INSIST(0 != hisstratum);
if (restrict_mask & RES_IGNORE) {
+ DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
sys_restricted++;
return; /* ignore everything */
}
if (hismode == MODE_PRIVATE) {
if (!ntp_mode7 || (restrict_mask & RES_NOQUERY)) {
+ DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
sys_restricted++;
return; /* no query private */
}
}
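Review bot: The MODE_PRIVATE drop message names only RES_NOQUERY, but the guard directly above it is `!ntp_mode7 || (restrict_mask & RES_NOQUERY)`, so a packet dropped because mode 7 is disabled is logged as a restriction hit. The MODE_CONTROL branch that follows prints the identical string, so the two paths cannot be told apart in debug output. I would use `DPRINTF(2, ("receive: drop: MODE_PRIVATE: mode7 disabled or RES_NOQUERY\n"));` here and `DPRINTF(2, ("receive: drop: MODE_CONTROL: RES_NOQUERY\n"));` in the control branch. The enclosing function (receive(), judging by the message prefix) starts and ends outside the lines shown.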
if (hismode == MODE_CONTROL) {
if (restrict_mask & RES_NOQUERY) {
+ DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
sys_restricted++;
return; /* no query control */
}
return;
}
if (restrict_mask & RES_DONTSERVE) {
+ DPRINTF(2, ("receive: drop: RES_DONTSERVE\n"));
sys_restricted++;
return; /* no time serve */
}
*/
if (restrict_mask & RES_FLAKE) {
if ((double)ntp_random() / 0x7fffffff < .1) {
+ DPRINTF(2, ("receive: drop: RES_FLAKE\n"));
sys_restricted++;
return; /* no flakeway */
}
&& hisversion >= NTP_OLDVERSION) {
sys_oldversion++; /* previous version */
} else {
+ DPRINTF(2, ("receive: drop: RES_VERSION\n"));
sys_badlength++;
return; /* old version */
}
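Review bot: The `RES_VERSION` label in this else branch covers more than the restriction flag. The visible tail of the preceding condition is `&& hisversion >= NTP_OLDVERSION`, so a packet whose version is below NTP_OLDVERSION also lands here with no restriction involved. Anyone adjusting restrict lines from this output would look in the wrong place; `DPRINTF(2, ("receive: drop: RES_VERSION or version too old\n"));` is closer to what the branch does. The start of the if/else chain is outside the lines shown, so the first half of the condition is not reviewed here.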
if (hisversion == NTP_OLDVERSION) {
hismode = MODE_CLIENT;
} else {
+ DPRINTF(2, ("receive: drop: MODE_UNSPEC\n"));
sys_badlength++;
return; /* invalid mode */
}
#endif /*AUTOKEY */
if (has_mac % 4 != 0 || has_mac < (int)MIN_MAC_LEN) {
+ DPRINTF(2, ("receive: drop: bad post-packet length\n"));
sys_badlength++;
return; /* bad length */
}
if ( len % 4 != 0
|| len < 4
|| (int)len + authlen > rbufp->recv_length) {
+ DPRINTF(2, ("receive: drop: bad EF length\n"));
sys_badlength++;
return; /* bad length */
}
if ( hostlen >= sizeof(hostname)
|| hostlen > len -
offsetof(struct exten, pkt)) {
+ DPRINTF(2, ("receive: drop: bad autokey hostname length\n"));
sys_badlength++;
return; /* bad length */
}
hostname[hostlen] = '\0';
groupname = strchr(hostname, '@');
if (groupname == NULL) {
+ DPRINTF(2, ("receive: drop: empty autokey groupname\n"));
sys_declined++;
return;
}
* If has_mac is < 0 we had a malformed packet.
*/
if (has_mac < 0) {
+ DPRINTF(2, ("receive: drop: post-packet under-read\n"));
sys_badlength++;
return; /* bad length */
}
* If authentication required, a MAC must be present.
*/
if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
+ DPRINTF(2, ("receive: drop: RES_DONTTRUST\n"));
sys_restricted++;
return; /* access denied */
}
if ( !(restrict_mask & RES_KOD)
|| MODE_BROADCAST == hismode
|| MODE_SERVER == hismode) {
- if (MODE_SERVER == hismode)
+ if (MODE_SERVER == hismode) {
DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n",
stoa(&rbufp->recv_srcadr)));
+ } else {
+ DPRINTF(2, ("receive: drop: RES_KOD\n"));
+ }
return; /* rate exceeded */
}
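Review bot: The new `else` message omits the source address that the sibling MODE_SERVER message in the same block prints with `stoa(&rbufp->recv_srcadr)`. For a rate-limit drop, the sender is the detail an operator needs in order to tell a misconfigured client from abusive traffic. I would write `DPRINTF(2, ("receive: drop: RES_KOD from %s\n", stoa(&rbufp->recv_srcadr)));`. The same applies to the other `receive: drop:` messages this change adds, none of which identify the sender.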
if (hismode == MODE_CLIENT)
* % can't happen
*/
if (has_mac < (int)MAX_MD5_LEN) {
+ DPRINTF(2, ("receive: drop: MD5 digest too short\n"));
sys_badauth++;
return;
}
if ( crypto_flags
&& rbufp->dstadr ==
ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) {
+ DPRINTF(2, ("receive: drop: BCAST from wildcard\n"));
sys_restricted++;
return; /* no wildcard */
}
restrict_mask);
sys_badauth++;
} else {
+ DPRINTF(2, ("receive: AM_FXMIT drop: !mcast restricted\n"));
sys_restricted++;
}
* configured as a manycast server.
*/
if (!sys_manycastserver) {
+ DPRINTF(2, ("receive: AM_FXMIT drop: Not manycastserver\n"));
sys_restricted++;
return; /* not enabled */
}
* Do not respond if not the same group.
*/
if (group_test(groupname, NULL)) {
+ DPRINTF(2, ("receive: AM_FXMIT drop: empty groupname\n"));
sys_declined++;
return;
}
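Review bot: `empty groupname` does not obviously match the check it reports. The comment above says "Do not respond if not the same group", and the branch is taken on `group_test(groupname, NULL)`, whose semantics are not visible here. The AM_MANYCAST drop further down uses the same wording for the same call, while the AM_NEWBCL, AM_NEWPASS and AM_PROCPKT drops say "group mismatch". Unless group_test() with a NULL second argument really only tests for an empty name, I would use one wording throughout, e.g. `DPRINTF(2, ("receive: AM_FXMIT drop: Autokey group mismatch\n"));`.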
|| sys_stratum >= hisstratum
|| (!sys_cohort && sys_stratum == hisstratum + 1)
|| rbufp->dstadr->addr_refid == pkt->refid) {
+ DPRINTF(2, ("receive: AM_FXMIT drop: LEAP_NOTINSYNC || stratum || loop\n"));
sys_declined++;
return; /* no help */
}
* Do not respond if not the same group.
*/
if (group_test(groupname, NULL)) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: empty groupname\n"));
sys_declined++;
return;
}
#endif /* AUTOKEY */
if ((peer2 = findmanycastpeer(rbufp)) == NULL) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: No manycast peer\n"));
sys_restricted++;
return; /* not enabled */
}
RES_DONTTRUST)), is_authentic)
/* MC: RES_NOEPEER? */
) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: bad auth || (NOPEER|DONTTRUST)\n"));
sys_restricted++;
return; /* access denied */
}
if ( hisleap == LEAP_NOTINSYNC
|| hisstratum < sys_floor
|| hisstratum >= sys_ceiling) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: unsync/stratum\n"));
sys_declined++;
return; /* no help */
}
(FLAG_IBURST & peer2->flags), MDF_UCAST |
MDF_UCLNT, 0, skeyid, sys_ident);
if (NULL == peer) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: duplicate\n"));
sys_declined++;
return; /* ignore duplicate */
}
* Do not respond if not the same group.
*/
if (group_test(groupname, sys_ident)) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: groupname mismatch\n"));
sys_declined++;
return;
}
#endif /* AUTOKEY */
if (sys_bclient == 0) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: not a bclient\n"));
sys_restricted++;
return; /* not enabled */
}
(RES_NOPEER | RES_DONTTRUST)), is_authentic)
/* NEWBCL: RES_NOEPEER? */
) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: AUTH failed\n"));
sys_restricted++;
return; /* access denied */
}
if ( hisleap == LEAP_NOTINSYNC
|| hisstratum < sys_floor
|| hisstratum >= sys_ceiling) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: Unsync or bad stratum\n"));
sys_declined++;
return; /* no help */
}
*/
if ( crypto_flags && skeyid > NTP_MAXKEY
&& (opcode & 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not CRYPTO_ASSOC\n"));
sys_declined++;
return; /* protocol error */
}
*/
if (crypto_flags && skeyid > NTP_MAXKEY) {
sys_restricted++;
+ DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not 2-way\n"));
return; /* no autokey */
}
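Review bot: In this branch the DPRINTF comes after `sys_restricted++`, whereas every other drop path in the change prints first and then bumps the counter. It is harmless at runtime, but the inconsistency makes the pattern harder to scan and to grep. Move the `DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not 2-way\n"));` line above `sys_restricted++;` to match the rest.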
#endif /* AUTOKEY */
pkt->ppoll, pkt->ppoll, FLAG_PREEMPT,
MDF_BCLNT, 0, skeyid, sys_ident);
if (NULL == peer) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: duplicate\n"));
sys_restricted++;
return; /* ignore duplicate */
FLAG_BC_VOL | FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT,
0, skeyid, sys_ident);
if (NULL == peer) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: empty newpeer() failed\n"));
sys_restricted++;
return; /* ignore duplicate */
}
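Review bot: The word `empty` in `AM_NEWBCL drop: empty newpeer() failed` looks like a leftover from another message and makes the line hard to interpret. The earlier `NULL == peer` check under AM_NEWBCL reports `duplicate`, while this one reports a newpeer() failure, yet both carry the same `/* ignore duplicate */` comment and bump `sys_restricted`. I would write `DPRINTF(2, ("receive: AM_NEWBCL drop: newpeer() failed\n"));` here. If the two paths really differ in cause, the trailing comment should say so too.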
* Do not respond if not the same group.
*/
if (group_test(groupname, sys_ident)) {
+ DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n"));
sys_declined++;
return;
}
*/
if ( hisleap != LEAP_NOTINSYNC
&& (hisstratum < sys_floor || hisstratum >= sys_ceiling)) {
+ DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n"));
sys_declined++;
return; /* no help */
}
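Review bot: The message added under this condition is a copy of the one in the preceding `group_test(groupname, sys_ident)` branch, but the condition tests `hisleap != LEAP_NOTINSYNC` and `hisstratum` against `sys_floor`/`sys_ceiling`, not the Autokey group. As written, a stratum-range rejection of a new symmetric-passive association is logged as a group mismatch, which sends troubleshooting toward the Autokey configuration. Suggest `DPRINTF(2, ("receive: AM_NEWPASS drop: stratum out of range\n"));` so the two drops can be told apart. The enclosing case starts and ends outside the lines shown.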
rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll,
NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid,
sys_ident)) == NULL) {
+ DPRINTF(2, ("receive: AM_NEWPASS drop: newpeer() failed\n"));
sys_declined++;
return; /* ignore duplicate */
}
* Do not respond if not the same group.
*/
if (group_test(groupname, peer->ident)) {
+ DPRINTF(2, ("receive: AM_PROCPKT drop: Autokey group mismatch\n"));
sys_declined++;
return;
}
}
if (bail) {
+ DPRINTF(2, ("receive: AM_PROCPKT drop: bail\n"));
peer->timelastrec = current_time;
sys_declined++;
return;
* attempt to deny service, just ignore it.
*/
case AM_ERR:
+ DPRINTF(2, ("receive: AM_ERR drop.\n"));
sys_declined++;
return;
* For everything else there is the bit bucket.
*/
default:
+ DPRINTF(2, ("receive: default drop.\n"));
sys_declined++;
return;
}
if ( is_authentic != AUTH_CRYPTO
&& ( ((peer->flags & FLAG_SKEY) && skeyid <= NTP_MAXKEY)
|| (!(peer->flags & FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
+ DPRINTF(2, ("receive: drop: Autokey but wrong/bad auth\n"));
sys_badauth++;
return;
}
* the most recent packet, authenticated or not.
*/
} else if (L_ISEQU(&peer->xmt, &p_xmt)) {
+ DPRINTF(2, ("receive: drop: Duplicate xmit\n"));
peer->flash |= TEST1; /* duplicate */
peer->oldpkt++;
return;
*/
} else if ( !L_ISZERO(&peer->dst)
&& !L_ISEQU(&p_org, &peer->dst)) {
+ DPRINTF(2, ("receive: drop: Bogus packet in interleaved symmetric mode\n"));
peer->bogusorg++;
peer->flags |= FLAG_XBOGUS;
peer->flash |= TEST2; /* bogus */
if (unpeer_crypto_nak_early) {
unpeer(peer);
}
+ DPRINTF(2, ("receive: drop: PREEMPT crypto_NAK\n"));
return;
}
#ifdef AUTOKEY
peer_clear(peer, "AUTH");
}
#endif /* AUTOKEY */
+ DPRINTF(2, ("receive: drop: crypto_NAK\n"));
return;
/*
peer_clear(peer, "AUTH");
}
#endif /* AUTOKEY */
+ DPRINTF(2, ("receive: drop: Bad or missing AUTH\n"));
return;
}