From nobody@www.freebsd.org  Sat Jun 15 05:50:42 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id B4AE037B412
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 15 Jun 2002 05:50:41 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5FCofhG058442
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 15 Jun 2002 05:50:41 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5FCofU9058441;
	Sat, 15 Jun 2002 05:50:41 -0700 (PDT)
Message-Id: <200206151250.g5FCofU9058441@www.freebsd.org>
Date: Sat, 15 Jun 2002 05:50:41 -0700 (PDT)
From: Noel Köthe <fbsd@koethe.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bind ntpd to only one IP
X-Send-Pr-Version: www-1.0

>Number:         39327
>Category:       i386
>Synopsis:       bind ntpd to only one IP
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          wish
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 15 06:00:04 PDT 2002
>Closed-Date:    Sat Jun 15 12:07:28 PDT 2002
>Last-Modified:  Tue Mar 20 11:32:01 UTC 2012
>Originator:     Noel Köthe
>Release:        4.6-RC
>Organization:
>Environment:
FreeBSD yuki.hostsharing.net 4.6-RC FreeBSD 4.6-RC #7: Fri Jun 14 10:46:22 CEST 2002     root@yuki.hostsharing.net:/usr/obj/usr/src/sys/YUKI  i386
>Description:
      It's not possible to bind the NTP daemon to only one IP address.

>How-To-Repeat:
      
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dougb 
State-Changed-When: Sat Jun 15 12:06:31 PDT 2002 
State-Changed-Why:  

Yes, you've described how ntpd works. If you have a problem 
with this behavior, I suggest you mail 
freebsd-questions@freebsd.org and describe what you need 
help with. 

Good luck. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39327 

From: nonexistent@babolo.ru
To: fbsd@koethe.net (Noel Köthe)
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: i386/39327: bind ntpd to only one IP
Date: Sun, 16 Jun 2002 00:42:53 +0400 (MSD)

 Noel Köthe writes:
 > >Number:         39327
 > >Category:       i386
 > >Synopsis:       bind ntpd to only one IP
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Quarter:        
 > >Keywords:       
 > >Date-Required:
 > >Class:          wish
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Sat Jun 15 06:00:04 PDT 2002
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Noel Köthe
 > >Release:        4.6-RC
 > >Organization:
 > >Environment:
 > FreeBSD yuki.hostsharing.net 4.6-RC FreeBSD 4.6-RC #7: Fri Jun 14 10:46:22 CEST 2002     root@yuki.hostsharing.net:/usr/obj/usr/src/sys/YUKI  i386
 > >Description:
 >       It's not possible to bind the NTP daemon to only one IP address.
 > 
 > >How-To-Repeat:
 >       
 > >Fix:
 http://free.babolo.ru/patch/src.usr.sbin.ntp.patch
 
 Test it please
 
 -- 
 @BABOLO      http://links.ru/

From: Dmitry Morozovsky <marck@rinet.ru>
To: =?KOI8-r?Q?Noel_K=F6the?= <fbsd@koethe.net>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: i386/39327: bind ntpd to only one IP
Date: Sun, 16 Jun 2002 14:01:07 +0400 (MSD)

 On Sat, 15 Jun 2002, Noel Köthe wrote:
 
 NK> >Description:
 NK>       It's not possible to bind the NTP daemon to only one IP address.
 
 Here is a possible patch, which we use on our jail systems (I know ntpd is
 contributed code, so the patch should be discussed with both the FreeBSD
 maintainers and the ntpd author).
 
 It is a quick'n'dirty solution: only a command-line -h option is available to
 restrict the bind list. A more appropriate fix would also contain a config-file
 directive.
 
 Sincerely,
 D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 Index: contrib/ntp/ntpd/cmd_args.c
 ===================================================================
 RCS file: /ncvs/src/contrib/ntp/ntpd/cmd_args.c,v
 retrieving revision 1.1.1.1.2.1
 diff -u -r1.1.1.1.2.1 cmd_args.c
 --- contrib/ntp/ntpd/cmd_args.c	21 Dec 2001 17:39:12 -0000	1.1.1.1.2.1
 +++ contrib/ntp/ntpd/cmd_args.c	11 May 2002 17:09:07 -0000
 @@ -14,8 +14,9 @@
   */
  extern char const *progname;
  int	listen_to_virtual_ips = 0;
 +u_long	bindonlyaddress = 0;
 
 -static const char *ntp_options = "aAbc:dD:f:gk:l:LmnN:p:P:qr:s:t:v:V:x";
 +static const char *ntp_options = "aAbc:dD:f:gh:k:l:LmnN:p:P:qr:s:t:v:V:x";
 
  #ifdef HAVE_NETINFO
  extern int	check_netinfo;
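Review bot: the new `-h` option takes an argument, but nothing in this patch updates ntpd's usage text or the ntpd.8 manpage, so `-h` stays undocumented; add both alongside the `h:` in `ntp_options`. Also declare `bindonlyaddress` as `u_int32` rather than `u_long`: `s_addr` is 32 bits wide (the ntp_io.c hunk below casts it as `(u_int32)0`), while `u_long` is 64 bits on FreeBSD/alpha.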
 @@ -76,6 +77,17 @@
  		    ++errflg;
  		    break;
  #endif
 +		case 'h':
 +		do {
 +			struct in_addr addr;
 +
 +			if (inet_aton(ntp_optarg, &addr) <= 0)
 +				msyslog(LOG_ERR,
 +					"bad ip address: %s", ntp_optarg);
 +			else
 +				bindonlyaddress = addr.s_addr;
 +		} while (0);
 +			break;
  		case 'L':
  		    listen_to_virtual_ips = 1;
  		    break;
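Review bot: on a malformed `-h` argument the new `case 'h'` only logs and leaves `bindonlyaddress` at 0, so ntpd starts anyway and binds every address, the opposite of what the operator asked for; add `++errflg;` after the `msyslog()` so startup fails the way the other option errors in this switch do. The same zero value results from `-h 0.0.0.0`, which therefore silently means "no restriction"; reject it explicitly. `inet_aton()` returns 1 on success and 0 on failure, so `== 0` reads better than `<= 0`, and the `do { } while (0)` body is indented one level shallower than the neighbouring cases.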
 @@ -214,6 +226,9 @@
  			allow_panic = TRUE;
  			break;
 
 +		    case 'h':	/* already done at pre-scan */
 +			break;
 +
  		    case 'k':
  			getauthkeys(ntp_optarg);
  			break;
 @@ -263,7 +278,7 @@
  				}
  			} while (0);
  			break;
 -
 +
  		    case 's':
  			stats_config(STATS_STATSDIR, ntp_optarg);
  			break;
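Review bot: this hunk only swaps one blank line for another (trailing whitespace) and changes nothing; drop it to keep the diff against contrib/ntp minimal.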
 Index: contrib/ntp/ntpd/ntp_io.c
 ===================================================================
 RCS file: /ncvs/src/contrib/ntp/ntpd/ntp_io.c,v
 retrieving revision 1.1.1.3.2.1
 diff -u -r1.1.1.3.2.1 ntp_io.c
 --- contrib/ntp/ntpd/ntp_io.c	21 Dec 2001 17:39:13 -0000	1.1.1.3.2.1
 +++ contrib/ntp/ntpd/ntp_io.c	11 May 2002 17:06:56 -0000
 @@ -131,6 +131,8 @@
  fd_set activefds;
  int maxactivefd;
 
 +extern	u_long	bindonlyaddress;
 +
  static	int create_sockets	P((u_int));
  static	int open_socket		P((struct sockaddr_in *, int, int));
  static	void	close_socket	P((int));
 @@ -229,14 +231,22 @@
  	 */
  	inter_list[0].sin.sin_family = AF_INET;
  	inter_list[0].sin.sin_port = port;
 -	inter_list[0].sin.sin_addr.s_addr = htonl(INADDR_ANY);
 -	(void) strncpy(inter_list[0].name, "wildcard",
 -		       sizeof(inter_list[0].name));
 -	inter_list[0].mask.sin_addr.s_addr = htonl(~ (u_int32)0);
 +	if (!bindonlyaddress) {
 +		inter_list[0].sin.sin_addr.s_addr = htonl(INADDR_ANY);
 +		(void) strncpy(inter_list[0].name, "wildcard",
 +			       sizeof(inter_list[0].name));
 +		inter_list[0].mask.sin_addr.s_addr = htonl(~ (u_int32)0);
 +		inter_list[0].flags = INT_BROADCAST;
 +	} else {
 +		inter_list[0].sin.sin_addr.s_addr = inet_addr("127.0.0.1");
 +		(void) strncpy(inter_list[0].name, "loopback",
 +			       sizeof(inter_list[0].name));
 +		inter_list[0].mask.sin_addr.s_addr = inet_addr("255.0.0.0");
 +		inter_list[0].flags = INT_LOOPBACK;
 +	}
  	inter_list[0].received = 0;
  	inter_list[0].sent = 0;
  	inter_list[0].notsent = 0;
 -	inter_list[0].flags = INT_BROADCAST;
  	any_interface = &inter_list[0];
 
  #if _BSDI_VERSION >= 199510
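Review bot: with `-h` given, slot 0 becomes a 127.0.0.1/8 `INT_LOOPBACK` entry instead of the wildcard, yet the unchanged `any_interface = &inter_list[0];` still points at it, so any send that falls back to `any_interface` is now sourced from the loopback address and never leaves the host. Either document that every peer must be reachable from the `-h` address, or make the `-h` interface the fallback instead. When the operator passes `-h 127.0.0.1`, this slot and the lo0 entry from the interface scan describe the same address and the duplicate check later in the scan has to catch it; that case deserves a test. Minor: `htonl(INADDR_LOOPBACK)` would match the `htonl(INADDR_ANY)` style of the wildcard branch better than `inet_addr("127.0.0.1")`.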
 @@ -508,6 +518,13 @@
    			      sizeof(inter_list[i].name));
  # endif
  		inter_list[i].sin = *(struct sockaddr_in *)&ifr->ifr_addr;
 +		if (bindonlyaddress &&
 +		    inter_list[i].sin.sin_addr.s_addr != bindonlyaddress) {
 +			if (debug)
 +			    printf("ignoring %s - not in bindlist\n",
 +				   ifr->ifr_name);
 +			continue;
 +		}
  		inter_list[i].sin.sin_family = AF_INET;
  		inter_list[i].sin.sin_port = port;
 
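Review bot: the filter is an exact match on one address, but nothing after the scan verifies that anything matched; with a typo'd or unconfigured `-h` address ntpd is left with only the loopback slot and silently serves nobody. Count the accepted interfaces and `msyslog(LOG_ERR, ...)` then exit when `bindonlyaddress` is set and the count is zero. Move the check above the `inter_list[i].sin = ...` copy so a rejected address is never partially written into the slot, and the debug text "not in bindlist" promises more than is implemented (one address, not a list).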
 

From: marius@alchemy.franken.de
To: freebsd-gnats-submit@FreeBSD.org
Cc: fbsd@koethe.net, marck@rinet.ru, nonexistent@babolo.ru, dougb@FreeBSD.org
Subject: Re: i386/39327: bind ntpd to only one IP
Date: Fri, 27 Sep 2002 22:42:18 +0200

 Hi,
 
 the patch at http://free.babolo.ru/patch/src.usr.sbin.ntp.patch doesn't
 work: it makes ntpd bind only to the address specified with "-h", but
 then ntpd just sits there and apparently does nothing.
 The patch Dmitry submitted as a followup does work; however, I think
 adding a "-h" flag is the wrong approach. Ntpd already binds only to the
 first IP address of an interface if there are aliases on BSD/OS:
 ntp_io.c around line 306:
                 /*
                  * look for an already existing source interface address.  If   
                  * the machine has multiple point to point interfaces, then
                  * the local address may appear more than once.
                  *
                  * A second problem exists if we have two addresses on 
                  * the same network (via "ifconfig alias ...").  Don't
                  * make two xntp interfaces for the two aliases on the
                  * one physical interface. -wsr
                  */
                 for (j=0; j < i; j++)
                     if (inter_list[j].sin.sin_addr.s_addr &
                         inter_list[j].mask.sin_addr.s_addr ==
                         inter_list[i].sin.sin_addr.s_addr &
                         inter_list[i].mask.sin_addr.s_addr)
                     {
                             if (inter_list[j].flags & INT_LOOPBACK)
                                 inter_list[j] = inter_list[i];
                             break;
                     }
 
 NetBSD once fixed this for xntpd:
 http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/xntp/xntpd/Attic/ntp_io.c?rev=1.10&content-type=text/x-cvsweb-markup
 and now uses (and has fixed) the BSD/OS code:
 http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/dist/ntp/ntpd/ntp_io.c?rev=1.6&content-type=text/x-cvsweb-markup
 
 Unfortunately their code doesn't work on FreeBSD for detecting aliases,
 because FreeBSD does not use the same netmask for aliases as for the
 non-alias IP address (as BSD/OS, NetBSD, OpenBSD, ... do) but 0xffffffff.
 Therefore I think something like the attached should be committed. This
 isn't exactly what a "-h" would offer, but it fixes ntpd for usage on a jail
 host (which IMHO is the main concern here).
 
 
 Attachment: ntp_io.c.diff
 
 --- ntp_io.c.orig	Fri Sep 27 16:29:34 2002
 +++ ntp_io.c	Fri Sep 27 22:09:46 2002
 @@ -579,10 +579,32 @@
  		 * look for an already existing source interface address.  If
  		 * the machine has multiple point to point interfaces, then
  		 * the local address may appear more than once.
 +		 *
 +		 * A second problem exists if we have two addresses on
 +		 * the same network (via "ifconfig alias ...").  Don't
 +		 * make two xntp interfaces for the two aliases on the
 +		 * one physical interface. -wsr
  		 */
  		for (j=0; j < i; j++)
 -		    if (inter_list[j].sin.sin_addr.s_addr ==
 -			inter_list[i].sin.sin_addr.s_addr) {
 +		    if (((inter_list[j].sin.sin_addr.s_addr &
 +			inter_list[j].mask.sin_addr.s_addr) ==
 +			(inter_list[i].sin.sin_addr.s_addr &
 +			inter_list[i].mask.sin_addr.s_addr))
 +#ifdef __FreeBSD__
 +			/*
 +			 * FreeBSD uses a mask of 0xffffffff for aliases,
 +			 * therefore we check if the address is in the same
 +			 * subnet as an already existing source interface
 +			 * address.
 +			 */
 +			|| ((inter_list[j].sin.sin_addr.s_addr &
 +			inter_list[j].mask.sin_addr.s_addr) ==
 +			(inter_list[i].sin.sin_addr.s_addr &
 +			inter_list[j].mask.sin_addr.s_addr))
 +#endif
 +			) {
 +			    if (inter_list[j].flags & INT_LOOPBACK)
 +				inter_list[j] = inter_list[i];
  			    break;
  		    }
  		if (j == i)
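Review bot: the `#ifdef __FreeBSD__` test masks `inter_list[i]` with `inter_list[j]`'s mask only, so it folds i into j just when j has the wider mask; if a /32 alias is scanned before its /24 parent, the parent lands in the list as a second entry on the same subnet. Add the symmetric test with `inter_list[i].mask.sin_addr.s_addr` on both sides, or compare under the narrower of the two masks. The added parentheses around the `&` terms are necessary rather than cosmetic: `==` binds tighter than `&` in C, so the BSD/OS form quoted earlier in this mail evaluates as `a & (b == c) & d`; say so in the comment, since the next person to diff against BSD/OS will wonder why the expressions differ.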
 

From: Dmitry Morozovsky <marck@rinet.ru>
To: marius@alchemy.franken.de
Cc: fbsd@koethe.net, <nonexistent@babolo.ru>, <dougb@FreeBSD.org>,
	<freebsd-gnats-submit@FreeBSD.org>
Subject: Re: i386/39327: bind ntpd to only one IP
Date: Thu, 7 Nov 2002 20:55:47 +0300 (MSK)

 Actually, your patch works if and only if the alias addresses are in the same
 subnet as the main address, which is not always true.
 
 For example, our typical jail scheme is as follows:
 
 ifconfig_xx0="A.B.C.D ..."
 
 xx0_alias0="A.B.X.0 netmask 0xffffffff"
 xx0_alias1="A.B.X.1 netmask 0xffffffff"
 xx0_alias2="A.B.X.2 netmask 0xffffffff"
 ...
 
 where A.B.X.0/28 is aliased via 16 /32s onto A.B.C.D, which is on the colocation
 segment.
 
 Moreover, I can easily imagine a scheme where there would be more than one
 subnet attached to the same physical interface, which renders your approach
 even less usable.
 
 I think we need a somewhat more generic solution...
 
 Sincerely,
 D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 
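The two rules argued over in this thread, Dmitry's exact-address `-h` filter and marius' subnet-collapse test, modelled in C as an added example (not code from the PR, from ntpd, or from either patch), run over constructed interface lists: the same-subnet layout marius' patch handles, the /32-aliases-from-another-block layout Dmitry describes, and the `-h` filter with an address that is and is not configured. The struct and function names (`ifent`, `select_interfaces`, `same_source_if`), the interface names and the documentation-range addresses are the example's own; addresses are kept in host byte order, unlike ntpd's `s_addr`, which does not change how the masks behave.

```c
/*
 * Added example, not code from the PR or from ntpd: a model of the two
 * interface-selection rules discussed in PR i386/39327, run over
 * constructed interface lists.  Names, addresses and the host-order
 * representation are assumptions of this example.
 */
#include <stdio.h>
#include <stdint.h>

#define MAX_IF 16

struct ifent {
    const char *name;
    uint32_t addr;      /* host byte order */
    uint32_t mask;      /* host byte order */
};

/* Build a host-order IPv4 address from its dotted-quad components. */
static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

/*
 * The collapse rule from marius' ntp_io.c.diff: candidate i is dropped
 * when an already-accepted j shares its network.  The first test uses
 * each side's own mask; the second (the #ifdef __FreeBSD__ branch in the
 * patch) masks i with j's mask, which is what folds a /32 alias into its
 * /24 parent.  freebsd_rule toggles that second test.
 */
static int same_source_if(const struct ifent *j, const struct ifent *i,
                          int freebsd_rule)
{
    if ((j->addr & j->mask) == (i->addr & i->mask))
        return 1;
    if (freebsd_rule && (j->addr & j->mask) == (i->addr & j->mask))
        return 1;
    return 0;
}

/*
 * Simulate the scan: apply the single-address filter when bindonly != 0
 * (Dmitry's -h patch skips every other address), then the collapse rule.
 * Returns how many interfaces would be bound and fills out[].
 */
static int select_interfaces(const struct ifent *in, int n, uint32_t bindonly,
                             int freebsd_rule, struct ifent *out, int outmax)
{
    int i, j, cnt = 0;

    for (i = 0; i < n && cnt < outmax; i++) {
        if (bindonly != 0 && in[i].addr != bindonly)
            continue;                   /* "ignoring ... not in bindlist" */
        for (j = 0; j < cnt; j++)
            if (same_source_if(&out[j], &in[i], freebsd_rule))
                break;
        if (j == cnt)
            out[cnt++] = in[i];
    }
    return cnt;
}

/* Constructed scenario 1: a /24 primary with /32 aliases in the same subnet. */
static int scenario_same_subnet(int freebsd_rule)
{
    struct ifent ifs[] = {
        { "fxp0",        ip4(10, 1, 1, 10), 0xffffff00u },
        { "fxp0 alias0", ip4(10, 1, 1, 11), 0xffffffffu },
        { "fxp0 alias1", ip4(10, 1, 1, 12), 0xffffffffu },
    };
    struct ifent out[MAX_IF];
    return select_interfaces(ifs, 3, 0, freebsd_rule, out, MAX_IF);
}

/* Constructed scenario 2: Dmitry's jail scheme, /32 aliases from another block. */
static int scenario_other_subnet(int freebsd_rule)
{
    struct ifent ifs[] = {
        { "xx0",        ip4(192, 0, 2, 10),   0xffffff00u },
        { "xx0 alias0", ip4(198, 51, 100, 0), 0xffffffffu },
        { "xx0 alias1", ip4(198, 51, 100, 1), 0xffffffffu },
        { "xx0 alias2", ip4(198, 51, 100, 2), 0xffffffffu },
    };
    struct ifent out[MAX_IF];
    return select_interfaces(ifs, 4, 0, freebsd_rule, out, MAX_IF);
}

/* Constructed scenario 3: the -h filter with a configured / unconfigured address. */
static int scenario_bindonly(uint32_t bindonly)
{
    struct ifent ifs[] = {
        { "xx0",        ip4(192, 0, 2, 10),   0xffffff00u },
        { "xx0 alias0", ip4(198, 51, 100, 0), 0xffffffffu },
    };
    struct ifent out[MAX_IF];
    return select_interfaces(ifs, 2, bindonly, 0, out, MAX_IF);
}

int main(void)
{
    printf("same subnet, FreeBSD rule:       %d bound\n", scenario_same_subnet(1));
    printf("same subnet, plain rule:         %d bound\n", scenario_same_subnet(0));
    printf("other subnet, FreeBSD rule:      %d bound\n", scenario_other_subnet(1));
    printf("-h 198.51.100.0:                 %d bound\n",
           scenario_bindonly(ip4(198, 51, 100, 0)));
    printf("-h 203.0.113.9 (not configured): %d bound\n",
           scenario_bindonly(ip4(203, 0, 113, 9)));
    return 0;
}
```

The first scenario collapses to one bound address only with the FreeBSD-specific test; the second stays at four with or without it, which is Dmitry's objection in numbers. The last line is the failure mode neither patch in the thread guards against: an `-h` address that is not configured leaves zero interfaces, so a real implementation should treat that count as a fatal error rather than start with nothing to listen on.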

From: marius@alchemy.franken.de
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: fbsd@koethe.net, nonexistent@babolo.ru, dougb@FreeBSD.org,
	freebsd-gnats-submit@FreeBSD.org, roberto@keltia.freenix.fr
Subject: Re: i386/39327: bind ntpd to only one IP
Date: Thu, 7 Nov 2002 20:34:37 +0100

 On Thu, Nov 07, 2002 at 08:55:47PM +0300, Dmitry Morozovsky wrote:
 > Actually, your patch works if and only if the alias addresses are in the same
 > subnet as the main address, which is not always true.
 > 
 > For example, our typical jail scheme is as follows:
 > 
 > ifconfig_xx0="A.B.C.D ..."
 > 
 > xx0_alias0="A.B.X.0 netmask 0xffffffff"
 > xx0_alias1="A.B.X.1 netmask 0xffffffff"
 > xx0_alias2="A.B.X.2 netmask 0xffffffff"
 > ...
 > 
 > where A.B.X.0/28 is aliased via 16 /32s onto A.B.C.D, which is on the colocation
 > segment.
 > 
 > Moreover, I can easily imagine a scheme where there would be more than one
 > subnet attached to the same physical interface, which renders your approach
 > even less usable.
 > 
 > I think we need a somewhat more generic solution...
 > 
 
 [Added Ollivier Robert to CC: as he seems to maintain ntp on FreeBSD.]
 
 Well, my primary concern was consistent behaviour with what ntpd does
 on BSD/OS, NetBSD and OpenBSD, and that code will also fail (i.e. bind
 to one IP address per subnet) if there are multiple ("real") subnets
 configured on the same interface. I'm not sure what the right thing to
 do is, as ntpd behaves differently and has different options on different
 operating systems, e.g. the manpage lists "-L Listen to virtual IPs."
 (with the implicit default of binding to only one IP address), which
 only works on Windows if I remember the source correctly.
 Changing ntpd to behave the same way regarding alias addresses on
 FreeBSD as on the other BSDs and adding an option to bind only to
 a specified IP address really are orthogonal, but the former should
 already catch several (most?) of the cases the latter would be good for.
 
>Unformatted:
