List:       ntp-bugs
Subject:    [ntp:bugs] [Bug 1683] New: Interface binding does not seem to work
From:       bugzilla () ntp ! org
Date:       2010-10-27 14:29:09
Message-ID: bug-1683-35 () http ! bugs ! ntp ! org/

https://bugs.ntp.org/show_bug.cgi?id=1683

           Summary: Interface binding does not seem to work as intended
           Product: ntp
           Version: 4.2.7
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ntpd
        AssignedTo: stenn@ntp.org
        ReportedBy: bugs.ntp.org@6a9b561e.biz.jgreco.net
                CC: bugs@ntp.org
   Estimated Hours: 0.0


I've discussed this a few times with Harlan.  We've got an environment where we
want services such as NTP to use specific IP addresses so that we can properly
firewall the servers upon which the service runs, without having to later
putter around if the supporting host's connectivity changes.  In other words,
we're looking for what products like BIND are already capable of.  We used to
just hack up NTP to bind to a single address; such patches took us through the
'90's with no problems.

Recently, the "interface" keyword has been implemented which seems to be
intended to implement functionality to support sites like ours.  Harlan asked
me to try it out.  It didn't work.  I didn't have time at the time to explore
more fully.  I've now set up a minimal configuration on a test box.  To
simplify things, complications such as OSPF have been eliminated.  The box
sports a single active Ethernet interface, 206.55.70.66, and additionally has
another IP address that is routed at that interface, 206.55.70.200.  The
default FreeBSD ntp.conf is used, except modified as follows:

interface ignore all
interface ignore wildcard
#interface listen 206.55.70.66
interface listen 206.55.70.200

Our desired mode of operation is for NTP to bind to a single routable IP
address and perform all network operations from that IP address.  In
particular, it should not be emitting traffic on any other interface for any
reason, nor should it be listening to any other traffic.

ntpd works correctly when the "interface listen" for .70.66 is uncommented and
.70.200 is commented out.  This seems reasonable; that's a minimally stressful
case that's somewhat parallel to how NTP would operate anyways.

ntpd does not work correctly for 206.55.70.200.

The first test was to bind 206.55.70.200 to lo1 and, of course, verify
connectivity.

ntptestbox# ifconfig lo1 inet 206.55.70.200 netmask 0xffffffff
anotherhost% traceroute -n 206.55.70.200
traceroute to 206.55.70.200 (206.55.70.200), 64 hops max, 40 byte packets
 1  206.55.70.97  0.545 ms  0.219 ms  0.411 ms
 2  206.55.70.200  0.541 ms  0.518 ms  0.427 ms
ntptestbox# traceroute -ns 206.55.70.200 206.55.64.37
traceroute to 206.55.64.37 (206.55.64.37) from 206.55.70.200, 64 hops max, 40
byte packets
 1  206.55.70.65  0.391 ms  0.269 ms  0.577 ms
 2  206.55.64.37  2.323 ms  3.282 ms  2.178 ms
ntptestbox# /usr/local/bin/ntpd -d -d -d -d
[long winded conf debug]
create_sockets(123)
interface_action: interface wildcard nic wildcard ignore
interface_action: interface wildcard nic wildcard ignore
update_interfaces(123)
interface_action: interface em0 nic all ignore
interface_action: interface lo0 default loopback listen
examining interface #0: fd=-1, bfd=-1, name=lo0, flags=0x15, scope=3,
sin=fe80::1, Enabled:
Searching for addr fe80::1 in list of addresses - NOT FOUND
create_interface(fe80::1#123)
addto_syslog: ntp_io: estimated max descriptors: 3520, initial socket boundary:
20
setsockopt SO_TIMESTAMP enabled on fd 20 address fe80::1
bind(20) AF_INET6, addr fe80::1%3#123, flags 0x15
flags for fd 20: 0x6
addto_syslog: Listen normally on 0 lo0 fe80::1 UDP 123
restrict: op 1 addr fe80::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags
00003000 flags 00000001
Searching for addr fe80::1 in list of addresses - NOT FOUND
Added addr fe80::1 to list of addresses
created interface #0: fd=20, bfd=-1, name=lo0, flags=0x15, scope=3,
sin=fe80::1, Enabled:
updating interface #0: fd=20, bfd=-1, name=lo0, flags=0x15, scope=3,
sin=fe80::1, Enabled: new - created
interface_action: interface lo0 default loopback listen
examining interface #0: fd=-1, bfd=-1, name=lo0, flags=0x15, scope=0, sin=::1,
Enabled:
Searching for addr ::1 in list of addresses - NOT FOUND
create_interface(::1#123)
setsockopt SO_TIMESTAMP enabled on fd 21 address ::1
bind(21) AF_INET6, addr ::1%0#123, flags 0x15
flags for fd 21: 0x6
addto_syslog: Listen normally on 1 lo0 ::1 UDP 123
restrict: op 1 addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags
00003000 flags 00000001
Searching for addr ::1 in list of addresses - NOT FOUND
Added addr ::1 to list of addresses
created interface #1: fd=21, bfd=-1, name=lo0, flags=0x15, scope=0, sin=::1,
Enabled:
updating interface #1: fd=21, bfd=-1, name=lo0, flags=0x15, scope=0, sin=::1,
Enabled: new - created
interface_action: interface lo0 IPv4 loopback - listen
examining interface #0: fd=-1, bfd=-1, name=lo0, flags=0x15, scope=0,
sin=127.0.0.1, mask=255.0.0.0, Enabled:
Searching for addr 127.0.0.1 in list of addresses - NOT FOUND
create_interface(127.0.0.1#123)
setsockopt SO_TIMESTAMP enabled on fd 22 address 127.0.0.1
bind(22) AF_INET, addr 127.0.0.1%0#123, flags 0x15
flags for fd 22: 0x6
addto_syslog: Listen normally on 2 lo0 127.0.0.1 UDP 123
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00003000 flags
00000001
Searching for addr 127.0.0.1 in list of addresses - NOT FOUND
Added addr 127.0.0.1 to list of addresses
created interface #2: fd=22, bfd=-1, name=lo0, flags=0x15, scope=0,
sin=127.0.0.1, mask=255.0.0.0, Enabled:
updating interface #2: fd=22, bfd=-1, name=lo0, flags=0x15, scope=0,
sin=127.0.0.1, mask=255.0.0.0, Enabled: new - created
interface_action: interface lo1 IPv4 loopback - listen
examining interface #0: fd=-1, bfd=-1, name=lo1, flags=0x15, scope=0,
sin=206.55.70.200, mask=255.255.255.255, Enabled:
Searching for addr 206.55.70.200 in list of addresses - NOT FOUND
create_interface(206.55.70.200#123)
setsockopt SO_TIMESTAMP enabled on fd 23 address 206.55.70.200
bind(23) AF_INET, addr 206.55.70.200%0#123, flags 0x15
flags for fd 23: 0x6
addto_syslog: Listen normally on 3 lo1 206.55.70.200 UDP 123
restrict: op 1 addr 206.55.70.200 mask 255.255.255.255 mflags 00003000 flags
00000001
Searching for addr 206.55.70.200 in list of addresses - NOT FOUND
Added addr 206.55.70.200 to list of addresses
created interface #3: fd=23, bfd=-1, name=lo1, flags=0x15, scope=0,
sin=206.55.70.200, mask=255.255.255.255, Enabled:
updating interface #3: fd=23, bfd=-1, name=lo1, flags=0x15, scope=0,
sin=206.55.70.200, mask=255.255.255.255, Enabled: new - created
setting SO_REUSEADDR on lo0@fe80::1 to off
setting SO_REUSEADDR on lo0@::1 to off
setting SO_REUSEADDR on lo0@127.0.0.1 to off
setting SO_REUSEADDR on lo1@206.55.70.200 to off
create_sockets: Total interfaces = 4
addto_syslog: Listening on routing socket on fd #24 for interface updates
io_open_sockets: maxactivefd 24
event at 0 0.0.0.0 c016 06 restart
loop_config: item 2 freq 1000000000.000000
event at 0 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
local_clock: mu 0 state 1 poll 3 count 0
event at 0 0.0.0.0 c011 01 freq_not_set
peer_name_resolved(0.freebsd.pool.ntp.org) rescode 0
Finding interface for addr 208.53.158.34 in list of addresses
findlocalinterface: kernel maps 208.53.158.34 to 206.55.70.66
Searching for addr 206.55.70.66 in list of addresses - NOT FOUND
Searching for addr with same subnet as 206.55.70.66 in list of addresses - NOT
FOUND
Found no interface for address 208.53.158.34 - returning wildcard
newpeer(208.53.158.34): local interface currently not bound
key_expire: at 0 associd 48353
peer_clear: at 0 next 0 associd 48353 refid INIT
event at 0 208.53.158.34 8011 81 mobilize assoc 48353
newpeer: <null>->208.53.158.34 mode 3 vers 4 poll 6 9 flags 0x101 0x1 ttl 0 key
00000000
peer_name_resolved(1.freebsd.pool.ntp.org) rescode 0
Finding interface for addr 207.171.7.152 in list of addresses
findlocalinterface: kernel maps 207.171.7.152 to 206.55.70.66
Searching for addr 206.55.70.66 in list of addresses - NOT FOUND
Searching for addr with same subnet as 206.55.70.66 in list of addresses - NOT
FOUND
Found no interface for address 207.171.7.152 - returning wildcard
newpeer(207.171.7.152): local interface currently not bound
key_expire: at 0 associd 48354
[...]
^Z
ntptestbox# netstat -an|grep 123
udp4       0      0 206.55.70.200.123      *.*
udp4       0      0 127.0.0.1.123          *.*
udp6       0      0 ::1.123                *.*
udp6       0      0 fe80:4::1.123          *.*
udp4       0      0 127.0.0.1.54694        127.0.0.1.123
ntptestbox# ntpdc
ntpdc> dmpeers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
qnan.org        0.0.0.0         16   64    0 0.00000  0.000000 3.99217
bindcat.fhsu.ed 0.0.0.0         16   64    0 0.00000  0.000000 3.99217
64.73.32.135    0.0.0.0         16   64    0 0.00000  0.000000 3.99217

It looks really like it kind of wants to work, but somehow isn't associating
the peers with the specified address.  ntpd doesn't transmit anything, and sits
there doing

poll_update: at 67 64.73.32.135 poll 6 burst 0 retry 1 head 0 early 2 next 65
poll_update: at 69 72.14.178.210 poll 6 burst 0 retry 1 head 0 early 2 next 64
poll_update: at 69 209.114.111.1 poll 6 burst 0 retry 1 head 0 early 2 next 67
poll_update: at 132 64.73.32.135 poll 6 burst 0 retry 0 head 0 early 2 next 64
poll_update: at 133 72.14.178.210 poll 6 burst 0 retry 0 head 0 early 2 next 66
poll_update: at 136 209.114.111.1 poll 6 burst 0 retry 0 head 0 early 2 next 64

I suspect it's the

Found no interface for address 64.73.32.135 - returning wildcard

that's a problem; the dprintf is misleading because under the sheets it's
calling ANY_INTERFACE_CHOOSE which resolves to any_interface, but any_interface
appears to be null.

(gdb) print any_interface
$1 = (struct interface *) 0x0

Looking at create_wildcards, I think I see the logic there, but it's maybe not
right for our case.  But on the other hand, it's not clear to me that a
wildcard entry on the any_interface list is mandatory for operation.

I've also tried using other interface types (for example Intel E1000) for the
secondary address; that did not work either, which suggests that there are
problems lurking even for someone who wants to do something simple, such as
binding NTP to a single address on a system with more than one ethernet.

I have a box available with an appropriate network environment for anyone who
needs it to see/debug/etc. the problem, and/or am happy to try out patches,
etc.

--
Configure bugmail: https://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
bugs mailing list
bugs@lists.ntp.org
http://lists.ntp.org/listinfo/bugs
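The operator's stated goal above is that ntpd binds to exactly one routable address and associates every peer with it. The following is an added verification script, not part of the bug report or of the NTP project's code; it turns the two checks the reporter did by hand (`netstat -an | grep 123` and `ntpdc` `dmpeers`) into something that can be run as a post-deployment test. It assumes the FreeBSD `netstat` and `ntpdc` output formats shown in the report; the sample lines and the allowlist are constructed for the example.

```python
import re

# Constructed sample: FreeBSD "netstat -an | grep 123" in the shape shown in the
# bug report (ntpd sockets on lo0/lo1 plus one unrelated client socket).
NETSTAT_SAMPLE = """\
udp4       0      0 206.55.70.200.123      *.*
udp4       0      0 127.0.0.1.123          *.*
udp6       0      0 ::1.123                *.*
udp6       0      0 fe80:4::1.123          *.*
udp4       0      0 127.0.0.1.54694        127.0.0.1.123
"""

# Constructed sample: "ntpdc -> dmpeers" rows. A local address of 0.0.0.0 means
# ntpd never associated the peer with a bound interface (the symptom reported).
DMPEERS_SAMPLE = """\
     remote           local      st poll reach  delay   offset    disp
=======================================================================
qnan.org        0.0.0.0         16   64    0 0.00000  0.000000 3.99217
bindcat.fhsu.ed 0.0.0.0         16   64    0 0.00000  0.000000 3.99217
64.73.32.135    206.55.70.200    2   64  377 0.01200  0.000500 0.10000
"""

NTP_PORT = "123"


def split_addr_port(endpoint):
    """Split a BSD netstat endpoint ('host.port') on its last dot.
    IPv6 addresses contain colons but no dots, so rpartition on '.' works
    for both families; the wildcard '*.*' yields ('*', '*')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def ntp_listeners(netstat_text):
    """Local addresses holding a UDP socket bound to port 123 with no
    connected remote, i.e. ntpd's listening sockets."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue
        local, remote = fields[3], fields[4]
        host, port = split_addr_port(local)
        if port == NTP_PORT and remote == "*.*":
            listeners.add(host)
    return listeners


def unexpected_listeners(netstat_text, allowed):
    """Addresses ntpd is bound to that the operator did not allowlist."""
    return sorted(ntp_listeners(netstat_text) - set(allowed))


def unbound_peers(dmpeers_text):
    """Peers whose local address is still the wildcard (0.0.0.0 or ::), which
    is exactly the state in which ntpd sends nothing in the report."""
    unbound = []
    for line in dmpeers_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "remote":
            continue  # skip the header and the ===== separator
        remote, local = fields[0], fields[1]
        if local in ("0.0.0.0", "::"):
            unbound.append(remote)
    return unbound


if __name__ == "__main__":
    # Hypothetical allowlist: the single routable address plus loopback, which
    # ntpd keeps listening on regardless of "interface ignore all".
    allowed = {"206.55.70.200", "127.0.0.1", "::1"}
    print("unexpected listeners:", unexpected_listeners(NETSTAT_SAMPLE, allowed))
    print("peers on wildcard local address:", unbound_peers(DMPEERS_SAMPLE))
```

On the reporter's box the second check would list every configured peer, since `dmpeers` shows `0.0.0.0` as the local address for all of them; a host where the binding works as intended yields an empty list, and any entry in the first list is an address the firewall rules were not written for.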