault */
+#define CEVNT_PROP 4 /* bad signal */
+#define CEVNT_BADDATE 5 /* bad date */
+#define CEVNT_BADTIME 6 /* bad time */
#define CEVNT_MAX CEVNT_BADTIME
/*
/*
* Opcodes
*/
-#define CTL_OP_UNSPEC 0
-#define CTL_OP_READSTAT 1
-#define CTL_OP_READVAR 2
-#define CTL_OP_WRITEVAR 3
-#define CTL_OP_READCLOCK 4
-#define CTL_OP_WRITECLOCK 5
-#define CTL_OP_SETTRAP 6
-#define CTL_OP_ASYNCMSG 7
-#define CTL_OP_CONFIGURE 8
-#define CTL_OP_UNSETTRAP 31
+#define CTL_OP_UNSPEC 0 /* unspeciffied */
+#define CTL_OP_READSTAT 1 /* read status */
+#define CTL_OP_READVAR 2 /* read variables */
+#define CTL_OP_WRITEVAR 3 /* write variables */
+#define CTL_OP_READCLOCK 4 /* read clock variables */
+#define CTL_OP_WRITECLOCK 5 /* write clock variables */
+#define CTL_OP_SETTRAP 6 /* set trap address */
+#define CTL_OP_ASYNCMSG 7 /* asynchronous message */
+#define CTL_OP_CONFIGURE 8 /* configuration message */
+#define CTL_OP_UNSETTRAP 31 /* unset trap */
/*
* {En,De}coding of the system status word
*/
-#define CTL_SST_TS_UNSPEC 0 /* time source unspecified */
-#define CTL_SST_TS_ATOM 1 /* time source calibrated atomic */
-#define CTL_SST_TS_LF 2 /* time source VLF or LF radio */
-#define CTL_SST_TS_HF 3 /* time source HF radio */
-#define CTL_SST_TS_UHF 4 /* time source UHF radio */
-#define CTL_SST_TS_LOCAL 5 /* time source LOCAL */
-#define CTL_SST_TS_NTP 6 /* time source NTP */
-#define CTL_SST_TS_UDPTIME 7 /* time source UDP/TIME */
-#define CTL_SST_TS_WRSTWTCH 8 /* time source is wristwatch */
-#define CTL_SST_TS_TELEPHONE 9 /* time source is telephone modem */
-#define CTL_SST_TS_PPS 0x20 /* time source is PPS signal */
+#define CTL_SST_TS_UNSPEC 0 /* unspec */
+#define CTL_SST_TS_ATOM 1 /* pps */
+#define CTL_SST_TS_LF 2 /* lf radio */
+#define CTL_SST_TS_HF 3 /* hf radio */
+#define CTL_SST_TS_UHF 4 /* uhf radio */
+#define CTL_SST_TS_LOCAL 5 /* local */
+#define CTL_SST_TS_NTP 6 /* ntp */
+#define CTL_SST_TS_UDPTIME 7 /* other */
+#define CTL_SST_TS_WRSTWTCH 8 /* wristwatch */
+#define CTL_SST_TS_TELEPHONE 9 /* telephone */
#define CTL_SYS_MAXEVENTS 15
#define CTL_PST_AUTHENABLE 0x40
#define CTL_PST_AUTHENTIC 0x20
#define CTL_PST_REACH 0x10
-#define CTL_PST_UNSPEC 0x08
+#define CTL_PST_BCAST 0x08
#define CTL_PST_SEL_REJECT 0 /* reject */
#define CTL_PST_SEL_SANE 1 /* x falsetick */
#define CTL_PST_SEL_CORRECT 2 /* . excess */
#define CTL_PST_SEL_SELCAND 3 /* - outlyer */
-#define CTL_PST_SEL_SYNCCAND 4 /* + candidat */
-#define CTL_PST_SEL_DISTSYSPEER 5 /* # selected */
+#define CTL_PST_SEL_SYNCCAND 4 /* + candidate */
+#define CTL_PST_SEL_EXCESS 5 /* # backup */
#define CTL_PST_SEL_SYSPEER 6 /* * sys.peer */
#define CTL_PST_SEL_PPS 7 /* o pps.peer */
#define CS_REFTIME 7
#define CS_POLL 8
#define CS_PEERID 9
-#define CS_STATE 10
-#define CS_OFFSET 11
-#define CS_DRIFT 12
-#define CS_JITTER 13
-#define CS_ERROR 14
-#define CS_CLOCK 15
-#define CS_PROCESSOR 16
-#define CS_SYSTEM 17
-#define CS_VERSION 18
-#define CS_STABIL 19
-#define CS_VARLIST 20
-#define CS_TAI 21
-#define CS_LEAPTAB 22
-#define CS_LEAPEND 23
+#define CS_OFFSET 10
+#define CS_DRIFT 11
+#define CS_JITTER 12
+#define CS_ERROR 13
+#define CS_CLOCK 14
+#define CS_PROCESSOR 15
+#define CS_SYSTEM 16
+#define CS_VERSION 17
+#define CS_STABIL 18
+#define CS_VARLIST 19
+#define CS_TAI 20
+#define CS_LEAPTAB 21
+#define CS_LEAPEND 22
+#define CS_RATE 23
#ifdef OPENSSL
#define CS_FLAGS 24
#define CS_HOST 25
#define CS_GROUP 30
#define CS_MAXCODE CS_GROUP
#else
-#define CS_MAXCODE CS_LEAPEND
+#define CS_MAXCODE CS_RATE
#endif /* OPENSSL */
/*
#define CP_VARLIST 37
#define CP_IN 38
#define CP_OUT 39
+#define CP_RATE 40
#ifdef OPENSSL
-#define CP_FLAGS 40
-#define CP_HOST 41
-#define CP_VALID 42
-#define CP_INITSEQ 43
-#define CP_INITKEY 44
-#define CP_INITTSP 45
-#define CP_DIGEST 46
+#define CP_FLAGS 41
+#define CP_HOST 42
+#define CP_VALID 43
+#define CP_INITSEQ 44
+#define CP_INITKEY 45
+#define CP_INITTSP 46
+#define CP_DIGEST 47
#define CP_MAXCODE CP_DIGEST
#else
-#define CP_MAXCODE CP_OUT
+#define CP_MAXCODE CP_RATE
#endif /* OPENSSL */
/*
* The following bits are used by the client during the protocol
* exchange.
*/
-#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
+#define CRYPTO_FLAG_CERT 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV 0x0400 /* signature verified */
-#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
+#define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */
#define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */
-#define CRYPTO_FLAG_LEAP 0x4000 /* leapseconds table verified */
+#define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */
+#define CRYPTO_FLAG_ALL 0x7f00 /* all mask */
/*
* Flags used for certificate management
#define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */
#define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */
#define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */
-#define CRYPTO_TAI CRYPTO_CMD(5) /* leapsecond values */
+#define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */
#define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */
#define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */
#define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */
#define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */
#define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */
#define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */
-#define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds table */
+#define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */
#define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */
#define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */
#define XEVNT_ERR XEVNT_CMD(15) /* protocol error */
-#define XEVNT_SRV XEVNT_CMD(16) /* server certificate expired */
/*
* Miscellaneous crypto stuff
*/
#define NTP_MAXSESSION 100 /* maximum session key list entries */
-#define NTP_AUTOMAX 3600 /* default max session key lifetime */
-#define KEY_REVOKE 86400 /* default key revoke timeout */
-#define NTP_MAXEXTEN 1024 /* maximum extension field size */
-#define NTP_REFRESH (7 * 86400) /* refresh interval */
+#define NTP_MAXEXTEN 1024 /* maximum extension field size */
+#define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */
+#define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */
+#define NTP_REFRESH 19 /* default restart timeout (log2 s) */
+#define NTP_MAXKEY 65535 /* maximum symmetric key ID */
/*
* The autokey structure holds the values used to authenticate key IDs.
extern void init_logging (char const *, int);
extern void setup_logfile (void);
extern void process_control (struct recvbuf *, int);
-extern void report_event (int, struct peer *);
+extern void report_event (int, struct peer *, const char *);
/* ntp_control.c */
/*
#endif
/* ntp_loopfilter.c */
-extern void init_loopfilter (void);
-extern int local_clock (struct peer *, u_long, double);
-extern void adj_host_clock (void);
-extern void loop_config (int, double);
-extern void huffpuff (void);
+extern void init_loopfilter(void);
+extern int local_clock(struct peer *, u_long, double);
+extern void adj_host_clock(void);
+extern void loop_config(int, double);
+extern void huffpuff(void);
extern u_long sys_clocktime;
extern u_int sys_tai;
-extern int clock_stepcnt;
/* ntp_monitor.c */
extern void init_mon (void);
extern void refresh_all_peerinterfaces (void);
extern void unpeer (struct peer *);
extern void clear_all (void);
-
-#ifdef OPENSSL
-extern void expire_all (void);
-#endif /* OPENSSL */
+extern int score_all (struct peer *);
extern struct peer *findmanycastpeer (struct recvbuf *);
/* ntp_crypto.c */
#ifdef OPENSSL
extern int crypto_recv (struct peer *, struct recvbuf *);
-extern int crypto_xmit (struct pkt *, struct sockaddr_storage *,
- int *, struct exten *, keyid_t);
+extern int crypto_xmit (struct peer *, struct pkt *,
+ struct recvbuf *, int *,
+ struct exten *, keyid_t);
extern keyid_t session_key (struct sockaddr_storage *,
struct sockaddr_storage *, keyid_t,
keyid_t, u_long);
extern void write_stats (void);
extern void stats_config (int, const char *);
extern void record_peer_stats (struct sockaddr_storage *, int, double, double, double, double);
+extern void record_proto_stats (char *);
extern void record_loop_stats (double, double, double, double, int);
extern void record_clock_stats (struct sockaddr_storage *, const char *);
extern void record_raw_stats (struct sockaddr_storage *, struct sockaddr_storage *, l_fp *, l_fp *, l_fp *, l_fp *);
-extern void record_sys_stats (void);
extern u_long leap_month(u_long);
extern void record_crypto_stats (struct sockaddr_storage *, const char *);
#ifdef DEBUG
extern double old_drift;
extern int drift_file_sw;
extern double wander_threshold;
+extern double wander_resid;
+
/*
* Variable declarations for ntpd.
*/
-
/* ntp_config.c */
extern char const * progname;
extern char *sys_phone[]; /* ACTS phone numbers */
extern double clock_phi; /* dispersion rate (s/s) */
extern double clock_minstep; /* step timeout (s) */
extern double clock_codec; /* codec frequency */
-extern u_long pps_control; /* last pps sample time */
#ifdef KERNEL_PLL
extern int pll_status; /* status bits for kernel pll */
#endif /* KERNEL_PLL */
/*
* Statistics counters
*/
-extern u_long sys_stattime; /* time when we started recording */
+extern u_long sys_stattime; /* time since reset */
+extern u_long sys_received; /* packets received */
+extern u_long sys_processed; /* packets for this host */
extern u_long sys_restricted; /* restricted packets */
-extern u_long sys_oldversion; /* old version packets */
-extern u_long sys_newversion; /* new version packets */
-extern u_long sys_declined; /* packets declined */
+extern u_long sys_newversion; /* current version */
+extern u_long sys_oldversion; /* old version */
+extern u_long sys_restricted; /* access denied */
extern u_long sys_badlength; /* bad length or format */
-extern u_long sys_processed; /* packets for this host */
extern u_long sys_badauth; /* bad authentication */
-extern u_long sys_limitrejected; /* rate limit exceeded */
-extern u_long sys_received; /* packets received */
+extern u_long sys_declined; /* declined */
+extern u_long sys_limitrejected; /* rate exceeded */
extern u_long sys_kodsent; /* KoD sent */
/* ntp_refclock.c */
/* ntp_restrict.c */
extern struct restrictlist *restrictlist; /* the ipv4 restriction list */
extern struct restrictlist6 *restrictlist6; /* the ipv6 restriction list */
-extern int res_min_interval;
+extern int ntp_minpkt;
extern int ntp_minpoll;
extern int mon_age; /* monitor preempt age */
};
/*
- * Leap values
+ * Leap status (leap)
*/
static
struct codestring leap_codes[] = {
{ LEAP_NOWARNING, "leap_none" },
{ LEAP_ADDSECOND, "leap_add_sec" },
{ LEAP_DELSECOND, "leap_del_sec" },
- { LEAP_NOTINSYNC, "sync_alarm" },
- { -1, "leap" }
+ { LEAP_NOTINSYNC, "leap_alarm" },
+ { -1, "leap" }
};
/*
- * Clock source
+ * Clock source status (sync)
*/
static
struct codestring sync_codes[] = {
{ CTL_SST_TS_UNSPEC, "sync_unspec" },
- { CTL_SST_TS_ATOM, "sync_atomic" },
- { CTL_SST_TS_LF, "sync_lf_clock" },
- { CTL_SST_TS_HF, "sync_hf_clock" },
- { CTL_SST_TS_UHF, "sync_uhf_clock" },
- { CTL_SST_TS_LOCAL, "sync_local_proto" },
+ { CTL_SST_TS_ATOM, "sync_pps" },
+ { CTL_SST_TS_LF, "sync_lf_radio" },
+ { CTL_SST_TS_HF, "sync_hf_radio" },
+ { CTL_SST_TS_UHF, "sync_uhf_radio" },
+ { CTL_SST_TS_LOCAL, "sync_local" },
{ CTL_SST_TS_NTP, "sync_ntp" },
- { CTL_SST_TS_UDPTIME, "sync_udp/time" },
+ { CTL_SST_TS_UDPTIME, "sync_other" },
{ CTL_SST_TS_WRSTWTCH, "sync_wristwatch" },
{ CTL_SST_TS_TELEPHONE, "sync_telephone" },
{ -1, "sync" }
};
-
/*
- * Peer selection
+ * Peer selection status (sel)
*/
static
struct codestring select_codes[] = {
- { CTL_PST_SEL_REJECT, "selreject" },
+ { CTL_PST_SEL_REJECT, "sel_reject" },
{ CTL_PST_SEL_SANE, "sel_falsetick" },
{ CTL_PST_SEL_CORRECT, "sel_excess" },
{ CTL_PST_SEL_SELCAND, "sel_outlyer" },
- { CTL_PST_SEL_SYNCCAND, "sel_candidat" },
- { CTL_PST_SEL_DISTSYSPEER, "sel_selected" },
+ { CTL_PST_SEL_SYNCCAND, "sel_candidate" },
+ { CTL_PST_SEL_EXCESS, "sel_backup" },
{ CTL_PST_SEL_SYSPEER, "sel_sys.peer" },
{ CTL_PST_SEL_PPS, "sel_pps.peer" },
{ -1, "sel" }
};
-
/*
- * Clock status
+ * Clock status (clk)
*/
static
struct codestring clock_codes[] = {
- { CTL_CLK_OKAY, "clk_okay" },
- { CTL_CLK_NOREPLY, "clk_noreply" },
- { CTL_CLK_BADFORMAT, "clk_badformat" },
+ { CTL_CLK_OKAY, "clk_unspec" },
+ { CTL_CLK_NOREPLY, "clk_no_reply" },
+ { CTL_CLK_BADFORMAT, "clk_bad_format" },
{ CTL_CLK_FAULT, "clk_fault" },
- { CTL_CLK_PROPAGATION, "clk_badsignal" },
- { CTL_CLK_BADDATE, "clk_baddate" },
- { CTL_CLK_BADTIME, "clk_badtime" },
+ { CTL_CLK_PROPAGATION, "clk_bad_signal" },
+ { CTL_CLK_BADDATE, "clk_bad_date" },
+ { CTL_CLK_BADTIME, "clk_bad_time" },
{ -1, "clk" }
};
+/*
+ * Flash bits
+ */
+static
+struct codestring flash_codes[] = {
+ { TEST1, "pkt_dup" },
+ { TEST2, "pkt_bogus" },
+ { TEST3, "pkt_unsync" },
+ { TEST4, "pkt_denied" },
+ { TEST5, "pkt_auth" },
+ { TEST6, "pkt_stratum" },
+ { TEST7, "pkt_header" },
+ { TEST8, "pkt_autokey" },
+ { TEST9, "pkt_crypto" },
+ { TEST10, "peer_stratum" },
+ { TEST11, "peer_dist" },
+ { TEST12, "peer_loop" },
+ { TEST13, "peer_unreach" },
+ { -1, "flash" }
+};
/*
- * System Events
+ * System events (sys)
*/
static
struct codestring sys_codes[] = {
- { EVNT_UNSPEC, "event_unspec" },
- { EVNT_SYSRESTART, "event_restart" },
- { EVNT_SYSFAULT, "event_fault" },
- { EVNT_SYNCCHG, "event_sync_chg" },
- { EVNT_PEERSTCHG, "event_peer/strat_chg" },
- { EVNT_CLOCKRESET, "event_clock_reset" },
- { EVNT_BADDATETIM, "event_bad_date" },
- { EVNT_CLOCKEXCPT, "event_clock_excptn" },
- { -1, "event" }
+ { EVNT_UNSPEC, "unspecified" },
+ { EVNT_NSET, "freq_not_set" },
+ { EVNT_FSET, "freq_set" },
+ { EVNT_SPIK, "spike_detect" },
+ { EVNT_FREQ, "freq_mode" },
+ { EVNT_SYNC, "clock_sync" },
+ { EVNT_SYSRESTART, "restart" },
+ { EVNT_SYSFAULT, "panic_stop" },
+ { EVNT_NOPEER, "no_sys_peer" },
+ { EVNT_ARMED, "leap_armed" },
+ { EVNT_DISARMED, "leap_disarmed" },
+ { EVNT_LEAP, "leap_event" },
+ { EVNT_CLOCKRESET, "clock_step" },
+ { EVNT_KERN, "kern" },
+ { -1, "" }
};
/*
- * Peer events
+ * Peer events (peer)
*/
static
struct codestring peer_codes[] = {
- { EVNT_UNSPEC, "event_unspec" },
- { EVNT_PEERIPERR & ~PEER_EVENT, "event_ip_err" },
- { EVNT_PEERAUTH & ~PEER_EVENT, "event_authen" },
- { EVNT_UNREACH & ~PEER_EVENT, "event_unreach" },
- { EVNT_REACH & ~PEER_EVENT, "event_reach" },
- { EVNT_PEERCLOCK & ~PEER_EVENT, "event_peer_clock" },
-#if 0
- { EVNT_PEERSTRAT & ~PEER_EVENT, "event_stratum_chg" },
-#endif
- { -1, "event" }
+ { PEVNT_MOBIL & ~PEER_EVENT, "mobilize" },
+ { PEVNT_DEMOBIL & ~PEER_EVENT, "demobilize" },
+ { PEVNT_UNREACH & ~PEER_EVENT, "unreachable" },
+ { PEVNT_REACH & ~PEER_EVENT, "reachable" },
+ { PEVNT_RESTART & ~PEER_EVENT, "restart" },
+ { PEVNT_REPLY & ~PEER_EVENT, "no_reply" },
+ { PEVNT_RATE & ~PEER_EVENT, "rate_exceeded" },
+ { PEVNT_DENY & ~PEER_EVENT, "access_denied" },
+ { PEVNT_ARMED & ~PEER_EVENT, "leap_armed" },
+ { PEVNT_NEWPEER & ~PEER_EVENT, "sys_peer" },
+ { PEVNT_CLOCK & ~PEER_EVENT, "clock" },
+ { PEVNT_AUTH & ~PEER_EVENT, "bad_auth" },
+ { PEVNT_POPCORN & ~PEER_EVENT, "popcorn" },
+ { -1, "" }
};
#ifdef OPENSSL
/*
- * Crypto events
+ * Crypto events (cryp)
*/
static
struct codestring crypto_codes[] = {
{ XEVNT_SGL & ~CRPT_EVENT, "bad_signature_length" },
{ XEVNT_SIG & ~CRPT_EVENT, "signature_not_verified" },
{ XEVNT_VFY & ~CRPT_EVENT, "certificate_not_verified" },
- { XEVNT_PER & ~CRPT_EVENT, "host certificate_expired" },
+ { XEVNT_PER & ~CRPT_EVENT, "host_certificate_expired" },
{ XEVNT_CKY & ~CRPT_EVENT, "bad_or_missing_cookie" },
- { XEVNT_DAT & ~CRPT_EVENT, "bad_or_missing_leapsecond_table" },
+ { XEVNT_DAT & ~CRPT_EVENT, "bad_or_missing_leapseconds" },
{ XEVNT_CRT & ~CRPT_EVENT, "bad_or_missing_certificate" },
- { XEVNT_ID & ~CRPT_EVENT, "bad_or_missing_group_key" },
+ { XEVNT_ID & ~CRPT_EVENT, "bad_or_missing_group key" },
{ XEVNT_ERR & ~CRPT_EVENT, "protocol_error" },
- { XEVNT_SRV & ~CRPT_EVENT, "server_certificate_expired" },
- { -1, "crypto" }
+ { -1, "" }
};
#endif /* OPENSSL */
switch (type) {
case TYPE_SYS:
- (void)strcpy(cb, getcode(CTL_SYS_LI(st), leap_codes));
- (void)strcat(cb, ", ");
- (void)strcat(cb, getcode(CTL_SYS_SOURCE(st) & ~CTL_SST_TS_PPS, sync_codes));
- if (CTL_SYS_SOURCE(st) & CTL_SST_TS_PPS)
- (void)strcat(cb, "/PPS");
- (void)strcat(cb, ", ");
- (void)strcat(cb, getevents(CTL_SYS_NEVNT(st)));
- (void)strcat(cb, ", ");
- (void)strcat(cb, getcode(CTL_SYS_EVENT(st), sys_codes));
+ strcpy(cb, getcode(CTL_SYS_LI(st), leap_codes));
+ strcat(cb, ", ");
+ strcat(cb, getcode(CTL_SYS_SOURCE(st), sync_codes));
+ strcat(cb, ", ");
+ strcat(cb, getevents(CTL_SYS_NEVNT(st)));
+ strcat(cb, ", ");
+ strcat(cb, getcode(CTL_SYS_EVENT(st), sys_codes));
break;
case TYPE_PEER:
+
/*
* Handcraft the bits
*/
pst = (u_char) CTL_PEER_STATVAL(st);
- if (!(pst & CTL_PST_REACH)) {
- (void)strcpy(cb, "unreach");
- } else {
- (void)strcpy(cb, "reach");
-
- }
if (pst & CTL_PST_CONFIG)
- (void)strcat(cb, ", conf");
+ strcpy(cb, "conf");
if (pst & CTL_PST_AUTHENABLE) {
- if (!(pst & CTL_PST_REACH) || (pst & CTL_PST_AUTHENTIC))
- (void)strcat(cb, ", auth");
+ if (pst & CTL_PST_CONFIG)
+ strcat(cb, ", authenb");
+ else
+ strcat(cb, "authenb");
+ }
+ if (pst & CTL_PST_AUTHENTIC) {
+ if (pst & (CTL_PST_CONFIG | CTL_PST_AUTHENABLE))
+ strcat(cb, ", auth");
+ else
+ strcat(cb, "auth");
+ }
+ if (pst & CTL_PST_REACH) {
+ if (pst & (CTL_PST_CONFIG | CTL_PST_AUTHENABLE |
+ CTL_PST_AUTHENTIC))
+ strcat(cb, ", reach");
+ else
+ strcat(cb, "reach");
+ }
+ if (pst & CTL_PST_BCAST) {
+ if (pst & (CTL_PST_CONFIG | CTL_PST_AUTHENABLE |
+ CTL_PST_AUTHENTIC | CTL_PST_REACH))
+ strcat(cb, ", bcst");
else
- (void)strcat(cb, ", unauth");
+ strcat(cb, "bcst");
}
/*
* Now the codes
*/
- if ((pst & 0x7) != CTL_PST_SEL_REJECT) {
- (void)strcat(cb, ", ");
- (void)strcat(cb, getcode(pst & 0x7, select_codes));
- }
- (void)strcat(cb, ", ");
- (void)strcat(cb, getevents(CTL_PEER_NEVNT(st)));
+ strcat(cb, ", ");
+ strcat(cb, getcode(pst & 0x7, select_codes));
+ strcat(cb, ", ");
+ strcat(cb, getevents(CTL_PEER_NEVNT(st)));
if (CTL_PEER_EVENT(st) != EVNT_UNSPEC) {
- (void)strcat(cb, ", ");
- (void)strcat(cb, getcode(CTL_PEER_EVENT(st),
- peer_codes));
+ strcat(cb, ", ");
+ strcat(cb, getcode(CTL_PEER_EVENT(st),
+ peer_codes));
}
break;
case TYPE_CLOCK:
- (void)strcpy(cb, getcode(((st)>>8) & 0xff, clock_codes));
- (void)strcat(cb, ", last_");
- (void)strcat(cb, getcode((st) & 0xff, clock_codes));
+ strcat(cb, ", ");
+ strcat(cb, getevents(CTL_SYS_NEVNT(st)));
+ strcat(cb, ", ");
+ strcat(cb, getcode((st) & 0xf, clock_codes));
break;
}
return cb;
{
return getcode(num, clock_codes);
}
-
-const char *
-sysstatstr(
- int status
- )
-{
- return statustoa(TYPE_SYS, status);
-}
-
-const char *
-peerstatstr(
- int status
- )
-{
- return statustoa(TYPE_PEER, status);
-}
-
-const char *
-clockstatstr(
- int status
- )
-{
- return statustoa(TYPE_CLOCK, status);
-}
break;
case T_Key:
my_node->peerkey = my_val->value.i;
- my_node->peerflags |= FLAG_AUTHENABLE;
break;
case T_Version:
my_node->peerversion = my_val->value.i;
{ "peerstats", T_Peerstats, NO_ARG },
{ "rawstats", T_Rawstats, NO_ARG },
{ "sysstats", T_Sysstats, NO_ARG },
+ { "protostats", T_Protostats, NO_ARG },
/* filegen_option */
{ "disable", T_Disable, NO_ARG },
{ "enable", T_Enable, NO_ARG },
{ "beacon", T_Beacon, NO_ARG },
{ "orphan", T_Orphan, NO_ARG },
/* access_control_flag */
+ { "flake", T_Flake, NO_ARG },
{ "ignore", T_Ignore, NO_ARG },
{ "limited", T_Limited, NO_ARG },
{ "kod", T_Kod, NO_ARG },
ntp_minpoll = my_opt->value.i;
break;
case T_Minimum:
- res_min_interval = 1 << my_opt->value.i;
+ ntp_minpkt = my_opt->value.i;
break;
case T_Monitor:
mon_age = my_opt->value.i;
static void
config_ntpd(void)
{
+ config_monitor();
config_auth();
config_tos();
- config_monitor();
config_access();
config_tinker();
config_system_opts();
{ CS_ROOTDISPERSION, RO, "rootdisp" }, /* 5 */
{ CS_REFID, RO, "refid" }, /* 6 */
{ CS_REFTIME, RO, "reftime" }, /* 7 */
- { CS_POLL, RO, "poll" }, /* 8 */
+ { CS_POLL, RO, "tc" }, /* 8 */
{ CS_PEERID, RO, "peer" }, /* 9 */
- { CS_STATE, RO, "state" }, /* 10 */
- { CS_OFFSET, RO, "offset" }, /* 11 */
- { CS_DRIFT, RO, "frequency" }, /* 12 */
- { CS_JITTER, RO, "jitter" }, /* 13 */
- { CS_ERROR, RO, "noise" }, /* 14 */
- { CS_CLOCK, RO, "clock" }, /* 15 */
- { CS_PROCESSOR, RO, "processor" }, /* 16 */
- { CS_SYSTEM, RO, "system" }, /* 17 */
- { CS_VERSION, RO, "version" }, /* 18 */
- { CS_STABIL, RO, "stability" }, /* 19 */
- { CS_VARLIST, RO, "sys_var_list" }, /* 20 */
- { CS_TAI, RO, "tai" }, /* 21 */
- { CS_LEAPTAB, RO, "leapsec" }, /* 22 */
- { CS_LEAPEND, RO, "expire" }, /* 23 */
+ { CS_OFFSET, RO, "offset" }, /* 10 */
+ { CS_DRIFT, RO, "frequency" }, /* 11 */
+ { CS_JITTER, RO, "sys_jitter" }, /* 12 */
+ { CS_ERROR, RO, "clk_jitter" }, /* 13 */
+ { CS_CLOCK, RO, "clock" }, /* 14 */
+ { CS_PROCESSOR, RO, "processor" }, /* 15 */
+ { CS_SYSTEM, RO, "system" }, /* 16 */
+ { CS_VERSION, RO, "version" }, /* 17 */
+ { CS_STABIL, RO, "clk_wander" }, /* 18 */
+ { CS_VARLIST, RO, "sys_var_list" }, /* 19 */
+ { CS_TAI, RO, "tai" }, /* 20 */
+ { CS_LEAPTAB, RO, "leapsec" }, /* 21 */
+ { CS_LEAPEND, RO, "expire" }, /* 22 */
+ { CS_RATE, RO, "mintc" }, /* 23 */
#ifdef OPENSSL
{ CS_FLAGS, RO, "flags" }, /* 24 */
{ CS_HOST, RO, "host" }, /* 25 */
CS_PRECISION,
CS_ROOTDELAY,
CS_ROOTDISPERSION,
- CS_PEERID,
CS_REFID,
CS_REFTIME,
- CS_POLL,
CS_CLOCK,
- CS_STATE,
+ CS_PEERID,
+ CS_POLL,
+ CS_RATE,
CS_OFFSET,
CS_DRIFT,
CS_JITTER,
{ CP_VARLIST, RO, "peer_var_list" }, /* 37 */
{ CP_IN, RO, "in" }, /* 38 */
{ CP_OUT, RO, "out" }, /* 39 */
+ { CP_RATE, RO, "headway" }, /* 40 */
#ifdef OPENSSL
- { CP_FLAGS, RO, "flags" }, /* 40 */
- { CP_HOST, RO, "host" }, /* 41 */
- { CP_VALID, RO, "valid" }, /* 42 */
- { CP_INITSEQ, RO, "initsequence" }, /* 43 */
- { CP_INITKEY, RO, "initkey" }, /* 44 */
- { CP_INITTSP, RO, "timestamp" }, /* 45 */
- { CP_DIGEST, RO, "signature" }, /* 46 */
+ { CP_FLAGS, RO, "flags" }, /* 41 */
+ { CP_HOST, RO, "host" }, /* 42 */
+ { CP_VALID, RO, "valid" }, /* 43 */
+ { CP_INITSEQ, RO, "initsequence" }, /* 44 */
+ { CP_INITKEY, RO, "initkey" }, /* 45 */
+ { CP_INITTSP, RO, "timestamp" }, /* 46 */
+ { CP_DIGEST, RO, "signature" }, /* 47 */
#endif /* OPENSSL */
- { 0, EOV, "" } /* 40/47 */
+ { 0, EOV, "" } /* 41/48 */
};
CP_ROOTDELAY,
CP_ROOTDISPERSION,
CP_REFID,
+ CP_REFTIME,
+ CP_REC,
CP_REACH,
CP_UNREACH,
CP_HMODE,
CP_PMODE,
CP_HPOLL,
CP_PPOLL,
+ CP_RATE,
CP_FLASH,
CP_KEYID,
CP_TTL,
CP_DELAY,
CP_DISPERSION,
CP_JITTER,
- CP_REFTIME,
- CP_ORG,
- CP_REC,
- CP_XMT,
CP_FILTDELAY,
CP_FILTOFFSET,
CP_FILTERROR,
register struct peer *peer
)
{
- register u_short status;
+ u_short status;
status = peer->status;
- if (peer->flags & FLAG_CONFIG)
+ if (!(peer->flags & FLAG_PREEMPT))
status |= CTL_PST_CONFIG;
- if (peer->flags & FLAG_AUTHENABLE)
+ if (peer->keyid != 0)
status |= CTL_PST_AUTHENABLE;
if (peer->flags & FLAG_AUTHENTIC)
status |= CTL_PST_AUTHENTIC;
if (peer->reach != 0)
status |= CTL_PST_REACH;
+ if (peer->cast_flags & (MDF_BCAST | MDF_MCAST | MDF_ACAST))
+ status |= CTL_PST_BCAST;
return (u_short)CTL_PEER_STATUS(status, peer->num_events,
- peer->last_event);
+ peer->last_event);
}
struct refclockstat *this_clock
)
{
- return ((u_short)(((this_clock->currentstatus) << 8) |
- (this_clock->lastevent)));
+ return (u_short)CTL_PEER_STATUS(0, this_clock->lastevent,
+ this_clock->currentstatus);
}
#endif
if (sys_peer != 0) {
if (sys_peer->sstclktype != CTL_SST_TS_UNSPEC) {
this_clock = sys_peer->sstclktype;
- if (pps_control)
- this_clock |= CTL_SST_TS_PPS;
} else {
if (sys_peer->refclktype < sizeof(clocktypes))
this_clock =
clocktypes[sys_peer->refclktype];
- if (pps_control)
- this_clock |= CTL_SST_TS_PPS;
}
}
+#else /* REFCLOCK */
+ if (sys_peer != 0)
+ this_clock = CTL_SST_TS_NTP;
#endif /* REFCLOCK */
return (u_short)CTL_SYS_STATUS(sys_leap, this_clock,
- ctl_sys_num_events, ctl_sys_last_event);
+ ctl_sys_num_events, ctl_sys_last_event);
}
sys_peer->associd);
break;
- case CS_STATE:
- ctl_putuint(sys_var[CS_STATE].text, (unsigned)state);
- break;
-
case CS_OFFSET:
ctl_putdbl(sys_var[CS_OFFSET].text, last_offset * 1e3);
break;
leap_expire);
break;
+ case CS_RATE:
+ ctl_putuint(sys_var[CS_RATE].text, ntp_minpoll);
+ break;
+
#ifdef OPENSSL
case CS_FLAGS:
if (crypto_flags)
break;
case CS_PUBLIC:
- if (hostval.fstamp != 0)
+ if (hostval.tstamp != 0)
ctl_putfs(sys_var[CS_PUBLIC].text,
ntohl(hostval.tstamp));
break;
case CP_CONFIG:
ctl_putuint(peer_var[CP_CONFIG].text,
- (unsigned)((peer->flags & FLAG_CONFIG) != 0));
+ (unsigned)((peer->flags & FLAG_PREEMPT) == 0));
break;
case CP_AUTHENABLE:
ctl_putuint(peer_var[CP_AUTHENABLE].text,
- (unsigned)((peer->flags & FLAG_AUTHENABLE) != 0));
+ (unsigned)(peer->keyid != 0));
break;
case CP_AUTHENTIC:
ctl_putuint(peer_var[CP_AUTHENTIC].text,
- (unsigned)((peer->flags & FLAG_AUTHENTIC) != 0));
+ (unsigned)((peer->flags & FLAG_AUTHENTIC) != 0));
break;
case CP_SRCADR:
ctl_putadr(peer_var[CP_SRCADR].text, 0,
- &peer->srcadr);
+ &peer->srcadr);
break;
case CP_SRCPORT:
ctl_putuint(peer_var[CP_SRCPORT].text,
- ntohs(((struct sockaddr_in*)&peer->srcadr)->sin_port));
+ ntohs(((struct sockaddr_in*)&peer->srcadr)->sin_port));
break;
case CP_DSTADR:
ntohs(((struct sockaddr_in*)&peer->dstadr->sin)->sin_port) : 0));
break;
- case CP_OUT:
+ case CP_IN:
if (peer->r21 > 0)
ctl_putdbl(peer_var[CP_IN].text,
peer->r21 / 1e3);
break;
- case CP_IN:
+ case CP_OUT:
if (peer->r34 >0)
ctl_putdbl(peer_var[CP_OUT].text,
peer->r34 / 1e3);
break;
+ case CP_RATE:
+ ctl_putuint(peer_var[CP_RATE].text, peer->throttle);
+ break;
+
case CP_LEAP:
ctl_putuint(peer_var[CP_LEAP].text, peer->leap);
break;
break;
case CP_TTL:
- ctl_putint(peer_var[CP_TTL].text, sys_ttl[peer->ttl]);
+ if (peer->ttl > 0)
+ ctl_putint(peer_var[CP_TTL].text,
+ sys_ttl[peer->ttl]);
break;
case CP_UNREACH:
case CP_TIMER:
ctl_putuint(peer_var[CP_TIMER].text,
- peer->nextdate - current_time);
+ peer->nextdate - current_time);
break;
case CP_DELAY:
case CP_OFFSET:
ctl_putdbl(peer_var[CP_OFFSET].text, peer->offset *
- 1e3);
+ 1e3);
break;
case CP_JITTER:
case CP_DISPERSION:
ctl_putdbl(peer_var[CP_DISPERSION].text, peer->disp *
- 1e3);
+ 1e3);
break;
case CP_KEYID:
if (peer->keyid > NTP_MAXKEY)
ctl_puthex(peer_var[CP_KEYID].text, peer->keyid);
else
- ctl_putuint(peer_var[CP_KEYID].text, peer->keyid);
+ ctl_putuint(peer_var[CP_KEYID].text,
+ peer->keyid);
break;
case CP_FILTDELAY:
ctl_putarray(peer_var[CP_FILTDELAY].text,
- peer->filter_delay, (int)peer->filter_nextpt);
+ peer->filter_delay, (int)peer->filter_nextpt);
break;
case CP_FILTOFFSET:
ctl_putarray(peer_var[CP_FILTOFFSET].text,
- peer->filter_offset, (int)peer->filter_nextpt);
+ peer->filter_offset, (int)peer->filter_nextpt);
break;
case CP_FILTERROR:
ctl_putarray(peer_var[CP_FILTERROR].text,
- peer->filter_disp, (int)peer->filter_nextpt);
+ peer->filter_disp, (int)peer->filter_nextpt);
break;
case CP_PMODE:
*/
void
report_event(
- int err,
- struct peer *peer
+ int err, /* error code */
+ struct peer *peer, /* peer structure pointer */
+ const char *str /* protostats string */
)
{
- register int i;
+ char statstr[NTP_MAXSTRLEN];
+ int i;
/*
* Record error code in proper spots, but have mercy on the
* log file.
*/
- if (!(err & (PEER_EVENT | CRPT_EVENT))) {
+ if (peer == NULL) {
if (ctl_sys_num_events < CTL_SYS_MAXEVENTS)
ctl_sys_num_events++;
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "0.0.0.0 %04x %02x system event: %s",
+ ctlsysstatus(), err, eventstr(err));
+ if (str != NULL) {
+ strcat(statstr, " ");
+ strcat(statstr, str);
+ }
if (ctl_sys_last_event != (u_char)err) {
NLOG(NLOG_SYSEVENT)
- msyslog(LOG_INFO, "system event '%s' (0x%02x) status '%s' (0x%02x)",
- eventstr(err), err,
- sysstatstr(ctlsysstatus()), ctlsysstatus());
-#ifdef DEBUG
- if (debug)
- printf("report_event: system event '%s' (0x%02x) status '%s' (0x%02x)\n",
- eventstr(err), err,
- sysstatstr(ctlsysstatus()),
- ctlsysstatus());
-#endif
+ msyslog(LOG_INFO, statstr);
ctl_sys_last_event = (u_char)err;
}
- } else if (peer != 0) {
+ } else {
char *src;
#ifdef REFCLOCK
else
#endif
src = stoa(&peer->srcadr);
-
peer->last_event = (u_char)(err & ~PEER_EVENT);
if (peer->num_events < CTL_PEER_MAXEVENTS)
peer->num_events++;
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "%s %04x %02x peer event: %s", src,
+ ctlpeerstatus(peer), err, eventstr(err));
+ if (str != NULL) {
+ strcat(statstr, " ");
+ strcat(statstr, str);
+ }
NLOG(NLOG_PEEREVENT)
- msyslog(LOG_INFO, "peer %s event '%s' (0x%02x) status '%s' (0x%02x)",
- src, eventstr(err), err,
- peerstatstr(ctlpeerstatus(peer)),
- ctlpeerstatus(peer));
-#ifdef DEBUG
- if (debug)
- printf( "peer %s event '%s' (0x%02x) status '%s' (0x%02x)\n",
- src, eventstr(err), err,
- peerstatstr(ctlpeerstatus(peer)),
- ctlpeerstatus(peer));
-#endif
- } else {
- msyslog(LOG_ERR,
- "report_event: err '%s' (0x%02x), no peer",
- eventstr(err), err);
-#ifdef DEBUG
- printf(
- "report_event: peer event '%s' (0x%02x), no peer\n",
- eventstr(err), err);
-#endif
- return;
+ msyslog(LOG_INFO, statstr);
}
+ record_proto_stats(statstr);
+#if DEBUG
+ if (debug)
+ printf("event at %lu %s\n", current_time, statstr);
+#endif
/*
* If no trappers, return.
#endif /* OPENSSL */
ctl_putsys(i);
}
-#ifdef REFCLOCK
- /*
- * for clock exception events: add clock variables to
- * reflect info on exception
- */
- if (err == EVNT_CLOCKEXCPT) {
- struct refclockstat clock_stat;
- struct ctl_var *kv;
-
- clock_stat.kv_list = (struct ctl_var *)0;
- refclock_control(&peer->srcadr,
- (struct refclockstat *)0, &clock_stat);
- ctl_puthex("refclockstatus",
- ctlclkstatus(&clock_stat));
- for (i = 1; i <= CC_MAXCODE; i++)
- ctl_putclock(i, &clock_stat, 0);
- for (kv = clock_stat.kv_list; kv &&
- !(kv->flags & EOV); kv++)
- if (kv->flags & DEF)
- ctl_putdata(kv->text,
- strlen(kv->text), 0);
- free_varlist(clock_stat.kv_list);
- }
-#endif /* REFCLOCK */
} else {
rpkt.associd = htons(peer->associd);
rpkt.status = htons(ctlpeerstatus(peer));
* for clock exception events: add clock variables to
* reflect info on exception
*/
- if (err == EVNT_PEERCLOCK) {
+ if (err == PEVNT_CLOCK) {
struct refclockstat clock_stat;
struct ctl_var *kv;
* dim only when the association is demobilized.
*
* CRYPTO_FLAG_ENAB Lit upon acceptance of a CRYPTO_ASSOC message
- * CRYPTO_FLAG_VALID Lit when a self-digned trusted certificate is
+ * CRYPTO_FLAG_CERT Lit when a self-digned trusted certificate is
* accepted.
* CRYPTO_FLAG_VRFY Lit when identity is confirmed.
* CRYPTO_FLAG_PROV Lit when the first signature is verified.
- * CRYPTO_FLAG_AGREE Lit when a valid cookie is accepted.
+ * CRYPTO_FLAG_COOK Lit when a valid cookie is accepted.
* CRYPTO_FLAG_AUTO Lit when valid autokey values are accepted.
* CRYPTO_FLAG_SIGN Lit when the server signed certificate is
* accepted.
- * CRYPTO_FLAG_TAI Lit when the leapsecond values are accepted.
+ * CRYPTO_FLAG_LEAP Lit when the leapsecond values are accepted.
*/
/*
* Cryptodefines
static u_long asn2ntp (ASN1_TIME *);
static struct cert_info *cert_parse (u_char *, long, tstamp_t);
static int cert_sign (struct exten *, struct value *);
-static int cert_valid (struct cert_info *, EVP_PKEY *);
static struct cert_info *cert_install (struct exten *, struct peer *);
+static int cert_hike (struct peer *, struct cert_info *);
static void cert_free (struct cert_info *);
-static struct pkey_info *crypto_key (char *, char *);
+static struct pkey_info *crypto_key (char *, char *, struct
+ sockaddr_storage *);
static void bighash (BIGNUM *, BIGNUM *);
static struct cert_info *crypto_cert (char *);
*
* Returns
* XEVNT_OK success
- * XEVNT_PER host certificate expired
* XEVNT_ERR protocol error
*
* This routine constructs a pseudo-random sequence by repeatedly
* cookie if client mode or the host cookie if symmetric modes.
*/
mpoll = 1 << min(peer->ppoll, peer->hpoll);
- lifetime = min(sys_automax, NTP_MAXSESSION * mpoll);
+ lifetime = min(1 << sys_automax, NTP_MAXSESSION * mpoll);
if (peer->hmode == MODE_BROADCAST)
cookie = 0;
else
#ifdef DEBUG
if (debug)
printf("make_keys: %d %08x %08x ts %u fs %u poll %d\n",
- ntohl(ap->seq), ntohl(ap->key), cookie,
- ntohl(vp->tstamp), ntohl(vp->fstamp), peer->hpoll);
+ peer->keynumber, keyid, cookie, ntohl(vp->tstamp),
+ ntohl(vp->fstamp), peer->hpoll);
#endif
return (XEVNT_OK);
}
*
* Returns
* XEVNT_OK success
- * XEVNT_LEN bad field format or length
* XEVNT_ERR protocol error
+ * XEVNT_LEN bad field format or length
*/
int
crypto_recv(
code |= CRYPTO_ERROR;
}
- /*
- * Little vulnerability bandage here. If a perp tosses a
- * fake association ID over the fence, we better toss it
- * out. Only the first one counts.
- */
- if (peer->assoc == 0)
- peer->assoc = associd;
if (len >= VALUE_LEN) {
tstamp = ntohl(ep->tstamp);
fstamp = ntohl(ep->fstamp);
/*
* If our state machine is running when this
- * message arrives, the other fellow has reset
- * and so must we. Otherwise, pass the extension
- * field to the transmit side.
+ * message arrives, the other fellow might have
+ * restarted. However, this could be an
+ * intruder, so just clamp the poll interval and
+ * find out for ourselves. Otherwise, pass the
+ * extension field to the transmit side.
*/
- if (peer->crypto & CRYPTO_FLAG_VALID) {
+ if (peer->crypto & CRYPTO_FLAG_CERT) {
rval = XEVNT_ERR;
break;
}
+ if (peer->cmmd) {
+ if (peer->assoc != associd) {
+ rval = XEVNT_ERR;
+ break;
+ }
+ }
fp = emalloc(len);
memcpy(fp, ep, len);
- temp32 = CRYPTO_RESP;
- fp->opcode |= htonl(temp32);
+ fp->associd = htonl(peer->associd);
peer->cmmd = fp;
/* fall through */
* Discard the message if it has already been
* stored or the message has been amputated.
*/
- if (peer->crypto)
+ if (peer->crypto) {
+ if (peer->assoc != associd)
+ rval = XEVNT_ERR;
break;
-
+ }
if (vallen == 0 || vallen > MAXHOSTNAME ||
len < VALUE_LEN + vallen) {
rval = XEVNT_LEN;
#ifdef DEBUG
if (debug)
printf(
- "crypto_recv: ident host 0x%x server 0x%x\n",
- crypto_flags, fstamp);
+ "crypto_recv: ident host 0x%x %d server 0x%x %d\n",
+ crypto_flags, peer->associd, fstamp,
+ peer->assoc);
#endif
temp32 = crypto_flags & CRYPTO_FLAG_MASK;
rval = XEVNT_KEY;
break;
}
- fstamp |= CRYPTO_FLAG_VALID |
+ fstamp |= CRYPTO_FLAG_CERT |
CRYPTO_FLAG_VRFY | CRYPTO_FLAG_SIGN;
/*
MODE_PASSIVE) {
if ((temp32 && !(fstamp &
CRYPTO_FLAG_MASK)) ||
- (!(temp32 && (fstamp &
- CRYPTO_FLAG_MASK)))) {
+ (!temp32 && (fstamp &
+ CRYPTO_FLAG_MASK))) {
rval = XEVNT_KEY;
break;
}
- /*
- * It is an error if the client supports
- * identity, but the server does not.
- */
- } else if (hismode == MODE_SERVER) {
- if (temp32 && !(fstamp &
- CRYPTO_FLAG_MASK)) {
- rval = XEVNT_KEY;
- break;
- }
}
/*
/*
* Save status word, host name and message
- * digest/signature type. As this is the first
- * time we heard of this guy, initialize the
- * retry counter.
+ * digest/signature type. If this is from a
+ * broadcast and the association ID has changed,
+ * request the autokey values.
*/
- if (peer->retry == 0)
- peer->retry = NTP_RETRY;
- poll_update(peer, peer->hpoll);
+ peer->assoc = associd;
+ if (peer->cast_flags & MDF_BCLNT)
+ fstamp |= CRYPTO_FLAG_COOK;
+ else if (hismode == MODE_SERVER)
+ fstamp |= CRYPTO_FLAG_AUTO;
+ if (!(fstamp & CRYPTO_FLAG_LEAP))
+ fstamp |= CRYPTO_FLAG_LEAP;
+ RAND_bytes((u_char *)&peer->hcookie, 4);
peer->crypto = fstamp;
peer->digest = dp;
+ if (peer->subject != NULL)
+ free(peer->subject);
peer->subject = emalloc(vallen + 1);
memcpy(peer->subject, ep->pkt, vallen);
peer->subject[vallen] = '\0';
+ if (peer->issuer != NULL)
+ free(peer->issuer);
peer->issuer = emalloc(vallen + 1);
strcpy(peer->issuer, peer->subject);
snprintf(statstr, NTP_MAXSTRLEN,
- "flags 0x%x host %s signature %s", fstamp,
- peer->subject, OBJ_nid2ln(temp32));
+ "assoc %d %d host %s %s", peer->associd,
+ peer->assoc, peer->subject,
+ OBJ_nid2ln(temp32));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
if (debug)
case CRYPTO_CERT | CRYPTO_RESP:
/*
- * Discard the message if invalid.
+ * Discard the message if empty or invalid.
*/
+ if (len < VALUE_LEN)
+ break;
+
if ((rval = crypto_verify(ep, NULL, peer)) !=
XEVNT_OK)
break;
/*
* Scan the certificate list to delete old
* versions and link the newest version first on
- * the list.
+ * the list. Then, verify the signature. If the
+ * certificate is bad or missing, just ignore
+ * it.
*/
if ((xinfo = cert_install(ep, peer)) == NULL) {
rval = XEVNT_CRT;
break;
}
-
- /*
- * If we snatch the certificate before the
- * server certificate has been signed by its
- * server, it will be self signed. When it is,
- * we chase the certificate issuer, which the
- * server has, and keep going until a self
- * signed trusted certificate is found. Be sure
- * to update the issuer field, since it may
- * change.
- */
- if (peer->issuer != NULL)
- free(peer->issuer);
- peer->issuer = emalloc(strlen(xinfo->issuer) +
- 1);
- strcpy(peer->issuer, xinfo->issuer);
+ if ((rval = cert_hike(peer, xinfo)) != XEVNT_OK)
+ break;
/*
* We plug in the public key and lifetime from
peer->flash &= ~TEST8;
temp32 = xinfo->nid;
snprintf(statstr, NTP_MAXSTRLEN,
- "cert %s 0x%x %s (%u) fs %u",
- xinfo->subject, xinfo->flags,
+ "cert %s %s 0x%x %s (%u) fs %u",
+ xinfo->subject, xinfo->issuer, xinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
case CRYPTO_IFF | CRYPTO_RESP:
/*
- * Discard the message if invalid or certificate
- * trail not trusted.
+ * Discard the message if invalid.
*/
- if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_verify(ep, NULL, peer)) !=
XEVNT_OK)
break;
/*
- * If the the challenge matches the response,
- * the certificate public key, as well as the
- * server public key, signatyre and identity are
+ * If the challenge matches the response, the
+ * server public key, signature and identity are
* all verified at the same time. The server is
* declared trusted, so we skip further
- * certificate stages and move immediately to
- * the cookie stage.
+ * certificate exchanges and move immediately to
+ * the cookie exchange.
*/
if ((rval = crypto_iff(ep, peer)) != XEVNT_OK)
break;
case CRYPTO_GQ | CRYPTO_RESP:
/*
- * Discard the message if invalid or certificate
- * trail not trusted.
+ * Discard the message if invalid
*/
- if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_verify(ep, NULL, peer)) !=
XEVNT_OK)
break;
/*
- * If the the challenge matches the response,
- * the certificate public key, as well as the
- * server public key, signatyre and identity are
+ * If the challenge matches the response, the
+ * server public key, signature and identity are
* all verified at the same time. The server is
* declared trusted, so we skip further
- * certificate stages and move immediately to
- * the cookie stage.
+ * certificate exchanges and move immediately to
+ * the cookie exchange.
*/
if ((rval = crypto_gq(ep, peer)) != XEVNT_OK)
break;
case CRYPTO_MV | CRYPTO_RESP:
/*
- * Discard the message if invalid or certificate
- * trail not trusted.
+ * Discard the message if invalid.
*/
- if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_verify(ep, NULL, peer)) !=
XEVNT_OK)
break;
/*
- * If the the challenge matches the response,
- * the certificate public key, as well as the
- * server public key, signatyre and identity are
+ * If the challenge matches the response, the
+ * server public key, signature and identity are
* all verified at the same time. The server is
* declared trusted, so we skip further
- * certificate stages and move immediately to
- * the cookie stage.
+ * certificate exchanges and move immediately to
+ * the cookie exchange.
*/
if ((rval = crypto_mv(ep, peer)) != XEVNT_OK)
break;
#endif
break;
- /*
- * Cookie request in symmetric modes. Roll a random
- * cookie and install in symmetric mode. Encrypt for the
- * response, which is transmitted later.
- */
- case CRYPTO_COOK:
-
- /*
- * Discard the message if invalid.
- */
- if ((rval = crypto_verify(ep, NULL, peer)) !=
- XEVNT_OK)
- break;
-
- /*
- * Pass the extension field to the transmit
- * side. If already agreed, walk away.
- */
- fp = emalloc(len);
- memcpy(fp, ep, len);
- temp32 = CRYPTO_RESP;
- fp->opcode |= htonl(temp32);
- peer->cmmd = fp;
- if (!(peer->crypto & CRYPTO_FLAG_VRFY) ||
- peer->crypto & CRYPTO_FLAG_AGREE) {
- peer->flash &= ~TEST8;
- break;
- }
-
- /*
- * Install cookie values and light the cookie
- * bit. The transmit side will pick up and
- * encrypt it for the response.
- */
- key_expire(peer);
- peer->cookval.tstamp = ep->tstamp;
- peer->cookval.fstamp = ep->fstamp;
- RAND_bytes((u_char *)&peer->pcookie, 4);
- peer->crypto &= ~CRYPTO_FLAG_AUTO;
- peer->crypto |= CRYPTO_FLAG_AGREE;
- peer->flash &= ~TEST8;
- snprintf(statstr, NTP_MAXSTRLEN,
- "cook %x ts %u fs %u", peer->pcookie,
- ntohl(ep->tstamp), ntohl(ep->fstamp));
- record_crypto_stats(&peer->srcadr, statstr);
-#ifdef DEBUG
- if (debug)
- printf("crypto_recv: %s\n", statstr);
-#endif
- break;
/*
* Cookie response in client and symmetric modes. If the
case CRYPTO_COOK | CRYPTO_RESP:
/*
- * Discard the message if invalid or identity
- * not confirmed or signature not verified with
- * respect to the cookie values.
+ * Discard the message if invalid or signature
+ * not verified with respect to the cookie
+ * values.
*/
- if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_verify(ep, &peer->cookval,
peer)) != XEVNT_OK)
break;
* are done here.
*/
key_expire(peer);
- peer->cookval.tstamp = ep->tstamp;
- peer->cookval.fstamp = ep->fstamp;
- if (peer->crypto & CRYPTO_FLAG_AGREE)
- peer->pcookie ^= cookie;
+ if (hismode == MODE_ACTIVE || hismode ==
+ MODE_PASSIVE)
+ peer->pcookie = peer->hcookie ^ cookie;
else
peer->pcookie = cookie;
- if (peer->hmode == MODE_CLIENT &&
- !(peer->cast_flags & MDF_BCLNT))
- peer->crypto |= CRYPTO_FLAG_AUTO;
- else
- peer->crypto &= ~CRYPTO_FLAG_AUTO;
- peer->crypto |= CRYPTO_FLAG_AGREE;
+ peer->crypto |= CRYPTO_FLAG_COOK;
peer->flash &= ~TEST8;
snprintf(statstr, NTP_MAXSTRLEN,
"cook %x ts %u fs %u", peer->pcookie,
case CRYPTO_AUTO | CRYPTO_RESP:
/*
- * Discard the message if a CRYPTO_ASSOC
- * message has not been received. This is to
- * suppress spurious protocol errors if this is
- * the first message received by a broadcast
- * client.
+ * Discard the message if invalid or signature
+ * not verified with respect to the receive
+ * autokey values.
*/
- if (!(peer->crypto))
+ if ((rval = crypto_verify(ep, &peer->recval,
+ peer)) != XEVNT_OK)
break;
/*
- * Discard the message if invalid or identity
- * not confirmed or signature not verified with
- * respect to the receive autokey values.
+ * Discard the message if a broadcast client and
+ * the association ID does not match. This might
+ * happen if a broacast server restarts the
+ * protocol. A protocol restart will occur at
+ * the next ASSOC message.
*/
- if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
- rval = XEVNT_ERR;
- break;
- }
- if ((rval = crypto_verify(ep, &peer->recval,
- peer)) != XEVNT_OK)
+ if (peer->cast_flags & MDF_BCLNT &&
+ peer->assoc != associd)
break;
/*
case CRYPTO_SIGN | CRYPTO_RESP:
/*
- * Discard the message if invalid or not
- * proventic.
+ * Discard the message if invalid.
*/
- if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_verify(ep, NULL, peer)) !=
XEVNT_OK)
break;
peer->flash &= ~TEST8;
temp32 = xinfo->nid;
snprintf(statstr, NTP_MAXSTRLEN,
- "sign %s 0x%x %s (%u) fs %u", xinfo->issuer,
- xinfo->flags, OBJ_nid2ln(temp32), temp32,
+ "sign %s %s 0x%x %s (%u) fs %u",
+ xinfo->subject, xinfo->issuer, xinfo->flags,
+ OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
break;
/*
- * Install leapseconds values in symmetric modes. This
- * table is proventicated to the NIST primary servers,
- * either by copying the file containing the table from
- * a NIST server to a trusted server or directly using
- * this protocol. While the entire table is installed at
- * the server, presently only the current TAI offset is
- * provided via the kernel to other applications.
+ * Install leapseconds values. While the leapsecond
+ * values epoch, TAI offset and values expiration epoch
+ * are retained, only the current TAI offset is provided
+ * via the kernel to other applications.
*/
- case CRYPTO_TAI:
+ case CRYPTO_LEAP | CRYPTO_RESP:
/*
- * Discard the message if invalid.
+ * Discard the message if invalid We can't
+ * compare the value timestamps here, as they
+ * can be updated by different servers.
*/
if ((rval = crypto_verify(ep, NULL, peer)) !=
XEVNT_OK)
break;
- /*
- * Pass the extension field to the transmit
- * side. Continue below if leapseconds values
- * accompanies the message.
- */
- fp = emalloc(len);
- memcpy(fp, ep, len);
- temp32 = CRYPTO_RESP;
- fp->opcode |= htonl(temp32);
- peer->cmmd = fp;
- if (!(peer->crypto & CRYPTO_FLAG_VRFY) || len <=
- VALUE_LEN) {
- peer->flash &= ~TEST8;
- break;
- }
- /* fall through */
-
- case CRYPTO_TAI | CRYPTO_RESP:
-
- /*
- * If this is a response, discard the message if
- * signature not verified with respect to the
- * leapseconds values.
- */
- if (peer->cmmd == NULL) {
- if ((rval = crypto_verify(ep, NULL,
- peer)) != XEVNT_OK)
- break;
- }
-
/*
* If the packet leap values are more recent
* than the stored ones, install the new leap
leap_sec = ntohl(ep->pkt[1]);
leap_expire = ntohl(ep->pkt[2]);
crypto_update();
- msyslog(LOG_NOTICE,
- "leap epoch %lu expire %lu TAI offset %d from %s",
- leap_sec, leap_expire, leap_tai,
- stoa(&peer->srcadr));
}
peer->crypto |= CRYPTO_FLAG_LEAP;
peer->flash &= ~TEST8;
* We come here in symmetric modes for miscellaneous
* commands that have value fields but are processed on
* the transmit side. All we need do here is check for
- * valid field length. Remaining checks are below and on
- * the transmit side.
+ * valid field length. Note that ASSOC is handled
+ * separately.
*/
case CRYPTO_CERT:
case CRYPTO_IFF:
case CRYPTO_GQ:
case CRYPTO_MV:
+ case CRYPTO_COOK:
case CRYPTO_SIGN:
if (len < VALUE_LEN) {
rval = XEVNT_LEN;
/* fall through */
/*
- * We come here for miscellaneous requests and unknown
- * requests and responses. If an unknown response or
- * error, forget it. If a request, save the extension
- * field for later. Unknown requests will be caught on
- * the transmit side.
+ * We come here in symmetric modes for requests
+ * requiring a response (above plus AUTO and LEAP) and
+ * for responses. If a request, save the extension field
+ * for later; invalid requests will be caught on the
+ * transmit side. If an error or invalid response,
+ * declare a protocol error.
*/
default:
if (code & (CRYPTO_RESP | CRYPTO_ERROR)) {
rval = XEVNT_ERR;
- } else if ((rval = crypto_verify(ep, NULL,
- peer)) == XEVNT_OK) {
+ } else if (peer->cmmd == NULL) {
fp = emalloc(len);
memcpy(fp, ep, len);
- temp32 = CRYPTO_RESP;
- fp->opcode |= htonl(temp32);
peer->cmmd = fp;
}
}
/*
- * We don't log length/format/timestamp errors and
- * duplicates, which are log clogging vulnerabilities.
* The first error found terminates the extension field
- * scan and we return the laundry to the caller. A
- * length/format/timestamp error on transmit is
- * cheerfully ignored, as the message is not sent.
+ * scan and we return the laundry to the caller.
*/
- if (rval > XEVNT_TSP) {
+ if (rval != XEVNT_OK) {
snprintf(statstr, NTP_MAXSTRLEN,
- "error %x opcode %x ts %u fs %u", rval,
- code, tstamp, fstamp);
+ "%04x %d %02x %s", htonl(ep->opcode),
+ associd, rval, eventstr(rval));
record_crypto_stats(&peer->srcadr, statstr);
- report_event(rval, peer);
#ifdef DEBUG
if (debug)
printf("crypto_recv: %s\n", statstr);
#endif
- } else if (rval > XEVNT_OK && (code & CRYPTO_RESP)) {
- rval = XEVNT_OK;
+ return (rval);
}
authlen += (len + 3) / 4 * 4;
}
*
* Returns
* XEVNT_OK success
- * XEVNT_LEN bad field format or length
* XEVNT_CRT bad or missing certificate
* XEVNT_ERR protocol error
- * XEVNT_SRV server certificate expired
+ * XEVNT_LEN bad field format or length
+ * XEVNT_PER host certificate expired
*/
int
crypto_xmit(
+ struct peer *peer, /* peer structure pointer */
struct pkt *xpkt, /* transmit packet pointer */
- struct sockaddr_storage *srcadr_sin, /* active runway */
+ struct recvbuf *rbufp, /* receive buffer pointer */
int *start, /* offset to extension field */
struct exten *ep, /* extension pointer */
keyid_t cookie /* session cookie */
)
{
- u_int32 *pkt; /* packet pointer */
- struct peer *peer; /* peer structure pointer */
- u_int opcode; /* extension field opcode */
struct exten *fp; /* extension pointers */
struct cert_info *cp, *xp, *yp; /* cert info/value pointer */
+ struct sockaddr_storage *srcadr_sin; /* source address */
+ u_int32 *pkt; /* packet pointer */
+ u_int opcode; /* extension field opcode */
char certname[MAXHOSTNAME + 1]; /* subject name buffer */
char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
tstamp_t tstamp;
* synchronized, light the error bit and go home.
*/
pkt = (u_int32 *)xpkt + *start / 4;
+ if (peer != NULL)
+ srcadr_sin = &peer->srcadr;
+ else
+ srcadr_sin = &rbufp->recv_srcadr;
fp = (struct exten *)pkt;
opcode = ntohl(ep->opcode);
+ if (!(opcode & CRYPTO_RESP))
+ peer->opcode = ep->opcode;
associd = (associd_t) ntohl(ep->associd);
fp->associd = ep->associd;
len = 8;
case CRYPTO_SIGN:
if (tstamp < cert_host->first || tstamp >
cert_host->last)
- rval = XEVNT_SRV;
+ rval = XEVNT_PER;
else
rval = crypto_send(fp, &cert_host->cert, &len);
break;
}
/*
- * Be careful who you trust. If not yet synchronized or
- * certificate not found, give back an empty response.
- * If certificate is beyond the lifetime, return an
- * error. This is to avoid a bad dude trying to get an
- * expired certificate re-signed. Otherwise, send it.
+ * Be careful who you trust. If the certificate is not
+ * found, return an empty response. Note that we dont
+ * enforce lifetimes here.
*
- * Note the timestamp and filestamp are taken from the
+ * The timestamp and filestamp are taken from the
* certificate value structure. For all certificates the
* timestamp is the latest signature update time. For
* host and imported certificates the filestamp is the
* creation epoch. For signed certificates the filestamp
* is the creation epoch of the trusted certificate at
- * the base of the certificate trail. In principle, this
+ * the root of the certificate trail. In principle, this
* allows strong checking for signature masquerade.
*/
if (xp == NULL)
xp = yp;
- if (tstamp == 0 || xp == NULL)
+ if (xp == NULL)
break;
- else if (tstamp < xp->first || tstamp > xp->last)
- rval = XEVNT_SRV;
- else
- rval = crypto_send(fp, &xp->cert, &len);
+ if (tstamp == 0)
+ break;
+
+ rval = crypto_send(fp, &xp->cert, &len);
break;
/*
* Send challenge in Schnorr (IFF) identity scheme.
*/
case CRYPTO_IFF:
- if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_alice(peer, &vtemp)) == XEVNT_OK) {
rval = crypto_send(fp, &vtemp, &len);
value_free(&vtemp);
* Send challenge in Guillou-Quisquater (GQ) identity scheme.
*/
case CRYPTO_GQ:
- if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_alice2(peer, &vtemp)) == XEVNT_OK) {
rval = crypto_send(fp, &vtemp, &len);
value_free(&vtemp);
* Send challenge in MV identity scheme.
*/
case CRYPTO_MV:
- if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
- rval = XEVNT_ERR;
- break;
- }
if ((rval = crypto_alice3(peer, &vtemp)) == XEVNT_OK) {
rval = crypto_send(fp, &vtemp, &len);
value_free(&vtemp);
if (PKT_MODE(xpkt->li_vn_mode) == MODE_SERVER) {
tcookie = cookie;
} else {
- if ((peer = findpeerbyassoc(associd)) == NULL) {
- rval = XEVNT_ERR;
- break;
- }
- tcookie = peer->pcookie;
+ tcookie = peer->hcookie;
}
if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
XEVNT_OK) {
* old message, in which case light the error bit.
*/
case CRYPTO_AUTO | CRYPTO_RESP:
- if ((peer = findpeerbyassoc(associd)) == NULL) {
- rval = XEVNT_ERR;
- break;
+ if (peer == NULL) {
+ if ((peer = findpeerbyassoc(associd)) == NULL) {
+ rval = XEVNT_ERR;
+ break;
+ }
}
peer->flags &= ~FLAG_ASSOC;
rval = crypto_send(fp, &peer->sndval, &len);
* the tai structure. If no table has been loaded, just send an
* empty request.
*/
- case CRYPTO_TAI:
- case CRYPTO_TAI | CRYPTO_RESP:
+ case CRYPTO_LEAP | CRYPTO_RESP:
rval = crypto_send(fp, &tai_leap, &len);
break;
* puppy; if a response, return so the sender can flame, too.
*/
if (rval != XEVNT_OK) {
- opcode |= CRYPTO_ERROR;
- snprintf(statstr, NTP_MAXSTRLEN, "error %x opcode %x",
- rval, opcode);
+ u_int32 uint32;
+
+ uint32 = CRYPTO_ERROR;
+ opcode |= uint32;
+ fp->opcode |= htonl(uint32);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "%04x %d %02x %s", opcode, associd, rval,
+ eventstr(rval));
record_crypto_stats(srcadr_sin, statstr);
- report_event(rval, NULL);
#ifdef DEBUG
if (debug)
printf("crypto_xmit: %s\n", statstr);
/*
- * crypto_verify - parse and verify the extension field and value
+ * crypto_verify - verify the extension field value and signature
*
* Returns
* XEVNT_OK success
- * XEVNT_LEN bad field format or length
- * XEVNT_TSP bad timestamp
+ * XEVNT_ERR protocol error
* XEVNT_FSP bad filestamp
+ * XEVNT_LEN bad field format or length
* XEVNT_PUB bad or missing public key
* XEVNT_SGL bad signature length
* XEVNT_SIG signature not verified
- * XEVNT_ERR protocol error
+ * XEVNT_TSP bad timestamp
*/
static int
crypto_verify(
int i;
/*
- * We require valid opcode and field lengths, timestamp,
- * filestamp, public key, digest, signature length and
- * signature, where relevant. Note that preliminary length
- * checks are done in the main loop.
+ * We are extremely parannoyed. We require valid opcode, length,
+ * association ID, timestamp, filestamp, public key, digest,
+ * signature length and signature, where relevant. Note that
+ * preliminary length checks are done in the main loop.
*/
len = ntohl(ep->opcode) & 0x0000ffff;
opcode = ntohl(ep->opcode) & 0xffff0000;
/*
- * Check for valid operation code and protocol. The opcode must
- * not have the error bit set. If a response, it must have a
- * value header. If a request and does not contain a value
- * header, no need for further checking.
+ * Check for valid value header opcode, association ID and
+ & extension field length. The request and response opcodes must
+ & match and the response ID must match the association ID. The
+ * autokey values response is the exception, as it can be sent
+ * unsolicited.
*/
if (opcode & CRYPTO_ERROR)
return (XEVNT_ERR);
- if (opcode & CRYPTO_RESP) {
- if (len < VALUE_LEN)
- return (XEVNT_LEN);
+ if (len < VALUE_LEN)
+ return (XEVNT_LEN);
+
+ if (opcode == (CRYPTO_AUTO | CRYPTO_RESP)) {
+ if (ntohl(ep->associd) != peer->assoc)
+ return (XEVNT_ERR);
} else {
- if (len < VALUE_LEN)
- return (XEVNT_OK);
+ if (((htonl(peer->opcode) & 0x3fff0000) !=
+ (opcode & 0x3fff0000)) || ntohl(ep->associd) !=
+ peer->associd)
+ return (XEVNT_ERR);
}
/*
- * We have a value header. Check for valid field lengths. The
- * field length must be long enough to contain the value header,
- * value and signature. Note both the value and signature fields
- * are rounded up to the next word.
+ * We have a valid value header. Check for valid value and
+ * signature field lengths. The extension field length must be
+ * long enough to contain the value header, value and signature.
+ * Note both the value and signature field lengths are rounded
+ * up to the next word.
*/
vallen = ntohl(ep->vallen);
+ if (vallen == 0)
+ return (XEVNT_LEN);
+
i = (vallen + 3) / 4;
siglen = ntohl(ep->pkt[i++]);
if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
4) * 4)
return (XEVNT_LEN);
- /*
- * Punt if this is a response with no data. Punt if this is a
- * request and a previous response is pending.
- */
- if (opcode & CRYPTO_RESP) {
- if (vallen == 0)
- return (XEVNT_LEN);
- } else {
- if (peer->cmmd != NULL)
- return (XEVNT_LEN);
- }
-
/*
* Check for valid timestamp and filestamp. If the timestamp is
* zero, the sender is not synchronized and signatures are
* disregarded. If not, the timestamp must not precede the
* filestamp. The timestamp and filestamp must not precede the
- * corresponding values in the value structure, if present. Once
- * the autokey values have been installed, the timestamp must
- * always be later than the corresponding value in the value
- * structure. Duplicate timestamps are illegal once the cookie
- * has been validated.
- */
+ * corresponding values in the value structure, if present. */
tstamp = ntohl(ep->tstamp);
fstamp = ntohl(ep->fstamp);
if (tstamp == 0)
if (vp != NULL) {
tstamp1 = ntohl(vp->tstamp);
fstamp1 = ntohl(vp->fstamp);
- if ((tstamp < tstamp1 || (tstamp == tstamp1 &&
- (peer->crypto & CRYPTO_FLAG_AUTO))))
- return (XEVNT_TSP);
+ if (tstamp1 != 0 && fstamp1 != 0) {
+ if (tstamp < tstamp1)
+ return (XEVNT_TSP);
- if ((tstamp < fstamp1 || fstamp < fstamp1))
- return (XEVNT_FSP);
+ if ((tstamp < fstamp1 || fstamp < fstamp1))
+ return (XEVNT_FSP);
+ }
}
/*
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
* XEVNT_CKY bad or missing cookie
+ * XEVNT_PUB bad or missing public key
*/
static int
crypto_encrypt(
if (peer->crypto & CRYPTO_FLAG_IFF) {
snprintf(filename, MAXFILENAME, "ntpkey_iffpar_%s",
peer->issuer);
- peer->ident_pkey = crypto_key(filename, NULL);
+ peer->ident_pkey = crypto_key(filename, NULL,
+ &peer->srcadr);
if (peer->ident_pkey != NULL)
return (CRYPTO_IFF);
}
if (peer->crypto & CRYPTO_FLAG_GQ) {
snprintf(filename, MAXFILENAME, "ntpkey_gqpar_%s",
peer->issuer);
- peer->ident_pkey = crypto_key(filename, NULL);
+ peer->ident_pkey = crypto_key(filename, NULL,
+ &peer->srcadr);
if (peer->ident_pkey != NULL)
return (CRYPTO_GQ);
}
if (peer->crypto & CRYPTO_FLAG_MV) {
snprintf(filename, MAXFILENAME, "ntpkey_mvpar_%s",
peer->issuer);
- peer->ident_pkey = crypto_key(filename, NULL);
+ peer->ident_pkey = crypto_key(filename, NULL,
+ &peer->srcadr);
if (peer->ident_pkey != NULL)
return (CRYPTO_MV);
}
return (ep);
ep->opcode = htonl(opcode + len);
-
- /*
- * If a request, send our ID; if a response, send the
- * requestor's ID.
- */
ep->associd = htonl(associd);
ep->tstamp = htonl(tstamp);
ep->fstamp = hostval.tstamp;
if (str != NULL) {
ep->vallen = htonl(strlen(str));
memcpy((char *)ep->pkt, str, strlen(str));
- } else {
- ep->pkt[0] = peer->associd;
}
return (ep);
}
EVP_MD_CTX ctx; /* message digest context */
struct cert_info *cp; /* certificate info/value */
char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
- tstamp_t tstamp; /* NTP timestamp */
u_int32 *ptr;
u_int len;
- tstamp = crypto_time();
- if (tstamp == 0)
+ hostval.tstamp = htonl(crypto_time());
+ if (hostval.tstamp == 0)
return;
- hostval.tstamp = htonl(tstamp);
/*
* Sign public key and timestamps. The filestamp is derived from
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
tai_leap.siglen = htonl(len);
if (leap_sec > 0)
- crypto_flags |= CRYPTO_FLAG_TAI;
- snprintf(statstr, NTP_MAXSTRLEN, "update at %lu ts %u",
- current_time, ntohl(hostval.tstamp));
+ crypto_flags |= CRYPTO_FLAG_LEAP;
+ snprintf(statstr, NTP_MAXSTRLEN, "signature update ts %u",
+ ntohl(hostval.tstamp));
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
* XEVNT_ID bad or missing group key
+ * XEVNT_PUB bad or missing public key
*/
static int
crypto_alice(
*
* Returns
* XEVNT_OK success
- * XEVNT_ID bad or missing group key
* XEVNT_ERR protocol error
+ * XEVNT_ID bad or missing group key
*/
static int
crypto_bob(
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
- * XEVNT_ID bad or missing group key
* XEVNT_FSP bad filestamp
+ * XEVNT_ID bad or missing group key
+ * XEVNT_PUB bad or missing public key
*/
int
crypto_iff(
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
* XEVNT_ID bad or missing group key
+ * XEVNT_PUB bad or missing public key
*/
static int
crypto_alice2(
*
* Returns
* XEVNT_OK success
- * XEVNT_ID bad or missing group key
* XEVNT_ERR protocol error
+ * XEVNT_ID bad or missing group key
*/
static int
crypto_bob2(
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
- * XEVNT_ID bad or missing group keys
* XEVNT_ERR protocol error
* XEVNT_FSP bad filestamp
+ * XEVNT_ID bad or missing group keys
+ * XEVNT_PUB bad or missing public key
*/
int
crypto_gq(
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
* XEVNT_ID bad or missing group key
+ * XEVNT_PUB bad or missing public key
*/
static int
crypto_alice3(
*
* Returns
* XEVNT_OK success
- * XEVNT_PUB bad or missing public key
- * XEVNT_ID bad or missing group key
* XEVNT_ERR protocol error
* XEVNT_FSP bad filestamp
+ * XEVNT_ID bad or missing group key
+ * XEVNT_PUB bad or missing public key
*/
int
crypto_mv(
* remains valid until its expiration.
*
* Returns
+ * XEVNT_CRT bad or missing certificate
* XEVNT_OK success
+ * XEVNT_PER host certificate expired
* XEVNT_PUB bad or missing public key
- * XEVNT_CRT bad or missing certificate
* XEVNT_VFY certificate not verified
- * XEVNT_PER host certificate expired
*/
static int
cert_sign(
X509_free(req);
/*
- * Sign and verify the certificate.
+ * Sign and verify the client certificate, but only if the host
+ * certificate has not expired.
*/
+ if (tstamp < cert_host->first || tstamp > cert_host->last) {
+ X509_free(cert);
+ return (XEVNT_PER);
+ }
X509_sign(cert, sign_pkey, sign_digest);
if (!X509_verify(cert, sign_pkey)) {
msyslog(LOG_ERR, "cert_sign: %s",
}
-/*
- * cert_valid - verify certificate with given public key
- *
- * This is pretty ugly, as the certificate has to be verified in the
- * OpenSSL X509 structure, not in the DER format in the info/value
- * structure.
- *
- * Returns
- * XEVNT_OK success
- * XEVNT_VFY certificate not verified
- */
-int
-cert_valid(
- struct cert_info *cinf, /* certificate information structure */
- EVP_PKEY *pkey /* public key */
- )
-{
- X509 *cert; /* X509 certificate */
- u_char *ptr;
-
- if (cinf->flags & CERT_SIGN)
- return (XEVNT_OK);
-
- ptr = (u_char *)cinf->cert.ptr;
- cert = d2i_X509(NULL, &ptr, ntohl(cinf->cert.vallen));
- if (cert == NULL || !X509_verify(cert, pkey))
- return (XEVNT_VFY);
-
- X509_free(cert);
- return (XEVNT_OK);
-}
-
-
/*
* cert_install - install certificate in certificate cache
*
* This routine encodes an extension field into a certificate info/value
* structure. It searches the certificate list for duplicates and
- * expunges whichever is older. It then searches the list for other
- * certificates that might be verified by this latest one. Finally, it
- * inserts this certificate first on the list.
+ * expunges whichever is older. Finally, it inserts this certificate
+ * first on the list.
+ *
+ * Returns certificate info pointer if valid, NULL if not.
*/
struct cert_info *
cert_install(
/*
* Parse and validate the signed certificate. If valid,
- * construct the info/value structure; otherwise, scamper home.
+ * construct the info/value structure; otherwise, scamper home
+ * empty handed.
*/
if ((cp = cert_parse((u_char *)ep->pkt, (long)ntohl(ep->vallen),
(tstamp_t)ntohl(ep->fstamp))) == NULL)
* the same subject and issuer. If another is found with the
* same or older filestamp, unlink it and return the goodies to
* the heap. If another is found with a later filestamp, discard
- * the new one and leave the building.
+ * the new one and leave the building with the old one.
*
* Make a note to study this issue again. An earlier certificate
* with a long lifetime might be overtaken by a later
cp->link = cinfo;
cinfo = cp;
}
+ cp->flags |= CERT_VALID;
+ crypto_update();
+ return (cp);
+}
- /*
- * Scan the certificate list to see if Y is signed by X. This is
- * independent of order.
- */
- for (yp = cinfo; yp != NULL; yp = yp->link) {
- for (xp = cinfo; xp != NULL; xp = xp->link) {
-
- /*
- * If the issuer of certificate Y matches the
- * subject of certificate X, verify the
- * signature of Y using the public key of X. If
- * so, X signs Y.
- */
- if (strcmp(yp->issuer, xp->subject) != 0 ||
- xp->flags & CERT_ERROR)
- continue;
-
- if (cert_valid(yp, xp->pkey) != XEVNT_OK) {
- yp->flags |= CERT_ERROR;
- continue;
- }
- /*
- * The signature Y is valid only if it begins
- * during the lifetime of X; however, it is not
- * necessarily an error, since some other
- * certificate might sign Y.
- */
- if (yp->first < xp->first || yp->first >
- xp->last)
- continue;
-
- yp->flags |= CERT_SIGN;
+/*
+ * cert_hike - verify the signature using the issuer public key
+ *
+ * Returns
+ * XEVNT_OK success
+ * XEVNT_CRT bad or missing certificate
+ * XEVNT_PER host certificate expired
+ * XEVNT_VFY certificate not verified
+ */
+int
+cert_hike(
+ struct peer *peer, /* peer structure pointer */
+ struct cert_info *yp /* issuer certificate */
+ )
+{
+ struct cert_info *xp; /* subject certificate */
+ X509 *cert; /* X509 certificate */
+ u_char *ptr;
- /*
- * If X is trusted, then Y is trusted. Note that
- * we might stumble over a self-signed
- * certificate that is not trusted, at least
- * temporarily. This can happen when a dude
- * first comes up, but has not synchronized the
- * clock and had its certificate signed by its
- * server. In case of broken certificate trail,
- * this might result in a loop that could
- * persist until timeout.
- */
- if (!(xp->flags & (CERT_TRUST | CERT_VALID)))
- continue;
+ /*
+ * Save the issuer on the new certificate, but remember the old
+ * one.
+ */
+ if (peer->issuer != NULL)
+ free(peer->issuer);
+ peer->issuer = emalloc(strlen(yp->issuer) + 1);
+ strcpy(peer->issuer, yp->issuer);
+ xp = peer->xinfo;
+ peer->xinfo = yp;
- yp->flags |= CERT_VALID;
+ /*
+ * If subject Y matches issuer Y, then the certificate trail is
+ * complete. If Y is not trusted, the server certificate has yet
+ * been signed, so keep trying. Otherwise, save the group key
+ * and light the valid bit. If the host certificate is trusted,
+ * do not execute a sign exchange. If no identity scheme is in
+ * use, light the identity and proventic bits.
+ */
+ if (strcmp(yp->subject, yp->issuer) == 0) {
+ if (!(yp->flags & CERT_TRUST))
+ return (XEVNT_OK);
- /*
- * If subject Y matches the server subject name,
- * then Y has completed the certificate trail.
- * Save the group key and light the valid bit.
- */
- if (strcmp(yp->subject, peer->subject) != 0)
- continue;
+ peer->grpkey = yp->grpkey;
+ peer->crypto |= CRYPTO_FLAG_CERT;
+ if (!(peer->crypto & CRYPTO_FLAG_MASK))
+ peer->crypto |= CRYPTO_FLAG_VRFY |
+ CRYPTO_FLAG_PROV;
- peer->grpkey = xp->grpkey;
- peer->crypto |= CRYPTO_FLAG_VALID;
+ /*
+ * If the server has an an identity scheme, fetch the
+ * identity credentials. If not, the identity is
+ * verified only by the trusted certificate. The next
+ * signature will set the server proventic.
+ */
+ if (!(peer->crypto & CRYPTO_FLAG_MASK) ||
+ sys_groupname == NULL)
+ peer->crypto |= CRYPTO_FLAG_VRFY;
+ }
- /*
- * If the server has an an identity scheme,
- * fetch the identity credentials. If not, the
- * identity is verified only by the trusted
- * certificate. The next signature will set the
- * server proventic.
- */
- if ((peer->crypto & CRYPTO_FLAG_MASK) &&
- sys_groupname != NULL)
- continue;
+ /*
+ * If X exists, verify signature X using public key Y.
+ */
+ if (xp == NULL)
+ return (XEVNT_OK);
- peer->crypto |= CRYPTO_FLAG_VRFY;
- }
+ ptr = (u_char *)xp->cert.ptr;
+ cert = d2i_X509(NULL, &ptr, ntohl(xp->cert.vallen));
+ if (cert == NULL) {
+ xp->flags |= CERT_ERROR;
+ return (XEVNT_CRT);
+ }
+ if (!X509_verify(cert, yp->pkey)) {
+ X509_free(cert);
+ xp->flags |= CERT_ERROR;
+ return (XEVNT_VFY);
}
+ X509_free(cert);
/*
- * That was awesome. Now update the timestamps and signatures.
+ * Signature X is valid only if it begins during the
+ * lifetime of Y.
*/
- crypto_update();
- return (cp);
+ if (xp->first < yp->first || xp->first > yp->last) {
+ xp->flags |= CERT_ERROR;
+ return (XEVNT_PER);
+ }
+ xp->flags |= CERT_SIGN;
+ return (XEVNT_OK);
}
static struct pkey_info *
crypto_key(
char *cp, /* file name */
- char *passwd1 /* password */
+ char *passwd1, /* password */
+ struct sockaddr_storage *addr /* IP address */
)
{
FILE *str; /* file handle */
*/
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d",&linkname[2],
+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
EVP_PKEY_size(pkey) * 8);
+ record_crypto_stats(addr, statstr);
#ifdef DEBUG
if (debug)
printf("crypto_key: %s\n", statstr);
{
struct pkey_info *pinfo; /* private/public key */
char filename[MAXFILENAME]; /* file name buffer */
+ char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
l_fp seed; /* crypto PRNG seed as NTP timestamp */
u_int len;
int bytes;
* sign key.
*/
snprintf(filename, MAXFILENAME, "ntpkey_host_%s", sys_hostname);
- pinfo = crypto_key(filename, passwd);
+ pinfo = crypto_key(filename, passwd, NULL);
if (pinfo == NULL) {
msyslog(LOG_ERR,
"crypto_setup: host key file %s not found or corrupt",
if (sign_file != NULL) {
snprintf(filename, MAXFILENAME, "ntpkey_sign_%s",
sign_file);
- pinfo = crypto_key(filename, passwd);
+ pinfo = crypto_key(filename, passwd, NULL);
if (pinfo != NULL)
sign_pkey = pinfo->pkey;
}
*/
snprintf(filename, MAXFILENAME, "ntpkey_iffkey_%s",
sys_groupname);
- iffkey_info = crypto_key(filename, passwd);
+ iffkey_info = crypto_key(filename, passwd, NULL);
if (iffkey_info != NULL)
crypto_flags |= CRYPTO_FLAG_IFF;
*/
snprintf(filename, MAXFILENAME, "ntpkey_gqkey_%s",
sys_groupname);
- gqkey_info = crypto_key(filename, passwd);
+ gqkey_info = crypto_key(filename, passwd, NULL);
if (gqkey_info != NULL)
crypto_flags |= CRYPTO_FLAG_GQ;
*/
snprintf(filename, MAXFILENAME, "ntpkey_mvkey_%s",
sys_groupname);
- mvkey_info = crypto_key(filename, passwd);
+ mvkey_info = crypto_key(filename, passwd, NULL);
if (mvkey_info != NULL)
crypto_flags |= CRYPTO_FLAG_MV;
}
* We met the enemy and he is us. Now strike up the dance.
*/
crypto_flags |= CRYPTO_FLAG_ENAB | (cinfo->nid << 16);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "setup 0x%x host %s %s\n", crypto_flags, sys_hostname,
+ OBJ_nid2ln(cinfo->nid));
+ record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
- printf(
- "crypto_setup: flags 0x%x host %s signature %s\n",
- crypto_flags, sys_hostname, OBJ_nid2ln(cinfo->nid));
+ printf("crypto_setup: %s\n", statstr);
#endif
}
resolver_exit(1);
}
if (intval[TOK_MINPOLL] < ntp_minpoll ||
- intval[TOK_MINPOLL] > ntp_minpoll) {
+ intval[TOK_MINPOLL] > NTP_MAXPOLL) {
msyslog(LOG_ERR, "invalid MINPOLL value (%ld) in file %s",
intval[TOK_MINPOLL], name);
resolver_exit(1);
}
- if ((intval[TOK_FLAGS] & ~(FLAG_AUTHENABLE | FLAG_PREFER |
- FLAG_NOSELECT | FLAG_BURST | FLAG_IBURST | FLAG_SKEY))
- != 0) {
+ if ((intval[TOK_FLAGS] & ~(FLAG_PREFER | FLAG_NOSELECT |
+ FLAG_BURST | FLAG_IBURST | FLAG_SKEY)) != 0) {
msyslog(LOG_ERR, "invalid flags (%ld) in file %s",
intval[TOK_FLAGS], name);
resolver_exit(1);
}
flags = 0;
- if (intval[TOK_FLAGS] & FLAG_AUTHENABLE)
- flags |= CONF_FLAG_AUTHENABLE;
if (intval[TOK_FLAGS] & FLAG_PREFER)
flags |= CONF_FLAG_PREFER;
if (intval[TOK_FLAGS] & FLAG_NOSELECT)
#define CLOCK_PHI 15e-6 /* max frequency error (s/s) */
#define CLOCK_PLL 16. /* PLL loop gain (log2) */
#define CLOCK_AVG 8. /* parameter averaging constant */
-#define CLOCK_FLL (NTP_MAXPOLL + CLOCK_AVG) /* FLL loop gain */
+#define CLOCK_FLL .25 /* FLL loop gain */
#define CLOCK_ALLAN 11 /* Allan intercept (log2 s) */
#define CLOCK_DAY 86400. /* one day in seconds (s) */
#define CLOCK_JUNE (CLOCK_DAY * 30) /* June in seconds (s) */
#define CLOCK_PGATE 4. /* poll-adjust gate */
#define PPS_MAXAGE 120 /* kernel pps signal timeout (s) */
#define FREQTOD(x) ((x) / 65536e6) /* NTP to double */
-#define DTOFREQ(x) ((int32)((x) * 65536e6)) /* NTP to double */
+#define DTOFREQ(x) ((int32)((x) * 65536e6)) /* double to NTP */
/*
* Clock discipline state machine. This is used to control the
*
* State < step > step Comments
* ========================================================
- * NSET FREQ step, FREQ no frequency set
+ * NSET FREQ step, FREQ freq not set
*
- * FSET SYNC step, SYNC frequency set
+ * FSET SYNC step, SYNC freq set
*
- * FREQ if (mu < 900) if (mu < 900) set freq
+ * FREQ if (mu < 900) if (mu < 900) set freq direct
* ignore ignore
* else else
* freq, SYNC freq, step, SYNC
*
- * SYNC SYNC if (mu < 900) adjust phase/freq
- * ignore
- * else
- * SPIK
+ * SYNC SYNC SPIK, ignore adjust phase/freq
*
- * SPIK SYNC step, SYNC set phase
+ * SPIK SYNC if (mu < 900) adjust phase/freq
+ * ignore
+ * step, SYNC
*/
-#define S_NSET 0 /* clock never set */
-#define S_FSET 1 /* frequency set */
-#define S_SPIK 2 /* spike detected */
-#define S_FREQ 3 /* frequency mode */
-#define S_SYNC 4 /* clock synchronized */
-
/*
* Kernel PLL/PPS state machine. This is used with the kernel PLL
* modifications described in the documentation.
* includes TAI offset and is identified by the symbol NTP_API with
* value 4.
*
- * Each update to a prefer peer sets pps_stratum if it survives the
- * intersection algorithm and its time is within range. The PPS time
- * discipline is enabled (STA_PPSTIME bit set in the status word) when
- * pps_stratum is true and the PPS frequency discipline is enabled. If
- * the PPS time discipline is enabled and the kernel reports a PPS
- * signal is present, the pps_control variable is set to the current
- * time. If the current time is later than pps_control by PPS_MAXAGE
- * (120 s), this variable is set to zero.
+ * Each PPS time/frequency discipline can be enabled by the atom driver
+ * or another driver. If enabled, the STA_PPSTIME and STA_FREQ bits are
+ * set in the kernel status word; otherwise, these bits are cleared.
+ * These bits are also cleard if the kernel reports an error.
*
* If an external clock is present, the clock driver sets STA_CLK in the
* status word. When the local clock driver sees this bit, it updates
double clock_stability; /* frequency stability (wander) (s/s) */
double clock_codec; /* audio codec frequency (samples/s) */
u_long clock_epoch; /* interval since last update */
-u_long pps_control; /* last pps update */
u_int sys_tai; /* TAI offset from UTC */
static void rstclock (int, double); /* transition function */
-static double direct_freq(double); /* direct set frequency */
+static void direct_freq(double); /* direct set frequency */
+static void set_freq(double); /* set frequency */
#ifdef KERNEL_PLL
static struct timex ntv; /* ntp_adjtime() parameters */
* Clock state machine variables
*/
int state; /* clock discipline state */
-u_char sys_poll = NTP_MINPOLL; /* time constant/poll (log2 s) */
+u_char sys_poll; /* time constant/poll (log2 s) */
int tc_counter; /* jiggle counter */
double last_offset; /* last offset (s) */
-int clock_stepcnt; /* step counter */
+static int clock_stepcnt; /* step counter */
/*
* Huff-n'-puff filter variables
init_loopfilter(void)
{
/*
- * Initialize state variables. Initially, we expect no frequency
- * file, so set the state to S_NSET. If a frequency file is
- * present, it will be detected later and the state set to
- * S_FSET.
+ * Initialize state variables.
*/
- rstclock(S_NSET, 0);
+ sys_poll = ntp_minpoll;
clock_jitter = LOGTOD(sys_precision);
}
int osys_poll; /* old system poll */
double clock_frequency; /* clock frequency */
double dtemp, etemp; /* double temps */
+ char tbuf[80]; /* report buffer */
/*
* If the loop is opened or the NIST LOCKCLOCK is in use,
*/
if (fabs(fp_offset) > clock_panic && clock_panic > 0 &&
!allow_panic) {
- msyslog(LOG_ERR,
- "time correction of %.0f seconds exceeds sanity limit (%.0f); set clock manually to the correct UTC time.",
+ snprintf(tbuf, sizeof(tbuf),
+ "%+.0f s; set clock manually within %.0f s.",
fp_offset, clock_panic);
+ report_event(EVNT_SYSFAULT, NULL, tbuf);
return (-1);
}
if (mode_ntpdate) {
if (fabs(fp_offset) > clock_max && clock_max > 0) {
step_systime(fp_offset);
- msyslog(LOG_NOTICE, "time reset %+.6f s",
+ msyslog(LOG_NOTICE, "ntpd: time set %+.6f s",
fp_offset);
printf("ntpd: time set %+.6fs\n", fp_offset);
} else {
adj_systime(fp_offset);
- msyslog(LOG_NOTICE, "time slew %+.6f s",
+ msyslog(LOG_NOTICE, "ntpd: time slew %+.6f s",
fp_offset);
printf("ntpd: time slew %+.6fs\n", fp_offset);
}
* thresholds interact with commands and command line options.
*
* Note the kernel is disabled if step is disabled or greater
- * than 0.5 s or in ntpdate mode..
+ * than 0.5 s or in ntpdate mode.
*/
osys_poll = sys_poll;
if (sys_poll < peer->minpoll)
switch (state) {
/*
- * In S_SYNC state we ignore the first outlyer amd
- * switch to S_SPIK state.
+ * In SYNC state we ignore the first outlyer amd switch
+ * to SPIK state.
*/
- case S_SYNC:
- state = S_SPIK;
+ case EVNT_SYNC:
+ snprintf(tbuf, sizeof(tbuf), "%+.6f s",
+ fp_offset);
+ report_event(EVNT_SPIK, NULL, tbuf);
+ state = EVNT_SPIK;
return (0);
/*
- * In S_FREQ state we ignore outlyers and inlyers. At
- * the first outlyer after the stepout threshold,
- * compute the apparent frequency correction and step
- * the phase.
+ * In FREQ state we ignore outlyers and inlyers. At the
+ * first outlyer after the stepout threshold, compute
+ * the apparent frequency correction and step the phase.
*/
- case S_FREQ:
+ case EVNT_FREQ:
if (clock_epoch < clock_minstep)
return (0);
- clock_frequency = direct_freq(fp_offset);
+ direct_freq(fp_offset);
/* fall through to S_SPIK */
/*
- * In S_SPIK state we ignore succeeding outlyers until
+ * In SPIK state we ignore succeeding outlyers until
* either an inlyer is found or the stepout threshold is
* exceeded.
*/
- case S_SPIK:
+ case EVNT_SPIK:
if (clock_epoch < clock_minstep)
return (0);
/* fall through to default */
/*
- * We get here by default in S_NSET and S_FSET states
- * and from above in S_FREQ or S_SPIK states.
+ * We get here by default in NSET and FSET states and
+ * from above in FREQ or SPIK states.
*
- * In S_NSET state an initial frequency correction is
- * not available, usually because the frequency file has
- * not yet been written. Since the time is outside the
- * step threshold, the clock is stepped. The frequency
- * will be set directly following the stepout interval.
+ * In NSET state an initial frequency correction is not
+ * available, usually because the frequency file has not
+ * yet been written. Since the time is outside the step
+ * threshold, the clock is stepped. The frequency will
+ * be set directly following the stepout interval.
*
- * In S_FSET state the initial frequency has been set
- * from the frequency file. Since the time is outside
- * the step threshold, the clock is stepped immediately,
+ * In FSET state the initial frequency has been set from
+ * the frequency file. Since the time is outside the
+ * step threshold, the clock is stepped immediately,
* rather than after the stepout interval. Guys get
* nervous if it takes 15 minutes to set the clock for
* the first time.
*
- * In S_FREQ and S_SPIK states the stepout threshold has
+ * In FREQ and SPIK states the stepout threshold has
* expired and the phase is still above the step
* threshold. Note that a single spike greater than the
* step threshold is always suppressed, even with a
* long time constant.
*/
default:
- step_systime(fp_offset);
- msyslog(LOG_NOTICE, "time reset %+.6f s",
+ snprintf(tbuf, sizeof(tbuf), "%+.6f s",
fp_offset);
+ report_event(EVNT_CLOCKRESET, NULL, tbuf);
+ step_systime(fp_offset);
reinit_timer();
tc_counter = 0;
clock_jitter = LOGTOD(sys_precision);
rval = 2;
clock_stepcnt++;
- if (state == S_NSET || clock_stepcnt > 2) {
- rstclock(S_FREQ, 0);
+ if (state == EVNT_NSET || clock_stepcnt > 2) {
+ clock_stepcnt = 0;
+ rstclock(EVNT_FREQ, 0);
return (rval);
}
break;
}
- rstclock(S_SYNC, 0);
+ rstclock(EVNT_SYNC, 0);
} else {
/*
LOGTOD(sys_precision)));
clock_jitter = SQRT(etemp + (dtemp - etemp) /
CLOCK_AVG);
+ clock_stepcnt = 0;
switch (state) {
/*
- * In S_NSET state this is the first update received and
+ * In NSET state this is the first update received and
* the frequency has not been initialized. Adjust the
* phase, but do not adjust the frequency until after
* the stepout threshold.
*/
- case S_NSET:
- rstclock(S_FREQ, fp_offset);
+ case EVNT_NSET:
+ rstclock(EVNT_FREQ, fp_offset);
break;
/*
- * In S_FSET state this is the first update received and
+ * In FSET state this is the first update received and
* the frequency has been initialized. Adjust the phase,
* but do not adjust the frequency until the next
* update.
*/
- case S_FSET:
- rstclock(S_SYNC, fp_offset);
+ case EVNT_FSET:
+ rstclock(EVNT_SYNC, fp_offset);
break;
/*
- * In S_FREQ state ignore updates until the stepout
+ * In FREQ state ignore updates until the stepout
* threshold. After that, compute the new frequency, but
* do not adjust the phase or frequency until the next
* update.
*/
- case S_FREQ:
+ case EVNT_FREQ:
if (clock_epoch < clock_minstep)
return (0);
- clock_frequency = direct_freq(fp_offset);
- rstclock(S_SYNC, 0);
+ direct_freq(fp_offset);
+ rstclock(EVNT_SYNC, 0);
break;
/*
- * We get here by default in S_SYNC and S_SPIK states.
- * Here we compute the frequency update due to PLL and
- * FLL contributions.
+ * We get here by default in SYNC and SPIK states. Here
+ * we compute the frequency update due to PLL and FLL
+ * contributions.
*/
default:
allow_panic = FALSE;
* The FLL and PLL frequency gain constants
* depend on the time constant and Allan
* intercept. The PLL is always used, but
- * becomes ineffective above the Allan
- * intercept. The FLL is not used below one-half
- * the Allan intercept. Above that the loop gain
- * increases in steps to 1 / CLOCK_AVG.
+ * becomes ineffective at and above the Allan
+ * intercept. The FLL is used at and above the
+ * Allan intercept.
*/
- if (sys_poll > allan_xpt - 1) {
- dtemp = CLOCK_FLL - sys_poll;
+ if (sys_poll >= allan_xpt)
clock_frequency += (fp_offset -
- last_offset) / (max(clock_epoch,
- allan_xpt) * dtemp);
- }
+ clock_offset) /
+ max(ULOGTOD(sys_poll),
+ clock_epoch) * CLOCK_FLL;
/*
* For the PLL the integration interval
* interval and time constant. This allows
* oversampling, but not undersampling.
*/
- etemp = min(clock_epoch,
- (u_long)ULOGTOD(sys_poll));
+ etemp = min(ULOGTOD(sys_poll), clock_epoch);
dtemp = 4 * CLOCK_PLL * ULOGTOD(sys_poll);
clock_frequency += fp_offset * etemp / (dtemp *
dtemp);
- rstclock(S_SYNC, fp_offset);
+ rstclock(EVNT_SYNC, fp_offset);
break;
}
}
ntv.status = STA_PLL;
/*
- * If the PPS signal is up and enabled, light
- * the frequency bit. If the PPS driver is
- * working, light the phase bit as well. If not,
- * douse the lights, since somebody else may
- * have left the switch on.
+ * Enable/disable the PPS if requested.
*/
- if (pps_enable && pll_status & STA_PPSSIGNAL) {
- ntv.status |= STA_PPSFREQ;
- if (pps_stratum < STRATUM_UNSPEC)
- ntv.status |= STA_PPSTIME;
+ if (pps_enable) {
+ if (!(pll_status & STA_PPSTIME))
+ report_event(EVNT_KERN,
+ NULL, "PPS enabled");
+ ntv.status |= STA_PPSTIME | STA_PPSFREQ;
} else {
- ntv.status &= ~(STA_PPSFREQ |
- STA_PPSTIME);
+ if (pll_status & STA_PPSTIME)
+ report_event(EVNT_KERN,
+ NULL, "PPS disabled");
+ ntv.status &= ~(STA_PPSTIME |
+ STA_PPSFREQ);
}
if (sys_leap == LEAP_ADDSECOND)
ntv.status |= STA_INS;
/*
* Pass the stuff to the kernel. If it squeals, turn off
- * the pig. In any case, fetch the kernel offset and
- * frequency and pretend we did it here.
+ * the pps. In any case, fetch the kernel offset,
+ * frequency and jitter.
*/
if (ntp_adjtime(&ntv) == TIME_ERROR) {
- ntv.status &= ~(STA_PPSFREQ | STA_PPSTIME);
- msyslog(LOG_ERR,
- "kernel time sync error %04x", ntv.status);
- } else {
- if ((ntv.status ^ pll_status) & ~STA_FLL)
- NLOG(NLOG_SYNCSTATUS)
- msyslog(LOG_INFO,
- "kernel time sync status change %04x",
- ntv.status);
+ if (!(ntv.status & STA_PPSSIGNAL))
+ report_event(EVNT_KERN, NULL,
+ "PPS no signal");
}
pll_status = ntv.status;
#ifdef STA_NANO
* If the kernel PPS is lit, monitor its performance.
*/
if (ntv.status & STA_PPSTIME) {
- pps_control = current_time;
#ifdef STA_NANO
clock_jitter = ntv.jitter / 1e9;
#else /* STA_NANO */
kern_enable))
return;
- /*
- * Declare PPS kernel unsync if the pps signal has not been
- * heard for a few minutes.
- */
- if (pps_control && current_time - pps_control > PPS_MAXAGE) {
- if (pps_control)
- NLOG(NLOG_SYNCSTATUS)
- msyslog(LOG_INFO, "pps sync disabled");
- pps_control = 0;
- }
-
/*
* Implement the phase and frequency adjustments. The gain
- * factor (denominator) is not allowed to increase beyond the
- * Allan intercept. It doesn't make sense to average phase noise
- * beyond this point and it helps to damp residual offset with a
- * longer time constant.
+ * factor (denominator) is not allowed to increase above half
+ * the Allan intercept. It doesn't make sense to average phase
+ * noise in this case and helps to reduce frequency convergence
+ * time.
*/
adjustment = clock_offset / (CLOCK_PLL * ULOGTOD(min(sys_poll,
- allan_xpt)));
+ allan_xpt - 1)));
clock_offset -= adjustment;
adj_systime(adjustment + drift_comp);
#endif /* LOCKCLOCK */
printf("local_clock: mu %lu state %d poll %d count %d\n",
clock_epoch, trans, sys_poll, tc_counter);
#endif
+ if (trans != state && trans != EVNT_FSET)
+ report_event(trans, NULL, NULL);
state = trans;
last_offset = clock_offset = offset;
clock_epoch = 0;
* updates are suppresed until the end of the measurement interval while
* the offset is amortized. At the end of the interval the frequency is
* calculated from the current offset, residual offset, length of the
- * interval and residual frequency component.
+ * interval and residual frequency component. At the same time the
+ * frequenchy file is armed for update at the next hourly stats.
*/
-static double direct_freq(
+static void direct_freq(
double fp_offset
)
{
-#ifdef KERNEL_PLL
- double freq = 0;
+#ifdef KERNEL_PLL
/*
- * If the kernel is enabled, we need the residual offset and
- * frequency to calculate the frequency correction.
+ * If the kernel is enabled, we need the residual offset to
+ * calculate the frequency correction.
*/
if (pll_control && kern_enable) {
memset(&ntv, 0, sizeof(ntv));
#else /* STA_NANO */
clock_offset = ntv.offset / 1e6;
#endif /* STA_NANO */
- freq = (fp_offset - clock_offset) / clock_epoch +
- FREQTOD(ntv.freq);
- if (freq != 0) {
- ntv.modes = MOD_FREQUENCY;
- ntv.freq = DTOFREQ(freq);
- ntp_adjtime(&ntv);
- msyslog(LOG_NOTICE,
- "kernel frequency set %.3f PPM", freq *
- 1e6);
- ntp_adjtime(&ntv);
- }
- return (freq);
+ drift_comp = FREQTOD(ntv.freq);
+ }
+#endif /* KERNEL_PLL */
+ set_freq((fp_offset - clock_offset) / clock_epoch + drift_comp);
+ wander_resid = 0;
+ return;
+}
+
+
+/*
+ * set_freq - set clock frequency
+ */
+static void
+set_freq(
+ double freq /* frequency update */
+ )
+{
+ char tbuf[80];
+
+ drift_comp = freq;
+
+#ifdef KERNEL_PLL
+ /*
+ * If the kernel is enabled, update the kernel frequency.
+ */
+ if (pll_control && kern_enable) {
+ memset(&ntv, 0, sizeof(ntv));
+ ntp_adjtime(&ntv);
+ ntv.modes = MOD_FREQUENCY;
+ ntv.freq = DTOFREQ(drift_comp);
+ ntp_adjtime(&ntv);
+ snprintf(tbuf, sizeof(tbuf), "kernel %.3f PPM",
+ drift_comp * 1e6);
+ report_event(EVNT_FSET, NULL, tbuf);
+ ntp_adjtime(&ntv);
} else {
- return ((fp_offset - clock_offset) / clock_epoch +
- drift_comp);
+ snprintf(tbuf, sizeof(tbuf), "ntpd %.3f PPM",
+ drift_comp * 1e6);
+ report_event(EVNT_FSET, NULL, tbuf);
}
#else /* KERNEL_PLL */
- return ((fp_offset - clock_offset) / clock_epoch + drift_comp);
+ snprintf(tbuf, sizeof(tbuf), "ntpd %.3f PPM", drift_comp *
+ 1e6);
+ report_event(EVNT_FSET, NULL, tbuf);
#endif /* KERNEL_PLL */
-
}
-
/*
* huff-n'-puff filter
*/
if (pll_status & STA_CLK)
ext_enable = 1;
#endif /* STA_NANO */
- msyslog(LOG_NOTICE,
- "kernel time sync enabled %04x",
- ntv.status);
+ report_event(EVNT_KERN, NULL,
+ "kernel time sync enabled");
}
#endif /* KERNEL_PLL */
#endif /* LOCKCLOCK */
/*
* Initialize the frequency. If the frequency file is missing or
- * broken, set the initial frequency to zero. The state remains
- * S_NSET. Otherwise, set the initial frequency to the given
- * value and the state to S_FSET.
+ * broken, set the initial frequency to zero and set the state
+ * to NSET. Otherwise, set the initial frequency to the given
+ * value and the state to FSET.
*/
case LOOP_DRIFTCOMP:
#ifndef LOCKCLOCK
if (freq > NTP_MAXFREQ || freq < -NTP_MAXFREQ) {
drift_comp = 0;
+ rstclock(EVNT_NSET, 0);
break;
}
- drift_comp = freq;
- rstclock(S_FSET, 0);
+ set_freq(freq);
+ rstclock(EVNT_FSET, 0);
-#ifdef KERNEL_PLL
- /*
- * If the kernel is enabled, load the frequency.
- */
- if (pll_control && kern_enable) {
- memset((char *)&ntv, 0, sizeof(ntv));
- ntv.freq = DTOFREQ(drift_comp);
- ntv.modes = MOD_FREQUENCY;
- ntp_adjtime(&ntv);
- }
-#endif /* KERNEL_PLL */
#endif /* LOCKCLOCK */
break;
ntv.modes = MOD_STATUS;
ntv.status = 0;
ntp_adjtime(&ntv);
- msyslog(LOG_NOTICE,
- "kernel time sync disabled %04x",
- ntv.status);
+ report_event(EVNT_KERN, NULL,
+ "kernel time sync disabledx");
}
#endif /* KERNEL_PLL */
#endif /* LOCKCLOCK */
break;
case LOOP_FREQ: /* initial frequency (freq) */
- drift_comp = freq / 1e6;
- rstclock(S_FSET, 0);
+ set_freq(freq / 1e6);
+ rstclock(EVNT_FSET, 0);
break;
case LOOP_HUFFPUFF: /* huff-n'-puff length (huffpuff) */
#endif
/*
- * I'm still not sure I like what I've done here. It certainly consumes
- * memory like it is going out of style, and also may not be as low
- * overhead as I'd imagined.
+ * Record statistics based on source address, mode and version. The
+ * receive procedure calls us with the incoming rbufp before it does
+ * anything else. While at it, implement rate controls for inbound
+ * traffic.
*
- * Anyway, we record statistics based on source address, mode and
- * version (for now, anyway. Check the code). The receive procedure
- * calls us with the incoming rbufp before it does anything else.
- *
- * Each entry is doubly linked into two lists, a hash table and a
- * most-recently-used list. When a packet arrives it is looked up in
- * the hash table. If found, the statistics are updated and the entry
+ * Each entry is doubly linked into two lists, a hash table and a most-
+ * recently-used (MRU) list. When a packet arrives it is looked up in
+ * the hash table. If found, the statistics are updated and the entry
* relinked at the head of the MRU list. If not found, a new entry is
* allocated, initialized and linked into both the hash table and at the
* head of the MRU list.
* the memory limit. Then we free memory by grabbing entries off the
* tail for the MRU list, unlinking from the hash table, and
* reinitializing.
- *
- * trimmed back memory consumption ... jdg 8/94
*/
/*
* Limits on the number of structures allocated. This limit is picked
- * with the illicit knowlege that we can only return somewhat less
- * than 8K bytes in a mode 7 response packet, and that each structure
- * will require about 20 bytes of space in the response.
+ * with the illicit knowlege that we can only return somewhat less than
+ * 8K bytes in a mode 7 response packet, and that each structure will
+ * require about 20 bytes of space in the response.
*
* ... I don't believe the above is true anymore ... jdg
*/
/*
* List of free structures structures, and counters of free and total
- * structures. The free structures are linked with the hash_next field.
+ * structures. The free structures are linked with the hash_next field.
*/
static struct mon_data *mon_free; /* free list or null if none */
static int mon_total_mem; /* total structures allocated */
static int mon_mem_increments; /* times called malloc() */
/*
- * Parameters of the RES_LIMITED restriction option. With the defaults a
- * packet will be discarded if the interval betweem packets is less than
- * 1 s, as well as when the average interval is less than 16 s.
+ * Parameters of the RES_LIMITED restriction option. We define headway
+ * as the idle time between packets. A packet is discarded if the
+ * headway is less than the minimum, as well as if the average headway
+ * is less than eight times the increment.
*/
-int ntp_minpoll = NTP_MINPOLL + 1; /* avg interpkt interval */
-int res_min_interval = 1 << NTP_MINPKT; /* min interpkt interval */
+int ntp_minpkt = NTP_MINPKT; /* minimum (log 2 s) */
+int ntp_minpoll = NTP_MINPOLL; /* increment (log 2 s) */
/*
* Initialization state. We may be monitoring, we may not. If
mode = PKT_MODE(pkt->li_vn_mode);
md = mon_hash[hash];
while (md != NULL) {
- int leak, limit;
+ int head; /* headway increment */
+ int leak; /* new headway */
+ int limit; /* average threshold */
/*
* Match address only to conserve MRU size.
/*
* At this point the most recent arrival is
- * first in the MRU list. If the minimum and
- * average thresholds are not exceeded, increase
- * the counter by the interval. If not, light
- * the rate bit only. The packet will be
- * discarded in the protocol module. Note we
- * give a 1-s tolerance for the minimum and a 2-
- * s tolerance for the average.
+ * first in the MRU list. Decrease the counter
+ * by the headway, but not less than zero.
*/
md->leak -= interval;
if (md->leak < 0)
md->leak = 0;
- leak = md->leak + (1 << ntp_minpoll);
- limit = NTP_SHIFT * (1 << ntp_minpoll) + 2;
+ head = 1 << ntp_minpoll;
+ leak = md->leak + head;
+ limit = NTP_SHIFT * head;
#ifdef DEBUG
if (debug > 1)
printf("restrict: interval %d headway %d limit %d\n",
interval, leak, limit);
#endif
- if (interval >= res_min_interval - 1 && leak <
- limit) {
- md->leak = leak;
+
+ /*
+ * If the minimum and average thresholds are not
+ * exceeded, douse the RES_LIMITED and RES_KOD
+ * bits and increase the counter by the headway
+ * increment. Note that we give a 1-s grace for
+ * the minimum threshold and a 2-s grace for the
+ * headway increment. If one or both thresholds
+ * are exceeded and the old counter is less than
+ * the average threshold, set the counter to the
+ * average threshold plus the inrcrment and
+ * leave the RES_KOD bit lit. Othewise, leave
+ * the counter alone and douse the RES_KOD bit.
+ * This rate-limits the KoDs to no less than the
+ * average headway.
+ */
+ if (interval + 1 >= (1 << ntp_minpkt) &&
+ leak < limit) {
+ md->leak = leak - 2;
md->flags &= ~(RES_LIMITED | RES_KOD);
} else if (md->leak < limit) {
- md->leak = limit + (1 << ntp_minpoll);
+ md->leak = limit + head;
} else {
md->flags &= ~RES_KOD;
}
T_Flag2 = 292,
T_Flag3 = 293,
T_Flag4 = 294,
- T_Floor = 295,
- T_Freq = 296,
- T_Fudge = 297,
- T_Host = 298,
- T_Huffpuff = 299,
- T_IPv4_address = 300,
- T_IPv6_address = 301,
- T_Iburst = 302,
- T_Ident = 303,
- T_Ignore = 304,
- T_Includefile = 305,
- T_Integer = 306,
- T_Interface = 307,
- T_Kernel = 308,
- T_Key = 309,
- T_Keys = 310,
- T_Keysdir = 311,
- T_Kod = 312,
- T_Leap = 313,
- T_Leapfile = 314,
- T_Limited = 315,
- T_Link = 316,
- T_Logconfig = 317,
- T_Logfile = 318,
- T_Loopstats = 319,
- T_Lowpriotrap = 320,
- T_Manycastclient = 321,
- T_Manycastserver = 322,
- T_Mask = 323,
- T_Maxclock = 324,
- T_Maxdist = 325,
- T_Maxhop = 326,
- T_Maxpoll = 327,
- T_Minclock = 328,
- T_Mindist = 329,
- T_Minimum = 330,
- T_Minpoll = 331,
- T_Minsane = 332,
- T_Mode = 333,
- T_Monitor = 334,
- T_Month = 335,
- T_Multicastclient = 336,
- T_Nolink = 337,
- T_Nomodify = 338,
- T_None = 339,
- T_Nopeer = 340,
- T_Noquery = 341,
- T_Noselect = 342,
- T_Noserve = 343,
- T_Notrap = 344,
- T_Notrust = 345,
- T_Novolley = 346,
- T_Ntp = 347,
- T_Ntpport = 348,
- T_Orphan = 349,
- T_Panic = 350,
- T_Peer = 351,
- T_Peerstats = 352,
- T_Phone = 353,
- T_Pid = 354,
- T_Pidfile = 355,
- T_Pool = 356,
- T_Port = 357,
- T_Pps = 358,
- T_Preempt = 359,
- T_Prefer = 360,
- T_Pw = 361,
- T_Qos = 362,
- T_RandFile = 363,
- T_Rawstats = 364,
- T_Refid = 365,
- T_Requestkey = 366,
- T_Restrict = 367,
- T_Revoke = 368,
- T_Server = 369,
- T_Setvar = 370,
- T_Sign = 371,
- T_Statistics = 372,
- T_Stats = 373,
- T_Statsdir = 374,
- T_Step = 375,
- T_Stepout = 376,
- T_Stratum = 377,
- T_String = 378,
- T_Sysstats = 379,
- T_Tick = 380,
- T_Time1 = 381,
- T_Time2 = 382,
- T_Tinker = 383,
- T_Tos = 384,
- T_Trap = 385,
- T_True = 386,
- T_Trustedkey = 387,
- T_Ttl = 388,
- T_Type = 389,
- T_Version = 390,
- T_Week = 391,
- T_Year = 392,
- T_Flag = 393,
- T_Void = 394,
- T_EOC = 395,
- T_Simulate = 396,
- T_Beep_Delay = 397,
- T_Sim_Duration = 398,
- T_Server_Offset = 399,
- T_Duration = 400,
- T_Freq_Offset = 401,
- T_Wander = 402,
- T_Jitter = 403,
- T_Prop_Delay = 404,
- T_Proc_Delay = 405
+ T_Flake = 295,
+ T_Floor = 296,
+ T_Freq = 297,
+ T_Fudge = 298,
+ T_Host = 299,
+ T_Huffpuff = 300,
+ T_IPv4_address = 301,
+ T_IPv6_address = 302,
+ T_Iburst = 303,
+ T_Ident = 304,
+ T_Ignore = 305,
+ T_Includefile = 306,
+ T_Integer = 307,
+ T_Interface = 308,
+ T_Kernel = 309,
+ T_Key = 310,
+ T_Keys = 311,
+ T_Keysdir = 312,
+ T_Kod = 313,
+ T_Leap = 314,
+ T_Leapfile = 315,
+ T_Limited = 316,
+ T_Link = 317,
+ T_Logconfig = 318,
+ T_Logfile = 319,
+ T_Loopstats = 320,
+ T_Lowpriotrap = 321,
+ T_Manycastclient = 322,
+ T_Manycastserver = 323,
+ T_Mask = 324,
+ T_Maxclock = 325,
+ T_Maxdist = 326,
+ T_Maxhop = 327,
+ T_Maxpoll = 328,
+ T_Minclock = 329,
+ T_Mindist = 330,
+ T_Minimum = 331,
+ T_Minpoll = 332,
+ T_Minsane = 333,
+ T_Mode = 334,
+ T_Monitor = 335,
+ T_Month = 336,
+ T_Multicastclient = 337,
+ T_Nolink = 338,
+ T_Nomodify = 339,
+ T_None = 340,
+ T_Nopeer = 341,
+ T_Noquery = 342,
+ T_Noselect = 343,
+ T_Noserve = 344,
+ T_Notrap = 345,
+ T_Notrust = 346,
+ T_Novolley = 347,
+ T_Ntp = 348,
+ T_Ntpport = 349,
+ T_Orphan = 350,
+ T_Panic = 351,
+ T_Peer = 352,
+ T_Peerstats = 353,
+ T_Phone = 354,
+ T_Pid = 355,
+ T_Pidfile = 356,
+ T_Pool = 357,
+ T_Port = 358,
+ T_Pps = 359,
+ T_Preempt = 360,
+ T_Prefer = 361,
+ T_Protostats = 362,
+ T_Pw = 363,
+ T_Qos = 364,
+ T_RandFile = 365,
+ T_Rawstats = 366,
+ T_Refid = 367,
+ T_Requestkey = 368,
+ T_Restrict = 369,
+ T_Revoke = 370,
+ T_Server = 371,
+ T_Setvar = 372,
+ T_Sign = 373,
+ T_Statistics = 374,
+ T_Stats = 375,
+ T_Statsdir = 376,
+ T_Step = 377,
+ T_Stepout = 378,
+ T_Stratum = 379,
+ T_String = 380,
+ T_Sysstats = 381,
+ T_Tick = 382,
+ T_Time1 = 383,
+ T_Time2 = 384,
+ T_Tinker = 385,
+ T_Tos = 386,
+ T_Trap = 387,
+ T_True = 388,
+ T_Trustedkey = 389,
+ T_Ttl = 390,
+ T_Type = 391,
+ T_Version = 392,
+ T_Week = 393,
+ T_Year = 394,
+ T_Flag = 395,
+ T_Void = 396,
+ T_EOC = 397,
+ T_Simulate = 398,
+ T_Beep_Delay = 399,
+ T_Sim_Duration = 400,
+ T_Server_Offset = 401,
+ T_Duration = 402,
+ T_Freq_Offset = 403,
+ T_Wander = 404,
+ T_Jitter = 405,
+ T_Prop_Delay = 406,
+ T_Proc_Delay = 407
};
#endif
/* Tokens. */
#define T_Flag2 292
#define T_Flag3 293
#define T_Flag4 294
-#define T_Floor 295
-#define T_Freq 296
-#define T_Fudge 297
-#define T_Host 298
-#define T_Huffpuff 299
-#define T_IPv4_address 300
-#define T_IPv6_address 301
-#define T_Iburst 302
-#define T_Ident 303
-#define T_Ignore 304
-#define T_Includefile 305
-#define T_Integer 306
-#define T_Interface 307
-#define T_Kernel 308
-#define T_Key 309
-#define T_Keys 310
-#define T_Keysdir 311
-#define T_Kod 312
-#define T_Leap 313
-#define T_Leapfile 314
-#define T_Limited 315
-#define T_Link 316
-#define T_Logconfig 317
-#define T_Logfile 318
-#define T_Loopstats 319
-#define T_Lowpriotrap 320
-#define T_Manycastclient 321
-#define T_Manycastserver 322
-#define T_Mask 323
-#define T_Maxclock 324
-#define T_Maxdist 325
-#define T_Maxhop 326
-#define T_Maxpoll 327
-#define T_Minclock 328
-#define T_Mindist 329
-#define T_Minimum 330
-#define T_Minpoll 331
-#define T_Minsane 332
-#define T_Mode 333
-#define T_Monitor 334
-#define T_Month 335
-#define T_Multicastclient 336
-#define T_Nolink 337
-#define T_Nomodify 338
-#define T_None 339
-#define T_Nopeer 340
-#define T_Noquery 341
-#define T_Noselect 342
-#define T_Noserve 343
-#define T_Notrap 344
-#define T_Notrust 345
-#define T_Novolley 346
-#define T_Ntp 347
-#define T_Ntpport 348
-#define T_Orphan 349
-#define T_Panic 350
-#define T_Peer 351
-#define T_Peerstats 352
-#define T_Phone 353
-#define T_Pid 354
-#define T_Pidfile 355
-#define T_Pool 356
-#define T_Port 357
-#define T_Pps 358
-#define T_Preempt 359
-#define T_Prefer 360
-#define T_Pw 361
-#define T_Qos 362
-#define T_RandFile 363
-#define T_Rawstats 364
-#define T_Refid 365
-#define T_Requestkey 366
-#define T_Restrict 367
-#define T_Revoke 368
-#define T_Server 369
-#define T_Setvar 370
-#define T_Sign 371
-#define T_Statistics 372
-#define T_Stats 373
-#define T_Statsdir 374
-#define T_Step 375
-#define T_Stepout 376
-#define T_Stratum 377
-#define T_String 378
-#define T_Sysstats 379
-#define T_Tick 380
-#define T_Time1 381
-#define T_Time2 382
-#define T_Tinker 383
-#define T_Tos 384
-#define T_Trap 385
-#define T_True 386
-#define T_Trustedkey 387
-#define T_Ttl 388
-#define T_Type 389
-#define T_Version 390
-#define T_Week 391
-#define T_Year 392
-#define T_Flag 393
-#define T_Void 394
-#define T_EOC 395
-#define T_Simulate 396
-#define T_Beep_Delay 397
-#define T_Sim_Duration 398
-#define T_Server_Offset 399
-#define T_Duration 400
-#define T_Freq_Offset 401
-#define T_Wander 402
-#define T_Jitter 403
-#define T_Prop_Delay 404
-#define T_Proc_Delay 405
+#define T_Flake 295
+#define T_Floor 296
+#define T_Freq 297
+#define T_Fudge 298
+#define T_Host 299
+#define T_Huffpuff 300
+#define T_IPv4_address 301
+#define T_IPv6_address 302
+#define T_Iburst 303
+#define T_Ident 304
+#define T_Ignore 305
+#define T_Includefile 306
+#define T_Integer 307
+#define T_Interface 308
+#define T_Kernel 309
+#define T_Key 310
+#define T_Keys 311
+#define T_Keysdir 312
+#define T_Kod 313
+#define T_Leap 314
+#define T_Leapfile 315
+#define T_Limited 316
+#define T_Link 317
+#define T_Logconfig 318
+#define T_Logfile 319
+#define T_Loopstats 320
+#define T_Lowpriotrap 321
+#define T_Manycastclient 322
+#define T_Manycastserver 323
+#define T_Mask 324
+#define T_Maxclock 325
+#define T_Maxdist 326
+#define T_Maxhop 327
+#define T_Maxpoll 328
+#define T_Minclock 329
+#define T_Mindist 330
+#define T_Minimum 331
+#define T_Minpoll 332
+#define T_Minsane 333
+#define T_Mode 334
+#define T_Monitor 335
+#define T_Month 336
+#define T_Multicastclient 337
+#define T_Nolink 338
+#define T_Nomodify 339
+#define T_None 340
+#define T_Nopeer 341
+#define T_Noquery 342
+#define T_Noselect 343
+#define T_Noserve 344
+#define T_Notrap 345
+#define T_Notrust 346
+#define T_Novolley 347
+#define T_Ntp 348
+#define T_Ntpport 349
+#define T_Orphan 350
+#define T_Panic 351
+#define T_Peer 352
+#define T_Peerstats 353
+#define T_Phone 354
+#define T_Pid 355
+#define T_Pidfile 356
+#define T_Pool 357
+#define T_Port 358
+#define T_Pps 359
+#define T_Preempt 360
+#define T_Prefer 361
+#define T_Protostats 362
+#define T_Pw 363
+#define T_Qos 364
+#define T_RandFile 365
+#define T_Rawstats 366
+#define T_Refid 367
+#define T_Requestkey 368
+#define T_Restrict 369
+#define T_Revoke 370
+#define T_Server 371
+#define T_Setvar 372
+#define T_Sign 373
+#define T_Statistics 374
+#define T_Stats 375
+#define T_Statsdir 376
+#define T_Step 377
+#define T_Stepout 378
+#define T_Stratum 379
+#define T_String 380
+#define T_Sysstats 381
+#define T_Tick 382
+#define T_Time1 383
+#define T_Time2 384
+#define T_Tinker 385
+#define T_Tos 386
+#define T_Trap 387
+#define T_True 388
+#define T_Trustedkey 389
+#define T_Ttl 390
+#define T_Type 391
+#define T_Version 392
+#define T_Week 393
+#define T_Year 394
+#define T_Flag 395
+#define T_Void 396
+#define T_EOC 397
+#define T_Simulate 398
+#define T_Beep_Delay 399
+#define T_Sim_Duration 400
+#define T_Server_Offset 401
+#define T_Duration 402
+#define T_Freq_Offset 403
+#define T_Wander 404
+#define T_Jitter 405
+#define T_Prop_Delay 406
+#define T_Proc_Delay 407
script_info *Sim_script;
}
/* Line 193 of yacc.c. */
-#line 449 "../../ntpd/ntp_parser.c"
+#line 453 "../../ntpd/ntp_parser.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
/* Line 216 of yacc.c. */
-#line 462 "../../ntpd/ntp_parser.c"
+#line 466 "../../ntpd/ntp_parser.c"
#ifdef short
# undef short
#endif
/* YYFINAL -- State number of the termination state. */
-#define YYFINAL 163
+#define YYFINAL 164
/* YYLAST -- Last index in YYTABLE. */
-#define YYLAST 464
+#define YYLAST 513
/* YYNTOKENS -- Number of terminals. */
-#define YYNTOKENS 156
+#define YYNTOKENS 158
/* YYNNTS -- Number of nonterminals. */
#define YYNNTS 64
/* YYNRULES -- Number of rules. */
-#define YYNRULES 226
+#define YYNRULES 228
/* YYNRULES -- Number of states. */
-#define YYNSTATES 356
+#define YYNSTATES 358
/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */
#define YYUNDEFTOK 2
-#define YYMAXUTOK 405
+#define YYMAXUTOK 407
#define YYTRANSLATE(YYX) \
((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 152, 2, 153, 2, 2, 2, 2,
+ 2, 2, 2, 154, 2, 155, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 151, 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 153, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 154, 2, 155, 2, 2, 2, 2,
+ 2, 2, 2, 156, 2, 157, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
115, 116, 117, 118, 119, 120, 121, 122, 123, 124,
125, 126, 127, 128, 129, 130, 131, 132, 133, 134,
135, 136, 137, 138, 139, 140, 141, 142, 143, 144,
- 145, 146, 147, 148, 149, 150
+ 145, 146, 147, 148, 149, 150, 151, 152
};
#if YYDEBUG
143, 146, 149, 152, 155, 158, 161, 164, 167, 169,
172, 175, 178, 181, 184, 187, 190, 193, 196, 199,
202, 205, 208, 212, 215, 217, 219, 221, 223, 225,
- 227, 229, 232, 234, 237, 240, 242, 244, 246, 248,
- 250, 252, 254, 256, 258, 260, 262, 265, 269, 273,
- 279, 280, 283, 285, 287, 289, 291, 293, 295, 297,
- 299, 301, 303, 305, 307, 310, 312, 315, 318, 321,
- 325, 328, 330, 333, 336, 339, 342, 345, 348, 351,
- 354, 357, 360, 363, 365, 367, 369, 371, 373, 375,
- 377, 379, 382, 385, 387, 390, 393, 396, 399, 402,
- 405, 408, 412, 414, 417, 420, 423, 426, 429, 432,
- 435, 438, 441, 444, 447, 451, 454, 457, 459, 462,
- 463, 468, 472, 475, 477, 480, 483, 486, 488, 491,
- 493, 495, 497, 499, 502, 504, 507, 509, 512, 514,
- 516, 518, 520, 522, 524, 530, 532, 536, 539, 543,
- 547, 550, 552, 558, 563, 567, 569, 571, 574, 576,
- 583, 587, 590, 594, 598, 602, 606
+ 227, 229, 231, 234, 236, 239, 242, 244, 246, 248,
+ 250, 252, 254, 256, 258, 260, 262, 264, 267, 271,
+ 275, 281, 282, 285, 287, 289, 291, 293, 295, 297,
+ 299, 301, 303, 305, 307, 309, 311, 314, 316, 319,
+ 322, 325, 329, 332, 334, 337, 340, 343, 346, 349,
+ 352, 355, 358, 361, 364, 367, 369, 371, 373, 375,
+ 377, 379, 381, 383, 386, 389, 391, 394, 397, 400,
+ 403, 406, 409, 412, 416, 418, 421, 424, 427, 430,
+ 433, 436, 439, 442, 445, 448, 451, 455, 458, 461,
+ 463, 466, 467, 472, 476, 479, 481, 484, 487, 490,
+ 492, 495, 497, 499, 501, 503, 506, 508, 511, 513,
+ 516, 518, 520, 522, 524, 526, 528, 534, 536, 540,
+ 543, 547, 551, 554, 556, 562, 567, 571, 573, 575,
+ 578, 580, 587, 591, 594, 598, 602, 606, 610
};
/* YYRHS -- A `-1'-separated list of the rules' RHS. */
static const yytype_int16 yyrhs[] =
{
- 157, 0, -1, 158, -1, 158, 159, 140, -1, 159,
- 140, -1, 1, 140, -1, -1, 160, -1, 166, -1,
- 167, -1, 174, -1, 180, -1, 171, -1, 185, -1,
- 188, -1, 191, -1, 194, -1, 207, -1, 161, 162,
- 164, -1, 161, 162, -1, 114, -1, 101, -1, 96,
- -1, 11, -1, 66, -1, 163, -1, 123, -1, 51,
- 123, -1, 45, -1, 46, -1, 164, 165, -1, 165,
- -1, 6, -1, 14, -1, 47, -1, 54, 51, -1,
- 76, 51, -1, 72, 51, -1, 87, -1, 104, -1,
- 105, -1, 131, -1, 133, 51, -1, 78, 51, -1,
- 135, 51, -1, 12, -1, 12, 91, -1, 67, 204,
- -1, 81, 204, -1, 6, 51, -1, 20, 51, -1,
- 21, 168, -1, 55, 123, -1, 56, 123, -1, 111,
- 51, -1, 132, 202, -1, 169, -1, -1, 169, 170,
- -1, 170, -1, 43, 123, -1, 48, 123, -1, 106,
- 123, -1, 108, 123, -1, 113, 51, -1, 116, 123,
- -1, 129, 172, -1, 172, 173, -1, 173, -1, 17,
- 51, -1, 40, 51, -1, 19, 205, -1, 94, 51,
- -1, 74, 206, -1, 70, 206, -1, 73, 206, -1,
- 69, 206, -1, 77, 51, -1, 10, 51, -1, 71,
- 51, -1, 117, 175, -1, 119, 123, -1, 35, 176,
- 177, -1, 175, 176, -1, 176, -1, 18, -1, 22,
- -1, 64, -1, 97, -1, 109, -1, 124, -1, 177,
- 178, -1, 178, -1, 34, 123, -1, 134, 179, -1,
- 61, -1, 82, -1, 31, -1, 25, -1, 84, -1,
- 99, -1, 23, -1, 136, -1, 80, -1, 137, -1,
- 3, -1, 26, 183, -1, 112, 162, 181, -1, 112,
- 24, 181, -1, 112, 163, 68, 163, 181, -1, -1,
- 181, 182, -1, 49, -1, 57, -1, 60, -1, 65,
- -1, 83, -1, 85, -1, 86, -1, 88, -1, 89,
- -1, 90, -1, 93, -1, 135, -1, 183, 184, -1,
- 184, -1, 8, 51, -1, 75, 51, -1, 79, 51,
- -1, 42, 162, 186, -1, 186, 187, -1, 187, -1,
- 126, 206, -1, 127, 206, -1, 122, 51, -1, 110,
- 123, -1, 36, 205, -1, 37, 205, -1, 38, 205,
- -1, 39, 205, -1, 31, 189, -1, 25, 189, -1,
- 189, 190, -1, 190, -1, 5, -1, 9, -1, 15,
- -1, 53, -1, 79, -1, 92, -1, 118, -1, 128,
- 192, -1, 192, 193, -1, 193, -1, 4, 206, -1,
- 27, 206, -1, 41, 206, -1, 44, 206, -1, 95,
- 206, -1, 120, 206, -1, 121, 206, -1, 50, 123,
- 159, -1, 32, -1, 13, 206, -1, 16, 51, -1,
- 125, 206, -1, 29, 195, -1, 59, 123, -1, 100,
- 123, -1, 63, 123, -1, 7, 51, -1, 62, 199,
- -1, 98, 203, -1, 115, 196, -1, 130, 163, 197,
- -1, 133, 202, -1, 107, 123, -1, 123, -1, 123,
- 28, -1, -1, 123, 151, 123, 24, -1, 123, 151,
- 123, -1, 197, 198, -1, 198, -1, 102, 51, -1,
- 52, 163, -1, 199, 200, -1, 200, -1, 201, 123,
- -1, 123, -1, 152, -1, 153, -1, 151, -1, 202,
- 51, -1, 51, -1, 203, 123, -1, 123, -1, 204,
- 162, -1, 162, -1, 51, -1, 131, -1, 33, -1,
- 51, -1, 28, -1, 208, 154, 209, 211, 155, -1,
- 141, -1, 209, 210, 140, -1, 210, 140, -1, 142,
- 151, 206, -1, 143, 151, 206, -1, 211, 212, -1,
- 212, -1, 214, 154, 213, 216, 155, -1, 144, 151,
- 206, 140, -1, 114, 151, 215, -1, 163, -1, 123,
- -1, 216, 217, -1, 217, -1, 145, 151, 206, 154,
- 218, 155, -1, 218, 219, 140, -1, 219, 140, -1,
- 146, 151, 206, -1, 147, 151, 206, -1, 148, 151,
- 206, -1, 149, 151, 206, -1, 150, 151, 206, -1
+ 159, 0, -1, 160, -1, 160, 161, 142, -1, 161,
+ 142, -1, 1, 142, -1, -1, 162, -1, 168, -1,
+ 169, -1, 176, -1, 182, -1, 173, -1, 187, -1,
+ 190, -1, 193, -1, 196, -1, 209, -1, 163, 164,
+ 166, -1, 163, 164, -1, 116, -1, 102, -1, 97,
+ -1, 11, -1, 67, -1, 165, -1, 125, -1, 52,
+ 125, -1, 46, -1, 47, -1, 166, 167, -1, 167,
+ -1, 6, -1, 14, -1, 48, -1, 55, 52, -1,
+ 77, 52, -1, 73, 52, -1, 88, -1, 105, -1,
+ 106, -1, 133, -1, 135, 52, -1, 79, 52, -1,
+ 137, 52, -1, 12, -1, 12, 92, -1, 68, 206,
+ -1, 82, 206, -1, 6, 52, -1, 20, 52, -1,
+ 21, 170, -1, 56, 125, -1, 57, 125, -1, 113,
+ 52, -1, 134, 204, -1, 171, -1, -1, 171, 172,
+ -1, 172, -1, 44, 125, -1, 49, 125, -1, 108,
+ 125, -1, 110, 125, -1, 115, 52, -1, 118, 125,
+ -1, 131, 174, -1, 174, 175, -1, 175, -1, 17,
+ 52, -1, 41, 52, -1, 19, 207, -1, 95, 52,
+ -1, 75, 208, -1, 71, 208, -1, 74, 208, -1,
+ 70, 208, -1, 78, 52, -1, 10, 52, -1, 72,
+ 52, -1, 119, 177, -1, 121, 125, -1, 35, 178,
+ 179, -1, 177, 178, -1, 178, -1, 18, -1, 22,
+ -1, 65, -1, 98, -1, 111, -1, 126, -1, 107,
+ -1, 179, 180, -1, 180, -1, 34, 125, -1, 136,
+ 181, -1, 62, -1, 83, -1, 31, -1, 25, -1,
+ 85, -1, 100, -1, 23, -1, 138, -1, 81, -1,
+ 139, -1, 3, -1, 26, 185, -1, 114, 164, 183,
+ -1, 114, 24, 183, -1, 114, 165, 69, 165, 183,
+ -1, -1, 183, 184, -1, 40, -1, 50, -1, 58,
+ -1, 61, -1, 66, -1, 84, -1, 86, -1, 87,
+ -1, 89, -1, 90, -1, 91, -1, 94, -1, 137,
+ -1, 185, 186, -1, 186, -1, 8, 52, -1, 76,
+ 52, -1, 80, 52, -1, 43, 164, 188, -1, 188,
+ 189, -1, 189, -1, 128, 208, -1, 129, 208, -1,
+ 124, 52, -1, 112, 125, -1, 36, 207, -1, 37,
+ 207, -1, 38, 207, -1, 39, 207, -1, 31, 191,
+ -1, 25, 191, -1, 191, 192, -1, 192, -1, 5,
+ -1, 9, -1, 15, -1, 54, -1, 80, -1, 93,
+ -1, 120, -1, 130, 194, -1, 194, 195, -1, 195,
+ -1, 4, 208, -1, 27, 208, -1, 42, 208, -1,
+ 45, 208, -1, 96, 208, -1, 122, 208, -1, 123,
+ 208, -1, 51, 125, 161, -1, 32, -1, 13, 208,
+ -1, 16, 52, -1, 127, 208, -1, 29, 197, -1,
+ 60, 125, -1, 101, 125, -1, 64, 125, -1, 7,
+ 52, -1, 63, 201, -1, 99, 205, -1, 117, 198,
+ -1, 132, 165, 199, -1, 135, 204, -1, 109, 125,
+ -1, 125, -1, 125, 28, -1, -1, 125, 153, 125,
+ 24, -1, 125, 153, 125, -1, 199, 200, -1, 200,
+ -1, 103, 52, -1, 53, 165, -1, 201, 202, -1,
+ 202, -1, 203, 125, -1, 125, -1, 154, -1, 155,
+ -1, 153, -1, 204, 52, -1, 52, -1, 205, 125,
+ -1, 125, -1, 206, 164, -1, 164, -1, 52, -1,
+ 133, -1, 33, -1, 52, -1, 28, -1, 210, 156,
+ 211, 213, 157, -1, 143, -1, 211, 212, 142, -1,
+ 212, 142, -1, 144, 153, 208, -1, 145, 153, 208,
+ -1, 213, 214, -1, 214, -1, 216, 156, 215, 218,
+ 157, -1, 146, 153, 208, 142, -1, 116, 153, 217,
+ -1, 165, -1, 125, -1, 218, 219, -1, 219, -1,
+ 147, 153, 208, 156, 220, 157, -1, 220, 221, 142,
+ -1, 221, 142, -1, 148, 153, 208, -1, 149, 153,
+ 208, -1, 150, 153, 208, -1, 151, 153, 208, -1,
+ 152, 153, 208, -1
};
/* YYRLINE[YYN] -- source line where rule number YYN was defined. */
static const yytype_uint16 yyrline[] =
{
- 0, 279, 279, 283, 284, 289, 300, 301, 302, 303,
- 304, 305, 306, 307, 308, 309, 310, 311, 319, 325,
- 334, 335, 336, 337, 338, 342, 343, 344, 360, 361,
- 365, 366, 371, 372, 373, 374, 375, 376, 377, 378,
- 379, 380, 381, 382, 383, 393, 395, 397, 399, 410,
- 412, 414, 421, 423, 425, 427, 432, 434, 438, 439,
- 443, 445, 447, 449, 451, 453, 463, 468, 469, 473,
- 475, 477, 479, 481, 483, 485, 487, 489, 491, 493,
- 503, 505, 507, 515, 516, 520, 522, 524, 526, 528,
- 530, 535, 536, 540, 541, 542, 543, 544, 545, 549,
- 550, 551, 552, 553, 554, 555, 564, 566, 571, 576,
- 584, 585, 589, 590, 591, 592, 593, 594, 595, 596,
- 597, 598, 599, 600, 604, 605, 609, 610, 611, 619,
- 624, 625, 629, 631, 633, 635, 637, 639, 641, 643,
- 652, 654, 659, 660, 664, 665, 666, 667, 668, 669,
- 671, 679, 683, 684, 688, 689, 690, 691, 692, 693,
- 694, 702, 718, 724, 726, 728, 730, 732, 735, 737,
- 739, 742, 744, 746, 748, 750, 752, 756, 758, 761,
- 766, 768, 774, 775, 779, 780, 785, 786, 790, 791,
- 808, 809, 810, 819, 820, 824, 825, 829, 830, 834,
- 843, 844, 848, 849, 857, 872, 876, 877, 881, 882,
- 886, 887, 891, 896, 900, 904, 905, 909, 910, 914,
- 919, 920, 924, 926, 928, 930, 932
+ 0, 281, 281, 285, 286, 291, 302, 303, 304, 305,
+ 306, 307, 308, 309, 310, 311, 312, 313, 321, 327,
+ 336, 337, 338, 339, 340, 344, 345, 346, 362, 363,
+ 367, 368, 373, 374, 375, 376, 377, 378, 379, 380,
+ 381, 382, 383, 384, 385, 395, 397, 399, 401, 412,
+ 414, 416, 423, 425, 427, 429, 434, 436, 440, 441,
+ 445, 447, 449, 451, 453, 455, 465, 470, 471, 475,
+ 477, 479, 481, 483, 485, 487, 489, 491, 493, 495,
+ 505, 507, 509, 517, 518, 522, 524, 526, 528, 530,
+ 532, 534, 539, 540, 544, 545, 546, 547, 548, 549,
+ 553, 554, 555, 556, 557, 558, 559, 568, 570, 575,
+ 580, 588, 589, 593, 594, 595, 596, 597, 598, 599,
+ 600, 601, 602, 603, 604, 605, 609, 610, 614, 615,
+ 616, 624, 629, 630, 634, 636, 638, 640, 642, 644,
+ 646, 648, 657, 659, 664, 665, 669, 670, 671, 672,
+ 673, 674, 676, 684, 688, 689, 693, 694, 695, 696,
+ 697, 698, 699, 707, 723, 729, 731, 733, 735, 737,
+ 740, 742, 744, 747, 749, 751, 753, 755, 757, 761,
+ 763, 766, 771, 773, 779, 780, 784, 785, 790, 791,
+ 795, 796, 813, 814, 815, 824, 825, 829, 830, 834,
+ 835, 839, 848, 849, 853, 854, 862, 877, 881, 882,
+ 886, 887, 891, 892, 896, 901, 905, 909, 910, 914,
+ 915, 919, 924, 925, 929, 931, 933, 935, 937
};
#endif
"T_ControlKey", "T_Crypto", "T_Cryptostats", "T_Day", "T_Default",
"T_Disable", "T_Discard", "T_Dispersion", "T_Double", "T_Driftfile",
"T_WanderThreshold", "T_Enable", "T_End", "T_False", "T_File",
- "T_Filegen", "T_Flag1", "T_Flag2", "T_Flag3", "T_Flag4", "T_Floor",
- "T_Freq", "T_Fudge", "T_Host", "T_Huffpuff", "T_IPv4_address",
+ "T_Filegen", "T_Flag1", "T_Flag2", "T_Flag3", "T_Flag4", "T_Flake",
+ "T_Floor", "T_Freq", "T_Fudge", "T_Host", "T_Huffpuff", "T_IPv4_address",
"T_IPv6_address", "T_Iburst", "T_Ident", "T_Ignore", "T_Includefile",
"T_Integer", "T_Interface", "T_Kernel", "T_Key", "T_Keys", "T_Keysdir",
"T_Kod", "T_Leap", "T_Leapfile", "T_Limited", "T_Link", "T_Logconfig",
"T_Noselect", "T_Noserve", "T_Notrap", "T_Notrust", "T_Novolley",
"T_Ntp", "T_Ntpport", "T_Orphan", "T_Panic", "T_Peer", "T_Peerstats",
"T_Phone", "T_Pid", "T_Pidfile", "T_Pool", "T_Port", "T_Pps",
- "T_Preempt", "T_Prefer", "T_Pw", "T_Qos", "T_RandFile", "T_Rawstats",
- "T_Refid", "T_Requestkey", "T_Restrict", "T_Revoke", "T_Server",
- "T_Setvar", "T_Sign", "T_Statistics", "T_Stats", "T_Statsdir", "T_Step",
- "T_Stepout", "T_Stratum", "T_String", "T_Sysstats", "T_Tick", "T_Time1",
- "T_Time2", "T_Tinker", "T_Tos", "T_Trap", "T_True", "T_Trustedkey",
- "T_Ttl", "T_Type", "T_Version", "T_Week", "T_Year", "T_Flag", "T_Void",
- "T_EOC", "T_Simulate", "T_Beep_Delay", "T_Sim_Duration",
- "T_Server_Offset", "T_Duration", "T_Freq_Offset", "T_Wander", "T_Jitter",
- "T_Prop_Delay", "T_Proc_Delay", "'='", "'+'", "'-'", "'{'", "'}'",
- "$accept", "configuration", "command_list", "command", "server_command",
- "client_type", "address", "ip_address", "option_list", "option",
- "other_mode_command", "authentication_command", "crypto_command_line",
- "crypto_command_list", "crypto_command", "orphan_mode_command",
- "tos_option_list", "tos_option", "monitoring_command", "stats_list",
- "stat", "filegen_option_list", "filegen_option", "filegen_type",
- "access_control_command", "ac_flag_list", "access_control_flag",
- "discard_option_list", "discard_option", "fudge_command",
- "fudge_factor_list", "fudge_factor", "system_option_command",
- "system_option_list", "system_option", "tinker_command",
- "tinker_option_list", "tinker_option", "miscellaneous_command",
- "drift_parm", "variable_assign", "trap_option_list", "trap_option",
- "log_config_list", "log_config_command", "log_config_prefix",
- "integer_list", "string_list", "address_list", "boolean", "number",
- "simulate_command", "sim_conf_start", "sim_init_statement_list",
- "sim_init_statement", "sim_server_list", "sim_server",
- "sim_server_offset", "sim_server_name", "sim_address", "sim_act_list",
- "sim_act", "sim_act_stmt_list", "sim_act_stmt", 0
+ "T_Preempt", "T_Prefer", "T_Protostats", "T_Pw", "T_Qos", "T_RandFile",
+ "T_Rawstats", "T_Refid", "T_Requestkey", "T_Restrict", "T_Revoke",
+ "T_Server", "T_Setvar", "T_Sign", "T_Statistics", "T_Stats",
+ "T_Statsdir", "T_Step", "T_Stepout", "T_Stratum", "T_String",
+ "T_Sysstats", "T_Tick", "T_Time1", "T_Time2", "T_Tinker", "T_Tos",
+ "T_Trap", "T_True", "T_Trustedkey", "T_Ttl", "T_Type", "T_Version",
+ "T_Week", "T_Year", "T_Flag", "T_Void", "T_EOC", "T_Simulate",
+ "T_Beep_Delay", "T_Sim_Duration", "T_Server_Offset", "T_Duration",
+ "T_Freq_Offset", "T_Wander", "T_Jitter", "T_Prop_Delay", "T_Proc_Delay",
+ "'='", "'+'", "'-'", "'{'", "'}'", "$accept", "configuration",
+ "command_list", "command", "server_command", "client_type", "address",
+ "ip_address", "option_list", "option", "other_mode_command",
+ "authentication_command", "crypto_command_line", "crypto_command_list",
+ "crypto_command", "orphan_mode_command", "tos_option_list", "tos_option",
+ "monitoring_command", "stats_list", "stat", "filegen_option_list",
+ "filegen_option", "filegen_type", "access_control_command",
+ "ac_flag_list", "access_control_flag", "discard_option_list",
+ "discard_option", "fudge_command", "fudge_factor_list", "fudge_factor",
+ "system_option_command", "system_option_list", "system_option",
+ "tinker_command", "tinker_option_list", "tinker_option",
+ "miscellaneous_command", "drift_parm", "variable_assign",
+ "trap_option_list", "trap_option", "log_config_list",
+ "log_config_command", "log_config_prefix", "integer_list", "string_list",
+ "address_list", "boolean", "number", "simulate_command",
+ "sim_conf_start", "sim_init_statement_list", "sim_init_statement",
+ "sim_server_list", "sim_server", "sim_server_offset", "sim_server_name",
+ "sim_address", "sim_act_list", "sim_act", "sim_act_stmt_list",
+ "sim_act_stmt", 0
};
#endif
375, 376, 377, 378, 379, 380, 381, 382, 383, 384,
385, 386, 387, 388, 389, 390, 391, 392, 393, 394,
395, 396, 397, 398, 399, 400, 401, 402, 403, 404,
- 405, 61, 43, 45, 123, 125
+ 405, 406, 407, 61, 43, 45, 123, 125
};
# endif
/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */
static const yytype_uint8 yyr1[] =
{
- 0, 156, 157, 158, 158, 158, 159, 159, 159, 159,
- 159, 159, 159, 159, 159, 159, 159, 159, 160, 160,
- 161, 161, 161, 161, 161, 162, 162, 162, 163, 163,
- 164, 164, 165, 165, 165, 165, 165, 165, 165, 165,
- 165, 165, 165, 165, 165, 166, 166, 166, 166, 167,
- 167, 167, 167, 167, 167, 167, 168, 168, 169, 169,
- 170, 170, 170, 170, 170, 170, 171, 172, 172, 173,
- 173, 173, 173, 173, 173, 173, 173, 173, 173, 173,
- 174, 174, 174, 175, 175, 176, 176, 176, 176, 176,
- 176, 177, 177, 178, 178, 178, 178, 178, 178, 179,
- 179, 179, 179, 179, 179, 179, 180, 180, 180, 180,
- 181, 181, 182, 182, 182, 182, 182, 182, 182, 182,
- 182, 182, 182, 182, 183, 183, 184, 184, 184, 185,
- 186, 186, 187, 187, 187, 187, 187, 187, 187, 187,
- 188, 188, 189, 189, 190, 190, 190, 190, 190, 190,
- 190, 191, 192, 192, 193, 193, 193, 193, 193, 193,
- 193, 194, 194, 194, 194, 194, 194, 194, 194, 194,
- 194, 194, 194, 194, 194, 194, 194, 195, 195, 195,
- 196, 196, 197, 197, 198, 198, 199, 199, 200, 200,
- 201, 201, 201, 202, 202, 203, 203, 204, 204, 205,
- 205, 205, 206, 206, 207, 208, 209, 209, 210, 210,
- 211, 211, 212, 213, 214, 215, 215, 216, 216, 217,
- 218, 218, 219, 219, 219, 219, 219
+ 0, 158, 159, 160, 160, 160, 161, 161, 161, 161,
+ 161, 161, 161, 161, 161, 161, 161, 161, 162, 162,
+ 163, 163, 163, 163, 163, 164, 164, 164, 165, 165,
+ 166, 166, 167, 167, 167, 167, 167, 167, 167, 167,
+ 167, 167, 167, 167, 167, 168, 168, 168, 168, 169,
+ 169, 169, 169, 169, 169, 169, 170, 170, 171, 171,
+ 172, 172, 172, 172, 172, 172, 173, 174, 174, 175,
+ 175, 175, 175, 175, 175, 175, 175, 175, 175, 175,
+ 176, 176, 176, 177, 177, 178, 178, 178, 178, 178,
+ 178, 178, 179, 179, 180, 180, 180, 180, 180, 180,
+ 181, 181, 181, 181, 181, 181, 181, 182, 182, 182,
+ 182, 183, 183, 184, 184, 184, 184, 184, 184, 184,
+ 184, 184, 184, 184, 184, 184, 185, 185, 186, 186,
+ 186, 187, 188, 188, 189, 189, 189, 189, 189, 189,
+ 189, 189, 190, 190, 191, 191, 192, 192, 192, 192,
+ 192, 192, 192, 193, 194, 194, 195, 195, 195, 195,
+ 195, 195, 195, 196, 196, 196, 196, 196, 196, 196,
+ 196, 196, 196, 196, 196, 196, 196, 196, 196, 197,
+ 197, 197, 198, 198, 199, 199, 200, 200, 201, 201,
+ 202, 202, 203, 203, 203, 204, 204, 205, 205, 206,
+ 206, 207, 207, 207, 208, 208, 209, 210, 211, 211,
+ 212, 212, 213, 213, 214, 215, 216, 217, 217, 218,
+ 218, 219, 220, 220, 221, 221, 221, 221, 221
};
/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN. */
2, 2, 2, 2, 2, 2, 2, 2, 1, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 3, 2, 1, 1, 1, 1, 1, 1,
- 1, 2, 1, 2, 2, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 2, 3, 3, 5,
- 0, 2, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 2, 1, 2, 2, 2, 3,
- 2, 1, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 1, 1, 1, 1, 1, 1, 1,
- 1, 2, 2, 1, 2, 2, 2, 2, 2, 2,
- 2, 3, 1, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 3, 2, 2, 1, 2, 0,
- 4, 3, 2, 1, 2, 2, 2, 1, 2, 1,
- 1, 1, 1, 2, 1, 2, 1, 2, 1, 1,
- 1, 1, 1, 1, 5, 1, 3, 2, 3, 3,
- 2, 1, 5, 4, 3, 1, 1, 2, 1, 6,
- 3, 2, 3, 3, 3, 3, 3
+ 1, 1, 2, 1, 2, 2, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 2, 3, 3,
+ 5, 0, 2, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 2, 1, 2, 2,
+ 2, 3, 2, 1, 2, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 1, 1, 1, 1, 1,
+ 1, 1, 1, 2, 2, 1, 2, 2, 2, 2,
+ 2, 2, 2, 3, 1, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 2, 3, 2, 2, 1,
+ 2, 0, 4, 3, 2, 1, 2, 2, 2, 1,
+ 2, 1, 1, 1, 1, 2, 1, 2, 1, 2,
+ 1, 1, 1, 1, 1, 1, 5, 1, 3, 2,
+ 3, 3, 2, 1, 5, 4, 3, 1, 1, 2,
+ 1, 6, 3, 2, 3, 3, 3, 3, 3
};
/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
static const yytype_uint8 yydefact[] =
{
0, 0, 0, 0, 23, 45, 0, 0, 0, 57,
- 0, 0, 179, 0, 162, 0, 0, 0, 0, 0,
+ 0, 0, 181, 0, 164, 0, 0, 0, 0, 0,
0, 0, 0, 24, 0, 0, 22, 0, 0, 21,
0, 0, 0, 20, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 205, 0, 2, 0, 7, 0, 8,
+ 0, 0, 0, 207, 0, 2, 0, 7, 0, 8,
9, 12, 10, 11, 13, 14, 15, 16, 17, 0,
- 5, 49, 170, 46, 203, 202, 163, 164, 50, 0,
- 0, 0, 0, 0, 0, 51, 56, 59, 144, 145,
- 146, 147, 148, 149, 150, 141, 143, 0, 0, 0,
- 106, 125, 177, 166, 140, 85, 86, 87, 88, 89,
- 90, 0, 28, 29, 0, 26, 0, 25, 6, 52,
- 53, 167, 189, 192, 190, 191, 171, 187, 0, 169,
- 198, 47, 48, 196, 172, 168, 176, 54, 110, 110,
- 25, 0, 173, 80, 84, 81, 165, 0, 0, 0,
- 0, 0, 0, 0, 151, 153, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 66, 68, 0,
- 194, 55, 175, 1, 0, 4, 19, 0, 60, 61,
- 62, 63, 64, 65, 58, 142, 126, 127, 128, 124,
- 178, 98, 97, 0, 95, 96, 0, 82, 92, 27,
- 0, 0, 0, 0, 0, 0, 0, 0, 129, 131,
- 161, 186, 188, 197, 195, 108, 107, 0, 0, 83,
- 154, 155, 156, 157, 158, 159, 160, 152, 78, 69,
- 201, 199, 200, 71, 70, 76, 74, 79, 75, 73,
- 77, 72, 67, 0, 0, 174, 183, 193, 3, 32,
- 33, 34, 0, 0, 0, 0, 38, 39, 40, 41,
- 0, 0, 18, 31, 0, 0, 0, 0, 93, 105,
- 101, 103, 99, 100, 102, 104, 94, 91, 136, 137,
- 138, 139, 135, 134, 132, 133, 130, 112, 113, 114,
- 115, 116, 117, 118, 119, 120, 121, 122, 123, 111,
- 110, 181, 185, 184, 182, 35, 37, 36, 43, 42,
- 44, 30, 0, 0, 0, 0, 0, 211, 0, 207,
- 109, 180, 208, 209, 0, 206, 204, 210, 0, 216,
- 215, 214, 0, 0, 0, 0, 0, 218, 0, 0,
- 212, 217, 213, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 219, 0, 221,
- 222, 223, 224, 225, 226, 220
+ 5, 49, 172, 46, 205, 204, 165, 166, 50, 0,
+ 0, 0, 0, 0, 0, 51, 56, 59, 146, 147,
+ 148, 149, 150, 151, 152, 143, 145, 0, 0, 0,
+ 107, 127, 179, 168, 142, 85, 86, 87, 88, 91,
+ 89, 90, 0, 28, 29, 0, 26, 0, 25, 6,
+ 52, 53, 169, 191, 194, 192, 193, 173, 189, 0,
+ 171, 200, 47, 48, 198, 174, 170, 178, 54, 111,
+ 111, 25, 0, 175, 80, 84, 81, 167, 0, 0,
+ 0, 0, 0, 0, 0, 153, 155, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 66, 68,
+ 0, 196, 55, 177, 1, 0, 4, 19, 0, 60,
+ 61, 62, 63, 64, 65, 58, 144, 128, 129, 130,
+ 126, 180, 99, 98, 0, 96, 97, 0, 82, 93,
+ 27, 0, 0, 0, 0, 0, 0, 0, 0, 131,
+ 133, 163, 188, 190, 199, 197, 109, 108, 0, 0,
+ 83, 156, 157, 158, 159, 160, 161, 162, 154, 78,
+ 69, 203, 201, 202, 71, 70, 76, 74, 79, 75,
+ 73, 77, 72, 67, 0, 0, 176, 185, 195, 3,
+ 32, 33, 34, 0, 0, 0, 0, 38, 39, 40,
+ 41, 0, 0, 18, 31, 0, 0, 0, 0, 94,
+ 106, 102, 104, 100, 101, 103, 105, 95, 92, 138,
+ 139, 140, 141, 137, 136, 134, 135, 132, 113, 114,
+ 115, 116, 117, 118, 119, 120, 121, 122, 123, 124,
+ 125, 112, 111, 183, 187, 186, 184, 35, 37, 36,
+ 43, 42, 44, 30, 0, 0, 0, 0, 0, 213,
+ 0, 209, 110, 182, 210, 211, 0, 208, 206, 212,
+ 0, 218, 217, 216, 0, 0, 0, 0, 0, 220,
+ 0, 0, 214, 219, 215, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 221,
+ 0, 223, 224, 225, 226, 227, 228, 222
};
/* YYDEFGOTO[NTERM-NUM]. */
static const yytype_int16 yydefgoto[] =
{
- -1, 44, 45, 46, 47, 48, 120, 107, 252, 253,
- 49, 50, 75, 76, 77, 51, 157, 158, 52, 133,
- 101, 187, 188, 266, 53, 205, 289, 90, 91, 54,
- 198, 199, 55, 85, 86, 56, 144, 145, 57, 93,
- 132, 235, 236, 116, 117, 118, 161, 124, 121, 223,
- 66, 58, 59, 256, 257, 306, 307, 323, 308, 321,
- 326, 327, 340, 341
+ -1, 44, 45, 46, 47, 48, 121, 108, 253, 254,
+ 49, 50, 75, 76, 77, 51, 158, 159, 52, 134,
+ 102, 188, 189, 267, 53, 206, 291, 90, 91, 54,
+ 199, 200, 55, 85, 86, 56, 145, 146, 57, 93,
+ 133, 236, 237, 117, 118, 119, 162, 125, 122, 224,
+ 66, 58, 59, 257, 258, 308, 309, 325, 310, 323,
+ 328, 329, 342, 343
};
/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
STATE-NUM. */
-#define YYPACT_NINF -138
+#define YYPACT_NINF -129
static const yytype_int16 yypact[] =
{
- 11, -137, -44, -26, -138, -80, 5, -13, -10, 132,
- 1, 7, -68, 1, -138, -14, -32, -52, -42, -33,
- -29, -64, -24, -138, -32, -32, -138, -15, -8, -138,
- -2, 82, 6, -138, 12, -14, 15, 5, 93, 370,
- 86, 94, 94, -138, 79, 161, 13, -138, -32, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -7,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, 43,
- 46, 47, 55, 111, 61, -138, 132, -138, -138, -138,
- -138, -138, -138, -138, -138, 1, -138, 134, 138, 140,
- 7, -138, 155, -138, 1, -138, -138, -138, -138, -138,
- -138, 14, -138, -138, 71, -138, 336, -138, 304, -138,
- -138, -138, -138, -138, -138, -138, -64, -138, 72, -138,
- -138, -32, -32, -138, 74, -138, -138, -138, -138, -138,
- 133, 49, -138, -14, -138, -138, -138, 5, 5, 5,
- 5, 5, 5, 5, 93, -138, 153, 154, -4, 167,
- 5, 5, 170, 5, 5, 171, 174, 370, -138, -18,
- -138, 175, 175, -138, 95, -138, 165, 22, -138, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, -138, -138, 110, -138, -138, 62, 14, -138, -138,
- -4, -4, -4, -4, 113, 183, 5, 5, 336, -138,
- -138, -138, -138, -138, -138, 293, 293, 86, 116, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, -138, -138, 86, 193, -18, -138, -138, -138, -138,
- -138, -138, 195, 196, 198, 199, -138, -138, -138, -138,
- 200, 202, 165, -138, 103, 104, -79, 118, -138, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, -138, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, 232, -138, -138, -138, -138, -138, -138, -138, -138,
- -138, -138, 5, 5, 109, 123, -86, -138, 117, -138,
- 293, -138, -138, -138, -25, -138, -138, -138, 120, -138,
- -138, -138, 126, 122, 5, 128, -83, -138, 141, 5,
- -138, -138, -138, 130, 8, 131, 137, 144, 146, 148,
- 60, 145, 5, 5, 5, 5, 5, -138, 163, -138,
- -138, -138, -138, -138, -138, -138
+ 11, -126, -18, -7, -129, -45, -13, 7, 13, 124,
+ 43, 0, -53, 43, -129, 64, -27, -48, -40, -29,
+ -9, -104, -6, -129, -27, -27, -129, 12, 14, -129,
+ 19, 42, 9, -129, 22, 64, 23, -13, -1, 418,
+ -33, 48, 48, -129, 152, 215, 16, -129, -27, -129,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, 3,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, 31,
+ 44, 47, 49, 115, 51, -129, 124, -129, -129, -129,
+ -129, -129, -129, -129, -129, 43, -129, 118, 126, 127,
+ 0, -129, 154, -129, 43, -129, -129, -129, -129, -129,
+ -129, -129, 4, -129, -129, 55, -129, 162, -129, 348,
+ -129, -129, -129, -129, -129, -129, -129, -104, -129, 60,
+ -129, -129, -27, -27, -129, 61, -129, -129, -129, -129,
+ -129, 122, 34, -129, 64, -129, -129, -129, -13, -13,
+ -13, -13, -13, -13, -13, -1, -129, 140, 157, -22,
+ 158, -13, -13, 160, -13, -13, 168, 171, 418, -129,
+ -46, -129, 172, 172, -129, 72, -129, 78, -81, -129,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, -129, 100, -129, -129, 50, 4, -129,
+ -129, -22, -22, -22, -22, 104, 178, -13, -13, 162,
+ -129, -129, -129, -129, -129, -129, 335, 335, -33, 108,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, -129, -33, 185, -46, -129, -129, -129,
+ -129, -129, -129, 186, 191, 193, 196, -129, -129, -129,
+ -129, 197, 199, 78, -129, 99, 101, -56, 111, -129,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, -129, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, 233, -129, -129, -129, -129, -129, -129,
+ -129, -129, -129, -129, -13, -13, 106, 119, -88, -129,
+ 107, -129, 335, -129, -129, -129, -42, -129, -129, -129,
+ 114, -129, -129, -129, 109, 117, -13, 112, -66, -129,
+ 128, -13, -129, -129, -129, 113, 56, 120, 123, 131,
+ 134, 135, 45, 138, -13, -13, -13, -13, -13, -129,
+ 139, -129, -129, -129, -129, -129, -129, -129
};
/* YYPGOTO[NTERM-NUM]. */
static const yytype_int16 yypgoto[] =
{
- -138, -138, -138, -40, -138, -138, 28, -31, -138, 52,
- -138, -138, -138, -138, 236, -138, -138, 156, -138, -138,
- -9, -138, 87, -138, -138, -127, -138, -138, 224, -138,
- -138, 121, -138, 305, -36, -138, -138, 177, -138, -138,
- -138, -138, 88, -138, 206, -138, 284, -138, 302, 39,
- -37, -138, -138, -138, 75, -138, 26, -138, -138, -138,
- -138, 2, -138, -6
+ -129, -129, -129, -39, -129, -129, 133, -31, -129, 24,
+ -129, -129, -129, -129, 216, -129, -129, 137, -129, -129,
+ -25, -129, 105, -129, -129, -128, -129, -129, 206, -129,
+ -129, 102, -129, 285, 5, -129, -129, 155, -129, -129,
+ -129, -129, 63, -129, 187, -129, 260, -129, 278, 25,
+ -37, -129, -129, -129, 58, -129, -3, -129, -129, -129,
+ -129, -15, -129, -36
};
/* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. If
#define YYTABLE_NINF -7
static const yytype_int16 yytable[] =
{
- 136, 130, 206, 60, 95, 164, 78, 61, 96, 159,
- 79, 63, 1, 102, 103, 87, 80, 2, 3, 104,
- 102, 103, 4, 5, 6, 62, 134, 7, 304, 220,
- 128, 8, 9, 64, 233, 304, 10, 11, 67, 181,
- 12, 68, 13, 14, 106, 182, 15, 221, 183, 175,
- 97, 102, 103, 16, 81, 92, 65, 104, 175, 112,
- 129, 17, 325, 254, 255, 259, 18, 19, 200, 316,
- 20, 108, 330, 21, 22, 184, 166, 23, 24, 163,
- 82, 109, 88, 98, 234, 260, 89, 113, 114, 115,
- 110, 105, 25, 83, 111, 99, 185, 137, 319, 119,
- 210, 211, 212, 213, 214, 215, 216, 26, 123, 27,
- 100, 28, 29, 225, 226, 125, 228, 229, 30, 84,
- 138, 126, 31, 32, 209, 33, 34, 222, 35, 105,
- 36, 102, 103, 127, 139, 131, 37, 140, 135, 38,
- 39, 40, 261, 41, 42, 160, 262, 167, 186, 203,
- 203, -6, 43, 165, 335, 336, 337, 338, 339, 274,
- 275, 263, 172, 310, 254, 255, 168, 2, 3, 169,
- 170, 239, 4, 5, 6, 69, 290, 7, 171, 240,
- 70, 8, 9, 180, 173, 176, 10, 11, 141, 177,
- 12, 178, 13, 14, 189, 202, 15, 204, 264, 265,
- 208, 207, 292, 16, 218, 219, 335, 336, 337, 338,
- 339, 17, 241, 142, 143, 347, 18, 19, 224, 242,
- 20, 227, 230, 21, 22, 231, 237, 23, 24, 268,
- 269, 270, 271, 258, 273, 238, 272, 243, 71, 291,
- 72, 244, 25, 245, 293, 73, 295, 296, 74, 297,
- 298, 299, 246, 300, 302, 303, 311, 26, 309, 27,
- 314, 28, 29, 315, 322, 312, 313, 325, 30, 247,
- 248, 318, 31, 32, 267, 33, 34, 324, 35, 329,
- 36, 332, 342, 320, 334, 349, 37, 328, 343, 38,
- 39, 40, 333, 41, 42, 344, 249, 345, 250, 346,
- 251, -6, 43, 355, 301, 350, 351, 352, 353, 354,
- 2, 3, 174, 232, 179, 4, 5, 6, 94, 276,
- 7, 217, 201, 294, 8, 9, 162, 122, 331, 10,
- 11, 305, 317, 12, 348, 13, 14, 0, 0, 15,
- 0, 0, 277, 0, 0, 0, 16, 0, 0, 0,
- 278, 0, 0, 279, 17, 0, 0, 0, 280, 18,
- 19, 0, 0, 20, 0, 0, 21, 22, 0, 0,
- 23, 24, 190, 191, 192, 193, 281, 0, 282, 283,
- 146, 284, 285, 286, 0, 25, 287, 147, 0, 148,
+ 137, 131, 207, 138, 103, 104, 165, 234, 87, 160,
+ 135, 221, 1, 103, 104, 64, 60, 2, 3, 103,
+ 104, 113, 4, 5, 6, 105, 139, 7, 306, 182,
+ 222, 8, 9, 129, 61, 183, 10, 11, 184, 65,
+ 12, 140, 13, 14, 141, 62, 15, 63, 78, 114,
+ 115, 116, 79, 260, 16, 103, 104, 235, 80, 67,
+ 306, 105, 17, 255, 256, 68, 185, 18, 19, 318,
+ 201, 20, 92, 261, 21, 22, 88, 109, 23, 24,
+ 89, 327, 95, 321, 240, 110, 96, 186, 255, 256,
+ 176, 332, 241, 25, 128, 142, 111, 81, 106, 176,
+ 161, 211, 212, 213, 214, 215, 216, 217, 26, 210,
+ 27, 223, 28, 29, 226, 227, 112, 229, 230, 120,
+ 30, 143, 144, 82, 31, 32, 242, 33, 34, 97,
+ 35, 262, 36, 243, 106, 263, 83, 124, 37, 126,
+ 187, 38, 39, 40, 127, 41, 42, 132, 136, 107,
+ 264, 244, 164, -6, 43, 245, 169, 246, 166, 168,
+ 275, 276, 98, 84, 312, 130, 247, 173, 69, 170,
+ 177, 99, 171, 70, 172, 100, 174, 292, 178, 179,
+ 190, 167, 181, 248, 249, 203, 205, 209, 265, 266,
+ 101, 208, 219, 337, 338, 339, 340, 341, 191, 192,
+ 193, 194, 349, 294, 337, 338, 339, 340, 341, 220,
+ 225, 250, 228, 251, 239, 252, 269, 270, 271, 272,
+ 231, 2, 3, 232, 238, 259, 4, 5, 6, 273,
+ 274, 7, 71, 293, 72, 8, 9, 295, 297, 73,
+ 10, 11, 74, 298, 12, 299, 13, 14, 300, 301,
+ 15, 302, 304, 311, 305, 204, 204, 313, 16, 316,
+ 324, 317, 326, 320, 327, 331, 17, 314, 315, 336,
+ 334, 18, 19, 344, 195, 20, 345, 303, 21, 22,
+ 351, 357, 23, 24, 346, 322, 196, 347, 348, 330,
+ 197, 198, 175, 268, 335, 233, 180, 25, 94, 296,
+ 218, 277, 163, 123, 202, 319, 350, 352, 353, 354,
+ 355, 356, 26, 333, 27, 307, 28, 29, 0, 0,
+ 0, 0, 0, 0, 30, 0, 0, 0, 31, 32,
+ 0, 33, 34, 0, 35, 0, 36, 0, 0, 0,
+ 0, 0, 37, 0, 0, 38, 39, 40, 0, 41,
+ 42, 0, 0, 0, 2, 3, 0, -6, 43, 4,
+ 5, 6, 0, 0, 7, 0, 0, 0, 8, 9,
+ 0, 0, 0, 10, 11, 278, 0, 12, 0, 13,
+ 14, 0, 0, 15, 0, 279, 0, 0, 0, 0,
+ 0, 16, 0, 280, 0, 0, 281, 0, 0, 17,
+ 0, 282, 0, 0, 18, 19, 0, 0, 20, 0,
+ 0, 21, 22, 0, 0, 23, 24, 0, 0, 283,
+ 0, 284, 285, 0, 286, 287, 288, 0, 147, 289,
+ 25, 0, 0, 0, 0, 148, 0, 149, 0, 0,
+ 0, 0, 0, 0, 0, 26, 0, 27, 0, 28,
+ 29, 0, 0, 0, 0, 0, 0, 30, 0, 150,
+ 0, 31, 32, 0, 33, 34, 0, 35, 0, 36,
+ 0, 0, 290, 0, 0, 37, 0, 0, 38, 39,
+ 40, 0, 41, 42, 0, 0, 0, 0, 151, 152,
+ 153, 43, 154, 155, 0, 0, 156, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 26, 0, 27, 0, 28, 29, 0, 0, 0, 0,
- 149, 30, 0, 0, 0, 31, 32, 0, 33, 34,
- 0, 35, 0, 36, 0, 0, 0, 0, 288, 37,
- 0, 0, 38, 39, 40, 0, 41, 42, 0, 150,
- 151, 152, 0, 153, 154, 43, 194, 155, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 195, 0,
- 0, 0, 196, 197, 156
+ 0, 0, 0, 157
};
static const yytype_int16 yycheck[] =
{
- 37, 32, 129, 140, 18, 45, 5, 51, 22, 40,
- 9, 91, 1, 45, 46, 8, 15, 6, 7, 51,
- 45, 46, 11, 12, 13, 51, 35, 16, 114, 33,
- 24, 20, 21, 28, 52, 114, 25, 26, 51, 25,
- 29, 51, 31, 32, 16, 31, 35, 51, 34, 85,
- 64, 45, 46, 42, 53, 123, 51, 51, 94, 123,
- 32, 50, 145, 142, 143, 3, 55, 56, 108, 155,
- 59, 123, 155, 62, 63, 61, 48, 66, 67, 0,
- 79, 123, 75, 97, 102, 23, 79, 151, 152, 153,
- 123, 123, 81, 92, 123, 109, 82, 4, 123, 123,
- 137, 138, 139, 140, 141, 142, 143, 96, 123, 98,
- 124, 100, 101, 150, 151, 123, 153, 154, 107, 118,
- 27, 123, 111, 112, 133, 114, 115, 131, 117, 123,
- 119, 45, 46, 51, 41, 123, 125, 44, 123, 128,
- 129, 130, 80, 132, 133, 51, 84, 154, 134, 121,
- 122, 140, 141, 140, 146, 147, 148, 149, 150, 196,
- 197, 99, 51, 290, 142, 143, 123, 6, 7, 123,
- 123, 6, 11, 12, 13, 43, 207, 16, 123, 14,
- 48, 20, 21, 28, 123, 51, 25, 26, 95, 51,
- 29, 51, 31, 32, 123, 123, 35, 123, 136, 137,
- 151, 68, 233, 42, 51, 51, 146, 147, 148, 149,
- 150, 50, 47, 120, 121, 155, 55, 56, 51, 54,
- 59, 51, 51, 62, 63, 51, 51, 66, 67, 190,
- 191, 192, 193, 123, 51, 140, 123, 72, 106, 123,
- 108, 76, 81, 78, 51, 113, 51, 51, 116, 51,
- 51, 51, 87, 51, 151, 151, 24, 96, 140, 98,
- 151, 100, 101, 140, 144, 302, 303, 145, 107, 104,
- 105, 154, 111, 112, 187, 114, 115, 151, 117, 151,
- 119, 140, 151, 314, 154, 140, 125, 324, 151, 128,
- 129, 130, 329, 132, 133, 151, 131, 151, 133, 151,
- 135, 140, 141, 140, 252, 342, 343, 344, 345, 346,
- 6, 7, 76, 157, 90, 11, 12, 13, 13, 198,
- 16, 144, 116, 235, 20, 21, 42, 25, 326, 25,
- 26, 256, 306, 29, 340, 31, 32, -1, -1, 35,
- -1, -1, 49, -1, -1, -1, 42, -1, -1, -1,
- 57, -1, -1, 60, 50, -1, -1, -1, 65, 55,
- 56, -1, -1, 59, -1, -1, 62, 63, -1, -1,
- 66, 67, 36, 37, 38, 39, 83, -1, 85, 86,
- 10, 88, 89, 90, -1, 81, 93, 17, -1, 19,
+ 37, 32, 130, 4, 46, 47, 45, 53, 8, 40,
+ 35, 33, 1, 46, 47, 28, 142, 6, 7, 46,
+ 47, 125, 11, 12, 13, 52, 27, 16, 116, 25,
+ 52, 20, 21, 24, 52, 31, 25, 26, 34, 52,
+ 29, 42, 31, 32, 45, 52, 35, 92, 5, 153,
+ 154, 155, 9, 3, 43, 46, 47, 103, 15, 52,
+ 116, 52, 51, 144, 145, 52, 62, 56, 57, 157,
+ 109, 60, 125, 23, 63, 64, 76, 125, 67, 68,
+ 80, 147, 18, 125, 6, 125, 22, 83, 144, 145,
+ 85, 157, 14, 82, 52, 96, 125, 54, 125, 94,
+ 52, 138, 139, 140, 141, 142, 143, 144, 97, 134,
+ 99, 133, 101, 102, 151, 152, 125, 154, 155, 125,
+ 109, 122, 123, 80, 113, 114, 48, 116, 117, 65,
+ 119, 81, 121, 55, 125, 85, 93, 125, 127, 125,
+ 136, 130, 131, 132, 125, 134, 135, 125, 125, 16,
+ 100, 73, 0, 142, 143, 77, 125, 79, 142, 156,
+ 197, 198, 98, 120, 292, 32, 88, 52, 44, 125,
+ 52, 107, 125, 49, 125, 111, 125, 208, 52, 52,
+ 125, 48, 28, 105, 106, 125, 125, 153, 138, 139,
+ 126, 69, 52, 148, 149, 150, 151, 152, 36, 37,
+ 38, 39, 157, 234, 148, 149, 150, 151, 152, 52,
+ 52, 133, 52, 135, 142, 137, 191, 192, 193, 194,
+ 52, 6, 7, 52, 52, 125, 11, 12, 13, 125,
+ 52, 16, 108, 125, 110, 20, 21, 52, 52, 115,
+ 25, 26, 118, 52, 29, 52, 31, 32, 52, 52,
+ 35, 52, 153, 142, 153, 122, 123, 24, 43, 153,
+ 146, 142, 153, 156, 147, 153, 51, 304, 305, 156,
+ 142, 56, 57, 153, 112, 60, 153, 253, 63, 64,
+ 142, 142, 67, 68, 153, 316, 124, 153, 153, 326,
+ 128, 129, 76, 188, 331, 158, 90, 82, 13, 236,
+ 145, 199, 42, 25, 117, 308, 342, 344, 345, 346,
+ 347, 348, 97, 328, 99, 257, 101, 102, -1, -1,
+ -1, -1, -1, -1, 109, -1, -1, -1, 113, 114,
+ -1, 116, 117, -1, 119, -1, 121, -1, -1, -1,
+ -1, -1, 127, -1, -1, 130, 131, 132, -1, 134,
+ 135, -1, -1, -1, 6, 7, -1, 142, 143, 11,
+ 12, 13, -1, -1, 16, -1, -1, -1, 20, 21,
+ -1, -1, -1, 25, 26, 40, -1, 29, -1, 31,
+ 32, -1, -1, 35, -1, 50, -1, -1, -1, -1,
+ -1, 43, -1, 58, -1, -1, 61, -1, -1, 51,
+ -1, 66, -1, -1, 56, 57, -1, -1, 60, -1,
+ -1, 63, 64, -1, -1, 67, 68, -1, -1, 84,
+ -1, 86, 87, -1, 89, 90, 91, -1, 10, 94,
+ 82, -1, -1, -1, -1, 17, -1, 19, -1, -1,
+ -1, -1, -1, -1, -1, 97, -1, 99, -1, 101,
+ 102, -1, -1, -1, -1, -1, -1, 109, -1, 41,
+ -1, 113, 114, -1, 116, 117, -1, 119, -1, 121,
+ -1, -1, 137, -1, -1, 127, -1, -1, 130, 131,
+ 132, -1, 134, 135, -1, -1, -1, -1, 70, 71,
+ 72, 143, 74, 75, -1, -1, 78, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- 96, -1, 98, -1, 100, 101, -1, -1, -1, -1,
- 40, 107, -1, -1, -1, 111, 112, -1, 114, 115,
- -1, 117, -1, 119, -1, -1, -1, -1, 135, 125,
- -1, -1, 128, 129, 130, -1, 132, 133, -1, 69,
- 70, 71, -1, 73, 74, 141, 110, 77, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, 122, -1,
- -1, -1, 126, 127, 94
+ -1, -1, -1, 95
};
/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
static const yytype_uint8 yystos[] =
{
0, 1, 6, 7, 11, 12, 13, 16, 20, 21,
- 25, 26, 29, 31, 32, 35, 42, 50, 55, 56,
- 59, 62, 63, 66, 67, 81, 96, 98, 100, 101,
- 107, 111, 112, 114, 115, 117, 119, 125, 128, 129,
- 130, 132, 133, 141, 157, 158, 159, 160, 161, 166,
- 167, 171, 174, 180, 185, 188, 191, 194, 207, 208,
- 140, 51, 51, 91, 28, 51, 206, 51, 51, 43,
- 48, 106, 108, 113, 116, 168, 169, 170, 5, 9,
- 15, 53, 79, 92, 118, 189, 190, 8, 75, 79,
- 183, 184, 123, 195, 189, 18, 22, 64, 97, 109,
- 124, 176, 45, 46, 51, 123, 162, 163, 123, 123,
- 123, 123, 123, 151, 152, 153, 199, 200, 201, 123,
- 162, 204, 204, 123, 203, 123, 123, 51, 24, 162,
- 163, 123, 196, 175, 176, 123, 206, 4, 27, 41,
- 44, 95, 120, 121, 192, 193, 10, 17, 19, 40,
- 69, 70, 71, 73, 74, 77, 94, 172, 173, 163,
- 51, 202, 202, 0, 159, 140, 162, 154, 123, 123,
- 123, 123, 51, 123, 170, 190, 51, 51, 51, 184,
- 28, 25, 31, 34, 61, 82, 134, 177, 178, 123,
- 36, 37, 38, 39, 110, 122, 126, 127, 186, 187,
- 159, 200, 123, 162, 123, 181, 181, 68, 151, 176,
- 206, 206, 206, 206, 206, 206, 206, 193, 51, 51,
- 33, 51, 131, 205, 51, 206, 206, 51, 206, 206,
- 51, 51, 173, 52, 102, 197, 198, 51, 140, 6,
- 14, 47, 54, 72, 76, 78, 87, 104, 105, 131,
- 133, 135, 164, 165, 142, 143, 209, 210, 123, 3,
- 23, 80, 84, 99, 136, 137, 179, 178, 205, 205,
- 205, 205, 123, 51, 206, 206, 187, 49, 57, 60,
- 65, 83, 85, 86, 88, 89, 90, 93, 135, 182,
- 163, 123, 163, 51, 198, 51, 51, 51, 51, 51,
- 51, 165, 151, 151, 114, 210, 211, 212, 214, 140,
- 181, 24, 206, 206, 151, 140, 155, 212, 154, 123,
- 163, 215, 144, 213, 151, 145, 216, 217, 206, 151,
- 155, 217, 140, 206, 154, 146, 147, 148, 149, 150,
- 218, 219, 151, 151, 151, 151, 151, 155, 219, 140,
- 206, 206, 206, 206, 206, 140
+ 25, 26, 29, 31, 32, 35, 43, 51, 56, 57,
+ 60, 63, 64, 67, 68, 82, 97, 99, 101, 102,
+ 109, 113, 114, 116, 117, 119, 121, 127, 130, 131,
+ 132, 134, 135, 143, 159, 160, 161, 162, 163, 168,
+ 169, 173, 176, 182, 187, 190, 193, 196, 209, 210,
+ 142, 52, 52, 92, 28, 52, 208, 52, 52, 44,
+ 49, 108, 110, 115, 118, 170, 171, 172, 5, 9,
+ 15, 54, 80, 93, 120, 191, 192, 8, 76, 80,
+ 185, 186, 125, 197, 191, 18, 22, 65, 98, 107,
+ 111, 126, 178, 46, 47, 52, 125, 164, 165, 125,
+ 125, 125, 125, 125, 153, 154, 155, 201, 202, 203,
+ 125, 164, 206, 206, 125, 205, 125, 125, 52, 24,
+ 164, 165, 125, 198, 177, 178, 125, 208, 4, 27,
+ 42, 45, 96, 122, 123, 194, 195, 10, 17, 19,
+ 41, 70, 71, 72, 74, 75, 78, 95, 174, 175,
+ 165, 52, 204, 204, 0, 161, 142, 164, 156, 125,
+ 125, 125, 125, 52, 125, 172, 192, 52, 52, 52,
+ 186, 28, 25, 31, 34, 62, 83, 136, 179, 180,
+ 125, 36, 37, 38, 39, 112, 124, 128, 129, 188,
+ 189, 161, 202, 125, 164, 125, 183, 183, 69, 153,
+ 178, 208, 208, 208, 208, 208, 208, 208, 195, 52,
+ 52, 33, 52, 133, 207, 52, 208, 208, 52, 208,
+ 208, 52, 52, 175, 53, 103, 199, 200, 52, 142,
+ 6, 14, 48, 55, 73, 77, 79, 88, 105, 106,
+ 133, 135, 137, 166, 167, 144, 145, 211, 212, 125,
+ 3, 23, 81, 85, 100, 138, 139, 181, 180, 207,
+ 207, 207, 207, 125, 52, 208, 208, 189, 40, 50,
+ 58, 61, 66, 84, 86, 87, 89, 90, 91, 94,
+ 137, 184, 165, 125, 165, 52, 200, 52, 52, 52,
+ 52, 52, 52, 167, 153, 153, 116, 212, 213, 214,
+ 216, 142, 183, 24, 208, 208, 153, 142, 157, 214,
+ 156, 125, 165, 217, 146, 215, 153, 147, 218, 219,
+ 208, 153, 157, 219, 142, 208, 156, 148, 149, 150,
+ 151, 152, 220, 221, 153, 153, 153, 153, 153, 157,
+ 221, 142, 208, 208, 208, 208, 208, 142
};
#define yyerrok (yyerrstatus = 0)
switch (yyn)
{
case 5:
-#line 290 "ntp_parser.y"
+#line 292 "ntp_parser.y"
{
if (input_from_file == 1) {
msyslog(LOG_INFO, "parse error %s line %d ignored\n",
break;
case 18:
-#line 320 "ntp_parser.y"
+#line 322 "ntp_parser.y"
{
struct peer_node *my_node = create_peer_node((yyvsp[(1) - (3)].Integer), (yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Queue));
if (my_node)
break;
case 19:
-#line 326 "ntp_parser.y"
+#line 328 "ntp_parser.y"
{
struct peer_node *my_node = create_peer_node((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].Address_node), NULL);
if (my_node)
break;
case 20:
-#line 334 "ntp_parser.y"
+#line 336 "ntp_parser.y"
{ (yyval.Integer) = T_Server; }
break;
case 21:
-#line 335 "ntp_parser.y"
+#line 337 "ntp_parser.y"
{ (yyval.Integer) = T_Pool; }
break;
case 22:
-#line 336 "ntp_parser.y"
+#line 338 "ntp_parser.y"
{ (yyval.Integer) = T_Peer; }
break;
case 23:
-#line 337 "ntp_parser.y"
+#line 339 "ntp_parser.y"
{ (yyval.Integer) = T_Broadcast; }
break;
case 24:
-#line 338 "ntp_parser.y"
+#line 340 "ntp_parser.y"
{ (yyval.Integer) = T_Manycastclient; }
break;
case 25:
-#line 342 "ntp_parser.y"
+#line 344 "ntp_parser.y"
{ (yyval.Address_node) = (yyvsp[(1) - (1)].Address_node); }
break;
case 26:
-#line 343 "ntp_parser.y"
+#line 345 "ntp_parser.y"
{ (yyval.Address_node) = create_address_node((yyvsp[(1) - (1)].String), default_ai_family); }
break;
case 27:
-#line 345 "ntp_parser.y"
+#line 347 "ntp_parser.y"
{
if ((yyvsp[(1) - (2)].Integer) == -4)
(yyval.Address_node) = create_address_node((yyvsp[(2) - (2)].String), AF_INET);
break;
case 28:
-#line 360 "ntp_parser.y"
+#line 362 "ntp_parser.y"
{ (yyval.Address_node) = create_address_node((yyvsp[(1) - (1)].String), AF_INET); }
break;
case 29:
-#line 361 "ntp_parser.y"
+#line 363 "ntp_parser.y"
{ (yyval.Address_node) = create_address_node((yyvsp[(1) - (1)].String), AF_INET6); }
break;
case 30:
-#line 365 "ntp_parser.y"
+#line 367 "ntp_parser.y"
{ (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 31:
-#line 366 "ntp_parser.y"
+#line 368 "ntp_parser.y"
{ (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 32:
-#line 371 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_SKEY | FLAG_AUTHENABLE); }
+#line 373 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_SKEY); }
break;
case 33:
-#line 372 "ntp_parser.y"
+#line 374 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_BURST); }
break;
case 34:
-#line 373 "ntp_parser.y"
+#line 375 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_IBURST); }
break;
case 35:
-#line 374 "ntp_parser.y"
+#line 376 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Key, (yyvsp[(2) - (2)].Integer)); }
break;
case 36:
-#line 375 "ntp_parser.y"
+#line 377 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Minpoll, (yyvsp[(2) - (2)].Integer)); }
break;
case 37:
-#line 376 "ntp_parser.y"
+#line 378 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Maxpoll, (yyvsp[(2) - (2)].Integer)); }
break;
case 38:
-#line 377 "ntp_parser.y"
+#line 379 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_NOSELECT);}
break;
case 39:
-#line 378 "ntp_parser.y"
+#line 380 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_PREEMPT); }
break;
case 40:
-#line 379 "ntp_parser.y"
+#line 381 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_PREFER); }
break;
case 41:
-#line 380 "ntp_parser.y"
+#line 382 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Flag, FLAG_TRUE); }
break;
case 42:
-#line 381 "ntp_parser.y"
+#line 383 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Ttl, (yyvsp[(2) - (2)].Integer)); }
break;
case 43:
-#line 382 "ntp_parser.y"
+#line 384 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Mode, (yyvsp[(2) - (2)].Integer)); }
break;
case 44:
-#line 383 "ntp_parser.y"
+#line 385 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_ival(T_Version, (yyvsp[(2) - (2)].Integer)); }
break;
case 45:
-#line 394 "ntp_parser.y"
+#line 396 "ntp_parser.y"
{ my_config.broadcastclient = SIMPLE; }
break;
case 46:
-#line 396 "ntp_parser.y"
+#line 398 "ntp_parser.y"
{ my_config.broadcastclient = NOVOLLEY; }
break;
case 47:
-#line 398 "ntp_parser.y"
+#line 400 "ntp_parser.y"
{ append_queue(my_config.manycastserver, (yyvsp[(2) - (2)].Queue)); }
break;
case 48:
-#line 400 "ntp_parser.y"
+#line 402 "ntp_parser.y"
{ append_queue(my_config.multicastclient, (yyvsp[(2) - (2)].Queue)); }
break;
case 49:
-#line 411 "ntp_parser.y"
+#line 413 "ntp_parser.y"
{ my_config.auth.autokey = (yyvsp[(2) - (2)].Integer); }
break;
case 50:
-#line 413 "ntp_parser.y"
+#line 415 "ntp_parser.y"
{ my_config.auth.control_key = (yyvsp[(2) - (2)].Integer); }
break;
case 51:
-#line 415 "ntp_parser.y"
+#line 417 "ntp_parser.y"
{ if (my_config.auth.crypto_cmd_list != NULL)
append_queue(my_config.auth.crypto_cmd_list, (yyvsp[(2) - (2)].Queue));
else
break;
case 52:
-#line 422 "ntp_parser.y"
+#line 424 "ntp_parser.y"
{ my_config.auth.keys = (yyvsp[(2) - (2)].String); }
break;
case 53:
-#line 424 "ntp_parser.y"
+#line 426 "ntp_parser.y"
{ my_config.auth.keysdir = (yyvsp[(2) - (2)].String); }
break;
case 54:
-#line 426 "ntp_parser.y"
+#line 428 "ntp_parser.y"
{ my_config.auth.requested_key = (yyvsp[(2) - (2)].Integer); }
break;
case 55:
-#line 428 "ntp_parser.y"
+#line 430 "ntp_parser.y"
{ my_config.auth.trusted_key_list = (yyvsp[(2) - (2)].Queue); }
break;
case 57:
-#line 434 "ntp_parser.y"
+#line 436 "ntp_parser.y"
{ (yyval.Queue) = NULL; }
break;
case 58:
-#line 438 "ntp_parser.y"
+#line 440 "ntp_parser.y"
{ (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 59:
-#line 439 "ntp_parser.y"
+#line 441 "ntp_parser.y"
{ (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 60:
-#line 444 "ntp_parser.y"
+#line 446 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_sval(CRYPTO_CONF_PRIV, (yyvsp[(2) - (2)].String)); }
break;
case 61:
-#line 446 "ntp_parser.y"
+#line 448 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_sval(CRYPTO_CONF_IDENT, (yyvsp[(2) - (2)].String)); }
break;
case 62:
-#line 448 "ntp_parser.y"
+#line 450 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_sval(CRYPTO_CONF_PW, (yyvsp[(2) - (2)].String)); }
break;
case 63:
-#line 450 "ntp_parser.y"
+#line 452 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_sval(CRYPTO_CONF_RAND, (yyvsp[(2) - (2)].String)); }
break;
case 64:
-#line 452 "ntp_parser.y"
+#line 454 "ntp_parser.y"
{ my_config.auth.revoke = (yyvsp[(2) - (2)].Integer); }
break;
case 65:
-#line 454 "ntp_parser.y"
+#line 456 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_sval(CRYPTO_CONF_SIGN, (yyvsp[(2) - (2)].String)); }
break;
case 66:
-#line 464 "ntp_parser.y"
+#line 466 "ntp_parser.y"
{ append_queue(my_config.orphan_cmds,(yyvsp[(2) - (2)].Queue)); }
break;
case 67:
-#line 468 "ntp_parser.y"
+#line 470 "ntp_parser.y"
{ (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 68:
-#line 469 "ntp_parser.y"
+#line 471 "ntp_parser.y"
{ (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 69:
-#line 474 "ntp_parser.y"
+#line 476 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_CEILING, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 70:
-#line 476 "ntp_parser.y"
+#line 478 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_FLOOR, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 71:
-#line 478 "ntp_parser.y"
+#line 480 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_COHORT, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 72:
-#line 480 "ntp_parser.y"
+#line 482 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_ORPHAN, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 73:
-#line 482 "ntp_parser.y"
+#line 484 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_MINDISP, (yyvsp[(2) - (2)].Double)); }
break;
case 74:
-#line 484 "ntp_parser.y"
+#line 486 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_MAXDIST, (yyvsp[(2) - (2)].Double)); }
break;
case 75:
-#line 486 "ntp_parser.y"
+#line 488 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_MINCLOCK, (yyvsp[(2) - (2)].Double)); }
break;
case 76:
-#line 488 "ntp_parser.y"
+#line 490 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_MAXCLOCK, (yyvsp[(2) - (2)].Double)); }
break;
case 77:
-#line 490 "ntp_parser.y"
+#line 492 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_MINSANE, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 78:
-#line 492 "ntp_parser.y"
+#line 494 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_BEACON, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 79:
-#line 494 "ntp_parser.y"
+#line 496 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(PROTO_MAXHOP, (double)(yyvsp[(2) - (2)].Integer)); }
break;
case 80:
-#line 504 "ntp_parser.y"
+#line 506 "ntp_parser.y"
{ append_queue(my_config.stats_list, (yyvsp[(2) - (2)].Queue)); }
break;
case 81:
-#line 506 "ntp_parser.y"
+#line 508 "ntp_parser.y"
{ my_config.stats_dir = (yyvsp[(2) - (2)].String); }
break;
case 82:
-#line 508 "ntp_parser.y"
+#line 510 "ntp_parser.y"
{
enqueue(my_config.filegen_opts,
create_filegen_node((yyvsp[(2) - (3)].VoidPtr), (yyvsp[(3) - (3)].Queue)));
break;
case 83:
-#line 515 "ntp_parser.y"
+#line 517 "ntp_parser.y"
{ (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].VoidPtr)); }
break;
case 84:
-#line 516 "ntp_parser.y"
+#line 518 "ntp_parser.y"
{ (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].VoidPtr)); }
break;
case 85:
-#line 521 "ntp_parser.y"
+#line 523 "ntp_parser.y"
{ (yyval.VoidPtr) = create_pval("clockstats"); }
break;
case 86:
-#line 523 "ntp_parser.y"
+#line 525 "ntp_parser.y"
{ (yyval.VoidPtr) = create_pval("cryptostats"); }
break;
case 87:
-#line 525 "ntp_parser.y"
+#line 527 "ntp_parser.y"
{ (yyval.VoidPtr) = create_pval("loopstats"); }
break;
case 88:
-#line 527 "ntp_parser.y"
+#line 529 "ntp_parser.y"
{ (yyval.VoidPtr) = create_pval("peerstats"); }
break;
case 89:
-#line 529 "ntp_parser.y"
+#line 531 "ntp_parser.y"
{ (yyval.VoidPtr) = create_pval("rawstats"); }
break;
case 90:
-#line 531 "ntp_parser.y"
+#line 533 "ntp_parser.y"
{ (yyval.VoidPtr) = create_pval("sysstats"); }
break;
case 91:
#line 535 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+ { (yyval.VoidPtr) = create_pval("protostats"); }
break;
case 92:
-#line 536 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+#line 539 "ntp_parser.y"
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 93:
#line 540 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_sval(T_File, (yyvsp[(2) - (2)].String)); }
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 94:
-#line 541 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Type, (yyvsp[(2) - (2)].Integer)); }
+#line 544 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_sval(T_File, (yyvsp[(2) - (2)].String)); }
break;
case 95:
-#line 542 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Link); }
+#line 545 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Type, (yyvsp[(2) - (2)].Integer)); }
break;
case 96:
-#line 543 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Nolink); }
+#line 546 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Link); }
break;
case 97:
-#line 544 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Enable); }
+#line 547 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Nolink); }
break;
case 98:
-#line 545 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Disable); }
+#line 548 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Enable); }
break;
case 99:
#line 549 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_NONE; }
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, T_Disable); }
break;
case 100:
-#line 550 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_PID; }
+#line 553 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_NONE; }
break;
case 101:
-#line 551 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_DAY; }
+#line 554 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_PID; }
break;
case 102:
-#line 552 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_WEEK; }
+#line 555 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_DAY; }
break;
case 103:
-#line 553 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_MONTH; }
+#line 556 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_WEEK; }
break;
case 104:
-#line 554 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_YEAR; }
+#line 557 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_MONTH; }
break;
case 105:
-#line 555 "ntp_parser.y"
- { (yyval.Integer) = FILEGEN_AGE; }
+#line 558 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_YEAR; }
break;
case 106:
-#line 565 "ntp_parser.y"
- { append_queue(my_config.discard_opts, (yyvsp[(2) - (2)].Queue)); }
+#line 559 "ntp_parser.y"
+ { (yyval.Integer) = FILEGEN_AGE; }
break;
case 107:
-#line 567 "ntp_parser.y"
+#line 569 "ntp_parser.y"
+ { append_queue(my_config.discard_opts, (yyvsp[(2) - (2)].Queue)); }
+ break;
+
+ case 108:
+#line 571 "ntp_parser.y"
{
enqueue(my_config.restrict_opts,
create_restrict_node((yyvsp[(2) - (3)].Address_node), NULL, (yyvsp[(3) - (3)].Queue), ip_file->line_no));
}
break;
- case 108:
-#line 572 "ntp_parser.y"
+ case 109:
+#line 576 "ntp_parser.y"
{
enqueue(my_config.restrict_opts,
create_restrict_node(NULL, NULL, (yyvsp[(3) - (3)].Queue), ip_file->line_no));
}
break;
- case 109:
-#line 577 "ntp_parser.y"
+ case 110:
+#line 581 "ntp_parser.y"
{
enqueue(my_config.restrict_opts,
create_restrict_node((yyvsp[(2) - (5)].Address_node), (yyvsp[(4) - (5)].Address_node), (yyvsp[(5) - (5)].Queue), ip_file->line_no));
}
break;
- case 110:
-#line 584 "ntp_parser.y"
- { (yyval.Queue) = create_queue(); }
- break;
-
case 111:
-#line 585 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].VoidPtr)); }
+#line 588 "ntp_parser.y"
+ { (yyval.Queue) = create_queue(); }
break;
case 112:
#line 589 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_IGNORE); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].VoidPtr)); }
break;
case 113:
-#line 590 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_KOD); }
+#line 593 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_TIMEOUT); }
break;
case 114:
-#line 591 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_LIMITED); }
+#line 594 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_IGNORE); }
break;
case 115:
-#line 592 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_LPTRAP); }
+#line 595 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_KOD); }
break;
case 116:
-#line 593 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_NOMODIFY); }
+#line 596 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_LIMITED); }
break;
case 117:
-#line 594 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_NOPEER); }
+#line 597 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_LPTRAP); }
break;
case 118:
-#line 595 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_NOQUERY); }
+#line 598 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_NOMODIFY); }
break;
case 119:
-#line 596 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_DONTSERVE); }
+#line 599 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_NOPEER); }
break;
case 120:
-#line 597 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_NOTRAP); }
+#line 600 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_NOQUERY); }
break;
case 121:
-#line 598 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_DONTTRUST); }
+#line 601 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_DONTSERVE); }
break;
case 122:
-#line 599 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RESM_NTPONLY); }
+#line 602 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_NOTRAP); }
break;
case 123:
-#line 600 "ntp_parser.y"
- { (yyval.VoidPtr) = create_ival(RES_VERSION); }
+#line 603 "ntp_parser.y"
+ { (yyval.VoidPtr) = create_ival(RES_DONTTRUST); }
break;
case 124:
#line 604 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+ { (yyval.VoidPtr) = create_ival(RESM_NTPONLY); }
break;
case 125:
#line 605 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+ { (yyval.VoidPtr) = create_ival(RES_VERSION); }
break;
case 126:
#line 609 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Average, (yyvsp[(2) - (2)].Integer)); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 127:
#line 610 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Minimum, (yyvsp[(2) - (2)].Integer)); }
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 128:
-#line 611 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Monitor, (yyvsp[(2) - (2)].Integer)); }
+#line 614 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Average, (yyvsp[(2) - (2)].Integer)); }
break;
case 129:
-#line 620 "ntp_parser.y"
- { enqueue(my_config.fudge, create_addr_opts_node((yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Queue))); }
+#line 615 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Minimum, (yyvsp[(2) - (2)].Integer)); }
break;
case 130:
-#line 624 "ntp_parser.y"
- { enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+#line 616 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Monitor, (yyvsp[(2) - (2)].Integer)); }
break;
case 131:
#line 625 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+ { enqueue(my_config.fudge, create_addr_opts_node((yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Queue))); }
break;
case 132:
-#line 630 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(CLK_HAVETIME1, (yyvsp[(2) - (2)].Double)); }
+#line 629 "ntp_parser.y"
+ { enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 133:
-#line 632 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(CLK_HAVETIME2, (yyvsp[(2) - (2)].Double)); }
+#line 630 "ntp_parser.y"
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 134:
-#line 634 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(CLK_HAVEVAL1, (yyvsp[(2) - (2)].Integer)); }
+#line 635 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(CLK_HAVETIME1, (yyvsp[(2) - (2)].Double)); }
break;
case 135:
-#line 636 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_sval(CLK_HAVEVAL2, (yyvsp[(2) - (2)].String)); }
+#line 637 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(CLK_HAVETIME2, (yyvsp[(2) - (2)].Double)); }
break;
case 136:
-#line 638 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG1, (yyvsp[(2) - (2)].Integer)); }
+#line 639 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(CLK_HAVEVAL1, (yyvsp[(2) - (2)].Integer)); }
break;
case 137:
-#line 640 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG2, (yyvsp[(2) - (2)].Integer)); }
+#line 641 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_sval(CLK_HAVEVAL2, (yyvsp[(2) - (2)].String)); }
break;
case 138:
-#line 642 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG3, (yyvsp[(2) - (2)].Integer)); }
+#line 643 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG1, (yyvsp[(2) - (2)].Integer)); }
break;
case 139:
-#line 644 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG4, (yyvsp[(2) - (2)].Integer)); }
+#line 645 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG2, (yyvsp[(2) - (2)].Integer)); }
break;
case 140:
-#line 653 "ntp_parser.y"
- { append_queue(my_config.enable_opts,(yyvsp[(2) - (2)].Queue)); }
+#line 647 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG3, (yyvsp[(2) - (2)].Integer)); }
break;
case 141:
-#line 655 "ntp_parser.y"
- { append_queue(my_config.disable_opts,(yyvsp[(2) - (2)].Queue)); }
+#line 649 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(CLK_HAVEFLAG4, (yyvsp[(2) - (2)].Integer)); }
break;
case 142:
-#line 659 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+#line 658 "ntp_parser.y"
+ { append_queue(my_config.enable_opts,(yyvsp[(2) - (2)].Queue)); }
break;
case 143:
#line 660 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+ { append_queue(my_config.disable_opts,(yyvsp[(2) - (2)].Queue)); }
break;
case 144:
#line 664 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_AUTHENTICATE); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 145:
#line 665 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_BROADCLIENT); }
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 146:
-#line 666 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_CAL); }
+#line 669 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_AUTHENTICATE); }
break;
case 147:
-#line 667 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_KERNEL); }
+#line 670 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_BROADCLIENT); }
break;
case 148:
-#line 668 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_MONITOR); }
+#line 671 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_CAL); }
break;
case 149:
-#line 669 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_NTP); }
+#line 672 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_KERNEL); }
break;
case 150:
-#line 671 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_FILEGEN); }
+#line 673 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_MONITOR); }
break;
case 151:
-#line 679 "ntp_parser.y"
- { append_queue(my_config.tinker, (yyvsp[(2) - (2)].Queue)); }
+#line 674 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_NTP); }
break;
case 152:
-#line 683 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+#line 676 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Flag, PROTO_FILEGEN); }
break;
case 153:
#line 684 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+ { append_queue(my_config.tinker, (yyvsp[(2) - (2)].Queue)); }
break;
case 154:
#line 688 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_ALLAN, (yyvsp[(2) - (2)].Double)); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 155:
#line 689 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_PHI, (yyvsp[(2) - (2)].Double)); }
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 156:
-#line 690 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_FREQ, (yyvsp[(2) - (2)].Double)); }
+#line 693 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_ALLAN, (yyvsp[(2) - (2)].Double)); }
break;
case 157:
-#line 691 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_HUFFPUFF, (yyvsp[(2) - (2)].Double)); }
+#line 694 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_PHI, (yyvsp[(2) - (2)].Double)); }
break;
case 158:
-#line 692 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_PANIC, (yyvsp[(2) - (2)].Double)); }
+#line 695 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_FREQ, (yyvsp[(2) - (2)].Double)); }
break;
case 159:
-#line 693 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_MAX, (yyvsp[(2) - (2)].Double)); }
+#line 696 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_HUFFPUFF, (yyvsp[(2) - (2)].Double)); }
break;
case 160:
-#line 694 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(LOOP_MINSTEP, (yyvsp[(2) - (2)].Double)); }
+#line 697 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_PANIC, (yyvsp[(2) - (2)].Double)); }
break;
case 161:
-#line 703 "ntp_parser.y"
+#line 698 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_MAX, (yyvsp[(2) - (2)].Double)); }
+ break;
+
+ case 162:
+#line 699 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_dval(LOOP_MINSTEP, (yyvsp[(2) - (2)].Double)); }
+ break;
+
+ case 163:
+#line 708 "ntp_parser.y"
{
if (curr_include_level >= MAXINCLUDELEVEL) {
fprintf(stderr, "getconfig: Maximum include file level exceeded.\n");
}
break;
- case 162:
-#line 719 "ntp_parser.y"
+ case 164:
+#line 724 "ntp_parser.y"
{
while (curr_include_level != -1)
FCLOSE(fp[curr_include_level--]);
}
break;
- case 163:
-#line 725 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_dval(T_Broadcastdelay, (yyvsp[(2) - (2)].Double))); }
- break;
-
- case 164:
-#line 727 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_ival(T_Calldelay, (yyvsp[(2) - (2)].Integer))); }
- break;
-
case 165:
-#line 729 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_dval(T_Tick, (yyvsp[(2) - (2)].Double))); }
+#line 730 "ntp_parser.y"
+ { enqueue(my_config.vars, create_attr_dval(T_Broadcastdelay, (yyvsp[(2) - (2)].Double))); }
break;
case 166:
-#line 731 "ntp_parser.y"
- { /* Null action, possibly all null parms */ }
+#line 732 "ntp_parser.y"
+ { enqueue(my_config.vars, create_attr_ival(T_Calldelay, (yyvsp[(2) - (2)].Integer))); }
break;
case 167:
-#line 733 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_sval(T_Leapfile, (yyvsp[(2) - (2)].String))); }
+#line 734 "ntp_parser.y"
+ { enqueue(my_config.vars, create_attr_dval(T_Tick, (yyvsp[(2) - (2)].Double))); }
break;
case 168:
#line 736 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_sval(T_Pidfile, (yyvsp[(2) - (2)].String))); }
+ { /* Null action, possibly all null parms */ }
break;
case 169:
#line 738 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_sval(T_Logfile, (yyvsp[(2) - (2)].String))); }
+ { enqueue(my_config.vars, create_attr_sval(T_Leapfile, (yyvsp[(2) - (2)].String))); }
break;
case 170:
-#line 740 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_ival(T_Automax, (yyvsp[(2) - (2)].Integer))); }
+#line 741 "ntp_parser.y"
+ { enqueue(my_config.vars, create_attr_sval(T_Pidfile, (yyvsp[(2) - (2)].String))); }
break;
case 171:
#line 743 "ntp_parser.y"
- { append_queue(my_config.logconfig, (yyvsp[(2) - (2)].Queue)); }
+ { enqueue(my_config.vars, create_attr_sval(T_Logfile, (yyvsp[(2) - (2)].String))); }
break;
case 172:
#line 745 "ntp_parser.y"
- { append_queue(my_config.phone, (yyvsp[(2) - (2)].Queue)); }
+ { enqueue(my_config.vars, create_attr_ival(T_Automax, (yyvsp[(2) - (2)].Integer))); }
break;
case 173:
-#line 747 "ntp_parser.y"
- { enqueue(my_config.setvar, (yyvsp[(2) - (2)].Set_var)); }
+#line 748 "ntp_parser.y"
+ { append_queue(my_config.logconfig, (yyvsp[(2) - (2)].Queue)); }
break;
case 174:
-#line 749 "ntp_parser.y"
- { enqueue(my_config.trap, create_addr_opts_node((yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Queue))); }
+#line 750 "ntp_parser.y"
+ { append_queue(my_config.phone, (yyvsp[(2) - (2)].Queue)); }
break;
case 175:
-#line 751 "ntp_parser.y"
- { append_queue(my_config.ttl, (yyvsp[(2) - (2)].Queue)); }
+#line 752 "ntp_parser.y"
+ { enqueue(my_config.setvar, (yyvsp[(2) - (2)].Set_var)); }
break;
case 176:
-#line 753 "ntp_parser.y"
- { enqueue(my_config.qos, create_attr_sval(T_Qos, (yyvsp[(2) - (2)].String))); }
+#line 754 "ntp_parser.y"
+ { enqueue(my_config.trap, create_addr_opts_node((yyvsp[(2) - (3)].Address_node), (yyvsp[(3) - (3)].Queue))); }
break;
case 177:
-#line 757 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_sval(T_Driftfile, (yyvsp[(1) - (1)].String))); }
+#line 756 "ntp_parser.y"
+ { append_queue(my_config.ttl, (yyvsp[(2) - (2)].Queue)); }
break;
case 178:
-#line 759 "ntp_parser.y"
- { enqueue(my_config.vars, create_attr_dval(T_WanderThreshold, (yyvsp[(2) - (2)].Double)));
- enqueue(my_config.vars, create_attr_sval(T_Driftfile, (yyvsp[(1) - (2)].String))); }
+#line 758 "ntp_parser.y"
+ { enqueue(my_config.qos, create_attr_sval(T_Qos, (yyvsp[(2) - (2)].String))); }
break;
case 179:
-#line 761 "ntp_parser.y"
- { /* Null driftfile, indicated by null string "\0" */
- enqueue(my_config.vars, create_attr_sval(T_Driftfile, "\0")); }
+#line 762 "ntp_parser.y"
+ { enqueue(my_config.vars, create_attr_sval(T_Driftfile, (yyvsp[(1) - (1)].String))); }
break;
case 180:
-#line 767 "ntp_parser.y"
- { (yyval.Set_var) = create_setvar_node((yyvsp[(1) - (4)].String), (yyvsp[(3) - (4)].String), DEF); }
+#line 764 "ntp_parser.y"
+ { enqueue(my_config.vars, create_attr_dval(T_WanderThreshold, (yyvsp[(2) - (2)].Double)));
+ enqueue(my_config.vars, create_attr_sval(T_Driftfile, (yyvsp[(1) - (2)].String))); }
break;
case 181:
-#line 769 "ntp_parser.y"
- { (yyval.Set_var) = create_setvar_node((yyvsp[(1) - (3)].String), (yyvsp[(3) - (3)].String), 0); }
+#line 766 "ntp_parser.y"
+ { /* Null driftfile, indicated by null string "\0" */
+ enqueue(my_config.vars, create_attr_sval(T_Driftfile, "\0")); }
break;
case 182:
-#line 774 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+#line 772 "ntp_parser.y"
+ { (yyval.Set_var) = create_setvar_node((yyvsp[(1) - (4)].String), (yyvsp[(3) - (4)].String), DEF); }
break;
case 183:
-#line 775 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+#line 774 "ntp_parser.y"
+ { (yyval.Set_var) = create_setvar_node((yyvsp[(1) - (3)].String), (yyvsp[(3) - (3)].String), 0); }
break;
case 184:
#line 779 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_ival(T_Port, (yyvsp[(2) - (2)].Integer)); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 185:
#line 780 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_pval(T_Interface, (yyvsp[(2) - (2)].Address_node)); }
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
break;
case 186:
-#line 785 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
+#line 784 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_ival(T_Port, (yyvsp[(2) - (2)].Integer)); }
break;
case 187:
-#line 786 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+#line 785 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_pval(T_Interface, (yyvsp[(2) - (2)].Address_node)); }
break;
case 188:
#line 790 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String)); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Attr_val)); }
break;
case 189:
-#line 792 "ntp_parser.y"
+#line 791 "ntp_parser.y"
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Attr_val)); }
+ break;
+
+ case 190:
+#line 795 "ntp_parser.y"
+ { (yyval.Attr_val) = create_attr_sval((yyvsp[(1) - (2)].Integer), (yyvsp[(2) - (2)].String)); }
+ break;
+
+ case 191:
+#line 797 "ntp_parser.y"
{
/* YUCK!! This is needed because '+' and '-' are not special characters
* while '=' is.
}
break;
- case 190:
-#line 808 "ntp_parser.y"
- { (yyval.Integer) = '+'; }
- break;
-
- case 191:
-#line 809 "ntp_parser.y"
- { (yyval.Integer) = '-'; }
- break;
-
case 192:
-#line 810 "ntp_parser.y"
- { (yyval.Integer) = '='; }
+#line 813 "ntp_parser.y"
+ { (yyval.Integer) = '+'; }
break;
case 193:
-#line 819 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), create_ival((yyvsp[(2) - (2)].Integer))); }
+#line 814 "ntp_parser.y"
+ { (yyval.Integer) = '-'; }
break;
case 194:
-#line 820 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue(create_ival((yyvsp[(1) - (1)].Integer))); }
+#line 815 "ntp_parser.y"
+ { (yyval.Integer) = '='; }
break;
case 195:
#line 824 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), create_pval((yyvsp[(2) - (2)].String))); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), create_ival((yyvsp[(2) - (2)].Integer))); }
break;
case 196:
#line 825 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue(create_pval((yyvsp[(1) - (1)].String))); }
+ { (yyval.Queue) = enqueue_in_new_queue(create_ival((yyvsp[(1) - (1)].Integer))); }
break;
case 197:
#line 829 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Address_node)); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), create_pval((yyvsp[(2) - (2)].String))); }
break;
case 198:
#line 830 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Address_node)); }
+ { (yyval.Queue) = enqueue_in_new_queue(create_pval((yyvsp[(1) - (1)].String))); }
break;
case 199:
+#line 834 "ntp_parser.y"
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Address_node)); }
+ break;
+
+ case 200:
#line 835 "ntp_parser.y"
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Address_node)); }
+ break;
+
+ case 201:
+#line 840 "ntp_parser.y"
{
if ((yyvsp[(1) - (1)].Integer) != 0 && (yyvsp[(1) - (1)].Integer) != 1) {
yyerror("Integer value is not boolean (0 or 1). Assuming 1");
}
break;
- case 200:
-#line 843 "ntp_parser.y"
+ case 202:
+#line 848 "ntp_parser.y"
{ (yyval.Integer) = 1; }
break;
- case 201:
-#line 844 "ntp_parser.y"
+ case 203:
+#line 849 "ntp_parser.y"
{ (yyval.Integer) = 0; }
break;
- case 202:
-#line 848 "ntp_parser.y"
+ case 204:
+#line 853 "ntp_parser.y"
{ (yyval.Double) = (double)(yyvsp[(1) - (1)].Integer); }
break;
- case 203:
-#line 849 "ntp_parser.y"
+ case 205:
+#line 854 "ntp_parser.y"
{ (yyval.Double) = (yyvsp[(1) - (1)].Double); }
break;
- case 204:
-#line 858 "ntp_parser.y"
+ case 206:
+#line 863 "ntp_parser.y"
{
my_config.sim_details = create_sim_node((yyvsp[(3) - (5)].Queue), (yyvsp[(4) - (5)].Queue));
}
break;
- case 205:
-#line 872 "ntp_parser.y"
- { old_config_style = 0; }
- break;
-
- case 206:
-#line 876 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (3)].Queue), (yyvsp[(2) - (3)].Attr_val)); }
- break;
-
case 207:
#line 877 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (2)].Attr_val)); }
+ { old_config_style = 0; }
break;
case 208:
#line 881 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(T_Beep_Delay, (yyvsp[(3) - (3)].Double)); }
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (3)].Queue), (yyvsp[(2) - (3)].Attr_val)); }
break;
case 209:
#line 882 "ntp_parser.y"
- { (yyval.Attr_val) = create_attr_dval(T_Sim_Duration, (yyvsp[(3) - (3)].Double)); }
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (2)].Attr_val)); }
break;
case 210:
#line 886 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Sim_server)); }
+ { (yyval.Attr_val) = create_attr_dval(T_Beep_Delay, (yyvsp[(3) - (3)].Double)); }
break;
case 211:
#line 887 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Sim_server)); }
+ { (yyval.Attr_val) = create_attr_dval(T_Sim_Duration, (yyvsp[(3) - (3)].Double)); }
break;
case 212:
-#line 892 "ntp_parser.y"
- { (yyval.Sim_server) = create_sim_server((yyvsp[(1) - (5)].Address_node), (yyvsp[(3) - (5)].Double), (yyvsp[(4) - (5)].Queue)); }
+#line 891 "ntp_parser.y"
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Sim_server)); }
break;
case 213:
-#line 896 "ntp_parser.y"
- { (yyval.Double) = (yyvsp[(3) - (4)].Double); }
+#line 892 "ntp_parser.y"
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Sim_server)); }
break;
case 214:
-#line 900 "ntp_parser.y"
- { (yyval.Address_node) = (yyvsp[(3) - (3)].Address_node); }
+#line 897 "ntp_parser.y"
+ { (yyval.Sim_server) = create_sim_server((yyvsp[(1) - (5)].Address_node), (yyvsp[(3) - (5)].Double), (yyvsp[(4) - (5)].Queue)); }
break;
case 215:
-#line 904 "ntp_parser.y"
- { (yyval.Address_node) = (yyvsp[(1) - (1)].Address_node); }
+#line 901 "ntp_parser.y"
+ { (yyval.Double) = (yyvsp[(3) - (4)].Double); }
break;
case 216:
#line 905 "ntp_parser.y"
- { (yyval.Address_node) = create_address_node((yyvsp[(1) - (1)].String), T_String); }
+ { (yyval.Address_node) = (yyvsp[(3) - (3)].Address_node); }
break;
case 217:
#line 909 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Sim_script)); }
+ { (yyval.Address_node) = (yyvsp[(1) - (1)].Address_node); }
break;
case 218:
#line 910 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Sim_script)); }
+ { (yyval.Address_node) = create_address_node((yyvsp[(1) - (1)].String), T_String); }
break;
case 219:
-#line 915 "ntp_parser.y"
- { (yyval.Sim_script) = create_sim_script_info((yyvsp[(3) - (6)].Double), (yyvsp[(5) - (6)].Queue)); }
+#line 914 "ntp_parser.y"
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (2)].Queue), (yyvsp[(2) - (2)].Sim_script)); }
break;
case 220:
-#line 919 "ntp_parser.y"
- { (yyval.Queue) = enqueue((yyvsp[(1) - (3)].Queue), (yyvsp[(2) - (3)].Attr_val)); }
+#line 915 "ntp_parser.y"
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (1)].Sim_script)); }
break;
case 221:
#line 920 "ntp_parser.y"
- { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (2)].Attr_val)); }
+ { (yyval.Sim_script) = create_sim_script_info((yyvsp[(3) - (6)].Double), (yyvsp[(5) - (6)].Queue)); }
break;
case 222:
+#line 924 "ntp_parser.y"
+ { (yyval.Queue) = enqueue((yyvsp[(1) - (3)].Queue), (yyvsp[(2) - (3)].Attr_val)); }
+ break;
+
+ case 223:
#line 925 "ntp_parser.y"
+ { (yyval.Queue) = enqueue_in_new_queue((yyvsp[(1) - (2)].Attr_val)); }
+ break;
+
+ case 224:
+#line 930 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(T_Freq_Offset, (yyvsp[(3) - (3)].Double)); }
break;
- case 223:
-#line 927 "ntp_parser.y"
+ case 225:
+#line 932 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(T_Wander, (yyvsp[(3) - (3)].Double)); }
break;
- case 224:
-#line 929 "ntp_parser.y"
+ case 226:
+#line 934 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(T_Jitter, (yyvsp[(3) - (3)].Double)); }
break;
- case 225:
-#line 931 "ntp_parser.y"
+ case 227:
+#line 936 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(T_Prop_Delay, (yyvsp[(3) - (3)].Double)); }
break;
- case 226:
-#line 933 "ntp_parser.y"
+ case 228:
+#line 938 "ntp_parser.y"
{ (yyval.Attr_val) = create_attr_dval(T_Proc_Delay, (yyvsp[(3) - (3)].Double)); }
break;
/* Line 1267 of yacc.c. */
-#line 3202 "../../ntpd/ntp_parser.c"
+#line 3228 "../../ntpd/ntp_parser.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
}
-#line 937 "ntp_parser.y"
+#line 942 "ntp_parser.y"
/* KEYWORDS
T_Flag2 = 292,
T_Flag3 = 293,
T_Flag4 = 294,
- T_Floor = 295,
- T_Freq = 296,
- T_Fudge = 297,
- T_Host = 298,
- T_Huffpuff = 299,
- T_IPv4_address = 300,
- T_IPv6_address = 301,
- T_Iburst = 302,
- T_Ident = 303,
- T_Ignore = 304,
- T_Includefile = 305,
- T_Integer = 306,
- T_Interface = 307,
- T_Kernel = 308,
- T_Key = 309,
- T_Keys = 310,
- T_Keysdir = 311,
- T_Kod = 312,
- T_Leap = 313,
- T_Leapfile = 314,
- T_Limited = 315,
- T_Link = 316,
- T_Logconfig = 317,
- T_Logfile = 318,
- T_Loopstats = 319,
- T_Lowpriotrap = 320,
- T_Manycastclient = 321,
- T_Manycastserver = 322,
- T_Mask = 323,
- T_Maxclock = 324,
- T_Maxdist = 325,
- T_Maxhop = 326,
- T_Maxpoll = 327,
- T_Minclock = 328,
- T_Mindist = 329,
- T_Minimum = 330,
- T_Minpoll = 331,
- T_Minsane = 332,
- T_Mode = 333,
- T_Monitor = 334,
- T_Month = 335,
- T_Multicastclient = 336,
- T_Nolink = 337,
- T_Nomodify = 338,
- T_None = 339,
- T_Nopeer = 340,
- T_Noquery = 341,
- T_Noselect = 342,
- T_Noserve = 343,
- T_Notrap = 344,
- T_Notrust = 345,
- T_Novolley = 346,
- T_Ntp = 347,
- T_Ntpport = 348,
- T_Orphan = 349,
- T_Panic = 350,
- T_Peer = 351,
- T_Peerstats = 352,
- T_Phone = 353,
- T_Pid = 354,
- T_Pidfile = 355,
- T_Pool = 356,
- T_Port = 357,
- T_Pps = 358,
- T_Preempt = 359,
- T_Prefer = 360,
- T_Pw = 361,
- T_Qos = 362,
- T_RandFile = 363,
- T_Rawstats = 364,
- T_Refid = 365,
- T_Requestkey = 366,
- T_Restrict = 367,
- T_Revoke = 368,
- T_Server = 369,
- T_Setvar = 370,
- T_Sign = 371,
- T_Statistics = 372,
- T_Stats = 373,
- T_Statsdir = 374,
- T_Step = 375,
- T_Stepout = 376,
- T_Stratum = 377,
- T_String = 378,
- T_Sysstats = 379,
- T_Tick = 380,
- T_Time1 = 381,
- T_Time2 = 382,
- T_Tinker = 383,
- T_Tos = 384,
- T_Trap = 385,
- T_True = 386,
- T_Trustedkey = 387,
- T_Ttl = 388,
- T_Type = 389,
- T_Version = 390,
- T_Week = 391,
- T_Year = 392,
- T_Flag = 393,
- T_Void = 394,
- T_EOC = 395,
- T_Simulate = 396,
- T_Beep_Delay = 397,
- T_Sim_Duration = 398,
- T_Server_Offset = 399,
- T_Duration = 400,
- T_Freq_Offset = 401,
- T_Wander = 402,
- T_Jitter = 403,
- T_Prop_Delay = 404,
- T_Proc_Delay = 405
+ T_Flake = 295,
+ T_Floor = 296,
+ T_Freq = 297,
+ T_Fudge = 298,
+ T_Host = 299,
+ T_Huffpuff = 300,
+ T_IPv4_address = 301,
+ T_IPv6_address = 302,
+ T_Iburst = 303,
+ T_Ident = 304,
+ T_Ignore = 305,
+ T_Includefile = 306,
+ T_Integer = 307,
+ T_Interface = 308,
+ T_Kernel = 309,
+ T_Key = 310,
+ T_Keys = 311,
+ T_Keysdir = 312,
+ T_Kod = 313,
+ T_Leap = 314,
+ T_Leapfile = 315,
+ T_Limited = 316,
+ T_Link = 317,
+ T_Logconfig = 318,
+ T_Logfile = 319,
+ T_Loopstats = 320,
+ T_Lowpriotrap = 321,
+ T_Manycastclient = 322,
+ T_Manycastserver = 323,
+ T_Mask = 324,
+ T_Maxclock = 325,
+ T_Maxdist = 326,
+ T_Maxhop = 327,
+ T_Maxpoll = 328,
+ T_Minclock = 329,
+ T_Mindist = 330,
+ T_Minimum = 331,
+ T_Minpoll = 332,
+ T_Minsane = 333,
+ T_Mode = 334,
+ T_Monitor = 335,
+ T_Month = 336,
+ T_Multicastclient = 337,
+ T_Nolink = 338,
+ T_Nomodify = 339,
+ T_None = 340,
+ T_Nopeer = 341,
+ T_Noquery = 342,
+ T_Noselect = 343,
+ T_Noserve = 344,
+ T_Notrap = 345,
+ T_Notrust = 346,
+ T_Novolley = 347,
+ T_Ntp = 348,
+ T_Ntpport = 349,
+ T_Orphan = 350,
+ T_Panic = 351,
+ T_Peer = 352,
+ T_Peerstats = 353,
+ T_Phone = 354,
+ T_Pid = 355,
+ T_Pidfile = 356,
+ T_Pool = 357,
+ T_Port = 358,
+ T_Pps = 359,
+ T_Preempt = 360,
+ T_Prefer = 361,
+ T_Protostats = 362,
+ T_Pw = 363,
+ T_Qos = 364,
+ T_RandFile = 365,
+ T_Rawstats = 366,
+ T_Refid = 367,
+ T_Requestkey = 368,
+ T_Restrict = 369,
+ T_Revoke = 370,
+ T_Server = 371,
+ T_Setvar = 372,
+ T_Sign = 373,
+ T_Statistics = 374,
+ T_Stats = 375,
+ T_Statsdir = 376,
+ T_Step = 377,
+ T_Stepout = 378,
+ T_Stratum = 379,
+ T_String = 380,
+ T_Sysstats = 381,
+ T_Tick = 382,
+ T_Time1 = 383,
+ T_Time2 = 384,
+ T_Tinker = 385,
+ T_Tos = 386,
+ T_Trap = 387,
+ T_True = 388,
+ T_Trustedkey = 389,
+ T_Ttl = 390,
+ T_Type = 391,
+ T_Version = 392,
+ T_Week = 393,
+ T_Year = 394,
+ T_Flag = 395,
+ T_Void = 396,
+ T_EOC = 397,
+ T_Simulate = 398,
+ T_Beep_Delay = 399,
+ T_Sim_Duration = 400,
+ T_Server_Offset = 401,
+ T_Duration = 402,
+ T_Freq_Offset = 403,
+ T_Wander = 404,
+ T_Jitter = 405,
+ T_Prop_Delay = 406,
+ T_Proc_Delay = 407
};
#endif
/* Tokens. */
#define T_Flag2 292
#define T_Flag3 293
#define T_Flag4 294
-#define T_Floor 295
-#define T_Freq 296
-#define T_Fudge 297
-#define T_Host 298
-#define T_Huffpuff 299
-#define T_IPv4_address 300
-#define T_IPv6_address 301
-#define T_Iburst 302
-#define T_Ident 303
-#define T_Ignore 304
-#define T_Includefile 305
-#define T_Integer 306
-#define T_Interface 307
-#define T_Kernel 308
-#define T_Key 309
-#define T_Keys 310
-#define T_Keysdir 311
-#define T_Kod 312
-#define T_Leap 313
-#define T_Leapfile 314
-#define T_Limited 315
-#define T_Link 316
-#define T_Logconfig 317
-#define T_Logfile 318
-#define T_Loopstats 319
-#define T_Lowpriotrap 320
-#define T_Manycastclient 321
-#define T_Manycastserver 322
-#define T_Mask 323
-#define T_Maxclock 324
-#define T_Maxdist 325
-#define T_Maxhop 326
-#define T_Maxpoll 327
-#define T_Minclock 328
-#define T_Mindist 329
-#define T_Minimum 330
-#define T_Minpoll 331
-#define T_Minsane 332
-#define T_Mode 333
-#define T_Monitor 334
-#define T_Month 335
-#define T_Multicastclient 336
-#define T_Nolink 337
-#define T_Nomodify 338
-#define T_None 339
-#define T_Nopeer 340
-#define T_Noquery 341
-#define T_Noselect 342
-#define T_Noserve 343
-#define T_Notrap 344
-#define T_Notrust 345
-#define T_Novolley 346
-#define T_Ntp 347
-#define T_Ntpport 348
-#define T_Orphan 349
-#define T_Panic 350
-#define T_Peer 351
-#define T_Peerstats 352
-#define T_Phone 353
-#define T_Pid 354
-#define T_Pidfile 355
-#define T_Pool 356
-#define T_Port 357
-#define T_Pps 358
-#define T_Preempt 359
-#define T_Prefer 360
-#define T_Pw 361
-#define T_Qos 362
-#define T_RandFile 363
-#define T_Rawstats 364
-#define T_Refid 365
-#define T_Requestkey 366
-#define T_Restrict 367
-#define T_Revoke 368
-#define T_Server 369
-#define T_Setvar 370
-#define T_Sign 371
-#define T_Statistics 372
-#define T_Stats 373
-#define T_Statsdir 374
-#define T_Step 375
-#define T_Stepout 376
-#define T_Stratum 377
-#define T_String 378
-#define T_Sysstats 379
-#define T_Tick 380
-#define T_Time1 381
-#define T_Time2 382
-#define T_Tinker 383
-#define T_Tos 384
-#define T_Trap 385
-#define T_True 386
-#define T_Trustedkey 387
-#define T_Ttl 388
-#define T_Type 389
-#define T_Version 390
-#define T_Week 391
-#define T_Year 392
-#define T_Flag 393
-#define T_Void 394
-#define T_EOC 395
-#define T_Simulate 396
-#define T_Beep_Delay 397
-#define T_Sim_Duration 398
-#define T_Server_Offset 399
-#define T_Duration 400
-#define T_Freq_Offset 401
-#define T_Wander 402
-#define T_Jitter 403
-#define T_Prop_Delay 404
-#define T_Proc_Delay 405
+#define T_Flake 295
+#define T_Floor 296
+#define T_Freq 297
+#define T_Fudge 298
+#define T_Host 299
+#define T_Huffpuff 300
+#define T_IPv4_address 301
+#define T_IPv6_address 302
+#define T_Iburst 303
+#define T_Ident 304
+#define T_Ignore 305
+#define T_Includefile 306
+#define T_Integer 307
+#define T_Interface 308
+#define T_Kernel 309
+#define T_Key 310
+#define T_Keys 311
+#define T_Keysdir 312
+#define T_Kod 313
+#define T_Leap 314
+#define T_Leapfile 315
+#define T_Limited 316
+#define T_Link 317
+#define T_Logconfig 318
+#define T_Logfile 319
+#define T_Loopstats 320
+#define T_Lowpriotrap 321
+#define T_Manycastclient 322
+#define T_Manycastserver 323
+#define T_Mask 324
+#define T_Maxclock 325
+#define T_Maxdist 326
+#define T_Maxhop 327
+#define T_Maxpoll 328
+#define T_Minclock 329
+#define T_Mindist 330
+#define T_Minimum 331
+#define T_Minpoll 332
+#define T_Minsane 333
+#define T_Mode 334
+#define T_Monitor 335
+#define T_Month 336
+#define T_Multicastclient 337
+#define T_Nolink 338
+#define T_Nomodify 339
+#define T_None 340
+#define T_Nopeer 341
+#define T_Noquery 342
+#define T_Noselect 343
+#define T_Noserve 344
+#define T_Notrap 345
+#define T_Notrust 346
+#define T_Novolley 347
+#define T_Ntp 348
+#define T_Ntpport 349
+#define T_Orphan 350
+#define T_Panic 351
+#define T_Peer 352
+#define T_Peerstats 353
+#define T_Phone 354
+#define T_Pid 355
+#define T_Pidfile 356
+#define T_Pool 357
+#define T_Port 358
+#define T_Pps 359
+#define T_Preempt 360
+#define T_Prefer 361
+#define T_Protostats 362
+#define T_Pw 363
+#define T_Qos 364
+#define T_RandFile 365
+#define T_Rawstats 366
+#define T_Refid 367
+#define T_Requestkey 368
+#define T_Restrict 369
+#define T_Revoke 370
+#define T_Server 371
+#define T_Setvar 372
+#define T_Sign 373
+#define T_Statistics 374
+#define T_Stats 375
+#define T_Statsdir 376
+#define T_Step 377
+#define T_Stepout 378
+#define T_Stratum 379
+#define T_String 380
+#define T_Sysstats 381
+#define T_Tick 382
+#define T_Time1 383
+#define T_Time2 384
+#define T_Tinker 385
+#define T_Tos 386
+#define T_Trap 387
+#define T_True 388
+#define T_Trustedkey 389
+#define T_Ttl 390
+#define T_Type 391
+#define T_Version 392
+#define T_Week 393
+#define T_Year 394
+#define T_Flag 395
+#define T_Void 396
+#define T_EOC 397
+#define T_Simulate 398
+#define T_Beep_Delay 399
+#define T_Sim_Duration 400
+#define T_Server_Offset 401
+#define T_Duration 402
+#define T_Freq_Offset 403
+#define T_Wander 404
+#define T_Jitter 405
+#define T_Prop_Delay 406
+#define T_Proc_Delay 407
script_info *Sim_script;
}
/* Line 1529 of yacc.c. */
-#line 364 "../../ntpd/ntp_parser.h"
+#line 368 "../../ntpd/ntp_parser.h"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
%token T_Flag2
%token T_Flag3
%token T_Flag4
+%token T_Flake
%token T_Floor
%token T_Freq
%token T_Fudge
%token T_Pps
%token T_Preempt
%token T_Prefer
+%token T_Protostats
%token T_Pw
%token T_Qos
%token T_RandFile
option
/* : /* Null Statement { $$ = NULL; } */
- : T_Autokey { $$ = create_attr_ival(T_Flag, FLAG_SKEY | FLAG_AUTHENABLE); }
+ : T_Autokey { $$ = create_attr_ival(T_Flag, FLAG_SKEY); }
| T_Burst { $$ = create_attr_ival(T_Flag, FLAG_BURST); }
| T_Iburst { $$ = create_attr_ival(T_Flag, FLAG_IBURST); }
| T_Key T_Integer { $$ = create_attr_ival(T_Key, $2); }
{ $$ = create_pval("rawstats"); }
| T_Sysstats
{ $$ = create_pval("sysstats"); }
+ | T_Protostats
+ { $$ = create_pval("protostats"); }
;
filegen_option_list
;
access_control_flag
- : T_Ignore { $$ = create_ival(RES_IGNORE); }
+ : T_Flake { $$ = create_ival(RES_TIMEOUT); }
+ | T_Ignore { $$ = create_ival(RES_IGNORE); }
| T_Kod { $$ = create_ival(RES_KOD); }
| T_Limited { $$ = create_ival(RES_LIMITED); }
| T_Lowpriotrap { $$ = create_ival(RES_LPTRAP); }
#include "ntpd.h"
#include "ntp_stdlib.h"
+#include "ntp_control.h"
#include <ntp_random.h>
#ifdef OPENSSL
#include "openssl/rand.h"
* NO_PEER | e 1 0 1 1 1
* ACTIVE | e 1 1 0 0 0
* PASSIVE | e 1 e 0 0 0
- * CLIENT | e 0 0 0 1 1
+ * CLIENT | e 0 0 0 1 0
* SERVER | e 0 0 0 0 0
* BCAST | e 0 0 0 0 0
* BCLIENT | e 0 0 0 e 1
/*P*/ { AM_ERR, AM_PROCPKT, AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH},
-/*C*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT, AM_POSSBCL},
+/*C*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT, AM_NOMATCH},
/*S*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH},
/*BCL*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT},
};
-#define MATCH_ASSOC(x,y) AM[(x)][(y)]
+#define MATCH_ASSOC(x, y) AM[(x)][(y)]
/*
* These routines manage the allocation of memory to peer structures
static void getmorepeermem (void);
static struct interface *select_peerinterface (struct peer *, struct sockaddr_storage *, struct interface *, u_char);
+static int score(struct peer *);
+
/*
* init_peer - initialize peer data structures and counters
*
/*
- * unpeer - remove peer structure from hash table and free structure
+ * score_all() - determine if an association can be demobilized
*/
-void
-unpeer(
- struct peer *peer_to_remove
+int
+score_all(
+ struct peer *peer /* peer structure pointer */
)
{
- int hash;
-#ifdef OPENSSL
- char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
-
- if (peer_to_remove->flags & FLAG_SKEY) {
- sprintf(statstr,
- "unpeer %d flash %x reach %03o flags %04x",
- peer_to_remove->associd, peer_to_remove->flash,
- peer_to_remove->reach, peer_to_remove->flags);
- record_crypto_stats(&peer_to_remove->srcadr, statstr);
-#ifdef DEBUG
- if (debug)
- printf("peer: %s\n", statstr);
-#endif
+ struct peer *speer, *next_peer;
+ int n;
+ int temp, tamp;
+
+ /*
+ * This routine finds the minimum score for all ephemeral
+ * assocations and returns > 0 if the association can be
+ * demobilized.
+ */
+ tamp = score(peer);
+ temp = 100;
+ for (n = 0; n < NTP_HASH_SIZE; n++) {
+ for (speer = peer_hash[n]; speer != 0; speer =
+ next_peer) {
+ int x;
+
+ next_peer = speer->next;
+ if ((x = score(speer)) < temp && (peer->flags &
+ FLAG_PREEMPT))
+ temp = x;
+ }
}
-#endif /* OPENSSL */
#ifdef DEBUG
if (debug)
- printf("demobilize %u assoc %d ephem %d\n", peer_to_remove->associd,
- peer_associations, peer_preempt);
+ printf("score_all: at %lu score %d min %d\n",
+ current_time, tamp, temp);
#endif
+ if (tamp != temp)
+ temp = 0;
+ return (temp);
+}
+
+
+/*
+ * score() - calculate preemption score
+ */
+static int
+score(
+ struct peer *peer /* peer structure pointer */
+ )
+{
+ int temp;
+
+ /*
+ * This routine calculates the premption score from the peer
+ * error bits and status. Increasing values are more cherished.
+ */
+ temp = 0;
+ if (!(peer->flash & TEST10))
+ temp++; /* 1 good synch and stratum */
+ if (!(peer->flash & TEST13))
+ temp++; /* 2 reachable */
+ if (!(peer->flash & TEST12))
+ temp++; /* 3 no loop */
+ if (!(peer->flash & TEST11))
+ temp++; /* 4 good distance */
+ if (peer->status >= CTL_PST_SEL_SELCAND)
+ temp++; /* 5 in the hunt */
+ if (peer->status != CTL_PST_SEL_EXCESS)
+ temp++; /* 6 not spare tire */
+ return (temp); /* selection status */
+}
+
+
+/*
+ * unpeer - remove peer structure from hash table and free structure
+ */
+void
+unpeer(
+ struct peer *peer_to_remove
+ )
+{
+ int hash;
+ char tbuf[80];
+
+ snprintf(tbuf, sizeof(tbuf), "assoc %d",
+ peer_to_remove->associd);
+ report_event(PEVNT_DEMOBIL, peer_to_remove, tbuf);
set_peerdstadr(peer_to_remove, NULL);
hash = NTP_HASH_ADDR(&peer_to_remove->srcadr);
peer_hash_count[hash]--;
newpeer(
struct sockaddr_storage *srcadr,
struct interface *dstadr,
- int hmode,
- int version,
- int minpoll,
- int maxpoll,
- u_int flags,
+ int hmode,
+ int version,
+ int minpoll,
+ int maxpoll,
+ u_int flags,
u_char cast_flags,
- int ttl,
- keyid_t key
+ int ttl,
+ keyid_t key
)
{
struct peer *peer;
int i;
+ char tbuf[80];
+
#ifdef OPENSSL
- char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
+ /*
+ * If Autokey is requested but not configured, complain loudly.
+ */
+ if (!crypto_flags) {
+ if (key > NTP_MAXKEY) {
+ return (NULL);
+
+ } else if (flags & FLAG_SKEY) {
+ msyslog(LOG_ERR, "Autokey not configured");
+ return (NULL);
+ }
+ }
#endif /* OPENSSL */
/*
cast_flags));
peer->hmode = (u_char)hmode;
peer->version = (u_char)version;
- peer->minpoll = (u_char)max(NTP_MINPOLL, minpoll);
- peer->maxpoll = (u_char)min(NTP_MAXPOLL, maxpoll);
+ peer->minpoll = max(ntp_minpoll, minpoll);
+ peer->maxpoll = min(NTP_MAXPOLL, maxpoll);
peer->flags = flags;
#ifdef DEBUG
if (debug > 2) {
if (cast_flags & MDF_MCAST && peer->dstadr) {
enable_multicast_if(peer->dstadr, srcadr);
}
- if (key != 0)
- peer->flags |= FLAG_AUTHENABLE;
if (key > NTP_MAXKEY)
peer->flags |= FLAG_SKEY;
peer->cast_flags = cast_flags;
peer->ass_next = assoc_hash[i];
assoc_hash[i] = peer;
assoc_hash_count[i]++;
-
-#ifdef OPENSSL
- if (peer->flags & FLAG_SKEY) {
- sprintf(statstr, "newpeer %d", peer->associd);
- record_crypto_stats(&peer->srcadr, statstr);
- DPRINTF(1, ("peer: %s\n", statstr));
- }
-#endif /* OPENSSL */
-
+ snprintf(tbuf, sizeof(tbuf), "assoc %d", peer->associd);
+ report_event(PEVNT_MOBIL, peer, tbuf);
DPRINTF(1, ("newpeer: %s->%s mode %d vers %d poll %d %d flags 0x%x 0x%x ttl %d key %08x\n",
peer->dstadr == NULL ? "<null>" : stoa(&peer->dstadr->sin),
stoa(&peer->srcadr), peer->hmode, peer->version,
struct peer *peer
)
{
- if (peer == 0)
+ if (peer == NULL)
return;
+
+ peer->timereset = current_time;
peer->sent = 0;
peer->received = 0;
peer->processed = 0;
peer->bogusorg = 0;
peer->oldpkt = 0;
peer->seldisptoolarge = 0;
- peer->timereset = current_time;
+ peer->selbroken = 0;
}
}
-#ifdef OPENSSL
-/*
- * expire_all - flush all crypto data and update timestamps.
- */
-void
-expire_all(void)
-{
- struct peer *peer, *next_peer;
- int n;
-
- /*
- * This routine is called about once per day from the timer
- * routine and when the client is first synchronized. Search the
- * peer list for all associations.
- */
- if (!crypto_flags)
- return;
-
- for (n = 0; n < NTP_HASH_SIZE; n++) {
- for (peer = peer_hash[n]; peer != 0; peer = next_peer) {
- next_peer = peer->next;
- if (!(peer->flags & FLAG_SKEY)) {
- continue;
-
- }
- key_expire(peer);
- }
- }
- RAND_bytes((u_char *)&sys_private, 4);
- crypto_update();
-}
-#endif /* OPENSSL */
-
-
/*
* findmanycastpeer - find and return a manycast peer
*/
struct peer *
findmanycastpeer(
- struct recvbuf *rbufp
+ struct recvbuf *rbufp /* receive buffer pointer */
)
{
register struct peer *peer;
#define AUTH_NONE 0 /* authentication not required */
#define AUTH_OK 1 /* authentication OK */
-#define AUTH_ERROR 2 /* authenticaion error */
+#define AUTH_ERROR 2 /* authentication error */
#define AUTH_CRYPTO 3 /* crypto_NAK */
/*
double sys_maxdist = MAXDISTANCE; /* selection threshold */
double sys_jitter; /* system jitter */
u_long sys_epoch; /* last clock update time */
-static int sys_hopper; /* anticlockhop counter */
-static int sys_maxhop = MAXHOP; /* anticlockhop counter threshold */
+static int sys_maxhop = MAXHOP; /* anticlockhop threshol */
int leap_tai; /* TAI at next next leap */
u_long leap_sec; /* next scheduled leap from file */
u_long leap_peers; /* next scheduled leap from peers */
/*
* Statistics counters - first the good, then the bad
*/
-u_long sys_stattime; /* time since reset */
+u_long sys_stattime; /* elapsed time */
u_long sys_received; /* packets received */
u_long sys_processed; /* packets for this host */
u_long sys_newversion; /* current version */
u_long sys_oldversion; /* old version */
-
u_long sys_restricted; /* access denied */
u_long sys_badlength; /* bad length or format */
u_long sys_badauth; /* bad authentication */
-u_long sys_declined; /* packets declined */
+u_long sys_declined; /* declined */
u_long sys_limitrejected; /* rate exceeded */
u_long sys_kodsent; /* KoD sent */
* three consecutive polls, stuff infinity in the clock
* filter.
*/
- oreach = peer->reach & 0xfe;
+ oreach = peer->reach;
peer->outdate = current_time;
peer->unreach++;
peer->reach <<= 1;
* previously reachable raise a trap. Send a
* burst if enabled.
*/
- if (oreach) {
- report_event(EVNT_UNREACH, peer);
- peer->timereachable = current_time;
- }
- if (peer->flags & FLAG_IBURST && peer->retry ==
- 0)
+ if (oreach)
+ report_event(PEVNT_UNREACH, peer, NULL);
+ if ((peer->flags & FLAG_IBURST) &&
+ peer->retry == 0)
peer->retry = NTP_RETRY;
} else {
* enabled and the peer is fit.
*/
hpoll = sys_poll;
- if (!oreach || !(peer->flags & FLAG_PREEMPT))
+ if (!(peer->flags & FLAG_PREEMPT &&
+ peer->hmode == MODE_CLIENT))
peer->unreach = 0;
- if (peer->flags & FLAG_BURST && peer->retry ==
+ if ((peer->flags & FLAG_BURST) && peer->retry ==
0 && !peer_unfit(peer))
peer->retry = NTP_RETRY;
}
* poll_update() routine will clamp it to maxpoll.
*/
if (peer->unreach >= NTP_UNREACH) {
- if (peer->flags & FLAG_PREEMPT &&
- (sys_survivors > sys_maxclock ||
- peer->pmode == MODE_BROADCAST)) {
- peer_clear(peer, "TIME");
- unpeer(peer);
- return;
-
- } else {
-#ifdef OPENSSL
- /*
- * If timeout in Autokey dance, restart
- * the protocol.
- */
- if (peer->crypto || (peer->flash &
- TEST9)) {
+ hpoll++;
+ if (peer->flags & FLAG_PREEMPT) {
+ report_event(PEVNT_RESTART, peer,
+ "timeout");
+ if (peer->hmode != MODE_CLIENT) {
peer_clear(peer, "TIME");
- peer->unreach = 0;
+ unpeer(peer);
+ return;
+ }
+ if (peer_associations > sys_maxclock &&
+ score_all(peer)) {
+ peer_clear(peer, "TIME");
+ unpeer(peer);
+ return;
}
-#endif /* OPENSSL */
- hpoll++;
}
}
} else {
peer->burst--;
-
- /*
- * If a broadcast client at this point, the burst has
- * concluded, so we switch to client mode and purge the
- * keylist, since no further transmissions will be made.
- */
if (peer->burst == 0) {
+
+ /*
+ * If initial broadcast volley and not Autokey,
+ * switch to broadcast client mode.
+ */
if (peer->cast_flags & MDF_BCLNT) {
- peer->hmode = MODE_BCLIENT;
+ peer->flags &= ~FLAG_IBURST;
#ifdef OPENSSL
- key_expire(peer);
+ if (!(peer->flags & FLAG_SKEY))
+ peer->hmode = MODE_BCLIENT;
+#else /* OPENSSL */
+ peer->hmode = MODE_BCLIENT;
#endif /* OPENSSL */
}
peer_ntpdate--;
if (peer_ntpdate == 0) {
msyslog(LOG_NOTICE,
- "ntpdate: no reply; clock not set");
+ "ntpd: no servers found");
+ printf(
+ "ntpd: no servers found\n");
exit (0);
}
}
if (peer->retry > 0)
peer->retry--;
+#ifdef OPENSSL
+ if (peer->cast_flags & MDF_BCLNT) {
+ if (peer->flags & FLAG_SKEY) {
+ if (!(~peer->crypto & CRYPTO_FLAG_ALL))
+ peer->hmode = MODE_BCLIENT;
+ else
+ peer->hmode = MODE_CLIENT;
+ }
+ }
+#endif /* OPENSSL */
+
/*
* Do not transmit if in broadcast client mode.
*/
int is_authentic = 0; /* cryptosum ok */
int retcode = AM_NOMATCH; /* match code */
keyid_t skeyid = 0; /* key IDs */
+ u_int32 opcode = 0; /* extension field opcode */
struct sockaddr_storage *dstadr_sin; /* active runway */
struct peer *peer2; /* aux peer structure pointer */
l_fp p_org; /* origin timestamp */
sys_restricted++;
return; /* no time serve */
}
+
+ /*
+ * This is for testing. If restricted drop ten percent of
+ * surviving packets.
+ */
+ if (restrict_mask & RES_TIMEOUT) {
+ if ((double)ntp_random() / 0x7fffffff < .1) {
+ sys_restricted++;
+ return; /* no flakeway */
+ }
+ }
/*
* Version check must be after the query packets, since they
authlen = LEN_PKT_NOMAC;
has_mac = rbufp->recv_length - authlen;
while (has_mac != 0) {
- int temp;
+ u_int32 len;
if (has_mac % 4 != 0 || has_mac < 0) {
sys_badlength++;
break;
} else if (has_mac > MAX_MAC_LEN) {
- temp = ntohl(((u_int32 *)pkt)[authlen / 4]) &
- 0xffff;
- if (temp < 4 || temp % 4 != 0 || temp +
+ opcode = ntohl(((u_int32 *)pkt)[authlen / 4]);
+ len = opcode & 0xffff;
+ if (len < 4 || len % 4 != 0 || len +
authlen + MAX_MAC_LEN >
rbufp->recv_length) {
sys_badlength++;
return; /* bad length */
}
- authlen += temp;
- has_mac -= temp;
+ authlen += len;
+ has_mac -= len;
} else {
sys_badlength++;
return; /* bad length */
}
/*
- * Update the MRU list and finger the cloggers. We do this in
- * all cases mainly as a profiling tool. It can be a little
- * expensive, so turn it off for production use. Note that we
- * don't do this for control and monitoring packets, as they are
- * not rate controlled. Note that if RES_DONTTRUST is lit,
- * packets without a MAC are discarded.
+ * If authentication required, a MAC must be present.
*/
- restrict_mask = ntp_monitor(rbufp, restrict_mask);
if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
sys_restricted++;
return; /* access denied */
}
+
+ /*
+ * Update the MRU list and finger the cloggers. It can be a
+ * little expensive, so turn it off for production use.
+ */
+ restrict_mask = ntp_monitor(rbufp, restrict_mask);
if (restrict_mask & RES_LIMITED) {
sys_limitrejected++;
if (!(restrict_mask & RES_KOD) || hismode ==
* address used to construct the autokey is the unicast address
* of the interface. However, if the sender is a broadcaster,
* the interface broadcast address is used instead.
- & Notwithstanding this technobabble, if the sender is a
+ * Notwithstanding this technobabble, if the sender is a
* multicaster, the broadcast address is null, so we use the
* unicast address anyway. Don't ask.
*/
* and install in the key cache. Use the socket
* broadcast or unicast address as appropriate.
*/
- if (skeyid > NTP_MAXKEY) {
+ if (crypto_flags && skeyid > NTP_MAXKEY) {
/*
* More on the autokey dance (AKD). A cookie is
* # if unsync, 0
* % can't happen
*/
+ if (has_mac < MAX_MAC_LEN) {
+ sys_badauth++;
+ return;
+ }
if (hismode == MODE_BROADCAST) {
/*
* association. Note that there is no key zero.
*/
if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
- has_mac)) {
+ has_mac))
is_authentic = AUTH_ERROR;
- sys_badauth++;
- } else {
+ else
is_authentic = AUTH_OK;
- }
#ifdef OPENSSL
- if (skeyid > NTP_MAXKEY)
+ if (crypto_flags && skeyid > NTP_MAXKEY)
authtrust(skeyid, 0);
#endif /* OPENSSL */
#ifdef DEBUG
*/
if (!(rbufp->dstadr->flags & INT_MCASTOPEN)) {
if (AUTH(restrict_mask & RES_DONTTRUST,
- is_authentic))
+ is_authentic)) {
fast_xmit(rbufp, MODE_SERVER, skeyid,
NULL);
- else if (is_authentic == AUTH_ERROR)
+ } else if (is_authentic == AUTH_ERROR) {
fast_xmit(rbufp, MODE_SERVER, 0, NULL);
+ sys_badauth++;
+ } else {
+ sys_restricted++;
+ }
return; /* hooray */
}
}
/*
- * Do not respond if we have no system peer or our
+ * Do not respond if we are not synchronized or our
* stratum is greater than the manycaster or the
* manycaster has already synchronized to us.
*/
- if (sys_peer == NULL || sys_stratum >= hisstratum ||
- (!sys_cohort && sys_stratum == hisstratum + 1) ||
- rbufp->dstadr->addr_refid == pkt->refid) {
+ if (sys_leap == LEAP_NOTINSYNC || sys_stratum >=
+ hisstratum || (!sys_cohort && sys_stratum ==
+ hisstratum + 1) || rbufp->dstadr->addr_refid ==
+ pkt->refid) {
sys_declined++;
return; /* no help */
}
if (hisleap == LEAP_NOTINSYNC || hisstratum <
sys_floor || hisstratum >= sys_ceiling) {
sys_declined++;
- return; /* no helpm */
+ return; /* no help */
}
if ((peer2 = findmanycastpeer(rbufp)) == NULL) {
sys_restricted++;
hisversion, NTP_MINDPOLL, NTP_MAXDPOLL,
FLAG_IBURST | FLAG_PREEMPT, MDF_UCAST | MDF_ACLNT,
0, skeyid)) == NULL) {
- peer->oldpkt++;
+ sys_declined++;
return; /* ignore duplicate */
}
* kiss any frogs here.
*/
case AM_NEWBCL:
+ if (sys_bclient == 0) {
+ sys_restricted++;
+ return; /* not enabled */
+ }
if (!AUTH(sys_authenticate | (restrict_mask &
(RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
sys_restricted++;
return; /* no help */
}
+#ifdef OPENSSL
/*
- * Do not respond if we have a system peer and our
- * stratum is not greater than the broadcaster or the
- * broadcaster has already synchronized to us.
+ * Do not respond if Autokey and the opcode is not a
+ * CRYPTO_ASSOC response.
*/
- if ((sys_peer != NULL && sys_stratum <= hisstratum) ||
- rbufp->dstadr->addr_refid == pkt->refid) {
+ if (crypto_flags && skeyid > NTP_MAXKEY && (opcode &
+ 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
sys_declined++;
- return; /* no help */
+ return;
}
+#endif /* OPENSSL */
/*
- * If not enabled, just skedaddle.
- */
- if (sys_bclient == 0) {
- sys_restricted++;
- return; /* not enabled */
-
- /*
- * Do not execute the initial volley.
+ * Determine whether to execute the initial volley.
*/
- } else if (sys_bdelay != 0 || sys_bclient > 1) {
+ if (sys_bdelay > 0 || sys_bclient > 1) {
#ifdef OPENSSL
/*
* If a two-way exchange is not possible,
* neither is Autokey.
*/
- if (skeyid > NTP_MAXKEY) {
- msyslog(LOG_NOTICE,
- "receive: autokey requires two-way communication");
+ if (crypto_flags && skeyid > NTP_MAXKEY) {
sys_restricted++;
return; /* no autokey */
}
#endif /* OPENSSL */
+
+ /*
+ * Do not execute the volley. Start out in
+ * broadcast client mode.
+ */
if ((peer = newpeer(&rbufp->recv_srcadr,
rbufp->dstadr, MODE_BCLIENT, hisversion,
- pkt->ppoll, NTP_MAXDPOLL, 0, MDF_BCLNT, 0,
- skeyid)) == NULL) {
- peer->oldpkt++;
- return; /* ignore duplicate */
- }
+ pkt->ppoll, NTP_MAXDPOLL, 0, 0, 0,
+ skeyid)) == NULL)
+ sys_restricted++;
+ else
+ peer->delay = sys_bdelay * 2.;
+ return;
+ }
/*
* Execute the initial volley in order to calibrate the
* propagation delay and run the Autokey protocol.
*
* Note that the minpoll is taken from the broadcast
- * packet, normally 6 (64 s).
+ * packet, normally 6 (64 s) and that the poll interval
+ * is fixed at this value.
*/
- } else {
- if ((peer = newpeer(&rbufp->recv_srcadr,
- rbufp->dstadr, MODE_CLIENT, hisversion,
- pkt->ppoll, NTP_MAXDPOLL, FLAG_MCAST |
- FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT, 0,
- skeyid)) == NULL) {
- peer->oldpkt++;
- return; /* ignore duplicate */
- }
+ if ((peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
+ MODE_CLIENT, hisversion, pkt->ppoll, NTP_MAXDPOLL,
+ FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT, 0,
+ skeyid)) == NULL) {
+ sys_restricted++;
+ return; /* ignore duplicate */
+ }
#ifdef OPENSSL
- /*
- * Ordinarily this will be an association reply
- * message which initializes the dance. If an
- * autokey reply message, it is ignored. Any
- * other message is a protocol error leaving the
- * asssociation ready for a following
- * association reply message.
- */
- if (skeyid > NTP_MAXKEY)
- crypto_recv(peer, rbufp);
+ /*
+ * Ordinarily this will be an association reply message
+ * which initializes the dance. If an autokey reply
+ * message, it is ignored. Any other message is a
+ * protocol error leaving the asssociation ready for a
+ * following association reply message.
+ */
+ if (peer->flags & FLAG_SKEY)
+ crypto_recv(peer, rbufp);
#endif /* OPENSSL */
- return; /* hooray */
- }
- break;
+ return; /* hooray */
/*
* This is the first packet received from a symmetric active
* mobilize a passive association. If not, kiss the frog.
*/
case AM_NEWPASS:
- if (!AUTH(sys_authenticate | (restrict_mask &
- (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
- sys_restricted++;
- return; /* access denied */
- }
/*
- * Do not respond if unsynchronized or stratum is below
- * the floor or at or above the ceiling.
+ * If authentication fails, drop the packet. If Autokey,
+ * send a crypto-NAK.
*/
- if (hisleap == LEAP_NOTINSYNC || hisstratum <
- sys_floor || hisstratum >= sys_ceiling) {
- sys_declined++;
- return; /* no help */
+ if (!AUTH(restrict_mask & RES_DONTTRUST,
+ is_authentic)) {
+#ifdef OPENSSL
+ if (crypto_flags && skeyid > NTP_MAXKEY)
+ fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
+#endif /* OPENSSL */
+ sys_restricted++;
+ return; /* access denied */
}
-
- /*
- * If correctly authenticated but not enabled, send a
- * summetric active response without mobilizing
- * an association.
- */
if (!AUTH(sys_authenticate | (restrict_mask &
RES_NOPEER), is_authentic)) {
+
+#ifdef WINTIME
+ /*
+ * If authenticated but cannot mobilize an
+ * association, send a summetric passive
+ * response without mobilizing an association.
+ * This is for drat broken Windows clients. See
+ * Microsoft KB 875424 for preferred workaround.
+ */
fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL);
+#else /* WINTIME */
+ sys_restricted++;
+#endif /* WINTIME */
return; /* hooray */
}
+ /*
+ * Do not respond if synchronized and stratum is either
+ * below the floor or at or above the ceiling. Note,
+ * this allows an unsynchronized peer to synchronize to
+ * us. It would be very strange if he did and then was
+ * nipped, but that could only happen if we were
+ * operating at the top end of the range.
+ */
+ if (hisleap != LEAP_NOTINSYNC && (hisstratum <
+ sys_floor || hisstratum >= sys_ceiling)) {
+ sys_declined++;
+ return; /* no help */
+ }
+
/*
* The message is correctly authenticated and
- * enabled. Mobiliae a symmetric passive association.
+ * allowed. Mobiliae a symmetric passive association.
*/
if ((peer = newpeer(&rbufp->recv_srcadr,
rbufp->dstadr, MODE_PASSIVE, hisversion,
NTP_MINDPOLL, NTP_MAXDPOLL, FLAG_PREEMPT, MDF_UCAST,
0, skeyid)) == NULL) {
- peer->oldpkt++;
+ sys_declined++;
return; /* ignore duplicate */
}
break;
sys_declined++;
return;
}
+
+#ifdef OPENSSL
+ /*
+ * If the association is configured for Autokey, the packet must
+ * have a public key ID; if not, the packet must have a
+ * symmetric key ID.
+ */
+ if (is_authentic != AUTH_CRYPTO && (((peer->flags &
+ FLAG_SKEY) && skeyid <= NTP_MAXKEY) || (!(peer->flags &
+ FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
+ sys_badauth++;
+ return;
+ }
+#endif /* OPENSSL */
peer->received++;
peer->flash &= ~PKT_TEST_MASK;
if (L_ISZERO(&p_xmt)) {
peer->flash |= TEST3; /* protocol unsynch */
peer->bogusorg++;
+ return;
/*
* If the transmit timestamp duplicates a previous one, the
} else if (L_ISEQU(&peer->org, &p_xmt)) {
peer->flash |= TEST1; /* duplicate packet */
peer->oldpkt++;
+ return;
/*
* If this is a broadcast mode packet, skip further checking.
}
/*
- * If this is a client association and the flashers are not
- * dark, drop the packet forthwith.
+ * If not a symmetric mode and any flash is lit, drop the
+ * packet. This helps to protect against old replay attacks.
+ * Can't do this in symmetric modes since a packet can be lost.
*/
- if (peer->hmode == MODE_CLIENT && (peer->flash &
- PKT_TEST_MASK)) {
- return; /* broken packet */
+ if ((peer->hmode == MODE_CLIENT || peer->hmode ==
+ MODE_BROADCAST) && (peer->flash & PKT_TEST_MASK))
+ return;
+
+ peer->org = p_xmt;
+ peer->rec = rbufp->recv_time;
+ L_CLR(&peer->xmt);
+ if (peer->flash & PKT_TEST_MASK)
+ return;
/*
- * If this is a crypto_NAK and the flashers are dark, the server
- * might have just changed keys. Reset the association and
- * restart the protocol.
+ * If this is a crypto_NAK, the server cannot authenticate a
+ * client packet. The server might have just changed keys. Clear
+ * the association and restart the protocol.
*/
- } else if (is_authentic == AUTH_CRYPTO && !(peer->flash &
- PKT_TEST_MASK)) {
- peer_clear(peer, "AUTH");
+ if (is_authentic == AUTH_CRYPTO) {
+ report_event(PEVNT_AUTH, peer, "crypto_NAK");
+ peer->flash |= TEST5; /* bad auth */
+ peer->badauth++;
+ if (peer->flags & FLAG_PREEMPT) {
+ unpeer(peer);
+ return;
+ }
+#ifdef OPENSSL
+ if (peer->crypto)
+ peer_clear(peer, "AUTH");
+#endif /* OPENSSL */
return;
/*
- * If the packet is authenticated or the server not trusted,
- * received packets must be correctly authenticated. This is
- * designed to avoid a bait-and-switch attack, which was
+ * If the digest fails, the client cannot authenticate a server
+ * reply to a client packet previously sent. The loopback check
+ * is designed to avoid a bait-and-switch attack, which was
* possible in past versions. If symmetric modes, return a
* crypto-NAK. The peer should restart the protocol.
*/
} else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST),
is_authentic)) {
- peer->flash |= TEST5;
+ report_event(PEVNT_AUTH, peer, "digest");
+ peer->flash |= TEST5; /* bad auth */
peer->badauth++;
if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
- sys_restricted++;
- return; /* access denied */
+ if (peer->flags & FLAG_PREEMPT) {
+ unpeer(peer);
+ return;
+ }
+#ifdef OPENSSL
+ if (peer->crypto)
+ peer_clear(peer, "AUTH");
+#endif /* OPENSSL */
+ return;
}
/*
- * Update the timestamps. If a flash is lit, abandon ship.
- */
- peer->org = p_xmt;
- peer->rec = rbufp->recv_time;
- L_CLR(&peer->xmt); /* avoid replay */
- if (peer->flash & PKT_TEST_MASK)
- return; /* Davy Jones */
-
- /*
- * Test for kiss-o'-death packets. We carefully avoid a hazard
- * when the client has restarted the association after a kiss by
- * upping the throttle to the max.
+ * Set the peer ppoll to the maximum of the packet ppoll and the
+ * peer minpoll. If a kiss-o'-death, set the peer minpoll to
+ * this maximumn and advance the headway to give the sender some
+ * headroom. Very intricate.
*/
+ peer->ppoll = max(peer->minpoll, pkt->ppoll);
if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
- hisstratum == STRATUM_UNSPEC) {
+ hisstratum == STRATUM_UNSPEC && &pkt->refid != 0) {
peer->selbroken++;
if (memcmp(&pkt->refid, "RATE", 4) == 0) {
- peer->throttle += NTP_SHIFT * (1 <<
- peer->minpoll);
- poll_update(peer, peer->hpoll);
- msyslog(LOG_NOTICE,
- "receive: server %s maximum rate exceeded",
- stoa(&rbufp->recv_srcadr));
+ report_event(PEVNT_RATE, peer, NULL);
} else if (memcmp(&pkt->refid, "DENY", 4) == 0) {
- peer->flash |= TEST4;
- msyslog(LOG_NOTICE,
- "receive: server %s access denied",
- stoa(&rbufp->recv_srcadr));
+ peer->flash |= TEST4; /* access denied */
+ report_event(PEVNT_DENY, peer, NULL);
}
+ if (pkt->ppoll > peer->minpoll)
+ peer->minpoll = peer->ppoll;
+ peer->burst = peer->retry = 0;
+ peer->throttle = (NTP_SHIFT + 1) * (1 << peer->minpoll);
+ poll_update(peer, pkt->ppoll);
return; /* kiss-o'-death */
}
* 5. Check to see that one or more hashes of the current key ID
* matches the previous key ID or ultimate original key ID
* obtained from the broadcaster or symmetric peer. If no
- * match, sit the dance and wait for timeout.
+ * match, sit the dance and call for new autokey values.
*
- * In case of crypto error, fire the orchestra and stop dancing.
- * This is considered a permanant error, so light the crypto bit
- * to suppress further requests.
+ * In case of crypto error, fire the orchestra, stop dancing and
+ * restart the protocol.
*/
- if (crypto_flags && (peer->flags & FLAG_SKEY)) {
+ if (peer->flags & FLAG_SKEY) {
+ /*
+ * Decrement remaining audokey hashes. This isn't
+ * perfect if a packet is lost, but results in no harm.
+ */
+ ap = (struct autokey *)peer->recval.ptr;
+ if (ap != NULL) {
+ if (ap->seq > 0)
+ ap->seq--;
+ }
peer->flash |= TEST8;
rval = crypto_recv(peer, rbufp);
+ if (rval == XEVNT_OK)
+ peer->unreach = 0;
if (rval != XEVNT_OK) {
+ report_event(PEVNT_RESTART, peer,
+ "crypto");
peer_clear(peer, "CRYP");
- peer->flash |= TEST9; /* crypto error */
+ peer->flash |= TEST9; /* bad crypt */
+ if (peer->flags & FLAG_PREEMPT)
+ unpeer(peer);
return;
+ /*
+ * If server mode, verify the receive key ID matches
+ * the transmit key ID.
+ */
} else if (hismode == MODE_SERVER) {
if (skeyid == peer->keyid)
peer->flash &= ~TEST8;
+
+ /*
+ * If an extension field is present, verify only that it
+ * has been correctly signed. We don't need a sequence
+ * check here, but the sequence continues.
+ */
} else if (!(peer->flash & TEST8)) {
peer->pkeyid = skeyid;
- } else if ((ap = (struct autokey *)peer->recval.ptr) !=
- NULL) {
+
+ /*
+ * Now the fun part. Here, skeyid is the current ID in
+ * the packet, pkeyid is the ID in the last packet and
+ * tkeyid is the hash of skeyid. If the autokey values
+ * have not been received, this is an automatic error.
+ * If so, check that the tkeyid matches pkeyid. If not,
+ * hash tkeyid and try again. If the number of hashes
+ * exceeds the number remaining in the sequence, declare
+ * a successful failure and refresh the autokey values.
+ */
+ } else if (ap != NULL) {
int i;
for (i = 0; ; i++) {
tkeyid == ap->key) {
peer->flash &= ~TEST8;
peer->pkeyid = skeyid;
+ ap->seq -= i;
break;
}
- if (i > ap->seq)
+ if (i > ap->seq) {
+ peer->crypto &=
+ ~CRYPTO_FLAG_AUTO;
break;
-
+ }
tkeyid = session_key(
&rbufp->recv_srcadr, dstadr_sin,
tkeyid, pkeyid, 0);
}
}
if (!(peer->crypto & CRYPTO_FLAG_PROV)) /* test 9 */
- peer->flash |= TEST8; /* not proventic */
+ peer->flash |= TEST8; /* bad autokey */
/*
- * About once a week restart the Autokey protocol to
- * slurp up and refreshed certificates or leapsecond
- * values.
+ * The maximum lifetime of the protocol is about one
+ * week before restarting the Autokey protocol to
+ * refreshed certificates and leapseconds values.
*/
if (current_time > peer->refresh) {
+ report_event(PEVNT_RESTART, peer, "timeout");
peer_clear(peer, "TIME");
return;
}
double p_offset, p_del, p_disp;
l_fp p_rec, p_xmt, p_org, p_reftime, ci;
u_char pmode, pleap, pstratum;
- double etemp, ftemp; /* experimental */
+#ifdef ASSYM
int itemp;
- double td;
+ double etemp, ftemp, td;
+#endif /* ASSYM */
sys_processed++;
peer->processed++;
peer->leap = pleap;
peer->stratum = min(pstratum, STRATUM_UNSPEC);
peer->pmode = pmode;
- peer->ppoll = pkt->ppoll;
peer->precision = pkt->precision;
peer->rootdelay = p_del;
peer->rootdisp = p_disp;
*/
if (pleap == LEAP_NOTINSYNC || /* test 6 */
pstratum < sys_floor || pstratum >= sys_ceiling)
- peer->flash |= TEST6; /* peer not synch */
+ peer->flash |= TEST6; /* bad synch or strat */
if (p_del / 2 + p_disp >= /* test 7 */
MAXDISPERSE || !L_ISHIS(&p_xmt, &p_reftime))
peer->flash |= TEST7; /* bad header */
* case, mark it reachable.
*/
if (!peer->reach) {
- report_event(EVNT_REACH, peer);
+ report_event(PEVNT_REACH, peer, NULL);
peer->timereachable = current_time;
}
peer->reach |= 1;
LFPTOD(&ci, t21);
ci = peer->rec; /* t4 - t1 */
L_SUB(&ci, &p_org);
+ p_del = fabs(t21 - t34);
+ p_offset = (t21 + t34) / 2.;
+#if ASSYM
/*
* This code calculates the outbound and inbound data rates by
* measuring the differences between timestamps at different
}
}
}
- peer->t21 = t21;
- peer->t21_last = peer->t21_bytes;
- peer->t34 = -t34;
- peer->t34_bytes = len;
- p_del = fabs(t21 - t34);
-#ifdef DEBUG
- if (debug > 2)
- printf("proto: t21 %.9lf %d t34 %.9lf %d\n", peer->t21,
- peer->t21_bytes, peer->t34, peer->t34_bytes);
-#endif
/*
* The following section compensates for different data rates on
* the roundtrip delay. Then it calculates the correction as a
* fraction of d.
*/
+ peer->t21 = t21;
+ peer->t21_last = peer->t21_bytes;
+ peer->t34 = -t34;
+ peer->t34_bytes = len;
+#ifdef DEBUG
+ if (debug > 1)
+ printf("proto: t21 %.9lf %d t34 %.9lf %d\n", peer->t21,
+ peer->t21_bytes, peer->t34, peer->t34_bytes);
+#endif
if (peer->r21 > 0 && peer->r34 > 0 && p_del > 0) {
- if (pmode != MODE_BROADCAST)
+ if (peer->pmode != MODE_BROADCAST)
td = (peer->r34 / (peer->r21 + peer->r34) -
.5) * p_del;
else
* calculations are useful, so this should be considered
* a work in progress.
*/
-#if 0 /* temporarily disabled */
t21 -= td;
t34 -= td;
-#endif
#ifdef DEBUG
- if (debug > 2)
+ if (debug > 1)
printf("proto: del %.6lf r21 %.1lf r34 %.1lf %.6lf\n",
p_del, peer->r21 / 1e3, peer->r34 / 1e3,
td);
#endif
}
+#endif /* ASSYM */
/*
* If running in a broadcast association, the clock offset is
- * (t3 - t4) corrected by the one-way delay, but we can't
+ * (t3 - t4) plus one-half the roundtrip delay, but we can't
* measure that directly. Therefore, we start up in MODE_CLIENT
- * mode, set FLAG_MCAST and exchange eight messages to determine
- * the clock offset. When the last message is sent, we switch to
- * MODE_BCLIENT mode. The next broadcast message after that
- * computes the broadcast offset and clears FLAG_MCAST.
- */
- if (pmode == MODE_BROADCAST) {
- p_offset = t34;
- if (peer->flags & FLAG_MCAST) {
- peer->estbdelay = peer->offset - p_offset;
- if (peer->hmode == MODE_CLIENT)
- return;
-
- peer->flags &= ~(FLAG_MCAST | FLAG_BURST);
- }
- p_offset += peer->estbdelay;
+ * mode and exchange several messages to determine the clock
+ * offset and roundtrip delay and possibly set the system clock.
+ * When the last message is sent, we switch to MODE_BCLIENT mode
+ * and send no further messages.
+ */
+ if (peer->pmode == MODE_BROADCAST) {
p_del = peer->delay;
- } else {
- p_offset = (t21 + t34) / 2.;
+ p_offset = t34 + p_del / 2.;
}
p_disp = LOGTOD(sys_precision) + LOGTOD(peer->precision) +
clock_phi * p_del;
struct peer *peer /* peer structure pointer */
)
{
- u_char ostratum;
double dtemp;
u_long epoch;
l_fp now;
* dispersion is updated even if the offset has already been
* processed.
*/
- dtemp = peer->disp + sys_jitter + fabs(sys_offset) + clock_phi *
+ dtemp = sys_jitter + fabs(sys_offset) + peer->disp + clock_phi *
(current_time - peer->update);
#ifdef REFCLOCK
if (!(peer->flags & FLAG_REFCLOCK) && sys_rootdisp <
current_time, peer->epoch, peer->associd);
#endif
sys_epoch = peer->epoch;
- ostratum = sys_stratum;
switch (local_clock(peer, epoch, sys_offset)) {
/*
* Clock exceeds panic threshold. Life as we know it ends.
*/
case -1:
- report_event(EVNT_SYSFAULT, NULL);
#ifdef HAVE_LIBSCF_H
/*
* For Solaris enter the maintenance mode.
L_CLR(&sys_reftime);
sys_jitter = LOGTOD(sys_precision);
memcpy(&sys_refid, "STEP", 4);
- report_event(EVNT_CLOCKRESET, NULL);
break;
/*
* leap bits. If crypto, the timer will goose the setup
* process.
*/
- if (sys_leap == LEAP_NOTINSYNC) {
+ if (sys_leap == LEAP_NOTINSYNC)
sys_leap = LEAP_NOWARNING;
- report_event(EVNT_SYNCCHG, NULL);
- }
sys_stratum = min(peer->stratum + 1, STRATUM_UNSPEC);
sys_rootdelay = peer->delay + peer->rootdelay;
sys_reftime = peer->rec;
sys_tai = leap_tai - 1;
if (leapsec == 0)
leapsec = leap_sec - now.l_ui;
- msyslog(LOG_NOTICE,
- "crypto: leap epoch %.1f days",
- leapsec / 86400.);
+ report_event(EVNT_ARMED, NULL,
+ NULL);
}
} else {
sys_tai = leap_tai;
if (leap_peers > now.l_ui) {
if (leapsec == 0)
leapsec = leap_peers - now.l_ui;
- msyslog(LOG_NOTICE,
- "proto: leap epoch %.1f days",
- leapsec / 86400.);
+ report_event(PEVNT_ARMED, peer,
+ NULL);
}
} else {
leapsec = 0;
+ report_event(EVNT_DISARMED, NULL, NULL);
}
break;
/*
default:
break;
}
- if (ostratum != sys_stratum)
- report_event(EVNT_PEERSTCHG, NULL);
}
int mpoll
)
{
- int hpoll;
+ int hpoll, minpkt;
u_long next, utemp;
/*
* works for any association. Otherwise, clamp the poll interval
* between minpoll and maxpoll.
*/
- if (peer->flags & FLAG_FIXPOLL)
+ if ((peer->flags & FLAG_FIXPOLL) || (peer->cast_flags &
+ MDF_BCLNT))
hpoll = peer->minpoll;
else
hpoll = max(min(peer->maxpoll, mpoll), peer->minpoll);
* the lifetimes in the key list are probably bogus. Purge the
* the key list and regenerate it later.
*/
- if (hpoll != peer->hpoll)
+ if ((peer->flags & FLAG_SKEY) && hpoll != peer->hpoll)
key_expire(peer);
#endif /* OPENSSL */
peer->hpoll = hpoll;
* slink away. If called from the poll process, delay 1 s for a
* reference clock, otherwise 2 s.
*/
+ minpkt = 1 << ntp_minpkt;
utemp = current_time + max(peer->throttle - (NTP_SHIFT - 1) *
- (1 << peer->minpoll), res_min_interval);
+ (1 << peer->minpoll), minpkt);
if (peer->burst > 0) {
if (peer->nextdate > current_time)
return;
*/
} else if (peer->cmmd != NULL) {
if (peer->nextdate > current_time) {
- if (peer->nextdate + res_min_interval != utemp)
+ if (peer->nextdate + minpkt != utemp)
peer->nextdate = utemp;
} else {
peer->nextdate = utemp;
#endif /* OPENSSL */
/*
- * The ordinary case. If a retry, start with minpoll; otherwise
- * start with the minimum of the host and peer poll exponents.
- * In other words, oversampling is okay but understampling is
- * evil. Use the maximum of this value and the headway. If the
- * average headway is greater than the headway threshold,
- * increase the headway by the minimum interval plus 0.25 times
- * the difference. This is to rapidly reduce the overshoot.
+ * The ordinary case. If a retry, use minpoll; if unreachable,
+ * use host poll; otherwise, use the minimum of host and peer
+ * polls; In other words, oversampling is okay but
+ * understampling is evil. Use the maximum of this value and the
+ * headway. If the average headway is greater than the headway
+ * threshold, increase the headway by the minimum interval.
*/
} else {
if (peer->retry > 0)
hpoll = peer->minpoll;
+ else if (!(peer->reach))
+ hpoll = peer->hpoll;
else
hpoll = min(peer->ppoll, peer->hpoll);
next = (u_long)((0x10000 | (ntp_random() & 0x0fff)) <<
peer->nextdate = utemp;
hpoll = peer->throttle - (1 << peer->minpoll);
if (hpoll > 0)
- peer->nextdate += res_min_interval + (hpoll >>
- 4);
+ peer->nextdate += minpkt;
}
#ifdef DEBUG
if (debug > 1)
)
{
int i;
-#ifdef OPENSSL
- char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
-#endif /* OPENSSL */
-
- if (peer == sys_peer)
- sys_peer = NULL;
#ifdef OPENSSL
/*
* Clear all values, including the optional crypto values above.
*/
memset(CLEAR_TO_ZERO(peer), 0, LEN_CLEAR_TO_ZERO);
- peer->estbdelay = sys_bdelay;
peer->ppoll = peer->maxpoll;
peer->hpoll = peer->minpoll;
peer->disp = MAXDISPERSE;
+ peer_unfit(peer);
peer->jitter = LOGTOD(sys_precision);
for (i = 0; i < NTP_SHIFT; i++) {
peer->filter_order[i] = i;
* implosion.
*/
peer->nextdate = peer->update = peer->outdate = current_time;
- if (initializing)
+ if (initializing) {
peer->nextdate += peer_associations;
- else if (peer->hmode == MODE_PASSIVE)
- peer->nextdate += res_min_interval;
- else
+ } else if (peer->hmode == MODE_PASSIVE) {
+ peer->nextdate += 1 << ntp_minpkt;
+ } else {
peer->nextdate += ntp_random() % peer_associations;
+ }
#ifdef OPENSSL
- peer->refresh = current_time + NTP_REFRESH;
- sprintf(statstr, "clear %d ident %s", peer->associd,
- ident);
- record_crypto_stats(&peer->srcadr, statstr);
+ peer->refresh = current_time + (1 << NTP_REFRESH);
#endif /* OPENSSL */
#ifdef DEBUG
if (debug)
int ord[NTP_SHIFT]; /* index vector */
int i, j, k, m;
double dtemp, etemp;
+ char tbuf[80];
/*
* A sample consists of the offset, delay, dispersion and epoch
* If the clock discipline has stabilized, sort the samples by
* distance.
*/
- if (state == 4) {
+ if (sys_leap != LEAP_NOTINSYNC) {
for (i = 1; i < NTP_SHIFT; i++) {
for (j = 0; j < i; j++) {
if (dst[j] > dst[i]) {
sys_maxdist && etemp > CLOCK_SGATE * peer->jitter &&
peer->filter_epoch[k] - peer->epoch < 2. *
ULOGTOD(peer->hpoll)) {
-#ifdef DEBUG
- if (debug)
- printf("clock_filter: popcorn %.6f %.6f\n",
- etemp, dtemp);
-#endif
+ snprintf(tbuf, sizeof(tbuf), "%.6f s", etemp);
+ report_event(PEVNT_POPCORN, peer, tbuf);
return;
}
if (peer_unfit(peer))
continue;
+#ifdef REFCLOCK
/*
* Don't allow the local clock or modem drivers
- * in the kitchen at this point, unless the
- * prefer peer. Do that later, but only if
- * nobody else is around. These guys are all
- * configured, so we never throw them away.
+ * in the kitchen at this point. Do that later,
+ * but only if nobody else is around. These guys
+ * are all configured, so we never throw them
+ * away.
*/
-#ifdef REFCLOCK
if (peer->refclktype == REFCLK_LOCALCLOCK
#if defined(VMS) && defined(VMS_LOCALUNIT)
/* wjm: VMS_LOCALUNIT taken seriously */
#endif /* VMS && VMS_LOCALUNIT */
) {
typelocal = peer;
-#ifndef LOCKCLOCK
- if (!(peer->flags & FLAG_PREFER))
- continue; /* no local clock */
-#endif /* LOCKCLOCK */
+ continue;
}
- if (peer->sstclktype == CTL_SST_TS_TELEPHONE) {
+ if (peer->refclktype == REFCLK_ACTS) {
typeacts = peer;
- if (!(peer->flags & FLAG_PREFER))
- continue; /* no acts */
+ continue;
}
#endif /* REFCLOCK */
high) && !(peer->flags & FLAG_TRUE))
continue;
- peer->status = CTL_PST_SEL_DISTSYSPEER;
-
/*
* The order metric is formed from the stratum times
* max distance (1.) plus the root distance. It strongly
error[0] = 0;
synch[0] = 0;
if (typeacts != NULL) {
- typeacts->status = CTL_PST_SEL_DISTSYSPEER;
peer_list[0] = typeacts;
nlist = 1;
} else if (typelocal != NULL) {
- typelocal->status = CTL_PST_SEL_DISTSYSPEER;
peer_list[0] = typelocal;
nlist = 1;
} else {
- if (osys_peer != NULL) {
- msyslog(LOG_NOTICE,
- "no servers reachable");
- report_event(EVNT_PEERSTCHG, NULL);
- }
+ if (osys_peer != NULL)
+ report_event(EVNT_NOPEER, NULL, NULL);
}
}
"select: drop %s seljit %.6f jit %.6f\n",
ntoa(&peer_list[k]->srcadr), g, d);
#endif
+ if (nlist > sys_maxclock)
+ peer_list[k]->status = CTL_PST_SEL_EXCESS;
for (j = k + 1; j < nlist; j++) {
peer_list[j - 1] = peer_list[j];
+ synch[j - 1] = synch[j];
error[j - 1] = error[j];
}
nlist--;
/*
* What remains is a list usually not greater than sys_minclock
- * peers. We want only the peer at the lowest stratum to become
- * the system peer, although all survivors are eligible for the
- * combining algorithm. Check for prefer and pps peers at any
- * stratum. Note that the head of the list is at the lowest
- * stratum and that unsynchronized peers cannot survive this
- * far.
- *
- * Also, reset the association unreach timer for the first
- * sys_maxclock survivors. The rest, if preemptable, will be
- * kicked off the bus after timeout.
+ * peers. Note that the head of the list is the system peer at
+ * the lowest stratum and that unsynchronized peers cannot
+ * survive this far.
*
* While at it, count the number of leap warning bits found.
* This will be used later to vote the system leap warning bit.
* is always won.
*/
leap_vote = 0;
+ j = 0;
for (i = 0; i < nlist; i++) {
- sys_survivors++;
peer = peer_list[i];
- if (sys_survivors <= sys_maxclock)
- peer->unreach = 0;
+ peer->unreach = 0;
+ peer->status = CTL_PST_SEL_SYNCCAND;
+ sys_survivors++;
if (peer->leap == LEAP_ADDSECOND) {
if (peer->flags & FLAG_REFCLOCK)
leap_vote = nlist;
else
leap_vote++;
}
- peer->status = CTL_PST_SEL_SYNCCAND;
+ if (peer == osys_peer)
+ j = i;
if (peer->flags & FLAG_PREFER)
sys_prefer = peer;
- if (peer == osys_peer)
- typesystem = peer;
#ifdef REFCLOCK
if (peer->refclktype == REFCLK_ATOM_PPS)
sys_pps = peer;
#endif /* REFCLOCK */
-#if DEBUG
- if (debug > 2)
- printf("cluster: survivor %s metric %.6f\n",
- ntoa(&peer_list[i]->srcadr), synch[i]);
-#endif
}
/*
- * Anticlockhop provision. Keep the current system peer if it is
- * a survivor but not first in the list. But do that only HOPPER
- * times.
+ * Anticlockhop provisions. Ordinarily, use the first survivor
+ * on the list. However, if the previous system peer is on the
+ * list but not first, use it if the synchronization distance is
+ * not greater than the accumulation over the last sys_maxhop
+ * poll intervals.
*/
- if (typesystem == NULL || typesystem == peer_list[0] ||
- sys_hopper > sys_maxhop) {
+ if (synch[j] < synch[0] + sys_mindisp + ULOGTOD(sys_poll) *
+ sys_maxhop * clock_phi)
+ typesystem = peer_list[j];
+ else
typesystem = peer_list[0];
- sys_hopper = 0;
- } else {
- sys_hopper++;
- }
/*
* Mitigation rules of the game. There are several types of
sys_peer = sys_pps;
sys_peer->status = CTL_PST_SEL_PPS;
sys_offset = sys_peer->offset;
- if (!pps_control)
- NLOG(NLOG_SYNCSTATUS)
- msyslog(LOG_INFO,
- "pps sync enabled");
- pps_control = current_time;
#ifdef DEBUG
if (debug > 2)
printf("select: pps offset %.6f\n",
*/
sys_peer = typesystem;
sys_peer->status = CTL_PST_SEL_SYSPEER;
- clock_combine(peer_list, nlist);
+ clock_combine(peer_list, sys_survivors);
if (sys_peer->stratum == STRATUM_REFCLOCK ||
sys_peer->stratum == STRATUM_UNSPEC)
sys_refid = sys_peer->refid;
*/
sys_peer->flags |= FLAG_SYSPEER;
if (osys_peer != sys_peer) {
- char *src;
-
- report_event(EVNT_PEERSTCHG, NULL);
-
-#ifdef REFCLOCK
- if (sys_peer->flags & FLAG_REFCLOCK)
- src = refnumtoa(&sys_peer->srcadr);
- else
-#endif /* REFCLOCK */
- src = ntoa(&sys_peer->srcadr);
- NLOG(NLOG_SYNCSTATUS)
- msyslog(LOG_INFO, "synchronized to %s, stratum %d",
- src, sys_peer->stratum);
+ report_event(PEVNT_NEWPEER, sys_peer, NULL);
}
clock_update(sys_peer);
}
if (!peer->dstadr) /* drop peers without interface */
return;
- /*
- * Construct the packet header only if rate and crypto ok.
- */
- if (peer->flash & (TEST4 | TEST9))
- return;
-
xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap, peer->version,
peer->hmode);
xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
* might not be usable.
*/
sendlen = LEN_PKT_NOMAC;
- if (!(peer->flags & FLAG_AUTHENABLE)) {
+#ifdef OPENSSL
+ if (!(peer->flags & FLAG_SKEY) && peer->keyid == 0) {
+#else
+ if (peer->keyid == 0) {
+#endif /* OPENSSL */
get_systime(&peer->xmt);
HTONL_FP(&peer->xmt, &xpkt.xmt);
peer->t21_bytes = sendlen;
sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
&xpkt, sendlen);
peer->sent++;
- peer->throttle += 1 << peer->minpoll;
+ peer->throttle += (1 << peer->minpoll) - 2;
#ifdef DEBUG
if (debug)
printf("transmit: at %ld %s->%s mode %d len %d\n",
* modes; otherwise, symmetric key cryptography is used.
*/
#ifdef OPENSSL
- if (crypto_flags && (peer->flags & FLAG_SKEY)) {
+ if (peer->flags & FLAG_SKEY) {
struct exten *exten; /* extension field */
/*
break;
/*
- * In symmetric modes the digest, certificate, agreement
- * parameters, cookie and autokey values are required.
- * The leapsecond field is optional. But, a passive peer
- * will not believe the active peer until the latter has
- * synchronized, so the agreement must be postponed
- * until then. In any case, if a new keylist is
- * generated, the autokey values are pushed.
- *
- * If the crypto bit is lit, don't send requests.
+ * In symmetric modes the parameter, certificate,
+ * identity, cookie and autokey exchanges are
+ * required. The leapsecond exchange is optional. But, a
+ * peer will not believe the other peer until the other
+ * peer has synchronized, so the certificate exchange
+ * might loop until then. If a peer finds a broken
+ * autokey sequence, it uses the autokey exchange to
+ * retrieve the autokey values. In any case, if a new
+ * keylist is generated, the autokey values are pushed.
*/
case MODE_ACTIVE:
case MODE_PASSIVE:
/*
- * Parameter and certificate.
+ * Parameter, certificate and identity.
*/
if (!peer->crypto)
exten = crypto_args(peer, CRYPTO_ASSOC,
peer->associd, sys_hostname);
- else if (!(peer->crypto & CRYPTO_FLAG_VALID))
+ else if (!(peer->crypto & CRYPTO_FLAG_CERT))
exten = crypto_args(peer, CRYPTO_CERT,
peer->associd, peer->issuer);
-
- /*
- * Identity. Note we have to sign the
- * certificate before the cookie to avoid a
- * deadlock when the passive peer is walking the
- * certificate trail. Awesome.
- */
else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
exten = crypto_args(peer,
crypto_ident(peer), peer->associd,
NULL);
- else if (sys_leap != LEAP_NOTINSYNC &&
- !(peer->crypto & CRYPTO_FLAG_SIGN))
- exten = crypto_args(peer, CRYPTO_SIGN,
- peer->associd, sys_hostname);
/*
- * Autokey. We request the cookie only when the
- * server and client are synchronized and
- * signatures work both ways. On the other hand,
- * the active peer needs the autokey values
- * before then and when the passive peer is
- * waiting for the active peer to synchronize.
- * Any time we regenerate the key list, we offer
- * the autokey values without being asked.
+ * Cookie and autokey. We request the cookie
+ * only when the this peer and the other peer
+ * are synchronized. But, this peer needs the
+ * autokey values when the cookie is zero. Any
+ * time we regenerate the key list, we offer the
+ * autokey values without being asked. If for
+ * some reason either peer finds a broken
+ * autokey sequence, the autokey exchange is
+ * used to retrieve the autokey values.
*/
else if (sys_leap != LEAP_NOTINSYNC &&
peer->leap != LEAP_NOTINSYNC &&
- !(peer->crypto & CRYPTO_FLAG_AGREE))
+ !(peer->crypto & CRYPTO_FLAG_COOK))
exten = crypto_args(peer, CRYPTO_COOK,
peer->associd, NULL);
+ else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
+ exten = crypto_args(peer, CRYPTO_AUTO,
+ peer->assoc, NULL);
else if (peer->flags & FLAG_ASSOC)
exten = crypto_args(peer, CRYPTO_AUTO |
CRYPTO_RESP, peer->associd, NULL);
- else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
- exten = crypto_args(peer, CRYPTO_AUTO,
- peer->associd, NULL);
/*
- * Postamble. We trade leapsecond fields only
- * when the server and client are synchronized.
+ * Wait for clock sync, then sign the
+ * certificate and retrieve the leapsecond
+ * values.
*/
- else if (sys_leap != LEAP_NOTINSYNC &&
- peer->leap != LEAP_NOTINSYNC &&
- !(peer->crypto & CRYPTO_FLAG_LEAP))
- exten = crypto_args(peer, CRYPTO_TAI,
+ else if (sys_leap == LEAP_NOTINSYNC)
+ break;
+
+ else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
+ exten = crypto_args(peer, CRYPTO_SIGN,
+ peer->associd, sys_hostname);
+ else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
+ exten = crypto_args(peer, CRYPTO_LEAP,
peer->associd, NULL);
break;
/*
- * In client mode the digest, certificate, agreement
- * parameters and cookie are required. The leapsecond
- * field is optional. If broadcast client mode, the
- * autokey values are required as well. In broadcast
- * client mode, these values must be acquired during the
- * client/server exchange to avoid having to wait until
- * the next key list regeneration. Otherwise, the poor
- * dude may die a lingering death until becoming
- * unreachable and attempting rebirth.
- *
- * If neither the server or client have the agreement
- * parameters, the protocol transmits the cookie in the
- * clear. If the server has the parameters, the client
- * requests them and the protocol blinds it using the
- * agreed key. It is a protocol error if the client has
- * the parameters but the server does not.
- *
- * If the crypto bit is lit, don't send requests.
+ * In client mode the parameter, certificate, identity,
+ * cookie and sign exchanges are required. The
+ * leapsecond exchange is optional. If broadcast client
+ * mode the same exchanges are required, except that the
+ * autokey exchange is substitutes for the cookie
+ * exchange, since the cookie is always zero. If the
+ * broadcast client finds a broken autokey sequence, it
+ * uses the autokey exchange to retrieve the autokey
+ * values.
*/
case MODE_CLIENT:
/*
- * Parameter and certificate.
+ * Parameter, certificate and identity.
*/
if (!peer->crypto)
exten = crypto_args(peer, CRYPTO_ASSOC,
peer->associd, sys_hostname);
- else if (!(peer->crypto & CRYPTO_FLAG_VALID))
+ else if (!(peer->crypto & CRYPTO_FLAG_CERT))
exten = crypto_args(peer, CRYPTO_CERT,
peer->associd, peer->issuer);
-
- /*
- * Identity. Nothing special here.
- */
else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
exten = crypto_args(peer,
crypto_ident(peer), peer->associd,
NULL);
/*
- * Cookie and autokey data. In broadcast client
- * mode we request the autokey values now to
- * avoid having to wait for the next key list.
+ * Cookie and autokey. These are requests, but
+ * we use the peer association ID with autokey
+ * rather than our own.
*/
- else if (!(peer->crypto & CRYPTO_FLAG_AGREE))
+ else if (!(peer->crypto & CRYPTO_FLAG_COOK))
exten = crypto_args(peer, CRYPTO_COOK,
peer->associd, NULL);
- else if (!(peer->crypto & CRYPTO_FLAG_AUTO) &&
- (peer->cast_flags & MDF_BCLNT))
+ else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
exten = crypto_args(peer, CRYPTO_AUTO,
peer->assoc, NULL);
/*
- * Postamble. We can sign the certificate here,
- * since there is no chance of deadlock.
+ * Wait for clock sync, then sign the
+ * certificate and retrieve the leapsecond
+ * values.
*/
- else if (sys_leap != LEAP_NOTINSYNC &&
- !(peer->crypto & CRYPTO_FLAG_SIGN))
+ else if (sys_leap == LEAP_NOTINSYNC)
+ break;
+
+ else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
exten = crypto_args(peer, CRYPTO_SIGN,
peer->associd, sys_hostname);
- else if (sys_leap != LEAP_NOTINSYNC &&
- !(peer->crypto & CRYPTO_FLAG_LEAP))
- exten = crypto_args(peer, CRYPTO_TAI,
+ else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
+ exten = crypto_args(peer, CRYPTO_LEAP,
peer->associd, NULL);
break;
}
/*
- * Build the extension fields as directed. A response to
- * a request is always sent, even if an error. If an
- * error occurs when sending a request, the crypto
- * machinery broke or was misconfigured. In that case
- * light the crypto bit to suppress further requests.
+ * Add a queued extension field if present. This is
+ * always a request message, so the reply ID is already
+ * in the message. If an error occurs, the error bit is
+ * lit in the response.
*/
if (peer->cmmd != NULL) {
- peer->cmmd->associd = htonl(peer->associd);
- crypto_xmit(&xpkt, &peer->srcadr, &sendlen,
+ u_int32 temp32;
+
+ temp32 = CRYPTO_RESP;
+ peer->cmmd->opcode |= htonl(temp32);
+ crypto_xmit(peer, &xpkt, NULL, &sendlen,
peer->cmmd, 0);
free(peer->cmmd);
peer->cmmd = NULL;
}
+
+ /*
+ * Add an extension field created above. All but the
+ * autokey response message are request messages.
+ */
if (exten != NULL) {
if (exten->opcode != 0)
- crypto_xmit(&xpkt, &peer->srcadr,
- &sendlen, exten, 0);
+ crypto_xmit(peer, &xpkt, NULL, &sendlen,
+ exten, 0);
free(exten);
}
/*
- * If extension fields are present, we must use a
- * private cookie value of zero. Don't send if the
- * crypto bit is set and no extension field is present,
- * but in that case give back the key. Most intricate.
+ * Calculate the next session key. Since extension
+ * fields are present, the cookie value is zero.
*/
if (sendlen > LEN_PKT_NOMAC) {
session_key(&peer->dstadr->sin, &peer->srcadr,
HTONL_FP(&peer->xmt, &xpkt.xmt);
authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
if (authlen == 0) {
- msyslog(LOG_NOTICE, "transmit: %s key %u not found",
- stoa(&peer->srcadr), xkeyid);
- peer_clear(peer, "CRYP");
- peer->flash |= TEST9; /* no key found */
+ report_event(PEVNT_AUTH, peer, "no key");
+ peer->flash |= TEST5; /* auth error */
+ peer->badauth++;
return;
}
sendlen += authlen;
#endif /* OPENSSL */
get_systime(&xmt_tx);
if (sendlen > sizeof(xpkt)) {
- msyslog(LOG_ERR, "buffer overflow %u", sendlen);
+ msyslog(LOG_ERR, "proto: buffer overflow %u", sendlen);
exit (-1);
}
peer->t21_bytes = sendlen;
sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,
sendlen);
peer->sent++;
- peer->throttle += 1 << peer->minpoll;
+ peer->throttle += (1 << peer->minpoll) - 2;
/*
* Calculate the encryption delay. Keep the minimum over
/*
* Initialize transmit packet header fields from the receive
- * buffer provided. We leave some fields intact as received. If
- * the gazinta was from a multicast address, the gazoutta must
- * go out another way.
+ * buffer provided. We leave the fields intact as received, but
+ * set the peer poll at the maximum of the receive peer poll and
+ * the system minimum poll (ntp_minpoll). This is for KoD rate
+ * control and not strictly specification compliant, but doesn't
+ * break anything.
+ *
+ * If the gazinta was from a multicast address, the gazoutta
+ * must go out another way.
*/
rpkt = &rbufp->recv_pkt;
if (rbufp->dstadr->flags & INT_MCASTOPEN)
/*
* If this is a kiss-o'-death (KoD) packet, show leap
* unsynchronized, stratum zero, reference ID the four-character
- * kiss code and system root delay. Note the rate limit on these
- * packets. Once a second initialize a bucket counter. Every
- * packet sent decrements the counter until reaching zero. If
- * the counter is zero, drop the kiss. Note also we don't reveal
- * the local time, so these packets can't be used for
+ * kiss code and system root delay. Note we don't reveal the
+ * local time, so these packets can't be used for
* synchronization.
*/
if (mask != NULL) {
xpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOTINSYNC,
PKT_VERSION(rpkt->li_vn_mode), xmode);
xpkt.stratum = STRATUM_PKT_UNSPEC;
+ xpkt.ppoll = max(rpkt->ppoll, ntp_minpoll);
memcpy(&xpkt.refid, mask, 4);
xpkt.org = rpkt->xmt;
xpkt.rec = rpkt->xmt;
xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap,
PKT_VERSION(rpkt->li_vn_mode), xmode);
xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
- xpkt.ppoll = rpkt->ppoll;
+ xpkt.ppoll = max(rpkt->ppoll, ntp_minpoll);
xpkt.precision = sys_precision;
xpkt.refid = sys_refid;
xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
*/
cookie = session_key(&rbufp->recv_srcadr,
&rbufp->dstadr->sin, 0, sys_private, 0);
- if (rbufp->recv_length >= (int)(sendlen + MAX_MAC_LEN +
- 2 * sizeof(u_int32))) {
+ if (rbufp->recv_length >= sendlen + MAX_MAC_LEN + 2 *
+ sizeof(u_int32)) {
session_key(&rbufp->dstadr->sin,
&rbufp->recv_srcadr, xkeyid, 0, 2);
temp32 = CRYPTO_RESP;
rpkt->exten[0] |= htonl(temp32);
- crypto_xmit(&xpkt, &rbufp->recv_srcadr,
- &sendlen, (struct exten *)rpkt->exten,
- cookie);
+ crypto_xmit(NULL, &xpkt, rbufp, &sendlen,
+ (struct exten *)rpkt->exten, cookie);
} else {
session_key(&rbufp->dstadr->sin,
&rbufp->recv_srcadr, xkeyid, cookie, 2);
*/
if (peer->leap == LEAP_NOTINSYNC || peer->stratum < sys_floor ||
peer->stratum >= sys_ceiling)
- rval |= TEST10; /* stratum out of bounds */
+ rval |= TEST10; /* bad synch or stratum */
/*
* A distance error for a remote peer occurs if the root
if (peer->stratum > 1 && peer->refid != htonl(LOOPBACKADR) &&
(peer->refid == (peer->dstadr ? peer->dstadr->addr_refid :
0) || peer->refid == sys_refid))
- rval |= TEST12; /* synch loop */
+ rval |= TEST12; /* synchronization loop */
/*
* An unreachable error occurs if the server is unreachable or
* the noselect bit is set.
*/
- if (!peer->reach || peer->flags & FLAG_NOSELECT)
+ if (!peer->reach || (peer->flags & FLAG_NOSELECT))
rval |= TEST13; /* unreachable */
peer->flash &= ~PEER_TEST_MASK;
/*
* Find the nearest power of two.
*/
- msyslog(LOG_NOTICE, "precision = %.3f usec", tick * 1e6);
+ msyslog(LOG_NOTICE, "proto: precision = %.3f usec", tick * 1e6);
for (i = 0; tick <= 1; i++)
tick *= 2;
if (tick - 1. > 1. - tick / 2)
sys_authenticate = 1;
L_CLR(&sys_authdelay);
sys_authdly[0] = sys_authdly[1] = 0;
- sys_stattime = 0;
+ sys_stattime = current_time;
proto_clr_stats();
for (i = 0; i < MAX_TTL; i++) {
sys_ttl[i] = (u_char)((i * 256) / MAX_TTL);
default:
msyslog(LOG_NOTICE,
- "proto_config: unsupported option %d", item);
+ "proto: unsupported option %d", item);
}
}
return;
switch (code) {
- case CEVNT_NOMINAL:
- break;
case CEVNT_TIMEOUT:
pp->noreply++;
case CEVNT_FAULT:
break;
- case CEVNT_PROP:
- break;
-
case CEVNT_BADDATE:
case CEVNT_BADTIME:
pp->baddata++;
break;
default:
- /* shouldn't happen */
+ /* ignore others */
break;
}
-
- if (pp->currentstatus != code) {
- pp->currentstatus = (u_char)code;
-
- /* RFC1305: copy only iff not CEVNT_NOMINAL */
- if (code != CEVNT_NOMINAL)
- pp->lastevent = (u_char)code;
-
- if (code == CEVNT_FAULT)
- msyslog(LOG_ERR,
- "clock %s event '%s' (0x%02x)",
- refnumtoa(&peer->srcadr),
- ceventstr(code), code);
- else {
- NLOG(NLOG_CLOCKEVENT)
- msyslog(LOG_INFO,
- "clock %s event '%s' (0x%02x)",
- refnumtoa(&peer->srcadr),
- ceventstr(code), code);
- }
-
- /* RFC1305: post peer clock event */
- report_event(EVNT_PEERCLOCK, peer);
- }
+ if (pp->lastevent < 15)
+ pp->lastevent++;
+ if (pp->currentstatus != code)
+ pp->currentstatus = code;
+ report_event(PEVNT_CLOCK, peer, ceventstr(code));
}
+
/*
* init_refclock - initialize the reference clock drivers
*
peer->outdate = current_time;
if (!peer->reach) {
if (oreach) {
- report_event(EVNT_UNREACH, peer);
+ report_event(PEVNT_UNREACH, peer, NULL);
peer->timereachable = current_time;
}
} else {
peer->received++;
peer->timereceived = current_time;
if (!peer->reach) {
- report_event(EVNT_REACH, peer);
+ report_event(PEVNT_REACH, peer, NULL);
peer->timereachable = current_time;
}
peer->reach |= 1;
return;
clock_filter(peer, pp->offset, 0., pp->jitter);
- if (cal_enable && last_offset < MINDISPERSE) {
-#ifdef KERNEL_PLL
- if (peer != sys_peer || pll_status & STA_PPSTIME)
-#else
- if (peer != sys_peer)
-#endif /* KERNEL_PLL */
+ if (cal_enable && fabs(last_offset) < sys_mindisp && sys_peer !=
+ NULL) {
+ if (sys_peer->refclktype == REFCLK_ATOM_PPS &&
+ peer->refclktype != REFCLK_ATOM_PPS)
pp->fudgetime1 -= pp->offset * FUDGEFAC;
- else
- pp->fudgetime1 -= pp->fudgetime1 * FUDGEFAC;
}
}
ips->flags |= INFO_FLAG_CONFIG;
if (pp->flags & FLAG_REFCLOCK)
ips->flags |= INFO_FLAG_REFCLOCK;
- if (pp->flags & FLAG_AUTHENABLE)
- ips->flags |= INFO_FLAG_AUTHENABLE;
if (pp->flags & FLAG_PREFER)
ips->flags |= INFO_FLAG_PREFER;
if (pp->flags & FLAG_BURST)
ip->flags |= INFO_FLAG_CONFIG;
if (pp->flags & FLAG_REFCLOCK)
ip->flags |= INFO_FLAG_REFCLOCK;
- if (pp->flags & FLAG_AUTHENABLE)
- ip->flags |= INFO_FLAG_AUTHENABLE;
if (pp->flags & FLAG_PREFER)
ip->flags |= INFO_FLAG_PREFER;
if (pp->flags & FLAG_BURST)
ip->unreach = (u_char) pp->unreach;
ip->flash = (u_char)pp->flash;
ip->flash2 = (u_short) pp->flash;
- ip->estbdelay = HTONS_FP(DTOFP(pp->estbdelay));
+ ip->estbdelay = HTONS_FP(DTOFP(pp->delay));
ip->ttl = pp->ttl;
ip->associd = htons(pp->associd);
ip->rootdelay = HTONS_FP(DTOUFP(pp->rootdelay));
ip->flags |= INFO_FLAG_CONFIG;
if (pp->flags & FLAG_REFCLOCK)
ip->flags |= INFO_FLAG_REFCLOCK;
- if (pp->flags & FLAG_AUTHENABLE)
- ip->flags |= INFO_FLAG_AUTHENABLE;
if (pp->flags & FLAG_PREFER)
ip->flags |= INFO_FLAG_PREFER;
if (pp->flags & FLAG_BURST)
&& temp_cp.hmode != MODE_CLIENT
&& temp_cp.hmode != MODE_BROADCAST)
fl = 1;
- if (temp_cp.flags & ~(CONF_FLAG_AUTHENABLE | CONF_FLAG_PREFER
- | CONF_FLAG_BURST | CONF_FLAG_IBURST | CONF_FLAG_SKEY))
- fl = 1;
+ if (temp_cp.flags & ~(CONF_FLAG_PREFER | CONF_FLAG_BURST |
+ CONF_FLAG_IBURST | CONF_FLAG_SKEY))
+ fl = 1;
cp = (struct conf_peer *)
((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
}
memset((char *)&peeraddr, 0, sizeof(struct sockaddr_storage));
fl = 0;
- if (temp_cp.flags & CONF_FLAG_AUTHENABLE)
- fl |= FLAG_AUTHENABLE;
if (temp_cp.flags & CONF_FLAG_PREFER)
fl |= FLAG_PREFER;
if (temp_cp.flags & CONF_FLAG_BURST)
u_long leapsec; /* leapseconds countdown */
#ifdef OPENSSL
static u_long revoke_timer; /* keys revoke timer */
-u_long sys_revoke = KEY_REVOKE; /* keys revoke timeout */
static u_long keys_timer; /* session key timer */
-u_long sys_automax = NTP_AUTOMAX; /* session key timeout */
+u_long sys_revoke = KEY_REVOKE; /* keys revoke timeout (log2 s) */
+u_long sys_automax = NTP_AUTOMAX; /* key list timeout (log2 s) */
#endif /* OPENSSL */
/*
#else /* KERNEL_PLL */
step_systime(-1.0);
#endif /* KERNEL_PLL */
- msyslog(LOG_NOTICE,
- "leapsecond event %lu TAI %d",
- current_time, sys_tai);
+ report_event(EVNT_LEAP, NULL, NULL);
} else {
if (leapsec < DAY)
sys_leap = LEAP_ADDSECOND;
* Garbage collect expired keys.
*/
if (keys_timer <= current_time) {
- keys_timer += sys_automax;
+ keys_timer += 1 << sys_automax;
auth_agekeys();
}
*/
if (revoke_timer <= current_time && sys_leap !=
LEAP_NOTINSYNC) {
- revoke_timer += sys_revoke;
- expire_all();
+ revoke_timer += 1 << sys_revoke;
+ RAND_bytes((u_char *)&sys_private, 4);
}
#endif /* OPENSSL */
char *leapseconds_file_name; /* leapseconds file name */
char *stats_drift_file; /* frequency file name */
static char *stats_temp_file; /* temp frequency file name */
-static double wander_resid; /* wander threshold */
+double wander_resid; /* wander threshold */
double wander_threshold = 1e-7; /* initial wander threshold */
int drift_file_sw; /* clock update switch */
static FILEGEN clockstats;
static FILEGEN rawstats;
static FILEGEN sysstats;
+static FILEGEN protostats;
/*
* This controls whether stats are written to the fileset. Provided
* Static prototypes
*/
static int leap_file(FILE *);
+static void record_sys_stats(void);
/*
* init_util - initialize the utilities
filegen_register(&statsdir[0], "clockstats", &clockstats);
filegen_register(&statsdir[0], "rawstats", &rawstats);
filegen_register(&statsdir[0], "sysstats", &sysstats);
+ filegen_register(&statsdir[0], "protostats", &protostats);
#ifdef OPENSSL
filegen_register(&statsdir[0], "cryptostats", &cryptostats);
#endif /* OPENSSL */
#endif /* VMS */
#endif /* DOSYNCTODR */
record_sys_stats();
- clock_stepcnt = 0;
ftemp = fabs(prev_drift_comp - drift_comp);
prev_drift_comp = drift_comp;
if (ftemp > clock_phi)
clock_stability * 1e6, wander_resid * 1e6,
drift_comp * 1e6);
#endif
- if (state == 4 && clock_stability > wander_resid) {
+ if (sys_leap != LEAP_NOTINSYNC && clock_stability >
+ wander_resid) {
wander_resid = wander_threshold;
if ((fp = fopen(stats_temp_file, "w")) == NULL)
{
sysstats.fp = NULL;
filegen_setup(&sysstats, now.l_ui);
}
+ if(protostats.prefix == &statsdir[0] &&
+ protostats.fp != NULL) {
+ fclose(protostats.fp);
+ protostats.fp = NULL;
+ filegen_setup(&protostats, now.l_ui);
+ }
#ifdef OPENSSL
if(cryptostats.prefix == &statsdir[0] &&
cryptostats.fp != NULL) {
* record_peer_stats - write peer statistics to file
*
* file format:
- * day (mjd)
+ * day (MJD)
* time (s past UTC midnight)
- * peer (ip address)
- * peer status word (hex)
- * peer offset (s)
- * peer delay (s)
- * peer error bound (s)
- * peer error (s)
+ * IP address
+ * status word (hex)
+ * offset
+ * delay
+ * dispersion
+ * jitter
*/
void
record_peer_stats(
struct sockaddr_storage *addr,
int status,
- double offset,
- double delay,
- double dispersion,
- double skew
+ double offset, /* offset */
+ double delay, /* delay */
+ double dispersion, /* dispersion */
+ double jitter /* jitter */
)
{
l_fp now;
fprintf(peerstats.fp,
"%lu %s %s %x %.9f %.9f %.9f %.9f\n", day,
ulfptoa(&now, 3), stoa(addr), status, offset,
- delay, dispersion, skew);
+ delay, dispersion, jitter);
fflush(peerstats.fp);
}
}
* record_loop_stats - write loop filter statistics to file
*
* file format:
- * day (mjd)
+ * day (MJD)
* time (s past midnight)
- * offset (s)
- * frequency (approx ppm)
- * time constant (log base 2)
+ * offset
+ * frequency (PPM)
+ * jitter
+ * wnder (PPM)
+ * time constant (log2)
*/
void
record_loop_stats(
- double offset,
- double freq,
- double jitter,
- double stability,
+ double offset, /* offset */
+ double freq, /* frequency (PPM) */
+ double jitter, /* jitter */
+ double wander, /* wander (PPM) */
int spoll
)
{
if (loopstats.fp != NULL) {
fprintf(loopstats.fp, "%lu %s %.9f %.3f %.9f %.6f %d\n",
day, ulfptoa(&now, 3), offset, freq * 1e6, jitter,
- stability * 1e6, spoll);
+ wander * 1e6, spoll);
fflush(loopstats.fp);
}
}
* record_clock_stats - write clock statistics to file
*
* file format:
- * day (mjd)
+ * day (MJD)
* time (s past midnight)
- * peer (ip address)
+ * IP address
* text message
*/
void
* record_raw_stats - write raw timestamps to file
*
* file format
+ * day (MJD)
* time (s past midnight)
* peer ip address
- * local ip address
+ * IP address
* t1 t2 t3 t4 timestamps
*/
void
struct sockaddr_storage *srcadr,
struct sockaddr_storage *dstadr,
l_fp *t1, /* originate timestamp */
- l_fp *t2, /* receiver timestamp */
+ l_fp *t2, /* receive timestamp */
l_fp *t3, /* transmit timestamp */
l_fp *t4 /* destination timestamp */
)
* record_sys_stats - write system statistics to file
*
* file format
- ^ day (mjd)
+ * day (MJD)
* time (s past midnight)
- * time since startup (hr)
+ * time since reset
* packets recieved
- * packets processed
+ * packets for this host
* current version
- * previous version
+ * old version
* access denied
* bad length or format
* bad authentication
if (sysstats.fp != NULL) {
fprintf(sysstats.fp,
"%lu %s %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu\n",
- day, ulfptoa(&now, 3), sys_stattime / 3600,
+ day, ulfptoa(&now, 3), sys_stattime - current_time,
sys_received, sys_processed, sys_newversion,
sys_oldversion, sys_restricted, sys_badlength,
sys_badauth, sys_declined, sys_limitrejected,
}
+/*
+ * record_proto_stats - write system statistics to file
+ *
+ * file format
+ * day (MJD)
+ * time (s past midnight)
+ * text message
+ */
+void
+record_proto_stats(
+ char *str /* text string */
+ )
+{
+ l_fp now;
+ u_long day;
+
+ if (!stats_control)
+ return;
+
+ get_systime(&now);
+ filegen_setup(&protostats, now.l_ui);
+ day = now.l_ui / 86400 + MJD_1900;
+ now.l_ui %= 86400;
+ if (protostats.fp != NULL) {
+ fprintf(protostats.fp, "%lu %s %s\n", day,
+ ulfptoa(&now, 3), str);
+ fflush(protostats.fp);
+ }
+}
+
+
#ifdef OPENSSL
/*
* record_crypto_stats - write crypto statistics to file
* file format:
* day (mjd)
* time (s past midnight)
- * peer (ip address)
+ * peer ip address
* text message
*/
void
now.l_ui %= 86400;
if (cryptostats.fp != NULL) {
if (addr == NULL)
- fprintf(cryptostats.fp, "%lu %s %s\n",
+ fprintf(cryptostats.fp, "%lu %s 0.0.0.0 %s\n",
day, ulfptoa(&now, 3), text);
else
fprintf(cryptostats.fp, "%lu %s %s %s\n",
* Get the configuration. This is done in a separate module
* since this will definitely be different for the gizmo board.
*/
-
getconfig(argc, argv);
-
+ report_event(EVNT_SYSRESTART, NULL, NULL);
loop_config(LOOP_DRIFTCOMP, old_drift);
initializing = 0;
} /* if( droproot ) */
#endif /* HAVE_DROPROOT */
- /*
- * Report that we're up to any trappers
- */
- report_event(EVNT_SYSRESTART, (struct peer *)0);
-
/*
* Use select() on all on all input fd's for unlimited
* time. select() will terminate on SIGALARM or on the
/*
* What to do depends on the state and the first token in the
- * message. A NO token sends the message to the clockstats.
- */
+ * message. */
pp = peer->procptr;
up = (struct actsunit *)pp->unitptr;
-#ifdef DEBUG
ioctl(pp->io.fd, TIOCMGET, (char *)&modem);
- sprintf(tbuf, "acts: %04x (%d %d) %d %s", modem, up->state,
- up->timer, strlen(pp->a_lastcode), pp->a_lastcode);
+#ifdef DEBUG
+ snprintf(tbuf, sizeof(tbuf), "acts: %04x (%d %d) %d %s", modem,
+ up->state, up->timer, strlen(pp->a_lastcode),
+ pp->a_lastcode);
if (debug)
printf("%s\n", tbuf);
#endif
+
+ /*
+ * Extract the first token in the line. A NO token sends the
+ * message to the clockstats.
+ */
strncpy(tbuf, pp->a_lastcode, SMAX);
strtok(tbuf, " ");
- if (strcmp(tbuf, "NO") == 0)
- record_clock_stats(&peer->srcadr, pp->a_lastcode);
+ if (strcmp(tbuf, "NO") == 0) {
+ report_event(PEVNT_CLOCK, peer, pp->a_lastcode);
+ return;
+ }
switch(up->state) {
/*
* here is token CONNECT. Send the message to the clockstats.
*/
case S_CONNECT:
- record_clock_stats(&peer->srcadr, pp->a_lastcode);
+ report_event(PEVNT_CLOCK, peer, pp->a_lastcode);
if (strcmp(tbuf, "CONNECT") != 0) {
acts_disc(peer);
return;
if (!refclock_process(pp)) {
refclock_report(peer, CEVNT_BADTIME);
return;
- }
+ }
pp->lastref = pp->lastrec;
- if (peer->disp > MAXDISTANCE)
- refclock_receive(peer);
if (up->state != S_MSG) {
up->state = S_MSG;
up->timer = TIMECODE;
int fd;
char device[20];
char lockfile[128], pidbuf[8];
- char tbuf[BMAX];
+ char tbuf[SMAX];
/*
* The state machine is driven by messages from the modem, when
* file may not be removed.
*/
if (pp->sloppyclockflag & CLK_FLAG2) {
- sprintf(lockfile, LOCKFILE, up->unit);
+ snprintf(lockfile, sizeof(lockfile), LOCKFILE,
+ up->unit);
fd = open(lockfile, O_WRONLY | O_CREAT | O_EXCL,
0644);
if (fd < 0) {
msyslog(LOG_ERR, "acts: port busy");
return;
}
- sprintf(pidbuf, "%d\n", (u_int)getpid());
+ snprintf(pidbuf, sizeof(pidbuf), "%d\n",
+ (u_int)getpid());
write(fd, pidbuf, strlen(pidbuf));
close(fd);
}
* Open the device in raw mode and link the I/O.
*/
if (!pp->io.fd) {
- sprintf(device, DEVICE, up->unit);
+ snprintf(device, sizeof(device), DEVICE,
+ up->unit);
fd = refclock_open(device, SPEED232,
LDISC_ACTS | LDISC_RAW | LDISC_REMOTE);
if (fd == 0) {
* before hammering it with a dial command.
*/
case S_DTR:
- sprintf(tbuf, "DIAL #%d %s", up->retry,
+ snprintf(tbuf, sizeof(tbuf), "DIAL #%d %s", up->retry,
sys_phone[up->retry]);
- record_clock_stats(&peer->srcadr, tbuf);
+ report_event(PEVNT_CLOCK, peer, tbuf);
#ifdef DEBUG
if (debug)
printf("%s\n", tbuf);
io_closeclock(&pp->io);
close(pp->io.fd);
if (pp->sloppyclockflag & CLK_FLAG2) {
- sprintf(lockfile, LOCKFILE, up->unit);
+ snprintf(lockfile, sizeof(lockfile),
+ LOCKFILE, up->unit);
unlink(lockfile);
}
pp->io.fd = 0;
/*
* We get here if the call terminated successfully or if an
- * error occured. If the median filter has something in it,feed
- * the data to the clock filter. If a modem port, drop DTR to
- * force command mode and send modem hangup.
+ * error occured. If the median filter has something in it,
+ * feed the data to the clock filter. If a modem port, drop DTR
+ * to force command mode and send modem hangup.
*/
pp = peer->procptr;
up = (struct actsunit *)pp->unitptr;
/*
* If the mode is nonzero, use that for the time_pps_setparams()
- * mode; otherwise, PPS_CAPTUREASSERT. Enable kernel PPS if
- * flag3 is lit.
+ * mode; otherwise, PPS_CAPTUREASSERT.
*/
mode = peer->ttl;
if (mode == 0)
"refclock_atom: time_pps_kcbind failed: %m");
return (0);
}
- pps_enable = 1;
}
#if DEBUG
if (debug) {
* set from the prefer peer, unless overriden by a fudge
* command.
*/
+ pps_enable = 0;
if (pp->codeproc == pp->coderecv) {
refclock_report(peer, CEVNT_TIMEOUT);
return;
pp->codeproc = pp->coderecv;
return;
}
+ if (pp->sloppyclockflag & CLK_FLAG3)
+ pps_enable = 1;
pp->leap = sys_prefer->leap;
if (pp->stratum >= STRATUM_UNSPEC)
peer->stratum = sys_prefer->stratum;
* Another application for this driver is if you want to use a
* particular server's clock as the clock of last resort when all other
* normal synchronization sources have gone away. This is especially
- * useful if that server has an ovenized oscillator. For this you would
- * configure this driver at a higher stratum (say 5) to prevent the
- * server's stratum from falling below that.
+ * useful if that server has an ovenized oscillator.
*
* A third application for this driver is when an external discipline
* source is available, such as the NIST "lockclock" program, which
* In the default mode the behavior of the clock selection algorithm is
* modified when this driver is in use. The algorithm is designed so
* that this driver will never be selected unless no other discipline
- * source is available. This can be overriden with the prefer keyword of
- * the server configuration command, in which case only this driver will
- * be selected for synchronization and all other discipline sources will
- * be ignored. This behavior is intended for use when an external
- * discipline source controls the system clock.
+ * source is available.
*
* Fudge Factors
*
* The stratum for this driver set at 5 by default, but it can be
* changed by the fudge command and/or the ntpdc utility. The reference
- * ID is 127.0.0.1 by default, but can be changed using the same mechanism.
- * *NEVER* configure this driver to operate at a stratum which might
- * possibly disrupt a client with access to a bona fide primary server,
- * unless the local clock oscillator is reliably disciplined by another
- * source. *NEVER NEVER* configure a server which might devolve to an
- * undisciplined local clock to use multicast mode. Always remember that
- * an improperly configured local clock driver let loose in the Internet
- * can cause very serious disruption. This is why most of us who care
- * about good time use cryptographic authentication.
+ * ID is 127.0.0.1 by default, but can be changed using the same
+ * mechanism.
*
* This driver provides a mechanism to trim the local clock in both time
* and frequency, as well as a way to manipulate the leap bits. The
#endif /* KERNEL_PLL LOCKCLOCK */
struct refclockproc *pp;
+ /*
+ * Do no evil unless the house is dark or lit with our own lamp.
+ */
+ if (!(sys_peer == NULL || sys_peer == peer))
+ return;
+
#if defined(VMS) && defined(VMS_LOCALUNIT)
if (unit == VMS_LOCALUNIT) {
extern void vms_local_poll(struct peer *);
return;
}
#endif /* VMS && VMS_LOCALUNIT */
+
pp = peer->procptr;
pp->polls++;
/*
* Old CTL_PST defines for version 2.
*/
-#define OLD_CTL_PST_CONFIG 0x80
+#define OLD_CTL_PST_CONFIG 0x80
#define OLD_CTL_PST_AUTHENABLE 0x40
#define OLD_CTL_PST_AUTHENTIC 0x20
-#define OLD_CTL_PST_REACH 0x10
-#define OLD_CTL_PST_SANE 0x08
-#define OLD_CTL_PST_DISP 0x04
+#define OLD_CTL_PST_REACH 0x10
+#define OLD_CTL_PST_SANE 0x08
+#define OLD_CTL_PST_DISP 0x04
+
#define OLD_CTL_PST_SEL_REJECT 0
#define OLD_CTL_PST_SEL_SELCAND 1
#define OLD_CTL_PST_SEL_SYNCCAND 2
#define OLD_CTL_PST_SEL_SYSPEER 3
-
char flash2[] = " .+* "; /* flash decode for version 2 */
char flash3[] = " x.-+#*o"; /* flash decode for peer status version 3 */
return 1;
}
- (void) fprintf(fp,"assID=%d ",associd);
+ (void) fprintf(fp,"associd=%d ",associd);
printvars(dsize, datap, (int)rstatus, type, fp);
return 1;
}
if (dsize == 0)
(void) fprintf(fp, "done! (no data returned)\n");
else {
- (void) fprintf(fp,"assID=%d ",associd);
+ (void) fprintf(fp,"associd=%d ",associd);
printvars(dsize, datap, (int)rstatus,
(associd != 0) ? TYPE_PEER : TYPE_SYS, fp);
}
if (dsize == 0)
(void) fprintf(fp, "done! (no data returned)\n");
else {
- (void) fprintf(fp,"assID=%d ",associd);
+ (void) fprintf(fp,"associd=%d ",associd);
printvars(dsize, datap, (int)rstatus,
(associd != 0) ? TYPE_PEER : TYPE_SYS, fp);
}
}
if (assid2 == 0 || assid2 > 65535) {
- (void) fprintf(stderr,
- "***Invalid association ID %lu specified\n", (u_long)assid2);
+ fprintf(stderr,
+ "***Invalid association ID %lu specified\n", (u_long)assid2);
return 0;
}
* Output a header
*/
(void) fprintf(fp,
- "\nind assID status conf reach auth condition last_event cnt\n");
+ "\nind assid status conf reach auth condition last_event cnt\n");
(void) fprintf(fp,
"===========================================================\n");
for (i = 0; i < numassoc; i++) {
conf = "yes";
else
conf = "no";
- if (statval & CTL_PST_REACH || 1) {
- reach = "yes";
+ if (statval & CTL_PST_BCAST) {
+ reach = "none";
+ if (statval & CTL_PST_AUTHENABLE)
+ auth = "yes";
+ else
+ auth = "none";
+ } else {
+ if (statval & CTL_PST_REACH)
+ reach = "yes";
+ else
+ reach = "no";
if (statval & CTL_PST_AUTHENABLE) {
if (statval & CTL_PST_AUTHENTIC)
auth = "ok ";
else
auth = "bad";
- } else
+ } else {
auth = "none";
+ }
+ }
+ if (pktversion > NTP_OLDVERSION) {
+ switch (statval & 0x7) {
- if (pktversion > NTP_OLDVERSION)
- switch (statval & 0x7) {
- case CTL_PST_SEL_REJECT:
- condition = "reject";
- break;
- case CTL_PST_SEL_SANE:
- condition = "falsetick";
- break;
- case CTL_PST_SEL_CORRECT:
- condition = "excess";
- break;
- case CTL_PST_SEL_SELCAND:
- condition = "outlyer";
- break;
- case CTL_PST_SEL_SYNCCAND:
- condition = "candidat";
- break;
- case CTL_PST_SEL_DISTSYSPEER:
- condition = "selected";
- break;
- case CTL_PST_SEL_SYSPEER:
- condition = "sys.peer";
- break;
- case CTL_PST_SEL_PPS:
- condition = "pps.peer";
- break;
- }
- else
- switch (statval & 0x3) {
- case OLD_CTL_PST_SEL_REJECT:
- if (!(statval & OLD_CTL_PST_SANE))
+ case CTL_PST_SEL_REJECT:
+ condition = "reject";
+ break;
+
+ case CTL_PST_SEL_SANE:
+ condition = "falsetick";
+ break;
+
+ case CTL_PST_SEL_CORRECT:
+ condition = "excess";
+ break;
+
+ case CTL_PST_SEL_SELCAND:
+ condition = "outlyer";
+ break;
+
+ case CTL_PST_SEL_SYNCCAND:
+ condition = "candidate";
+ break;
+
+ case CTL_PST_SEL_EXCESS:
+ condition = "backup";
+ break;
+
+ case CTL_PST_SEL_SYSPEER:
+ condition = "sys.peer";
+ break;
+
+ case CTL_PST_SEL_PPS:
+ condition = "pps.peer";
+ break;
+ }
+ } else {
+ switch (statval & 0x3) {
+
+ case OLD_CTL_PST_SEL_REJECT:
+ if (!(statval & OLD_CTL_PST_SANE))
condition = "insane";
- else if (!(statval & OLD_CTL_PST_DISP))
+ else if (!(statval & OLD_CTL_PST_DISP))
condition = "hi_disp";
- else
+ else
condition = "";
- break;
- case OLD_CTL_PST_SEL_SELCAND:
- condition = "sel_cand";
- break;
- case OLD_CTL_PST_SEL_SYNCCAND:
- condition = "sync_cand";
- break;
- case OLD_CTL_PST_SEL_SYSPEER:
- condition = "sys_peer";
- break;
- }
+ break;
- } else {
- reach = "no";
- auth = condition = "";
- }
+ case OLD_CTL_PST_SEL_SELCAND:
+ condition = "sel_cand";
+ break;
+ case OLD_CTL_PST_SEL_SYNCCAND:
+ condition = "sync_cand";
+ break;
+
+ case OLD_CTL_PST_SEL_SYSPEER:
+ condition = "sys_peer";
+ break;
+ }
+ }
switch (PEER_EVENT|event) {
- case EVNT_PEERIPERR:
- last_event = "IP error";
- break;
- case EVNT_PEERAUTH:
- last_event = "auth fail";
+
+ case PEVNT_MOBIL:
+ last_event = "mobilize";
break;
- case EVNT_UNREACH:
- last_event = "lost reach";
+
+ case PEVNT_DEMOBIL:
+ last_event = "demobilize";
break;
- case EVNT_REACH:
+
+ case PEVNT_REACH:
last_event = "reachable";
break;
- case EVNT_PEERCLOCK:
- last_event = "clock expt";
+
+ case PEVNT_UNREACH:
+ last_event = "unreachable";
break;
-#if 0
- case EVNT_PEERSTRAT:
- last_event = "stratum chg";
+
+ case PEVNT_RESTART:
+ last_event = "restart";
break;
-#endif
- default:
+
+ case PEVNT_REPLY:
+ last_event = "no_reply";
+ break;
+
+ case PEVNT_RATE:
+ last_event = "raate_exceeded";
+ break;
+
+ case PEVNT_DENY:
+ last_event = "access_denied";
+ break;
+
+ case PEVNT_ARMED:
+ last_event = "leap_armed";
+ break;
+
+ case PEVNT_NEWPEER:
+ last_event = "sys_peer";
+ break;
+
+ case PEVNT_CLOCK:
+ last_event = "clock_alarm";
+ break;
+
+ default:
last_event = "";
break;
}
-
- if (event_count != 0)
- cnt = uinttoa(event_count);
- else
- cnt = "";
- (void) sprintf(buf,
- "%3d %5u %04x %3.3s %4s %4.4s %9.9s %11s %2s",
- i+1, assoc_cache[i].assid, assoc_cache[i].status,
- conf, reach, auth, condition, last_event, cnt);
+ cnt = uinttoa(event_count);
+ sprintf(buf,
+ "%3d %5u %04x %3.3s %4s %4.4s %9.9s %11s %2s",
+ i + 1, assoc_cache[i].assid, assoc_cache[i].status,
+ conf, reach, auth, condition, last_event, cnt);
bp = &buf[strlen(buf)];
while (bp > buf && *(bp-1) == ' ')
*(--bp) = '\0';
}
-
/*
* associations - get, record and print a list of associations
*/
return;
}
- (void) fprintf(fp,"assID=%d ",associd);
+ (void) fprintf(fp,"associd=%d ",associd);
printvars(dsize, datap, (int)rstatus, TYPE_PEER, fp);
}
{ CS_REFTIME, TS, "reftime" }, /* 7 */
{ CS_POLL, UI, "poll" }, /* 8 */
{ CS_PEERID, UI, "peer" }, /* 9 */
- { CS_STATE, UI, "state" }, /* 10 */
- { CS_OFFSET, FL, "offset" }, /* 11 */
- { CS_DRIFT, FS, "frequency" }, /* 12 */
- { CS_JITTER, FU, "jitter" }, /* 13 */
- { CS_CLOCK, TS, "clock" }, /* 14 */
- { CS_PROCESSOR, ST, "processor" }, /* 15 */
- { CS_SYSTEM, ST, "system" }, /* 16 */
- { CS_VERSION, ST, "version" }, /* 17 */
- { CS_STABIL, FS, "stability" }, /* 18 */
- { CS_VARLIST, ST, "sys_var_list" }, /* 19 */
+ { CS_OFFSET, FL, "offset" }, /* 10 */
+ { CS_DRIFT, FS, "frequency" }, /* 11 */
+ { CS_JITTER, FU, "jitter" }, /* 12 */
+ { CS_CLOCK, TS, "clock" }, /* 13 */
+ { CS_PROCESSOR, ST, "processor" }, /* 14 */
+ { CS_SYSTEM, ST, "system" }, /* 15 */
+ { CS_VERSION, ST, "version" }, /* 16 */
+ { CS_STABIL, FS, "stability" }, /* 17 */
+ { CS_VARLIST, ST, "sys_var_list" }, /* 18 */
{ 0, EOV, "" }
};
{ CP_HPOLL, UI, "hpoll" }, /* 12 */
{ CP_PRECISION, SI, "precision" }, /* 13 */
{ CP_ROOTDELAY, FS, "rootdelay" }, /* 14 */
- { CP_ROOTDISPERSION, FU, "rootdispersion" }, /* 15 */
+ { CP_ROOTDISPERSION, FU, "rootdisp" }, /* 15 */
{ CP_REFID, RF, "refid" }, /* 16 */
{ CP_REFTIME, TS, "reftime" }, /* 17 */
{ CP_ORG, TS, "org" }, /* 18 */
"pkt_denied", /* TEST4 */
"pkt_auth", /* TEST5 */
"pkt_stratum", /* TEST6 */
- "pkt_head", /* TEST7 */
+ "pkt_header", /* TEST7 */
"pkt_autokey", /* TEST8 */
"pkt_crypto", /* TEST9 */
"peer_stratum", /* TEST10 */
use Getopt::Std;
-$opt_f = 0; # 'Hard' failure if 'state' is unknown
$opt_n = 1000; # How many tries before we give up? (10 min+)
$opt_s = 6; # Seconds to sleep between tries (6s = 10/min)
$opt_v = 0; # Be verbose?
-getopts('fn:s:v');
+getopts('n:s:v');
-$cmd = 'ntpq -c "rv 0 state"';
+$cmd = 'ntpq -c "rv 0"';
$| = 1; # Autoflush output.
for ($i = 0; $i < $opt_n; ++$i) {
open(Q, $cmd." 2>&1 |") || die "Can't start ntpq: $!";
while(<Q>) {
- if (/^state=4/) {
- print "\bOK!\n" if ($opt_v);
- exit 0;
- }
-
- if (/request variable was unknown/) {
- print "\bCan't tell!\nPerhaps you are running an old version of ntpd.\n" if ($opt_v);
- exit $opt_f;
+ chomp;
+ # the first line should be similar to:
+ # associd=0 status=0645 leap_none, sync_ntp, ...
+ if (/^associd=0 status=(\S{4}) (\S+), (\S+),/) {
+ my $status = $1;
+ my $leap = $2;
+ my $sync = $3;
+ # print $_;
+ # print "status <$status>, leap <$leap>, sync <$sync>\n";
+ last if ($leap =~ /(sync|leap)_alarm/);
+ if ($leap =~ /leap_(none|((add|del)_sec))/) {
+ # We could check $sync here to make sure we like the source...
+ print "\bOK!\n" if ($opt_v);
+ exit 0;
+ }
+ print "\bUnexpected 'leap' status <$leap>\n";
+ exit 1;
}
if (/Connection refused/) {
print "\bntpd is not running!\n" if ($opt_v);
exit 1;
}
+
+ # Otherwise, we have a bigger problem.
+ print "\bUnexpected first line <$_>\n";
+ exit 1;
}
close(Q);
print "\b".substr("*+:.", $i % 4, 1) if ($opt_v);
projects / thirdparty / ntp.git / commitdiff
