diff options
Diffstat (limited to 'ntpd/invoke-ntp.conf.texi')
| -rw-r--r-- | ntpd/invoke-ntp.conf.texi | 290 |
1 files changed, 259 insertions, 31 deletions
diff --git a/ntpd/invoke-ntp.conf.texi b/ntpd/invoke-ntp.conf.texi index ff8dbdfd753e..7e8a4dc54031 100644 --- a/ntpd/invoke-ntp.conf.texi +++ b/ntpd/invoke-ntp.conf.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:44:16 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:14:34 PM by AutoGen 5.18.5 # From the definitions ntp.conf.def # and the template file agtexi-file.tpl @end ignore @@ -1462,7 +1462,7 @@ The @code{monitor} subcommand specifies the probability of discard for packets that overflow the rate-control window. -@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@kbd{flag} @kbd{...}]} +@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@code{ippeerlimit} @kbd{int}]} @code{[@kbd{flag} @kbd{...}]} The @kbd{address} argument expressed in @@ -1486,6 +1486,15 @@ Note that text string @code{default}, with no mask option, may be used to indicate the default entry. +The +@code{ippeerlimit} +directive limits the number of peer requests for each IP to +@kbd{int}, +where a value of -1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, @code{flag} always @@ -1536,6 +1545,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +@item @code{noepeer} +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +@file{ntp.keys} +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +@code{noepeer} +to become the default in ntp-4.4. @item @code{nomodify} Deny @code{ntpq(1ntpqmdoc)} @@ -1553,10 +1574,10 @@ and queries. Time service is not affected. @item @code{nopeer} -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes @code{pool} associations, so if you want to use servers from a @@ -1564,8 +1585,9 @@ associations, so if you want to use servers from a directive and also want to use @code{nopeer} by default, you'll want a -@code{restrict source ...} @code{line} @code{as} @code{well} @code{that} @code{does} -@item not +@code{restrict source ...} +line as well that does +@emph{not} include the @code{nopeer} directive. @@ -1937,9 +1959,10 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +@end table @subsubsection Manycast Options @table @asis @item @code{tos} @code{[@code{ceiling} @kbd{ceiling} | @code{cohort} @code{@{} @code{0} | @code{1} @code{@}} | @code{floor} @kbd{floor} | @code{minclock} @kbd{minclock} | @code{minsane} @kbd{minsane}]} @@ -2255,7 +2278,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -@file{/usr/share/doc/ntp}). +@file{/usr/share/doc/ntp} @file{).} @item @code{stratum} @kbd{int} Specifies the stratum number assigned to the driver, an integer between 0 and 15. @@ -2516,6 +2539,69 @@ This option is useful for sites that run @code{ntpd(1ntpdmdoc)} on multiple hosts, with (mostly) common options (e.g., a restriction list). +@item @code{interface} @code{[@code{listen} | @code{ignore} | @code{drop}]} @code{[@code{all} | @code{ipv4} | @code{ipv6} | @code{wildcard} @kbd{name} | @kbd{address} @code{[@code{/} @kbd{prefixlen}]}]} +The +@code{interface} +directive controls which network addresses +@code{ntpd(1ntpdmdoc)} +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +@kbd{prefixlen} +determines how many bits must match for this rule to apply. +@code{ignore} +prevents opening matching addresses, +@code{drop} +causes +@code{ntpd(1ntpdmdoc)} +to open the address and drop all received packets without examination. +Multiple +@code{interface} +directives can be used. +The last rule which matches a particular address determines the action for it. +@code{interface} +directives are disabled if any +@code{-I}, +@code{--interface}, +@code{-L}, +or +@code{--novirtualips} +command-line options are specified in the configuration file, +all available network addresses are opened. +The +@code{nic} +directive is an alias for +@code{interface}. +@item @code{leapfile} @kbd{leapfile} +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +@code{https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list} +or +@code{ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list}. +The +@code{leapfile} +is scanned when +@code{ntpd(1ntpdmdoc)} +processes the +@code{leapfile} @code{directive} @code{or} @code{when} +@code{ntpd} @code{detects} @code{that} @code{the} +@kbd{leapfile} +has changed. +@code{ntpd} +checks once a day to see if the +@kbd{leapfile} +has changed. +The +@code{update-leap(1update_leapmdoc)} +script can be run to see if the +@kbd{leapfile} +should be updated. @item @code{leapsmearinterval} @kbd{seconds} This EXPERIMENTAL option is only available if @code{ntpd(1ntpdmdoc)} @@ -2606,6 +2692,146 @@ facility. This is the same operation as the @code{-l} command line option. +@item @code{mru} @code{[@code{maxdepth} @kbd{count} | @code{maxmem} @kbd{kilobytes} | @code{mindepth} @kbd{count} | @code{maxage} @kbd{seconds} | @code{initialloc} @kbd{count} | @code{initmem} @kbd{kilobytes} | @code{incalloc} @kbd{count} | @code{incmem} @kbd{kilobytes}]} +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +@table @asis +@item @code{maxdepth} @kbd{count} +@item @code{maxmem} @kbd{kilobytes} +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +@code{incalloc} +entries or +@code{incmem} +kilobytes larger. +As with all of the +@code{mru} +options offered in units of entries or kilobytes, if both +@code{maxdepth} +and +@code{maxmem} @code{are} @code{used,} @code{the} @code{last} @code{one} @code{used} @code{controls.} +The default is 1024 kilobytes. +@item @code{mindepth} @kbd{count} +Lower limit on the MRU list size. +When the MRU list has fewer than +@code{mindepth} +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +@item @code{maxage} @kbd{seconds} +Once the MRU list has +@code{mindepth} +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +@code{maxage} +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +@code{maxdepth} @code{/} @code{moxmem}. +The default is 64 seconds. +@item @code{initalloc} @kbd{count} +@item @code{initmem} @kbd{kilobytes} +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +@item @code{incalloc} @kbd{count} +@item @code{incmem} @kbd{kilobytes} +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +@end table +@item @code{nonvolatile} @kbd{threshold} +Specify the +@kbd{threshold} +delta in seconds before an hourly change to the +@code{driftfile} +(frequency file) will be written, with a default value of 1e-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +@code{threshold} +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +@item @code{phone} @kbd{dial} @kbd{...} +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 - 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 - 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +@item @code{reset} @code{[@code{allpeers}]} @code{[@code{auth}]} @code{[@code{ctl}]} @code{[@code{io}]} @code{[@code{mem}]} @code{[@code{sys}]} @code{[@code{timer}]} +Reset one or more groups of counters maintained by +@code{ntpd} +and exposed by +@code{ntpq} +and +@code{ntpdc}. +@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]} +@table @asis +@item @code{memlock} @kbd{Nmegabytes} +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +@code{-i} +option). +The default is 32 megabytes on non-Linux machines, and -1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +@item @code{stacksize} @kbd{N4kPages} +Specifies the maximum size of the process stack on systems with the +@code{mlockall()} +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +@item @code{filenum} @kbd{Nfiledescriptors} +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +@end table +@item @code{saveconfigdir} @kbd{directory_path} +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +@code{saveconfig} +command. +If +@code{saveconfigdir} +does not appear in the configuration file, +@code{saveconfig} +requests are rejected by +@code{ntpd}. +@item @code{saveconfig} @kbd{filename} +Write the current configuration, including any runtime +modifications given with +@code{:config} +or +@code{config-from-file} +to the +@code{ntpd} +host's +@kbd{filename} +in the +@code{saveconfigdir}. +This command will be rejected unless the +@code{saveconfigdir} +directive appears in +.Cm ntpd 's +configuration file. +@kbd{filename} +can use +@code{strftime(3)} +format directives to substitute the current date and time, +for example, +@code{saveconfig\ ntp-%Y%m%d-%H%M%S.conf}. +The filename used is stored in the system variable +@code{savedconfig}. +Authentication is required. @item @code{setvar} @kbd{variable} @code{[@code{default}]} This command adds an additional system variable. These @@ -2638,6 +2864,10 @@ holds the names of all peer variables and the @code{clock_var_list} holds the names of the reference clock variables. +@item @code{sysinfo} +Display operational summary. +@item @code{sysstats} +Show statistics counters maintained in the protocol module. @item @code{tinker} @code{[@code{allan} @kbd{allan} | @code{dispersion} @kbd{dispersion} | @code{freq} @kbd{freq} | @code{huffpuff} @kbd{huffpuff} | @code{panic} @kbd{panic} | @code{step} @kbd{step} | @code{stepback} @kbd{stepback} | @code{stepfwd} @kbd{stepfwd} | @code{stepout} @kbd{stepout}]} This command can be used to alter several system variables in very exceptional circumstances. @@ -2715,27 +2945,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. @end table -@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]} -@table @asis -@item @code{memlock} @kbd{Nmegabytes} -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -@code{-i} -option). -The default is 32 megabytes on non-Linux machines, and -1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -@item @code{stacksize} @kbd{N4kPages} -Specifies the maximum size of the process stack on systems with the -@code{mlockall()} -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -@item @code{filenum} @kbd{Nfiledescriptors} -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -@end table +@item @code{writevar} @kbd{assocID\ name} @kbd{=} @kbd{value} @kbd{[,...]} +Write (create or update) the specified variables. +If the +@code{assocID} +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +@code{assocID} +is required, as the same name can occur in both name spaces. @item @code{trap} @kbd{host_address} @code{[@code{port} @kbd{port_number}]} @code{[@code{interface} @kbd{interface_address}]} This command configures a trap receiver at the given host address and port number for sending messages with the specified @@ -2747,6 +2968,13 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +@item @code{ttl} @kbd{hop} @kbd{...} +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +@code{manycast} +mode these values are used in-turn in an expanding-ring search. +The default is eight multiples of 32 starting at 31. The trap receiver will generally log event messages and other information from the server in a log file. |