Module Name: src
Committed By: bouyer
Date: Mon Jan 6 19:24:42 UTC 2014
Modified Files:
src/dist/ntp/ntpd [netbsd-5-2]: ntp_request.c
src/etc [netbsd-5-2]: ntp.conf
Log Message:
etc/ntp.conf 1.16, 1.17, 1.18 via patch
external/bsd/ntp/dist/ntpd/ntp_request.c patch
Patch from ntp 4.2.7p404 to prevent amplification and DoS attacks.
Add several "restrict" lines to the default ntp.conf and
improve comments
[spz, ticket #1895]
To generate a diff of this commit:
cvs rdiff -u -r1.8.4.1 -r1.8.4.1.6.1 src/dist/ntp/ntpd/ntp_request.c
cvs rdiff -u -r1.9 -r1.9.36.1 src/etc/ntp.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/ntp/ntpd/ntp_request.c
diff -u src/dist/ntp/ntpd/ntp_request.c:1.8.4.1 src/dist/ntp/ntpd/ntp_request.c:1.8.4.1.6.1
--- src/dist/ntp/ntpd/ntp_request.c:1.8.4.1 Wed Dec 9 04:48:24 2009
+++ src/dist/ntp/ntpd/ntp_request.c Mon Jan 6 19:24:42 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: ntp_request.c,v 1.8.4.1 2009/12/09 04:48:24 snj Exp $ */
+/* $NetBSD: ntp_request.c,v 1.8.4.1.6.1 2014/01/06 19:24:42 bouyer Exp $ */
/*
* ntp_request.c - respond to information requests
@@ -84,8 +84,7 @@ static void do_resaddflags P((struct soc
static void do_ressubflags P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
static void do_unrestrict P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
static void do_restrict P((struct sockaddr_storage *, struct interface *, struct req_pkt *, int));
-static void mon_getlist_0 P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
-static void mon_getlist_1 P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
+static void mon_getlist P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
static void reset_stats P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
static void reset_peer P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
static void do_key_reread P((struct sockaddr_storage *, struct interface *, struct req_pkt *));
@@ -145,8 +144,8 @@ static struct req_proc ntp_codes[] = {
sizeof(struct conf_restrict), do_ressubflags },
{ REQ_UNRESTRICT, AUTH, v4sizeof(struct conf_restrict),
sizeof(struct conf_restrict), do_unrestrict },
- { REQ_MON_GETLIST, NOAUTH, 0, 0, mon_getlist_0 },
- { REQ_MON_GETLIST_1, NOAUTH, 0, 0, mon_getlist_1 },
+ { REQ_MON_GETLIST, NOAUTH, 0, 0, mon_getlist },
+ { REQ_MON_GETLIST_1, NOAUTH, 0, 0, mon_getlist },
{ REQ_RESET_STATS, AUTH, sizeof(struct reset_flags), 0, reset_stats },
{ REQ_RESET_PEER, AUTH, v4sizeof(struct conf_unpeer),
sizeof(struct conf_unpeer), reset_peer },
@@ -601,6 +600,9 @@ process_private(
"process_private: failed auth mod_okay %d\n",
mod_okay);
#endif
+ if (!mod_okay) {
+ sys_restricted++;
+ }
req_ack(srcadr, inter, inpkt, INFO_ERR_AUTH);
return;
}
@@ -822,35 +824,42 @@ peer_info (
struct req_pkt *inpkt
)
{
- register struct info_peer_list *ipl;
+ struct info_peer_list ipl;
register struct peer *pp;
register struct info_peer *ip;
register int items;
+ size_t item_sz;
+ char * datap;
register int i, j;
struct sockaddr_storage addr;
extern struct peer *sys_peer;
l_fp ltmp;
- memset((char *)&addr, 0, sizeof addr);
items = INFO_NITEMS(inpkt->err_nitems);
- ipl = (struct info_peer_list *) inpkt->data;
-
+ item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize);
+ datap = inpkt->data;
+ if (item_sz != sizeof(ipl)) {
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
ip = (struct info_peer *)prepare_pkt(srcadr, inter, inpkt,
v6sizeof(struct info_peer));
while (items-- > 0 && ip != 0) {
+ memset(&ipl,0,sizeof(ipl));
+ memcpy(&ipl, datap, item_sz);
memset((char *)&addr, 0, sizeof(addr));
- NSRCPORT(&addr) = ipl->port;
- if (client_v6_capable && ipl->v6_flag != 0) {
+ NSRCPORT(&addr) = ipl.port;
+ if (client_v6_capable && ipl.v6_flag != 0) {
addr.ss_family = AF_INET6;
- GET_INADDR6(addr) = ipl->addr6;
+ GET_INADDR6(addr) = ipl.addr6;
} else {
addr.ss_family = AF_INET;
- GET_INADDR(addr) = ipl->addr;
+ GET_INADDR(addr) = ipl.addr;
}
#ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR
addr.ss_len = SOCKLEN(&addr);
#endif
- ipl++;
+ datap += item_sz;
if ((pp = findexistingpeer(&addr, (struct peer *)0, -1)) == 0)
continue;
if (pp->srcadr.ss_family == AF_INET6) {
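Review bot: The new length check in peer_info rejects any item size other than the full struct (`if (item_sz != sizeof(ipl))`), while peer_stats in the next hunk and every other converted handler accept shorter items with `item_sz > sizeof(...)` and rely on the preceding memset to zero-fill the tail; one rule should be chosen and applied to all of them, either strict equality everywhere or the lenient form everywhere. Neither form bounds `items * item_sz` against the received datagram, so the `datap += item_sz` walk depends on process_private (outside this diff) having already validated err_nitems and mbz_itemsize against the packet length, which is worth confirming. peer_info's body continues past the hunk.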
@@ -954,10 +963,12 @@ peer_stats (
struct req_pkt *inpkt
)
{
- register struct info_peer_list *ipl;
+ struct info_peer_list ipl;
register struct peer *pp;
register struct info_peer_stats *ip;
register int items;
+ size_t item_sz;
+ char * datap;
struct sockaddr_storage addr;
extern struct peer *sys_peer;
@@ -966,18 +977,25 @@ peer_stats (
printf("peer_stats: called\n");
#endif
items = INFO_NITEMS(inpkt->err_nitems);
- ipl = (struct info_peer_list *) inpkt->data;
+ item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize);
+ datap = inpkt->data;
+ if (item_sz > sizeof(ipl)) {
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
ip = (struct info_peer_stats *)prepare_pkt(srcadr, inter, inpkt,
v6sizeof(struct info_peer_stats));
while (items-- > 0 && ip != 0) {
+ memset(&ipl,0,sizeof(ipl));
+ memcpy(&ipl, datap, item_sz);
memset((char *)&addr, 0, sizeof(addr));
- NSRCPORT(&addr) = ipl->port;
- if (client_v6_capable && ipl->v6_flag) {
+ NSRCPORT(&addr) = ipl.port;
+ if (client_v6_capable && ipl.v6_flag) {
addr.ss_family = AF_INET6;
- GET_INADDR6(addr) = ipl->addr6;
+ GET_INADDR6(addr) = ipl.addr6;
} else {
addr.ss_family = AF_INET;
- GET_INADDR(addr) = ipl->addr;
+ GET_INADDR(addr) = ipl.addr;
}
#ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR
addr.ss_len = SOCKLEN(&addr);
@@ -985,10 +1003,9 @@ peer_stats (
#ifdef DEBUG
if (debug)
printf("peer_stats: looking for %s, %d, %d\n", stoa(&addr),
- ipl->port, ((struct sockaddr_in6 *)&addr)->sin6_port);
+ ipl.port, ((struct sockaddr_in6 *)&addr)->sin6_port);
#endif
- ipl = (struct info_peer_list *)((char *)ipl +
- INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap += item_sz;
if ((pp = findexistingpeer(&addr, (struct peer *)0, -1)) == 0)
continue;
@@ -1329,8 +1346,9 @@ do_conf(
)
{
int items;
+ size_t item_sz;
+ char * datap;
u_int fl;
- struct conf_peer *cp;
struct conf_peer temp_cp;
struct sockaddr_storage peeraddr;
struct sockaddr_in tmp_clock;
@@ -1341,39 +1359,16 @@ do_conf(
* very picky here.
*/
items = INFO_NITEMS(inpkt->err_nitems);
- cp = (struct conf_peer *)inpkt->data;
- memset(&temp_cp, 0, sizeof(struct conf_peer));
- memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize));
- fl = 0;
- while (items-- > 0 && !fl) {
- if (((temp_cp.version) > NTP_VERSION)
- || ((temp_cp.version) < NTP_OLDVERSION))
- fl = 1;
- if (temp_cp.hmode != MODE_ACTIVE
- && temp_cp.hmode != MODE_CLIENT
- && temp_cp.hmode != MODE_BROADCAST)
- fl = 1;
- if (temp_cp.flags & ~(CONF_FLAG_AUTHENABLE | CONF_FLAG_PREFER
- | CONF_FLAG_BURST | CONF_FLAG_IBURST | CONF_FLAG_SKEY))
- fl = 1;
- cp = (struct conf_peer *)
- ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
- }
-
- if (fl) {
+ item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize);
+ datap = inpkt->data;
+ if (item_sz > sizeof(temp_cp)) {
req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
return;
}
- /*
- * Looks okay, try it out
- */
- items = INFO_NITEMS(inpkt->err_nitems);
- cp = (struct conf_peer *)inpkt->data;
-
while (items-- > 0) {
memset(&temp_cp, 0, sizeof(struct conf_peer));
- memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ memcpy(&temp_cp, datap, item_sz);
memset((char *)&peeraddr, 0, sizeof(struct sockaddr_storage));
fl = 0;
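Review bot: The pre-validation pass that rejected out-of-range `version`, unknown `hmode` values and unrecognised `flags` bits (the removed lines in this hunk) has no replacement in the new single loop, so unless peer_config or the loop body beyond the hunk performs the same checks, those fields are now taken from the packet unverified. The old pass had its own defect, it copied `temp_cp` once before the loop and never re-read it per item, which may be why it was dropped, but the checks themselves are still wanted. A validation pass that re-reads each item and keeps the configure loop atomic (nothing is configured if any item is bad) would look like the following. do_conf's loop body continues outside the hunk.
```c
	if (item_sz > sizeof(temp_cp)) {
		req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
		return;
	}
	/* Validate every item before configuring any of them. */
	fl = 0;
	while (items-- > 0 && !fl) {
		memset(&temp_cp, 0, sizeof(temp_cp));
		memcpy(&temp_cp, datap, item_sz);
		if (temp_cp.version > NTP_VERSION
		    || temp_cp.version < NTP_OLDVERSION)
			fl = 1;
		if (temp_cp.hmode != MODE_ACTIVE
		    && temp_cp.hmode != MODE_CLIENT
		    && temp_cp.hmode != MODE_BROADCAST)
			fl = 1;
		if (temp_cp.flags & ~(CONF_FLAG_AUTHENABLE | CONF_FLAG_PREFER
		    | CONF_FLAG_BURST | CONF_FLAG_IBURST | CONF_FLAG_SKEY))
			fl = 1;
		datap += item_sz;
	}
	if (fl) {
		req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
		return;
	}
	/* Looks okay, try it out. */
	items = INFO_NITEMS(inpkt->err_nitems);
	datap = inpkt->data;
	while (items-- > 0) {
		/* … unchanged: copy item, build peeraddr, compute fl, configure peer … */
```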
@@ -1421,8 +1416,7 @@ do_conf(
req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
return;
}
- cp = (struct conf_peer *)
- ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap += item_sz;
}
req_ack(srcadr, inter, inpkt, INFO_OKAY);
@@ -1535,9 +1529,10 @@ do_unconf(
struct req_pkt *inpkt
)
{
- register struct conf_unpeer *cp;
struct conf_unpeer temp_cp;
register int items;
+ size_t item_sz;
+ char * datap;
register struct peer *peer;
struct sockaddr_storage peeraddr;
int bad, found;
@@ -1549,13 +1544,18 @@ do_unconf(
* an error.
*/
items = INFO_NITEMS(inpkt->err_nitems);
- cp = (struct conf_unpeer *)inpkt->data;
+ item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize);
+ datap = inpkt->data;
+ if (item_sz > sizeof(temp_cp)) {
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
bad = 0;
while (items-- > 0 && !bad) {
memset(&temp_cp, 0, sizeof(temp_cp));
+ memcpy(&temp_cp, datap, item_sz);
memset(&peeraddr, 0, sizeof(peeraddr));
- memcpy(&temp_cp, cp, INFO_ITEMSIZE(inpkt->mbz_itemsize));
if (client_v6_capable && temp_cp.v6_flag != 0) {
peeraddr.ss_family = AF_INET6;
GET_INADDR6(peeraddr) = temp_cp.peeraddr6;
@@ -1582,8 +1582,7 @@ do_unconf(
}
if (!found)
bad = 1;
- cp = (struct conf_unpeer *)
- ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap = inpkt->data;
}
if (bad) {
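Review bot: In the existence-check loop of do_unconf the cursor is reset instead of advanced: `datap = inpkt->data;` at the end of the loop body should be `datap += item_sz;`, as the second loop below already does. As written, every iteration re-validates the first item only, so a request whose later entries name peers that do not exist passes the check and reaches the peer_unconfig loop anyway, defeating the "return an error" contract stated in the comment above the loop. do_unconf's body continues outside the hunk.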
@@ -1596,11 +1595,12 @@ do_unconf(
*/
items = INFO_NITEMS(inpkt->err_nitems);
- cp = (struct conf_unpeer *)inpkt->data;
+ datap = inpkt->data;
+
while (items-- > 0) {
memset(&temp_cp, 0, sizeof(temp_cp));
+ memcpy(&temp_cp, datap, item_sz);
memset(&peeraddr, 0, sizeof(peeraddr));
- memcpy(&temp_cp, cp, INFO_ITEMSIZE(inpkt->mbz_itemsize));
if (client_v6_capable && temp_cp.v6_flag != 0) {
peeraddr.ss_family = AF_INET6;
GET_INADDR6(peeraddr) = temp_cp.peeraddr6;
@@ -1613,8 +1613,7 @@ do_unconf(
peeraddr.ss_len = SOCKLEN(&peeraddr);
#endif
peer_unconfig(&peeraddr, (struct interface *)0, -1);
- cp = (struct conf_unpeer *)
- ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap += item_sz;
}
req_ack(srcadr, inter, inpkt, INFO_OKAY);
@@ -1815,8 +1814,10 @@ do_restrict(
int op
)
{
- register struct conf_restrict *cr;
+ struct conf_restrict cr;
register int items;
+ size_t item_sz;
+ char * datap;
struct sockaddr_storage matchaddr;
struct sockaddr_storage matchmask;
int bad;
@@ -1827,26 +1828,31 @@ do_restrict(
* about it. Note we are very picky here.
*/
items = INFO_NITEMS(inpkt->err_nitems);
- cr = (struct conf_restrict *)inpkt->data;
+ item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize);
+ datap = inpkt->data;
+ if (item_sz > sizeof(cr)) {
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
bad = 0;
- cr->flags = ntohs(cr->flags);
- cr->mflags = ntohs(cr->mflags);
while (items-- > 0 && !bad) {
- if (cr->mflags & ~(RESM_NTPONLY))
+ memcpy(&cr, datap, item_sz);
+ cr.flags = ntohs(cr.flags);
+ cr.mflags = ntohs(cr.mflags);
+ if (cr.mflags & ~(RESM_NTPONLY))
bad |= 1;
- if (cr->flags & ~(RES_ALLFLAGS))
+ if (cr.flags & ~(RES_ALLFLAGS))
bad |= 2;
- if (cr->mask != htonl(INADDR_ANY)) {
- if (client_v6_capable && cr->v6_flag != 0) {
- if (IN6_IS_ADDR_UNSPECIFIED(&cr->addr6))
+ if (cr.mask != htonl(INADDR_ANY)) {
+ if (client_v6_capable && cr.v6_flag != 0) {
+ if (IN6_IS_ADDR_UNSPECIFIED(&cr.addr6))
bad |= 4;
} else
- if (cr->addr == htonl(INADDR_ANY))
+ if (cr.addr == htonl(INADDR_ANY))
bad |= 8;
}
- cr = (struct conf_restrict *)((char *)cr +
- INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap += item_sz;
}
if (bad) {
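Review bot: `memcpy(&cr, datap, item_sz);` in both do_restrict loops copies into `cr` without zeroing it first, unlike peer_info, peer_stats and reset_peer, which `memset` the local before the copy. Since the size check only rejects `item_sz > sizeof(cr)`, a shorter (IPv4-sized) item from a v6-capable client leaves `cr.v6_flag`, `cr.addr6` and `cr.mask6` as uninitialized stack, and exactly those fields are read on the following lines. Add `memset(&cr, 0, sizeof(cr));` before each `memcpy`, here and in the second loop in the next hunk. do_restrict's body continues outside the hunk.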
@@ -1859,25 +1865,28 @@ do_restrict(
* Looks okay, try it out
*/
items = INFO_NITEMS(inpkt->err_nitems);
- cr = (struct conf_restrict *)inpkt->data;
memset((char *)&matchaddr, 0, sizeof(struct sockaddr_storage));
memset((char *)&matchmask, 0, sizeof(struct sockaddr_storage));
+ datap = inpkt->data;
while (items-- > 0) {
- if (client_v6_capable && cr->v6_flag != 0) {
- GET_INADDR6(matchaddr) = cr->addr6;
- GET_INADDR6(matchmask) = cr->mask6;
+ memcpy(&cr, datap, item_sz);
+ cr.flags = ntohs(cr.flags);
+ cr.mflags = ntohs(cr.mflags);
+ if (client_v6_capable && cr.v6_flag != 0) {
+ GET_INADDR6(matchaddr) = cr.addr6;
+ GET_INADDR6(matchmask) = cr.mask6;
matchaddr.ss_family = AF_INET6;
matchmask.ss_family = AF_INET6;
} else {
- GET_INADDR(matchaddr) = cr->addr;
- GET_INADDR(matchmask) = cr->mask;
+ GET_INADDR(matchaddr) = cr.addr;
+ GET_INADDR(matchmask) = cr.mask;
matchaddr.ss_family = AF_INET;
matchmask.ss_family = AF_INET;
}
- hack_restrict(op, &matchaddr, &matchmask, cr->mflags,
- cr->flags);
- cr++;
+ hack_restrict(op, &matchaddr, &matchmask, cr.mflags,
+ cr.flags);
+ datap += item_sz;
}
req_ack(srcadr, inter, inpkt, INFO_OKAY);
@@ -1888,103 +1897,13 @@ do_restrict(
* mon_getlist - return monitor data
*/
static void
-mon_getlist_0(
+mon_getlist(
struct sockaddr_storage *srcadr,
struct interface *inter,
struct req_pkt *inpkt
)
{
- register struct info_monitor *im;
- register struct mon_data *md;
- extern struct mon_data mon_mru_list;
- extern int mon_enabled;
-
-#ifdef DEBUG
- if (debug > 2)
- printf("wants monitor 0 list\n");
-#endif
- if (!mon_enabled) {
- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
- return;
- }
- im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt,
- v6sizeof(struct info_monitor));
- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
- md = md->mru_next) {
- im->lasttime = htonl((u_int32)md->avg_interval);
- im->firsttime = htonl((u_int32)(current_time - md->lasttime));
- im->lastdrop = htonl((u_int32)md->drop_count);
- im->count = htonl((u_int32)(md->count));
- if (md->rmtadr.ss_family == AF_INET6) {
- if (!client_v6_capable)
- continue;
- im->addr6 = GET_INADDR6(md->rmtadr);
- im->v6_flag = 1;
- } else {
- im->addr = GET_INADDR(md->rmtadr);
- if (client_v6_capable)
- im->v6_flag = 0;
- }
- im->port = md->rmtport;
- im->mode = md->mode;
- im->version = md->version;
- im = (struct info_monitor *)more_pkt();
- }
- flush_pkt();
-}
-
-/*
- * mon_getlist - return monitor data
- */
-static void
-mon_getlist_1(
- struct sockaddr_storage *srcadr,
- struct interface *inter,
- struct req_pkt *inpkt
- )
-{
- register struct info_monitor_1 *im;
- register struct mon_data *md;
- extern struct mon_data mon_mru_list;
- extern int mon_enabled;
-
- if (!mon_enabled) {
- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
- return;
- }
- im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt,
- v6sizeof(struct info_monitor_1));
- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
- md = md->mru_next) {
- im->lasttime = htonl((u_int32)md->avg_interval);
- im->firsttime = htonl((u_int32)(current_time - md->lasttime));
- im->lastdrop = htonl((u_int32)md->drop_count);
- im->count = htonl((u_int32)md->count);
- if (md->rmtadr.ss_family == AF_INET6) {
- if (!client_v6_capable)
- continue;
- im->addr6 = GET_INADDR6(md->rmtadr);
- im->v6_flag = 1;
- im->daddr6 = GET_INADDR6(md->interface->sin);
- } else {
- im->addr = GET_INADDR(md->rmtadr);
- if (client_v6_capable)
- im->v6_flag = 0;
- im->daddr = (md->cast_flags == MDF_BCAST)
- ? GET_INADDR(md->interface->bcast)
- : (md->cast_flags
- ? (GET_INADDR(md->interface->sin)
- ? GET_INADDR(md->interface->sin)
- : GET_INADDR(md->interface->bcast))
- : 4);
- }
- im->flags = htonl(md->cast_flags);
- im->port = md->rmtport;
- im->mode = md->mode;
- im->version = md->version;
- im = (struct info_monitor_1 *)more_pkt();
- }
- flush_pkt();
+ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
}
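Review bot: The comment above the function still reads `mon_getlist - return monitor data`, but the merged mon_getlist now unconditionally answers INFO_ERR_NODATA for both REQ_MON_GETLIST and REQ_MON_GETLIST_1 and never walks the MRU list. The header should say so, e.g. `mon_getlist - monitor data is no longer exported over mode 7; always reply INFO_ERR_NODATA (amplification/DoS mitigation, see log message)`, so the next reader does not go looking for the missing list-walking code. The DEBUG trace the old mon_getlist_0 printed is gone as well, which the comment can mention.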
/*
@@ -2053,8 +1972,10 @@ reset_peer(
struct req_pkt *inpkt
)
{
- register struct conf_unpeer *cp;
+ struct conf_unpeer cp;
register int items;
+ size_t item_sz;
+ char * datap;
register struct peer *peer;
struct sockaddr_storage peeraddr;
int bad;
@@ -2065,16 +1986,23 @@ reset_peer(
*/
items = INFO_NITEMS(inpkt->err_nitems);
- cp = (struct conf_unpeer *)inpkt->data;
+ item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize);
+ datap = inpkt->data;
+ if (item_sz > sizeof(cp)) {
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
bad = 0;
while (items-- > 0 && !bad) {
+ memset(&cp,0,sizeof(cp));
+ memcpy(&cp, datap, item_sz);
memset((char *)&peeraddr, 0, sizeof(peeraddr));
- if (client_v6_capable && cp->v6_flag != 0) {
- GET_INADDR6(peeraddr) = cp->peeraddr6;
+ if (client_v6_capable && cp.v6_flag != 0) {
+ GET_INADDR6(peeraddr) = cp.peeraddr6;
peeraddr.ss_family = AF_INET6;
} else {
- GET_INADDR(peeraddr) = cp->peeraddr;
+ GET_INADDR(peeraddr) = cp.peeraddr;
peeraddr.ss_family = AF_INET;
}
NSRCPORT(&peeraddr) = htons(NTP_PORT);
@@ -2084,8 +2012,7 @@ reset_peer(
peer = findexistingpeer(&peeraddr, (struct peer *)0, -1);
if (peer == (struct peer *)0)
bad++;
- cp = (struct conf_unpeer *)((char *)cp +
- INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap += item_sz;
}
if (bad) {
@@ -2097,15 +2024,16 @@ reset_peer(
* Now do it in earnest.
*/
- items = INFO_NITEMS(inpkt->err_nitems);
- cp = (struct conf_unpeer *)inpkt->data;
+ datap = inpkt->data;
while (items-- > 0) {
+ memset(&cp,0,sizeof(cp));
+ memcpy(&cp, datap, item_sz);
memset((char *)&peeraddr, 0, sizeof(peeraddr));
- if (client_v6_capable && cp->v6_flag != 0) {
- GET_INADDR6(peeraddr) = cp->peeraddr6;
+ if (client_v6_capable && cp.v6_flag != 0) {
+ GET_INADDR6(peeraddr) = cp.peeraddr6;
peeraddr.ss_family = AF_INET6;
} else {
- GET_INADDR(peeraddr) = cp->peeraddr;
+ GET_INADDR(peeraddr) = cp.peeraddr;
peeraddr.ss_family = AF_INET;
}
#ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR
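Review bot: The `items = INFO_NITEMS(inpkt->err_nitems);` line before the "do it in earnest" loop in reset_peer is removed and not replaced, while the preceding existence-check loop runs `items` (an int) down to -1 whenever every peer is found. The second `while (items-- > 0)` therefore never executes, and reset_peer acknowledges INFO_OKAY without resetting anything; restore `items = INFO_NITEMS(inpkt->err_nitems);` immediately before `datap = inpkt->data;`. reset_peer's body continues outside the hunk.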
@@ -2116,8 +2044,7 @@ reset_peer(
peer_reset(peer);
peer = findexistingpeer(&peeraddr, (struct peer *)peer, -1);
}
- cp = (struct conf_unpeer *)((char *)cp +
- INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ datap += item_sz;
}
req_ack(srcadr, inter, inpkt, INFO_OKAY);
@@ -2836,7 +2763,7 @@ fill_info_if_stats(void *data, interface
memcpy((char *)&ifs->unmask.addr, (char *)&CAST_V4(interface->mask)->sin_addr, sizeof(struct in_addr));
}
ifs->v6_flag = htonl(ifs->v6_flag);
- strcpy(ifs->name, interface->name);
+ strlcpy(ifs->name, interface->name, sizeof(ifs->name));
ifs->family = htons(interface->family);
ifs->flags = htonl(interface->flags);
ifs->last_ttl = htonl(interface->last_ttl);
Index: src/etc/ntp.conf
diff -u src/etc/ntp.conf:1.9 src/etc/ntp.conf:1.9.36.1
--- src/etc/ntp.conf:1.9 Sat Feb 10 19:36:56 2007
+++ src/etc/ntp.conf Mon Jan 6 19:24:42 2014
@@ -1,4 +1,4 @@
-# $NetBSD: ntp.conf,v 1.9 2007/02/10 19:36:56 reed Exp $
+# $NetBSD: ntp.conf,v 1.9.36.1 2014/01/06 19:24:42 bouyer Exp $
#
# NetBSD default Network Time Protocol (NTP) configuration file for ntpd
@@ -23,61 +23,96 @@ driftfile /var/db/ntp.drift
logconfig -syncstatus
-# This will help minimize disruptions due to network congestion. Don't
+# Refuse to set the local clock if there are too few good peers or servers.
+# This may help minimize disruptions due to network congestion. Don't
# do this if you configure only one server!
tos minsane 2
+# Access control restrictions.
+# See /usr/share/doc/html/ntp/accopt.html for syntax.
+# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
+# Last match wins.
+#
+# Some of the more common keywords are:
+# ignore Deny packets of all kinds.
+# kod Send "kiss-o'-death" packets if clients exceed rate
+# limits.
+# nomodify Deny attempts to modify the state of the server via
+# ntpq or ntpdc queries.
+# noquery Deny all ntpq and ntpdc queries. Does not affect time
+# synchronisation.
+# nopeer Prevent establishing an new peer association.
+# Does not affect preconfigured peer associations.
+# Does not affect client/server time synchronisation.
+# noserve Deny all time synchronisation. Does not affect ntpq or
+# ntpdc queries.
+# notrap Deny the trap subset of the ntpdc control message protocol.
+# notrust Deny packets that are not cryptographically authenticated.
+#
+# By default, either deny everything, or allow client/server time exchange
+# but deny configuration changes, queries, and peer associations that were not
+# explicitly configured.
+# (Uncomment one of the following "restrict default" lines.)
+#
+#restrict default ignore
+restrict default kod nopeer noquery
+
+# Fewer restrictions for the local subnet.
+# (Uncomment and adjust as appropriate.)
+#
+#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
+#restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer
+
+# No restrictions for localhost.
+#
+restrict 127.0.0.1
+restrict ::1
+
# Hereafter should be "server" or "peer" statements to configure other
-# hosts to exchange NTP packets with. Peers should be selected in such
-# a way that the network path to them is symmetric (that is, the series
-# of links and routers used to get to the peer is the same one that the
-# peer uses to get back. NTP assumes such symmetry in its network delay
-# calculation. NTP will apply an incorrect adjustment to timestamps
-# received from the peer if the path is not symmetric. This can result
-# in clock skew (your system clock being maintained consistently wrong
-# by a certain amount).
-#
-# The best way to select symmetric peers is to make sure that the
-# network path to them is as short as possible (this reduces the chance
-# that there is more than one network path between you and your peer).
-# You can measure these distances with the traceroute(8) program. The
-# best place to start looking for NTP peers for your system is within
-# your own network, or at your Internet Service Provider (ISP).
+# hosts to exchange NTP packets with.
+#
+# See <http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork>
+# and <http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers>
+# for advice.
+#
+# Peers should be selected in such a way that the network path to them
+# is short, uncongested, and symmetric (that is, the series of links
+# and routers used to get to the peer is the same one that the peer
+# uses to get back). The best place to start looking for NTP peers for
+# your system is within your own network, or at your Internet Service
+# Provider (ISP).
#
# Ideally, you should select at least three other systems to talk NTP
# with, for an "what I tell you three times is true" effect.
#
+# A "restrict" line for each configured peer or server might be necessary,
+# if the "restrict default" settings are very restrictive. As a courtesy
+# to configured peers and servers, consider allowing them to query.
#peer an.ntp.peer.goes.here
#server an.ntp.server.goes.here
+#restrict an.ntp.server.goes.here nomodify notrap
-# Public servers from the pool.ntp.org project. Volunteer's servers
-# are dynamically assigned to the CNAMES below via DNS round-robin.
+# The pool.ntp.org project coordinates public time servers provided by
+# volunteers. See <http://www.pool.ntp.org>. The *.netbsd.pool.ntp.org
+# servers are intended to be used by default on NetBSD hosts, but
+# servers that are closer to you are likely to be better. Consider
+# using servers specific to your country, a nearby country, or your
+# continent.
+#
# The pool.ntp.org project needs more volunteers! The only criteria to
# join are a nailed-up connection and a static IP address. For details,
# see the web page:
#
-# http://www.pool.ntp.org/
+# http://www.pool.ntp.org/join.html
#
-# The country codes can help you find servers that are net-wise close.
-# As explained above, closer is better...
-
-# Northern U.S.A
-#server ca.pool.ntp.org
-#server us.pool.ntp.org
-#server us.pool.ntp.org
-
-# Northern Europe
-#server de.pool.ntp.org
-#server de.pool.ntp.org
-#server dk.pool.ntp.org
-
-# Depending on the vagaries of DNS can occasionally pull in the same
-# server twice. The following CNAMES are guaranteed to be disjoint, at
-# least over some short interval.
-
-server 0.pool.ntp.org
-server 1.pool.ntp.org
-server 2.pool.ntp.org
+server 0.netbsd.pool.ntp.org
+restrict 0.netbsd.pool.ntp.org nomodify notrap
+server 1.netbsd.pool.ntp.org
+restrict 1.netbsd.pool.ntp.org nomodify notrap
+server 2.netbsd.pool.ntp.org
+restrict 2.netbsd.pool.ntp.org nomodify notrap
+server 3.netbsd.pool.ntp.org
+restrict 3.netbsd.pool.ntp.org nomodify notrap
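Review bot: `restrict default kod nopeer noquery` lists `kod` without `limited`; in the ntpd versions I know, the kiss-o'-death reply is only generated on the rate-limit (`limited`/`discard`) path, so `kod` on its own has no effect, which is worth confirming against the ntpd built here before shipping this as the default. If rate limiting is intended, `restrict default kod limited nopeer noquery` is the usual form; otherwise the keyword comment block should not suggest that `kod` by itself does anything. The keyword description also has a typo, `Prevent establishing an new peer association.` should read `a new peer association`.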