From 12a126dd4a8ce37f0fa604d19088082eab2b4bde Mon Sep 17 00:00:00 2001
From: phessler
Date: Fri, 23 Oct 2015 14:52:20 +0000
Subject: [PATCH] Allowing upstream servers of ntp being in multiple routing tables is non-sensical.

The dns lookups happened in the process routing table (usually '0'), which is very likely to have different results from the other routing domains.

If you do depend on having this behaviour, you'll need to use pf to cross the rtable boundary.

"listen on * rtable X" is still supported.

Users of "server * rtable X" will need to switch to launching ntpd with "route -T X exec /usr/sbin/ntpd"

OK deraadt@
---
 usr.sbin/ntpd/client.c    | 15 +++------------
 usr.sbin/ntpd/control.c   |  5 ++---
 usr.sbin/ntpd/ntp.c       | 13 +++++-------
 usr.sbin/ntpd/ntpd.conf.5 | 20 ++++---------------
 usr.sbin/ntpd/ntpd.h      |  4 +---
 usr.sbin/ntpd/parse.y     | 12 +++--------
 6 files changed, 18 insertions(+), 51 deletions(-)

diff --git a/usr.sbin/ntpd/client.c b/usr.sbin/ntpd/client.c
index 93e69eadb26..9980bbd5f10 100644
--- a/usr.sbin/ntpd/client.c
+++ b/usr.sbin/ntpd/client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: client.c,v 1.102 2015/07/18 00:53:44 bcook Exp $ */
+/* $OpenBSD: client.c,v 1.103 2015/10/23 14:52:20 phessler Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer
@@ -142,10 +142,6 @@ client_query(struct ntp_peer *p)
		    0)) == -1)
			fatal("client_query socket");
 
-		if (p->rtable != -1 &&
-		    setsockopt(p->query->fd, SOL_SOCKET, SO_RTABLE,
-		    &p->rtable, sizeof(p->rtable)) == -1)
-			fatal("client_query setsockopt SO_RTABLE");
		if (connect(p->query->fd, sa, SA_LEN(sa)) == -1) {
			if (errno == ECONNREFUSED || errno == ENETUNREACH ||
			    errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) {
@@ -248,11 +244,6 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
		return (0);
	}
 
-	if (p->rtable != -1 &&
-	    setsockopt(p->query->fd, SOL_SOCKET, SO_RTABLE, &p->rtable,
-	    sizeof(p->rtable)) == -1)
-		fatal("client_dispatch setsockopt SO_RTABLE");
-
	for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&somsg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET &&
@@ -393,10 +384,10 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
	}
 
	log_debug("reply from %s: offset %f delay %f, "
-	    "next query %llds %s",
+	    "next query %llds",
	    log_sockaddr((struct sockaddr *)&p->addr->ss),
	    p->reply[p->shift].offset, p->reply[p->shift].delay,
-	    (long long)interval, print_rtable(p->rtable));
+	    (long long)interval);
 
	client_update(p);
	if (settime)
diff --git a/usr.sbin/ntpd/control.c b/usr.sbin/ntpd/control.c
index 2dd76d16fbf..08740ba90aa 100644
--- a/usr.sbin/ntpd/control.c
+++ b/usr.sbin/ntpd/control.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: control.c,v 1.6 2015/07/18 00:53:44 bcook Exp $ */
+/* $OpenBSD: control.c,v 1.7 2015/10/23 14:52:20 phessler Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer
@@ -333,8 +333,7 @@ build_show_peer(struct ctl_show_peer *cp, struct ntp_peer *p)
		addr_head_name = p->addr_head.name;
 
	snprintf(cp->peer_desc, sizeof(cp->peer_desc),
-	    "%s %s%s %s", a, pool, addr_head_name,
-	    print_rtable(p->rtable) );
+	    "%s %s%s", a, pool, addr_head_name);
 
	validdelaycnt = best = 0;
	cp->offset = cp->delay = 0.0;
diff --git a/usr.sbin/ntpd/ntp.c b/usr.sbin/ntpd/ntp.c
index da6fc354929..b8dbafe38da 100644
--- a/usr.sbin/ntpd/ntp.c
+++ b/usr.sbin/ntpd/ntp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntp.c,v 1.137 2015/10/12 06:50:08 reyk Exp $ */
+/* $OpenBSD: ntp.c,v 1.138 2015/10/23 14:52:20 phessler Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer
@@ -271,9 +271,8 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
			if (p->deadline > 0 && p->deadline <= getmonotime()) {
				timeout = 300;
				log_debug("no reply from %s received in time, "
-				    "next query %ds %s", log_sockaddr(
-				    (struct sockaddr *)&p->addr->ss), timeout,
-				    print_rtable(p->rtable));
+				    "next query %ds", log_sockaddr(
+				    (struct sockaddr *)&p->addr->ss), timeout);
				if (p->trustlevel >= TRUSTLEVEL_BADPEER &&
				    (p->trustlevel /= 2) < TRUSTLEVEL_BADPEER)
					log_info("peer %s now invalid",
@@ -545,7 +544,6 @@ ntp_dispatch_imsg_dns(void)
					npeer->addr_head.name =
					    peer->addr_head.name;
					npeer->addr_head.pool = 1;
-					npeer->rtable = peer->rtable;
					client_peer_init(npeer);
					npeer->state = STATE_DNS_DONE;
					peer_add(npeer);
@@ -832,9 +830,8 @@ report_peers(int always)
				    (struct sockaddr *)&p->addr->ss);
				if (p->addr_head.pool)
					pool = "from pool ";
-				log_warnx("bad peer %s%s (%s) %s",
-				    pool, p->addr_head.name, a,
-				    print_rtable(p->rtable));
+				log_warnx("bad peer %s%s (%s)",
+				    pool, p->addr_head.name, a);
			}
		}
	}
diff --git a/usr.sbin/ntpd/ntpd.conf.5 b/usr.sbin/ntpd/ntpd.conf.5
index 70f547f4bab..ef693df81df 100644
--- a/usr.sbin/ntpd/ntpd.conf.5
+++ b/usr.sbin/ntpd/ntpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ntpd.conf.5,v 1.32 2015/08/28 02:59:29 deraadt Exp $
+.\" $OpenBSD: ntpd.conf.5,v 1.33 2015/10/23 14:52:20 phessler Exp $
 .\"
 .\" Copyright (c) 2003, 2004 Henning Brauer
 .\"
@@ -14,7 +14,7 @@
 .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 28 2015 $
+.Dd $Mdocdate: October 23 2015 $
 .Dt NTPD.CONF 5
 .Os
 .Sh NAME
@@ -130,17 +130,12 @@ A stratum value other than the default of 1 can be assigned using the stratum keyword. .It Xo Ic server Ar address .Op Ic weight Ar weight-value -.Op Ic rtable Ar table-id .Xc Specify the IP address or the hostname of an NTP server to synchronize to. If it appears multiple times, .Xr ntpd 8 will try to synchronize to all of the servers specified. -The -.Cm rtable -option specifies which routing table should be used for connection attempts. -Hostname resolution will still happen using the default routing table. If a hostname resolves to multiple IPv4 and/or IPv6 addresses, .Xr ntpd 8 uses the first address. @@ -151,7 +146,7 @@ is found. For example: .Bd -literal -offset indent server 10.0.0.2 weight 5 -server ntp.example.org weight 1 rtable 4 +server ntp.example.org weight 1 .Ed .Pp To provide redundancy, it is good practice to configure multiple servers. @@ -159,7 +154,6 @@ In general, best accuracy is obtained by using servers that have a low network latency. .It Xo Ic servers Ar address .Op Ic weight Ar weight-value -.Op Ic rtable Ar table-id .Xc As with .Cm server , @@ -173,7 +167,7 @@ will try to synchronize to all of them. For example: .Bd -literal -offset indent servers pool.ntp.org -servers pool.ntp.org rtable 5 +servers pool.ntp.org weight 5 .Ed .El .Sh CONSTRAINTS @@ -231,9 +225,3 @@ The .Nm file format first appeared in .Ox 3.6 . -.Sh CAVEATS -When using different -.Cm rtable -options, -.Xr ntpd 8 -must be started in rtable 0. diff --git a/usr.sbin/ntpd/ntpd.h b/usr.sbin/ntpd/ntpd.h index 9d0081838f6..007fb347a33 100644 --- a/usr.sbin/ntpd/ntpd.h +++ b/usr.sbin/ntpd/ntpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ntpd.h,v 1.122 2015/10/12 06:50:08 reyk Exp $ */ +/* $OpenBSD: ntpd.h,v 1.123 2015/10/23 14:52:20 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -104,7 +104,6 @@ struct listen_addr { struct ntp_addr { struct ntp_addr *next; struct sockaddr_storage ss; - int rtable; }; struct ntp_addr_wrap { 
@@ -159,7 +158,6 @@ struct ntp_peer {
	u_int8_t			 weight;
	int				 lasterror;
	int				 senderrors;
-	int				 rtable;
 };
 
 struct ntp_sensor {
diff --git a/usr.sbin/ntpd/parse.y b/usr.sbin/ntpd/parse.y
index 52852f77d12..4b15df98f45 100644
--- a/usr.sbin/ntpd/parse.y
+++ b/usr.sbin/ntpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.63 2015/07/18 00:53:44 bcook Exp $ */
+/* $OpenBSD: parse.y,v 1.64 2015/10/23 14:52:20 phessler Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer
@@ -106,8 +106,6 @@ main		: LISTEN ON address listen_opts	{
			struct listen_addr	*la;
			struct ntp_addr		*h, *next;
 
-			if ($3->a)
-				$3->a->rtable = $4.rtable;
			if ((h = $3->a) == NULL &&
			    (host_dns($3->name, &h) == -1 || !h)) {
				yyerror("could not resolve \"%s\"", $3->name);
@@ -155,7 +153,6 @@ main		: LISTEN ON address listen_opts	{
 
				p = new_peer();
				p->weight = $3.weight;
-				p->rtable = $3.rtable;
				p->addr = h;
				p->addr_head.a = h;
				p->addr_head.pool = 1;
@@ -164,7 +161,7 @@ main		: LISTEN ON address listen_opts	{
					fatal(NULL);
				if (p->addr != NULL)
					p->state = STATE_DNS_DONE;
-				if (!(p->rtable > 0 && p->addr))
+				if (!(p->addr))
					TAILQ_INSERT_TAIL(&conf->ntp_peers, p, entry);
				h = next;
 
@@ -195,7 +192,6 @@ main		: LISTEN ON address listen_opts	{
			}
 
			p->weight = $3.weight;
-			p->rtable = $3.rtable;
			p->addr_head.a = p->addr;
			p->addr_head.pool = 0;
			p->addr_head.name = strdup($2->name);
@@ -203,7 +199,7 @@ main		: LISTEN ON address listen_opts	{
				fatal(NULL);
			if (p->addr != NULL)
				p->state = STATE_DNS_DONE;
-			if (!(p->rtable > 0 && p->addr))
+			if (!(p->addr))
				TAILQ_INSERT_TAIL(&conf->ntp_peers, p, entry);
			free($2->name);
			free($2);
@@ -355,7 +351,6 @@ server_opts_l	: server_opts_l server_opt
		| server_opt
		;
 server_opt	: weight
-		| rtable
		;
 
 sensor_opts	:	{ opts_default(); }
@@ -428,7 +423,6 @@ opts_default(void)
 {
	memset(&opts, 0, sizeof opts);
	opts.weight = 1;
-	opts.rtable = -1;
	opts.stratum = 1;
 }
 
-- 
2.20.1
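Review bot: With the `rtable` member removed from `struct ntp_addr`, the `listen on ... rtable X` form the commit message says is still supported can only survive if `listen_opts`'s value is copied into the `struct listen_addr` (something like `la->rtable = $4.rtable;`) further down in this action, which is outside the @@ -106 hunk. The removed lines were the only visible consumer of `$4.rtable`, so it is worth confirming the listen path still applies the table before the socket is bound, since that decides which routing domain the daemon accepts queries from. The `main : LISTEN ON address listen_opts` action begins before this hunk and ends after it.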
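Review bot: The new condition `if (!(p->addr))` in the @@ -164 hunk (and again in the `server` rule at @@ -203) links a peer into `conf->ntp_peers` only while its address is still unresolved, so a peer given as a numeric address — the `p->addr != NULL` case that the line just above marks `STATE_DNS_DONE` — is never queued. Before this change the default `rtable == -1` made `p->rtable > 0 && p->addr` false, so the insert ran for every peer without an rtable; dropping the rtable term should therefore leave it unconditional, i.e. replace the `if` and its body with a bare `TAILQ_INSERT_TAIL(&conf->ntp_peers, p, entry);` in both hunks. If resolved peers are queued by some other path I cannot see it from these hunks, and nothing in the diff adds one. Both hunks sit inside the grammar action that starts and ends outside the hunk.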