Re: Tangle with -4 and -6

2023-09-19 Thread James Browning via devel
> On 09/17/2023 at 10:36 PM PDT, Hal Murray wrote:
> 
> -4 and -6 work on the server line in ntp.conf but are not documented

The closest I can see to an implementation is in ntpd/ntp_parser.y
lines 390-395. I infer this to mean that it sets the Address Family
of peer->srcaddr to a matching value. Which I could draft a document of.

> -4/ipv4 and -6/ipv6 "work" on the command line, but they don't do what the
> documentation says.  The man page says:
>Force DNS resolution of following host names on the command line to
>the IPv4 namespace.
> What they do is turn off setting up sockets for the other protocol.

I could write some code to do both and update the doc to reflect
that but not merge it.

> I'm not sure what the NTS server does if, say, the system doesn't support IPv6
> when it tries to listen on an IPv6 address.

A couple of possible cases here: First, if a host truly doesn't support
IPv6, it will probably generate a failure at some point that gets
logged. OTOH a host that has disconnected IPv6 will probably set up a
peer entry that will persist unless something removes it.

> The network side sets up two flags: ipv4_works and ipv6_works
> The command line -4 and -6 flags turn off the other _works flag.

There are variables in ntpd.c for whether to try choosing a particular
AF or go with the default. After checking which AFs work, there is
the following code...

if (ipv4_works && ipv6_works) {
    if (opt_ipv4)
        ipv6_works = false;
    else if (opt_ipv6)
        ipv4_works = false;
} else if (!ipv4_works && !ipv6_works) {
    msyslog(LOG_ERR, "INIT: Neither IPv4 nor IPv6 networking detected, fatal.");
    exit(1);
} else if (opt_ipv4 && !ipv4_works)
    msyslog(LOG_WARNING, "INIT: -4/--ipv4 ignored, IPv4 networking not found.");
else if (opt_ipv6 && !ipv6_works)
    msyslog(LOG_WARNING, "INIT: -6/--ipv6 ignored, IPv6 networking not found.");


Replace with something more like the following.

if (metal_af == AF_NONE) {
    msyslog(LOG_ALERT, "INIT: The Network does not work.");
    exit(1);
} else if ((metal_af == argv_af) || (metal_af == AF_UNSPEC)) {
    sys_af = argv_af;
} else if (peer_af == AF_UNSPEC) {
    sys_af = metal_af;
} else {
    msyslog(LOG_WARNING, "INIT: Ignoring requested family %d", argv_af);
}

> I wrote the DNS code for both server/pool and NTS.  I don't remember how the
> -4/-6 options work (and a quick look didn't refresh my memory).  I don't
> remember ever checking the above flags or thinking about doing it.

It uses the AF of peer->srcaddr, AFAICT the command line doesn't
affect it even indirectly.

> Note that there are 2 DNS lookups on the NTS path, one for the NTS-KE server
> and another if the server returns a name/address rather than using the default
> of the same address as was used for the NTS-KE lookup.

I was going to try to write something relevant here, but I decided
not to.

> I'm pretty sure the command line processing doesn't do any DNS lookups.
> It roughly adds a server line, and does a DNS lookup with the constant-only
> (no net traffic) flag so that slot won't get delayed behind a real DNS lookup
> that is slow.
> 
> --
> 
> I think we should clean up this area.  That includes:


I would also suggest cleaning up libntp/{initnetwork,isc_net}.c to
remove isc_result as we only seem to care if we succeed and not the
why of failures.

> Making sure DNS lookups don't use an address for a disabled protocol.

A minor patch in ntp_dns.c may help with that.

if ((sys_af == AF_UNSPEC) || (sys_af == peer_af)) {
    hint.af = peer_af;
} else if (peer_af == AF_UNSPEC) {
    hint.af = sys_af;
} else {
    msyslog(LOG_WARNING, "DNS: Requested unsupported family %d", peer_af);
}

> Add enable/disable -4/ipv4 -6/ipv6 to ntp.conf
> Note that these will have a backwards meaning from the -4 on the command line.
>   -4 on the command line <=> disable -6
> 
> 
> Does this make sense?
> Am I missing anything?

A corner case and minor details, perhaps.

> This will take a lot of testing.

Ah, yes, the other reason why I can't get anything merged.

> We should move the command line code in config_peers that checks for a
> numeric address to the main processing loop.

We should do it before the main loop starts; the
check is probably affordable.
static bool is_sane_resolved_address()
in ntp_config.c is written for that.

It seems that -4 and -6 also apply to the interface commands in the
config file and via mode 6.
___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel


Tangle with -4 and -6

2023-09-17 Thread Hal Murray via devel


-4 and -6 work on the server line in ntp.conf but are not documented

-4/ipv4 and -6/ipv6 "work" on the command line, but they don't do what the
documentation says.  The man page says:
   Force DNS resolution of following host names on the command line to
   the IPv4 namespace.
What they do is turn off setting up sockets for the other protocol.

I'm not sure what the NTS server does if, say, the system doesn't support IPv6
when it tries to listen on an IPv6 address.

--

The network side sets up two flags: ipv4_works and ipv6_works
The command line -4 and -6 flags turn off the other _works flag.

I wrote the DNS code for both server/pool and NTS.  I don't remember how the
-4/-6 options work (and a quick look didn't refresh my memory).  I don't
remember ever checking the above flags or thinking about doing it.

Note that there are 2 DNS lookups on the NTS path, one for the NTS-KE server
and another if the server returns a name/address rather than using the default
of the same address as was used for the NTS-KE lookup.

I'm pretty sure the command line processing doesn't do any DNS lookups.
It roughly adds a server line, and does a DNS lookup with the constant-only
(no net traffic) flag so that slot won't get delayed behind a real DNS lookup
that is slow.

--

I think we should clean up this area.  That includes:

Making sure DNS lookups don't use an address for a disabled protocol.

Add enable/disable -4/ipv4 -6/ipv6 to ntp.conf
Note that these will have a backwards meaning from the -4 on the command line.
  -4 on the command line <=> disable -6


Does this make sense?
Am I missing anything?

This will take a lot of testing.



We should move the command line code in config_peers that checks for a
numeric address to the main processing loop.

-- 
These are my opinions.  I hate spam.
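Added example, not NTPsec code: a stand-alone C sketch of the policy both messages circle around, i.e. James's proposed replacement for the ipv4_works/ipv6_works block in ntpd.c and his hint.af patch for ntp_dns.c, and Hal's point that DNS lookups must never hand back an address for a disabled protocol. The three inputs follow James's naming (metal_af for what the host supports, argv_af for the command line, peer_af for a server line); AF_NONE is an assumed sentinel, the init draft's reference to peer_af is read here as argv_af, and the function names resolve_sys_af, resolve_hint_af and lookup_numeric are hypothetical. The lookup uses AI_NUMERICHOST so it runs offline, which is also the "constant-only" path described for command-line servers.

```c
#define _POSIX_C_SOURCE 200112L
/*
 * Added example, not NTPsec code: reconcile three address-family inputs
 *   metal_af : what the host's networking actually supports
 *   argv_af  : -4/-6 from the command line
 *   peer_af  : -4/-6 from one "server" line
 * and feed the result to getaddrinfo() so a lookup can never return an
 * address of a family that was disabled. AF_NONE is an assumed sentinel.
 */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define AF_NONE (-1)   /* assumed: "no family works"; AF_UNSPEC means "either" */

/* System-wide family once the command line has been checked against the host. */
static int resolve_sys_af(int metal_af, int argv_af)
{
    if (metal_af == AF_NONE)
        return AF_NONE;                 /* neither IPv4 nor IPv6: caller must exit */
    if (metal_af == AF_UNSPEC || metal_af == argv_af)
        return argv_af;                 /* both work, or the request matches */
    if (argv_af == AF_UNSPEC)
        return metal_af;                /* nothing requested: use what works */
    fprintf(stderr, "INIT: ignoring requested family %d\n", argv_af);
    return metal_af;                    /* -4/-6 asked for a family the host lacks */
}

/* getaddrinfo() hint for one server line; AF_NONE if its -4/-6 conflicts. */
static int resolve_hint_af(int sys_af, int peer_af)
{
    if (sys_af == AF_UNSPEC || sys_af == peer_af)
        return peer_af;
    if (peer_af == AF_UNSPEC)
        return sys_af;
    fprintf(stderr, "DNS: requested unsupported family %d\n", peer_af);
    return AF_NONE;
}

/*
 * Resolve a numeric host under the chosen family. AI_NUMERICHOST keeps this
 * offline (no DNS traffic). Returns the family of the first result, or
 * AF_NONE when the hint rejects the literal, e.g. an IPv6 literal under AF_INET.
 */
static int lookup_numeric(const char *host, int hint_af)
{
    struct addrinfo hints, *res = NULL;
    int af;

    if (hint_af == AF_NONE)
        return AF_NONE;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = hint_af;          /* the hint is what enforces the policy */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;    /* literal only, never hits the network */
    if (getaddrinfo(host, "123", &hints, &res) != 0)
        return AF_NONE;
    af = res->ai_family;
    freeaddrinfo(res);
    return af;
}

static const char *af_name(int af)
{
    return af == AF_INET ? "inet" : af == AF_INET6 ? "inet6"
         : af == AF_UNSPEC ? "unspec" : "none";
}

int main(void)
{
    /* Constructed scenario: host has IPv4 only, "-6" given on the command
     * line, one server line with no flag and one with -6. */
    int sys_af = resolve_sys_af(AF_INET, AF_INET6);      /* warns, yields inet */
    const char *hosts[] = { "192.0.2.1", "2001:db8::1" };
    int peer_afs[] = { AF_UNSPEC, AF_INET6 };

    for (int i = 0; i < 2; i++) {
        int hint = resolve_hint_af(sys_af, peer_afs[i]);
        printf("%-12s peer=%-6s hint=%-6s -> %s\n", hosts[i],
               af_name(peer_afs[i]), af_name(hint),
               af_name(lookup_numeric(hosts[i], hint)));
    }
    return 0;
}
```

The second server line in the scenario is the case Hal asks about: the peer asked for a family the system-wide choice has disabled, so the hint becomes AF_NONE and no address is produced at all, rather than an IPv6 address being queued for a host that cannot open an IPv6 socket.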