2 * NTP client/server, based on OpenNTPD 3.9p1
4 * Author: Adam Tkac <vonsch@gmail.com>
6 * Licensed under GPLv2, see file LICENSE in this tarball for details.
8 * Parts of OpenNTPD clock syncronization code is replaced by
9 * code which is based on ntp-4.2.6, whuch carries the following
12 ***********************************************************************
14 * Copyright (c) University of Delaware 1992-2009 *
16 * Permission to use, copy, modify, and distribute this software and *
17 * its documentation for any purpose with or without fee is hereby *
18 * granted, provided that the above copyright notice appears in all *
19 * copies and that both the copyright notice and this permission *
20 * notice appear in supporting documentation, and that the name *
21 * University of Delaware not be used in advertising or publicity *
22 * pertaining to distribution of the software without specific, *
23 * written prior permission. The University of Delaware makes no *
24 * representations about the suitability this software for any *
25 * purpose. It is provided "as is" without express or implied *
28 ***********************************************************************
32 #include <netinet/ip.h> /* For IPTOS_LOWDELAY definition */
33 #include <sys/timex.h>
34 #ifndef IPTOS_LOWDELAY
35 # define IPTOS_LOWDELAY 0x10
38 # error "Sorry, your kernel has to support IP_PKTINFO"
42 /* Verbosity control (max level of -dddd options accepted).
43 * max 5 is very talkative (and bloated). 2 is non-bloated,
44 * production level setting.
49 #define RETRY_INTERVAL 5 /* on error, retry in N secs */
50 #define QUERYTIME_MAX 15 /* wait for reply up to N secs */
52 #define FREQ_TOLERANCE 0.000015 /* % frequency tolerance (15 PPM) */
53 #define MINPOLL 4 /* % minimum poll interval (6: 64 s) */
54 #define MAXPOLL 12 /* % maximum poll interval (12: 1.1h, 17: 36.4h) (was 17) */
55 #define MINDISP 0.01 /* % minimum dispersion (s) */
56 #define MAXDISP 16 /* maximum dispersion (s) */
57 #define MAXSTRAT 16 /* maximum stratum (infinity metric) */
58 #define MAXDIST 1 /* % distance threshold (s) */
59 #define MIN_SELECTED 1 /* % minimum intersection survivors */
60 #define MIN_CLUSTERED 3 /* % minimum cluster survivors */
62 #define MAXDRIFT 0.000500 /* frequency drift we can correct (500 PPM) */
64 /* Clock discipline parameters and constants */
65 #define STEP_THRESHOLD 0.128 /* step threshold (s) */
66 #define WATCH_THRESHOLD 150 /* stepout threshold (s). std ntpd uses 900 (11 mins (!)) */
67 /* NB: set WATCH_THRESHOLD to ~60 when debugging to save time) */
68 #define PANIC_THRESHOLD 1000 /* panic threshold (s) */
70 /* Poll-adjust threshold.
71 * When we see that offset is small enough compared to discipline jitter,
72 * we grow a counter: += MINPOLL. When it goes over POLLADJ_LIMIT,
73 * we poll_exp++. If offset isn't small, counter -= poll_exp*2,
74 * and when it goes below -POLLADJ_LIMIT, we poll_exp--
76 #define POLLADJ_LIMIT 30
77 /* If offset < POLLADJ_GATE * discipline_jitter, then we can increase
78 * poll interval (we think we can't improve timekeeping
79 * by staying at smaller poll).
81 #define POLLADJ_GATE 4
82 /* Compromise Allan intercept (s). doc uses 1500, std ntpd uses 512 */
86 /* FLL loop gain [why it depends on MAXPOLL??] */
87 #define FLL (MAXPOLL + 1)
88 /* Parameter averaging constant */
97 NTP_MSGSIZE_NOAUTH = 48,
98 NTP_MSGSIZE = (NTP_MSGSIZE_NOAUTH + 4 + NTP_DIGESTSIZE),
101 MODE_MASK = (7 << 0),
102 VERSION_MASK = (7 << 3),
106 /* Leap Second Codes (high order two bits of m_status) */
107 LI_NOWARNING = (0 << 6), /* no warning */
108 LI_PLUSSEC = (1 << 6), /* add a second (61 seconds) */
109 LI_MINUSSEC = (2 << 6), /* minus a second (59 seconds) */
110 LI_ALARM = (3 << 6), /* alarm condition */
113 MODE_RES0 = 0, /* reserved */
114 MODE_SYM_ACT = 1, /* symmetric active */
115 MODE_SYM_PAS = 2, /* symmetric passive */
116 MODE_CLIENT = 3, /* client */
117 MODE_SERVER = 4, /* server */
118 MODE_BROADCAST = 5, /* broadcast */
119 MODE_RES1 = 6, /* reserved for NTP control message */
120 MODE_RES2 = 7, /* reserved for private use */
123 //TODO: better base selection
124 #define OFFSET_1900_1970 2208988800UL /* 1970 - 1900 in seconds */
126 #define NUM_DATAPOINTS 8
139 uint8_t m_status; /* status of local clock and leap info */
141 uint8_t m_ppoll; /* poll value */
142 int8_t m_precision_exp;
143 s_fixedpt_t m_rootdelay;
144 s_fixedpt_t m_rootdisp;
146 l_fixedpt_t m_reftime;
147 l_fixedpt_t m_orgtime;
148 l_fixedpt_t m_rectime;
149 l_fixedpt_t m_xmttime;
151 uint8_t m_digest[NTP_DIGESTSIZE];
161 len_and_sockaddr *p_lsa;
163 /* when to send new query (if p_fd == -1)
164 * or when receive times out (if p_fd >= 0): */
165 time_t next_action_time;
168 uint32_t lastpkt_refid;
169 uint8_t lastpkt_leap;
170 uint8_t lastpkt_stratum;
171 uint8_t p_reachable_bits;
173 double lastpkt_recv_time;
174 double lastpkt_delay;
175 double lastpkt_rootdelay;
176 double lastpkt_rootdisp;
177 /* produced by filter algorithm: */
178 double filter_offset;
179 double filter_dispersion;
180 double filter_jitter;
181 datapoint_t filter_datapoint[NUM_DATAPOINTS];
182 /* last sent packet: */
192 /* Insert new options above this line. */
193 /* Non-compat options: */
195 OPT_l = (1 << 5) * ENABLE_FEATURE_NTPD_SERVER,
199 /* total round trip delay to currently selected reference clock */
201 /* reference timestamp: time when the system clock was last set or corrected */
203 /* total dispersion to currently selected reference clock */
206 #if ENABLE_FEATURE_NTPD_SERVER
211 /* refid: 32-bit code identifying the particular server or reference clock
212 * in stratum 0 packets this is a four-character ASCII string,
213 * called the kiss code, used for debugging and monitoring
214 * in stratum 1 packets this is a four-character ASCII string
215 * assigned to the reference clock by IANA. Example: "GPS "
216 * in stratum 2+ packets, it's IPv4 address or 4 first bytes of MD5 hash of IPv6
220 /* precision is defined as the larger of the resolution and time to
221 * read the clock, in log2 units. For instance, the precision of a
222 * mains-frequency clock incrementing at 60 Hz is 16 ms, even when the
223 * system clock hardware representation is to the nanosecond.
225 * Delays, jitters of various kinds are clamper down to precision.
227 * If precision_sec is too large, discipline_jitter gets clamped to it
228 * and if offset is much smaller than discipline_jitter, poll interval
229 * grows even though we really can benefit from staying at smaller one,
230 * collecting non-lagged datapoits and correcting the offset.
231 * (Lagged datapoits exist when poll_exp is large but we still have
232 * systematic offset error - the time distance between datapoints
233 * is significat and older datapoints have smaller offsets.
234 * This makes our offset estimation a bit smaller than reality)
235 * Due to this effect, setting G_precision_sec close to
236 * STEP_THRESHOLD isn't such a good idea - offsets may grow
237 * too big and we will step. I observed it with -6.
239 * OTOH, setting precision too small would result in futile attempts
240 * to syncronize to the unachievable precision.
242 * -6 is 1/64 sec, -7 is 1/128 sec and so on.
244 #define G_precision_exp -8
245 #define G_precision_sec (1.0 / (1 << (- G_precision_exp)))
247 /* Bool. After set to 1, never goes back to 0: */
249 // uint8_t time_was_stepped;
250 uint8_t adjtimex_was_done;
252 uint8_t discipline_state; // doc calls it c.state
253 uint8_t poll_exp; // s.poll
254 int polladj_count; // c.count
255 long kernel_freq_drift;
256 double last_update_offset; // c.last
257 double last_update_recv_time; // s.t
258 double discipline_jitter; // c.jitter
259 //TODO: add s.jitter - grep for it here and see clock_combine() in doc
260 #define USING_KERNEL_PLL_LOOP 1
261 #if !USING_KERNEL_PLL_LOOP
262 double discipline_freq_drift; // c.freq
263 //TODO: conditionally calculate wander? it's used only for logging
264 double discipline_wander; // c.wander
267 #define G (*ptr_to_globals)
269 static const int const_IPTOS_LOWDELAY = IPTOS_LOWDELAY;
272 #define VERB1 if (MAX_VERBOSE && G.verbose)
273 #define VERB2 if (MAX_VERBOSE >= 2 && G.verbose >= 2)
274 #define VERB3 if (MAX_VERBOSE >= 3 && G.verbose >= 3)
275 #define VERB4 if (MAX_VERBOSE >= 4 && G.verbose >= 4)
276 #define VERB5 if (MAX_VERBOSE >= 5 && G.verbose >= 5)
279 static double LOG2D(int a)
282 return 1.0 / (1UL << -a);
285 static ALWAYS_INLINE double SQUARE(double x)
289 static ALWAYS_INLINE double MAXD(double a, double b)
295 static ALWAYS_INLINE double MIND(double a, double b)
301 #define SQRT(x) (sqrt(x))
307 gettimeofday(&tv, NULL); /* never fails */
308 return (tv.tv_sec + 1.0e-6 * tv.tv_usec + OFFSET_1900_1970);
312 d_to_tv(double d, struct timeval *tv)
314 tv->tv_sec = (long)d;
315 tv->tv_usec = (d - tv->tv_sec) * 1000000;
319 lfp_to_d(l_fixedpt_t lfp)
322 lfp.int_partl = ntohl(lfp.int_partl);
323 lfp.fractionl = ntohl(lfp.fractionl);
324 ret = (double)lfp.int_partl + ((double)lfp.fractionl / UINT_MAX);
328 sfp_to_d(s_fixedpt_t sfp)
331 sfp.int_parts = ntohs(sfp.int_parts);
332 sfp.fractions = ntohs(sfp.fractions);
333 ret = (double)sfp.int_parts + ((double)sfp.fractions / USHRT_MAX);
336 #if ENABLE_FEATURE_NTPD_SERVER
341 lfp.int_partl = (uint32_t)d;
342 lfp.fractionl = (uint32_t)((d - lfp.int_partl) * UINT_MAX);
343 lfp.int_partl = htonl(lfp.int_partl);
344 lfp.fractionl = htonl(lfp.fractionl);
351 sfp.int_parts = (uint16_t)d;
352 sfp.fractions = (uint16_t)((d - sfp.int_parts) * USHRT_MAX);
353 sfp.int_parts = htons(sfp.int_parts);
354 sfp.fractions = htons(sfp.fractions);
360 dispersion(const datapoint_t *dp, double t)
362 return dp->d_dispersion + FREQ_TOLERANCE * (t - dp->d_recv_time);
366 root_distance(peer_t *p, double t)
368 /* The root synchronization distance is the maximum error due to
369 * all causes of the local clock relative to the primary server.
370 * It is defined as half the total delay plus total dispersion
373 return MAXD(MINDISP, p->lastpkt_rootdelay + p->lastpkt_delay) / 2
374 + p->lastpkt_rootdisp
375 + p->filter_dispersion
376 + FREQ_TOLERANCE * (t - p->lastpkt_recv_time)
381 set_next(peer_t *p, unsigned t)
383 p->next_action_time = time(NULL) + t;
387 * Peer clock filter and its helpers
390 filter_datapoints(peer_t *p, double t)
393 double minoff, maxoff, wavg, sum, w;
396 minoff = maxoff = p->filter_datapoint[0].d_offset;
397 for (i = 1; i < NUM_DATAPOINTS; i++) {
398 if (minoff > p->filter_datapoint[i].d_offset)
399 minoff = p->filter_datapoint[i].d_offset;
400 if (maxoff < p->filter_datapoint[i].d_offset)
401 maxoff = p->filter_datapoint[i].d_offset;
404 idx = p->datapoint_idx; /* most recent datapoint */
406 * Drop two outliers and take weighted average of the rest:
407 * most_recent/2 + older1/4 + older2/8 ... + older5/32 + older6/32
408 * we use older6/32, not older6/64 since sum of weights should be 1:
409 * 1/2 + 1/4 + 1/8 + 1/16 + 1/32 + 1/32 = 1
415 // filter_dispersion = \ -------------
420 for (i = 0; i < NUM_DATAPOINTS; i++) {
422 bb_error_msg("datapoint[%d]: off:%f disp:%f(%f) age:%f%s",
424 p->filter_datapoint[idx].d_offset,
425 p->filter_datapoint[idx].d_dispersion, dispersion(&p->filter_datapoint[idx], t),
426 t - p->filter_datapoint[idx].d_recv_time,
427 (minoff == p->filter_datapoint[idx].d_offset || maxoff == p->filter_datapoint[idx].d_offset)
428 ? " (outlier by offset)" : ""
432 sum += dispersion(&p->filter_datapoint[idx], t) / (2 << i);
434 if (minoff == p->filter_datapoint[idx].d_offset) {
435 minoff -= 1; /* so that we don't match it ever again */
437 if (maxoff == p->filter_datapoint[idx].d_offset) {
440 x = p->filter_datapoint[idx].d_offset * w;
445 idx = (idx - 1) & (NUM_DATAPOINTS - 1);
447 wavg += x; /* add another older6/64 to form older6/32 */
448 p->filter_offset = wavg;
449 p->filter_dispersion = sum;
450 //TODO: fix systematic underestimation with large poll intervals.
451 // Imagine that we still have a bit of uncorrected drift,
452 // and poll interval is big. Offsets form a progression:
453 // 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7, 0.7 is most recent.
454 // The algorithm above drops 0.0 and 0.7 as outliers,
455 // and then we have this estimation, ~25% off from 0.7:
456 // 0.1/32 + 0.2/32 + 0.3/16 + 0.4/8 + 0.5/4 + 0.6/2 = 0.503125
458 // +----- -----+ ^ 1/2
462 // filter_jitter = --- * | / (avg-offset_j) |
466 // where n is the number of valid datapoints in the filter (n > 1);
467 // if filter_jitter < precision then filter_jitter = precision
469 for (i = 0; i < NUM_DATAPOINTS; i++) {
470 sum += SQUARE(wavg - p->filter_datapoint[i].d_offset);
472 sum = SQRT(sum) / NUM_DATAPOINTS;
473 p->filter_jitter = sum > G_precision_sec ? sum : G_precision_sec;
475 VERB3 bb_error_msg("filter offset:%f disp:%f jitter:%f",
476 p->filter_offset, p->filter_dispersion, p->filter_jitter);
481 reset_peer_stats(peer_t *p, double t, double offset)
484 for (i = 0; i < NUM_DATAPOINTS; i++) {
485 if (offset < 16 * STEP_THRESHOLD) {
486 p->filter_datapoint[i].d_recv_time -= offset;
487 if (p->filter_datapoint[i].d_offset != 0) {
488 p->filter_datapoint[i].d_offset -= offset;
491 p->filter_datapoint[i].d_recv_time = t;
492 p->filter_datapoint[i].d_offset = 0;
493 p->filter_datapoint[i].d_dispersion = MAXDISP;
496 if (offset < 16 * STEP_THRESHOLD) {
497 p->lastpkt_recv_time -= offset;
499 p->p_reachable_bits = 0;
500 p->lastpkt_recv_time = t;
502 filter_datapoints(p, t); /* recalc p->filter_xxx */
503 p->next_action_time -= (time_t)offset;
504 VERB5 bb_error_msg("%s->lastpkt_recv_time=%f", p->p_dotted, p->lastpkt_recv_time);
512 p = xzalloc(sizeof(*p));
513 p->p_lsa = xhost2sockaddr(s, 123);
514 p->p_dotted = xmalloc_sockaddr2dotted_noport(&p->p_lsa->u.sa);
516 p->p_xmt_msg.m_status = MODE_CLIENT | (NTP_VERSION << 3);
517 p->next_action_time = time(NULL); /* = set_next(p, 0); */
518 reset_peer_stats(p, gettime1900d(), 16 * STEP_THRESHOLD);
519 /* Speed up initial sync: with small offsets from peers,
520 * 3 samples will sync
522 p->filter_datapoint[6].d_dispersion = 0;
523 p->filter_datapoint[7].d_dispersion = 0;
525 llist_add_to(&G.ntp_peers, p);
531 const struct sockaddr *from, const struct sockaddr *to, socklen_t addrlen,
532 msg_t *msg, ssize_t len)
538 ret = sendto(fd, msg, len, MSG_DONTWAIT, to, addrlen);
540 ret = send_to_from(fd, msg, len, MSG_DONTWAIT, to, from, addrlen);
543 bb_perror_msg("send failed");
550 send_query_to_peer(peer_t *p)
552 // Why do we need to bind()?
553 // See what happens when we don't bind:
555 // socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
556 // setsockopt(3, SOL_IP, IP_TOS, [16], 4) = 0
557 // gettimeofday({1259071266, 327885}, NULL) = 0
558 // sendto(3, "xxx", 48, MSG_DONTWAIT, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("10.34.32.125")}, 16) = 48
559 // ^^^ we sent it from some source port picked by kernel.
560 // time(NULL) = 1259071266
561 // write(2, "ntpd: entering poll 15 secs\n", 28) = 28
562 // poll([{fd=3, events=POLLIN}], 1, 15000) = 1 ([{fd=3, revents=POLLIN}])
563 // recv(3, "yyy", 68, MSG_DONTWAIT) = 48
564 // ^^^ this recv will receive packets to any local port!
566 // Uncomment this and use strace to see it in action:
567 #define PROBE_LOCAL_ADDR // { len_and_sockaddr lsa; lsa.len = LSA_SIZEOF_SA; getsockname(p->query.fd, &lsa.u.sa, &lsa.len); }
571 len_and_sockaddr *local_lsa;
573 family = p->p_lsa->u.sa.sa_family;
574 p->p_fd = fd = xsocket_type(&local_lsa, family, SOCK_DGRAM);
575 /* local_lsa has "null" address and port 0 now.
576 * bind() ensures we have a *particular port* selected by kernel
577 * and remembered in p->p_fd, thus later recv(p->p_fd)
578 * receives only packets sent to this port.
581 xbind(fd, &local_lsa->u.sa, local_lsa->len);
583 #if ENABLE_FEATURE_IPV6
584 if (family == AF_INET)
586 setsockopt(fd, IPPROTO_IP, IP_TOS, &const_IPTOS_LOWDELAY, sizeof(const_IPTOS_LOWDELAY));
591 * Send out a random 64-bit number as our transmit time. The NTP
592 * server will copy said number into the originate field on the
593 * response that it sends us. This is totally legal per the SNTP spec.
595 * The impact of this is two fold: we no longer send out the current
596 * system time for the world to see (which may aid an attacker), and
597 * it gives us a (not very secure) way of knowing that we're not
598 * getting spoofed by an attacker that can't capture our traffic
599 * but can spoof packets from the NTP server we're communicating with.
601 * Save the real transmit timestamp locally.
603 p->p_xmt_msg.m_xmttime.int_partl = random();
604 p->p_xmt_msg.m_xmttime.fractionl = random();
605 p->p_xmttime = gettime1900d();
607 if (do_sendto(p->p_fd, /*from:*/ NULL, /*to:*/ &p->p_lsa->u.sa, /*addrlen:*/ p->p_lsa->len,
608 &p->p_xmt_msg, NTP_MSGSIZE_NOAUTH) == -1
612 set_next(p, RETRY_INTERVAL);
616 p->p_reachable_bits <<= 1;
617 VERB1 bb_error_msg("sent query to %s", p->p_dotted);
618 set_next(p, QUERYTIME_MAX);
625 step_time(double offset)
632 gettimeofday(&tv, NULL); /* never fails */
633 dtime = offset + tv.tv_sec;
634 dtime += 1.0e-6 * tv.tv_usec;
637 if (settimeofday(&tv, NULL) == -1)
638 bb_perror_msg_and_die("settimeofday");
641 strftime(buf, sizeof(buf), "%a %b %e %H:%M:%S %Z %Y", localtime(&tval));
643 bb_error_msg("setting clock to %s (offset %fs)", buf, offset);
645 // G.time_was_stepped = 1;
650 * Selection and clustering, and their helpers
658 compare_point_edge(const void *aa, const void *bb)
660 const point_t *a = aa;
661 const point_t *b = bb;
662 if (a->edge < b->edge) {
665 return (a->edge > b->edge);
672 compare_survivor_metric(const void *aa, const void *bb)
674 const survivor_t *a = aa;
675 const survivor_t *b = bb;
676 if (a->metric < b->metric)
678 return (a->metric > b->metric);
681 fit(peer_t *p, double rd)
683 if (p->p_reachable_bits == 0) {
684 VERB3 bb_error_msg("peer %s unfit for selection: unreachable", p->p_dotted);
687 //TODO: we never accept such packets anyway, right?
688 if ((p->lastpkt_leap & LI_ALARM) == LI_ALARM
689 || p->lastpkt_stratum >= MAXSTRAT
691 VERB3 bb_error_msg("peer %s unfit for selection: bad status/stratum", p->p_dotted);
694 /* rd is root_distance(p, t) */
695 if (rd > MAXDIST + FREQ_TOLERANCE * (1 << G.poll_exp)) {
696 VERB3 bb_error_msg("peer %s unfit for selection: root distance too high", p->p_dotted);
700 // /* Do we have a loop? */
701 // if (p->refid == p->dstaddr || p->refid == s.refid)
706 select_and_cluster(double t)
710 int size = 3 * G.peer_cnt;
711 /* for selection algorithm */
713 unsigned num_points, num_candidates;
715 unsigned num_falsetickers;
716 /* for cluster algorithm */
717 survivor_t survivor[size];
718 unsigned num_survivors;
724 while (item != NULL) {
725 peer_t *p = (peer_t *) item->data;
726 double rd = root_distance(p, t);
727 double offset = p->filter_offset;
734 VERB4 bb_error_msg("interval: [%f %f %f] %s",
740 point[num_points].p = p;
741 point[num_points].type = -1;
742 point[num_points].edge = offset - rd;
744 point[num_points].p = p;
745 point[num_points].type = 0;
746 point[num_points].edge = offset;
748 point[num_points].p = p;
749 point[num_points].type = 1;
750 point[num_points].edge = offset + rd;
754 num_candidates = num_points / 3;
755 if (num_candidates == 0) {
756 VERB3 bb_error_msg("no valid datapoints, no peer selected");
757 return NULL; /* never happers? */
759 //TODO: sorting does not seem to be done in reference code
760 qsort(point, num_points, sizeof(point[0]), compare_point_edge);
762 /* Start with the assumption that there are no falsetickers.
763 * Attempt to find a nonempty intersection interval containing
764 * the midpoints of all truechimers.
765 * If a nonempty interval cannot be found, increase the number
766 * of assumed falsetickers by one and try again.
767 * If a nonempty interval is found and the number of falsetickers
768 * is less than the number of truechimers, a majority has been found
769 * and the midpoint of each truechimer represents
770 * the candidates available to the cluster algorithm.
772 num_falsetickers = 0;
775 unsigned num_midpoints = 0;
780 for (i = 0; i < num_points; i++) {
782 * if (point[i].type == -1) c++;
783 * if (point[i].type == 1) c--;
784 * and it's simpler to do it this way:
787 if (c >= num_candidates - num_falsetickers) {
788 /* If it was c++ and it got big enough... */
792 if (point[i].type == 0)
796 for (i = num_points-1; i >= 0; i--) {
798 if (c >= num_candidates - num_falsetickers) {
799 high = point[i].edge;
802 if (point[i].type == 0)
805 /* If the number of midpoints is greater than the number
806 * of allowed falsetickers, the intersection contains at
807 * least one truechimer with no midpoint - bad.
808 * Also, interval should be nonempty.
810 if (num_midpoints <= num_falsetickers && low < high)
813 if (num_falsetickers * 2 >= num_candidates) {
814 VERB3 bb_error_msg("too many falsetickers:%d (candidates:%d), no peer selected",
815 num_falsetickers, num_candidates);
819 VERB3 bb_error_msg("selected interval: [%f, %f]; candidates:%d falsetickers:%d",
820 low, high, num_candidates, num_falsetickers);
824 /* Construct a list of survivors (p, metric)
825 * from the chime list, where metric is dominated
826 * first by stratum and then by root distance.
827 * All other things being equal, this is the order of preference.
830 for (i = 0; i < num_points; i++) {
833 if (point[i].edge < low || point[i].edge > high)
836 survivor[num_survivors].p = p;
837 //TODO: save root_distance in point_t and reuse here?
838 survivor[num_survivors].metric = MAXDIST * p->lastpkt_stratum + root_distance(p, t);
839 VERB4 bb_error_msg("survivor[%d] metric:%f peer:%s",
840 num_survivors, survivor[num_survivors].metric, p->p_dotted);
843 /* There must be at least MIN_SELECTED survivors to satisfy the
844 * correctness assertions. Ordinarily, the Byzantine criteria
845 * require four survivors, but for the demonstration here, one
848 if (num_survivors < MIN_SELECTED) {
849 VERB3 bb_error_msg("num_survivors %d < %d, no peer selected",
850 num_survivors, MIN_SELECTED);
854 //looks like this is ONLY used by the fact that later we pick survivor[0].
855 //we can avoid sorting then, just find the minimum once!
856 qsort(survivor, num_survivors, sizeof(survivor[0]), compare_survivor_metric);
858 /* For each association p in turn, calculate the selection
859 * jitter p->sjitter as the square root of the sum of squares
860 * (p->offset - q->offset) over all q associations. The idea is
861 * to repeatedly discard the survivor with maximum selection
862 * jitter until a termination condition is met.
865 unsigned max_idx = max_idx;
866 double max_selection_jitter = max_selection_jitter;
867 double min_jitter = min_jitter;
869 if (num_survivors <= MIN_CLUSTERED) {
870 bb_error_msg("num_survivors %d <= %d, not discarding more",
871 num_survivors, MIN_CLUSTERED);
875 /* To make sure a few survivors are left
876 * for the clustering algorithm to chew on,
877 * we stop if the number of survivors
878 * is less than or equal to MIN_CLUSTERED (3).
880 for (i = 0; i < num_survivors; i++) {
881 double selection_jitter_sq;
882 peer_t *p = survivor[i].p;
884 if (i == 0 || p->filter_jitter < min_jitter)
885 min_jitter = p->filter_jitter;
887 selection_jitter_sq = 0;
888 for (j = 0; j < num_survivors; j++) {
889 peer_t *q = survivor[j].p;
890 //TODO: where is 1/(n-1) * ... multiplier?
891 selection_jitter_sq += SQUARE(p->filter_offset - q->filter_offset);
893 if (i == 0 || selection_jitter_sq > max_selection_jitter) {
894 max_selection_jitter = selection_jitter_sq;
897 VERB5 bb_error_msg("survivor %d selection_jitter^2:%f",
898 i, selection_jitter_sq);
900 max_selection_jitter = SQRT(max_selection_jitter);
901 VERB4 bb_error_msg("max_selection_jitter (at %d):%f min_jitter:%f",
902 max_idx, max_selection_jitter, min_jitter);
904 /* If the maximum selection jitter is less than the
905 * minimum peer jitter, then tossing out more survivors
906 * will not lower the minimum peer jitter, so we might
909 if (max_selection_jitter < min_jitter) {
910 VERB3 bb_error_msg("max_selection_jitter:%f < min_jitter:%f, num_survivors:%d, not discarding more",
911 max_selection_jitter, min_jitter, num_survivors);
915 /* Delete survivor[max_idx] from the list
916 * and go around again.
918 VERB5 bb_error_msg("dropping survivor %d", max_idx);
920 while (max_idx < num_survivors) {
921 survivor[max_idx] = survivor[max_idx + 1];
926 /* Pick the best clock. If the old system peer is on the list
927 * and at the same stratum as the first survivor on the list,
928 * then don't do a clock hop. Otherwise, select the first
929 * survivor on the list as the new system peer.
931 //TODO - see clock_combine()
932 VERB3 bb_error_msg("selected peer %s filter_offset:%f age:%f",
933 survivor[0].p->p_dotted,
934 survivor[0].p->filter_offset,
935 t - survivor[0].p->lastpkt_recv_time
937 return survivor[0].p;
942 * Local clock discipline and its helpers
945 set_new_values(int disc_state, double offset, double recv_time)
947 /* Enter new state and set state variables. Note we use the time
948 * of the last clock filter sample, which must be earlier than
951 VERB3 bb_error_msg("disc_state=%d last_update_offset=%f last_update_recv_time=%f",
952 disc_state, offset, recv_time);
953 G.discipline_state = disc_state;
954 G.last_update_offset = offset;
955 G.last_update_recv_time = recv_time;
957 /* Clock state definitions */
958 #define STATE_NSET 0 /* initial state, "nothing is set" */
959 #define STATE_FSET 1 /* frequency set from file */
960 #define STATE_SPIK 2 /* spike detected */
961 #define STATE_FREQ 3 /* initial frequency */
962 #define STATE_SYNC 4 /* clock synchronized (normal operation) */
963 /* Return: -1: decrease poll interval, 0: leave as is, 1: increase */
965 update_local_clock(peer_t *p, double t)
970 double offset = p->filter_offset;
971 double recv_time = p->lastpkt_recv_time;
974 double since_last_update;
977 abs_offset = fabs(offset);
979 /* If the offset is too large, give up and go home */
980 if (abs_offset > PANIC_THRESHOLD) {
981 bb_error_msg_and_die("offset %f far too big, exiting", offset);
984 /* If this is an old update, for instance as the result
985 * of a system peer change, avoid it. We never use
986 * an old sample or the same sample twice.
988 if (recv_time <= G.last_update_recv_time) {
989 VERB3 bb_error_msg("same or older datapoint: %f >= %f, not using it",
990 G.last_update_recv_time, recv_time);
991 return 0; /* "leave poll interval as is" */
994 /* Clock state machine transition function. This is where the
995 * action is and defines how the system reacts to large time
996 * and frequency errors.
998 since_last_update = recv_time - G.reftime;
1000 if (G.discipline_state == STATE_FREQ) {
1001 /* Ignore updates until the stepout threshold */
1002 if (since_last_update < WATCH_THRESHOLD) {
1003 VERB3 bb_error_msg("measuring drift, datapoint ignored, %f sec remains",
1004 WATCH_THRESHOLD - since_last_update);
1005 return 0; /* "leave poll interval as is" */
1007 freq_drift = (offset - G.last_update_offset) / since_last_update;
1010 /* There are two main regimes: when the
1011 * offset exceeds the step threshold and when it does not.
1013 if (abs_offset > STEP_THRESHOLD) {
1016 switch (G.discipline_state) {
1018 /* The first outlyer: ignore it, switch to SPIK state */
1019 VERB3 bb_error_msg("offset:%f - spike detected", offset);
1020 G.discipline_state = STATE_SPIK;
1021 return -1; /* "decrease poll interval" */
1024 /* Ignore succeeding outlyers until either an inlyer
1025 * is found or the stepout threshold is exceeded.
1027 if (since_last_update < WATCH_THRESHOLD) {
1028 VERB3 bb_error_msg("spike detected, datapoint ignored, %f sec remains",
1029 WATCH_THRESHOLD - since_last_update);
1030 return -1; /* "decrease poll interval" */
1032 /* fall through: we need to step */
1035 /* Step the time and clamp down the poll interval.
1037 * In NSET state an initial frequency correction is
1038 * not available, usually because the frequency file has
1039 * not yet been written. Since the time is outside the
1040 * capture range, the clock is stepped. The frequency
1041 * will be set directly following the stepout interval.
1043 * In FSET state the initial frequency has been set
1044 * from the frequency file. Since the time is outside
1045 * the capture range, the clock is stepped immediately,
1046 * rather than after the stepout interval. Guys get
1047 * nervous if it takes 17 minutes to set the clock for
1050 * In SPIK state the stepout threshold has expired and
1051 * the phase is still above the step threshold. Note
1052 * that a single spike greater than the step threshold
1053 * is always suppressed, even at the longer poll
1056 VERB3 bb_error_msg("stepping time by %f; poll_exp=MINPOLL", offset);
1058 if (option_mask32 & OPT_q) {
1059 /* We were only asked to set time once. Done. */
1063 G.polladj_count = 0;
1064 G.poll_exp = MINPOLL;
1065 G.stratum = MAXSTRAT;
1066 for (item = G.ntp_peers; item != NULL; item = item->link) {
1067 peer_t *pp = (peer_t *) item->data;
1068 reset_peer_stats(pp, t, offset);
1070 if (G.discipline_state == STATE_NSET) {
1071 set_new_values(STATE_FREQ, /*offset:*/ 0, recv_time);
1072 return 1; /* "ok to increase poll interval" */
1074 set_new_values(STATE_SYNC, /*offset:*/ 0, recv_time);
1076 } else { /* abs_offset <= STEP_THRESHOLD */
1078 if (G.poll_exp < MINPOLL) {
1079 VERB3 bb_error_msg("saw small offset %f, disabling burst mode", offset);
1080 G.poll_exp = MINPOLL;
1083 /* Compute the clock jitter as the RMS of exponentially
1084 * weighted offset differences. Used by the poll adjust code.
1086 etemp = SQUARE(G.discipline_jitter);
1087 dtemp = SQUARE(MAXD(fabs(offset - G.last_update_offset), G_precision_sec));
1088 G.discipline_jitter = SQRT(etemp + (dtemp - etemp) / AVG);
1089 VERB3 bb_error_msg("discipline jitter=%f", G.discipline_jitter);
1091 switch (G.discipline_state) {
1093 if (option_mask32 & OPT_q) {
1094 /* We were only asked to set time once.
1095 * The clock is precise enough, no need to step.
1099 /* This is the first update received and the frequency
1100 * has not been initialized. The first thing to do
1101 * is directly measure the oscillator frequency.
1103 set_new_values(STATE_FREQ, offset, recv_time);
1104 VERB3 bb_error_msg("transitioning to FREQ, datapoint ignored");
1105 return -1; /* "decrease poll interval" */
1107 #if 0 /* this is dead code for now */
1109 /* This is the first update and the frequency
1110 * has been initialized. Adjust the phase, but
1111 * don't adjust the frequency until the next update.
1113 set_new_values(STATE_SYNC, offset, recv_time);
1114 /* freq_drift remains 0 */
1119 /* since_last_update >= WATCH_THRESHOLD, we waited enough.
1120 * Correct the phase and frequency and switch to SYNC state.
1121 * freq_drift was already estimated (see code above)
1123 set_new_values(STATE_SYNC, offset, recv_time);
1127 /* Compute freq_drift due to PLL and FLL contributions.
1129 * The FLL and PLL frequency gain constants
1130 * depend on the poll interval and Allan
1131 * intercept. The FLL is not used below one-half
1132 * the Allan intercept. Above that the loop gain
1133 * increases in steps to 1 / AVG.
1135 if ((1 << G.poll_exp) > ALLAN / 2) {
1136 etemp = FLL - G.poll_exp;
1139 freq_drift += (offset - G.last_update_offset) / (MAXD(since_last_update, ALLAN) * etemp);
1141 /* For the PLL the integration interval
1142 * (numerator) is the minimum of the update
1143 * interval and poll interval. This allows
1144 * oversampling, but not undersampling.
1146 etemp = MIND(since_last_update, (1 << G.poll_exp));
1147 dtemp = (4 * PLL) << G.poll_exp;
1148 freq_drift += offset * etemp / SQUARE(dtemp);
1149 set_new_values(STATE_SYNC, offset, recv_time);
1152 G.stratum = p->lastpkt_stratum + 1;
1156 G.leap = p->lastpkt_leap;
1157 G.refid = p->lastpkt_refid;
1158 G.rootdelay = p->lastpkt_rootdelay + p->lastpkt_delay;
1159 dtemp = p->filter_jitter; // SQRT(SQUARE(p->filter_jitter) + SQUARE(s.jitter));
1160 dtemp += MAXD(p->filter_dispersion + FREQ_TOLERANCE * (t - p->lastpkt_recv_time) + abs_offset, MINDISP);
1161 G.rootdisp = p->lastpkt_rootdisp + dtemp;
1162 VERB3 bb_error_msg("updating leap/refid/reftime/rootdisp from peer %s", p->p_dotted);
1164 /* We are in STATE_SYNC now, but did not do adjtimex yet.
1165 * (Any other state does not reach this, they all return earlier)
1166 * By this time, freq_drift and G.last_update_offset are set
1167 * to values suitable for adjtimex.
1169 #if !USING_KERNEL_PLL_LOOP
1170 /* Calculate the new frequency drift and frequency stability (wander).
1171 * Compute the clock wander as the RMS of exponentially weighted
1172 * frequency differences. This is not used directly, but can,
1173 * along with the jitter, be a highly useful monitoring and
1176 dtemp = G.discipline_freq_drift + freq_drift;
1177 G.discipline_freq_drift = MAXD(MIND(MAXDRIFT, dtemp), -MAXDRIFT);
1178 etemp = SQUARE(G.discipline_wander);
1179 dtemp = SQUARE(dtemp);
1180 G.discipline_wander = SQRT(etemp + (dtemp - etemp) / AVG);
1182 VERB3 bb_error_msg("discipline freq_drift=%.9f(int:%ld corr:%e) wander=%f",
1183 G.discipline_freq_drift,
1184 (long)(G.discipline_freq_drift * 65536e6),
1186 G.discipline_wander);
1189 memset(&tmx, 0, sizeof(tmx));
1190 if (adjtimex(&tmx) < 0)
1191 bb_perror_msg_and_die("adjtimex");
1192 VERB3 bb_error_msg("p adjtimex freq:%ld offset:%ld constant:%ld status:0x%x",
1193 tmx.freq, tmx.offset, tmx.constant, tmx.status);
1197 if (!G.adjtimex_was_done) {
1198 G.adjtimex_was_done = 1;
1199 /* When we use adjtimex for the very first time,
1200 * we need to ADD to pre-existing tmx.offset - it may be !0
1202 memset(&tmx, 0, sizeof(tmx));
1203 if (adjtimex(&tmx) < 0)
1204 bb_perror_msg_and_die("adjtimex");
1205 old_tmx_offset = tmx.offset;
1207 memset(&tmx, 0, sizeof(tmx));
1209 //doesn't work, offset remains 0 (!) in kernel:
1210 //ntpd: set adjtimex freq:1786097 tmx.offset:77487
1211 //ntpd: prev adjtimex freq:1786097 tmx.offset:0
1212 //ntpd: cur adjtimex freq:1786097 tmx.offset:0
1213 tmx.modes = ADJ_FREQUENCY | ADJ_OFFSET;
1214 /* 65536 is one ppm */
1215 tmx.freq = G.discipline_freq_drift * 65536e6;
1216 tmx.offset = G.last_update_offset * 1000000; /* usec */
1218 tmx.modes = ADJ_OFFSET | ADJ_STATUS | ADJ_TIMECONST;// | ADJ_MAXERROR | ADJ_ESTERROR;
1219 tmx.offset = (G.last_update_offset * 1000000) /* usec */
1220 /* + (G.last_update_offset < 0 ? -0.5 : 0.5) - too small to bother */
1221 + old_tmx_offset; /* almost always 0 */
1222 tmx.status = STA_PLL;
1223 //if (sys_leap == LEAP_ADDSECOND)
1224 // tmx.status |= STA_INS;
1225 //else if (sys_leap == LEAP_DELSECOND)
1226 // tmx.status |= STA_DEL;
1227 tmx.constant = G.poll_exp - 4;
1228 //tmx.esterror = (u_int32)(clock_jitter * 1e6);
1229 //tmx.maxerror = (u_int32)((sys_rootdelay / 2 + sys_rootdisp) * 1e6);
1230 VERB3 bb_error_msg("b adjtimex freq:%ld offset:%ld constant:%ld status:0x%x",
1231 tmx.freq, tmx.offset, tmx.constant, tmx.status);
1232 rc = adjtimex(&tmx);
1234 bb_perror_msg_and_die("adjtimex");
1235 if (G.kernel_freq_drift != tmx.freq / 65536) {
1236 G.kernel_freq_drift = tmx.freq / 65536;
1237 VERB2 bb_error_msg("kernel clock drift: %ld ppm", G.kernel_freq_drift);
1240 bb_error_msg("adjtimex:%d freq:%ld offset:%ld constant:%ld status:0x%x",
1241 rc, tmx.freq, tmx.offset, tmx.constant, tmx.status);
1243 /* always gives the same output as above msg */
1244 memset(&tmx, 0, sizeof(tmx));
1245 if (adjtimex(&tmx) < 0)
1246 bb_perror_msg_and_die("adjtimex");
1247 VERB3 bb_error_msg("c adjtimex freq:%ld offset:%ld constant:%ld status:0x%x",
1248 tmx.freq, tmx.offset, tmx.constant, tmx.status);
1251 // #define STA_MODE 0x4000 /* mode (0 = PLL, 1 = FLL) (ro) */ - ?
1252 // it appeared after a while:
1253 //ntpd: p adjtimex freq:-14545653 offset:-5396 constant:10 status:0x41
1254 //ntpd: c adjtimex freq:-14547835 offset:-8307 constant:10 status:0x1
1255 //ntpd: p adjtimex freq:-14547835 offset:-6398 constant:10 status:0x41
1256 //ntpd: c adjtimex freq:-14550486 offset:-10158 constant:10 status:0x1
1257 //ntpd: p adjtimex freq:-14550486 offset:-6132 constant:10 status:0x41
1258 //ntpd: c adjtimex freq:-14636129 offset:-10158 constant:10 status:0x4001
1259 //ntpd: p adjtimex freq:-14636129 offset:-10002 constant:10 status:0x4041
1260 //ntpd: c adjtimex freq:-14636245 offset:-7497 constant:10 status:0x1
1261 //ntpd: p adjtimex freq:-14636245 offset:-4573 constant:10 status:0x41
1262 //ntpd: c adjtimex freq:-14642034 offset:-11715 constant:10 status:0x1
1263 //ntpd: p adjtimex freq:-14642034 offset:-4098 constant:10 status:0x41
1264 //ntpd: c adjtimex freq:-14699112 offset:-11746 constant:10 status:0x4001
1265 //ntpd: p adjtimex freq:-14699112 offset:-4239 constant:10 status:0x4041
1266 //ntpd: c adjtimex freq:-14762330 offset:-12786 constant:10 status:0x4001
1267 //ntpd: p adjtimex freq:-14762330 offset:-4434 constant:10 status:0x4041
1268 //ntpd: b adjtimex freq:0 offset:-9669 constant:8 status:0x1
1269 //ntpd: adjtimex:0 freq:-14809095 offset:-9669 constant:10 status:0x4001
1270 //ntpd: c adjtimex freq:-14809095 offset:-9669 constant:10 status:0x4001
1272 return 1; /* "ok to increase poll interval" */
1277 * We've got a new reply packet from a peer, process it
1281 retry_interval(void)
1283 /* Local problem, want to retry soon */
1284 unsigned interval, r;
1285 interval = RETRY_INTERVAL;
1287 interval += r % (unsigned)(RETRY_INTERVAL / 4);
1288 VERB3 bb_error_msg("chose retry interval:%u", interval);
1292 poll_interval(int exponent) /* exp is always -1 or 0 */
1294 /* Want to send next packet at (1 << G.poll_exp) + small random value */
1295 unsigned interval, r;
1296 exponent += G.poll_exp; /* G.poll_exp is always > 0 */
1297 /* never true: if (exp < 0) exp = 0; */
1298 interval = 1 << exponent;
1300 interval += ((r & (interval-1)) >> 4) + ((r >> 8) & 1); /* + 1/16 of interval, max */
1301 VERB3 bb_error_msg("chose poll interval:%u (poll_exp:%d exp:%d)", interval, G.poll_exp, exponent);
1305 recv_and_process_peer_pkt(peer_t *p)
1310 double T1, T2, T3, T4;
1312 datapoint_t *datapoint;
1315 /* We can recvfrom here and check from.IP, but some multihomed
1316 * ntp servers reply from their *other IP*.
1317 * TODO: maybe we should check at least what we can: from.port == 123?
1319 size = recv(p->p_fd, &msg, sizeof(msg), MSG_DONTWAIT);
1321 bb_perror_msg("recv(%s) error", p->p_dotted);
1322 if (errno == EHOSTUNREACH || errno == EHOSTDOWN
1323 || errno == ENETUNREACH || errno == ENETDOWN
1324 || errno == ECONNREFUSED || errno == EADDRNOTAVAIL
1327 //TODO: always do this?
1328 set_next(p, retry_interval());
1334 if (size != NTP_MSGSIZE_NOAUTH && size != NTP_MSGSIZE) {
1335 bb_error_msg("malformed packet received from %s", p->p_dotted);
1339 if (msg.m_orgtime.int_partl != p->p_xmt_msg.m_xmttime.int_partl
1340 || msg.m_orgtime.fractionl != p->p_xmt_msg.m_xmttime.fractionl
1345 if ((msg.m_status & LI_ALARM) == LI_ALARM
1346 || msg.m_stratum == 0
1347 || msg.m_stratum > NTP_MAXSTRATUM
1349 // TODO: stratum 0 responses may have commands in 32-bit m_refid field:
1350 // "DENY", "RSTR" - peer does not like us at all
1351 // "RATE" - peer is overloaded, reduce polling freq
1352 interval = poll_interval(0);
1353 bb_error_msg("reply from %s: not synced, next query in %us", p->p_dotted, interval);
1358 // * Verify the server is synchronized with valid stratum and
1359 // * reference time not later than the transmit time.
1361 // if (p->lastpkt_leap == NOSYNC || p->lastpkt_stratum >= MAXSTRAT)
1362 // return; /* unsynchronized */
1364 // /* Verify valid root distance */
1365 // if (msg.m_rootdelay / 2 + msg.m_rootdisp >= MAXDISP || p->lastpkt_reftime > msg.m_xmt)
1366 // return; /* invalid header values */
1368 p->lastpkt_leap = msg.m_status;
1369 p->lastpkt_rootdelay = sfp_to_d(msg.m_rootdelay);
1370 p->lastpkt_rootdisp = sfp_to_d(msg.m_rootdisp);
1371 p->lastpkt_refid = msg.m_refid;
1374 * From RFC 2030 (with a correction to the delay math):
1376 * Timestamp Name ID When Generated
1377 * ------------------------------------------------------------
1378 * Originate Timestamp T1 time request sent by client
1379 * Receive Timestamp T2 time request received by server
1380 * Transmit Timestamp T3 time reply sent by server
1381 * Destination Timestamp T4 time reply received by client
1383 * The roundtrip delay and local clock offset are defined as
1385 * delay = (T4 - T1) - (T3 - T2); offset = ((T2 - T1) + (T3 - T4)) / 2
1388 T2 = lfp_to_d(msg.m_rectime);
1389 T3 = lfp_to_d(msg.m_xmttime);
1390 T4 = gettime1900d();
1392 p->lastpkt_recv_time = T4;
1394 VERB5 bb_error_msg("%s->lastpkt_recv_time=%f", p->p_dotted, p->lastpkt_recv_time);
1395 p->datapoint_idx = p->p_reachable_bits ? (p->datapoint_idx + 1) % NUM_DATAPOINTS : 0;
1396 datapoint = &p->filter_datapoint[p->datapoint_idx];
1397 datapoint->d_recv_time = T4;
1398 datapoint->d_offset = ((T2 - T1) + (T3 - T4)) / 2;
1399 /* The delay calculation is a special case. In cases where the
1400 * server and client clocks are running at different rates and
1401 * with very fast networks, the delay can appear negative. In
1402 * order to avoid violating the Principle of Least Astonishment,
1403 * the delay is clamped not less than the system precision.
1405 p->lastpkt_delay = (T4 - T1) - (T3 - T2);
1406 if (p->lastpkt_delay < G_precision_sec)
1407 p->lastpkt_delay = G_precision_sec;
1408 datapoint->d_dispersion = LOG2D(msg.m_precision_exp) + G_precision_sec;
1409 if (!p->p_reachable_bits) {
1410 /* 1st datapoint ever - replicate offset in every element */
1412 for (i = 1; i < NUM_DATAPOINTS; i++) {
1413 p->filter_datapoint[i].d_offset = datapoint->d_offset;
1417 p->p_reachable_bits |= 1;
1419 bb_error_msg("reply from %s: reach 0x%02x offset %f delay %f",
1421 p->p_reachable_bits,
1422 datapoint->d_offset, p->lastpkt_delay);
1425 /* Muck with statictics and update the clock */
1426 filter_datapoints(p, T4);
1427 q = select_and_cluster(T4);
1430 rc = update_local_clock(q, T4);
1433 /* Adjust the poll interval by comparing the current offset
1434 * with the clock jitter. If the offset is less than
1435 * the clock jitter times a constant, then the averaging interval
1436 * is increased, otherwise it is decreased. A bit of hysteresis
1437 * helps calm the dance. Works best using burst mode.
1440 bb_error_msg("offset:%f POLLADJ_GATE*discipline_jitter:%f poll:%s",
1441 q->filter_offset, POLLADJ_GATE * G.discipline_jitter,
1442 fabs(q->filter_offset) < POLLADJ_GATE * G.discipline_jitter
1446 if (rc > 0 && fabs(q->filter_offset) < POLLADJ_GATE * G.discipline_jitter) {
1447 /* was += G.poll_exp but it is a bit
1448 * too optimistic for my taste at high poll_exp's */
1449 G.polladj_count += MINPOLL;
1450 if (G.polladj_count > POLLADJ_LIMIT) {
1451 G.polladj_count = 0;
1452 if (G.poll_exp < MAXPOLL) {
1454 VERB3 bb_error_msg("polladj: discipline_jitter:%f ++poll_exp=%d",
1455 G.discipline_jitter, G.poll_exp);
1458 VERB3 bb_error_msg("polladj: incr:%d", G.polladj_count);
1461 G.polladj_count -= G.poll_exp * 2;
1462 if (G.polladj_count < -POLLADJ_LIMIT) {
1463 G.polladj_count = 0;
1464 if (G.poll_exp > MINPOLL) {
1466 VERB3 bb_error_msg("polladj: discipline_jitter:%f --poll_exp=%d",
1467 G.discipline_jitter, G.poll_exp);
1470 VERB3 bb_error_msg("polladj: decr:%d", G.polladj_count);
1475 /* Decide when to send new query for this peer */
1476 interval = poll_interval(0);
1477 set_next(p, interval);
1480 /* We do not expect any more packets from this peer for now.
1481 * Closing the socket informs kernel about it.
1482 * We open a new socket when we send a new query.
1490 #if ENABLE_FEATURE_NTPD_SERVER
1492 recv_and_process_client_pkt(void /*int fd*/)
1497 len_and_sockaddr *to;
1498 struct sockaddr *from;
1500 uint8_t query_status;
1501 l_fixedpt_t query_xmttime;
1503 to = get_sock_lsa(G.listen_fd);
1504 from = xzalloc(to->len);
1506 size = recv_from_to(G.listen_fd, &msg, sizeof(msg), MSG_DONTWAIT, from, &to->u.sa, to->len);
1507 if (size != NTP_MSGSIZE_NOAUTH && size != NTP_MSGSIZE) {
1510 if (errno == EAGAIN)
1512 bb_perror_msg_and_die("recv");
1514 addr = xmalloc_sockaddr2dotted_noport(from);
1515 bb_error_msg("malformed packet received from %s: size %u", addr, (int)size);
1520 query_status = msg.m_status;
1521 query_xmttime = msg.m_xmttime;
1523 /* Build a reply packet */
1524 memset(&msg, 0, sizeof(msg));
1525 msg.m_status = G.stratum < MAXSTRAT ? G.leap : LI_ALARM;
1526 msg.m_status |= (query_status & VERSION_MASK);
1527 msg.m_status |= ((query_status & MODE_MASK) == MODE_CLIENT) ?
1528 MODE_SERVER : MODE_SYM_PAS;
1529 msg.m_stratum = G.stratum;
1530 msg.m_ppoll = G.poll_exp;
1531 msg.m_precision_exp = G_precision_exp;
1532 rectime = gettime1900d();
1533 msg.m_xmttime = msg.m_rectime = d_to_lfp(rectime);
1534 msg.m_reftime = d_to_lfp(G.reftime);
1535 msg.m_orgtime = query_xmttime;
1536 msg.m_rootdelay = d_to_sfp(G.rootdelay);
1537 //simple code does not do this, fix simple code!
1538 msg.m_rootdisp = d_to_sfp(G.rootdisp);
1539 version = (query_status & VERSION_MASK); /* ... >> VERSION_SHIFT - done below instead */
1540 msg.m_refid = G.refid; // (version > (3 << VERSION_SHIFT)) ? G.refid : G.refid3;
1542 /* We reply from the local address packet was sent to,
1543 * this makes to/from look swapped here: */
1544 do_sendto(G.listen_fd,
1545 /*from:*/ &to->u.sa, /*to:*/ from, /*addrlen:*/ to->len,
1554 /* Upstream ntpd's options:
1556 * -4 Force DNS resolution of host names to the IPv4 namespace.
1557 * -6 Force DNS resolution of host names to the IPv6 namespace.
1558 * -a Require cryptographic authentication for broadcast client,
1559 * multicast client and symmetric passive associations.
1560 * This is the default.
1561 * -A Do not require cryptographic authentication for broadcast client,
1562 * multicast client and symmetric passive associations.
1563 * This is almost never a good idea.
1564 * -b Enable the client to synchronize to broadcast servers.
1566 * Specify the name and path of the configuration file,
1567 * default /etc/ntp.conf
1568 * -d Specify debugging mode. This option may occur more than once,
1569 * with each occurrence indicating greater detail of display.
1571 * Specify debugging level directly.
1573 * Specify the name and path of the frequency file.
1574 * This is the same operation as the "driftfile FILE"
1575 * configuration command.
1576 * -g Normally, ntpd exits with a message to the system log
1577 * if the offset exceeds the panic threshold, which is 1000 s
1578 * by default. This option allows the time to be set to any value
1579 * without restriction; however, this can happen only once.
1580 * If the threshold is exceeded after that, ntpd will exit
1581 * with a message to the system log. This option can be used
1582 * with the -q and -x options. See the tinker command for other options.
1584 * Chroot the server to the directory jaildir. This option also implies
1585 * that the server attempts to drop root privileges at startup
1586 * (otherwise, chroot gives very little additional security).
1587 * You may need to also specify a -u option.
1589 * Specify the name and path of the symmetric key file,
1590 * default /etc/ntp/keys. This is the same operation
1591 * as the "keys FILE" configuration command.
1593 * Specify the name and path of the log file. The default
1594 * is the system log file. This is the same operation as
1595 * the "logfile FILE" configuration command.
1596 * -L Do not listen to virtual IPs. The default is to listen.
1598 * -N To the extent permitted by the operating system,
1599 * run the ntpd at the highest priority.
1601 * Specify the name and path of the file used to record the ntpd
1602 * process ID. This is the same operation as the "pidfile FILE"
1603 * configuration command.
1605 * To the extent permitted by the operating system,
1606 * run the ntpd at the specified priority.
1607 * -q Exit the ntpd just after the first time the clock is set.
1608 * This behavior mimics that of the ntpdate program, which is
1609 * to be retired. The -g and -x options can be used with this option.
1610 * Note: The kernel time discipline is disabled with this option.
1612 * Specify the default propagation delay from the broadcast/multicast
1613 * server to this client. This is necessary only if the delay
1614 * cannot be computed automatically by the protocol.
1616 * Specify the directory path for files created by the statistics
1617 * facility. This is the same operation as the "statsdir DIR"
1618 * configuration command.
1620 * Add a key number to the trusted key list. This option can occur
1623 * Specify a user, and optionally a group, to switch to.
1626 * Add a system variable listed by default.
1627 * -x Normally, the time is slewed if the offset is less than the step
1628 * threshold, which is 128 ms by default, and stepped if above
1629 * the threshold. This option sets the threshold to 600 s, which is
1630 * well within the accuracy window to set the clock manually.
1631 * Note: since the slew rate of typical Unix kernels is limited
1632 * to 0.5 ms/s, each second of adjustment requires an amortization
1633 * interval of 2000 s. Thus, an adjustment as much as 600 s
1634 * will take almost 14 days to complete. This option can be used
1635 * with the -g and -q options. See the tinker command for other options.
1636 * Note: The kernel time discipline is disabled with this option.
1639 /* By doing init in a separate function we decrease stack usage
1642 static NOINLINE void ntp_init(char **argv)
1650 bb_error_msg_and_die(bb_msg_you_must_be_root);
1652 /* Set some globals */
1654 /* With constant b = 100, G.precision_exp is also constant -6.
1655 * Uncomment this to verify.
1662 /* We can use sys_clock_getres but assuming 10ms tick should be fine */
1663 clock_getres(CLOCK_REALTIME, &tp);
1665 tp.tv_nsec = 10000000;
1666 b = 1000000000 / tp.tv_nsec; /* convert to Hz */
1668 b = 100; /* b = 1000000000/10000000 = 100 */
1672 /*G.precision_exp = prec;*/
1673 /*G.precision_sec = (1.0 / (1 << (- prec)));*/
1674 bb_error_msg("G.precision_exp:%d sec:%f", prec, G_precision_sec); /* -6 */
1677 G.stratum = MAXSTRAT;
1678 G.poll_exp = 1; /* should use MINPOLL, but 1 speeds up initial sync */
1679 G.reftime = G.last_update_recv_time = gettime1900d();
1683 opt_complementary = "dd:p::"; /* d: counter, p: list */
1684 opts = getopt32(argv,
1686 "p:"IF_FEATURE_NTPD_SERVER("l") /* NOT compat */
1688 "46aAbgL", /* compat, ignored */
1689 &peers, &G.verbose);
1690 if (!(opts & (OPT_p|OPT_l)))
1692 // if (opts & OPT_x) /* disable stepping, only slew is allowed */
1693 // G.time_was_stepped = 1;
1695 add_peers(llist_pop(&peers));
1696 if (!(opts & OPT_n)) {
1697 bb_daemonize_or_rexec(DAEMON_DEVNULL_STDIO, argv);
1698 logmode = LOGMODE_NONE;
1700 #if ENABLE_FEATURE_NTPD_SERVER
1703 G.listen_fd = create_and_bind_dgram_or_die(NULL, 123);
1704 socket_want_pktinfo(G.listen_fd);
1705 setsockopt(G.listen_fd, IPPROTO_IP, IP_TOS, &const_IPTOS_LOWDELAY, sizeof(const_IPTOS_LOWDELAY));
1708 /* I hesitate to set -20 prio. -15 should be high enough for timekeeping */
1710 setpriority(PRIO_PROCESS, 0, -15);
1712 bb_signals((1 << SIGTERM) | (1 << SIGINT), record_signo);
1713 bb_signals((1 << SIGPIPE) | (1 << SIGHUP), SIG_IGN);
1716 int ntpd_main(int argc UNUSED_PARAM, char **argv) MAIN_EXTERNALLY_VISIBLE;
1717 int ntpd_main(int argc UNUSED_PARAM, char **argv)
1723 memset(&g, 0, sizeof(g));
1724 SET_PTR_TO_GLOBALS(&g);
1729 /* if ENABLE_FEATURE_NTPD_SERVER, + 1 for listen_fd: */
1730 unsigned cnt = g.peer_cnt + ENABLE_FEATURE_NTPD_SERVER;
1731 idx2peer = xzalloc(sizeof(idx2peer[0]) * cnt);
1732 pfd = xzalloc(sizeof(pfd[0]) * cnt);
1735 while (!bb_got_signal) {
1738 unsigned sent_cnt, trial_cnt;
1740 time_t cur_time, nextaction;
1742 /* Nothing between here and poll() blocks for any significant time */
1744 cur_time = time(NULL);
1745 nextaction = cur_time + 3600;
1748 #if ENABLE_FEATURE_NTPD_SERVER
1749 if (g.listen_fd != -1) {
1750 pfd[0].fd = g.listen_fd;
1751 pfd[0].events = POLLIN;
1755 /* Pass over peer list, send requests, time out on receives */
1756 sent_cnt = trial_cnt = 0;
1757 for (item = g.ntp_peers; item != NULL; item = item->link) {
1758 peer_t *p = (peer_t *) item->data;
1760 /* Overflow-safe "if (p->next_action_time <= cur_time) ..." */
1761 if ((int)(cur_time - p->next_action_time) >= 0) {
1762 if (p->p_fd == -1) {
1763 /* Time to send new req */
1765 if (send_query_to_peer(p) == 0)
1768 /* Timed out waiting for reply */
1771 timeout = poll_interval(-1); /* try a bit faster */
1772 bb_error_msg("timed out waiting for %s, reach 0x%02x, next query in %us",
1773 p->p_dotted, p->p_reachable_bits, timeout);
1774 set_next(p, timeout);
1778 if (p->next_action_time < nextaction)
1779 nextaction = p->next_action_time;
1782 /* Wait for reply from this peer */
1783 pfd[i].fd = p->p_fd;
1784 pfd[i].events = POLLIN;
1790 // if ((trial_cnt > 0 && sent_cnt == 0) || g.peer_cnt == 0) {
1791 // G.time_was_stepped = 1;
1794 timeout = nextaction - cur_time;
1798 /* Here we may block */
1799 VERB2 bb_error_msg("poll %us, sockets:%u", timeout, i);
1800 nfds = poll(pfd, i, timeout * 1000);
1804 /* Process any received packets */
1806 #if ENABLE_FEATURE_NTPD_SERVER
1807 if (g.listen_fd != -1) {
1808 if (pfd[0].revents /* & (POLLIN|POLLERR)*/) {
1810 recv_and_process_client_pkt(/*g.listen_fd*/);
1815 for (; nfds != 0 && j < i; j++) {
1816 if (pfd[j].revents /* & (POLLIN|POLLERR)*/) {
1818 recv_and_process_peer_pkt(idx2peer[j]);
1821 } /* while (!bb_got_signal) */
1823 kill_myself_with_sig(bb_got_signal);
1831 /*** openntpd-4.6 uses only adjtime, not adjtimex ***/
1833 /*** ntp-4.2.6/ntpd/ntp_loopfilter.c - adjtimex usage ***/
1837 direct_freq(double fp_offset)
1842 * If the kernel is enabled, we need the residual offset to
1843 * calculate the frequency correction.
1845 if (pll_control && kern_enable) {
1846 memset(&ntv, 0, sizeof(ntv));
1849 clock_offset = ntv.offset / 1e9;
1850 #else /* STA_NANO */
1851 clock_offset = ntv.offset / 1e6;
1852 #endif /* STA_NANO */
1853 drift_comp = FREQTOD(ntv.freq);
1855 #endif /* KERNEL_PLL */
1856 set_freq((fp_offset - clock_offset) / (current_time - clock_epoch) + drift_comp);
1862 set_freq(double freq) /* frequency update */
1870 * If the kernel is enabled, update the kernel frequency.
1872 if (pll_control && kern_enable) {
1873 memset(&ntv, 0, sizeof(ntv));
1874 ntv.modes = MOD_FREQUENCY;
1875 ntv.freq = DTOFREQ(drift_comp);
1877 snprintf(tbuf, sizeof(tbuf), "kernel %.3f PPM", drift_comp * 1e6);
1878 report_event(EVNT_FSET, NULL, tbuf);
1880 snprintf(tbuf, sizeof(tbuf), "ntpd %.3f PPM", drift_comp * 1e6);
1881 report_event(EVNT_FSET, NULL, tbuf);
1883 #else /* KERNEL_PLL */
1884 snprintf(tbuf, sizeof(tbuf), "ntpd %.3f PPM", drift_comp * 1e6);
1885 report_event(EVNT_FSET, NULL, tbuf);
1886 #endif /* KERNEL_PLL */
1895 * This code segment works when clock adjustments are made using
1896 * precision time kernel support and the ntp_adjtime() system
1897 * call. This support is available in Solaris 2.6 and later,
1898 * Digital Unix 4.0 and later, FreeBSD, Linux and specially
1899 * modified kernels for HP-UX 9 and Ultrix 4. In the case of the
1900 * DECstation 5000/240 and Alpha AXP, additional kernel
1901 * modifications provide a true microsecond clock and nanosecond
1902 * clock, respectively.
1904 * Important note: The kernel discipline is used only if the
1905 * step threshold is less than 0.5 s, as anything higher can
1906 * lead to overflow problems. This might occur if some misguided
1907 * lad set the step threshold to something ridiculous.
1909 if (pll_control && kern_enable) {
1911 #define MOD_BITS (MOD_OFFSET | MOD_MAXERROR | MOD_ESTERROR | MOD_STATUS | MOD_TIMECONST)
1914 * We initialize the structure for the ntp_adjtime()
1915 * system call. We have to convert everything to
1916 * microseconds or nanoseconds first. Do not update the
1917 * system variables if the ext_enable flag is set. In
1918 * this case, the external clock driver will update the
1919 * variables, which will be read later by the local
1920 * clock driver. Afterwards, remember the time and
1921 * frequency offsets for jitter and stability values and
1922 * to update the frequency file.
1924 memset(&ntv, 0, sizeof(ntv));
1926 ntv.modes = MOD_STATUS;
1929 ntv.modes = MOD_BITS | MOD_NANO;
1930 #else /* STA_NANO */
1931 ntv.modes = MOD_BITS;
1932 #endif /* STA_NANO */
1933 if (clock_offset < 0)
1938 ntv.offset = (int32)(clock_offset * 1e9 + dtemp);
1939 ntv.constant = sys_poll;
1940 #else /* STA_NANO */
1941 ntv.offset = (int32)(clock_offset * 1e6 + dtemp);
1942 ntv.constant = sys_poll - 4;
1943 #endif /* STA_NANO */
1944 ntv.esterror = (u_int32)(clock_jitter * 1e6);
1945 ntv.maxerror = (u_int32)((sys_rootdelay / 2 + sys_rootdisp) * 1e6);
1946 ntv.status = STA_PLL;
1949 * Enable/disable the PPS if requested.
1952 if (!(pll_status & STA_PPSTIME))
1953 report_event(EVNT_KERN,
1954 NULL, "PPS enabled");
1955 ntv.status |= STA_PPSTIME | STA_PPSFREQ;
1957 if (pll_status & STA_PPSTIME)
1958 report_event(EVNT_KERN,
1959 NULL, "PPS disabled");
1960 ntv.status &= ~(STA_PPSTIME |
1963 if (sys_leap == LEAP_ADDSECOND)
1964 ntv.status |= STA_INS;
1965 else if (sys_leap == LEAP_DELSECOND)
1966 ntv.status |= STA_DEL;
1970 * Pass the stuff to the kernel. If it squeals, turn off
1971 * the pps. In any case, fetch the kernel offset,
1972 * frequency and jitter.
1974 if (ntp_adjtime(&ntv) == TIME_ERROR) {
1975 if (!(ntv.status & STA_PPSSIGNAL))
1976 report_event(EVNT_KERN, NULL,
1979 pll_status = ntv.status;
1981 clock_offset = ntv.offset / 1e9;
1982 #else /* STA_NANO */
1983 clock_offset = ntv.offset / 1e6;
1984 #endif /* STA_NANO */
1985 clock_frequency = FREQTOD(ntv.freq);
1988 * If the kernel PPS is lit, monitor its performance.
1990 if (ntv.status & STA_PPSTIME) {
1992 clock_jitter = ntv.jitter / 1e9;
1993 #else /* STA_NANO */
1994 clock_jitter = ntv.jitter / 1e6;
1995 #endif /* STA_NANO */
1998 #if defined(STA_NANO) && NTP_API == 4
2000 * If the TAI changes, update the kernel TAI.
2002 if (loop_tai != sys_tai) {
2004 ntv.modes = MOD_TAI;
2005 ntv.constant = sys_tai;
2008 #endif /* STA_NANO */
2010 #endif /* KERNEL_PLL */
projects / oweals / busybox.git / blob