From e4a72ca09ef2b2c892be1411a4456516c8705173 Mon Sep 17 00:00:00 2001 From: phessler <> Date: Fri, 23 Oct 2015 14:52:20 +0000 Subject: [PATCH] Allowing upstream servers of ntp being in multiple routing tables is non-sensical. The dns lookups happened in the process routing table (usually '0'), which is very likely to have different results from the other routing domains. If you do depend on having this behaviour, you'll need to use pf to cross the rtable boundary. "listen on * rtable X" is still supported. Users of "server * rtable X" will need to switch to launching ntpd with "route -T X exec /usr/sbin/ntpd" OK deraadt@ --- src/usr.sbin/ntpd/client.c | 15 +++------------ src/usr.sbin/ntpd/control.c | 5 ++--- src/usr.sbin/ntpd/ntp.c | 13 +++++-------- src/usr.sbin/ntpd/ntpd.conf.5 | 20 ++++---------------- src/usr.sbin/ntpd/ntpd.h | 4 +--- src/usr.sbin/ntpd/parse.y | 12 +++--------- 6 files changed, 18 insertions(+), 51 deletions(-) diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c index 93e69ead..9980bbd5 100644 --- a/src/usr.sbin/ntpd/client.c +++ b/src/usr.sbin/ntpd/client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: client.c,v 1.102 2015/07/18 00:53:44 bcook Exp $ */ +/* $OpenBSD: client.c,v 1.103 2015/10/23 14:52:20 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -142,10 +142,6 @@ client_query(struct ntp_peer *p) 0)) == -1) fatal("client_query socket"); - if (p->rtable != -1 && - setsockopt(p->query->fd, SOL_SOCKET, SO_RTABLE, - &p->rtable, sizeof(p->rtable)) == -1) - fatal("client_query setsockopt SO_RTABLE"); if (connect(p->query->fd, sa, SA_LEN(sa)) == -1) { if (errno == ECONNREFUSED || errno == ENETUNREACH || errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) { 
@@ -248,11 +244,6 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime) return (0); } - if (p->rtable != -1 && - setsockopt(p->query->fd, SOL_SOCKET, SO_RTABLE, &p->rtable, - sizeof(p->rtable)) == -1) - fatal("client_dispatch setsockopt SO_RTABLE"); - for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL; cmsg = CMSG_NXTHDR(&somsg, cmsg)) { if (cmsg->cmsg_level == SOL_SOCKET && @@ -393,10 +384,10 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime) } log_debug("reply from %s: offset %f delay %f, " - "next query %llds %s", + "next query %llds", log_sockaddr((struct sockaddr *)&p->addr->ss), p->reply[p->shift].offset, p->reply[p->shift].delay, - (long long)interval, print_rtable(p->rtable)); + (long long)interval); client_update(p); if (settime) diff --git a/src/usr.sbin/ntpd/control.c b/src/usr.sbin/ntpd/control.c index 2dd76d16..08740ba9 100644 --- a/src/usr.sbin/ntpd/control.c +++ b/src/usr.sbin/ntpd/control.c @@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.6 2015/07/18 00:53:44 bcook Exp $ */ +/* $OpenBSD: control.c,v 1.7 2015/10/23 14:52:20 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -333,8 +333,7 @@ build_show_peer(struct ctl_show_peer *cp, struct ntp_peer *p) addr_head_name = p->addr_head.name; snprintf(cp->peer_desc, sizeof(cp->peer_desc), - "%s %s%s %s", a, pool, addr_head_name, - print_rtable(p->rtable) ); + "%s %s%s", a, pool, addr_head_name); validdelaycnt = best = 0; cp->offset = cp->delay = 0.0; diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c index da6fc354..b8dbafe3 100644 --- a/src/usr.sbin/ntpd/ntp.c +++ b/src/usr.sbin/ntpd/ntp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ntp.c,v 1.137 2015/10/12 06:50:08 reyk Exp $ */ +/* $OpenBSD: ntp.c,v 1.138 2015/10/23 14:52:20 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer 
@@ -271,9 +271,8 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf, if (p->deadline > 0 && p->deadline <= getmonotime()) { timeout = 300; log_debug("no reply from %s received in time, " - "next query %ds %s", log_sockaddr( - (struct sockaddr *)&p->addr->ss), timeout, - print_rtable(p->rtable)); + "next query %ds", log_sockaddr( + (struct sockaddr *)&p->addr->ss), timeout); if (p->trustlevel >= TRUSTLEVEL_BADPEER && (p->trustlevel /= 2) < TRUSTLEVEL_BADPEER) log_info("peer %s now invalid", @@ -545,7 +544,6 @@ ntp_dispatch_imsg_dns(void) npeer->addr_head.name = peer->addr_head.name; npeer->addr_head.pool = 1; - npeer->rtable = peer->rtable; client_peer_init(npeer); npeer->state = STATE_DNS_DONE; peer_add(npeer); @@ -832,9 +830,8 @@ report_peers(int always) (struct sockaddr *)&p->addr->ss); if (p->addr_head.pool) pool = "from pool "; - log_warnx("bad peer %s%s (%s) %s", - pool, p->addr_head.name, a, - print_rtable(p->rtable)); + log_warnx("bad peer %s%s (%s)", + pool, p->addr_head.name, a); } } } diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5 index 70f547f4..ef693df8 100644 --- a/src/usr.sbin/ntpd/ntpd.conf.5 +++ b/src/usr.sbin/ntpd/ntpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ntpd.conf.5,v 1.32 2015/08/28 02:59:29 deraadt Exp $ +.\" $OpenBSD: ntpd.conf.5,v 1.33 2015/10/23 14:52:20 phessler Exp $ .\" .\" Copyright (c) 2003, 2004 Henning Brauer .\" @@ -14,7 +14,7 @@ .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 28 2015 $ +.Dd $Mdocdate: October 23 2015 $ .Dt NTPD.CONF 5 .Os .Sh NAME 
@@ -130,17 +130,12 @@ A stratum value other than the default of 1 can be assigned using the stratum keyword. .It Xo Ic server Ar address .Op Ic weight Ar weight-value -.Op Ic rtable Ar table-id .Xc Specify the IP address or the hostname of an NTP server to synchronize to. If it appears multiple times, .Xr ntpd 8 will try to synchronize to all of the servers specified. -The -.Cm rtable -option specifies which routing table should be used for connection attempts. -Hostname resolution will still happen using the default routing table. If a hostname resolves to multiple IPv4 and/or IPv6 addresses, .Xr ntpd 8 uses the first address. @@ -151,7 +146,7 @@ is found. For example: .Bd -literal -offset indent server 10.0.0.2 weight 5 -server ntp.example.org weight 1 rtable 4 +server ntp.example.org weight 1 .Ed .Pp To provide redundancy, it is good practice to configure multiple servers. @@ -159,7 +154,6 @@ In general, best accuracy is obtained by using servers that have a low network latency. .It Xo Ic servers Ar address .Op Ic weight Ar weight-value -.Op Ic rtable Ar table-id .Xc As with .Cm server , @@ -173,7 +167,7 @@ will try to synchronize to all of them. For example: .Bd -literal -offset indent servers pool.ntp.org -servers pool.ntp.org rtable 5 +servers pool.ntp.org weight 5 .Ed .El .Sh CONSTRAINTS @@ -231,9 +225,3 @@ The .Nm file format first appeared in .Ox 3.6 . -.Sh CAVEATS -When using different -.Cm rtable -options, -.Xr ntpd 8 -must be started in rtable 0. diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h index 9d008183..007fb347 100644 --- a/src/usr.sbin/ntpd/ntpd.h +++ b/src/usr.sbin/ntpd/ntpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ntpd.h,v 1.122 2015/10/12 06:50:08 reyk Exp $ */ +/* $OpenBSD: ntpd.h,v 1.123 2015/10/23 14:52:20 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -104,7 +104,6 @@ struct listen_addr { struct ntp_addr { struct ntp_addr *next; struct sockaddr_storage ss; - int rtable; }; struct ntp_addr_wrap { 
@@ -159,7 +158,6 @@ struct ntp_peer { u_int8_t weight; int lasterror; int senderrors; - int rtable; }; struct ntp_sensor { diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y index 52852f77..4b15df98 100644 --- a/src/usr.sbin/ntpd/parse.y +++ b/src/usr.sbin/ntpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.63 2015/07/18 00:53:44 bcook Exp $ */ +/* $OpenBSD: parse.y,v 1.64 2015/10/23 14:52:20 phessler Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -106,8 +106,6 @@ main : LISTEN ON address listen_opts { struct listen_addr *la; struct ntp_addr *h, *next; - if ($3->a) - $3->a->rtable = $4.rtable; if ((h = $3->a) == NULL && (host_dns($3->name, &h) == -1 || !h)) { yyerror("could not resolve \"%s\"", $3->name); @@ -155,7 +153,6 @@ main : LISTEN ON address listen_opts { p = new_peer(); p->weight = $3.weight; - p->rtable = $3.rtable; p->addr = h; p->addr_head.a = h; p->addr_head.pool = 1; @@ -164,7 +161,7 @@ main : LISTEN ON address listen_opts { fatal(NULL); if (p->addr != NULL) p->state = STATE_DNS_DONE; - if (!(p->rtable > 0 && p->addr)) + if (!(p->addr)) TAILQ_INSERT_TAIL(&conf->ntp_peers, p, entry); h = next; @@ -195,7 +192,6 @@ main : LISTEN ON address listen_opts { } p->weight = $3.weight; - p->rtable = $3.rtable; p->addr_head.a = p->addr; p->addr_head.pool = 0; p->addr_head.name = strdup($2->name); @@ -203,7 +199,7 @@ main : LISTEN ON address listen_opts { fatal(NULL); if (p->addr != NULL) p->state = STATE_DNS_DONE; - if (!(p->rtable > 0 && p->addr)) + if (!(p->addr)) TAILQ_INSERT_TAIL(&conf->ntp_peers, p, entry); free($2->name); free($2); @@ -355,7 +351,6 @@ server_opts_l : server_opts_l server_opt | server_opt ; server_opt : weight - | rtable ; sensor_opts : { opts_default(); } @@ -428,7 +423,6 @@ opts_default(void) { memset(&opts, 0, sizeof opts); opts.weight = 1; - opts.rtable = -1; opts.stratum = 1; }
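Review bot: The new condition `if (!(p->addr))` in the `servers` rule action (hunk `@@ -164,7 +161,7`) inverts the intended logic: a peer whose address is already resolved at parse time — an IP literal, which the preceding line marks STATE_DNS_DONE — is now never appended to conf->ntp_peers, so it is silently dropped and leaked. The old test `!(p->rtable > 0 && p->addr)` was true for every peer left at the default rtable (opts_default set it to -1, per the last hunk), so with the rtable term removed the insertion should become unconditional: `TAILQ_INSERT_TAIL(&conf->ntp_peers, p, entry);` with no surrounding `if`. Hunk `@@ -203,7 +199,7` in the `server` rule has the identical inversion and needs the same fix. I would expect an ntpd.conf that names its servers by address to start with no upstream peers at all, surfacing only as a silent failure to synchronize, so this deserves a test with a literal-address server before merging. Both rule actions begin before and end after their hunks.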