From: Harlan Stenn Date: Sat, 10 Feb 2018 00:05:30 +0000 (-0800) Subject: Rename restrict flags to rflags. Use an enum for their values. Provide dump_restric... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8642ff1eee8b50aedd02e76dacb0857df3a0c49;p=thirdparty%2Fntp.git Rename restrict flags to rflags. Use an enum for their values. Provide dump_restricts(). bk: 5a7e374aVyPY_21tMOlIQXrAe1XP5w --- diff --git a/ChangeLog b/ChangeLog index e0086e014..b3ccdaa14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -91,6 +91,8 @@ * Update the documentation in ntp.conf.def . HStenn. * restrictions() must return restrict flags and ippeerlimit. HStenn. * Update ntpq peer documentation to describe the 'p' type. HStenn. +* Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. +* Provide dump_restricts() for debugging. HStenn. --- (4.2.8p10) 2017/03/21 Released by Harlan Stenn diff --git a/include/ntp.h b/include/ntp.h index deec06851..fb739c756 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -826,7 +826,7 @@ typedef struct restrict_u_tag restrict_u; struct restrict_u_tag { restrict_u * link; /* link to next entry */ u_int32 count; /* number of packets matched */ - u_short flags; /* accesslist flags */ + u_short rflags; /* restrict (accesslist) flags */ u_short mflags; /* match flags */ short ippeerlimit; /* IP peer limit */ u_long expire; /* valid until time */ @@ -847,11 +847,11 @@ struct r4addr_tag { }; char *build_iflags(u_int32 flags); -char *build_mflags(u_short flags); -char *build_rflags(u_short flags); +char *build_mflags(u_short mflags); +char *build_rflags(u_short rflags); /* - * Access flags + * Restrict (Access) flags (rflags) */ #define RES_IGNORE 0x0001 /* ignore packet */ #define RES_DONTSERVE 0x0002 /* access denied */ @@ -882,7 +882,7 @@ char *build_rflags(u_short flags); RES_NOMRULIST) /* - * Match flags + * Match flags (mflags) */ #define RESM_INTERFACE 0x1000 /* this is an interface */ #define RESM_NTPONLY 0x2000 /* match source port 123 */ @@ -891,10 +891,13 @@ char *build_rflags(u_short flags); /* * Restriction configuration ops */ -#define RESTRICT_FLAGS 1 /* add flags to restrict entry */ -#define RESTRICT_UNFLAG 2 /* remove flags from restrict entry */ -#define RESTRICT_REMOVE 3 /* remove a restrict entry */ -#define RESTRICT_REMOVEIF 4 /* remove an interface restrict entry */ +typedef enum +restrict_ops { + RESTRICT_FLAGS = 1, /* add rflags to restrict entry */ + RESTRICT_UNFLAG, /* remove rflags from restrict entry */ + RESTRICT_REMOVE, /* remove a restrict entry */ + RESTRICT_REMOVEIF, /* remove an interface restrict entry */ +} restrict_op; /* * Endpoint structure for the select algorithm diff --git a/include/ntp_request.h b/include/ntp_request.h index f5406b650..d05a67f75 100644 --- a/include/ntp_request.h +++ b/include/ntp_request.h @@ -654,7 +654,7 @@ struct info_restrict { u_int32 addr; /* match address */ u_int32 mask; /* match mask */ u_int32 count; /* number of packets matched */ - u_short flags; /* restrict flags */ + u_short rflags; /* restrict flags */ u_short mflags; /* match flags */ u_int v6_flag; /* is this v6 or not */ u_int unused1; /* unused, padding for addr6 */ diff --git a/include/ntpd.h b/include/ntpd.h index f226f6448..6a5128ce0 100644 --- a/include/ntpd.h +++ b/include/ntpd.h @@ -258,9 +258,10 @@ extern void reset_auth_stats(void); /* ntp_restrict.c */ extern void init_restrict (void); extern void restrictions (sockaddr_u *, r4addr *); -extern void hack_restrict (int, sockaddr_u *, sockaddr_u *, +extern void hack_restrict (restrict_op, sockaddr_u *, sockaddr_u *, short, u_short, u_short, u_long); extern void restrict_source (sockaddr_u *, int, u_long); +extern void dump_restricts (void); /* ntp_timer.c */ extern void init_timer (void); diff --git a/ntpd/ntp_config.c b/ntpd/ntp_config.c index 07d7b1c57..003b1534a 100644 --- a/ntpd/ntp_config.c +++ b/ntpd/ntp_config.c @@ -2472,7 +2472,7 @@ config_access( struct addrinfo * pai; int rc; int restrict_default; - u_short flags; + u_short rflags; u_short mflags; short ippeerlimit; int range_err; @@ -2592,13 +2592,16 @@ config_access( } /* Configure the restrict options */ - ippeerlimit = -1; my_node = HEAD_PFIFO(ptree->restrict_opts); - /* Grab the ippeerlmit */ for (; my_node != NULL; my_node = my_node->link) { + /* Grab the ippeerlmit */ + ippeerlimit = my_node->ippeerlimit; + +DPRINTF(1, ("config_access: top-level node %p: ippeerlimit %d\n", my_node, ippeerlimit)); + /* Parse the flags */ - flags = 0; + rflags = 0; mflags = 0; curr_tok_fifo = HEAD_PFIFO(my_node->flag_tok_fifo); @@ -2617,75 +2620,75 @@ config_access( break; case T_Flake: - flags |= RES_FLAKE; + rflags |= RES_FLAKE; break; case T_Ignore: - flags |= RES_IGNORE; + rflags |= RES_IGNORE; break; case T_Kod: - flags |= RES_KOD; + rflags |= RES_KOD; break; case T_Mssntp: - flags |= RES_MSSNTP; + rflags |= RES_MSSNTP; break; case T_Limited: - flags |= RES_LIMITED; + rflags |= RES_LIMITED; break; case T_Lowpriotrap: - flags |= RES_LPTRAP; + rflags |= RES_LPTRAP; break; case T_Nomodify: - flags |= RES_NOMODIFY; + rflags |= RES_NOMODIFY; break; case T_Nomrulist: - flags |= RES_NOMRULIST; + rflags |= RES_NOMRULIST; break; case T_Noepeer: - flags |= RES_NOEPEER; + rflags |= RES_NOEPEER; break; case T_Nopeer: - flags |= RES_NOPEER; + rflags |= RES_NOPEER; break; case T_Noquery: - flags |= RES_NOQUERY; + rflags |= RES_NOQUERY; break; case T_Noserve: - flags |= RES_DONTSERVE; + rflags |= RES_DONTSERVE; break; case T_Notrap: - flags |= RES_NOTRAP; + rflags |= RES_NOTRAP; break; case T_Notrust: - flags |= RES_DONTTRUST; + rflags |= RES_DONTTRUST; break; case T_Version: - flags |= RES_VERSION; + rflags |= RES_VERSION; break; } } - if ((RES_MSSNTP & flags) && !warned_signd) { + if ((RES_MSSNTP & rflags) && !warned_signd) { warned_signd = 1; fprintf(stderr, "%s\n", signd_warning); msyslog(LOG_WARNING, "%s", signd_warning); } /* It would be swell if we could identify the line number */ - if ((RES_KOD & flags) && !(RES_LIMITED & flags)) { + if ((RES_KOD & rflags) && !(RES_LIMITED & rflags)) { const char *kod_where = (my_node->addr) ? my_node->addr->address : (mflags & RESM_SOURCE) @@ -2713,10 +2716,10 @@ config_access( restrict_default = 1; } else { /* apply "restrict source ..." */ - DPRINTF(1, ("restrict source template ippeerlimit %d mflags %x flags %x\n", - ippeerlimit, mflags, flags)); + DPRINTF(1, ("restrict source template ippeerlimit %d mflags %x rflags %x\n", + ippeerlimit, mflags, rflags)); hack_restrict(RESTRICT_FLAGS, NULL, NULL, - ippeerlimit, mflags, flags, 0); + ippeerlimit, mflags, rflags, 0); continue; } } else { @@ -2786,14 +2789,14 @@ config_access( AF(&addr) = AF_INET; AF(&mask) = AF_INET; hack_restrict(RESTRICT_FLAGS, &addr, &mask, - ippeerlimit, mflags, flags, 0); + ippeerlimit, mflags, rflags, 0); AF(&addr) = AF_INET6; AF(&mask) = AF_INET6; } do { hack_restrict(RESTRICT_FLAGS, &addr, &mask, - ippeerlimit, mflags, flags, 0); + ippeerlimit, mflags, rflags, 0); if (pai != NULL && NULL != (pai = pai->ai_next)) { INSIST(pai->ai_addr != NULL); @@ -4587,6 +4590,12 @@ config_ntpd( config_fudge(ptree); config_reset_counters(ptree); +#ifdef DEBUG + if (debug > 1) { + dump_restricts(); + } +#endif + #ifdef TEST_BLOCKING_WORKER { struct addrinfo hints; @@ -5354,94 +5363,98 @@ build_mflags(u_short mflags) char * -build_rflags(u_short flags) +build_rflags(u_short rflags) { static char rfs[1024]; rfs[0] = '\0'; - if (flags & RES_FLAKE) { - flags &= ~RES_FLAKE; + if (rflags & RES_FLAKE) { + rflags &= ~RES_FLAKE; appendstr(rfs, sizeof rfs, "flake"); } - if (flags & RES_IGNORE) { - flags &= ~RES_IGNORE; + if (rflags & RES_IGNORE) { + rflags &= ~RES_IGNORE; appendstr(rfs, sizeof rfs, "ignore"); } - if (flags & RES_KOD) { - flags &= ~RES_KOD; + if (rflags & RES_KOD) { + rflags &= ~RES_KOD; appendstr(rfs, sizeof rfs, "kod"); } - if (flags & RES_MSSNTP) { - flags &= ~RES_MSSNTP; + if (rflags & RES_MSSNTP) { + rflags &= ~RES_MSSNTP; appendstr(rfs, sizeof rfs, "mssntp"); } - if (flags & RES_LIMITED) { - flags &= ~RES_LIMITED; + if (rflags & RES_LIMITED) { + rflags &= ~RES_LIMITED; appendstr(rfs, sizeof rfs, "limited"); } - if (flags & RES_LPTRAP) { - flags &= ~RES_LPTRAP; + if (rflags & RES_LPTRAP) { + rflags &= ~RES_LPTRAP; appendstr(rfs, sizeof rfs, "lptrap"); } - if (flags & RES_NOMODIFY) { - flags &= ~RES_NOMODIFY; + if (rflags & RES_NOMODIFY) { + rflags &= ~RES_NOMODIFY; appendstr(rfs, sizeof rfs, "nomodify"); } - if (flags & RES_NOMRULIST) { - flags &= ~RES_NOMRULIST; + if (rflags & RES_NOMRULIST) { + rflags &= ~RES_NOMRULIST; appendstr(rfs, sizeof rfs, "nomrulist"); } - if (flags & RES_NOEPEER) { - flags &= ~RES_NOEPEER; + if (rflags & RES_NOEPEER) { + rflags &= ~RES_NOEPEER; appendstr(rfs, sizeof rfs, "noepeer"); } - if (flags & RES_NOPEER) { - flags &= ~RES_NOPEER; + if (rflags & RES_NOPEER) { + rflags &= ~RES_NOPEER; appendstr(rfs, sizeof rfs, "nopeer"); } - if (flags & RES_NOQUERY) { - flags &= ~RES_NOQUERY; + if (rflags & RES_NOQUERY) { + rflags &= ~RES_NOQUERY; appendstr(rfs, sizeof rfs, "noquery"); } - if (flags & RES_DONTSERVE) { - flags &= ~RES_DONTSERVE; + if (rflags & RES_DONTSERVE) { + rflags &= ~RES_DONTSERVE; appendstr(rfs, sizeof rfs, "dontserve"); } - if (flags & RES_NOTRAP) { - flags &= ~RES_NOTRAP; + if (rflags & RES_NOTRAP) { + rflags &= ~RES_NOTRAP; appendstr(rfs, sizeof rfs, "notrap"); } - if (flags & RES_DONTTRUST) { - flags &= ~RES_DONTTRUST; + if (rflags & RES_DONTTRUST) { + rflags &= ~RES_DONTTRUST; appendstr(rfs, sizeof rfs, "notrust"); } - if (flags & RES_VERSION) { - flags &= ~RES_VERSION; + if (rflags & RES_VERSION) { + rflags &= ~RES_VERSION; appendstr(rfs, sizeof rfs, "version"); } - if (flags) { + if (rflags) { char string[10]; - snprintf(string, sizeof string, "%0x", flags); + snprintf(string, sizeof string, "%0x", rflags); appendstr(rfs, sizeof rfs, string); } + if ('\0' == rfs[0]) { + appendstr(rfs, sizeof rfs, "(none)"); + } + return rfs; } diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c index 756a874c1..b8f0d2deb 100644 --- a/ntpd/ntp_control.c +++ b/ntpd/ntp_control.c @@ -4422,6 +4422,7 @@ send_restrict_entry( while (sent[which]) which = (which + 1) % COUNTOF(sent); + /* XXX: Numbers? Really? */ switch (which) { case 0: @@ -4444,7 +4445,7 @@ send_restrict_entry( case 3: snprintf(tag, sizeof(tag), flags_fmt, idx); match_str = res_match_flags(pres->mflags); - access_str = res_access_flags(pres->flags); + access_str = res_access_flags(pres->rflags); if ('\0' == match_str[0]) { pch = access_str; } else { diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c index b738de84e..1ecd95964 100644 --- a/ntpd/ntp_io.c +++ b/ntpd/ntp_io.c @@ -1043,7 +1043,7 @@ remove_interface( /* remove restrict interface entry */ SET_HOSTMASK(&resmask, AF(&ep->sin)); hack_restrict(RESTRICT_REMOVEIF, &ep->sin, &resmask, - -2, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); + -3, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); } @@ -2093,7 +2093,7 @@ create_interface( */ SET_HOSTMASK(&resmask, AF(&iface->sin)); hack_restrict(RESTRICT_FLAGS, &iface->sin, &resmask, - -2, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); + -4, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); /* * set globals with the first found diff --git a/ntpd/ntp_peer.c b/ntpd/ntp_peer.c index f594ee950..71c093683 100644 --- a/ntpd/ntp_peer.c +++ b/ntpd/ntp_peer.c @@ -860,6 +860,12 @@ DPRINTF(1, ("newpeer(%s) found no existing and %d other associations\n", ippeerlimit)); return NULL; } + } else { + DPRINTF(1, ("newpeer(%s) - ippeerlimit %d ignored\n", + (hostname) + ? hostname + : stoa(srcadr), + ippeerlimit)); } /* diff --git a/ntpd/ntp_request.c b/ntpd/ntp_request.c index 6cdb1f440..e541f7c51 100644 --- a/ntpd/ntp_request.c +++ b/ntpd/ntp_request.c @@ -87,7 +87,7 @@ static void list_restrict (sockaddr_u *, endpt *, struct req_pkt *); static void do_resaddflags (sockaddr_u *, endpt *, struct req_pkt *); static void do_ressubflags (sockaddr_u *, endpt *, struct req_pkt *); static void do_unrestrict (sockaddr_u *, endpt *, struct req_pkt *); -static void do_restrict (sockaddr_u *, endpt *, struct req_pkt *, int); +static void do_restrict (sockaddr_u *, endpt *, struct req_pkt *, restrict_op); static void mon_getlist (sockaddr_u *, endpt *, struct req_pkt *); static void reset_stats (sockaddr_u *, endpt *, struct req_pkt *); static void reset_peer (sockaddr_u *, endpt *, struct req_pkt *); @@ -1659,7 +1659,7 @@ list_restrict4( pir->v6_flag = 0; pir->mask = htonl(res->u.v4.mask); pir->count = htonl(res->count); - pir->flags = htons(res->flags); + pir->rflags = htons(res->rflags); pir->mflags = htons(res->mflags); pir = (struct info_restrict *)more_pkt(); } @@ -1690,7 +1690,7 @@ list_restrict6( pir->mask6 = res->u.v6.mask; pir->v6_flag = 1; pir->count = htonl(res->count); - pir->flags = htons(res->flags); + pir->rflags = htons(res->rflags); pir->mflags = htons(res->mflags); pir = (struct info_restrict *)more_pkt(); } @@ -1779,7 +1779,7 @@ do_restrict( sockaddr_u *srcadr, endpt *inter, struct req_pkt *inpkt, - int op + restrict_op op ) { char * datap; @@ -1790,6 +1790,18 @@ do_restrict( sockaddr_u matchmask; int bad; + switch(op) { + case RESTRICT_FLAGS: + case RESTRICT_UNFLAG: + case RESTRICT_REMOVE: + case RESTRICT_REMOVEIF: + break; + + default: + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } + /* * Do a check of the flags to make sure that only * the NTPPORT flag is set, if any. If not, complain @@ -1803,7 +1815,7 @@ do_restrict( return; } - bad = FALSE; + bad = 0; while (items-- > 0 && !bad) { memcpy(&cr, datap, item_sz); cr.flags = ntohs(cr.flags); diff --git a/ntpd/ntp_restrict.c b/ntpd/ntp_restrict.c index d15744390..ef453233d 100644 --- a/ntpd/ntp_restrict.c +++ b/ntpd/ntp_restrict.c @@ -94,7 +94,7 @@ static restrict_u restrict_def6; * "restrict source ..." enabled knob and restriction bits. */ static int restrict_source_enabled; -static u_short restrict_source_flags; +static u_short restrict_source_rflags; static u_short restrict_source_mflags; static short restrict_source_ippeerlimit; @@ -112,8 +112,81 @@ static restrict_u * match_restrict6_addr(const struct in6_addr *, static restrict_u * match_restrict_entry(const restrict_u *, int); static int res_sorts_before4(restrict_u *, restrict_u *); static int res_sorts_before6(restrict_u *, restrict_u *); +static char * roptoa(restrict_op op); + + +void dump_restricts(void); + +/* + * dump_restrict - spit out a restrict_u + */ +static void +dump_restrict( + restrict_u * res, + int is_ipv6 + ) +{ + char as[INET6_ADDRSTRLEN]; + char ms[INET6_ADDRSTRLEN]; + + if (is_ipv6) { + inet_ntop(AF_INET6, &res->u.v6.addr, as, sizeof as); + inet_ntop(AF_INET6, &res->u.v6.mask, ms, sizeof ms); + } else { + struct in_addr sia = { htonl(res->u.v4.addr) }; + struct in_addr sim = { htonl(res->u.v4.mask) }; + + inet_ntop(AF_INET, &sia, as, sizeof as); + inet_ntop(AF_INET, &sim, ms, sizeof ms); + } + mprintf("restrict node at %p: %s/%s count %d, rflags %05x, mflags %05x, ippeerlimit %d, expire %lu, next %p\n", + res, as, ms, res->count, res->rflags, res->mflags, + res->ippeerlimit, res->expire, res->link); + return; +} +/* + * dump_restricts - spit out the 'restrict' lines + */ +void +dump_restricts(void) +{ + int defaultv4_done = 0; + int defaultv6_done = 0; + restrict_u * res; + restrict_u * next; + + mprintf("dump_restrict: restrict_def4: %p\n", &restrict_def4); + /* Spit out 'restrict {,-4,-6} default ...' lines, if needed */ + for (res = &restrict_def4; res != NULL; res = next) { + dump_restrict(res, 0); + next = res->link; + } + + mprintf("dump_restrict: restrict_def6: %p\n", &restrict_def6); + for (res = &restrict_def6; res != NULL; res = next) { + dump_restrict(res, 1); + next = res->link; + } + + /* Spit out the IPv4 list */ + mprintf("dump_restrict: restrictlist4: %p\n", &restrictlist4); + for (res = restrictlist4; res != NULL; res = next) { + dump_restrict(res, 0); + next = res->link; + } + + /* Spit out the IPv6 list */ + mprintf("dump_restrict: restrictlist6: %p\n", &restrictlist6); + for (res = restrictlist6; res != NULL; res = next) { + dump_restrict(res, 1); + next = res->link; + } + + return; +} + /* * init_restrict - initialize the restriction data structures */ @@ -216,7 +289,7 @@ free_res( restrict_u * unlinked; restrictcount--; - if (RES_LIMITED & res->flags) + if (RES_LIMITED & res->rflags) dec_res_limited(); if (v6) @@ -266,14 +339,21 @@ match_restrict4_addr( restrict_u * next; for (res = restrictlist4; res != NULL; res = next) { + struct in_addr sia = { htonl(res->u.v4.addr) }; + next = res->link; - if (res->expire && - res->expire <= current_time) - free_res(res, v6); - if (res->u.v4.addr == (addr & res->u.v4.mask) - && (!(RESM_NTPONLY & res->mflags) - || NTP_PORT == port)) + DPRINTF(2, ("match_restrict4_addr: Checking %s, port %d ... ", + inet_ntoa(sia), port)); + if ( res->expire + && res->expire <= current_time) + free_res(res, v6); /* zeroes the contents */ + if ( res->u.v4.addr == (addr & res->u.v4.mask) + && ( !(RESM_NTPONLY & res->mflags) + || NTP_PORT == port)) { + DPRINTF(2, ("MATCH: ippeerlimit %d\n", res->ippeerlimit)); break; + } + DPRINTF(2, ("doesn't match: ippeerlimit %d\n", res->ippeerlimit)); } return res; } @@ -428,6 +508,8 @@ restrictions( r4a->rflags = RES_IGNORE; r4a->ippeerlimit = 0; + DPRINTF(1, ("restrictions: looking up %s\n", stoa(srcadr))); + /* IPv4 source address */ if (IS_IPV4(srcadr)) { /* @@ -435,8 +517,11 @@ restrictions( * (this should be done early in the receive process, * not later!) */ - if (IN_CLASSD(SRCADR(srcadr))) + if (IN_CLASSD(SRCADR(srcadr))) { + DPRINTF(1, ("restrictions: srcadr %s is multicast\n", stoa(srcadr))); + r4a->ippeerlimit = 2; /* XXX: we should use a better value */ return; + } match = match_restrict4_addr(SRCADR(srcadr), SRCPORT(srcadr)); @@ -453,7 +538,7 @@ restrictions( res_not_found++; else res_found++; - r4a->rflags = match->flags; + r4a->rflags = match->rflags; r4a->ippeerlimit = match->ippeerlimit; } @@ -476,24 +561,43 @@ restrictions( res_not_found++; else res_found++; - r4a->rflags = match->flags; + r4a->rflags = match->rflags; r4a->ippeerlimit = match->ippeerlimit; } return; } +/* + * roptoa - convert a restrict_op to a string + */ +char * +roptoa(restrict_op op) { + static char sb[30]; + + switch(op) { + case RESTRICT_FLAGS: return "RESTRICT_FLAGS"; + case RESTRICT_UNFLAG: return "RESTRICT_UNFLAGS"; + case RESTRICT_REMOVE: return "RESTRICT_REMOVE"; + case RESTRICT_REMOVEIF: return "RESTRICT_REMOVEIF"; + default: + snprintf(sb, sizeof sb, "**RESTRICT_#%d**", op); + return sb; + } +} + + /* * hack_restrict - add/subtract/manipulate entries on the restrict list */ void hack_restrict( - int op, + restrict_op op, sockaddr_u * resaddr, sockaddr_u * resmask, short ippeerlimit, u_short mflags, - u_short flags, + u_short rflags, u_long expire ) { @@ -502,13 +606,13 @@ hack_restrict( restrict_u * res; restrict_u ** plisthead; - DPRINTF(1, ("restrict: op %d addr %s mask %s ippeerlimit %d mflags %08x flags %08x\n", - op, stoa(resaddr), stoa(resmask), ippeerlimit, mflags, flags)); + DPRINTF(1, ("hack_restrict: op %s addr %s mask %s ippeerlimit %d mflags %08x rflags %08x\n", + roptoa(op), stoa(resaddr), stoa(resmask), ippeerlimit, mflags, rflags)); if (NULL == resaddr) { REQUIRE(NULL == resmask); REQUIRE(RESTRICT_FLAGS == op); - restrict_source_flags = flags; + restrict_source_rflags = rflags; restrict_source_mflags = mflags; restrict_source_ippeerlimit = ippeerlimit; restrict_source_enabled = 1; @@ -547,7 +651,7 @@ hack_restrict( } else /* not IPv4 nor IPv6 */ REQUIRE(0); - match.flags = flags; + match.rflags = rflags; match.mflags = mflags; match.ippeerlimit = ippeerlimit; match.expire = expire; @@ -557,7 +661,7 @@ hack_restrict( case RESTRICT_FLAGS: /* - * Here we add bits to the flags. If this is a + * Here we add bits to the rflags. If this is a * new restriction add it. */ if (NULL == res) { @@ -579,26 +683,29 @@ hack_restrict( : res_sorts_before4(res, L_S_S_CUR()), link, restrict_u); restrictcount++; - if (RES_LIMITED & flags) + if (RES_LIMITED & rflags) inc_res_limited(); } else { - if ((RES_LIMITED & flags) && - !(RES_LIMITED & res->flags)) + if ( (RES_LIMITED & rflags) + && !(RES_LIMITED & res->rflags)) inc_res_limited(); - res->flags |= flags; + res->rflags |= rflags; } + + res->ippeerlimit = match.ippeerlimit; + break; case RESTRICT_UNFLAG: /* - * Remove some bits from the flags. If we didn't + * Remove some bits from the rflags. If we didn't * find this one, just return. */ if (res != NULL) { - if ((RES_LIMITED & res->flags) - && (RES_LIMITED & flags)) + if ( (RES_LIMITED & res->rflags) + && (RES_LIMITED & rflags)) dec_res_limited(); - res->flags &= ~flags; + res->rflags &= ~rflags; } break; @@ -683,7 +790,7 @@ restrict_source( hack_restrict(RESTRICT_FLAGS, addr, &onesmask, restrict_source_ippeerlimit, restrict_source_mflags, - restrict_source_flags, expire); + restrict_source_rflags, expire); DPRINTF(1, ("restrict_source: %s host restriction added\n", stoa(addr))); } diff --git a/ntpdc/layout.std b/ntpdc/layout.std index 0cfd31ae5..f07f79f36 100644 --- a/ntpdc/layout.std +++ b/ntpdc/layout.std @@ -262,7 +262,7 @@ sizeof(struct info_restrict) = 56 offsetof(addr) = 0 offsetof(mask) = 4 offsetof(count) = 8 -offsetof(flags) = 12 +offsetof(rflags) = 12 offsetof(mflags) = 14 offsetof(v6_flag) = 16 offsetof(unused1) = 20 diff --git a/ntpdc/ntpdc_ops.c b/ntpdc/ntpdc_ops.c index 1a400ec9b..586ed7f05 100644 --- a/ntpdc/ntpdc_ops.c +++ b/ntpdc/ntpdc_ops.c @@ -1683,7 +1683,7 @@ reslist( const char *mask; struct resflags *rf; u_int32 count; - u_short flags; + u_short rflags; u_short mflags; char flagstr[300]; static const char *comma = ", "; @@ -1730,7 +1730,7 @@ again: ((pcmd->argval->ival == 4) && (rl->v6_flag == 0))) skip = 0; count = ntohl(rl->count); - flags = ntohs(rl->flags); + rflags = ntohs(rl->rflags); mflags = ntohs(rl->mflags); flagstr[0] = '\0'; @@ -1753,7 +1753,7 @@ again: : &resflagsV3[0]; while (rf->bit != 0) { - if (flags & rf->bit) { + if (rflags & rf->bit) { if (!res) strlcat(flagstr, comma, sizeof(flagstr)); diff --git a/tests/ntpd/ntp_restrict.c b/tests/ntpd/ntp_restrict.c index 1420323db..d86a279a4 100644 --- a/tests/ntpd/ntp_restrict.c +++ b/tests/ntpd/ntp_restrict.c @@ -71,14 +71,14 @@ void test_RestrictionsAreEmptyAfterInit(void) memset(rl6, 0, sizeof(restrict_u)); TEST_ASSERT_EQUAL(rl4->count, restrictlist4->count); - TEST_ASSERT_EQUAL(rl4->flags, restrictlist4->flags); + TEST_ASSERT_EQUAL(rl4->rflags, restrictlist4->rflags); TEST_ASSERT_EQUAL(rl4->mflags, restrictlist4->mflags); TEST_ASSERT_EQUAL(rl4->expire, restrictlist4->expire); TEST_ASSERT_EQUAL(rl4->u.v4.addr, restrictlist4->u.v4.addr); TEST_ASSERT_EQUAL(rl4->u.v4.mask, restrictlist4->u.v4.mask); TEST_ASSERT_EQUAL(rl6->count, restrictlist6->count); - TEST_ASSERT_EQUAL(rl6->flags, restrictlist6->flags); + TEST_ASSERT_EQUAL(rl6->rflags, restrictlist6->rflags); TEST_ASSERT_EQUAL(rl6->mflags, restrictlist6->mflags); TEST_ASSERT_EQUAL(rl6->expire, restrictlist6->expire); @@ -108,7 +108,7 @@ void test_HackingDefaultRestriction(void) * and check if restriction() returns that flag */ - const u_short flags = 42; + const u_short rflags = 42; r4addr r4a; sockaddr_u resaddr = create_sockaddr_u(AF_INET, @@ -116,13 +116,13 @@ void test_HackingDefaultRestriction(void) sockaddr_u resmask = create_sockaddr_u(AF_INET, 54321, "0.0.0.0"); - hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, -1, 0, flags, 0); + hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, -1, 0, rflags, 0); sockaddr_u sockaddr = create_sockaddr_u(AF_INET, 54321, "111.123.251.124"); restrictions(&sockaddr, &r4a); - TEST_ASSERT_EQUAL(flags, r4a.rflags); + TEST_ASSERT_EQUAL(rflags, r4a.rflags); } @@ -147,12 +147,12 @@ void test_AddingNewRestriction(void) sockaddr_u resmask = create_sockaddr_u(AF_INET, 54321, "128.0.0.0"); r4addr r4a; - const u_short flags = 42; + const u_short rflags = 42; - hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, -1, 0, flags, 0); + hack_restrict(RESTRICT_FLAGS, &resaddr, &resmask, -1, 0, rflags, 0); restrictions(&resaddr, &r4a); - TEST_ASSERT_EQUAL(flags, r4a.rflags); + TEST_ASSERT_EQUAL(rflags, r4a.rflags); }