> On 09/17/2023 at 10:36 PM PDT, Hal Murray wrote:
>
> -4 and -6 work on the server line in ntp.conf but are not documented

The closest I can see to an implementation is in ntpd/ntp_parser.y lines 390-395. I infer this to mean that it sets the Address Family of peer->srcaddr to a matching value. Which I could draft a document of.

> -4/ipv4 and -6/ipv6 "work" on the command line, but they don't do what the
> documentation says. The man page says:
>     Force DNS resolution of following host names on the command line to
>     the IPv4 namespace.
> What they do is turn off setting up sockets for the other protocol.

I could write some code to do both and update the doc to reflect that but not merge it.

> I'm not sure what the NTS server does if, say, the system doesn't support IPv6
> when it tries to listen on an IPv6 address.

A couple of possible cases here: First, if a host truly doesn't support IPv6, it will probably generate a failure at some point that gets logged. OTOH a host that has disconnected IPv6 will probably set up a peer entry that will persist unless something removes it.

> The network side sets up two flags: ipv4_works and ipv6_works
> The command line -4 and -6 flags turn off the other _works flag.

There are variables in ntpd.c for whether to try choosing a particular AF or go with the default. After checking which AFs work, there is the following code...

    if (ipv4_works && ipv6_works) {
        if (opt_ipv4)
            ipv6_works = false;
        else if (opt_ipv6)
            ipv4_works = false;
    } else if (!ipv4_works && !ipv6_works) {
        msyslog(LOG_ERR, "INIT: Neither IPv4 nor IPv6 networking detected, fatal.");
        exit(1);
    } else if (opt_ipv4 && !ipv4_works)
        msyslog(LOG_WARNING, "INIT: -4/--ipv4 ignored, IPv4 networking not found.");
    else if (opt_ipv6 && !ipv6_works)
        msyslog(LOG_WARNING, "INIT: -6/--ipv6 ignored, IPv6 networking not found.");

Replace with something more like the following.

    if (metal_af == AF_NONE) {
        msyslog(LOG_ALERT, "INIT: The Network does not work.");
        exit(1);
    } else if ((metal_af == argv_af) || (metal_af == AF_UNSPEC)) {
        sys_af = argv_af;
    } else if (peer_af == AF_UNSPEC) {
        sys_af = metal_af;
    } else {
        msyslog(LOG_WARNING, "INIT: Ignoring requested family %d", argv_af);
    }

> I wrote the DNS code for both server/pool and NTS. I don't remember how the
> -4/-6 options work (and a quick look didn't refresh my memory). I don't
> remember ever checking the above flags or thinking about doing it.

It uses the AF of peer->srcaddr, AFAICT the command line doesn't affect it even indirectly.

> Note that there are 2 DNS lookups on the NTS path, one for the NTS-KE server
> and another if the server returns a name/address rather than using the default
> of the same address as was used for the NTS-KE lookup.

I was going to try to write something relevant here, but I decided not to.

> I'm pretty sure the command line processing doesn't do any DNS lookups.
> It roughly adds a server line, and does a DNS lookup with the constant-only
> (no net traffic) flag so that slot won't get delayed behind a real DNS lookup
> that is slow.
>
> ----------
>
> I think we should clean up this area. That includes:

I would also suggest cleaning up libntp/{initnetwork,isc_net}.c to remove isc_result as we only seem to care if we succeed and not the why of failures.

> Making sure DNS lookups don't use an address for a disabled protocol.

A minor patch in ntp_dns.c may help with that.

    if ((sys_af == AF_UNSPEC) || (sys_af == peer_af)) {
        /* no system-wide restriction, or the peer already matches it */
        hint.af = peer_af;
    } else if (peer_af == AF_UNSPEC) {
        /* peer has no preference: use the system-wide family */
        hint.af = sys_af;
    } else {
        msyslog(LOG_WARNING, "DNS: Requested supported family %d", peer_af);
    }

> Add enable/disable -4/ipv4 -6/ipv6 to ntp.conf
> Note that these will have a backwards meaning from the -4 on the command line.
> -4 on the command line <=> disable -6
>
>
> Does this make sense?
> Am I missing anything?

A corner case and minor details, perhaps.

> This will take a lot of testing.

Ah, yes, the other reason why I can't get anything merged.

> We should move the command line code in config_peers that checks for a
> numeric address to the main processing loop.

We should do it before the main loop starts; the check is probably affordable. static bool is_sane_resolved_address() in ntp_cconfig.c is written for that. It seems that -4 and -6 also apply to the interface commands in the config file and via mode 6.

_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
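
An added example, not part of the message above and not NTPsec code: a stand-alone C sketch of keeping lookups off a disabled protocol, combining the sys_af/peer_af hint selection with the no-traffic numeric-address check the thread mentions. The names lookup_family, numeric_family and AF_REJECTED are hypothetical, and the addresses are constructed samples from the documentation ranges.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define AF_REJECTED (-1) /* hypothetical sentinel: no usable family */

/* sys_af:  family the daemon is restricted to (AF_UNSPEC = both enabled).
 * peer_af: family requested on one server line (AF_UNSPEC = no preference).
 * Returns the family for the lookup hint, or AF_REJECTED on a conflict. */
int lookup_family(int sys_af, int peer_af)
{
    if (sys_af == AF_UNSPEC || sys_af == peer_af)
        return peer_af;
    if (peer_af == AF_UNSPEC)
        return sys_af;
    return AF_REJECTED;
}

/* Parse host as a numeric address only (AI_NUMERICHOST sends no DNS query).
 * Returns its family, or AF_REJECTED if it is a name, is malformed, or
 * belongs to a family that the hint excludes. */
int numeric_family(const char *host, int sys_af, int peer_af)
{
    struct addrinfo hints, *res = NULL;
    int af = lookup_family(sys_af, peer_af);

    if (af == AF_REJECTED)
        return AF_REJECTED;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = af;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return AF_REJECTED;
    af = res->ai_family;
    freeaddrinfo(res);
    return af;
}

int main(void)
{
    /* Constructed inputs: daemon limited to IPv4, peer has no preference. */
    printf("%d\n", numeric_family("192.0.2.10", AF_INET, AF_UNSPEC));
    printf("%d\n", numeric_family("2001:db8::1", AF_INET, AF_UNSPEC));
    return 0;
}
```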