+2001-04-26 Harlan Stenn <stenn@whimsy.udel.edu>
+
+ * ntpdc/ntpdc_ops.c: restrict/unrestrict support for version and
+ demobilize. Implement demobilze.
+ * ntpd/ntp_proto.c (receive): Improve version testing, including
+ RES_DEMOBILIZE support.
+ (fast_xmit): Patches to kiss-of-death packet.
+ * ntpd/ntp_loopfilter.c (local_clock): S_SYNC case now also checks
+ abs(clock_offset) against CLOCK_PGATE*sys_jitter.
+ * ntpd/ntp_config.c: CONF_RES_DEMOBILIZE/demobilize support.
+ * include/ntp_config.h (CONF_RES_DEMOBILIZE): Added.
+ * include/ntp.h (RES_DEMOBILIZE): Added.
+ From Dave Mills.
+
2001-04-25 Harlan Stenn <stenn@whimsy.udel.edu>
* html/accopt.htm: Document the "version" parameter
#define RES_LPTRAP 0x080 /* traps set by him are low priority */
#define RES_LIMITED 0x100 /* limit per net number of clients */
#define RES_VERSION 0x200 /* serve only current version */
+#define RES_DEMOBILIZE 0x400 /* demobilize association */
#define RES_ALLFLAGS \
(RES_IGNORE|RES_DONTSERVE|RES_DONTTRUST|RES_NOQUERY\
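Review bot: RES_ALLFLAGS, which begins on the last two lines of this hunk and continues outside it, shows no added line, so the new bit may be missing from the mask. Any code that validates restriction flags against RES_ALLFLAGS would then reject or strip RES_DEMOBILIZE; that code is not visible here, so this needs checking against the callers. If the mask is meant to cover every flag, extend its last line with `|RES_DEMOBILIZE`, and confirm RES_VERSION is already in it.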
#define CONF_RES_NTPPORT 10
#define CONF_RES_LIMITED 11
#define CONF_RES_VERSION 12
+#define CONF_RES_DEMOBILIZE 13
/*
* "trap" modifier keywords
{ "notrust", CONF_RES_NOTRUST },
{ "ntpport", CONF_RES_NTPPORT },
{ "version", CONF_RES_VERSION },
+ { "demobilize", CONF_RES_DEMOBILIZE },
{ "", CONFIG_UNKNOWN }
};
peerversion |= RES_VERSION;
break;
+ case CONF_RES_DEMOBILIZE:
+ peerversion |= RES_DEMOBILIZE;
+ break;
+
case CONF_RES_LIMITED:
peerversion |= RES_LIMITED;
break;
* helps calm the dance. Works best using burst mode.
*/
if (state == S_SYNC) {
- if (sys_jitter / mu > clock_stability) {
+ if (sys_jitter / mu > clock_stability &&
+ fabs(clock_offset) < CLOCK_PGATE * sys_jitter) {
tc_counter += sys_poll;
if (tc_counter > CLOCK_LIMIT) {
tc_counter = CLOCK_LIMIT;
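Review bot: The comment above this test is not updated for the second condition, so a reader cannot tell why the offset is now compared with the jitter. I would add `/* advance the counter only while |clock_offset| stays below CLOCK_PGATE times the jitter */` directly above the `if`. `fabs()` needs `<math.h>`; the include list is outside the hunk, so confirm it is already present. The body of local_clock continues outside the hunk.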
* length for control and private mode packets must be checked
* by the service routines. Note that no statistics counters are
* recorded for restrict violations, since these counters are in
- * the restriction routine.
+ * the restriction routine. In case of invalid version,
+ * restricted service or too many clients, return a kiss-of-
+ * death packet.
*/
ntp_monitor(rbufp);
restrict_mask = restrictions(&rbufp->recv_srcadr);
}
pkt = &rbufp->recv_pkt;
if (PKT_VERSION(pkt->li_vn_mode) == NTP_VERSION) {
- sys_newversionpkt++;
- } else if (restrict_mask & RES_VERSION) {
- sys_unknownversion++; /* unknown version */
- return;
- } else if (PKT_VERSION(pkt->li_vn_mode) >= NTP_OLDVERSION) {
- sys_oldversionpkt++;
+ sys_newversionpkt++; /* new version */
+ } else if (!(restrict_mask & RES_VERSION) &&
+ PKT_VERSION(pkt->li_vn_mode) >= NTP_OLDVERSION) {
+ sys_oldversionpkt++; /* old version */
} else {
- sys_unknownversion++; /* unknown version */
+ if (restrict_mask & RES_DEMOBILIZE)
+ fast_xmit(rbufp, 0, 0); /* unknown version */
+ sys_unknownversion++;
return;
}
if (PKT_MODE(pkt->li_vn_mode) == MODE_PRIVATE) {
process_control(rbufp, restrict_mask);
return;
}
- if (restrict_mask & RES_DONTSERVE)
- return; /* no time service */
+ if (restrict_mask & RES_DONTSERVE) {
+ if (restrict_mask & RES_DEMOBILIZE)
+ fast_xmit(rbufp, 0, 0); /* no time service */
+ return;
+ }
if (restrict_mask & RES_LIMITED) {
+ if (restrict_mask & RES_DEMOBILIZE)
+ fast_xmit(rbufp, 0, 0); /* too many clients */
sys_limitrejected++;
- return; /* too many clients */
+ return;
}
if (rbufp->recv_length < LEN_PKT_NOMAC) {
sys_badlength++;
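Review bot: Each of the three `fast_xmit(rbufp, 0, 0)` calls answers a packet that has passed no authentication and, because the `recv_length < LEN_PKT_NOMAC` test comes after them, no length check either. The source address of such a packet can be forged, so a demobilize restriction makes the daemon send one reply per packet to whatever address the packet names, with no rate limit visible in this hunk. Nothing visible here stops a kiss-of-death from being answered with another one, since the test for an incoming kiss-of-death is added further down in receive(). I would move the sends below the length check and reply only to client requests, e.g. `if ((restrict_mask & RES_DEMOBILIZE) && PKT_MODE(pkt->li_vn_mode) == MODE_CLIENT)`. receive() starts and ends outside the hunk.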
*/
peer = findpeer(&rbufp->recv_srcadr, rbufp->dstadr, rbufp->fd,
hismode, &retcode);
+
+ /*
+ * Kiss-of-death packet
+ */
+ if (PKT_LEAP(pkt->li_vn_mode) == LEAP_NOTINSYNC &&
+ pkt->stratum == 0 && memcmp(&pkt->refid, "DENY", 4) == 0) {
+
+printf("xxx %x %d %4s\n", PKT_LEAP(pkt->li_vn_mode),
+ pkt->stratum, &pkt->refid);
+
+ }
is_authentic = 0;
dstadr_sin = &rbufp->dstadr->sin;
if (has_mac == 0) {
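Review bot: The `printf` in the new kiss-of-death block is debugging output left in the receive path, and it is the only thing the block does. It prints unconditionally for any packet with unsynchronized leap bits, stratum 0 and refid "DENY", which any remote sender can produce. `%4s` sets a minimum width rather than a limit, so printf reads past the four refid bytes until it meets a NUL. If the trace is to stay, bound it and gate it on the daemon's debug switch: `printf("kod %x %d %.4s\n", PKT_LEAP(pkt->li_vn_mode), pkt->stratum, (char *)&pkt->refid);`. The block also runs whether or not findpeer() returned a peer and takes no action on the association, so the demobilize handling named in the ChangeLog looks unfinished here; receive() continues outside the hunk.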
xpkt.li_vn_mode = PKT_LI_VN_MODE((LEAP_NOTINSYNC),
PKT_VERSION(rpkt->li_vn_mode),
PKT_MODE(rpkt->li_vn_mode));
- xpkt.stratum = STRATUM_TO_PKT(0);
+ xpkt.stratum = 0;
memcpy(&xpkt.refid, "DENY", 4);
} else {
xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap,
"display the server's restrict list" },
{ "restrict", new_restrict, { ADD, ADD, NTP_STR, OPT|NTP_STR },
{ "address", "mask",
- "ntpport|ignore|noserve|notrust|noquery|nomodify|nopeer",
+ "ntpport|ignore|noserve|notrust|noquery|nomodify|nopeer|version|demobilize",
"..." },
"create restrict entry/add flags to entry" },
{ "unrestrict", unrestrict, { ADD, ADD, NTP_STR, OPT|NTP_STR },
{ "address", "mask",
- "ntpport|ignore|noserve|notrust|noquery|nomodify|nopeer",
+ "ntpport|ignore|noserve|notrust|noquery|nomodify|nopeer|version|demobilize",
"..." },
"remove flags from a restrict entry" },
{ "delrestrict", delrestrict, { ADD, ADD, OPT|NTP_STR, NO },
{ "lptrap", RES_LPTRAP },
{ "limited", RES_LIMITED },
{ "version", RES_VERSION },
+ { "demobilize", RES_DEMOBILIZE },
+
{ "", 0 }
};