update NEWS

update README
update copyright years
2025-12-04 10:45:07 -05:00 · 2016-02-02 16:49:05 +01:00 · 2016-02-02 12:05:51 +01:00 · 2016-02-02 12:02:16 +01:00 · 2016-02-02 12:02:16 +01:00 · 2016-02-01 16:54:08 +01:00
69 changed files with 3147 additions and 1545 deletions
--- a/41
+++ b/41
@@ -1,3 +1,36 @@
 New in version 2.3
 ==================
 Enhancements
 ------------
 * Add support for NTP and command response rate limiting
 * Add support for dropping root privileges on Mac OS X, FreeBSD, Solaris
 * Add require and trust options for source selection
 * Enable logchange by default (1 second threshold)
 * Set RTC on Mac OS X with rtcsync directive
 * Allow binding to NTP port after dropping root privileges on NetBSD
 * Drop CAP_NET_BIND_SERVICE capability on Linux when NTP port is disabled
 * Resolve names in separate process when seccomp filter is enabled
 * Replace old records in client log when memory limit is reached
 * Don't reveal local time and synchronisation state in client packets
 * Don't keep client sockets open for longer than necessary
 * Ignore poll in KoD RATE packets as ntpd doesn't always set it correctly
 * Warn when using keys shorter than 80 bits
 * Add keygen command to generate random keys easily
 * Add serverstats command to report NTP and command packet statistics
 Bug fixes
 ---------
 * Fix clock correction after making step on Mac OS X
 * Fix building on Solaris
 New in version 2.2.1
 ====================
 Security fixes
 --------------
 * Restrict authentication of NTP server/peer to specified key (CVE-2016-1567)
 New in version 2.2
 ==================
@@ -5,22 +38,26 @@ Enhancements
 ------------
 * Add support for configuration and monitoring over Unix domain socket
  (accessible by root or chrony user when root privileges are dropped)
-* Add support for system call filtering with seccomp on Linux
+* Add support for system call filtering with seccomp on Linux (experimental)
 * Add support for dropping root privileges on NetBSD
 * Control frequency of system clock on FreeBSD, NetBSD, Solaris
 * Add system leap second handling mode on FreeBSD, NetBSD, Solaris
 * Add dynamic drift removal on Mac OS X
 * Add support for setting real-time priority on Mac OS X
 * Add maxdistance directive to limit source selection by root distance
  (3 seconds by default)
 * Add refresh command to get new addresses of NTP sources
 * Allow wildcard patterns in include directive
 * Restore time from driftfile with -s option if later than RTC time
 * Add configure option to set default hwclockfile
 * Add -d option to chronyc to enable debug messages
 * Allow multiple addresses to be specified for chronyc with -h option
  and reconnect when no valid reply is received
 * Make check interval in waitsync command configurable
 Bug fixes
 ---------
-* Fix building on Solaris
+* Fix building on NetBSD, Solaris
 * Restore time from driftfile with -s option if reading RTC failed
 Removed features
--- a/1
+++ b/1
@@ -130,6 +130,7 @@ Erik Bryer <ebryer@spots.ab.ca>
 Bryan Christianson <bryan@whatroute.net>
    Support for Mac OS X
    Support for privilege separation
 Juliusz Chroboczek <jch@pps.jussieu.fr>
    Fix install rule in Makefile if chronyd file is in use.
--- a/addrfilt.c
+++ b/addrfilt.c
@@ -62,7 +62,7 @@ split_ip6(IPAddr *ip, uint32_t *dst)
  int i;
  for (i = 0; i < 4; i++)
-    dst[i] = ip->addr.in6[i * 4 + 0] << 24 |
+    dst[i] = (uint32_t)ip->addr.in6[i * 4 + 0] << 24 |
             ip->addr.in6[i * 4 + 1] << 16 |
             ip->addr.in6[i * 4 + 2] << 8 |
             ip->addr.in6[i * 4 + 3];
--- a/array.c
+++ b/array.c
@@ -103,6 +103,12 @@ ARR_GetElement(ARR_Instance array, unsigned int index)
 void *
 ARR_GetElements(ARR_Instance array)
 {
  /* Return a non-NULL pointer when the array has zero size */
  if (!array->data) {
    assert(!array->used);
    return array;
  }
  return array->data;
 }
--- a/candm.h
+++ b/candm.h
@@ -91,7 +91,9 @@
 #define REQ_SMOOTHING 51
 #define REQ_SMOOTHTIME 52
 #define REQ_REFRESH 53
-#define N_REQUEST_TYPES 54
+#define REQ_SERVER_STATS 54
 #define REQ_CLIENT_ACCESSES_BY_INDEX2 55
 #define N_REQUEST_TYPES 56
 /* Special utoken value used to log on with first exchange being the
   password.  (This time value has long since gone by) */
@@ -243,6 +245,8 @@ typedef struct {
 #define REQ_ADDSRC_IBURST 0x4
 #define REQ_ADDSRC_PREFER 0x8
 #define REQ_ADDSRC_NOSELECT 0x10
 #define REQ_ADDSRC_TRUST 0x20
 #define REQ_ADDSRC_REQUIRE 0x40
 typedef struct {
  IPAddr ip_addr;
@@ -284,7 +288,7 @@ typedef struct {
 typedef struct {
  uint32_t first_index;
-  uint32_t n_indices;
+  uint32_t n_clients;
  int32_t EOR;
 } REQ_ClientAccessesByIndex;
@@ -335,9 +339,15 @@ typedef struct {
   Version 6 : added padding to requests to prevent amplification attack,
   changed maximum number of samples in manual list to 16, new commands: modify
-   makestep, smoothing report, smoothtime command
+   makestep, smoothing, smoothtime
-   Authentication was removed later in version 6.
+   Support for authentication was removed later in version 6 of the protocol
   and commands that required authentication are allowed only locally over Unix
   domain socket.
   Version 6 (no authentication) : changed format of client accesses by index
   (using new request/reply types), new flags in NTP source request and report,
   new commands: refresh, serverstats
 */
 #define PROTO_VERSION_NUMBER 6
@@ -351,7 +361,7 @@ typedef struct {
 #define PROTO_VERSION_PADDING 6
 /* The maximum length of padding in request packet, currently
-   defined by CLIENT_ACCESSES_BY_INDEX and MANUAL_LIST */
+   defined by MANUAL_LIST */
 #define MAX_PADDING_LENGTH 396
 /* ================================================== */
@@ -431,7 +441,9 @@ typedef struct {
 #define RPY_MANUAL_LIST 11
 #define RPY_ACTIVITY 12
 #define RPY_SMOOTHING 13
-#define N_REPLY_TYPES 14
+#define RPY_SERVER_STATS 14
 #define RPY_CLIENT_ACCESSES_BY_INDEX2 15
 #define N_REPLY_TYPES 16
 /* Status codes */
 #define STT_SUCCESS 0
@@ -478,6 +490,8 @@ typedef struct {
 #define RPY_SD_FLAG_NOSELECT 0x1
 #define RPY_SD_FLAG_PREFER 0x2
 #define RPY_SD_FLAG_TRUST 0x4
 #define RPY_SD_FLAG_REQUIRE 0x8
 typedef struct {
  IPAddr ip_addr;
@@ -545,11 +559,14 @@ typedef struct {
 typedef struct {
  IPAddr ip;
-  uint32_t client_hits;
+  uint32_t ntp_hits;
-  uint32_t peer_hits;
+  uint32_t cmd_hits;
-  uint32_t cmd_hits_auth;
+  uint32_t ntp_drops;
-  uint32_t cmd_hits_normal;
+  uint32_t cmd_drops;
-  uint32_t cmd_hits_bad;
+  int8_t ntp_interval;
  int8_t cmd_interval;
  int8_t ntp_timeout_interval;
  int8_t pad;
  uint32_t last_ntp_hit_ago;
  uint32_t last_cmd_hit_ago;
 } RPY_ClientAccesses_Client;
@@ -562,6 +579,15 @@ typedef struct {
  int32_t EOR;
 } RPY_ClientAccessesByIndex;
 typedef struct {
  uint32_t ntp_hits;
  uint32_t cmd_hits;
  uint32_t ntp_drops;
  uint32_t cmd_drops;
  uint32_t log_drops;
  int32_t EOR;
 } RPY_ServerStats;
 #define MAX_MANUAL_LIST_SAMPLES 16
 typedef struct {
@@ -623,6 +649,7 @@ typedef struct {
    RPY_Sourcestats sourcestats;
    RPY_Rtc rtc;
    RPY_ClientAccessesByIndex client_accesses_by_index;
    RPY_ServerStats server_stats;
    RPY_ManualList manual_list;
    RPY_Activity activity;
    RPY_Smoothing smoothing;
--- a/chrony.conf.5.in
+++ b/chrony.conf.5.in
@@ -34,7 +34,7 @@ useful configuration file would look something like
     server bar.example.net iburst
     server baz.example.net iburst
     driftfile @CHRONYVARDIR@/drift
-     makestep 10 3
+     makestep 1.0 3
     rtcsync
 .EE
@@ -46,7 +46,7 @@ case look like
 .EX
     pool pool.ntp.org iburst
     driftfile @CHRONYVARDIR@/drift
-     makestep 10 3
+     makestep 1.0 3
     rtcsync
 .EE
--- a/chrony.texi.in
+++ b/chrony.texi.in
@@ -3,7 +3,7 @@
@afourwide
@paragraphindent 0
@setfilename chrony.info
-@settitle User guide for the chrony suite
+@settitle User guide for the chrony suite version @CHRONY_VERSION@
@c @setchapternewpage off
@ifinfo
@@ -49,7 +49,6 @@ Copyright @copyright{} 2009-2015 Miroslav Lichvar
 * Other time synchronisation packages::  Comparision with other software
 * Distribution and warranty::   There is no warranty
 * Bug reporting::               How to report bugs and make suggestions
 * Contributing::                Areas where contributions are particularly welcome
@end menu
@c }}}
@c {{{ S:Overview
@@ -138,9 +137,9 @@ The `reference' implementation of the Network Time Protocol is the
 program @code{ntpd}, available via
@uref{http://www.ntp.org/, The NTP home page}.
-One of the main differences between @code{ntpd} and @code{chronyd} is in
+One of the main differences between @code{ntpd} and @code{chronyd} is in how
-the algorithms used to control the computer's clock. Things
+they control the computer's clock.  Things @code{chronyd} can do better than
-@code{chronyd} can do better than @code{ntpd}:
+@code{ntpd}:
@itemize @bullet
@item
@@ -160,13 +159,16 @@ longer periods of time.
@item
@code{chronyd} in the default configuration never steps the time to not
 upset other running programs.  @code{ntpd} can be configured to never
-step the time too, but it has to use a different means of adjusting the
+step the time too, but in that case it has to use a different means of
-clock, which has some
+adjusting the clock (daemon loop instead of kernel discipline), which may
-disadvantages.
+have a negative effect on accuracy of the clock.
@item
@code{chronyd} can adjust the rate of the clock in a larger range, which
 allows it to operate even on machines with broken or unstable clock
 (e.g. in some virtual machines).
@item
@code{chronyd} is smaller, it uses less memory and it wakes up the CPU only
 when necessary, which is better for power saving.
@end itemize
 Things @code{chronyd} can do that @code{ntpd} can't:
@@ -192,21 +194,36 @@ Things @code{ntpd} can do that @code{chronyd} can't:
@itemize @bullet
@item
-@code{ntpd} supports all operating modes from RFC 5905, including
+@code{ntpd} supports all operating modes from RFC 5905, including broadcast,
-broadcast, multicast and manycast client / server.  It supports the
+multicast, and manycast server/client.  However, the broadcast and multicast
-orphan mode and it also supports authentication based on public-key
+modes are inherently less accurate and less secure (even with authentication)
-cryptography described in RFC 5906.
+than the ordinary server/client mode and should generally be avoided.
@item
-@code{ntpd} has been ported to more types of computer / operating
+@code{ntpd} supports the Autokey protocol (RFC 5906) to authenticate servers
-system.
+with public-key cryptography.  Note that the protocol has been shown to be
 insecure and it will be probably replaced with an implementation of the Network
 Time Security (NTS) specification.
@item
-@code{ntpd} includes drivers for many reference clocks. @code{chronyd}
+@code{ntpd} supports the orphan mode, which allows synchronisation to a common
-relies on other programs (e.g. gpsd) to access the data from the
+timescale in isolated networks with multiple servers.  With @code{chronyd}
-reference clocks.
+there can be only one master and all other computers have to be directly or
 indirectly synchronised to it.
@item
@code{ntpd} has been ported to more operating systems.
@item
@code{ntpd} includes a large number of reference clock drivers. @code{chronyd}
 relies on other programs (e.g. @code{gpsd}) to access the timing data via the
@code{SHM} or @code{SOCK} driver.
@end itemize
 A comparison of NTP implementations that includes more features and also
 their performance is on the @uref{http://chrony.tuxfamily.org/comparison.html,
 chrony comparison} page.
@node Comparison with timed
@subsection timed
@code{timed} is a program that is part of the BSD networking suite.  It
@@ -272,39 +289,6 @@ pin-point the problem in some cases.  Please be patient and plan for this!
 Of course, if you can debug the problem yourself and send us a source code
 patch to fix it, we will be very grateful!
@c }}}
@c {{{ S:Contributions
@node Contributing
@section Contributions
 Although chrony is now a fairly mature and established project, there are still
 areas that could be improved.  If you can program in C and have some expertise
 in these areas, you might be able to fill the gaps.
 Particular areas that need addressing are :
@enumerate
@item Porting to other Unices
 This involves creating equivalents of sys_solaris.c, sys_linux.c etc for the
 new system.
@item Porting to Windows NT
 A small amount of work on this was done under Cygwin.  Only the sorting
 out of the include files has really been achieved so far.  The two main
 areas still to address are
@enumerate
@item The system clock driver.
@item How to make chronyd into an NT service (i.e. what to replace fork(),
 setsid() etc with so that chronyd can be automatically started in the system
 bootstrap.
@end enumerate
@item More drivers for reference clock support
@end enumerate
@c }}}
@c }}}
@c {{{ Ch:Installation
@@ -419,7 +403,7 @@ minimal useful configuration file could be
@example
 pool pool.ntp.org iburst
-makestep 10 3
+makestep 1.0 3
 rtcsync
@end example
@@ -576,7 +560,7 @@ server foo.example.net iburst
 server bar.example.net iburst
 server baz.example.net iburst
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 rtcsync
@end example
@@ -588,7 +572,7 @@ could in this case look like
@example
 pool pool.ntp.org iburst
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 rtcsync
@end example
@c }}}
@@ -648,7 +632,7 @@ server foo.example.net offline
 server bar.example.net offline
 server baz.example.net offline
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 rtcsync
@end example
@@ -845,7 +829,7 @@ server baz.example.net maxdelay 0.4 offline
 logdir /var/log/chrony
 log statistics measurements tracking
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 maxupdateskew 100.0
 dumponexit
 dumpdir @CHRONYVARDIR@
@@ -972,13 +956,9 @@ This option is useful when restarting @code{chronyd} and can be used
 in conjunction with the `-r' option.
@item -s
-This option will set the system clock from the computer's real-time
+This option will set the system clock from the computer's real-time clock or
-clock.  This is analogous to supplying the `-s' flag to the
+to the last modification time of the file specified by the @code{driftfile}
-@file{/sbin/hwclock} program during the Linux boot sequence.
+directive.  Real-time clocks are supported only on Linux.
 Support for real-time clocks is limited at present - the criteria are
 described in the section on the @code{rtcfile} directive (@pxref{rtcfile
 directive}).
 If used in conjunction with the `-r' flag, @code{chronyd} will attempt
 to preserve the old samples after setting the system clock from the real
@@ -989,22 +969,32 @@ to work well, it relies on @code{chronyd} having been able to determine
 accurate statistics for the difference between the RTC and
 system clock last time the computer was on.
-If @code{chronyd} doesn't support the RTC on your computer or there is no RTC
+If the last modification time of the drift file is later than the current time
-installed, the system clock will be set with this option forward to the time of
+and the RTC time, the system time will be set to it to restore the time when
-the last modification of the drift file (specified by the @code{driftfile}
+@code{chronyd} was previously stopped.  This is useful on computers that have
-directive) to restore the system time at which @code{chronyd} was previously
+no RTC or the RTC is broken (e.g. it has no battery).
 stopped.
@item -u <user>
 This option sets the name of the system user to which @code{chronyd} will
 switch after start in order to drop root privileges.  It overrides the
-@code{user} directive (default @code{@DEFAULT_USER@}).  It may be set to a
+@code{user} directive (default @code{@DEFAULT_USER@}).
-non-root user only when @code{chronyd} is compiled with support for Linux
+
-capabilities (libcap) or on NetBSD with the @code{/dev/clockctl} device.
+On Linux, @code{chronyd} needs to be compiled with support for the
@code{libcap} library.  On Mac OS X, FreeBSD, NetBSD and Solaris @code{chronyd}
 forks into two processes.  The child process retains root privileges, but can
 only perform a very limited range of privileged system calls on behalf of the
 parent.
@item -F <level>
 This option configures a system call filter when @code{chronyd} is compiled with
 support for the Linux secure computing (seccomp) facility. In level 1 the
 process is killed when a forbidden system call is made, in level -1 the SYSSIG
 signal is thrown instead and in level 0 the filter is disabled (default 0).
 It's recommended to enable the filter only when it's known to work on the
 version of the system where @code{chrony} is installed as the filter needs to
 allow also system calls made from libraries that @code{chronyd} is using (e.g.
 libc) and different versions or implementations of the libraries may make
 different system calls.  If the filter is missing some system call,
@code{chronyd} could be killed even in normal operation.
@item -q
 When run in this mode, @code{chronyd} will set the system clock once
 and exit.  It will not detach from the terminal.
@@ -1104,6 +1094,7 @@ the configuration file is ignored.
 * cmdallow directive::          Give monitoring access to chronyc on other computers
 * cmddeny directive::           Deny monitoring access to chronyc on other computers
 * cmdport directive::           Set port to use for runtime monitoring
 * cmdratelimit directive::      Limit command response rate
 * combinelimit directive::      Limit sources included in combining algorithm
 * corrtimeratio directive::     Set correction time ratio
 * deny directive::              Deny access to NTP clients
@@ -1139,6 +1130,7 @@ the configuration file is ignored.
 * pidfile directive::           Specify the file where chronyd's pid is written
 * pool directive::              Specify an NTP pool
 * port directive::              Set NTP server port
 * ratelimit directive::         Limit NTP response rate
 * refclock directive::          Specify a reference clock
 * reselectdist directive::      Set improvement in distance needed to reselect a source
 * rtcautotrim directive::       Specify threshold at which RTC is trimmed automatically
@@ -1368,11 +1360,13 @@ directive}).
@c {{{ clientloglimit
@node clientloglimit directive
@subsection clientloglimit
-This directive specifies the maximum size of the memory allocated to
+This directive specifies the maximum amount of memory that @code{chronyd} is
-log client accesses.  When the limit is reached, only information for
+allowed to allocate for logging of client accesses.  The default limit is
-clients that have already been logged will be updated.  If 0 is
+524288 bytes, which allows monitoring of several thousands of addresses at the
-specified, the memory size will be unlimited.  The default is 524288
+same time.
-bytes.
+
 In older @code{chrony} versions if the limit was set to 0, the memory
 allocation was unlimited.
 An example of the use of this directive is
@@ -1433,6 +1427,20 @@ This would make @code{chronyd} use 257/udp as its command port.
 (@code{chronyc} would need to be run with the @code{-p 257} switch to
 inter-operate correctly).
@c }}}
@c {{{ cmdratelimit
@node cmdratelimit directive
@subsection cmdratelimit
 This directive enables response rate limiting for command packets.  It's
 similar to the @code{ratelimit} directive (@pxref{ratelimit directive}), except
 responses to the localhost are never limited and the default interval is 1 (2
 seconds), default burst is 16, and default leak rate is 2.
 An example of use of the command is
@example
 cmdratelimit interval 2
@end example
@c }}}
@c {{{ combinelimit
@node combinelimit directive
@subsection combinelimit
@@ -1600,9 +1608,11 @@ NTP, reference clocks or manual input.
@node hwclockfile directive
@subsection hwclockfile
 The @code{hwclockfile} directive sets the location of the adjtime file which is
-used by the @file{/sbin/hwclock} program.  With this directive, @code{chronyd}
+used by the @file{/sbin/hwclock} program on Linux.  @code{chronyd} parses the
-will parse the file to find out if the RTC keeps local time or UTC.  It
+file to find out if the RTC keeps local time or UTC.  It overrides the
-overrides the @code{rtconutc} directive (@pxref{rtconutc directive}).
+@code{rtconutc} directive (@pxref{rtconutc directive}).
 The default value is @file{@DEFAULT_HWCLOCK_FILE@}.
 An example of the command is
@@ -1713,28 +1723,25 @@ pairs.  The format of the file is shown below
 ...
@end example
-Each line consists of an ID, a name of authentication hash function (optional)
+Each line consists of an ID, name of an authentication hash function (optional)
 and a password.  The ID can be any unsigned integer in the range 1 through
-2**32-1.  The hash function is MD5 by default, depending on how was
+2**32-1.  The default hash function is MD5.  Depending on how @code{chronyd}
-@code{chronyd} compiled, other allowed hash functions may be SHA1, SHA256,
+was compiled, other supported functions may be SHA1, SHA256, SHA384, SHA512,
-SHA384, SHA512, RMD128, RMD160, RMD256, RMD320, TIGER and WHIRLPOOL.  The
+RMD128, RMD160, RMD256, RMD320, TIGER and WHIRLPOOL.  The password can be
-password can be encoded as a string of characters not containing a space with
+specified as a string of characters not containing white space with an optional
-optional @code{ASCII:} prefix or as a hexadecimal number with @code{HEX:}
+@code{ASCII:} prefix, or as a hexadecimal number with the @code{HEX:} prefix.
-prefix.
+The maximum length of the line is 2047 characters.
 The password is used with the hash function to generate and verify a message
-authentication code (MAC) in NTP packets.
+authentication code (MAC) in NTP packets.  It's recommended to use SHA1 or a
-For maximum security, it's recommended to use SHA1 or stronger hash function.
+stronger hash function with random passwords specified in the hexadecimal
-The passwords should be random and they should be as long as the output size of
+format that have at least 128 bits.  @code{chronyd} will log a warning to
-the configured hash function, e.g. 160 bits with SHA1.
+syslog on start if a source is specified in the configuration file with a key
 that has password shorter than 80 bits.
-These shell commands can be used to generate random MD5 and SHA1 keys on
+The @code{keygen} command of @code{chronyc} (@pxref{keygen command}) can be
-systems which have the @code{/dev/urandom} device:
+used to generate random keys for the key file.  By default, it generates
-
+160-bit MD5 or SHA1 keys.
@example
 echo "1 MD5 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 32)"
 echo "1 SHA1 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 40)"
@end example
@c }}}
@c {{{ leapsecmode
@node leapsecmode directive
@@ -2257,24 +2264,22 @@ used to disable it entirely.
@c {{{ logchange
@node logchange directive
@subsection logchange
-This directive forces @code{chronyd} to send a message to syslog if it
+This directive sets the threshold for the adjustment of the system clock
-makes a system clock adjustment larger than a threshold value.  An
+that will generate a syslog message.
-example of use is
+
 By default, the threshold is 1 second.
 An example of use is
@example
-logchange 0.5
+logchange 0.1
@end example
 which would cause a syslog message to be generated a system clock error
-of over 0.5 seconds starts to be compensated.
+of over 0.1 seconds starts to be compensated.
-Clock errors detected either via NTP packets or via timestamps entered
+Clock errors detected via NTP packets, reference clocks, or timestamps entered
 via the @code{settime} command of @code{chronyc} are logged.
 This directive assumes that syslog messages are appearing where somebody
 can see them.  This allows that person to see if a large error has
 arisen, e.g. because of a fault, or because of faulty timezone handling,
 for example when summer time (daylight saving) starts or ends.
@c }}}
@c {{{ logdir
@node logdir directive
@@ -2328,10 +2333,10 @@ only with NTP sources.
 An example of the use of this directive is
@example
-makestep 1000 10
+makestep 0.1 10
@end example
-This would step system clock if the adjustment is larger than 1000
+This would step system clock if the adjustment is larger than 0.1
 seconds, but only in the first ten clock updates.
@c }}}
@c {{{ manual
@@ -2397,7 +2402,11 @@ includes the accumulated dispersion, which may be large when the source is no
 longer synchronised, and half of the total round-trip delay to the primary
 source.
-By default, the maximum distance is 3 seconds.
+By default, the maximum root distance is 3 seconds.
 Setting @code{maxdistance} to a larger value can be useful to allow
 synchronisation with a server that only has a very infrequent connection to its
 sources and can accumulate a large dispersion between updates of its clock.
 The syntax is
@@ -2523,6 +2532,9 @@ The syntax of this directive is identical to that for the @code{server}
 directive (@pxref{server directive}), except that it is used to specify
 an NTP peer rather than an NTP server.
 When a key is specified by the @code{key} option to enable authentication, both
 peers must be configured to use the same key and the same key number.
 Please note that NTP peers that are not configured with a key to enable
 authentication are vulnerable to a denial-of-service attack.  An attacker
 knowing that NTP hosts A and B are peering with each other can send a packet
@@ -2595,6 +2607,54 @@ port 11123
 This would change the NTP port served by @code{chronyd} on the computer to
 udp/11123.
@c }}}
@c {{{ ratelimit
@node ratelimit directive
@subsection ratelimit
 This directive enables response rate limiting for NTP packets.  Its purpose is
 to reduce network traffic with misconfigured or broken NTP clients that are
 polling the server too frequently.  The limits are applied to individual IP
 addresses.  If multiple clients share one IP address (e.g. multiple hosts
 behind NAT), the sum of their traffic will be limited.  If a client that
 increases its polling rate when it doesn't receive a reply is detected, its
 rate limiting will be temporarily suspended to avoid increasing the overall
 amount of traffic.  The maximum number of IP addresses which can be monitored
 at the same time depends on the memory limit set by the @code{clientloglimit}
 directive.
 The @code{ratelimit} directive supports a number of subfields (which
 may be defined in any order):
@table @code
@item interval
 This option sets the minimum interval between responses.  It is defined as a
 power of 2 in seconds.  The default value is 3 (8 seconds).  The minimum value
 is -4 and the maximum value is 12.
@item burst
 This option sets the maximum number of responses that can be send in a burst,
 temporarily exceeding the limit specified by the @code{interval} option.  This
 is useful for clients that make rapid measurements on start (e.g.
@code{chronyd} with the @code{iburst} option).  The default value is 8.  The
 minimum value is 1 and the maximum value is 255.
@item leak
 This option sets the rate at which responses are randomly allowed even if the
 limits specified by the @code{interval} and @code{burst} options are exceeded.
 This is necessary to prevent an attacker who is sending requests with a spoofed
 source address from completely blocking responses to that address.  The leak
 rate is defined as a power of 1/2 and it is 3 by default, i.e. on average at
 least every eighth request has a response.  The minimum value is 1 and the
 maximum value is 4.
@end table
 An example use of the command is
@example
 ratelimit interval 4 burst 4
@end example
 This would reduce the response rate for IP addresses that send packets on
 average more frequently than once per 16 seconds and/or send packets in bursts
 with more than 4 packets.
@c }}}
@c {{{ refclock
@node refclock directive
@subsection refclock
@@ -2729,6 +2789,18 @@ Prefer this source over sources without prefer option.
@item noselect
 Never select this source.  This is useful for monitoring or with sources
 which are not very accurate, but are locked with a PPS refclock.
@item trust
 Assume time from this source is always true.  It can't be rejected as a
 falseticker in the source selection if sources that are specified without this
 option don't agree with it.
@item require
 Require that at least one of the sources specified with this option is
 selectable (i.e. recently reachable and not a falseticker) before updating the
 clock.  Together with the @code{trust} option this may be useful to allow a
 trusted, but not very precise, reference clock to be safely combined with
 unauthenticated NTP sources in order to improve the accuracy of the clock.
 They can be selected and used for synchronisation only if they agree with
 the trusted and required source.
@item minsamples
 Set the minimum number of samples kept for this source.  This overrides the
@code{minsamples} directive (@pxref{minsamples directive}).
@@ -2851,12 +2923,17 @@ Note that this setting is overriden when the @code{hwclockfile} directive
@node rtcsync directive
@subsection rtcsync
-The @code{rtcsync} directive will enable a kernel mode where the
+The @code{rtcsync} directive enables a mode where the system time is
-system time is copied to the real time clock (RTC) every 11 minutes.
+periodically copied to the real time clock (RTC).
-This directive is supported only on Linux and cannot be used when the
+On Linux the RTC copy is performed by the kernel every 11 minutes. This
-normal RTC tracking is enabled, i.e. when the @code{rtcfile} directive
+directive cannot be used when the normal RTC tracking is enabled,
-is used.  On other systems this directive does nothing.
+i.e. when the @code{rtcfile} directive is used.
 On Mac OS X, chronyd will perform the RTC copy every 60 minutes when the
 system clock is in a synchronised state.
 On other systems this directive does nothing.
@c }}}
@c {{{ sched_priority
@node sched_priority directive
@@ -3028,6 +3105,19 @@ Prefer this source over sources without prefer option.
@item noselect
 Never select this source.  This is particularly useful for monitoring.
@item trust
 Assume time from this source is always true.  It can't be rejected as a
 falseticker in the source selection if sources that are specified without this
 option don't agree with it.
@item require
 Require that at least one of the sources specified with this option is
 selectable (i.e. recently reachable and not a falseticker) before updating the
 clock.  Together with the @code{trust} option this may be useful to allow a
 trusted authenticated source to be safely combined with unauthenticated sources
 in order to improve the accuracy of the clock.  They can be selected and used
 for synchronisation only if they agree with the trusted and required source.
@item minsamples
 Set the minimum number of samples kept for this source.  This overrides the
@code{minsamples} directive (@pxref{minsamples directive}).
@@ -3183,11 +3273,15 @@ Valid measurements with corresponding compensations are logged to the
@subsection user
 The @code{user} directive sets the name of the system user to which
@code{chronyd} will switch after start in order to drop root privileges.
 It may be set to a non-root user only when @code{chronyd} is compiled with
 support for Linux capabilities (libcap) or on NetBSD with the
@code{/dev/clockctl} device.
-The default value is @code{@DEFAULT_USER@}.
+On Linux, @code{chronyd} needs to be compiled with support for the
@code{libcap} library.  On Mac OS X, FreeBSD, NetBSD and Solaris @code{chronyd}
 forks into two processes.  The child process retains root privileges, but can
 only perform a very limited range of privileged system calls on behalf of the
 parent.
 The default value is @code{@DEFAULT_USER@}.  The configure script has a
@code{--with-user} option, which sets the default value.
@c }}}
@c }}}
@c {{{ S:Running chronyc
@@ -3341,6 +3435,7 @@ interface.
 * dump command::                Dump measurement histories to files
 * exit command::                Exit from chronyc
 * help command::                Generate help summary
 * keygen command::              Generate key for key file
 * local command::               Let computer be a server when it is unsynchronised
 * makestep command::            Correct the system clock by stepping instead of slewing
 * manual command::              Enable/disable/configure options for settime
@@ -3360,6 +3455,7 @@ interface.
 * reselectdist command::        Set improvement in distance needed to reselect a source
 * retries command::             Set maximum number of retries
 * rtcdata command::             Display RTC parameters
 * serverstats command::         Display statistics of the server
 * settime command::             Provide a manual input of the current time
 * smoothing command::           Display current time smoothing state
 * smoothtime command::          Reset/activate server time smoothing
@@ -3574,24 +3670,24 @@ burst 2/10 foo.example.net
@node clients command
@comment  node-name,  next,  previous,  up
@subsubsection clients
-This command shows a list of all clients that have accessed the server,
+This command shows a list of clients that have accessed the server,
 through either the NTP or command/monitoring ports.  It doesn't include
-access to the Unix domain comamnd socket.  There are no arguments.
+accesses over the Unix domain comamnd socket.  There are no arguments.
 An example of the output is
@example
-Hostname                   Client    Peer CmdAuth CmdNorm  CmdBad  LstN  LstC
+Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
-=========================  ======  ======  ======  ======  ======  ====  ====
+===============================================================================
-localhost                       0       0       0       1       0   29y     0
+localhost                       2      0   2   -   133      15      0  -1     7
-aardvark.xxx                    4       0       0       0       0    49   29y
+foo.example.net                12      0   6   -    23       0      0   -     -
 badger.xxx                      4       0       0       0       0     6   29y
@end example
 Each row shows the data for a single host.  Only hosts that have passed
 the host access checks (set with the @code{allow}, @code{deny},
@code{cmdallow} and @code{cmddeny} commands or configuration file
-directives) are logged.
+directives) are logged.  The intervals are displayed as a power of 2 in
 seconds.
 The columns are as follows:
@@ -3599,29 +3695,24 @@ The columns are as follows:
@item
 The hostname of the client
@item
-The number of times the client has accessed the server using an NTP
+The number of NTP packets received from the client.
 client mode packet.
@item
-The number of times the client has accessed the server using an NTP
+The number of NTP packets dropped to limit the response rate.
 symmetric active mode packet.
@item
-The number of authenticated command packets that have been processed from the
+The average interval between NTP packets.
 client.  Authentication is no longer supported in command packets, so the
 number should be always zero.
@item
-The number of unauthenticated command packets that have been processed
+The average interval between NTP packets after limiting the response rate.
 from the client.
@item
 The number of bad command packets received from the client (not all
 forms of bad packet are logged).
@item
 Time since the last NTP packet was received
@item
-Time since the last command packet was received
+The number of command packets received from the client.
@item
 The number of command packets dropped to limit the response rate.
@item
 The average interval between command packets.
@item
 Time since the last command packet was received.
@end enumerate
 The last two entries will be shown as the time since 1970 if no packet
 of that type has ever been received.
@c }}}
@c {{{ cmdaccheck
@node cmdaccheck command
@@ -3775,6 +3866,31 @@ The exit command exits from chronyc and returns the user to the shell
@subsubsection help
 The help command displays a summary of the commands and their arguments.
@c }}}
@c {{{ keygen
@node keygen command
@subsubsection keygen
 The @code{keygen} command generates a key that can be added to the
 key file (@pxref{keyfile directive}) to allow NTP authentication between
 server and client, or peers.  The key is generated from the @code{/dev/urandom}
 device and it's printed to standard output.
 The command has three optional arguments.  The first argument is the key number
 (by default 1), which will be specified with the @code{key} option of the
@code{server} or @code{peer} directives in the configuration file.  The second
 argument is the hash function (by default SHA1 or MD5 if SHA1 is not available)
 and the third argument is the number of bits the key should have, between 80
 and 4096 bits (by default 160 bits).
 An example is
@example
 keygen 73 SHA1 256
@end example
 which generates a 256-bit SHA-1 key with number 73.  The printed line would
 then be securely transferred and added to key files on both server and client,
 or peers.
@c }}}
@c {{{ local
@node local command
@subsubsection local
@@ -4059,8 +4175,8 @@ next measurement has been made.
@node offline command
@subsubsection offline
 The @code{offline} command is used to warn @code{chronyd} that the network
-connection to a particular host or hosts is about to be lost.  It should
+connection to a particular host or hosts is about to be lost.  It can
-be used on computers with a dial-up or similar connection to their time
+be used on computers with intermittent connection to their time
 sources, to warn @code{chronyd} that the connection is about to be broken.
 An example of how to use @code{offline} in this case is shown in
@@ -4097,14 +4213,6 @@ achieve this.  The situation is shown in the figure below.
@end example
 If the source to which @code{chronyd} is currently synchronised is indicated
 offline in this way, @code{chronyd} will continue to treat it as the
 synchronisation source.  If the network connection were broken without
 the @code{offline} command being used, @code{chronyd} would assume that the
 source had failed and would attempt to pick another synchronisation
 source.
 There are four forms of the @code{offline} command.  The first form is a
 wildcard, meaning all sources.  The second form allows an IP address mask
 and a masked address to be specified.  The third form uses the CIDR
@@ -4261,6 +4369,24 @@ right when it crosses a particular second boundary.  Then it would be 1
 microsecond fast when it crosses its next second boundary.
@end table
@c }}}
@c {{{ serverstats command
@node serverstats command
@subsubsection serverstats command
 The @code{serverstats} command displays how many valid NTP and command requests
@code{chronyd} as a server received from clients, how many of them were dropped
 to limit the response rate as configured by the @code{ratelimit} and
@code{cmdratelimit} directives, and how many client log records were dropped
 due to the memory limit configured by the @code{clientloglimit} directive.  An
 example of the output is shown below.
@example
 NTP packets received       : 1598
 NTP packets dropped        : 8
 Command packets received   : 19
 Command packets dropped    : 0
 Client log records dropped : 0
@end example
@c }}}
@c {{{ settime
@node settime command
@subsubsection settime
@@ -4692,10 +4818,10 @@ with the @code{rtcautotrim} directive (@pxref{rtcautotrim directive}).
@subsubsection waitsync
 The @code{waitsync} command waits for @code{chronyd} to synchronise.
-Up to three optional arguments can be specified, the first is the maximum
+Up to four optional arguments can be specified, the first is the maximum
-number of tries in 10 second intervals before giving up and returning a
+number of tries before giving up and returning a non-zero error code.  When 0
-non-zero error code.  When 0 is specified, or there are no arguments, the
+is specified, or there are no arguments, the number of tries will not be
-number of tries will not be limited.
+limited.
 The second and third arguments are the maximum allowed remaining correction of
 the system clock and the maximum allowed skew (in ppm) as reported by the
@@ -4703,14 +4829,18 @@ the system clock and the maximum allowed skew (in ppm) as reported by the
 and @code{Skew} fields.  If not specified or zero, the value will not be
 checked.
 The fourth argument is the interval in which the check is repeated.  The
 interval is 10 seconds by default.
 An example is
@example
 waitsync 60 0.01
@end example
-which will wait up to about 10 minutes for @code{chronyd} to synchronise to a
+which will wait up to about 10 minutes (60 times 10 seconds) for @code{chronyd}
-source and the remaining correction to be less than 10 milliseconds.
+to synchronise to a source and the remaining correction to be less than 10
 milliseconds.
@c }}}
@c {{{ writertc
@node writertc command
--- a/chronyd.8.in
+++ b/chronyd.8.in
@@ -80,13 +80,9 @@ option is useful when restarting \fBchronyd\fR and can be used in conjunction
 with the \fB-r\fR option.
 .TP
 .B \-s
-This option will set the system clock from the computer's real-time
+This option will set the system clock from the computer's real-time clock or
-clock.  This is analogous to supplying the \fI-s\fR flag to the
+to the last modification time of the file specified by the \fIdriftfile\fR
-\fI/sbin/hwclock\fR program during the Linux boot sequence.
+directive.  Real-time clocks are supported only on Linux.
 Support for real-time clocks is limited at present - the criteria
 are described in the section on the \fIrtcfile\fR directive in the
 documentation supplied with the distribution.
 If used in conjunction with the \fB-r\fR flag, \fBchronyd\fR will attempt
 to preserve the old samples after setting the system clock from
@@ -97,24 +93,33 @@ not in use.  For this to work well, it relies on \fBchronyd\fR having
 been able to determine accurate statistics for the difference
 between the RTC and system clock last time the computer was on.
-If \fBchronyd\fR doesn't support the RTC on your computer or there is no RTC
+If the last modification time of the drift file is later than the current time
-installed, the system clock will be set with this option forward to the time of
+and the RTC time, the system time will be set to it to restore the time when
-the last modification of the drift file (specified by the \fIdriftfile\fR
+\fBchronyd\fR was previously stopped.  This is useful on computers that have no
-directive) to restore the system time at which \fBchronyd\fR was previously
+RTC or the RTC is broken (e.g. it has no battery).
 stopped.
 .TP
 \fB\-u\fR \fIuser\fR
 This option sets the name of the system user to which \fBchronyd\fR will switch
 after start in order to drop root privileges.  It overrides the \fBuser\fR
-directive (default \fB@DEFAULT_USER@\fR).  It may be set to a non-root user
+directive from the configuration file (default \fB@DEFAULT_USER@\fR).
-only when \fBchronyd\fR is compiled with support for Linux capabilities
+
-(libcap) or on NetBSD with the \fB/dev/clockctl\fR device.
+On Linux, \fBchronyd\fR needs to be compiled with support for the \fBlibcap\fR
 library.  On Mac OS X, FreeBSD, NetBSD and Solaris \fBchronyd\fR forks into two
 processes.  The child process retains root privileges, but can only perform a
 very limited range of privileged system calls on behalf of the parent.
 .TP
 \fB\-F\fR \fIlevel\fR
 This option configures a system call filter when \fBchronyd\fR is compiled with
 support for the Linux secure computing (seccomp) facility. In level 1 the
 process is killed when a forbidden system call is made, in level -1 the SYSSIG
 signal is thrown instead and in level 0 the filter is disabled (default 0).
 It's recommended to enable the filter only when it's known to work on the
 version of the system where \fBchrony\fR is installed as the filter needs to
 allow also system calls made from libraries that \fBchronyd\fR is using (e.g.
 libc) and different versions or implementations of the libraries may make
 different system calls.  If the filter is missing some system call,
 \fBchronyd\fR could be killed even in normal operation.
 .TP
 .B \-q
 When run in this mode, chronyd will set the system clock once
--- a/client.c
+++ b/client.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2015
+ * Copyright (C) Miroslav Lichvar  2009-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -135,14 +135,12 @@ read_line(void)
 /* ================================================== */
 #define MAX_ADDRESSES 16
 static ARR_Instance
 get_sockaddrs(const char *hostnames, int port)
 {
  ARR_Instance addrs;
  char *hostname, *s1, *s2;
-  IPAddr ip_addrs[MAX_ADDRESSES];
+  IPAddr ip_addrs[DNS_MAX_ADDRESSES];
  union sockaddr_all *addr;
  int i;
@@ -163,12 +161,12 @@ get_sockaddrs(const char *hostnames, int port)
        LOG_FATAL(LOGF_Client, "Unix socket path too long");
      addr->un.sun_family = AF_UNIX;
    } else {
-      if (DNS_Name2IPAddress(hostname, ip_addrs, MAX_ADDRESSES) != DNS_Success) {
+      if (DNS_Name2IPAddress(hostname, ip_addrs, DNS_MAX_ADDRESSES) != DNS_Success) {
        DEBUG_LOG(LOGF_Client, "Could not get IP address for %s", hostname);
        break;
      }
-      for (i = 0; i < MAX_ADDRESSES && ip_addrs[i].family != IPADDR_UNSPEC; i++) {
+      for (i = 0; i < DNS_MAX_ADDRESSES && ip_addrs[i].family != IPADDR_UNSPEC; i++) {
        addr = (union sockaddr_all *)ARR_GetNewElement(addrs);
        UTI_IPAndPortToSockaddr(&ip_addrs[i], port, (struct sockaddr *)addr);
        DEBUG_LOG(LOGF_Client, "Resolved %s to %s", hostname, UTI_IPToString(&ip_addrs[i]));
@@ -1117,8 +1115,10 @@ process_cmd_add_server_or_peer(CMD_Request *msg, char *line)
          (data.params.online ? REQ_ADDSRC_ONLINE : 0) |
          (data.params.auto_offline ? REQ_ADDSRC_AUTOOFFLINE : 0) |
          (data.params.iburst ? REQ_ADDSRC_IBURST : 0) |
-          (data.params.sel_option == SRC_SelectPrefer ? REQ_ADDSRC_PREFER : 0) |
+          (data.params.sel_options & SRC_SELECT_PREFER ? REQ_ADDSRC_PREFER : 0) |
-          (data.params.sel_option == SRC_SelectNoselect ? REQ_ADDSRC_NOSELECT : 0));
+          (data.params.sel_options & SRC_SELECT_NOSELECT ? REQ_ADDSRC_NOSELECT : 0) |
          (data.params.sel_options & SRC_SELECT_TRUST ? REQ_ADDSRC_TRUST : 0) |
          (data.params.sel_options & SRC_SELECT_REQUIRE ? REQ_ADDSRC_REQUIRE : 0));
      result = 1;
      break;
@@ -1191,7 +1191,7 @@ give_help(void)
    "makestep\0Correct clock by stepping immediately\0"
    "makestep <threshold> <updates>\0Configure automatic clock stepping\0"
    "maxupdateskew <skew>\0Modify maximum valid skew to update frequency\0"
-    "waitsync [max-tries [max-correction [max-skew]]]\0"
+    "waitsync [<max-tries> [<max-correction> [<max-skew> [<interval>]]]]\0"
                          "Wait until synchronised in specified limits\0"
    "\0\0"
    "Time sources:\0\0"
@@ -1225,6 +1225,7 @@ give_help(void)
    "\0\0NTP access:\0\0"
    "accheck <address>\0Check whether address is allowed\0"
    "clients\0Report on clients that have accessed the server\0"
    "serverstats\0Display statistics of the server\0"
    "allow [<subnet>]\0Allow access to subnet as a default\0"
    "allow all [<subnet>]\0Allow access to subnet and all children\0"
    "deny [<subnet>]\0Deny access to subnet as a default\0"
@@ -1255,6 +1256,7 @@ give_help(void)
    "dns -4|-6|-46\0Resolve hostnames only to IPv4/IPv6/both addresses\0"
    "timeout <milliseconds>\0Set initial response timeout\0"
    "retries <retries>\0Set maximum number of retries\0"
    "keygen [<id> [<type> [<bits>]]]\0Generate key for key file\0"
    "exit|quit\0Leave the program\0"
    "help\0Generate this help\0"
    "\0";
@@ -1366,6 +1368,7 @@ submit_request(CMD_Request *request, CMD_Reply *reply)
      if (recv_status < 0) {
        /* If we get connrefused here, it suggests the sendto is
           going to a dead port */
        DEBUG_LOG(LOGF_Client, "Could not receive : %s", strerror(errno));
        n_attempts++;
        if (n_attempts > max_retries) {
@@ -1543,7 +1546,10 @@ static void
 print_seconds(unsigned long s)
 {
  unsigned long d;
-  if (s <= 1024) {
+
  if (s == (uint32_t)-1) {
    printf("   -");
  } else if (s <= 1024) {
    printf("%4ld", s);
  } else if (s < 36000) {
    printf("%3ldm", s / 60);
@@ -1643,6 +1649,18 @@ print_signed_freq_ppm(double f)
 /* ================================================== */
 static void
 print_clientlog_interval(int rate)
 {
  if (rate >= 127) {
    printf(" -");
  } else {
    printf("%2d", rate);
  }
 }
 /* ================================================== */
 static int
 check_for_verbose_flag(char *line)
 {
@@ -1945,6 +1963,29 @@ process_cmd_tracking(char *line)
  }
  return 0;
 }
 /* ================================================== */
 static int
 process_cmd_serverstats(char *line)
 {
  CMD_Request request;
  CMD_Reply reply;
  request.command = htons(REQ_SERVER_STATS);
  if (!request_reply(&request, &reply, RPY_SERVER_STATS, 0))
    return 0;
  printf("NTP packets received       : %"PRIu32"\n", ntohl(reply.data.server_stats.ntp_hits));
  printf("NTP packets dropped        : %"PRIu32"\n", ntohl(reply.data.server_stats.ntp_drops));
  printf("Command packets received   : %"PRIu32"\n", ntohl(reply.data.server_stats.cmd_hits));
  printf("Command packets dropped    : %"PRIu32"\n", ntohl(reply.data.server_stats.cmd_drops));
  printf("Client log records dropped : %"PRIu32"\n", ntohl(reply.data.server_stats.log_drops));
  return 1;
 }
 /* ================================================== */
 static int
@@ -2046,87 +2087,65 @@ process_cmd_clients(char *line)
 {
  CMD_Request request;
  CMD_Reply reply;
  unsigned long next_index;
  int j;
  IPAddr ip;
-  unsigned long client_hits;
+  uint32_t i, n_clients, next_index, n_indices;
-  unsigned long peer_hits;
+  RPY_ClientAccesses_Client *client;
-  unsigned long cmd_hits_auth;
+  char hostname[26];
  unsigned long cmd_hits_normal;
  unsigned long cmd_hits_bad;
  unsigned long last_ntp_hit_ago;
  unsigned long last_cmd_hit_ago;
  char hostname_buf[50];
  int n_replies;
  int n_indices_in_table;
  next_index = 0;
-  printf("Hostname                   Client    Peer CmdAuth CmdNorm  CmdBad  LstN  LstC\n"
+  printf("Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last\n"
-         "=========================  ======  ======  ======  ======  ======  ====  ====\n");
+         "===============================================================================\n");
-  do {
+  while (1) {
-
+    request.command = htons(REQ_CLIENT_ACCESSES_BY_INDEX2);
    request.command = htons(REQ_CLIENT_ACCESSES_BY_INDEX);
    request.data.client_accesses_by_index.first_index = htonl(next_index);
-    request.data.client_accesses_by_index.n_indices = htonl(MAX_CLIENT_ACCESSES);
+    request.data.client_accesses_by_index.n_clients = htonl(MAX_CLIENT_ACCESSES);
-    if (request_reply(&request, &reply, RPY_CLIENT_ACCESSES_BY_INDEX, 0)) {
+    if (!request_reply(&request, &reply, RPY_CLIENT_ACCESSES_BY_INDEX2, 0))
-          n_replies = ntohl(reply.data.client_accesses_by_index.n_clients);
+      return 0;
          n_indices_in_table = ntohl(reply.data.client_accesses_by_index.n_indices);
          if (n_replies == 0) {
            goto finished;
          }
          for (j=0; j<n_replies; j++) {
            UTI_IPNetworkToHost(&reply.data.client_accesses_by_index.clients[j].ip, &ip);
            if (ip.family != IPADDR_UNSPEC) {
              /* UNSPEC implies that the node could not be found in
                 the daemon's tables; we shouldn't ever generate this
                 case, but ignore it if we do.  (In future there might
                 be a protocol to reset the client logging; if another
                 administrator runs that while we're doing the clients
                 command, there will be a race condition that could
                 cause this). */
-              client_hits = ntohl(reply.data.client_accesses_by_index.clients[j].client_hits);
+    n_clients = ntohl(reply.data.client_accesses_by_index.n_clients);
-              peer_hits = ntohl(reply.data.client_accesses_by_index.clients[j].peer_hits);
+    n_indices = ntohl(reply.data.client_accesses_by_index.n_indices);
              cmd_hits_auth = ntohl(reply.data.client_accesses_by_index.clients[j].cmd_hits_auth);
              cmd_hits_normal = ntohl(reply.data.client_accesses_by_index.clients[j].cmd_hits_normal);
              cmd_hits_bad = ntohl(reply.data.client_accesses_by_index.clients[j].cmd_hits_bad);
              last_ntp_hit_ago = ntohl(reply.data.client_accesses_by_index.clients[j].last_ntp_hit_ago);
              last_cmd_hit_ago = ntohl(reply.data.client_accesses_by_index.clients[j].last_cmd_hit_ago);
-              if (no_dns) {
+    for (i = 0; i < n_clients && i < MAX_CLIENT_ACCESSES; i++) {
-                snprintf(hostname_buf, sizeof(hostname_buf),
+      client = &reply.data.client_accesses_by_index.clients[i];
-                         "%s", UTI_IPToString(&ip));
+
-              } else {
+      UTI_IPNetworkToHost(&client->ip, &ip);
-                DNS_IPAddress2Name(&ip, hostname_buf, sizeof(hostname_buf));
+
-                hostname_buf[25] = 0;
+      /* UNSPEC means the record could not be found in the daemon's tables.
-              }
+         We shouldn't ever generate this case, but ignore it if we do. */
-              printf("%-25s  %6ld  %6ld  %6ld  %6ld  %6ld  ",
+      if (ip.family == IPADDR_UNSPEC)
-                     hostname_buf,
+        continue;
-                     client_hits, peer_hits,
+
-                     cmd_hits_auth, cmd_hits_normal, cmd_hits_bad);
+      if (no_dns)
-              print_seconds(last_ntp_hit_ago);
+        snprintf(hostname, sizeof (hostname), "%s", UTI_IPToString(&ip));
      else
        DNS_IPAddress2Name(&ip, hostname, sizeof (hostname));
      printf("%-25s", hostname);
      printf("  %6"PRIu32"  %5"PRIu32"  ",
             ntohl(client->ntp_hits), ntohl(client->ntp_drops));
      print_clientlog_interval(client->ntp_interval);
      printf("  ");
-              print_seconds(last_cmd_hit_ago);
+      print_clientlog_interval(client->ntp_timeout_interval);
      printf("  ");
      print_seconds(ntohl(client->last_ntp_hit_ago));
      printf("  %6"PRIu32"  %5"PRIu32"  ",
             ntohl(client->cmd_hits), ntohl(client->cmd_drops));
      print_clientlog_interval(client->cmd_interval);
      printf("  ");
      print_seconds(ntohl(client->last_cmd_hit_ago));
      printf("\n");
    }
          }              
    /* Set the next index to probe based on what the server tells us */
    next_index = ntohl(reply.data.client_accesses_by_index.next_index);
          if (next_index >= n_indices_in_table) {
            goto finished;
          }
    } else {
      return 0;
    }
  } while (1); /* keep going until all subnets have been expanded,
                  down to single nodes */
-finished:
+    if (next_index >= n_indices || n_clients < MAX_CLIENT_ACCESSES)
      break;
  }
  return 1;
 }
@@ -2313,14 +2332,20 @@ process_cmd_waitsync(char *line)
  CMD_Request request;
  CMD_Reply reply;
  uint32_t ref_id, a, b, c, d;
-  double correction, skew_ppm, max_correction, max_skew_ppm;
+  double correction, skew_ppm, max_correction, max_skew_ppm, interval;
  int ret = 0, max_tries, i;
  struct timeval timeout;
  max_tries = 0;
  max_correction = 0.0;
  max_skew_ppm = 0.0;
  interval = 10.0;
-  sscanf(line, "%d %lf %lf", &max_tries, &max_correction, &max_skew_ppm);
+  sscanf(line, "%d %lf %lf %lf", &max_tries, &max_correction, &max_skew_ppm, &interval);
  /* Don't allow shorter interval than 0.1 seconds */
  if (interval < 0.1)
    interval = 0.1;
  request.command = htons(REQ_TRACKING);
@@ -2347,7 +2372,9 @@ process_cmd_waitsync(char *line)
    }
    if (!ret && (!max_tries || i < max_tries) && !quit) {
-      sleep(10);
+      UTI_DoubleToTimeval(interval, &timeout);
      if (select(0, NULL, NULL, NULL, &timeout))
        break;
    } else {
      break;
    }
@@ -2411,6 +2438,39 @@ process_cmd_retries(const char *line)
 /* ================================================== */
 static int
 process_cmd_keygen(char *line)
 {
  char hash_name[17];
  unsigned char key[512];
  unsigned int i, length, id = 1, bits = 160;
 #ifdef FEAT_SECHASH
  snprintf(hash_name, sizeof (hash_name), "SHA1");
 #else
  snprintf(hash_name, sizeof (hash_name), "MD5");
 #endif
  sscanf(line, "%u %16s %d", &id, hash_name, &bits);
  length = CLAMP(10, (bits + 7) / 8, sizeof (key));
  if (HSH_GetHashId(hash_name) < 0) {
    LOG(LOGS_ERR, LOGF_Client, "Unknown hash function %s", hash_name);
    return 0;
  }
  UTI_GetRandomBytesUrandom(key, length);
  printf("%u %s HEX:", id, hash_name);
  for (i = 0; i < length; i++)
    printf("%02hhX", key[i]);
  printf("\n");
  return 1;
 }
 /* ================================================== */
 static int
 process_line(char *line)
 {
@@ -2497,6 +2557,9 @@ process_line(char *line)
    do_normal_submit = 0;
    give_help();
    ret = 1;
  } else if (!strcmp(command, "keygen")) {
    ret = process_cmd_keygen(line);
    do_normal_submit = 0;
  } else if (!strcmp(command, "local")) {
    do_normal_submit = process_cmd_local(&tx_message, line);
  } else if (!strcmp(command, "makestep")) {
@@ -2548,6 +2611,9 @@ process_line(char *line)
  } else if (!strcmp(command, "rtcdata")) {
    do_normal_submit = 0;
    ret = process_cmd_rtcreport(line);
  } else if (!strcmp(command, "serverstats")) {
    do_normal_submit = 0;
    ret = process_cmd_serverstats(line);
  } else if (!strcmp(command, "settime")) {
    do_normal_submit = 0;
    ret = process_cmd_settime(line);
@@ -2645,7 +2711,7 @@ static void
 display_gpl(void)
 {
    printf("chrony version %s\n"
-           "Copyright (C) 1997-2003, 2007, 2009-2015 Richard P. Curnow and others\n"
+           "Copyright (C) 1997-2003, 2007, 2009-2016 Richard P. Curnow and others\n"
           "chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and\n"
           "you are welcome to redistribute it under certain conditions.  See the\n"
           "GNU General Public License version 2 for details.\n\n",
--- a/clientlog.c
+++ b/clientlog.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009
+ * Copyright (C) Miroslav Lichvar  2009, 2015-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -34,6 +34,8 @@
 #include "config.h"
 #include "sysincl.h"
 #include "array.h"
 #include "clientlog.h"
 #include "conf.h"
 #include "memory.h"
@@ -41,110 +43,240 @@
 #include "util.h"
 #include "logging.h"
-/* Number of bits of address per layer of the table.  This value has
+typedef struct {
   been chosen on the basis that a server will predominantly be serving
   a lot of hosts in a few subnets, rather than a few hosts scattered
   across many subnets. */
 #define NBITS 8
 /* Number of entries in each subtable */
 #define TABLE_SIZE (1UL<<NBITS)
 typedef struct _Node {
  IPAddr ip_addr;
-  unsigned long client_hits;
+  uint32_t last_ntp_hit;
-  unsigned long peer_hits;
+  uint32_t last_cmd_hit;
-  unsigned long cmd_hits_bad;
+  uint32_t ntp_hits;
-  unsigned long cmd_hits_normal;
+  uint32_t cmd_hits;
-  unsigned long cmd_hits_auth;
+  uint16_t ntp_drops;
-  time_t last_ntp_hit;
+  uint16_t cmd_drops;
-  time_t last_cmd_hit;
+  uint16_t ntp_tokens;
-} Node;
+  uint16_t cmd_tokens;
  int8_t ntp_rate;
  int8_t cmd_rate;
  int8_t ntp_timeout_rate;
  uint8_t flags;
 } Record;
-typedef struct _Subnet {
+/* Hash table of records, there is a fixed number of records per slot */
-  void *entry[TABLE_SIZE];
+static ARR_Instance records;
 } Subnet;
-/* ================================================== */
+#define SLOT_BITS 4
-/* Table for the IPv4 class A subnet */
+/* Number of records in one slot of the hash table */
-static Subnet top_subnet4;
+#define SLOT_SIZE (1U << SLOT_BITS)
 /* Table for IPv6 */
 static Subnet top_subnet6;
-/* Table containing pointers directly to all nodes that have been
+/* Minimum number of slots */
-   allocated. */
+#define MIN_SLOTS 1
 static Node **nodes = NULL;
-/* Number of nodes actually in the table. */
+/* Maximum number of slots, this is a hard limit */
-static int n_nodes = 0;
+#define MAX_SLOTS (1U << (24 - SLOT_BITS))
-/* Number of entries for which the table has been sized. */
+/* Number of slots in the hash table */
-static int max_nodes = 0;
+static unsigned int slots;
 /* Maximum number of slots given memory allocation limit */
 static unsigned int max_slots;
 /* Times of last hits are saved as 32-bit fixed point values */
 #define TS_FRAC 4
 #define INVALID_TS 0
 /* Request rates are saved in the record as 8-bit scaled log2 values */
 #define RATE_SCALE 4
 #define MIN_RATE (-14 * RATE_SCALE)
 #define INVALID_RATE -128
 /* Response rates are controlled by token buckets.  The capacity and
   number of tokens spent on response are determined from configured
   minimum inverval between responses (in log2) and burst length. */
 #define MIN_LIMIT_INTERVAL (-TS_FRAC)
 #define MAX_LIMIT_INTERVAL 12
 #define MIN_LIMIT_BURST 1
 #define MAX_LIMIT_BURST 255
 static uint16_t max_ntp_tokens;
 static uint16_t max_cmd_tokens;
 static uint16_t ntp_tokens_per_packet;
 static uint16_t cmd_tokens_per_packet;
 /* Reduction of token rates to avoid overflow of 16-bit counters */
 static int ntp_token_shift;
 static int cmd_token_shift;
 /* Rates at which responses are randomly allowed (in log2) when the
   buckets don't have enough tokens.  This is necessary in order to
   prevent an attacker sending requests with spoofed source address
   from blocking responses to the address completely. */
 #define MIN_LEAK_RATE 1
 #define MAX_LEAK_RATE 4
 static int ntp_leak_rate;
 static int cmd_leak_rate;
 /* Flag indicating whether the last response was dropped */
 #define FLAG_NTP_DROPPED 0x1
 /* Flag indicating whether facility is turned on or not */
-static int active = 0;
+static int active;
-/* Flag indicating whether memory allocation limit has been reached
+/* Global statistics */
-   and no new nodes or subnets should be allocated */
+static uint32_t total_ntp_hits;
-static int alloc_limit_reached;
+static uint32_t total_cmd_hits;
-
+static uint32_t total_ntp_drops;
-static unsigned long alloc_limit;
+static uint32_t total_cmd_drops;
-static unsigned long alloced;
+static uint32_t total_record_drops;
 /* ================================================== */
-static void
+static int expand_hashtable(void);
 split_ip6(IPAddr *ip, uint32_t *dst)
 {
  int i;
-  for (i = 0; i < 4; i++)
+/* ================================================== */
-    dst[i] = ip->addr.in6[i * 4 + 0] << 24 |
+
-             ip->addr.in6[i * 4 + 1] << 16 |
+static int
-             ip->addr.in6[i * 4 + 2] << 8 |
+compare_ts(uint32_t x, uint32_t y)
-             ip->addr.in6[i * 4 + 3];
+{
  if (x == y)
    return 0;
  if (y == INVALID_TS)
    return 1;
  return (int32_t)(x - y) > 0 ? 1 : -1;
 }
 /* ================================================== */
-inline static uint32_t
+static Record *
-get_subnet(uint32_t *addr, unsigned int where)
+get_record(IPAddr *ip)
 {
-  int off;
+  unsigned int first, i;
  time_t last_hit, oldest_hit = 0;
  Record *record, *oldest_record;
-  off = where / 32;
+  if (ip->family != IPADDR_INET4 && ip->family != IPADDR_INET6)
-  where %= 32;
+    return NULL;
-  return (addr[off] >> (32 - NBITS - where)) & ((1UL << NBITS) - 1);
+  while (1) {
-}
+    /* Get index of the first record in the slot */
    first = UTI_IPToHash(ip) % slots * SLOT_SIZE;
-/* ================================================== */
+    for (i = 0, oldest_record = NULL; i < SLOT_SIZE; i++) {
      record = ARR_GetElement(records, first + i);
      if (!UTI_CompareIPs(ip, &record->ip_addr, NULL))
        return record;
-static void
+      if (record->ip_addr.family == IPADDR_UNSPEC)
-clear_subnet(Subnet *subnet)
+        break;
 {
  int i;
-  for (i=0; i<TABLE_SIZE; i++) {
+      last_hit = compare_ts(record->last_ntp_hit, record->last_cmd_hit) > 0 ?
-    subnet->entry[i] = NULL;
+                 record->last_ntp_hit : record->last_cmd_hit;
      if (!oldest_record || compare_ts(oldest_hit, last_hit) > 0 ||
          (oldest_hit == last_hit && record->ntp_hits + record->cmd_hits <
           oldest_record->ntp_hits + oldest_record->cmd_hits)) {
        oldest_record = record;
        oldest_hit = last_hit;
      }
    }
    /* If the slot still has an empty record, use it */
    if (record->ip_addr.family == IPADDR_UNSPEC)
      break;
    /* Resize the table if possible and try again as the new slot may
       have some empty records */
    if (expand_hashtable())
      continue;
    /* There is no other option, replace the oldest record */
    record = oldest_record;
    total_record_drops++;
    break;
  }
  record->ip_addr = *ip;
  record->last_ntp_hit = record->last_cmd_hit = INVALID_TS;
  record->ntp_hits = record->cmd_hits = 0;
  record->ntp_drops = record->cmd_drops = 0;
  record->ntp_tokens = max_ntp_tokens;
  record->cmd_tokens = max_cmd_tokens;
  record->ntp_rate = record->cmd_rate = INVALID_RATE;
  record->ntp_timeout_rate = INVALID_RATE;
  record->flags = 0;
  return record;
 }
 /* ================================================== */
 static int
 expand_hashtable(void)
 {
  ARR_Instance old_records;
  Record *old_record, *new_record;
  unsigned int i;
  old_records = records;
  if (2 * slots > max_slots)
    return 0;
  records = ARR_CreateInstance(sizeof (Record));
  slots = MAX(MIN_SLOTS, 2 * slots);
  assert(slots <= max_slots);
  ARR_SetSize(records, slots * SLOT_SIZE);
  /* Mark all new records as empty */
  for (i = 0; i < slots * SLOT_SIZE; i++) {
    new_record = ARR_GetElement(records, i);
    new_record->ip_addr.family = IPADDR_UNSPEC;
  }
  if (!old_records)
    return 1;
  /* Copy old records to the new hash table */
  for (i = 0; i < ARR_GetSize(old_records); i++) {
    old_record = ARR_GetElement(old_records, i);
    if (old_record->ip_addr.family == IPADDR_UNSPEC)
      continue;
    new_record = get_record(&old_record->ip_addr);
    assert(new_record);
    *new_record = *old_record;
  }
  ARR_DestroyInstance(old_records);
  return 1;
 }
 /* ================================================== */
 static void
-clear_node(Node *node)
+set_bucket_params(int interval, int burst, uint16_t *max_tokens,
                  uint16_t *tokens_per_packet, int *token_shift)
 {
-  node->client_hits = 0;
+  interval = CLAMP(MIN_LIMIT_INTERVAL, interval, MAX_LIMIT_INTERVAL);
-  node->peer_hits = 0;
+  burst = CLAMP(MIN_LIMIT_BURST, burst, MAX_LIMIT_BURST);
-  node->cmd_hits_auth = 0;
+
-  node->cmd_hits_normal = 0;
+  /* Find smallest shift with which the maximum number fits in 16 bits */
-  node->cmd_hits_bad = 0;
+  for (*token_shift = 0; *token_shift < interval + TS_FRAC; (*token_shift)++) {
-  node->last_ntp_hit = (time_t) 0;
+    if (burst << (TS_FRAC + interval - *token_shift) < 1U << 16)
-  node->last_cmd_hit = (time_t) 0;
+      break;
  }
  *tokens_per_packet = 1U << (TS_FRAC + interval - *token_shift);
  *max_tokens = *tokens_per_packet * burst;
  DEBUG_LOG(LOGF_ClientLog, "Tokens max %d packet %d shift %d",
            *max_tokens, *tokens_per_packet, *token_shift);
 }
 /* ================================================== */
@@ -152,21 +284,42 @@ clear_node(Node *node)
 void
 CLG_Initialise(void)
 {
-  clear_subnet(&top_subnet4);
+  int interval, burst, leak_rate;
-  clear_subnet(&top_subnet6);
+
-  if (CNF_GetNoClientLog()) {
+  max_ntp_tokens = max_cmd_tokens = 0;
-    active = 0;
+  ntp_tokens_per_packet = cmd_tokens_per_packet = 0;
-  } else {
+  ntp_token_shift = cmd_token_shift = 0;
-    active = 1;
+  ntp_leak_rate = cmd_leak_rate = 0;
  if (CNF_GetNTPRateLimit(&interval, &burst, &leak_rate)) {
    set_bucket_params(interval, burst, &max_ntp_tokens, &ntp_tokens_per_packet,
                      &ntp_token_shift);
    ntp_leak_rate = CLAMP(MIN_LEAK_RATE, leak_rate, MAX_LEAK_RATE);
  }
-  nodes = NULL;
+  if (CNF_GetCommandRateLimit(&interval, &burst, &leak_rate)) {
-  max_nodes = 0;
+    set_bucket_params(interval, burst, &max_cmd_tokens, &cmd_tokens_per_packet,
-  n_nodes = 0;
+                      &cmd_token_shift);
    cmd_leak_rate = CLAMP(MIN_LEAK_RATE, leak_rate, MAX_LEAK_RATE);
  }
-  alloced = 0;
+  active = !CNF_GetNoClientLog();
-  alloc_limit = CNF_GetClientLogLimit();
+  if (!active) {
-  alloc_limit_reached = 0;
+    if (ntp_leak_rate || cmd_leak_rate)
      LOG_FATAL(LOGF_ClientLog, "ratelimit cannot be used with noclientlog");
    return;
  }
  /* Calculate the maximum number of slots that can be allocated in the
     configured memory limit.  Take into account expanding of the hash
     table where two copies exist at the same time. */
  max_slots = CNF_GetClientLogLimit() / (sizeof (Record) * SLOT_SIZE * 3 / 2);
  max_slots = CLAMP(MIN_SLOTS, max_slots, MAX_SLOTS);
  slots = 0;
  records = NULL;
  expand_hashtable();
 }
 /* ================================================== */
@@ -174,208 +327,302 @@ CLG_Initialise(void)
 void
 CLG_Finalise(void)
 {
-  int i;
+  if (!active)
    return;
-  for (i = 0; i < n_nodes; i++)
+  ARR_DestroyInstance(records);
    Free(nodes[i]);
  Free(nodes);
 }
 /* ================================================== */
-static void check_alloc_limit() {
+static uint32_t
-  if (alloc_limit_reached)
+get_ts_from_timeval(struct timeval *tv)
-    return;
+{
  uint32_t sec = tv->tv_sec, usec = tv->tv_usec;
-  if (alloced >= alloc_limit) {
+  return sec << TS_FRAC | (4295U * usec - (usec >> 5)) >> (32 - TS_FRAC);
    LOG(LOGS_WARN, LOGF_ClientLog, "Client log memory limit reached");
    alloc_limit_reached = 1;
  }
 }
 /* ================================================== */
 static void
-create_subnet(Subnet *parent_subnet, int the_entry)
+update_record(struct timeval *now, uint32_t *last_hit, uint32_t *hits,
              uint16_t *tokens, uint32_t max_tokens, int token_shift, int8_t *rate)
 {
-  parent_subnet->entry[the_entry] = (void *) MallocNew(Subnet);
+  uint32_t interval, now_ts, prev_hit, new_tokens;
-  clear_subnet((Subnet *) parent_subnet->entry[the_entry]);
+  int interval2;
  alloced += sizeof (Subnet);
  check_alloc_limit();
 }
-/* ================================================== */
+  now_ts = get_ts_from_timeval(now);
-static void
+  prev_hit = *last_hit;
-create_node(Subnet *parent_subnet, int the_entry)
+  *last_hit = now_ts;
-{
+  (*hits)++;
  Node *new_node;
  new_node = MallocNew(Node);
  parent_subnet->entry[the_entry] = (void *) new_node;
  clear_node(new_node);
-  alloced += sizeof (Node);
+  interval = now_ts - prev_hit;
-  if (n_nodes == max_nodes) {
+  if (prev_hit == INVALID_TS || (int32_t)interval < 0)
-    if (nodes) {
+    return;
-      assert(max_nodes > 0);
+
-      max_nodes *= 2;
+  new_tokens = (now_ts >> token_shift) - (prev_hit >> token_shift);
-      nodes = ReallocArray(Node *, max_nodes, nodes);
+  *tokens = MIN(*tokens + new_tokens, max_tokens);
  /* Convert the interval to scaled and rounded log2 */
  if (interval) {
    interval += interval >> 1;
    for (interval2 = -RATE_SCALE * TS_FRAC; interval2 < -MIN_RATE;
         interval2 += RATE_SCALE) {
      if (interval <= 1)
        break;
      interval >>= 1;
    }
  } else {
-      assert(max_nodes == 0);
+    interval2 = -RATE_SCALE * (TS_FRAC + 1);
      max_nodes = 16;
      nodes = MallocArray(Node *, max_nodes);
  }
    alloced += sizeof (Node *) * (max_nodes - n_nodes);
  }
  nodes[n_nodes++] = (Node *) new_node;
  check_alloc_limit();
 }
-/* ================================================== */
+  /* Update the rate in a rough approximation of exponential moving average */
-/* Recursively seek out the Node entry for a particular address,
+  if (*rate == INVALID_RATE) {
-   expanding subnet tables and node entries as we go if necessary. */
+    *rate = -interval2;
 static void *
 find_subnet(Subnet *subnet, uint32_t *addr, int addr_len, int bits_consumed)
 {
  uint32_t this_subnet;
  this_subnet = get_subnet(addr, bits_consumed);
  bits_consumed += NBITS;
  if (bits_consumed < 32 * addr_len) {
    if (!subnet->entry[this_subnet]) {
      if (alloc_limit_reached)
        return NULL;
      create_subnet(subnet, this_subnet);
    }
    return find_subnet((Subnet *) subnet->entry[this_subnet], addr, addr_len, bits_consumed);
  } else {
-    if (!subnet->entry[this_subnet]) {
+    if (*rate < -interval2) {
-      if (alloc_limit_reached)
+      (*rate)++;
-        return NULL;
+    } else if (*rate > -interval2) {
-      create_node(subnet, this_subnet);
+      if (*rate > RATE_SCALE * 5 / 2 - interval2)
        *rate = RATE_SCALE * 5 / 2 - interval2;
      else
        *rate = (*rate - interval2 - 1) / 2;
    }
    return subnet->entry[this_subnet];
  }
 }
 /* ================================================== */
-static Node *
+static int
-get_node(IPAddr *ip)
+get_index(Record *record)
 {
-  uint32_t ip6[4];
+  return record - (Record *)ARR_GetElements(records);
 }
-  switch (ip->family) {
+/* ================================================== */
-    case IPADDR_INET4:
+
-      return (Node *)find_subnet(&top_subnet4, &ip->addr.in4, 1, 0);
+int
-    case IPADDR_INET6:
+CLG_LogNTPAccess(IPAddr *client, struct timeval *now)
-      split_ip6(ip, ip6);
+{
-      return (Node *)find_subnet(&top_subnet6, ip6, 4, 0);
+  Record *record;
-    default:
+
-      return NULL;
+  total_ntp_hits++;
  if (!active)
    return -1;
  record = get_record(client);
  if (record == NULL)
    return -1;
  /* Update one of the two rates depending on whether the previous request
     of the client had a reply or it timed out */
  update_record(now, &record->last_ntp_hit, &record->ntp_hits,
                &record->ntp_tokens, max_ntp_tokens, ntp_token_shift,
                record->flags & FLAG_NTP_DROPPED ?
                &record->ntp_timeout_rate : &record->ntp_rate);
  DEBUG_LOG(LOGF_ClientLog, "NTP hits %"PRIu32" rate %d trate %d tokens %d",
            record->ntp_hits, record->ntp_rate, record->ntp_timeout_rate,
            record->ntp_tokens);
  return get_index(record);
 }
 /* ================================================== */
 int
 CLG_LogCommandAccess(IPAddr *client, struct timeval *now)
 {
  Record *record;
  total_cmd_hits++;
  if (!active)
    return -1;
  record = get_record(client);
  if (record == NULL)
    return -1;
  update_record(now, &record->last_cmd_hit, &record->cmd_hits,
                &record->cmd_tokens, max_cmd_tokens, cmd_token_shift,
                &record->cmd_rate);
  DEBUG_LOG(LOGF_ClientLog, "Cmd hits %"PRIu32" rate %d tokens %d",
            record->cmd_hits, record->cmd_rate, record->cmd_tokens);
  return get_index(record);
 }
 /* ================================================== */
 static int
 limit_response_random(int leak_rate)
 {
  static uint32_t rnd;
  static int bits_left = 0;
  int r;
  if (bits_left < leak_rate) {
    UTI_GetRandomBytes(&rnd, sizeof (rnd));
    bits_left = 8 * sizeof (rnd);
  }
  /* Return zero on average once per 2^leak_rate */
  r = rnd % (1U << leak_rate) ? 1 : 0;
  rnd >>= leak_rate;
  bits_left -= leak_rate;
  return r;
 }
 /* ================================================== */
 int
 CLG_LimitNTPResponseRate(int index)
 {
  Record *record;
  int drop;
  if (!ntp_tokens_per_packet)
    return 0;
  record = ARR_GetElement(records, index);
  record->flags &= ~FLAG_NTP_DROPPED;
  if (record->ntp_tokens >= ntp_tokens_per_packet) {
    record->ntp_tokens -= ntp_tokens_per_packet;
    return 0;
  }
  drop = limit_response_random(ntp_leak_rate);
  /* Poorly implemented clients may send new requests at even a higher rate
     when they are not getting replies.  If the request rate seems to be more
     than twice as much as when replies are sent, give up on rate limiting to
     reduce the amount of traffic.  Invert the sense of the leak to respond to
     most of the requests, but still keep the estimated rate updated. */
  if (record->ntp_timeout_rate != INVALID_RATE &&
      record->ntp_timeout_rate > record->ntp_rate + RATE_SCALE)
    drop = !drop;
  if (!drop) {
    record->ntp_tokens = 0;
    return 0;
  }
  record->flags |= FLAG_NTP_DROPPED;
  record->ntp_drops++;
  total_ntp_drops++;
  return 1;
 }
 /* ================================================== */
 int
 CLG_LimitCommandResponseRate(int index)
 {
  Record *record;
  if (!cmd_tokens_per_packet)
    return 0;
  record = ARR_GetElement(records, index);
  if (record->cmd_tokens >= cmd_tokens_per_packet) {
    record->cmd_tokens -= cmd_tokens_per_packet;
    return 0;
  }
  if (!limit_response_random(cmd_leak_rate)) {
    record->cmd_tokens = 0;
    return 0;
  }
  record->cmd_drops++;
  total_cmd_drops++;
  return 1;
 }
 /* ================================================== */
 extern int
 CLG_GetNumberOfIndices(void)
 {
  if (!active)
    return -1;
  return ARR_GetSize(records);
 }
 /* ================================================== */
 static int get_interval(int rate)
 {
  if (rate == INVALID_RATE)
    return 127;
  rate += rate > 0 ? RATE_SCALE / 2 : -RATE_SCALE / 2;
  return rate / -RATE_SCALE;
 }
 /* ================================================== */
 static uint32_t get_last_ago(uint32_t x, uint32_t y)
 {
  if (y == INVALID_TS || (int32_t)(x - y) < 0)
    return -1;
  return (x - y) >> TS_FRAC;
 }
 /* ================================================== */
 int
 CLG_GetClientAccessReportByIndex(int index, RPT_ClientAccessByIndex_Report *report, struct timeval *now)
 {
  Record *record;
  uint32_t now_ts;
  if (!active || index < 0 || index >= ARR_GetSize(records))
    return 0;
  record = ARR_GetElement(records, index);
  if (record->ip_addr.family == IPADDR_UNSPEC)
    return 0;
  now_ts = get_ts_from_timeval(now);
  report->ip_addr = record->ip_addr;
  report->ntp_hits = record->ntp_hits;
  report->cmd_hits = record->cmd_hits;
  report->ntp_drops = record->ntp_drops;
  report->cmd_drops = record->cmd_drops;
  report->ntp_interval = get_interval(record->ntp_rate);
  report->cmd_interval = get_interval(record->cmd_rate);
  report->ntp_timeout_interval = get_interval(record->ntp_timeout_rate);
  report->last_ntp_hit_ago = get_last_ago(now_ts, record->last_ntp_hit);
  report->last_cmd_hit_ago = get_last_ago(now_ts, record->last_cmd_hit);
  return 1;
 }
 /* ================================================== */
 void
-CLG_LogNTPClientAccess (IPAddr *client, time_t now)
+CLG_GetServerStatsReport(RPT_ServerStatsReport *report)
 {
-  Node *node;
+  report->ntp_hits = total_ntp_hits;
-
+  report->cmd_hits = total_cmd_hits;
-  if (active) {
+  report->ntp_drops = total_ntp_drops;
-    node = get_node(client);
+  report->cmd_drops = total_cmd_drops;
-    if (node == NULL)
+  report->log_drops = total_record_drops;
      return;
    node->ip_addr = *client;
    ++node->client_hits;
    node->last_ntp_hit = now;
  }
 }
 /* ================================================== */
 void
 CLG_LogNTPPeerAccess(IPAddr *client, time_t now)
 {
  Node *node;
  if (active) {
    node = get_node(client);
    if (node == NULL)
      return;
    node->ip_addr = *client;
    ++node->peer_hits;
    node->last_ntp_hit = now;
  }
 }
 /* ================================================== */
 void
 CLG_LogCommandAccess(IPAddr *client, CLG_Command_Type type, time_t now)
 {
  Node *node;
  if (active) {
    node = get_node(client);
    if (node == NULL)
      return;
    node->ip_addr = *client;
    node->last_cmd_hit = now;
    switch (type) {
      case CLG_CMD_AUTH:
        ++node->cmd_hits_auth;
        break;
      case CLG_CMD_NORMAL:
        ++node->cmd_hits_normal;
        break;
      case CLG_CMD_BAD_PKT:
        ++node->cmd_hits_bad;
        break;
      default:
        assert(0);
        break;
    }
  }
 }
 /* ================================================== */
 CLG_Status
 CLG_GetClientAccessReportByIndex(int index, RPT_ClientAccessByIndex_Report *report,
                                 time_t now, unsigned long *n_indices)
 {
  Node *node;
  *n_indices = n_nodes;
  if (!active) {
    return CLG_INACTIVE;
  } else {
    if ((index < 0) || (index >= n_nodes)) {
      return CLG_INDEXTOOLARGE;
    }
    node = nodes[index];
    report->ip_addr = node->ip_addr;
    report->client_hits = node->client_hits;
    report->peer_hits = node->peer_hits;
    report->cmd_hits_auth = node->cmd_hits_auth;
    report->cmd_hits_normal = node->cmd_hits_normal;
    report->cmd_hits_bad = node->cmd_hits_bad;
    report->last_ntp_hit_ago = now - node->last_ntp_hit;
    report->last_cmd_hit_ago = now - node->last_cmd_hit;
    return CLG_SUCCESS;
  }
 }
--- a/clientlog.h
+++ b/clientlog.h
@@ -33,32 +33,15 @@
 extern void CLG_Initialise(void);
 extern void CLG_Finalise(void);
-extern void CLG_LogNTPClientAccess(IPAddr *client, time_t now);
+extern int CLG_LogNTPAccess(IPAddr *client, struct timeval *now);
-extern void CLG_LogNTPPeerAccess(IPAddr *client, time_t now);
+extern int CLG_LogCommandAccess(IPAddr *client, struct timeval *now);
-
+extern int CLG_LimitNTPResponseRate(int index);
-/* When logging command packets, there are several subtypes */
+extern int CLG_LimitCommandResponseRate(int index);
 typedef enum {
  CLG_CMD_AUTH,                 /* authenticated */
  CLG_CMD_NORMAL,               /* normal */
  CLG_CMD_BAD_PKT               /* bad version or packet length */
 } CLG_Command_Type;
 extern void CLG_LogCommandAccess(IPAddr *client, CLG_Command_Type type, time_t now);
 /* And some reporting functions, for use by chronyc. */
 /* TBD */
-typedef enum {
+extern int CLG_GetNumberOfIndices(void);
-  CLG_SUCCESS,                  /* All is well */
+extern int CLG_GetClientAccessReportByIndex(int index, RPT_ClientAccessByIndex_Report *report, struct timeval *now);
-  CLG_EMPTYSUBNET,              /* No hosts logged in requested subnet */
+extern void CLG_GetServerStatsReport(RPT_ServerStatsReport *report);
  CLG_BADSUBNET,                /* Subnet requested is not 0, 8, 16 or 24 bits */
  CLG_INACTIVE,                 /* Facility not active */
  CLG_INDEXTOOLARGE             /* Node index is higher than number of nodes present */
 } CLG_Status;
 CLG_Status
 CLG_GetClientAccessReportByIndex(int index, RPT_ClientAccessByIndex_Report *report,
                                 time_t now, unsigned long *n_indices);
 #endif /* GOT_CLIENTLOG_H */
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2015
+ * Copyright (C) Miroslav Lichvar  2009-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -130,6 +130,8 @@ static const char permissions[] = {
  PERMIT_OPEN, /* SMOOTHING */
  PERMIT_AUTH, /* SMOOTHTIME */
  PERMIT_AUTH, /* REFRESH */
  PERMIT_AUTH, /* SERVER_STATS */
  PERMIT_AUTH, /* CLIENT_ACCESSES_BY_INDEX2 */
 };
 /* ================================================== */
@@ -265,7 +267,20 @@ CAM_Initialise(int family)
    command_length = PKL_CommandLength(&r);
    padding_length = PKL_CommandPaddingLength(&r);
    assert(padding_length <= MAX_PADDING_LENGTH && padding_length <= command_length);
-    assert(command_length == 0 || command_length >= offsetof(CMD_Reply, data));
+    assert((command_length >= offsetof(CMD_Request, data) &&
            command_length <= sizeof (CMD_Request)) || command_length == 0);
  }
  for (i = 1; i < N_REPLY_TYPES; i++) {
    CMD_Reply r;
    int reply_length;
    r.reply = htons(i);
    r.status = STT_SUCCESS;
    r.data.manual_list.n_samples = htonl(MAX_MANUAL_LIST_SAMPLES);
    reply_length = PKL_ReplyLength(&r);
    assert((reply_length >= offsetof(CMD_Reply, data) &&
            reply_length <= sizeof (CMD_Reply)) || reply_length == 0);
  }
  sock_fdu = -1;
@@ -661,17 +676,11 @@ handle_source_data(CMD_Request *rx_message, CMD_Reply *tx_message)
        tx_message->data.source_data.mode    = htons(RPY_SD_MD_REF);
        break;
    }
-    switch (report.sel_option) {
+    tx_message->data.source_data.flags =
-      case RPT_NORMAL:
+                  htons((report.sel_options & SRC_SELECT_PREFER ? RPY_SD_FLAG_PREFER : 0) |
-        tx_message->data.source_data.flags = htons(0);
+                        (report.sel_options & SRC_SELECT_NOSELECT ? RPY_SD_FLAG_NOSELECT : 0) |
-        break;
+                        (report.sel_options & SRC_SELECT_TRUST ? RPY_SD_FLAG_TRUST : 0) |
-      case RPT_PREFER:
+                        (report.sel_options & SRC_SELECT_REQUIRE ? RPY_SD_FLAG_REQUIRE : 0));
        tx_message->data.source_data.flags = htons(RPY_SD_FLAG_PREFER);
        break;
      case RPT_NOSELECT:
        tx_message->data.source_data.flags = htons(RPY_SD_FLAG_NOSELECT);
        break;
    }
    tx_message->data.source_data.reachability = htons(report.reachability);
    tx_message->data.source_data.since_sample = htonl(report.latest_meas_ago);
    tx_message->data.source_data.orig_latest_meas = UTI_FloatHostToNetwork(report.orig_latest_meas);
@@ -764,8 +773,11 @@ handle_add_source(NTP_Source_Type type, CMD_Request *rx_message, CMD_Reply *tx_m
  params.online  = ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_ONLINE ? 1 : 0;
  params.auto_offline = ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_AUTOOFFLINE ? 1 : 0;
  params.iburst = ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_IBURST ? 1 : 0;
-  params.sel_option = ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_PREFER ? SRC_SelectPrefer :
+  params.sel_options =
-                      ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_NOSELECT ? SRC_SelectNoselect : SRC_SelectNormal;
+    (ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_PREFER ? SRC_SELECT_PREFER : 0) |
    (ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_NOSELECT ? SRC_SELECT_NOSELECT : 0) |
    (ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_TRUST ? SRC_SELECT_TRUST : 0) |
    (ntohl(rx_message->data.ntp_source.flags) & REQ_ADDSRC_REQUIRE ? SRC_SELECT_REQUIRE : 0);
  params.max_delay = UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay);
  params.max_delay_ratio = UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay_ratio);
@@ -1017,50 +1029,50 @@ handle_cyclelogs(CMD_Request *rx_message, CMD_Reply *tx_message)
 static void
 handle_client_accesses_by_index(CMD_Request *rx_message, CMD_Reply *tx_message)
 {
  CLG_Status result;
  RPT_ClientAccessByIndex_Report report;
-  unsigned long first_index, n_indices, n_indices_in_table;
+  RPY_ClientAccesses_Client *client;
-  int i, j;
+  int n_indices;
  uint32_t i, j, req_first_index, req_n_clients;
  struct timeval now;
  SCH_GetLastEventTime(&now, NULL, NULL);
-  first_index = ntohl(rx_message->data.client_accesses_by_index.first_index);
+  req_first_index = ntohl(rx_message->data.client_accesses_by_index.first_index);
-  n_indices = ntohl(rx_message->data.client_accesses_by_index.n_indices);
+  req_n_clients = ntohl(rx_message->data.client_accesses_by_index.n_clients);
-  if (n_indices > MAX_CLIENT_ACCESSES)
+  if (req_n_clients > MAX_CLIENT_ACCESSES)
-    n_indices = MAX_CLIENT_ACCESSES;
+    req_n_clients = MAX_CLIENT_ACCESSES;
-  tx_message->reply = htons(RPY_CLIENT_ACCESSES_BY_INDEX);
+  n_indices = CLG_GetNumberOfIndices();
-
+  if (n_indices < 0) {
  for (i = 0, j = 0; i < n_indices; i++) {
    result = CLG_GetClientAccessReportByIndex(first_index + i, &report,
                                              now.tv_sec, &n_indices_in_table);
    tx_message->data.client_accesses_by_index.n_indices = htonl(n_indices_in_table);
    switch (result) {
      case CLG_SUCCESS:
        UTI_IPHostToNetwork(&report.ip_addr, &tx_message->data.client_accesses_by_index.clients[j].ip);
        tx_message->data.client_accesses_by_index.clients[j].client_hits = htonl(report.client_hits);
        tx_message->data.client_accesses_by_index.clients[j].peer_hits = htonl(report.peer_hits);
        tx_message->data.client_accesses_by_index.clients[j].cmd_hits_auth = htonl(report.cmd_hits_auth);
        tx_message->data.client_accesses_by_index.clients[j].cmd_hits_normal = htonl(report.cmd_hits_normal);
        tx_message->data.client_accesses_by_index.clients[j].cmd_hits_bad = htonl(report.cmd_hits_bad);
        tx_message->data.client_accesses_by_index.clients[j].last_ntp_hit_ago = htonl(report.last_ntp_hit_ago);
        tx_message->data.client_accesses_by_index.clients[j].last_cmd_hit_ago = htonl(report.last_cmd_hit_ago);
        j++;
        break;
      case CLG_INDEXTOOLARGE:
        break; /* ignore this index */
      case CLG_INACTIVE:
    tx_message->status = htons(STT_INACTIVE);
    return;
      default:
        assert(0);
        break;
    }
  }
-  tx_message->data.client_accesses_by_index.next_index = htonl(first_index + i);
+  tx_message->reply = htons(RPY_CLIENT_ACCESSES_BY_INDEX2);
  tx_message->data.client_accesses_by_index.n_indices = htonl(n_indices);
  memset(tx_message->data.client_accesses_by_index.clients, 0,
         sizeof (tx_message->data.client_accesses_by_index.clients));
  for (i = req_first_index, j = 0; i < (uint32_t)n_indices && j < req_n_clients; i++) {
    if (!CLG_GetClientAccessReportByIndex(i, &report, &now))
      continue;
    client = &tx_message->data.client_accesses_by_index.clients[j++];
    UTI_IPHostToNetwork(&report.ip_addr, &client->ip);
    client->ntp_hits = htonl(report.ntp_hits);
    client->cmd_hits = htonl(report.cmd_hits);
    client->ntp_drops = htonl(report.ntp_drops);
    client->cmd_drops = htonl(report.cmd_drops);
    client->ntp_interval = report.ntp_interval;
    client->cmd_interval = report.cmd_interval;
    client->ntp_timeout_interval = report.ntp_timeout_interval;
    client->last_ntp_hit_ago = htonl(report.last_ntp_hit_ago);
    client->last_cmd_hit_ago = htonl(report.last_cmd_hit_ago);
  }
  tx_message->data.client_accesses_by_index.next_index = htonl(i);
  tx_message->data.client_accesses_by_index.n_clients = htonl(j);
 }
@@ -1149,36 +1161,43 @@ handle_refresh(CMD_Request *rx_message, CMD_Reply *tx_message)
  NSR_RefreshAddresses();
 }
 /* ================================================== */
 static void
 handle_server_stats(CMD_Request *rx_message, CMD_Reply *tx_message)
 {
  RPT_ServerStatsReport report;
  CLG_GetServerStatsReport(&report);
  tx_message->reply = htons(RPY_SERVER_STATS);
  tx_message->data.server_stats.ntp_hits = htonl(report.ntp_hits);
  tx_message->data.server_stats.cmd_hits = htonl(report.cmd_hits);
  tx_message->data.server_stats.ntp_drops = htonl(report.ntp_drops);
  tx_message->data.server_stats.cmd_drops = htonl(report.cmd_drops);
  tx_message->data.server_stats.log_drops = htonl(report.log_drops);
 }
 /* ================================================== */
 /* Read a packet and process it */
 static void
 read_from_cmd_socket(void *anything)
 {
  int status;
  int read_length; /* Length of packet read */
  int expected_length; /* Expected length of packet without auth data */
  unsigned long flags;
  CMD_Request rx_message;
  CMD_Reply tx_message;
-  int rx_message_length;
+  int status, read_length, expected_length, rx_message_length;
-  int sock_fd;
+  int localhost, allowed, sock_fd, log_index;
  union sockaddr_all where_from;
  socklen_t from_length;
  IPAddr remote_ip;
-  unsigned short remote_port;
+  unsigned short remote_port, rx_command;
-  int localhost;
+  struct timeval now, cooked_now;
  int allowed;
  unsigned short rx_command;
  struct timeval now;
  struct timeval cooked_now;
  flags = 0;
  rx_message_length = sizeof(rx_message);
  from_length = sizeof(where_from);
  sock_fd = (long)anything;
-  status = recvfrom(sock_fd, (char *)&rx_message, rx_message_length, flags,
+  status = recvfrom(sock_fd, (char *)&rx_message, rx_message_length, 0,
                    &where_from.sa, &from_length);
  if (status < 0) {
@@ -1235,25 +1254,19 @@ read_from_cmd_socket(void *anything)
    return;
  }
-  /* Message size sanity check */
+  if (read_length < offsetof(CMD_Request, data) ||
  if (read_length >= offsetof(CMD_Request, data)) {
    expected_length = PKL_CommandLength(&rx_message);
  } else {
    expected_length = 0;
  }
  if (expected_length < offsetof(CMD_Request, data) ||
      read_length < offsetof(CMD_Reply, data) ||
      rx_message.pkt_type != PKT_TYPE_CMD_REQUEST ||
      rx_message.res1 != 0 ||
      rx_message.res2 != 0) {
-    /* We don't know how to process anything like this */
+    /* We don't know how to process anything like this or an error reply
-    CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
+       would be larger than the request */
-    
+    DEBUG_LOG(LOGF_CmdMon, "Command packet dropped");
    return;
  }
  expected_length = PKL_CommandLength(&rx_message);
  rx_command = ntohs(rx_message.command);
  tx_message.version = PROTO_VERSION_NUMBER;
@@ -1271,10 +1284,8 @@ read_from_cmd_socket(void *anything)
  tx_message.pad5 = 0;
  if (rx_message.version != PROTO_VERSION_NUMBER) {
-    DEBUG_LOG(LOGF_CmdMon, "Read command packet with protocol version %d (expected %d) from %s",
+    DEBUG_LOG(LOGF_CmdMon, "Command packet has invalid version (%d != %d)",
-              rx_message.version, PROTO_VERSION_NUMBER, UTI_SockaddrToString(&where_from.sa));
+              rx_message.version, PROTO_VERSION_NUMBER);
    CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
    if (rx_message.version >= PROTO_VERSION_MISMATCH_COMPAT_SERVER) {
      tx_message.status = htons(STT_BADPKTVERSION);
@@ -1283,11 +1294,9 @@ read_from_cmd_socket(void *anything)
    return;
  }
-  if (rx_command >= N_REQUEST_TYPES) {
+  if (rx_command >= N_REQUEST_TYPES ||
-    DEBUG_LOG(LOGF_CmdMon, "Read command packet with invalid command %d from %s",
+      expected_length < (int)offsetof(CMD_Request, data)) {
-              rx_command, UTI_SockaddrToString(&where_from.sa));
+    DEBUG_LOG(LOGF_CmdMon, "Command packet has invalid command %d", rx_command);
    CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
    tx_message.status = htons(STT_INVALID);
    transmit_reply(&tx_message, &where_from);
@@ -1295,10 +1304,8 @@ read_from_cmd_socket(void *anything)
  }
  if (read_length < expected_length) {
-    DEBUG_LOG(LOGF_CmdMon, "Read incorrectly sized command packet from %s",
+    DEBUG_LOG(LOGF_CmdMon, "Command packet is too short (%d < %d)", read_length,
-              UTI_SockaddrToString(&where_from.sa));
+              expected_length);
    CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
    tx_message.status = htons(STT_BADPKTLENGTH);
    transmit_reply(&tx_message, &where_from);
@@ -1307,7 +1314,14 @@ read_from_cmd_socket(void *anything)
  /* OK, we have a valid message.  Now dispatch on message type and process it. */
-  CLG_LogCommandAccess(&remote_ip, CLG_CMD_NORMAL, cooked_now.tv_sec);
+  log_index = CLG_LogCommandAccess(&remote_ip, &cooked_now);
  /* Don't reply to all requests from hosts other than localhost if the rate
     is excessive */
  if (!localhost && log_index >= 0 && CLG_LimitCommandResponseRate(log_index)) {
      DEBUG_LOG(LOGF_CmdMon, "Command packet discarded to limit response rate");
      return;
  }
  if (rx_command >= N_REQUEST_TYPES) {
    /* This should be already handled */
@@ -1507,7 +1521,7 @@ read_from_cmd_socket(void *anything)
          handle_cyclelogs(&rx_message, &tx_message);
          break;
-        case REQ_CLIENT_ACCESSES_BY_INDEX:
+        case REQ_CLIENT_ACCESSES_BY_INDEX2:
          handle_client_accesses_by_index(&rx_message, &tx_message);
          break;
@@ -1547,8 +1561,13 @@ read_from_cmd_socket(void *anything)
          handle_refresh(&rx_message, &tx_message);
          break;
        case REQ_SERVER_STATS:
          handle_server_stats(&rx_message, &tx_message);
          break;
        default:
-          assert(0);
+          DEBUG_LOG(LOGF_CmdMon, "Unhandled command %d", rx_command);
          tx_message.status = htons(STT_FAILED);
          break;
      }
    } else {
--- a/cmdparse.c
+++ b/cmdparse.c
@@ -63,7 +63,7 @@ CPS_ParseNTPSourceAdd(char *line, CPS_NTP_Source *src)
  src->params.max_sources = SRC_DEFAULT_MAXSOURCES;
  src->params.min_samples = SRC_DEFAULT_MINSAMPLES;
  src->params.max_samples = SRC_DEFAULT_MAXSAMPLES;
-  src->params.sel_option = SRC_SelectNormal;
+  src->params.sel_options = 0;
  result = CPS_Success;
@@ -165,10 +165,16 @@ CPS_ParseNTPSourceAdd(char *line, CPS_NTP_Source *src)
          }
        } else if (!strcasecmp(cmd, "noselect")) {
-          src->params.sel_option = SRC_SelectNoselect;
+          src->params.sel_options |= SRC_SELECT_NOSELECT;
        } else if (!strcasecmp(cmd, "prefer")) {
-          src->params.sel_option = SRC_SelectPrefer;
+          src->params.sel_options |= SRC_SELECT_PREFER;
        } else if (!strcasecmp(cmd, "trust")) {
          src->params.sel_options |= SRC_SELECT_TRUST;
        } else if (!strcasecmp(cmd, "require")) {
          src->params.sel_options |= SRC_SELECT_REQUIRE;
        } else if (!strcasecmp(cmd, "version")) {
          if (sscanf(line, "%d%n", &src->params.version, &n) != 1) {
--- a/conf.c
+++ b/conf.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2015
+ * Copyright (C) Miroslav Lichvar  2009-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -50,15 +50,12 @@ static int parse_int(char *line, int *result);
 static int parse_double(char *line, double *result);
 static int parse_null(char *line);
-static void parse_allow(char *);
+static void parse_allow_deny(char *line, ARR_Instance restrictions, int allow);
 static void parse_bindacqaddress(char *);
 static void parse_bindaddress(char *);
 static void parse_bindcmdaddress(char *);
 static void parse_broadcast(char *);
 static void parse_clientloglimit(char *);
 static void parse_cmdallow(char *);
 static void parse_cmddeny(char *);
 static void parse_deny(char *);
 static void parse_fallbackdrift(char *);
 static void parse_include(char *);
 static void parse_initstepslew(char *);
@@ -68,11 +65,11 @@ static void parse_log(char *);
 static void parse_mailonchange(char *);
 static void parse_makestep(char *);
 static void parse_maxchange(char *);
-static void parse_peer(char *);
+static void parse_ratelimit(char *line, int *enabled, int *interval,
-static void parse_pool(char *);
+                            int *burst, int *leak);
 static void parse_refclock(char *);
 static void parse_server(char *);
 static void parse_smoothtime(char *);
 static void parse_source(char *line, NTP_Source_Type type, int pool);
 static void parse_tempcomp(char *);
 /* ================================================== */
@@ -124,7 +121,7 @@ static int enable_manual=0;
 static int rtc_on_utc = 0;
 /* Filename used to read the hwclock(8) LOCAL/UTC setting */
-static char *hwclock_file = NULL;
+static char *hwclock_file;
 /* Flag set if the RTC should be automatically synchronised by kernel */
 static int rtc_sync = 0;
@@ -149,10 +146,8 @@ static double max_offset;
 static int max_samples = 0; /* no limit */
 static int min_samples = 0;
-/* Flag set if we should log to syslog when a time adjustment
+/* Threshold for a time adjustment to be logged to syslog */
-   exceeding the threshold is initiated */
+static double log_change_threshold = 1.0;
 static int do_log_change = 0;
 static double log_change_threshold = 0.0;
 static char *mail_user_on_change = NULL;
 static double mail_change_threshold = 0.0;
@@ -187,6 +182,16 @@ static char *bind_cmd_path;
 * chronyds being started. */
 static char *pidfile;
 /* Rate limiting parameters */
 static int ntp_ratelimit_enabled = 0;
 static int ntp_ratelimit_interval = 3;
 static int ntp_ratelimit_burst = 8;
 static int ntp_ratelimit_leak = 3;
 static int cmd_ratelimit_enabled = 0;
 static int cmd_ratelimit_interval = 1;
 static int cmd_ratelimit_burst = 16;
 static int cmd_ratelimit_leak = 2;
 /* Smoothing constants */
 static double smooth_max_freq = 0.0; /* in ppm */
 static double smooth_max_wander = 0.0; /* in ppm/s */
@@ -324,6 +329,7 @@ CNF_Initialise(int r)
  bind_cmd_path = Strdup(DEFAULT_COMMAND_SOCKET);
  pidfile = Strdup("/var/run/chronyd.pid");
  rtc_device = Strdup("/dev/rtc");
  hwclock_file = Strdup(DEFAULT_HWCLOCK_FILE);
  user = Strdup(DEFAULT_USER);
 }
@@ -413,7 +419,7 @@ CNF_ParseLine(const char *filename, int number, char *line)
  if (!strcasecmp(command, "acquisitionport")) {
    parse_int(p, &acquisition_port);
  } else if (!strcasecmp(command, "allow")) {
-    parse_allow(p);
+    parse_allow_deny(p, ntp_restrictions, 1);
  } else if (!strcasecmp(command, "bindacqaddress")) {
    parse_bindacqaddress(p);
  } else if (!strcasecmp(command, "bindaddress")) {
@@ -425,17 +431,20 @@ CNF_ParseLine(const char *filename, int number, char *line)
  } else if (!strcasecmp(command, "clientloglimit")) {
    parse_clientloglimit(p);
  } else if (!strcasecmp(command, "cmdallow")) {
-    parse_cmdallow(p);
+    parse_allow_deny(p, cmd_restrictions, 1);
  } else if (!strcasecmp(command, "cmddeny")) {
-    parse_cmddeny(p);
+    parse_allow_deny(p, cmd_restrictions, 0);
  } else if (!strcasecmp(command, "cmdport")) {
    parse_int(p, &cmd_port);
  } else if (!strcasecmp(command, "cmdratelimit")) {
    parse_ratelimit(p, &cmd_ratelimit_enabled, &cmd_ratelimit_interval,
                    &cmd_ratelimit_burst, &cmd_ratelimit_leak);
  } else if (!strcasecmp(command, "combinelimit")) {
    parse_double(p, &combine_limit);
  } else if (!strcasecmp(command, "corrtimeratio")) {
    parse_double(p, &correction_time_ratio);
  } else if (!strcasecmp(command, "deny")) {
-    parse_deny(p);
+    parse_allow_deny(p, ntp_restrictions, 0);
  } else if (!strcasecmp(command, "driftfile")) {
    parse_string(p, &drift_file);
  } else if (!strcasecmp(command, "dumpdir")) {
@@ -465,7 +474,7 @@ CNF_ParseLine(const char *filename, int number, char *line)
  } else if (!strcasecmp(command, "logbanner")) {
    parse_int(p, &log_banner);
  } else if (!strcasecmp(command, "logchange")) {
-    do_log_change = parse_double(p, &log_change_threshold);
+    parse_double(p, &log_change_threshold);
  } else if (!strcasecmp(command, "logdir")) {
    parse_string(p, &logdir);
  } else if (!strcasecmp(command, "mailonchange")) {
@@ -493,13 +502,16 @@ CNF_ParseLine(const char *filename, int number, char *line)
  } else if (!strcasecmp(command, "noclientlog")) {
    no_client_log = parse_null(p);
  } else if (!strcasecmp(command, "peer")) {
-    parse_peer(p);
+    parse_source(p, NTP_PEER, 0);
  } else if (!strcasecmp(command, "pidfile")) {
    parse_string(p, &pidfile);
  } else if (!strcasecmp(command, "pool")) {
-    parse_pool(p);
+    parse_source(p, NTP_SERVER, 1);
  } else if (!strcasecmp(command, "port")) {
    parse_int(p, &ntp_port);
  } else if (!strcasecmp(command, "ratelimit")) {
    parse_ratelimit(p, &ntp_ratelimit_enabled, &ntp_ratelimit_interval,
                    &ntp_ratelimit_burst, &ntp_ratelimit_leak);
  } else if (!strcasecmp(command, "refclock")) {
    parse_refclock(p);
  } else if (!strcasecmp(command, "reselectdist")) {
@@ -517,7 +529,7 @@ CNF_ParseLine(const char *filename, int number, char *line)
  } else if (!strcasecmp(command, "sched_priority")) {
    parse_int(p, &sched_priority);
  } else if (!strcasecmp(command, "server")) {
-    parse_server(p);
+    parse_source(p, NTP_SERVER, 0);
  } else if (!strcasecmp(command, "smoothtime")) {
    parse_smoothtime(p);
  } else if (!strcasecmp(command, "stratumweight")) {
@@ -608,25 +620,30 @@ parse_source(char *line, NTP_Source_Type type, int pool)
 /* ================================================== */
 static void
-parse_server(char *line)
+parse_ratelimit(char *line, int *enabled, int *interval, int *burst, int *leak)
 {
-  parse_source(line, NTP_SERVER, 0);
+  int n, val;
-}
+  char *opt;
-/* ================================================== */
+  *enabled = 1;
-static void
+  while (*line) {
-parse_peer(char *line)
+    opt = line;
-{
+    line = CPS_SplitWord(line);
-  parse_source(line, NTP_PEER, 0);
+    if (sscanf(line, "%d%n", &val, &n) != 1) {
-}
+      command_parse_error();
-
+      return;
-/* ================================================== */
+    }
-
+    line += n;
-static void
+    if (!strcasecmp(opt, "interval"))
-parse_pool(char *line)
+      *interval = val;
-{
+    else if (!strcasecmp(opt, "burst"))
-  parse_source(line, NTP_SERVER, 1);
+      *burst = val;
    else if (!strcasecmp(opt, "leak"))
      *leak = val;
    else
      command_parse_error();
  }
 }
 /* ================================================== */
@@ -634,12 +651,11 @@ parse_pool(char *line)
 static void
 parse_refclock(char *line)
 {
-  int n, poll, dpoll, filter_length, pps_rate, min_samples, max_samples;
+  int n, poll, dpoll, filter_length, pps_rate, min_samples, max_samples, sel_options;
  uint32_t ref_id, lock_ref_id;
  double offset, delay, precision, max_dispersion;
  char *p, *cmd, *name, *param;
  unsigned char ref[5];
  SRC_SelectOption sel_option;
  RefclockParameters *refclock;
  poll = 4;
@@ -648,13 +664,13 @@ parse_refclock(char *line)
  pps_rate = 0;
  min_samples = SRC_DEFAULT_MINSAMPLES;
  max_samples = SRC_DEFAULT_MAXSAMPLES;
  sel_options = 0;
  offset = 0.0;
  delay = 1e-9;
  precision = 0.0;
  max_dispersion = 0.0;
  ref_id = 0;
  lock_ref_id = 0;
  sel_option = SRC_SelectNormal;
  if (!*line) {
    command_parse_error();
@@ -681,11 +697,11 @@ parse_refclock(char *line)
    if (!strcasecmp(cmd, "refid")) {
      if (sscanf(line, "%4s%n", (char *)ref, &n) != 1)
        break;
-      ref_id = ref[0] << 24 | ref[1] << 16 | ref[2] << 8 | ref[3];
+      ref_id = (uint32_t)ref[0] << 24 | ref[1] << 16 | ref[2] << 8 | ref[3];
    } else if (!strcasecmp(cmd, "lock")) {
      if (sscanf(line, "%4s%n", (char *)ref, &n) != 1)
        break;
-      lock_ref_id = ref[0] << 24 | ref[1] << 16 | ref[2] << 8 | ref[3];
+      lock_ref_id = (uint32_t)ref[0] << 24 | ref[1] << 16 | ref[2] << 8 | ref[3];
    } else if (!strcasecmp(cmd, "poll")) {
      if (sscanf(line, "%d%n", &poll, &n) != 1) {
        break;
@@ -721,18 +737,25 @@ parse_refclock(char *line)
        break;
    } else if (!strcasecmp(cmd, "noselect")) {
      n = 0;
-      sel_option = SRC_SelectNoselect;
+      sel_options |= SRC_SELECT_NOSELECT;
    } else if (!strcasecmp(cmd, "prefer")) {
      n = 0;
-      sel_option = SRC_SelectPrefer;
+      sel_options |= SRC_SELECT_PREFER;
    } else if (!strcasecmp(cmd, "trust")) {
      n = 0;
      sel_options |= SRC_SELECT_TRUST;
    } else if (!strcasecmp(cmd, "require")) {
      n = 0;
      sel_options |= SRC_SELECT_REQUIRE;
    } else {
-      break;
+      other_parse_error("Invalid refclock option");
      return;
    }
    line += n;
  }
  if (*line) {
-    other_parse_error("Invalid/unreadable refclock parameter");
+    command_parse_error();
    return;
  }
@@ -745,11 +768,11 @@ parse_refclock(char *line)
  refclock->pps_rate = pps_rate;
  refclock->min_samples = min_samples;
  refclock->max_samples = max_samples;
  refclock->sel_options = sel_options;
  refclock->offset = offset;
  refclock->delay = delay;
  refclock->precision = precision;
  refclock->max_dispersion = max_dispersion;
  refclock->sel_option = sel_option;
  refclock->ref_id = ref_id;
  refclock->lock_ref_id = lock_ref_id;
 }
@@ -860,11 +883,6 @@ parse_clientloglimit(char *line)
  if (sscanf(line, "%lu", &client_log_limit) != 1) {
    command_parse_error();
  }
  if (client_log_limit == 0) {
    /* unlimited */
    client_log_limit = (unsigned long)-1;
  }
 }
 /* ================================================== */
@@ -1026,41 +1044,6 @@ parse_allow_deny(char *line, ARR_Instance restrictions, int allow)
  }
 }
 /* ================================================== */
 static void
 parse_allow(char *line)
 {
  parse_allow_deny(line, ntp_restrictions, 1);
 }
 /* ================================================== */
 static void
 parse_deny(char *line)
 {
  parse_allow_deny(line, ntp_restrictions, 0);
 }
 /* ================================================== */
 static void
 parse_cmdallow(char *line)
 {
  parse_allow_deny(line, cmd_restrictions, 1);
 }
 /* ================================================== */
 static void
 parse_cmddeny(char *line)
 {
  parse_allow_deny(line, cmd_restrictions, 0);
 }
 /* ================================================== */
 static void
@@ -1622,11 +1605,10 @@ CNF_GetMaxChange(int *delay, int *ignore, double *offset)
 /* ================================================== */
-void
+double
-CNF_GetLogChange(int *enabled, double *threshold)
+CNF_GetLogChange(void)
 {
-  *enabled = do_log_change;
+  return log_change_threshold;
  *threshold = log_change_threshold;
 }
 /* ================================================== */
@@ -1788,6 +1770,26 @@ CNF_GetLockMemory(void)
 /* ================================================== */
 int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak)
 {
  *interval = ntp_ratelimit_interval;
  *burst = ntp_ratelimit_burst;
  *leak = ntp_ratelimit_leak;
  return ntp_ratelimit_enabled;
 }
 /* ================================================== */
 int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak)
 {
  *interval = cmd_ratelimit_interval;
  *burst = cmd_ratelimit_burst;
  *leak = cmd_ratelimit_leak;
  return cmd_ratelimit_enabled;
 }
 /* ================================================== */
 void
 CNF_GetSmooth(double *max_freq, double *max_wander, int *leap_only)
 {
--- a/conf.h
+++ b/conf.h
@@ -67,7 +67,7 @@ extern int CNF_GetRtcOnUtc(void);
 extern int CNF_GetRtcSync(void);
 extern void CNF_GetMakeStep(int *limit, double *threshold);
 extern void CNF_GetMaxChange(int *delay, int *ignore, double *offset);
-extern void CNF_GetLogChange(int *enabled, double *threshold);
+extern double CNF_GetLogChange(void);
 extern void CNF_GetMailOnChange(int *enabled, double *threshold, char **user);
 extern int CNF_GetNoClientLog(void);
 extern unsigned long CNF_GetClientLogLimit(void);
@@ -98,6 +98,8 @@ extern void CNF_SetupAccessRestrictions(void);
 extern int CNF_GetSchedPriority(void);
 extern int CNF_GetLockMemory(void);
 extern int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak);
 extern int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak);
 extern void CNF_GetSmooth(double *max_freq, double *max_wander, int *leap_only);
 extern void CNF_GetTempComp(char **file, double *interval, char **point_file, double *T0, double *k0, double *k1, double *k2);
--- a/71
+++ b/71
@@ -95,13 +95,14 @@ For better control, use the options below.
  --disable-rtc          Don't include RTC even on Linux
  --disable-privdrop     Disable support for dropping root privileges
  --without-libcap       Don't use libcap even if it is available
-  --disable-scfilter     Disable support for system call filtering
+  --enable-scfilter      Enable support for system call filtering
  --without-seccomp      Don't use seccomp even if it is available
  --disable-asyncdns     Disable asynchronous name resolving
  --disable-forcednsretry Don't retry on permanent DNS error
  --with-ntp-era=SECONDS Specify earliest assumed NTP time in seconds
                         since 1970-01-01 [50*365 days ago]
  --with-user=USER       Specify default chronyd user [root]
  --with-hwclockfile=PATH Specify default path to hwclock(8) adjtime file
  --with-sendmail=PATH   Path to sendmail binary [/usr/lib/sendmail]
  --enable-debug         Enable debugging support
@@ -199,8 +200,9 @@ try_rtc=0
 feat_droproot=1
 try_libcap=-1
 try_clockctl=0
-feat_scfilter=1
+feat_scfilter=0
 try_seccomp=-1
 priv_ops=""
 readline_lib=""
 readline_inc=""
 ncurses_lib=""
@@ -214,6 +216,7 @@ feat_asyncdns=1
 feat_forcednsretry=1
 ntp_era_split=""
 default_user="root"
 default_hwclockfile=""
 mail_program="/usr/lib/sendmail"
 for option
@@ -303,6 +306,9 @@ do
    --without-libcap|--disable-linuxcaps)
      try_libcap=0
    ;;
    --enable-scfilter)
      feat_scfilter=1
    ;;
    --disable-scfilter)
      feat_scfilter=0
    ;;
@@ -321,6 +327,9 @@ do
    --with-user=* )
      default_user=`echo $option | sed -e 's/^.*=//;'`
    ;;
    --with-hwclockfile=* )
      default_hwclockfile=`echo $option | sed -e 's/^.*=//;'`
    ;;
    --with-sendmail=* )
      mail_program=`echo $option | sed -e 's/^.*=//;'`
    ;;
@@ -367,10 +376,13 @@ case $OPERATINGSYSTEM in
        add_def LINUX
        echo "Configuring for " $SYSTEM
    ;;
    FreeBSD)
        EXTRA_OBJECTS="sys_generic.o sys_netbsd.o sys_timex.o"
        add_def FREEBSD
        if [ $feat_droproot = "1" ]; then
          add_def FEAT_PRIVDROP
          priv_ops="ADJUSTTIME ADJUSTTIMEX SETTIME BINDSOCKET"
        fi
        echo "Configuring for $SYSTEM"
    ;;
    NetBSD)
@@ -384,6 +396,10 @@ case $OPERATINGSYSTEM in
        EXTRA_LIBS="-lresolv"
        EXTRA_CLI_LIBS="-lresolv"
        add_def MACOSX
        if [ $feat_droproot = "1" ]; then
          add_def FEAT_PRIVDROP
          priv_ops="ADJUSTTIME SETTIME BINDSOCKET"
        fi
        echo "Configuring for MacOS X (" $SYSTEM "MacOS X version" $VERSION ")"
    ;;
    SunOS)
@@ -395,6 +411,10 @@ case $OPERATINGSYSTEM in
        add_def __EXTENSIONS__
        add_def _XOPEN_SOURCE 1
        add_def _XOPEN_SOURCE_EXTENDED 1
        if [ $feat_droproot = "1" ]; then
          add_def FEAT_PRIVDROP
          priv_ops="ADJUSTTIMEX SETTIME BINDSOCKET"
        fi
        echo "Configuring for Solaris (" $SYSTEM "SunOS version" $VERSION ")" 
    ;;                                                                        
    * )
@@ -471,7 +491,7 @@ then
    split_days=0
  else
    split_seconds=`date '+%s'`
-    if [ "x$split_seconds" = "" ]; then
+    if [ "x$split_seconds" = "x" ]; then
      echo "error: could not get current time, --with-ntp-era option is needed"
      exit 1
    fi
@@ -514,6 +534,13 @@ if test_code '<inttypes.h>' 'inttypes.h' '' '' ''; then
  add_def HAVE_INTTYPES_H
 fi
 if test_code 'struct in_pktinfo' 'sys/socket.h netinet/in.h' '' '' '
  struct in_pktinfo ipi;
  return sizeof (ipi.ipi_spec_dst.s_addr) + IP_PKTINFO;'
 then
  add_def HAVE_IN_PKTINFO
 fi
 if [ $feat_ipv6 = "1" ] && \
  test_code 'IPv6 support' 'arpa/inet.h sys/socket.h netinet/in.h' '' "$EXTRA_LIBS" '
    struct sockaddr_in6 n;
@@ -522,13 +549,13 @@ if [ $feat_ipv6 = "1" ] && \
    return !inet_ntop(AF_INET6, &n.sin6_addr.s6_addr, p, sizeof(p));'
 then
  add_def FEAT_IPV6
-  if test_code 'in6_pktinfo' 'sys/socket.h netinet/in.h' '' '' '
+  if test_code 'struct in6_pktinfo' 'sys/socket.h netinet/in.h' '' '' '
-    return sizeof(struct in6_pktinfo);'
+    return sizeof (struct in6_pktinfo) + IPV6_PKTINFO;'
  then
    add_def HAVE_IN6_PKTINFO
  else
-    if test_code 'in6_pktinfo with _GNU_SOURCE' 'sys/socket.h netinet/in.h' \
+    if test_code 'struct in6_pktinfo with _GNU_SOURCE' 'sys/socket.h netinet/in.h' \
-      '-D_GNU_SOURCE' '' 'return sizeof(struct in6_pktinfo);'
+      '-D_GNU_SOURCE' '' 'return sizeof (struct in6_pktinfo) + IPV6_PKTINFO;'
    then
      add_def _GNU_SOURCE
      add_def HAVE_IN6_PKTINFO
@@ -552,6 +579,10 @@ then
  MYCFLAGS="$MYCFLAGS -pthread"
 fi
 if test_code 'arc4random_buf()' 'stdlib.h' '' '' 'arc4random_buf(NULL, 0);'; then
  add_def HAVE_ARC4RANDOM
 fi
 timepps_h=""
 if [ $feat_refclock = "1" ] && [ $feat_pps = "1" ]; then
  if test_code '<sys/timepps.h>' 'sys/timepps.h' '' '' ''; then
@@ -590,6 +621,7 @@ if [ $feat_droproot = "1" ] && [ $try_clockctl = "1" ] && \
  test_code '<sys/clockctl.h>' 'sys/clockctl.h' '' '' ''
 then
  add_def FEAT_PRIVDROP
  priv_ops="BINDSOCKET"
 fi
 if [ $feat_scfilter = "1" ] && [ $try_seccomp = "1" ] && \
@@ -597,9 +629,21 @@ if [ $feat_scfilter = "1" ] && [ $try_seccomp = "1" ] && \
    'seccomp_init(SCMP_ACT_KILL);'
 then
  add_def FEAT_SCFILTER
  # NAME2IPADDRESS shouldn't be enabled with other operations as the helper
  # process works on one request at the time and the async resolver could
  # block the main thread
  priv_ops="NAME2IPADDRESS"
  EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
 fi
 if [ "x$priv_ops" != "x" ]; then
  EXTRA_OBJECTS="$EXTRA_OBJECTS privops.o"
  add_def PRIVOPS_HELPER
  for o in $priv_ops; do
    add_def PRIVOPS_$o
  done
 fi
 if [ $feat_rtc = "1" ] && [ $try_rtc = "1" ] && \
  test_code '<linux/rtc.h>' 'sys/ioctl.h linux/rtc.h' '' '' \
    'ioctl(1, RTC_UIE_ON&RTC_UIE_OFF&RTC_RD_TIME&RTC_SET_TIME, 0&RTC_UF);'
@@ -784,6 +828,7 @@ if [ "x$SETCHRONYVARDIR" != "x" ]; then
 fi
 add_def DEFAULT_CONF_FILE "\"$SYSCONFDIR/chrony.conf\""
 add_def DEFAULT_HWCLOCK_FILE "\"$default_hwclockfile\""
 add_def DEFAULT_USER "\"$default_user\""
 add_def DEFAULT_COMMAND_SOCKET "\"$CHRONYSOCKDIR/chronyd.sock\""
 add_def MAIL_PROGRAM "\"$mail_program\""
@@ -796,11 +841,13 @@ add_def CHRONYD_FEATURES "\"$chronyd_features $common_features\""
 echo "Features : $chronyd_features $chronyc_features $common_features"
 if [ -f version.txt ]; then
-  add_def CHRONY_VERSION "\"`cat version.txt`\""
+  CHRONY_VERSION="`cat version.txt`"
 else
-  add_def CHRONY_VERSION "\"DEVELOPMENT\""
+  CHRONY_VERSION="DEVELOPMENT"
 fi
 add_def CHRONY_VERSION "\"${CHRONY_VERSION}\""
 for f in Makefile chrony.conf.5 chrony.texi chronyc.1 chronyd.8
 do
  echo Creating $f
@@ -824,7 +871,9 @@ do
          s%@LOCALSTATEDIR@%${LOCALSTATEDIR}%;\
          s%@CHRONYSOCKDIR@%${CHRONYSOCKDIR}%;\
          s%@CHRONYVARDIR@%${CHRONYVARDIR}%;\
-          s%@DEFAULT_USER@%${default_user}%;"\
+          s%@DEFAULT_HWCLOCK_FILE@%${default_hwclockfile}%;\
          s%@DEFAULT_USER@%${default_user}%;\
          s%@CHRONY_VERSION@%${CHRONY_VERSION}%;" \
          < ${f}.in > $f
 done
--- a/contrib/bryan_christianson_1/chronylogrotate.sh
+++ b/contrib/bryan_christianson_1/chronylogrotate.sh
@@ -1,20 +1,27 @@
 #!/bin/sh
-#  chronylogrotate.sh
+#  chronyd/chronyc - Programs for keeping computer clocks accurate.
 #  ChronyControl
 #
 #  Created by Bryan Christianson on 12/07/15.
 #
 #  **********************************************************************
 #  * Copyright (C) Bryan Christianson  2015
 #  *
 #  * This program is free software; you can redistribute it and/or modify
 #  * it under the terms of version 2 of the GNU General Public License as
 #  * published by the Free Software Foundation.
 #  *
 #  * This program is distributed in the hope that it will be useful, but
 #  * WITHOUT ANY WARRANTY; without even the implied warranty of
 #  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 #  * General Public License for more details.
 #  *
 #  * You should have received a copy of the GNU General Public License along
 #  * with this program; if not, write to the Free Software Foundation, Inc.,
 #  * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #  *
 #  **********************************************************************
 LOGDIR=/var/log/chrony
 if [ ! -e "$LOGDIR" ]; then
  echo "missing directory: $LOGDIR"
  exit 1
 fi
 cd $LOGDIR
 rotate () {
  prefix=$1
@@ -33,13 +40,19 @@ rotate () {
  fi
 }
 if [ ! -e "$LOGDIR" ]; then
  logger -s "missing directory: $LOGDIR"
  exit 1
 fi
 cd $LOGDIR
 rotate measurements
 rotate statistics
 rotate tracking
 #
 # signal chronyd via chronyc
-
+/usr/local/bin/chronyc cyclelogs > /dev/null
 /usr/local/bin/chronyc -a -f /etc/chrony.d/chrony.conf cyclelogs > /dev/null
 exit $?
--- a/doc/faq.adoc
+++ b/doc/faq.adoc
@@ -49,6 +49,44 @@ added to +chrony+ to deal with this.
 == Configuration issues
 === What is the minimum recommended configuration for an NTP client?
 First, the client needs to know which NTP servers it should ask for the current
 time.  They are specified by the +server+ or +pool+ directive.  The +pool+
 directive can be used for names that resolve to multiple addresses.  For good
 reliability the client should have at least three servers.  The +iburst+ option
 speeds up the initial synchronisation.
 To stabilize the initial synchronisation on the next start, the estimated drift
 of the system clock is saved by adding the +driftfile+ directive.
 If the system clock can be far from the true time after boot for any reason,
 +chronyd+ should be allowed to correct it quickly by stepping instead of
 slewing, which would take a very long time.  The +makestep+ directive does
 that.
 In order to keep the real-time clock (RTC) close to the true time on Linux, so
 the system time is reasonably close to the true time when it's initialized on
 the next boot from the RTC, the +rtcsync+ directive enables a kernel mode in
 which the system time is copied to the RTC every 11 minutes.
 If you want to use public NTP servers from the
 http://www.pool.ntp.org/[pool.ntp.org] project, the minimal 'chrony.conf' file
 could be:
 ----
 pool pool.ntp.org iburst
 driftfile /var/lib/chrony/drift
 makestep 1 3
 rtcsync
 ----
 === How do I make an NTP server from an NTP client?
 You need to add an +allow+ directive to the 'chrony.conf' file in order to open
 the NTP port and allow +chronyd+ to reply to client requests.  +allow+ with no
 specified subnet allows all IPv4 and IPv6 addresses.
 === I have several computers on a LAN. Should be all clients of an external server?
 The best configuration is usually to make one computer the master, with
@@ -90,21 +128,24 @@ under the root or chrony user (which can access +chronyd+ through a Unix domain
 socket since version 2.2), you can disable the internet command sockets
 completely by adding +cmdport 0+ to the configuration file.
-On Linux, if +chronyd+ is compiled with support for Linux capabilities
+You can specify an unprivileged user with the +-u+ option, or the +user+
-(available in the libcap library), or on NetBSD with the +/dev/clockctl+
+directive in the 'chrony.conf' file, to which +chronyd+ will switch after start
-device, you can specify an unprivileged user with the +-u+ option or +user+
+in order to drop root privileges.  The configure script has a +--with-user+
-directive in the 'chrony.conf' file to drop root privileges after start.  The
+option, which sets the default user.  On Linux, +chronyd+ needs to be compiled
-configure option +--with-user+ can be used to drop the privileges by default.
+with support for the +libcap+ library.  On other systems, +chronyd+ forks into
 two processes.  The child process retains root privileges, but can only perform
 a very limited range of privileged system calls on behalf of the parent.
 Also, if +chronyd+ is compiled with support for the Linux secure computing
 (seccomp) facility, you can enable a system call filter with the +-F+ option.
 It will significantly reduce the kernel attack surface and possibly prevent
-kernel exploits from the +chronyd+ process if compromised.  The filter
+kernel exploits from the +chronyd+ process if it's compromised.  It's
-shouldn't be enabled without testing that it allows all system calls needed
+recommended to enable the filter only when it's known to work on the version of
-with the specific configuration and libraries that +chronyd+ is using (e.g.
+the system where +chrony+ is installed as the filter needs to allow also system
-libc and its NSS configuration).  If +chronyd+ is getting killed, some system
+calls made from libraries that +chronyd+ is using (e.g. libc) and different
-call is missing and the filter has to be disabled until it's patched to allow
+versions or implementations of the libraries may make different system calls.
-that call.
+If the filter is missing some system call, +chronyd+ could be killed even in
 normal operation.
 === How can I improve the accuracy of the system clock with NTP sources?
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -9,7 +9,7 @@ Wants=time-sync.target
 Type=oneshot
 # Wait up to ~10 minutes for chronyd to synchronize and the remaining
 # clock correction to be less than 0.1 seconds
-ExecStart=/usr/bin/chronyc waitsync 60 0.1
+ExecStart=/usr/bin/chronyc waitsync 600 0.1 0.0 1
 RemainAfterExit=yes
 StandardOutput=null
--- a/examples/chrony.conf.example1
+++ b/examples/chrony.conf.example1
@@ -5,8 +5,8 @@ pool pool.ntp.org iburst
 driftfile /var/lib/chrony/drift
 # In first three updates step the system clock instead of slew
-# if the adjustment is larger than 10 seconds.
+# if the adjustment is larger than 1 second.
-makestep 10 3
+makestep 1.0 3
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync
--- a/examples/chrony.conf.example2
+++ b/examples/chrony.conf.example2
@@ -6,8 +6,8 @@ pool pool.ntp.org iburst
 driftfile /var/lib/chrony/drift
 # In first three updates step the system clock instead of slew
-# if the adjustment is larger than 10 seconds.
+# if the adjustment is larger than 1 second.
-makestep 10 3
+makestep 1.0 3
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync
@@ -21,12 +21,6 @@ rtcsync
 # Specify file containing keys for NTP authentication.
 #keyfile /etc/chrony.keys
 # Disable logging of client accesses.
 noclientlog
 # Send message to syslog when clock adjustment is larger than 0.5 seconds.
 logchange 0.5
 # Specify directory for log files.
 logdir /var/log/chrony
--- a/examples/chrony.conf.example3
+++ b/examples/chrony.conf.example3
@@ -5,22 +5,6 @@
 # want to enable.  The more obscure options are not included.  Refer
 # to the documentation for these.
 #
 # Copyright 2002 Richard P. Curnow
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of version 2 of the GNU General Public License as
 # published by the Free Software Foundation.
 # 
 # This program is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License along
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 # 
 #
 #######################################################################
 ### COMMENTS
 # Any of the following lines are comments (you have a choice of
@@ -128,15 +112,15 @@ driftfile /var/lib/chrony/drift
 #######################################################################
 ### INITIAL CLOCK CORRECTION
 # This option is useful to quickly correct the clock on start if it's
-# off by a large amount.  The value '10' means that if the error is less
+# off by a large amount.  The value '1.0' means that if the error is less
-# than 10 seconds, it will be gradually removed by speeding up or
+# than 1 second, it will be gradually removed by speeding up or slowing
-# slowing down your computer's clock until it is correct.  If the error
+# down your computer's clock until it is correct.  If the error is above
-# is above 10 seconds, an immediate time jump will be applied to correct
+# 1 second, an immediate time jump will be applied to correct it.  The
-# it.  The value '1' means the step is allowed only on the first update
+# value '3' means the step is allowed only in the first three updates of
-# of the clock.  Some software can get upset if the system clock jumps
+# the clock.  Some software can get upset if the system clock jumps
 # (especially backwards), so be careful!
-! makestep 10 1
+! makestep 1.0 3
 #######################################################################
 ### LOGGING
@@ -207,6 +191,13 @@ driftfile /var/lib/chrony/drift
 ! clientloglimit 4194304
 # By default, chronyd tries to respond to all valid NTP requests from
 # allowed addresses.  If you want to limit the response rate for NTP
 # clients that are sending requests too frequently, uncomment and edit
 # the following line.
 ! limitrate interval 3 burst 8
 #######################################################################
 ### REPORTING BIG CLOCK CHANGES
 # Perhaps you want to know if chronyd suddenly detects any large error
@@ -233,6 +224,7 @@ driftfile /var/lib/chrony/drift
 # By default chronyd binds to the loopback interface.  Uncomment the
 # following lines to allow receiving command packets from remote hosts.
 ! bindcmdaddress 0.0.0.0
 ! bindcmdaddress ::
@@ -248,6 +240,11 @@ driftfile /var/lib/chrony/drift
 # syntax and meaning is the same as for 'allow' and 'deny', except that
 # 'cmdallow' and 'cmddeny' control access to the chronyd's command port.
 # Rate limiting can be enabled also for command packets.  (Note,
 # commands from localhost are never limited.)
 ! cmdratelimit interval 1 burst 16
 #######################################################################
 ### REAL TIME CLOCK
 # chronyd can characterise the system's real-time clock.  This is the
--- a/examples/chrony.keys.example
+++ b/examples/chrony.keys.example
@@ -1,15 +1,12 @@
 # This is an example chrony keys file.  It is used for NTP authentication with
 # symmetric keys.  It should be readable only by root or the user to which
-# chronyd is configured to switch to.
+# chronyd is configured to switch to after start.
 #
-# Don't use the example keys!  The keys need to be random for maximum security.
+# Don't use the example keys!  It's recommended to generate random keys using
-# These shell commands can be used to generate random MD5 and SHA1 keys on
+# the chronyc keygen command.
 # systems which have the /dev/urandom device:
 # echo "1 MD5 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 32)"
 # echo "1 SHA1 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 40)"
 # Examples of valid keys:
-#1 ALongAndRandomPassword
+#1 MD5 AVeryLongAndRandomPassword
-#2 MD5 HEX:B028F91EA5C38D06C2E140B26C7F41EC
+#2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F
-#3 SHA1 HEX:1DC764E0791B11FA67EFC7ECBC4B0D73F68A070C
+#3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995
--- a/keys.c
+++ b/keys.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2012-2014
+ * Copyright (C) Miroslav Lichvar  2012-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -39,6 +39,8 @@
 #include "local.h"
 #include "logging.h"
 /* Consider 80 bits as the absolute minimum for a secure key */
 #define MIN_SECURE_KEY_LENGTH 10
 typedef struct {
  uint32_t id;
@@ -290,6 +292,21 @@ KEY_GetAuthDelay(uint32_t key_id)
 /* ================================================== */
 int
 KEY_CheckKeyLength(uint32_t key_id)
 {
  Key *key;
  key = get_key_by_id(key_id);
  if (!key)
    return 0;
  return key->len >= MIN_SECURE_KEY_LENGTH;
 }
 /* ================================================== */
 int
 KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, int data_len,
    unsigned char *auth, int auth_len)
--- a/keys.h
+++ b/keys.h
@@ -37,6 +37,7 @@ extern void KEY_Reload(void);
 extern int KEY_GetKey(uint32_t key_id, char **key, int *len);
 extern int KEY_KeyKnown(uint32_t key_id);
 extern int KEY_GetAuthDelay(uint32_t key_id);
 extern int KEY_CheckKeyLength(uint32_t key_id);
 extern int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data,
    int data_len, unsigned char *auth, int auth_len);
--- a/logging.h
+++ b/logging.h
@@ -47,7 +47,7 @@ extern int log_debug_enabled;
 #if DEBUG > 0
 #define LOG_MESSAGE(severity, facility, ...) \
-  LOG_Message(LOGS_DEBUG, facility, __LINE__, __FILE__, FUNCTION_NAME, __VA_ARGS__);
+  LOG_Message(severity, facility, __LINE__, __FILE__, FUNCTION_NAME, __VA_ARGS__);
 #else
 #define LOG_MESSAGE(severity, facility, ...) \
  LOG_Message(severity, __VA_ARGS__);
@@ -100,6 +100,7 @@ typedef enum {
  LOGF_Keys,
  LOGF_Logging,
  LOGF_Nameserv,
  LOGF_PrivOps,
  LOGF_Rtc,
  LOGF_Regress,
  LOGF_Sys,
@@ -108,7 +109,6 @@ typedef enum {
  LOGF_SysMacOSX,
  LOGF_SysNetBSD,
  LOGF_SysSolaris,
  LOGF_SysSunOS,
  LOGF_SysTimex,
  LOGF_SysWinnt,
  LOGF_TempComp,
--- a/main.c
+++ b/main.c
@@ -49,6 +49,7 @@
 #include "refclock.h"
 #include "clientlog.h"
 #include "nameserv.h"
 #include "privops.h"
 #include "smooth.h"
 #include "tempcomp.h"
 #include "util.h"
@@ -68,6 +69,18 @@ static REF_Mode ref_mode = REF_ModeNormal;
 /* ================================================== */
 static void
 do_platform_checks(void)
 {
  /* Require at least 32-bit integers, two's complement representation and
     the usual implementation of conversion of unsigned integers */
  assert(sizeof (int) >= 4);
  assert(-1 == ~0);
  assert((int32_t)4294967295U == (int32_t)-1);
 }
 /* ================================================== */
 static void
 delete_pidfile(void)
 {
@@ -107,6 +120,7 @@ MAI_CleanupAndExit(void)
  SYS_Finalise();
  SCH_Finalise();
  LCL_Finalise();
  PRV_Finalise();
  delete_pidfile();
@@ -351,6 +365,8 @@ int main
  int system_log = 1;
  int config_args = 0;
  do_platform_checks();
  LOG_Initialise();
  /* Parse command line options */
@@ -463,6 +479,7 @@ int main
   * be done *AFTER* the daemon-creation fork() */
  write_lockfile();
  PRV_Initialise();
  LCL_Initialise();
  SCH_Initialise();
  SYS_Initialise();
--- a/nameserv.c
+++ b/nameserv.c
@@ -50,6 +50,8 @@ DNS_Name2IPAddress(const char *name, IPAddr *ip_addrs, int max_addrs)
  struct addrinfo hints, *res, *ai;
  int i, result;
  max_addrs = MIN(max_addrs, DNS_MAX_ADDRESSES);
  memset(&hints, 0, sizeof (hints));
  hints.ai_family = AF_UNSPEC;
  hints.ai_socktype = SOCK_STREAM;
@@ -99,6 +101,8 @@ DNS_Name2IPAddress(const char *name, IPAddr *ip_addrs, int max_addrs)
  if (address_family != IPADDR_UNSPEC && address_family != IPADDR_INET4)
    return DNS_Failure;
  max_addrs = MIN(max_addrs, DNS_MAX_ADDRESSES);
  host = gethostbyname(name);
  if (host == NULL) {
--- a/nameserv.h
+++ b/nameserv.h
@@ -39,6 +39,9 @@ typedef enum {
 /* Resolve names only to selected address family */
 extern void DNS_SetAddressFamily(int family);
 /* Maximum number of addresses returned by DNS_Name2IPAddress */
 #define DNS_MAX_ADDRESSES 16
 extern DNS_Status DNS_Name2IPAddress(const char *name, IPAddr *ip_addrs, int max_addrs);
 extern int DNS_IPAddress2Name(IPAddr *ip_addr, char *name, int len);
--- a/nameserv_async.c
+++ b/nameserv_async.c
@@ -31,20 +31,19 @@
 #include "nameserv_async.h"
 #include "logging.h"
 #include "memory.h"
 #include "privops.h"
 #include "sched.h"
 #include "util.h"
 #ifdef USE_PTHREAD_ASYNCDNS
 #include <pthread.h>
 #define MAX_ADDRESSES 16
 /* ================================================== */
 struct DNS_Async_Instance {
  const char *name;
  DNS_Status status;
-  IPAddr addresses[MAX_ADDRESSES];
+  IPAddr addresses[DNS_MAX_ADDRESSES];
  DNS_NameResolveHandler handler;
  void *arg;
@@ -61,7 +60,7 @@ start_resolving(void *anything)
 {
  struct DNS_Async_Instance *inst = (struct DNS_Async_Instance *)anything;
-  inst->status = DNS_Name2IPAddress(inst->name, inst->addresses, MAX_ADDRESSES);
+  inst->status = PRV_Name2IPAddress(inst->name, inst->addresses, DNS_MAX_ADDRESSES);
  /* Notify the main thread that the result is ready */
  if (write(inst->pipe[1], "", 1) < 0)
@@ -88,7 +87,7 @@ end_resolving(void *anything)
  close(inst->pipe[0]);
  close(inst->pipe[1]);
-  for (i = 0; inst->status == DNS_Success && i < MAX_ADDRESSES &&
+  for (i = 0; inst->status == DNS_Success && i < DNS_MAX_ADDRESSES &&
              inst->addresses[i].family != IPADDR_UNSPEC; i++)
    ;
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2015
+ * Copyright (C) Miroslav Lichvar  2009-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -71,10 +71,8 @@ struct NCR_Instance_Record {
                                   (client/server or symmetric active peer) */
  OperatingMode opmode;         /* Whether we are sampling this source
                                   or not and in what way */
-  int timer_running;            /* Boolean indicating whether we have a timeout
+  SCH_TimeoutID rx_timeout_id;  /* Timeout ID for latest received response */
-                                   pending to transmit to the source */
+  SCH_TimeoutID tx_timeout_id;  /* Timeout ID for next transmission */
  SCH_TimeoutID timeout_id;     /* Scheduler's timeout ID, if we are
                                   running on a timer. */
  int tx_suspended;             /* Boolean indicating we can't transmit yet */
  int auto_offline;             /* If 1, automatically go offline if server/peer
@@ -217,6 +215,9 @@ static ARR_Instance broadcasts;
 /* Invalid stratum number */
 #define NTP_INVALID_STRATUM 0
 /* Maximum allowed time for server to process client packet */
 #define MAX_SERVER_INTERVAL 4.0
 /* Minimum and maximum allowed poll interval */
 #define MIN_POLL 0
 #define MAX_POLL 24
@@ -285,8 +286,8 @@ do_time_checks(void)
  NTP_int64 ntv1, ntv2;
  int r;
-  UTI_TimevalToInt64(&tv1, &ntv1, 0);
+  UTI_TimevalToInt64(&tv1, &ntv1, NULL);
-  UTI_TimevalToInt64(&tv2, &ntv2, 0);
+  UTI_TimevalToInt64(&tv2, &ntv2, NULL);
  UTI_Int64ToTimeval(&ntv1, &tv1);
  UTI_Int64ToTimeval(&ntv2, &tv2);
@@ -353,20 +354,20 @@ restart_timeout(NCR_Instance inst, double delay)
 {
  /* Check if we can transmit */
  if (inst->tx_suspended) {
-    assert(!inst->timer_running);
+    assert(!inst->tx_timeout_id);
    return;
  }
-  /* Stop old timer if running */
+  /* Stop both rx and tx timers if running */
-  if (inst->timer_running)
+  SCH_RemoveTimeout(inst->rx_timeout_id);
-    SCH_RemoveTimeout(inst->timeout_id);
+  inst->rx_timeout_id = 0;
  SCH_RemoveTimeout(inst->tx_timeout_id);
  /* Start new timer for transmission */
-  inst->timeout_id = SCH_AddTimeoutInClass(delay, SAMPLING_SEPARATION,
+  inst->tx_timeout_id = SCH_AddTimeoutInClass(delay, SAMPLING_SEPARATION,
                                              SAMPLING_RANDOMNESS,
                                              SCH_NtpSamplingClass,
                                              transmit_timeout, (void *)inst);
  inst->timer_running = 1;
 }
 /* ================================================== */
@@ -374,14 +375,28 @@ restart_timeout(NCR_Instance inst, double delay)
 static void
 start_initial_timeout(NCR_Instance inst)
 {
-  if (!inst->timer_running) {
+  double delay, last_tx;
  struct timeval now;
  if (!inst->tx_timeout_id) {
    /* This will be the first transmission after mode change */
    /* Mark source active */
    SRC_SetActive(inst->source);
  }
-  restart_timeout(inst, INITIAL_DELAY);
+  /* In case the offline period was too short, adjust the delay to keep
     the interval between packets at least as long as the current polling
     interval */
  SCH_GetLastEventTime(&now, NULL, NULL);
  UTI_DiffTimevalsToDouble(&last_tx, &now, &inst->local_tx);
  if (last_tx < 0.0)
    last_tx = 0.0;
  delay = get_transmit_delay(inst, 0, 0.0) - last_tx;
  if (delay < INITIAL_DELAY)
    delay = INITIAL_DELAY;
  restart_timeout(inst, delay);
 }
 /* ================================================== */
@@ -393,6 +408,9 @@ close_client_socket(NCR_Instance inst)
    NIO_CloseClientSocket(inst->local_addr.sock_fd);
    inst->local_addr.sock_fd = INVALID_SOCK_FD;
  }
  SCH_RemoveTimeout(inst->rx_timeout_id);
  inst->rx_timeout_id = 0;
 }
 /* ================================================== */
@@ -401,10 +419,9 @@ static void
 take_offline(NCR_Instance inst)
 {
  inst->opmode = MD_OFFLINE;
-  if (inst->timer_running) {
+
-    SCH_RemoveTimeout(inst->timeout_id);
+  SCH_RemoveTimeout(inst->tx_timeout_id);
-    inst->timer_running = 0;
+  inst->tx_timeout_id = 0;
  }
  /* Mark source unreachable */
  SRC_ResetReachability(inst->source);
@@ -480,22 +497,29 @@ NCR_GetInstance(NTP_Remote_Address *remote_addr, NTP_Source_Type type, SourcePar
    result->do_auth = 1;
    result->auth_key_id = params->authkey;
    if (!KEY_KeyKnown(result->auth_key_id)) {
-      LOG(LOGS_WARN, LOGF_NtpCore, "Source %s added with unknown key %"PRIu32,
+      LOG(LOGS_WARN, LOGF_NtpCore, "Key %"PRIu32" used by source %s is %s",
-          UTI_IPToString(&result->remote_addr.ip_addr), result->auth_key_id);
+          result->auth_key_id, UTI_IPToString(&result->remote_addr.ip_addr),
          "missing");
    } else if (!KEY_CheckKeyLength(result->auth_key_id)) {
      LOG(LOGS_WARN, LOGF_NtpCore, "Key %"PRIu32" used by source %s is %s",
          result->auth_key_id, UTI_IPToString(&result->remote_addr.ip_addr),
          "too short");
    }
  }
  /* Create a source instance for this NTP source */
  result->source = SRC_CreateNewInstance(UTI_IPToRefid(&remote_addr->ip_addr),
-                                         SRC_NTP, params->sel_option,
+                                         SRC_NTP, params->sel_options,
                                         &result->remote_addr.ip_addr,
                                         params->min_samples, params->max_samples);
-  result->timer_running = 0;
+  result->rx_timeout_id = 0;
-  result->timeout_id = 0;
+  result->tx_timeout_id = 0;
  result->tx_suspended = 1;
  result->opmode = params->online ? MD_ONLINE : MD_OFFLINE;
  result->local_poll = result->minpoll;
  result->local_tx.tv_sec = 0;
  result->local_tx.tv_usec = 0;
  NCR_ResetInstance(result);
@@ -553,8 +577,6 @@ NCR_ResetInstance(NCR_Instance instance)
  instance->remote_orig.lo = 0;
  instance->local_rx.tv_sec = 0;
  instance->local_rx.tv_usec = 0;
  instance->local_tx.tv_sec = 0;
  instance->local_tx.tv_usec = 0;
  instance->local_ntp_tx.hi = 0;
  instance->local_ntp_tx.lo = 0;
@@ -562,7 +584,7 @@ NCR_ResetInstance(NCR_Instance instance)
    instance->local_poll = instance->minpoll;
    /* The timer was set with a longer poll interval, restart it */
-    if (instance->timer_running)
+    if (instance->tx_timeout_id)
      restart_timeout(instance, get_transmit_delay(instance, 0, 0.0));
  }
 }
@@ -738,6 +760,22 @@ get_transmit_delay(NCR_Instance inst, int on_tx, double last_tx)
  return delay_time;
 }
 /* ================================================== */
 /* Timeout handler for closing the client socket when no acceptable
   reply can be received from the server */
 static void
 receive_timeout(void *arg)
 {
  NCR_Instance inst = (NCR_Instance)arg;
  DEBUG_LOG(LOGF_NtpCore, "Receive timeout for [%s:%d]",
            UTI_IPToString(&inst->remote_addr.ip_addr), inst->remote_addr.port);
  inst->rx_timeout_id = 0;
  close_client_socket(inst);
 }
 /* ================================================== */
 static int
@@ -762,13 +800,14 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
                )
 {
  NTP_Packet message;
-  int leap, auth_len, length, ret;
+  int leap, auth_len, length, ret, precision;
  struct timeval local_receive, local_transmit;
  NTP_int64 ts_fuzz;
  /* Parameters read from reference module */
  int are_we_synchronised, our_stratum, smooth_time;
  NTP_Leap leap_status;
-  uint32_t our_ref_id, ts_fuzz;
+  uint32_t our_ref_id;
  struct timeval our_ref_time;
  double our_root_delay, our_root_dispersion, smooth_offset;
@@ -777,8 +816,18 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
    version = NTP_VERSION;
  }
  smooth_time = 0;
  smooth_offset = 0.0;
  if (my_mode == MODE_CLIENT) {
    /* Don't reveal local time or state of the clock in client packets */
    precision = 32;
    are_we_synchronised = leap_status = our_stratum = our_ref_id = 0;
    our_ref_time.tv_sec = our_ref_time.tv_usec = 0;
    our_root_delay = our_root_dispersion = 0.0;
  } else {
    /* This is accurate enough and cheaper than calling LCL_ReadCookedTime.
-     A more accurate time stamp will be taken later in this function. */
+       A more accurate timestamp will be taken later in this function. */
    SCH_GetLastEventTime(&local_transmit, NULL, NULL);
    REF_GetReferenceParams(&local_transmit,
@@ -796,9 +845,9 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
      if (REF_GetLeapMode() == REF_LeapModeSlew &&
          (leap_status == LEAP_InsertSecond || leap_status == LEAP_DeleteSecond))
        leap_status = LEAP_Normal;
-  } else {
+    }
-    smooth_time = 0;
+
-    smooth_offset = 0.0;
+    precision = LCL_GetSysPrecisionAsLog();
  }
  if (smooth_time) {
@@ -825,7 +874,7 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
  }
  message.poll = my_poll;
-  message.precision = LCL_GetSysPrecisionAsLog();
+  message.precision = precision;
  /* If we're sending a client mode packet and we aren't synchronized yet, 
     we might have to set up artificial values for some of these parameters */
@@ -836,19 +885,22 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
  /* Now fill in timestamps */
-  UTI_TimevalToInt64(&our_ref_time, &message.reference_ts, 0);
+  UTI_TimevalToInt64(&our_ref_time, &message.reference_ts, NULL);
  /* Originate - this comes from the last packet the source sent us */
  message.originate_ts = *orig_ts;
  /* Prepare random bits which will be added to the receive timestamp */
  UTI_GetInt64Fuzz(&ts_fuzz, precision);
  /* Receive - this is when we received the last packet from the source.
     This timestamp will have been adjusted so that it will now look to
     the source like we have been running on our latest estimate of
     frequency all along */
-  UTI_TimevalToInt64(&local_receive, &message.receive_ts, 0);
+  UTI_TimevalToInt64(&local_receive, &message.receive_ts, &ts_fuzz);
  /* Prepare random bits which will be added to the transmit timestamp. */
-  ts_fuzz = UTI_GetNTPTsFuzz(message.precision);
+  UTI_GetInt64Fuzz(&ts_fuzz, precision);
  /* Transmit - this our local time right now!  Also, we might need to
     store this for our own use later, next time we receive a message
@@ -866,7 +918,7 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
       take to generate the authentication data. */
    local_transmit.tv_usec += KEY_GetAuthDelay(key_id);
    UTI_NormaliseTimeval(&local_transmit);
-    UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, ts_fuzz);
+    UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, &ts_fuzz);
    auth_len = KEY_GenerateAuth(key_id, (unsigned char *) &message,
        offsetof(NTP_Packet, auth_keyid),
@@ -886,7 +938,7 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
      message.auth_keyid = 0;
      length += sizeof (message.auth_keyid);
    }
-    UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, ts_fuzz);
+    UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, &ts_fuzz);
  }
  ret = NIO_SendPacket(&message, where_to, from, length);
@@ -911,7 +963,7 @@ transmit_timeout(void *arg)
  NCR_Instance inst = (NCR_Instance) arg;
  int sent;
-  inst->timer_running = 0;
+  inst->tx_timeout_id = 0;
  switch (inst->opmode) {
    case MD_BURST_WAS_ONLINE:
@@ -1008,8 +1060,14 @@ transmit_timeout(void *arg)
  /* Restart timer for this message */
  restart_timeout(inst, get_transmit_delay(inst, 1, 0.0));
 }
  /* If a client packet was just sent, schedule a timeout to close the socket
     at the time when all server replies would fail the delay test, so the
     socket is not open for longer than necessary */
  if (inst->mode == MODE_CLIENT)
    inst->rx_timeout_id = SCH_AddTimeoutByDelay(inst->max_delay + MAX_SERVER_INTERVAL,
                                                receive_timeout, (void *)inst);
 }
 /* ================================================== */
@@ -1099,7 +1157,7 @@ static int
 receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Instance inst, NTP_Local_Address *local_addr, int length)
 {
  int pkt_leap;
-  uint32_t pkt_refid;
+  uint32_t pkt_refid, pkt_key_id;
  double pkt_root_delay;
  double pkt_root_dispersion;
@@ -1190,11 +1248,13 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
     function is called only for known sources. */
  /* Test 5 checks for authentication failure.  If we expect authenticated info
-     from this peer/server and the packet doesn't have it or the authentication
+     from this peer/server and the packet doesn't have it, the authentication
-     is bad, it's got to fail.  If the peer or server sends us an authenticated
+     is bad, or it's authenticated with a different key than expected, it's got
-     frame, but we're not bothered about whether he authenticates or not, just
+     to fail.  If we don't expect the packet to be authenticated, just ignore
-     ignore the test. */
+     the test. */
-  test5 = inst->do_auth ? check_packet_auth(message, length, NULL, NULL) : 1;
+  test5 = !inst->do_auth ||
          (check_packet_auth(message, length, NULL, &pkt_key_id) &&
           pkt_key_id == inst->auth_key_id);
  /* Test 6 checks for unsynchronised server */
  test6 = pkt_leap != LEAP_Unsynchronised &&
@@ -1271,9 +1331,10 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
    /* Additional tests required to pass before accumulating the sample */
-    /* Test A requires that the round trip delay is less than an
+    /* Test A requires that the peer delay is not larger than the configured
-       administrator-defined value */ 
+       maximum and in client mode also that the server processing time is sane */
-    testA = delay <= inst->max_delay;
+    testA = delay <= inst->max_delay &&
            (inst->mode != MODE_CLIENT || remote_interval <= MAX_SERVER_INTERVAL);
    /* Test B requires that the ratio of the round trip delay to the
       minimum one currently in the stats data register is less than an
@@ -1326,24 +1387,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
  /* Reduce polling rate if KoD RATE was received */
  if (kod_rate) {
    if (message->poll > inst->minpoll) {
      /* Set our minpoll to message poll, but use a reasonable maximum */
      if (message->poll <= MAX_KOD_RATE_POLL)
        inst->minpoll = message->poll;
      else if (inst->minpoll < MAX_KOD_RATE_POLL)
        inst->minpoll = MAX_KOD_RATE_POLL;
      if (inst->minpoll > inst->maxpoll)
        inst->maxpoll = inst->minpoll;
      if (inst->minpoll > inst->local_poll)
        inst->local_poll = inst->minpoll;
      LOG(LOGS_WARN, LOGF_NtpCore,
          "Received KoD RATE with poll %d from %s, minpoll set to %d",
          message->poll, UTI_IPToString(&inst->remote_addr.ip_addr),
          inst->minpoll);
    }
    /* Stop ongoing burst */
    if (inst->opmode == MD_BURST_WAS_OFFLINE || inst->opmode == MD_BURST_WAS_ONLINE) {
      inst->burst_good_samples_to_go = 0;
@@ -1368,8 +1411,7 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
                           &sample_time,
                           offset, delay, dispersion,
                           root_delay, root_dispersion,
-                           message->stratum > inst->min_stratum ?
+                           MAX(message->stratum, inst->min_stratum),
                             message->stratum : inst->min_stratum,
                           (NTP_Leap) pkt_leap);
      SRC_SelectSource(inst->source);
@@ -1421,7 +1463,7 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
    }
    /* Get rid of old timeout and start a new one */
-    assert(inst->timer_running);
+    assert(inst->tx_timeout_id);
    restart_timeout(inst, delay_time);
  }
@@ -1481,7 +1523,7 @@ NCR_ProcessKnown
 int length                     /* the length of the received packet */
 )
 {
-  int pkt_mode, proc_packet, proc_as_unknown, log_peer_access;
+  int pkt_mode, proc_packet, proc_as_unknown;
  if (!check_packet_format(message, length))
    return 0;
@@ -1489,7 +1531,6 @@ NCR_ProcessKnown
  pkt_mode = NTP_LVM_TO_MODE(message->lvm);
  proc_packet = 0;
  proc_as_unknown = 0;
  log_peer_access = 0;
  /* Now, depending on the mode we decide what to do */
  switch (pkt_mode) {
@@ -1497,7 +1538,6 @@ NCR_ProcessKnown
      switch (inst->mode) {
        case MODE_ACTIVE:
          /* Ordinary symmetric peering */
          log_peer_access = 1;
          proc_packet = 1;
          break;
        case MODE_PASSIVE:
@@ -1520,7 +1560,6 @@ NCR_ProcessKnown
        case MODE_ACTIVE:
          /* This would arise if we have the remote configured as a peer and
             he does not have us configured */
          log_peer_access = 1;
          proc_packet = 1;
          break;
        case MODE_PASSIVE:
@@ -1574,9 +1613,6 @@ NCR_ProcessKnown
      break;
  }
  if (log_peer_access)
    CLG_LogNTPPeerAccess(&inst->remote_addr.ip_addr, now->tv_sec);
  if (proc_packet) {
    /* Check if the reply was received by the socket that sent the request */
    if (local_addr->sock_fd != inst->local_addr.sock_fd) {
@@ -1620,7 +1656,7 @@ NCR_ProcessUnknown
 )
 {
  NTP_Mode pkt_mode, my_mode;
-  int has_auth, valid_auth;
+  int has_auth, valid_auth, log_index;
  uint32_t key_id;
  /* Ignore the packet if it wasn't received by server socket */
@@ -1646,12 +1682,10 @@ NCR_ProcessUnknown
    case MODE_ACTIVE:
      /* We are symmetric passive, even though we don't ever lock to him */
      my_mode = MODE_PASSIVE;
      CLG_LogNTPPeerAccess(&remote_addr->ip_addr, now->tv_sec);
      break;
    case MODE_CLIENT:
      /* Reply with server packet */
      my_mode = MODE_SERVER;
      CLG_LogNTPClientAccess(&remote_addr->ip_addr, now->tv_sec);
      break;
    default:
      /* Discard */
@@ -1659,6 +1693,14 @@ NCR_ProcessUnknown
      return;
  }
  log_index = CLG_LogNTPAccess(&remote_addr->ip_addr, now);
  /* Don't reply to all requests if the rate is excessive */
  if (log_index >= 0 && CLG_LimitNTPResponseRate(log_index)) {
      DEBUG_LOG(LOGF_NtpCore, "NTP packet discarded to limit response rate");
      return;
  }
  /* Check if the packet includes MAC that authenticates properly */
  valid_auth = check_packet_auth(message, length, &has_auth, &key_id);
--- a/ntp_io.c
+++ b/ntp_io.c
@@ -37,6 +37,7 @@
 #include "local.h"
 #include "logging.h"
 #include "conf.h"
 #include "privops.h"
 #include "util.h"
 #define INVALID_SOCK_FD -1
@@ -189,7 +190,7 @@ prepare_socket(int family, int port_number, int client_only)
 #endif
  if (family == AF_INET) {
-#ifdef IP_PKTINFO
+#ifdef HAVE_IN_PKTINFO
    /* We want the local IP info on server sockets */
    if (setsockopt(sock_fd, IPPROTO_IP, IP_PKTINFO, (char *)&on_off, sizeof(on_off)) < 0) {
      LOG(LOGS_ERR, LOGF_NtpIO, "Could not set packet info socket option");
@@ -206,20 +207,22 @@ prepare_socket(int family, int port_number, int client_only)
    }
 #endif
 #ifdef HAVE_IN6_PKTINFO
 #ifdef IPV6_RECVPKTINFO
    if (setsockopt(sock_fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, (char *)&on_off, sizeof(on_off)) < 0) {
      LOG(LOGS_ERR, LOGF_NtpIO, "Could not set IPv6 packet info socket option");
    }
-#elif defined(IPV6_PKTINFO)
+#else
    if (setsockopt(sock_fd, IPPROTO_IPV6, IPV6_PKTINFO, (char *)&on_off, sizeof(on_off)) < 0) {
      LOG(LOGS_ERR, LOGF_NtpIO, "Could not set IPv6 packet info socket option");
    }
 #endif
 #endif
  }
 #endif
  /* Bind the socket if a port or address was specified */
-  if (my_addr_len > 0 && bind(sock_fd, &my_addr.u, my_addr_len) < 0) {
+  if (my_addr_len > 0 && PRV_BindSocket(sock_fd, &my_addr.u, my_addr_len) < 0) {
    LOG(LOGS_ERR, LOGF_NtpIO, "Could not bind %s NTP socket : %s",
        UTI_SockaddrFamilyToString(family), strerror(errno));
    close(sock_fd);
@@ -531,7 +534,7 @@ read_from_socket(void *anything)
    local_addr.sock_fd = sock_fd;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
-#ifdef IP_PKTINFO
+#ifdef HAVE_IN_PKTINFO
      if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_PKTINFO) {
        struct in_pktinfo ipi;
@@ -541,7 +544,7 @@ read_from_socket(void *anything)
      }
 #endif
-#if defined(IPV6_PKTINFO) && defined(HAVE_IN6_PKTINFO)
+#ifdef HAVE_IN6_PKTINFO
      if (cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO) {
        struct in6_pktinfo ipi;
@@ -629,7 +632,7 @@ send_packet(void *packet, int packetlen, NTP_Remote_Address *remote_addr, NTP_Lo
  msg.msg_flags = 0;
  cmsglen = 0;
-#ifdef IP_PKTINFO
+#ifdef HAVE_IN_PKTINFO
  if (local_addr->ip_addr.family == IPADDR_INET4) {
    struct cmsghdr *cmsg;
    struct in_pktinfo *ipi;
@@ -647,7 +650,7 @@ send_packet(void *packet, int packetlen, NTP_Remote_Address *remote_addr, NTP_Lo
  }
 #endif
-#if defined(IPV6_PKTINFO) && defined(HAVE_IN6_PKTINFO)
+#ifdef HAVE_IN6_PKTINFO
  if (local_addr->ip_addr.family == IPADDR_INET6) {
    struct cmsghdr *cmsg;
    struct in6_pktinfo *ipi;
--- a/ntp_sources.c
+++ b/ntp_sources.c
@@ -57,7 +57,8 @@ typedef struct {
                                   sources from the pool respond first */
 } SourceRecord;
-/* Hash table of SourceRecord, the size should be a power of two */
+/* Hash table of SourceRecord, its size is a power of two and it's never
   more than half full */
 static ARR_Instance records;
 /* Number of sources in the hash table */
@@ -202,26 +203,16 @@ find_slot(NTP_Remote_Address *remote_addr, int *slot, int *found)
  uint32_t hash;
  unsigned int i, size;
  unsigned short port;
  uint8_t *ip6;
  size = ARR_GetSize(records);
-  switch (remote_addr->ip_addr.family) {
+  if (remote_addr->ip_addr.family != IPADDR_INET4 &&
-    case IPADDR_INET6:
+      remote_addr->ip_addr.family != IPADDR_INET6) {
      ip6 = remote_addr->ip_addr.addr.in6;
      hash = (ip6[0] ^ ip6[4] ^ ip6[8] ^ ip6[12]) |
           (ip6[1] ^ ip6[5] ^ ip6[9] ^ ip6[13]) << 8 |
           (ip6[2] ^ ip6[6] ^ ip6[10] ^ ip6[14]) << 16 |
           (ip6[3] ^ ip6[7] ^ ip6[11] ^ ip6[15]) << 24;
      break;
    case IPADDR_INET4:
      hash = remote_addr->ip_addr.addr.in4;
      break;
    default:
    *found = *slot = 0;
    return;
  }
  hash = UTI_IPToHash(&remote_addr->ip_addr);
  port = remote_addr->port;
  for (i = 0; i < size / 2; i++) {
@@ -243,12 +234,12 @@ find_slot(NTP_Remote_Address *remote_addr, int *slot, int *found)
 }
 /* ================================================== */
 /* Check if hash table of given size is sufficient to contain sources */
 static int
 check_hashtable_size(unsigned int sources, unsigned int size)
 {
-  return sources * 2 + 1 < size;
+  return sources * 2 <= size;
 }
 /* ================================================== */
@@ -266,7 +257,7 @@ rehash_records(void)
  memcpy(temp_records, ARR_GetElements(records), old_size * sizeof (SourceRecord));
  /* The size of the hash table is always a power of two */
-  for (new_size = 4; !check_hashtable_size(n_sources, new_size); new_size *= 2)
+  for (new_size = 1; !check_hashtable_size(n_sources, new_size); new_size *= 2)
    ;
  ARR_SetSize(records, new_size);
--- a/pktlength.c
+++ b/pktlength.c
@@ -3,6 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2002
 * Copyright (C) Miroslav Lichvar  2014-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -33,145 +34,120 @@
 #include "util.h"
 #include "pktlength.h"
 #define PADDING_LENGTH_(request_length, reply_length) \
  (uint16_t)((request_length) < (reply_length) ? (reply_length) - (request_length) : 0)
 #define PADDING_LENGTH(request_data, reply_data) \
  PADDING_LENGTH_(offsetof(CMD_Request, request_data), offsetof(CMD_Reply, reply_data))
 #define REQ_LENGTH_ENTRY(request_data_field, reply_data_field) \
  { offsetof(CMD_Request, data.request_data_field.EOR), \
    PADDING_LENGTH(data.request_data_field.EOR, data.reply_data_field.EOR) }
 #define RPY_LENGTH_ENTRY(reply_data_field) \
  offsetof(CMD_Reply, data.reply_data_field.EOR)
 /* ================================================== */
-static int
+struct request_length {
-command_unpadded_length(CMD_Request *r)
+  uint16_t command;
-{
+  uint16_t padding;
-  int type;
+};
  type = ntohs(r->command);
  if (type < 0 || type >= N_REQUEST_TYPES) {
    return 0;
  } else {
    switch (type) {
      case REQ_NULL:
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_ONLINE:
        return offsetof(CMD_Request, data.online.EOR);
      case REQ_OFFLINE:
        return offsetof(CMD_Request, data.offline.EOR);
      case REQ_BURST:
        return offsetof(CMD_Request, data.burst.EOR);
      case REQ_MODIFY_MINPOLL:
        return offsetof(CMD_Request, data.modify_minpoll.EOR);
      case REQ_MODIFY_MAXPOLL:
        return offsetof(CMD_Request, data.modify_maxpoll.EOR);
      case REQ_DUMP:
        return offsetof(CMD_Request, data.dump.EOR);
      case REQ_MODIFY_MAXDELAY:
        return offsetof(CMD_Request, data.modify_maxdelay.EOR);
      case REQ_MODIFY_MAXDELAYRATIO:
        return offsetof(CMD_Request, data.modify_maxdelayratio.EOR);
      case REQ_MODIFY_MAXDELAYDEVRATIO:
        return offsetof(CMD_Request, data.modify_maxdelaydevratio.EOR);
      case REQ_MODIFY_MAXUPDATESKEW:
        return offsetof(CMD_Request, data.modify_maxupdateskew.EOR);
      case REQ_MODIFY_MAKESTEP:
        return offsetof(CMD_Request, data.modify_makestep.EOR);
      case REQ_LOGON :
        return offsetof(CMD_Request, data.logon.EOR);
      case REQ_SETTIME :
        return offsetof(CMD_Request, data.settime.EOR);
      case REQ_LOCAL :
        return offsetof(CMD_Request, data.local.EOR);
      case REQ_MANUAL :
        return offsetof(CMD_Request, data.manual.EOR);
      case REQ_N_SOURCES :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_SOURCE_DATA :
        return offsetof(CMD_Request, data.source_data.EOR);
      case REQ_REKEY :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_ALLOW :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_ALLOWALL :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_DENY :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_DENYALL :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_CMDALLOW :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_CMDALLOWALL :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_CMDDENY :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_CMDDENYALL :
        return offsetof(CMD_Request, data.allow_deny.EOR);
      case REQ_ACCHECK :
        return offsetof(CMD_Request, data.ac_check.EOR);
      case REQ_CMDACCHECK :
        return offsetof(CMD_Request, data.ac_check.EOR);
      case REQ_ADD_SERVER :
        return offsetof(CMD_Request, data.ntp_source.EOR);
      case REQ_ADD_PEER :
        return offsetof(CMD_Request, data.ntp_source.EOR);
      case REQ_DEL_SOURCE :
        return offsetof(CMD_Request, data.del_source.EOR);
      case REQ_WRITERTC :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_DFREQ :
        return offsetof(CMD_Request, data.dfreq.EOR);
      case REQ_DOFFSET :
        return offsetof(CMD_Request, data.doffset.EOR);
      case REQ_TRACKING :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_SOURCESTATS :
        return offsetof(CMD_Request, data.sourcestats.EOR);
      case REQ_RTCREPORT :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_TRIMRTC :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_CYCLELOGS :
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_SUBNETS_ACCESSED :
      case REQ_CLIENT_ACCESSES:
        /* No longer supported */
        return 0;
      case REQ_CLIENT_ACCESSES_BY_INDEX:
        return offsetof(CMD_Request, data.client_accesses_by_index.EOR);
      case REQ_MANUAL_LIST:
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_MANUAL_DELETE:
        return offsetof(CMD_Request, data.manual_delete.EOR);
      case REQ_MAKESTEP:
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_ACTIVITY:
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_RESELECT:
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_RESELECTDISTANCE:
        return offsetof(CMD_Request, data.reselect_distance.EOR);
      case REQ_MODIFY_MINSTRATUM:
        return offsetof(CMD_Request, data.modify_minstratum.EOR);
      case REQ_MODIFY_POLLTARGET:
        return offsetof(CMD_Request, data.modify_polltarget.EOR);
      case REQ_SMOOTHING:
        return offsetof(CMD_Request, data.null.EOR);
      case REQ_SMOOTHTIME:
        return offsetof(CMD_Request, data.smoothtime.EOR);
      case REQ_REFRESH:
        return offsetof(CMD_Request, data.null.EOR);
      default:
        /* If we fall through the switch, it most likely means we've forgotten to implement a new case */
        assert(0);
    }
  }
-  /* Catch-all case */
+static const struct request_length request_lengths[] = {
-  return 0;
+  REQ_LENGTH_ENTRY(null, null),                 /* NULL */
-
+  REQ_LENGTH_ENTRY(online, null),               /* ONLINE */
-}
+  REQ_LENGTH_ENTRY(offline, null),              /* OFFLINE */
  REQ_LENGTH_ENTRY(burst, null),                /* BURST */
  REQ_LENGTH_ENTRY(modify_minpoll, null),       /* MODIFY_MINPOLL */
  REQ_LENGTH_ENTRY(modify_maxpoll, null),       /* MODIFY_MAXPOLL */
  REQ_LENGTH_ENTRY(dump, null),                 /* DUMP */
  REQ_LENGTH_ENTRY(modify_maxdelay, null),      /* MODIFY_MAXDELAY */
  REQ_LENGTH_ENTRY(modify_maxdelayratio, null), /* MODIFY_MAXDELAYRATIO */
  REQ_LENGTH_ENTRY(modify_maxupdateskew, null), /* MODIFY_MAXUPDATESKEW */
  REQ_LENGTH_ENTRY(logon, null),                /* LOGON */
  REQ_LENGTH_ENTRY(settime, manual_timestamp),  /* SETTIME */
  REQ_LENGTH_ENTRY(local, null),                /* LOCAL */
  REQ_LENGTH_ENTRY(manual, null),               /* MANUAL */
  REQ_LENGTH_ENTRY(null, n_sources),            /* N_SOURCES */
  REQ_LENGTH_ENTRY(source_data, source_data),   /* SOURCE_DATA */
  REQ_LENGTH_ENTRY(null, null),                 /* REKEY */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* ALLOW */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* ALLOWALL */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* DENY */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* DENYALL */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* CMDALLOW */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* CMDALLOWALL */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* CMDDENY */
  REQ_LENGTH_ENTRY(allow_deny, null),           /* CMDDENYALL */
  REQ_LENGTH_ENTRY(ac_check, null),             /* ACCHECK */
  REQ_LENGTH_ENTRY(ac_check, null),             /* CMDACCHECK */
  REQ_LENGTH_ENTRY(ntp_source, null),           /* ADD_SERVER */
  REQ_LENGTH_ENTRY(ntp_source, null),           /* ADD_PEER */
  REQ_LENGTH_ENTRY(del_source, null),           /* DEL_SOURCE */
  REQ_LENGTH_ENTRY(null, null),                 /* WRITERTC */
  REQ_LENGTH_ENTRY(dfreq, null),                /* DFREQ */
  REQ_LENGTH_ENTRY(doffset, null),              /* DOFFSET */
  REQ_LENGTH_ENTRY(null, tracking),             /* TRACKING */
  REQ_LENGTH_ENTRY(sourcestats, sourcestats),   /* SOURCESTATS */
  REQ_LENGTH_ENTRY(null, rtc),                  /* RTCREPORT */
  REQ_LENGTH_ENTRY(null, null),                 /* TRIMRTC */
  REQ_LENGTH_ENTRY(null, null),                 /* CYCLELOGS */
  { 0, 0 },                                     /* SUBNETS_ACCESSED - not supported */
  { 0, 0 },                                     /* CLIENT_ACCESSES - not supported */
  { 0, 0 },                                     /* CLIENT_ACCESSES_BY_INDEX - not supported */
  REQ_LENGTH_ENTRY(null, manual_list),          /* MANUAL_LIST */
  REQ_LENGTH_ENTRY(manual_delete, null),        /* MANUAL_DELETE */
  REQ_LENGTH_ENTRY(null, null),                 /* MAKESTEP */
  REQ_LENGTH_ENTRY(null, activity),             /* ACTIVITY */
  REQ_LENGTH_ENTRY(modify_minstratum, null),    /* MODIFY_MINSTRATUM */
  REQ_LENGTH_ENTRY(modify_polltarget, null),    /* MODIFY_POLLTARGET */
  REQ_LENGTH_ENTRY(modify_maxdelaydevratio, null), /* MODIFY_MAXDELAYDEVRATIO */
  REQ_LENGTH_ENTRY(null, null),                 /* RESELECT */
  REQ_LENGTH_ENTRY(reselect_distance, null),    /* RESELECTDISTANCE */
  REQ_LENGTH_ENTRY(modify_makestep, null),      /* MODIFY_MAKESTEP */
  REQ_LENGTH_ENTRY(null, smoothing),            /* SMOOTHING */
  REQ_LENGTH_ENTRY(smoothtime, null),           /* SMOOTHTIME */
  REQ_LENGTH_ENTRY(null, null),                 /* REFRESH */
  REQ_LENGTH_ENTRY(null, server_stats),         /* SERVER_STATS */
  REQ_LENGTH_ENTRY(client_accesses_by_index,
                   client_accesses_by_index),   /* CLIENT_ACCESSES_BY_INDEX2 */
 };
 static const uint16_t reply_lengths[] = {
  0,                                            /* empty slot */
  RPY_LENGTH_ENTRY(null),                       /* NULL */
  RPY_LENGTH_ENTRY(n_sources),                  /* N_SOURCES */
  RPY_LENGTH_ENTRY(source_data),                /* SOURCE_DATA */
  RPY_LENGTH_ENTRY(manual_timestamp),           /* MANUAL_TIMESTAMP */
  RPY_LENGTH_ENTRY(tracking),                   /* TRACKING */
  RPY_LENGTH_ENTRY(sourcestats),                /* SOURCESTATS */
  RPY_LENGTH_ENTRY(rtc),                        /* RTC */
  0,                                            /* SUBNETS_ACCESSED - not supported */
  0,                                            /* CLIENT_ACCESSES - not supported */
  0,                                            /* CLIENT_ACCESSES_BY_INDEX - not supported */
  0,                                            /* MANUAL_LIST - variable length */
  RPY_LENGTH_ENTRY(activity),                   /* ACTIVITY */
  RPY_LENGTH_ENTRY(smoothing),                  /* SMOOTHING */
  RPY_LENGTH_ENTRY(server_stats),               /* SERVER_STATS */
  RPY_LENGTH_ENTRY(client_accesses_by_index),   /* CLIENT_ACCESSES_BY_INDEX2 */
 };
 /* ================================================== */
 int
 PKL_CommandLength(CMD_Request *r)
 {
  uint32_t type;
  int command_length;
-  command_length = command_unpadded_length(r);
+  assert(sizeof (request_lengths) / sizeof (request_lengths[0]) == N_REQUEST_TYPES);
  type = ntohs(r->command);
  if (type >= N_REQUEST_TYPES)
    return 0;
  command_length = request_lengths[type].command;
  if (!command_length)
    return 0;
@@ -180,139 +156,20 @@ PKL_CommandLength(CMD_Request *r)
 /* ================================================== */
 #define PADDING_LENGTH_(request_length, reply_length) \
  ((request_length) < (reply_length) ? (reply_length) - (request_length) : 0)
 #define PADDING_LENGTH(request_data, reply_data) \
  PADDING_LENGTH_(offsetof(CMD_Request, request_data), offsetof(CMD_Reply, reply_data))
 int
 PKL_CommandPaddingLength(CMD_Request *r)
 {
-  int type;
+  uint32_t type;
  if (r->version < PROTO_VERSION_PADDING)
    return 0;
  type = ntohs(r->command);
-  if (type < 0 || type >= N_REQUEST_TYPES)
+  if (type >= N_REQUEST_TYPES)
    return 0;
-  switch (type) {
+  return request_lengths[ntohs(r->command)].padding;
    case REQ_NULL:
      return PADDING_LENGTH(data, data.null.EOR);
    case REQ_ONLINE:
      return PADDING_LENGTH(data.online.EOR, data.null.EOR);
    case REQ_OFFLINE:
      return PADDING_LENGTH(data.offline.EOR, data.null.EOR);
    case REQ_BURST:
      return PADDING_LENGTH(data.burst.EOR, data.null.EOR);
    case REQ_MODIFY_MINPOLL:
      return PADDING_LENGTH(data.modify_minpoll.EOR, data.null.EOR);
    case REQ_MODIFY_MAXPOLL:
      return PADDING_LENGTH(data.modify_maxpoll.EOR, data.null.EOR);
    case REQ_DUMP:
      return PADDING_LENGTH(data.dump.EOR, data.null.EOR);
    case REQ_MODIFY_MAXDELAY:
      return PADDING_LENGTH(data.modify_maxdelay.EOR, data.null.EOR);
    case REQ_MODIFY_MAXDELAYRATIO:
      return PADDING_LENGTH(data.modify_maxdelayratio.EOR, data.null.EOR);
    case REQ_MODIFY_MAXDELAYDEVRATIO:
      return PADDING_LENGTH(data.modify_maxdelaydevratio.EOR, data.null.EOR);
    case REQ_MODIFY_MAXUPDATESKEW:
      return PADDING_LENGTH(data.modify_maxupdateskew.EOR, data.null.EOR);
    case REQ_MODIFY_MAKESTEP:
      return PADDING_LENGTH(data.modify_makestep.EOR, data.null.EOR);
    case REQ_LOGON:
      return PADDING_LENGTH(data.logon.EOR, data.null.EOR);
    case REQ_SETTIME:
      return PADDING_LENGTH(data.settime.EOR, data.manual_timestamp.EOR);
    case REQ_LOCAL:
      return PADDING_LENGTH(data.local.EOR, data.null.EOR);
    case REQ_MANUAL:
      return PADDING_LENGTH(data.manual.EOR, data.null.EOR);
    case REQ_N_SOURCES:
      return PADDING_LENGTH(data.null.EOR, data.n_sources.EOR);
    case REQ_SOURCE_DATA:
      return PADDING_LENGTH(data.source_data.EOR, data.source_data.EOR);
    case REQ_REKEY:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    case REQ_ALLOW:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_ALLOWALL:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_DENY:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_DENYALL:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_CMDALLOW:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_CMDALLOWALL:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_CMDDENY:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_CMDDENYALL:
      return PADDING_LENGTH(data.allow_deny.EOR, data.null.EOR);
    case REQ_ACCHECK:
      return PADDING_LENGTH(data.ac_check.EOR, data.null.EOR);
    case REQ_CMDACCHECK:
      return PADDING_LENGTH(data.ac_check.EOR, data.null.EOR);
    case REQ_ADD_SERVER:
      return PADDING_LENGTH(data.ntp_source.EOR, data.null.EOR);
    case REQ_ADD_PEER:
      return PADDING_LENGTH(data.ntp_source.EOR, data.null.EOR);
    case REQ_DEL_SOURCE:
      return PADDING_LENGTH(data.del_source.EOR, data.null.EOR);
    case REQ_WRITERTC:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    case REQ_DFREQ:
      return PADDING_LENGTH(data.dfreq.EOR, data.null.EOR);
    case REQ_DOFFSET:
      return PADDING_LENGTH(data.doffset.EOR, data.null.EOR);
    case REQ_TRACKING:
      return PADDING_LENGTH(data.null.EOR, data.tracking.EOR);
    case REQ_SOURCESTATS:
      return PADDING_LENGTH(data.sourcestats.EOR, data.sourcestats.EOR);
    case REQ_RTCREPORT:
      return PADDING_LENGTH(data.null.EOR, data.rtc.EOR);
    case REQ_TRIMRTC:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    case REQ_CYCLELOGS:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    case REQ_SUBNETS_ACCESSED:
    case REQ_CLIENT_ACCESSES:
      /* No longer supported */
      return 0;
    case REQ_CLIENT_ACCESSES_BY_INDEX:
      return PADDING_LENGTH(data.client_accesses_by_index.EOR, data.client_accesses_by_index.EOR);
    case REQ_MANUAL_LIST:
      return PADDING_LENGTH(data.null.EOR, data.manual_list.EOR);
    case REQ_MANUAL_DELETE:
      return PADDING_LENGTH(data.manual_delete.EOR, data.null.EOR);
    case REQ_MAKESTEP:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    case REQ_ACTIVITY:
      return PADDING_LENGTH(data.null.EOR, data.activity.EOR);
    case REQ_RESELECT:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    case REQ_RESELECTDISTANCE:
      return PADDING_LENGTH(data.reselect_distance.EOR, data.null.EOR);
    case REQ_MODIFY_MINSTRATUM:
      return PADDING_LENGTH(data.modify_minstratum.EOR, data.null.EOR);
    case REQ_MODIFY_POLLTARGET:
      return PADDING_LENGTH(data.modify_polltarget.EOR, data.null.EOR);
    case REQ_SMOOTHING:
      return PADDING_LENGTH(data.null.EOR, data.smoothing.EOR);
    case REQ_SMOOTHTIME:
      return PADDING_LENGTH(data.smoothtime.EOR, data.null.EOR);
    case REQ_REFRESH:
      return PADDING_LENGTH(data.null.EOR, data.null.EOR);
    default:
      /* If we fall through the switch, it most likely means we've forgotten to implement a new case */
      assert(0);
      return 0;
  }
 }
 /* ================================================== */
@@ -320,65 +177,32 @@ PKL_CommandPaddingLength(CMD_Request *r)
 int
 PKL_ReplyLength(CMD_Reply *r)
 {
-  int type;
+  uint32_t type;
  assert(sizeof (reply_lengths) / sizeof (reply_lengths[0]) == N_REPLY_TYPES);
  type = ntohs(r->reply);
  /* Note that reply type codes start from 1, not 0 */
-  if (type < 1 || type >= N_REPLY_TYPES) {
+  if (type < 1 || type >= N_REPLY_TYPES)
    return 0;
-  } else {
+
-    switch (type) {
+  /* Length of MANUAL_LIST depends on number of samples stored in it */
-      case RPY_NULL:
+  if (type == RPY_MANUAL_LIST) {
-        return offsetof(CMD_Reply, data.null.EOR);
+    uint32_t ns;
-      case RPY_N_SOURCES:
+
-        return offsetof(CMD_Reply, data.n_sources.EOR);
+    if (r->status != htons(STT_SUCCESS))
      case RPY_SOURCE_DATA:
        return offsetof(CMD_Reply, data.source_data.EOR);
      case RPY_MANUAL_TIMESTAMP:
        return offsetof(CMD_Reply, data.manual_timestamp.EOR);
      case RPY_TRACKING:
        return offsetof(CMD_Reply, data.tracking.EOR);
      case RPY_SOURCESTATS:
        return offsetof(CMD_Reply, data.sourcestats.EOR);
      case RPY_RTC:
        return offsetof(CMD_Reply, data.rtc.EOR);
      case RPY_SUBNETS_ACCESSED :
      case RPY_CLIENT_ACCESSES:
        /* No longer supported */
        return 0;
      case RPY_CLIENT_ACCESSES_BY_INDEX:
        {
          unsigned long nc = ntohl(r->data.client_accesses_by_index.n_clients);
          if (r->status == htons(STT_SUCCESS)) {
            if (nc > MAX_CLIENT_ACCESSES)
              return 0;
            return (offsetof(CMD_Reply, data.client_accesses_by_index.clients) +
                    nc * sizeof(RPY_ClientAccesses_Client));
          } else {
      return offsetof(CMD_Reply, data);
-          }
+
-        }
+    ns = ntohl(r->data.manual_list.n_samples);
      case RPY_MANUAL_LIST:
        {
          unsigned long ns = ntohl(r->data.manual_list.n_samples);
    if (ns > MAX_MANUAL_LIST_SAMPLES)
      return 0;
-          if (r->status == htons(STT_SUCCESS)) {
+
-            return (offsetof(CMD_Reply, data.manual_list.samples) +
+    return offsetof(CMD_Reply, data.manual_list.samples) +
-                    ns * sizeof(RPY_ManualListSample));
+           ns * sizeof (RPY_ManualListSample);
          } else {
            return offsetof(CMD_Reply, data);
          }
        }
      case RPY_ACTIVITY:
        return offsetof(CMD_Reply, data.activity.EOR);
      case RPY_SMOOTHING:
        return offsetof(CMD_Reply, data.smoothing.EOR);
      default:
        assert(0);
    }
  }
-  return 0;
+  return reply_lengths[type];
 }
 /* ================================================== */
--- a/privops.c
+++ b/privops.c
@@ -0,0 +1,689 @@
 /*
  chronyd/chronyc - Programs for keeping computer clocks accurate.
 **********************************************************************
 * Copyright (C) Bryan Christianson 2015
 * Copyright (C) Miroslav Lichvar  2016
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 **********************************************************************
  =======================================================================
  Perform privileged operations over a unix socket to a privileged fork.
  */
 #include "config.h"
 #include "sysincl.h"
 #include "conf.h"
 #include "nameserv.h"
 #include "logging.h"
 #include "privops.h"
 #include "util.h"
 #define OP_ADJUSTTIME     1024
 #define OP_ADJUSTTIMEX    1025
 #define OP_SETTIME        1026
 #define OP_BINDSOCKET     1027
 #define OP_NAME2IPADDRESS 1028
 #define OP_QUIT           1099
 union sockaddr_in46 {
  struct sockaddr_in in4;
 #ifdef FEAT_IPV6
  struct sockaddr_in6 in6;
 #endif
  struct sockaddr u;
 };
 /* daemon request structs */
 typedef struct {
  struct timeval tv;
 } ReqAdjustTime;
 #ifdef PRIVOPS_ADJUSTTIMEX
 typedef struct {
  struct timex tmx;
 } ReqAdjustTimex;
 #endif
 typedef struct {
  struct timeval tv;
 } ReqSetTime;
 typedef struct {
  int sock;
  socklen_t sa_len;
  union sockaddr_in46 sa;
 } ReqBindSocket;
 typedef struct {
  char name[256];
 } ReqName2IPAddress;
 typedef struct {
  int op;
  union {
    ReqAdjustTime adjust_time;
 #ifdef PRIVOPS_ADJUSTTIMEX
    ReqAdjustTimex adjust_timex;
 #endif
    ReqSetTime set_time;
    ReqBindSocket bind_socket;
 #ifdef PRIVOPS_NAME2IPADDRESS
    ReqName2IPAddress name_to_ipaddress;
 #endif
  } data;
 } PrvRequest;
 /* helper response structs */
 typedef struct {
  struct timeval tv;
 } ResAdjustTime;
 #ifdef PRIVOPS_ADJUSTTIMEX
 typedef struct {
  struct timex tmx;
 } ResAdjustTimex;
 #endif
 typedef struct {
  IPAddr addresses[DNS_MAX_ADDRESSES];
 } ResName2IPAddress;
 typedef struct {
  char msg[256];
 } ResFatalMsg;
 typedef struct {
  int fatal_error;
  int rc;
  int res_errno;
  union {
    ResFatalMsg fatal_msg;
    ResAdjustTime adjust_time;
 #ifdef PRIVOPS_ADJUSTTIMEX
    ResAdjustTimex adjust_timex;
 #endif
 #ifdef PRIVOPS_NAME2IPADDRESS
    ResName2IPAddress name_to_ipaddress;
 #endif
  } data;
 } PrvResponse;
 static int helper_fd;
 static pid_t helper_pid;
 static int
 have_helper(void)
 {
  return helper_fd >= 0;
 }
 /* ======================================================================= */
 /* HELPER - prepare fatal error for daemon */
 static void
 res_fatal(PrvResponse *res, const char *fmt, ...)
 {
  va_list ap;
  res->fatal_error = 1;
  va_start(ap, fmt);
  vsnprintf(res->data.fatal_msg.msg, sizeof (res->data.fatal_msg.msg), fmt, ap);
  va_end(ap);
 }
 /* ======================================================================= */
 /* HELPER - send response to the fd */
 static int
 send_response(int fd, const PrvResponse *res)
 {
  if (send(fd, res, sizeof (*res), 0) != sizeof (*res))
    return 0;
  return 1;
 }
 /* ======================================================================= */
 /* receive daemon request plus optional file descriptor over a unix socket */
 static int
 receive_from_daemon(int fd, PrvRequest *req)
 {
  struct msghdr msg;
  struct cmsghdr *cmsg;
  struct iovec iov;
  char cmsgbuf[256];
  iov.iov_base = req;
  iov.iov_len = sizeof (*req);
  msg.msg_name = NULL;
  msg.msg_namelen = 0;
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = (void *)cmsgbuf;
  msg.msg_controllen = sizeof (cmsgbuf);
  msg.msg_flags = MSG_WAITALL;
  /* read the data */
  if (recvmsg(fd, &msg, 0) != sizeof (*req))
    return 0;
  if (req->op == OP_BINDSOCKET) {
    /* extract transferred descriptor */
    req->data.bind_socket.sock = -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
      if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
        memcpy(&req->data.bind_socket.sock, CMSG_DATA(cmsg), sizeof (int));
    }
    /* return error if valid descriptor not found */
    if (req->data.bind_socket.sock < 0)
      return 0;
  }
  return 1;
 }
 /* ======================================================================= */
 /* HELPER - perform adjtime() */
 #ifdef PRIVOPS_ADJUSTTIME
 static void
 do_adjust_time(const ReqAdjustTime *req, PrvResponse *res)
 {
  res->rc = adjtime(&req->tv, &res->data.adjust_time.tv);
  if (res->rc)
    res->res_errno = errno;
 }
 #endif
 /* ======================================================================= */
 /* HELPER - perform ntp_adjtime() */
 #ifdef PRIVOPS_ADJUSTTIMEX
 static void
 do_adjust_timex(const ReqAdjustTimex *req, PrvResponse *res)
 {
  res->data.adjust_timex.tmx = req->tmx;
  res->rc = ntp_adjtime(&res->data.adjust_timex.tmx);
  if (res->rc < 0)
    res->res_errno = errno;
 }
 #endif
 /* ======================================================================= */
 /* HELPER - perform settimeofday() */
 #ifdef PRIVOPS_SETTIME
 static void
 do_set_time(const ReqSetTime *req, PrvResponse *res)
 {
  res->rc = settimeofday(&req->tv, NULL);
  if (res->rc)
    res->res_errno = errno;
 }
 #endif
 /* ======================================================================= */
 /* HELPER - perform bind() */
 #ifdef PRIVOPS_BINDSOCKET
 static void
 do_bind_socket(ReqBindSocket *req, PrvResponse *res)
 {
  unsigned short port;
  IPAddr ip;
  int sock_fd;
  struct sockaddr *sa;
  socklen_t sa_len;
  sa = &req->sa.u;
  sa_len = req->sa_len;
  sock_fd = req->sock;
  UTI_SockaddrToIPAndPort(sa, &ip, &port);
  if (port && port != CNF_GetNTPPort()) {
    close(sock_fd);
    res_fatal(res, "Invalid port %d", port);
    return;
  }
  res->rc = bind(sock_fd, sa, sa_len);
  if (res->rc)
    res->res_errno = errno;
  /* sock is still open on daemon side, but we're done with it in the helper */
  close(sock_fd);
 }
 #endif
 /* ======================================================================= */
 /* HELPER - perform DNS_Name2IPAddress() */
 #ifdef PRIVOPS_NAME2IPADDRESS
 static void
 do_name_to_ipaddress(ReqName2IPAddress *req, PrvResponse *res)
 {
  /* make sure the string is terminated */
  req->name[sizeof (req->name) - 1] = '\0';
  DNS_Reload();
  res->rc = DNS_Name2IPAddress(req->name, res->data.name_to_ipaddress.addresses,
                               DNS_MAX_ADDRESSES);
 }
 #endif
 /* ======================================================================= */
 /* HELPER - main loop - action requests from the daemon */
 static void
 helper_main(int fd)
 {
  PrvRequest req;
  PrvResponse res;
  int quit = 0;
  while (!quit) {
    if (!receive_from_daemon(fd, &req))
      /* read error or closed input - we cannot recover - give up */
      break;
    memset(&res, 0, sizeof (res));
    switch (req.op) {
 #ifdef PRIVOPS_ADJUSTTIME
      case OP_ADJUSTTIME:
        do_adjust_time(&req.data.adjust_time, &res);
        break;
 #endif
 #ifdef PRIVOPS_ADJUSTTIMEX
      case OP_ADJUSTTIMEX:
        do_adjust_timex(&req.data.adjust_timex, &res);
        break;
 #endif
 #ifdef PRIVOPS_SETTIME
      case OP_SETTIME:
        do_set_time(&req.data.set_time, &res);
        break;
 #endif
 #ifdef PRIVOPS_BINDSOCKET
      case OP_BINDSOCKET:
        do_bind_socket(&req.data.bind_socket, &res);
        break;
 #endif
 #ifdef PRIVOPS_NAME2IPADDRESS
      case OP_NAME2IPADDRESS:
        do_name_to_ipaddress(&req.data.name_to_ipaddress, &res);
        break;
 #endif
      case OP_QUIT:
        quit = 1;
        continue;
      default:
        res_fatal(&res, "Unexpected operator %d", req.op);
        break;
    }
    send_response(fd, &res);
  }
  close(fd);
  exit(0);
 }
 /* ======================================================================= */
 /* DAEMON - receive helper response */
 static void
 receive_response(PrvResponse *res)
 {
  int resp_len;
  resp_len = recv(helper_fd, res, sizeof (*res), 0);
  if (resp_len < 0)
    LOG_FATAL(LOGF_PrivOps, "Could not read from helper : %s", strerror(errno));
  if (resp_len != sizeof (*res))
    LOG_FATAL(LOGF_PrivOps, "Invalid helper response");
  if (res->fatal_error)
    LOG_FATAL(LOGF_PrivOps, "Error in helper : %s", res->data.fatal_msg.msg);
  DEBUG_LOG(LOGF_PrivOps, "Received response rc=%d", res->rc);
  /* if operation failed in the helper, set errno so daemon can print log message */
  if (res->res_errno)
    errno = res->res_errno;
 }
 /* ======================================================================= */
 /* DAEMON - send daemon request to the helper */
 static void
 send_request(PrvRequest *req)
 {
  struct msghdr msg;
  struct iovec iov;
  char cmsgbuf[256];
  iov.iov_base = req;
  iov.iov_len = sizeof (*req);
  msg.msg_name = NULL;
  msg.msg_namelen = 0;
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = NULL;
  msg.msg_controllen = 0;
  msg.msg_flags = 0;
  if (req->op == OP_BINDSOCKET) {
    /* send file descriptor as a control message */
    struct cmsghdr *cmsg;
    int *ptr_send_fd;
    msg.msg_control = cmsgbuf;
    msg.msg_controllen = CMSG_SPACE(sizeof (int));
    cmsg = CMSG_FIRSTHDR(&msg);
    memset(cmsg, 0, CMSG_SPACE(sizeof (int)));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof (int));
    ptr_send_fd = (int *)CMSG_DATA(cmsg);
    *ptr_send_fd = req->data.bind_socket.sock;
  }
  if (sendmsg(helper_fd, &msg, 0) < 0) {
    /* don't try to send another request from exit() */
    helper_fd = -1;
    LOG_FATAL(LOGF_PrivOps, "Could not send to helper : %s", strerror(errno));
  }
  DEBUG_LOG(LOGF_PrivOps, "Sent request op=%d", req->op);
 }
 /* ======================================================================= */
 /* DAEMON - send daemon request and wait for response */
 static void
 submit_request(PrvRequest *req, PrvResponse *res)
 {
  send_request(req);
  receive_response(res);
 }
 /* ======================================================================= */
 /* DAEMON - send the helper a request to exit and wait until it exits */
 static void
 stop_helper(void)
 {
  PrvRequest req;
  int status;
  if (!have_helper())
    return;
  memset(&req, 0, sizeof (req));
  req.op = OP_QUIT;
  send_request(&req);
  waitpid(helper_pid, &status, 0);
 }
 /* ======================================================================= */
 /* DAEMON - request adjtime() */
 #ifdef PRIVOPS_ADJUSTTIME
 int
 PRV_AdjustTime(const struct timeval *delta, struct timeval *olddelta)
 {
  PrvRequest req;
  PrvResponse res;
  if (!have_helper() || delta == NULL)
    /* helper is not running or read adjustment call */
    return adjtime(delta, olddelta);
  memset(&req, 0, sizeof (req));
  req.op = OP_ADJUSTTIME;
  req.data.adjust_time.tv = *delta;
  submit_request(&req, &res);
  if (olddelta)
    *olddelta = res.data.adjust_time.tv;
  return res.rc;
 }
 #endif
 /* ======================================================================= */
 /* DAEMON - request ntp_adjtime() */
 #ifdef PRIVOPS_ADJUSTTIMEX
 int
 PRV_AdjustTimex(struct timex *tmx)
 {
  PrvRequest req;
  PrvResponse res;
  if (!have_helper())
    return ntp_adjtime(tmx);
  memset(&req, 0, sizeof (req));
  req.op = OP_ADJUSTTIMEX;
  req.data.adjust_timex.tmx = *tmx;
  submit_request(&req, &res);
  *tmx = res.data.adjust_timex.tmx;
  return res.rc;
 }
 #endif
 /* ======================================================================= */
 /* DAEMON - request settimeofday() */
 #ifdef PRIVOPS_SETTIME
 int
 PRV_SetTime(const struct timeval *tp, const struct timezone *tzp)
 {
  PrvRequest req;
  PrvResponse res;
  /* only support setting the time */
  assert(tp != NULL);
  assert(tzp == NULL);
  if (!have_helper())
    return settimeofday(tp, NULL);
  memset(&req, 0, sizeof (req));
  req.op = OP_SETTIME;
  req.data.set_time.tv = *tp;
  submit_request(&req, &res);
  return res.rc;
 }
 #endif
 /* ======================================================================= */
 /* DAEMON - request bind() */
 #ifdef PRIVOPS_BINDSOCKET
 int
 PRV_BindSocket(int sock, struct sockaddr *address, socklen_t address_len)
 {
  PrvRequest req;
  PrvResponse res;
  IPAddr ip;
  unsigned short port;
  UTI_SockaddrToIPAndPort(address, &ip, &port);
  assert(!port || port == CNF_GetNTPPort());
  if (!have_helper())
    return bind(sock, address, address_len);
  memset(&req, 0, sizeof (req));
  req.op = OP_BINDSOCKET;
  req.data.bind_socket.sock = sock;
  req.data.bind_socket.sa_len = address_len;
  memcpy(&req.data.bind_socket.sa.u, address, address_len);
  submit_request(&req, &res);
  return res.rc;
 }
 #endif
 /* ======================================================================= */
 /* DAEMON - request DNS_Name2IPAddress() */
 #ifdef PRIVOPS_NAME2IPADDRESS
 int
 PRV_Name2IPAddress(const char *name, IPAddr *ip_addrs, int max_addrs)
 {
  PrvRequest req;
  PrvResponse res;
  int i;
  if (!have_helper())
    return DNS_Name2IPAddress(name, ip_addrs, max_addrs);
  memset(&req, 0, sizeof (req));
  req.op = OP_NAME2IPADDRESS;
  if (snprintf(req.data.name_to_ipaddress.name, sizeof (req.data.name_to_ipaddress.name),
               "%s", name) >= sizeof (req.data.name_to_ipaddress.name)) {
    DEBUG_LOG(LOGF_PrivOps, "Name too long");
    return DNS_Failure;
  }
  submit_request(&req, &res);
  for (i = 0; i < max_addrs && i < DNS_MAX_ADDRESSES; i++)
    ip_addrs[i] = res.data.name_to_ipaddress.addresses[i];
  return res.rc;
 }
 #endif
 /* ======================================================================= */
 void
 PRV_Initialise(void)
 {
  helper_fd = -1;
 }
 /* ======================================================================= */
 /* DAEMON - setup socket(s) then fork to run the helper */
 /* must be called before privileges are dropped */
 void
 PRV_StartHelper(void)
 {
  pid_t pid;
  int fd, sock_pair[2];
  if (have_helper())
    LOG_FATAL(LOGF_PrivOps, "Helper already running");
  if (
 #ifdef SOCK_SEQPACKET
      socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sock_pair) &&
 #endif
      socketpair(AF_UNIX, SOCK_DGRAM, 0, sock_pair))
    LOG_FATAL(LOGF_PrivOps, "socketpair() failed : %s", strerror(errno));
  UTI_FdSetCloexec(sock_pair[0]);
  UTI_FdSetCloexec(sock_pair[1]);
  pid = fork();
  if (pid < 0)
    LOG_FATAL(LOGF_PrivOps, "fork() failed : %s", strerror(errno));
  if (pid == 0) {
    /* child process */
    close(sock_pair[0]);
    /* close other descriptors inherited from the parent process */
    for (fd = 0; fd < 1024; fd++) {
      if (fd != sock_pair[1])
        close(fd);
    }
    /* ignore signals, the process will exit on OP_QUIT request */
    UTI_SetQuitSignalsHandler(SIG_IGN);
    helper_main(sock_pair[1]);
  } else {
    /* parent process */
    close(sock_pair[1]);
    helper_fd = sock_pair[0];
    helper_pid = pid;
    /* stop the helper even when not exiting cleanly from the main function */
    atexit(stop_helper);
  }
 }
 /* ======================================================================= */
 /* DAEMON - graceful shutdown of the helper */
 void
 PRV_Finalise(void)
 {
  if (!have_helper())
    return;
  stop_helper();
  close(helper_fd);
  helper_fd = -1;
 }
--- a/privops.h
+++ b/privops.h
@@ -0,0 +1,71 @@
 /*
  chronyd/chronyc - Programs for keeping computer clocks accurate.
 **********************************************************************
 * Copyright (C) Bryan Christianson 2015
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 **********************************************************************
  =======================================================================
  Perform privileged operations over a unix socket to a privileged fork.
 */
 #ifndef GOT_PRIVOPS_H
 #define GOT_PRIVOPS_H
 #ifdef PRIVOPS_ADJUSTTIME
 int PRV_AdjustTime(const struct timeval *delta, struct timeval *olddelta);
 #else
 #define PRV_AdjustTime adjtime
 #endif
 #ifdef PRIVOPS_ADJUSTTIMEX
 int PRV_AdjustTimex(struct timex *txc);
 #else
 #define PRV_AdjustTimex ntp_adjtime
 #endif
 #ifdef PRIVOPS_SETTIME
 int PRV_SetTime(const struct timeval *tp, const struct timezone *tzp);
 #else
 #define PRV_SetTime settimeofday
 #endif
 #ifdef PRIVOPS_BINDSOCKET
 int PRV_BindSocket(int sock, struct sockaddr *address, socklen_t address_len);
 #else
 #define PRV_BindSocket bind
 #endif
 #ifdef PRIVOPS_NAME2IPADDRESS
 int PRV_Name2IPAddress(const char *name, IPAddr *ip_addrs, int max_addrs);
 #else
 #define PRV_Name2IPAddress DNS_Name2IPAddress
 #endif
 #ifdef PRIVOPS_HELPER
 void PRV_Initialise(void);
 void PRV_StartHelper(void);
 void PRV_Finalise(void);
 #else
 #define PRV_Initialise()
 #define PRV_StartHelper()
 #define PRV_Finalise()
 #endif
 #endif
--- a/refclock.c
+++ b/refclock.c
@@ -233,7 +233,7 @@ RCL_AddRefclock(RefclockParameters *params)
    if (index >= 10)
      ref[2] = (index / 10) % 10 + '0';
-    inst->ref_id = ref[0] << 24 | ref[1] << 16 | ref[2] << 8 | ref[3];
+    inst->ref_id = (uint32_t)ref[0] << 24 | ref[1] << 16 | ref[2] << 8 | ref[3];
  }
  if (inst->driver->poll) {
@@ -260,7 +260,7 @@ RCL_AddRefclock(RefclockParameters *params)
  filter_init(&inst->filter, params->filter_length, params->max_dispersion);
-  inst->source = SRC_CreateNewInstance(inst->ref_id, SRC_REFCLOCK, params->sel_option, NULL,
+  inst->source = SRC_CreateNewInstance(inst->ref_id, SRC_REFCLOCK, params->sel_options, NULL,
                                       params->min_samples, params->max_samples);
  DEBUG_LOG(LOGF_Refclock, "refclock %s refid=%s poll=%d dpoll=%d filter=%d",
@@ -372,8 +372,6 @@ RCL_AddSample(RCL_Instance instance, struct timeval *sample_time, double offset,
      !valid_sample_time(instance, sample_time))
    return 0;
  filter_add_sample(&instance->filter, &cooked_time, offset - correction + instance->offset, dispersion);
  switch (leap) {
    case LEAP_Normal:
    case LEAP_InsertSecond:
@@ -381,10 +379,11 @@ RCL_AddSample(RCL_Instance instance, struct timeval *sample_time, double offset,
      instance->leap_status = leap;
      break;
    default:
-      instance->leap_status = LEAP_Unsynchronised;
+      DEBUG_LOG(LOGF_Refclock, "refclock sample ignored bad leap %d", leap);
-      break;
+      return 0;
  }
  filter_add_sample(&instance->filter, &cooked_time, offset - correction + instance->offset, dispersion);
  instance->pps_active = 0;
  log_sample(instance, &cooked_time, 0, 0, offset, offset - correction + instance->offset, dispersion);
--- a/refclock.h
+++ b/refclock.h
@@ -40,13 +40,13 @@ typedef struct {
  int pps_rate;
  int min_samples;
  int max_samples;
  int sel_options;
  uint32_t ref_id;
  uint32_t lock_ref_id;
  double offset;
  double delay;
  double precision;
  double max_dispersion;
  SRC_SelectOption sel_option;
 } RefclockParameters;
 typedef struct RCL_Instance_Record *RCL_Instance;
--- a/refclock_sock.c
+++ b/refclock_sock.c
@@ -37,11 +37,23 @@
 #define SOCK_MAGIC 0x534f434b
 struct sock_sample {
  /* Time of the measurement (system time) */
  struct timeval tv;
  /* Offset between the true time and the system time (in seconds) */
  double offset;
  /* Non-zero if the sample is from a PPS signal, i.e. another source
     is needed to obtain seconds */
  int pulse;
  /* 0 - normal, 1 - insert leap second, 2 - delete leap second */
  int leap;
  /* Padding, ignored */
  int _pad;
  /* Protocol identifier (0x534f434b) */
  int magic;
 };
--- a/reference.c
+++ b/reference.c
@@ -80,8 +80,7 @@ static int max_offset_delay;
 static int max_offset_ignore;
 static double max_offset;
-/* Flag and threshold for logging clock changes to syslog */
+/* Threshold for logging clock changes to syslog */
 static int do_log_change;
 static double log_change_threshold;
 /* Flag, threshold and user for sending mail notification on large clock changes */
@@ -106,7 +105,6 @@ static REF_LeapMode leap_mode;
 static int leap_in_progress;
 /* Timer for the leap second handler */
 static int leap_timer_running;
 static SCH_TimeoutID leap_timeout_id;
 /* Name of a system timezone containing leap seconds occuring at midnight */
@@ -234,7 +232,7 @@ REF_Initialise(void)
  enable_local_stratum = CNF_AllowLocalReference(&local_stratum);
-  leap_timer_running = 0;
+  leap_timeout_id = 0;
  leap_in_progress = 0;
  leap_mode = CNF_GetLeapSecMode();
  /* Switch to step mode if the system driver doesn't support leap */
@@ -255,8 +253,8 @@ REF_Initialise(void)
  CNF_GetMakeStep(&make_step_limit, &make_step_threshold);
  CNF_GetMaxChange(&max_offset_delay, &max_offset_ignore, &max_offset);
  CNF_GetLogChange(&do_log_change, &log_change_threshold);
  CNF_GetMailOnChange(&do_mail_change, &mail_change_threshold, &mail_change_user);
  log_change_threshold = CNF_GetLogChange();
  CNF_GetFallbackDrifts(&fb_drift_min, &fb_drift_max);
@@ -264,7 +262,7 @@ REF_Initialise(void)
    fb_drifts = MallocArray(struct fb_drift, fb_drift_max - fb_drift_min + 1);
    memset(fb_drifts, 0, sizeof (struct fb_drift) * (fb_drift_max - fb_drift_min + 1));
    next_fb_drift = 0;
-    fb_drift_timeout_id = -1;
+    fb_drift_timeout_id = 0;
  }
  last_ref_update.tv_sec = 0;
@@ -273,11 +271,6 @@ REF_Initialise(void)
  LCL_AddParameterChangeHandler(handle_slew, NULL);
  /* And just to prevent anything wierd ... */
  if (do_log_change) {
    log_change_threshold = fabs(log_change_threshold);
  }
  /* Make first entry in tracking log */
  REF_SetUnsynchronised();
 }
@@ -428,10 +421,8 @@ update_fb_drifts(double freq_ppm, double update_interval)
    next_fb_drift = 0;
  }
  if (fb_drift_timeout_id != -1) {
  SCH_RemoveTimeout(fb_drift_timeout_id);
-    fb_drift_timeout_id = -1;
+  fb_drift_timeout_id = 0;
  }
  if (update_interval < 1.0 || update_interval > last_ref_update_interval * 4.0)
    return;
@@ -464,7 +455,7 @@ fb_drift_timeout(void *arg)
 {
  assert(next_fb_drift >= fb_drift_min && next_fb_drift <= fb_drift_max);
-  fb_drift_timeout_id = -1;
+  fb_drift_timeout_id = 0;
  DEBUG_LOG(LOGF_Reference, "Fallback drift %d active: %f ppm",
            next_fb_drift, fb_drifts[next_fb_drift - fb_drift_min].freq);
@@ -481,7 +472,7 @@ schedule_fb_drift(struct timeval *now)
  double unsynchronised;
  struct timeval when;
-  if (fb_drift_timeout_id != -1)
+  if (fb_drift_timeout_id)
    return; /* already scheduled */
  UTI_DiffTimevalsToDouble(&unsynchronised, now, &last_ref_update);
@@ -539,8 +530,7 @@ maybe_log_offset(double offset, time_t now)
  abs_offset = fabs(offset);
-  if (do_log_change &&
+  if (abs_offset > log_change_threshold) {
      (abs_offset > log_change_threshold)) {
    LOG(LOGS_WARN, LOGF_Reference,
        "System clock wrong by %.6f seconds, adjustment started",
        -offset);
@@ -686,7 +676,7 @@ get_tz_leap(time_t when)
 static void
 leap_end_timeout(void *arg)
 {
-  leap_timer_running = 0;
+  leap_timeout_id = 0;
  leap_in_progress = 0;
  our_leap_sec = 0;
@@ -738,11 +728,9 @@ set_leap_timeout(time_t now)
  struct timeval when;
  /* Stop old timer if there is one */
  if (leap_timer_running) {
  SCH_RemoveTimeout(leap_timeout_id);
-    leap_timer_running = 0;
+  leap_timeout_id = 0;
  leap_in_progress = 0;
  }
  if (!our_leap_sec)
    return;
@@ -760,7 +748,6 @@ set_leap_timeout(time_t now)
  }
  leap_timeout_id = SCH_AddTimeout(&when, leap_start_timeout, NULL);
  leap_timer_running = 1;
 }
 /* ================================================== */
--- a/reports.h
+++ b/reports.h
@@ -38,7 +38,7 @@ typedef struct {
  int poll;
  enum {RPT_NTP_CLIENT, RPT_NTP_PEER, RPT_LOCAL_REFERENCE} mode;
  enum {RPT_SYNC, RPT_UNREACH, RPT_FALSETICKER, RPT_JITTERY, RPT_CANDIDATE, RPT_OUTLIER} state;
-  enum {RPT_NORMAL, RPT_PREFER, RPT_NOSELECT} sel_option;
+  int sel_options;
  int reachability;
  unsigned long latest_meas_ago; /* seconds */
@@ -88,15 +88,25 @@ typedef struct {
 typedef struct {
  IPAddr ip_addr;
-  unsigned long client_hits;
+  uint32_t ntp_hits;
-  unsigned long peer_hits;
+  uint32_t cmd_hits;
-  unsigned long cmd_hits_auth;
+  uint16_t ntp_drops;
-  unsigned long cmd_hits_normal;
+  uint16_t cmd_drops;
-  unsigned long cmd_hits_bad;
+  int8_t ntp_interval;
-  unsigned long last_ntp_hit_ago;
+  int8_t cmd_interval;
-  unsigned long last_cmd_hit_ago;
+  int8_t ntp_timeout_interval;
  uint32_t last_ntp_hit_ago;
  uint32_t last_cmd_hit_ago;
 } RPT_ClientAccessByIndex_Report;
 typedef struct {
  uint32_t ntp_hits;
  uint32_t cmd_hits;
  uint32_t ntp_drops;
  uint32_t cmd_drops;
  uint32_t log_drops;
 } RPT_ServerStatsReport;
 typedef struct {
  struct timeval when;
  double slewed_offset;
--- a/rtc.c
+++ b/rtc.c
@@ -39,11 +39,12 @@
 /* ================================================== */
 static int driver_initialised = 0;
 static int driver_preinit_ok = 0;
 static struct {
  int  (*init)(void);
  void (*fini)(void);
-  int  (*time_pre_init)(void);
+  int  (*time_pre_init)(time_t driftfile_time);
  void (*time_init)(void (*after_hook)(void*), void *anything);
  void (*start_measurements)(void);
  int  (*write_parameters)(void);
@@ -73,29 +74,37 @@ static struct {
 };
 /* ================================================== */
-/* Set the system clock to the time of last modification of driftfile
+/* Get the last modification time of the driftfile */
   if it's in the future */
-static void
+static time_t
-fallback_time_init(void)
+get_driftfile_time(void)
 {
  struct timeval now;
  struct stat buf;
  char *drift_file;
  drift_file = CNF_GetDriftFile();
  if (!drift_file)
-    return;
+    return 0;
  if (stat(drift_file, &buf))
-    return;
+    return 0;
  return buf.st_mtime;
 }
 /* ================================================== */
 /* Set the system time to the driftfile time if it's in the future */
 static void
 apply_driftfile_time(time_t t)
 {
  struct timeval now;
  LCL_ReadCookedTime(&now, NULL);
-  if (now.tv_sec < buf.st_mtime) {
+  if (now.tv_sec < t) {
-    if (LCL_ApplyStepOffset(now.tv_sec - buf.st_mtime))
+    if (LCL_ApplyStepOffset(now.tv_sec - t))
-      LOG(LOGS_INFO, LOGF_Rtc, "System clock set from driftfile %s",
+      LOG(LOGS_INFO, LOGF_Rtc, "System time restored from driftfile");
          drift_file);
  }
 }
@@ -104,15 +113,24 @@ fallback_time_init(void)
 void
 RTC_Initialise(int initial_set)
 {
  time_t driftfile_time;
  char *file_name;
-  /* Do an initial read of the RTC and set the system time to it.  This
+  /* If the -s option was specified, try to do an initial read of the RTC and
-     is analogous to what /sbin/hwclock -s would do on Linux.  If that fails
+     set the system time to it.  Also, read the last modification time of the
-     or RTC is not supported, set the clock to the time of the last
+     driftfile (i.e. system time when chronyd was previously stopped) and set
-     modification of driftfile, so we at least get closer to the truth. */
+     the system time to it if it's in the future to bring the clock closer to
     the true time when the RTC is broken (e.g. it has no battery), is missing,
     or there is no RTC driver. */
  if (initial_set) {
-    if (!driver.time_pre_init || !driver.time_pre_init()) {
+    driftfile_time = get_driftfile_time();
-      fallback_time_init();
+
    if (driver.time_pre_init && driver.time_pre_init(driftfile_time)) {
      driver_preinit_ok = 1;
    } else {
      driver_preinit_ok = 0;
      if (driftfile_time)
        apply_driftfile_time(driftfile_time);
    }
  }
@@ -150,9 +168,9 @@ RTC_Finalise(void)
 /* ================================================== */
 /* Start the processing to get a single measurement from the real time
   clock, and use it to trim the system time, based on knowing the
-   drift rate of the RTC and the error the last time we set it.  The
+   drift rate of the RTC and the error the last time we set it.  If the
-   TimePreInit routine has already run, so we can be sure that the
+   TimePreInit routine has succeeded, we can be sure that the trim required
-   trim required is not *too* large.
+   is not *too* large.
   We are called with a hook to a function to be called after the
   initialisation is complete.  We also call this if we cannot do the
@@ -161,7 +179,7 @@ RTC_Finalise(void)
 void
 RTC_TimeInit(void (*after_hook)(void *), void *anything)
 {
-  if (driver_initialised) {
+  if (driver_initialised && driver_preinit_ok) {
    (driver.time_init)(after_hook, anything);
  } else {
    (after_hook)(anything);
--- a/rtc_linux.c
+++ b/rtc_linux.c
@@ -72,8 +72,7 @@ static int fd = -1;
 static int measurement_period = LOWEST_MEASUREMENT_PERIOD;
-static int timeout_running = 0;
+static SCH_TimeoutID timeout_id = 0;
 static SCH_TimeoutID timeout_id;
 static int skip_interrupts;
@@ -367,6 +366,9 @@ t_from_rtc(struct tm *stm) {
  t2 = mktime(&temp2);
  diff = t2 - t1;
  if (t1 - diff == -1)
    DEBUG_LOG(LOGF_RtcLinux, "Could not convert RTC time");
  return t1 - diff;
 }
@@ -379,13 +381,13 @@ read_hwclock_file(const char *hwclock_file)
  char line[256];
  int i;
-  if (!hwclock_file)
+  if (!hwclock_file || !hwclock_file[0])
    return;
  in = fopen(hwclock_file, "r");
  if (!in) {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not open hwclockfile %s",
+    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not open %s : %s",
-        hwclock_file);
+        hwclock_file, strerror(errno));
    return;
  }
@@ -402,7 +404,7 @@ read_hwclock_file(const char *hwclock_file)
  } else if (i == 3 && !strncmp(line, "UTC", 3)) {
    rtc_on_utc = 1;
  } else {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read LOCAL/UTC setting from hwclockfile %s",
+    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read RTC LOCAL/UTC setting from %s",
        hwclock_file);
  }
 }
@@ -445,7 +447,7 @@ read_coefs_from_file(void)
                 &file_ref_offset,
                 &file_rate_ppm) == 4) {
      } else {
-        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read coefficients from RTC file %s",
+        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read coefficients from %s",
            coefs_file_name);
      }
      fclose(in);
@@ -578,10 +580,8 @@ RTC_Linux_Initialise(void)
 void
 RTC_Linux_Finalise(void)
 {
  if (timeout_running) {
  SCH_RemoveTimeout(timeout_id);
-    timeout_running = 0;
+  timeout_id = 0;
  }
  /* Remove input file handler */
  if (fd >= 0) {
@@ -607,14 +607,16 @@ switch_interrupts(int onoff)
  if (onoff) {
    status = ioctl(fd, RTC_UIE_ON, 0);
    if (status < 0) {
-      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not start measurement : %s", strerror(errno));
+      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not %s RTC interrupt : %s",
          "enable", strerror(errno));
      return;
    }
    skip_interrupts = 1;
  } else {
    status = ioctl(fd, RTC_UIE_OFF, 0);
    if (status < 0) {
-      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not stop measurement : %s", strerror(errno));
+      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not %s RTC interrupt : %s",
          "disable", strerror(errno));
      return;
    }
  }
@@ -625,7 +627,7 @@ switch_interrupts(int onoff)
 static void
 measurement_timeout(void *any)
 {
-  timeout_running = 0;
+  timeout_id = 0;
  switch_interrupts(1);
 }
@@ -694,10 +696,11 @@ handle_initial_trim(void)
    /* sys_error_now is positive if the system clock is fast */
    sys_error_now = rtc_error_now - coef_seconds_fast;
    LOG(LOGS_INFO, LOGF_RtcLinux, "System trim from RTC = %f", sys_error_now);
    LCL_AccumulateOffset(sys_error_now, 0.0);
    LOG(LOGS_INFO, LOGF_RtcLinux, "System clock off from RTC by %f seconds (slew)",
        sys_error_now);
  } else {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "No valid file coefficients, cannot trim system time");
+    LOG(LOGS_WARN, LOGF_RtcLinux, "No valid rtcfile coefficients");
  }
  coefs_valid = 0;
@@ -722,7 +725,7 @@ handle_relock_after_trim(void)
  if (valid) {
    write_coefs_to_file(1,ref,fast,saved_coef_gain_rate);
  } else {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not do regression after trim");
+    DEBUG_LOG(LOGF_RtcLinux, "Could not do regression after trim");
  }
  coefs_valid = 0;
@@ -857,7 +860,6 @@ read_from_device(void *any)
    rtc_t = t_from_rtc(&rtc_tm);
    if (rtc_t == (time_t)(-1)) {
      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not convert RTC time to timeval");
      error = 1;
      goto turn_off_interrupt;
    }      
@@ -883,13 +885,12 @@ turn_off_interrupt:
  switch (operating_mode) {
    case OM_INITIAL:
      if (error) {
-        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not complete initial step due to errors");
+        DEBUG_LOG(LOGF_RtcLinux, "Could not complete initial step due to errors");
        operating_mode = OM_NORMAL;
        (after_init_hook)(after_init_hook_arg);
        switch_interrupts(0);
        timeout_running = 1;
        timeout_id = SCH_AddTimeoutByDelay((double) measurement_period, measurement_timeout, NULL);
      }
@@ -897,12 +898,11 @@ turn_off_interrupt:
    case OM_AFTERTRIM:
      if (error) {
-        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not complete after trim relock due to errors");
+        DEBUG_LOG(LOGF_RtcLinux, "Could not complete after trim relock due to errors");
        operating_mode = OM_NORMAL;
        switch_interrupts(0);
        timeout_running = 1;
        timeout_id = SCH_AddTimeoutByDelay((double) measurement_period, measurement_timeout, NULL);
      }
@@ -911,7 +911,6 @@ turn_off_interrupt:
    case OM_NORMAL:
      switch_interrupts(0);
      timeout_running = 1;
      timeout_id = SCH_AddTimeoutByDelay((double) measurement_period, measurement_timeout, NULL);
      break;
@@ -931,9 +930,8 @@ RTC_Linux_TimeInit(void (*after_hook)(void *), void *anything)
  after_init_hook_arg = anything;
  operating_mode = OM_INITIAL;
-  timeout_running = 0;
+  timeout_id = 0;
  switch_interrupts(1);
 }
 /* ================================================== */
@@ -941,7 +939,6 @@ RTC_Linux_TimeInit(void (*after_hook)(void *), void *anything)
 void
 RTC_Linux_StartMeasurements(void)
 {
  timeout_running = 0;
  measurement_timeout(NULL);
 }
@@ -974,7 +971,7 @@ RTC_Linux_WriteParameters(void)
   RTC behaviour than we do for the rest of the module. */
 int
-RTC_Linux_TimePreInit(void)
+RTC_Linux_TimePreInit(time_t driftfile_time)
 {
  int fd, status;
  struct rtc_time rtc_raw, rtc_raw_retry;
@@ -1039,16 +1036,19 @@ RTC_Linux_TimePreInit(void)
      UTI_AddDoubleToTimeval(&new_sys_time, -accumulated_error, &new_sys_time);
      if (new_sys_time.tv_sec < driftfile_time) {
        LOG(LOGS_WARN, LOGF_RtcLinux, "RTC time before last driftfile modification (ignored)");
        return 0;
      }
      UTI_DiffTimevalsToDouble(&sys_offset, &old_sys_time, &new_sys_time);
      /* Set system time only if the step is larger than 1 second */
      if (fabs(sys_offset) >= 1.0) {
        if (LCL_ApplyStepOffset(sys_offset))
-          LOG(LOGS_INFO, LOGF_RtcLinux, "Set system time, error in RTC = %f",
+          LOG(LOGS_INFO, LOGF_RtcLinux, "System time set from RTC");
              accumulated_error);
      }
    } else {
      LOG(LOGS_WARN, LOGF_RtcLinux, "Could not convert RTC reading to seconds since 1/1/1970");
      return 0;
    }
  } else {
@@ -1092,7 +1092,8 @@ RTC_Linux_Trim(void)
  if (fabs(coef_seconds_fast) > 1.0) {
-    LOG(LOGS_INFO, LOGF_RtcLinux, "Trimming RTC, error = %.3f seconds", coef_seconds_fast);
+    LOG(LOGS_INFO, LOGF_RtcLinux, "RTC wrong by %.3f seconds (step)",
        coef_seconds_fast);
    /* Do processing to set clock.  Let R be the value we set the
       RTC to, then in 500ms the RTC ticks (R+1) (see comments in
@@ -1117,10 +1118,8 @@ RTC_Linux_Trim(void)
    coef_ref_time = now.tv_sec;
    /* And start rapid sampling, interrupts on now */
    if (timeout_running) {
    SCH_RemoveTimeout(timeout_id);
-      timeout_running = 0;
+    timeout_id = 0;
    }
    switch_interrupts(1);
  }
--- a/rtc_linux.h
+++ b/rtc_linux.h
@@ -30,7 +30,7 @@
 extern int RTC_Linux_Initialise(void);
 extern void RTC_Linux_Finalise(void);
-extern int RTC_Linux_TimePreInit(void);
+extern int RTC_Linux_TimePreInit(time_t driftile_time);
 extern void RTC_Linux_TimeInit(void (*after_hook)(void *), void *anything);
 extern void RTC_Linux_StartMeasurements(void);
--- a/sched.c
+++ b/sched.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2011, 2013-2014
+ * Copyright (C) Miroslav Lichvar  2011, 2013-2015
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -150,8 +150,6 @@ SCH_Initialise(void)
  LCL_ReadRawTime(&last_select_ts_raw);
  last_select_ts = last_select_ts_raw;
  srandom(last_select_ts.tv_sec << 16 ^ last_select_ts.tv_usec);
  initialised = 1;
 }
@@ -278,6 +276,26 @@ release_tqe(TimerQueueEntry *node)
 /* ================================================== */
 static SCH_TimeoutID
 get_new_tqe_id(void)
 {
  TimerQueueEntry *ptr;
 try_again:
  next_tqe_id++;
  if (!next_tqe_id)
    goto try_again;
  /* Make sure the ID isn't already used */
  for (ptr = timer_queue.next; ptr != &timer_queue; ptr = ptr->next)
    if (ptr->id == next_tqe_id)
      goto try_again;
  return next_tqe_id;
 }
 /* ================================================== */
 SCH_TimeoutID
 SCH_AddTimeout(struct timeval *tv, SCH_TimeoutHandler handler, SCH_ArbitraryArgument arg)
 {
@@ -288,7 +306,7 @@ SCH_AddTimeout(struct timeval *tv, SCH_TimeoutHandler handler, SCH_ArbitraryArgu
  new_tqe = allocate_tqe();
-  new_tqe->id = next_tqe_id++;
+  new_tqe->id = get_new_tqe_id();
  new_tqe->handler = handler;
  new_tqe->arg = arg;
  new_tqe->tv = *tv;
@@ -356,7 +374,10 @@ SCH_AddTimeoutInClass(double min_delay, double separation, double randomness,
  assert(class < SCH_NumberOfClasses);
  if (randomness > 0.0) {
-    r = random() % 0xffff / (0xffff - 1.0) * randomness + 1.0;
+    uint16_t rnd;
    UTI_GetRandomBytes(&rnd, sizeof (rnd));
    r = rnd / (double)0xffff * randomness + 1.0;
    min_delay *= r;
    separation *= r;
  }
@@ -397,7 +418,7 @@ SCH_AddTimeoutInClass(double min_delay, double separation, double randomness,
  /* We have located the insertion point */
  new_tqe = allocate_tqe();
-  new_tqe->id = next_tqe_id++;
+  new_tqe->id = get_new_tqe_id();
  new_tqe->handler = handler;
  new_tqe->arg = arg;
  UTI_AddDoubleToTimeval(&now, new_min_delay, &new_tqe->tv);
@@ -421,6 +442,9 @@ SCH_RemoveTimeout(SCH_TimeoutID id)
  assert(initialised);
  if (!id)
    return;
  for (ptr = timer_queue.next; ptr != &timer_queue; ptr = ptr->next) {
    if (ptr->id == id) {
@@ -436,9 +460,12 @@ SCH_RemoveTimeout(SCH_TimeoutID id)
      /* Release memory back to the operating system */
      release_tqe(ptr);
-      break;
+      return;
    }
  }
  /* Catch calls with invalid non-zero ID */
  assert(0);
 }
 /* ================================================== */
--- a/sched.h
+++ b/sched.h
@@ -29,7 +29,8 @@
 #include "sysincl.h"
-typedef unsigned long SCH_TimeoutID;
+/* Type for timeout IDs, valid IDs are always greater than zero */
 typedef unsigned int SCH_TimeoutID;
 typedef enum {
  SCH_ReservedTimeoutValue = 0,
--- a/sources.c
+++ b/sources.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2011-2014
+ * Copyright (C) Miroslav Lichvar  2011-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -118,7 +118,7 @@ struct SRC_Instance_Record {
  SRC_Type type;
  /* Options used when selecting sources */ 
-  SRC_SelectOption sel_option;
+  int sel_options;
  /* Score against currently selected source */
  double sel_score;
@@ -209,7 +209,7 @@ void SRC_Finalise(void)
 /* Function to create a new instance.  This would be called by one of
   the individual source-type instance creation routines. */
-SRC_Instance SRC_CreateNewInstance(uint32_t ref_id, SRC_Type type, SRC_SelectOption sel_option, IPAddr *addr, int min_samples, int max_samples)
+SRC_Instance SRC_CreateNewInstance(uint32_t ref_id, SRC_Type type, int sel_options, IPAddr *addr, int min_samples, int max_samples)
 {
  SRC_Instance result;
@@ -241,7 +241,7 @@ SRC_Instance SRC_CreateNewInstance(uint32_t ref_id, SRC_Type type, SRC_SelectOpt
  result->index = n_sources;
  result->type = type;
-  result->sel_option = sel_option;
+  result->sel_options = sel_options;
  SRC_SetRefid(result, ref_id, addr);
  SRC_ResetInstance(result);
@@ -414,7 +414,7 @@ SRC_UpdateReachability(SRC_Instance inst, int reachable)
 {
  inst->reachability <<= 1;
  inst->reachability |= !!reachable;
-  inst->reachability &= ~(-1 << SOURCE_REACH_BITS);
+  inst->reachability %= 1U << SOURCE_REACH_BITS;
  if (inst->reachability_size < SOURCE_REACH_BITS)
      inst->reachability_size++;
@@ -602,8 +602,9 @@ SRC_SelectSource(SRC_Instance updated_inst)
  struct SelectInfo *si;
  struct timeval now, ref_time;
  int i, j, j1, j2, index, sel_prefer, n_endpoints, n_sel_sources;
-  int n_badstats_sources, max_sel_reach, max_badstat_reach;
+  int n_badstats_sources, max_sel_reach, max_badstat_reach, sel_req_source;
-  int depth, best_depth, combined, stratum, min_stratum, max_score_index;
+  int depth, best_depth, trust_depth, best_trust_depth;
  int combined, stratum, min_stratum, max_score_index;
  double src_offset, src_offset_sd, src_frequency, src_skew;
  double src_root_delay, src_root_dispersion;
  double best_lo, best_hi, distance, sel_src_distance, max_score;
@@ -630,14 +631,20 @@ SRC_SelectSource(SRC_Instance updated_inst)
  n_endpoints = 0;
  n_sel_sources = 0;
  n_badstats_sources = 0;
  sel_req_source = 0;
  max_sel_reach = max_badstat_reach = 0;
  max_reach_sample_ago = 0.0;
  for (i = 0; i < n_sources; i++) {
    assert(sources[i]->status != SRC_OK);
    /* If some sources are specified with the require option, at least one
       of them will have to be selectable in order to update the clock */
    if (sources[i]->sel_options & SRC_SELECT_REQUIRE)
      sel_req_source = 1;
    /* Ignore sources which were added with the noselect option */
-    if (sources[i]->sel_option == SRC_SelectNoselect) {
+    if (sources[i]->sel_options & SRC_SELECT_NOSELECT) {
      sources[i]->status = SRC_UNSELECTABLE;
      continue;
    }
@@ -741,6 +748,7 @@ SRC_SelectSource(SRC_Instance updated_inst)
         <===========>
     we will build the interval as shown with '=', whereas with an extra source we get
     <----------------------->
        <------->
         <-->
@@ -750,8 +758,12 @@ SRC_SelectSource(SRC_Instance updated_inst)
     The first case is just bad luck - we need extra sources to
     detect the falseticker, so just make an arbitrary choice based
     on stratum & stability etc.
     Intervals from sources specified with the trust option have higher
     priority in the search.
     */
  trust_depth = best_trust_depth = 0;
  depth = best_depth = 0;
  best_lo = best_hi = 0.0;
@@ -759,14 +771,20 @@ SRC_SelectSource(SRC_Instance updated_inst)
    switch (sort_list[i].tag) {
      case LOW:
        depth++;
-        if (depth > best_depth) {
+        if (sources[sort_list[i].index]->sel_options & SRC_SELECT_TRUST)
          trust_depth++;
        if (trust_depth > best_trust_depth ||
            (trust_depth == best_trust_depth && depth > best_depth)) {
          best_trust_depth = trust_depth;
          best_depth = depth;
          best_lo = sort_list[i].offset;
        }
        break;
      case HIGH:
-        if (depth == best_depth)
+        if (trust_depth == best_trust_depth && depth == best_depth)
          best_hi = sort_list[i].offset;
        if (sources[sort_list[i].index]->sel_options & SRC_SELECT_TRUST)
          trust_depth--;
        depth--;
        break;
      default:
@@ -774,9 +792,9 @@ SRC_SelectSource(SRC_Instance updated_inst)
    }
  }
-  if (best_depth <= n_sel_sources / 2) {
+  if (best_depth <= n_sel_sources / 2 && !best_trust_depth) {
-    /* Could not even get half the reachable sources to agree -
+    /* Could not even get half the reachable sources to agree and there
-       clearly we can't synchronise. */
+       are no trusted sources - clearly we can't synchronise */
    if (selected_source_index != INVALID_SOURCE) {
      log_selection_message("Can't synchronise: no majority", NULL);
@@ -797,28 +815,35 @@ SRC_SelectSource(SRC_Instance updated_inst)
  n_sel_sources = 0;
  for (i = 0; i < n_sources; i++) {
    /* This should be the same condition to get into the endpoint
       list */
    if (sources[i]->status != SRC_OK)
      continue;
-    /* This should be the same condition to get into the endpoint
+    /* Check if source's interval contains the best interval, or is wholly
-       list */
+       contained within it.  If there are any trusted sources the first
-    /* Check if source's interval contains the best interval, or
+       condition is applied only to them to not allow non-trusted sources to
-       is wholly contained within it */
+       move the final offset outside the interval. */
-    if ((sources[i]->sel_info.lo_limit <= best_lo &&
+    if (((!best_trust_depth || sources[i]->sel_options & SRC_SELECT_TRUST) &&
         sources[i]->sel_info.lo_limit <= best_lo &&
         sources[i]->sel_info.hi_limit >= best_hi) ||
        (sources[i]->sel_info.lo_limit >= best_lo &&
         sources[i]->sel_info.hi_limit <= best_hi)) {
      sel_sources[n_sel_sources++] = i;
      if (sources[i]->sel_options & SRC_SELECT_REQUIRE)
        sel_req_source = 0;
    } else {
      sources[i]->status = SRC_FALSETICKER;
    }
  }
-  if (n_sel_sources == 0 || n_sel_sources < CNF_GetMinSources()) {
+  if (!n_sel_sources || sel_req_source || n_sel_sources < CNF_GetMinSources()) {
    if (selected_source_index != INVALID_SOURCE) {
      log_selection_message("Can't synchronise: %s selectable sources",
-                            n_sel_sources ? "not enough" : "no");
+                            !n_sel_sources ? "no" :
                            sel_req_source ? "no required source in" : "not enough");
      selected_source_index = INVALID_SOURCE;
    }
    mark_ok_sources(SRC_WAITS_SOURCES);
@@ -844,12 +869,12 @@ SRC_SelectSource(SRC_Instance updated_inst)
  /* If there are any sources with prefer option, reduce the list again
     only to the preferred sources */
  for (i = 0; i < n_sel_sources; i++) {
-    if (sources[sel_sources[i]]->sel_option == SRC_SelectPrefer)
+    if (sources[sel_sources[i]]->sel_options & SRC_SELECT_PREFER)
      break;
  }
  if (i < n_sel_sources) {
    for (i = j = 0; i < n_sel_sources; i++) {
-      if (sources[sel_sources[i]]->sel_option != SRC_SelectPrefer)
+      if (!(sources[sel_sources[i]]->sel_options & SRC_SELECT_PREFER))
        sources[sel_sources[i]]->status = SRC_NONPREFERRED;
      else
        sel_sources[j++] = sel_sources[i];
@@ -885,7 +910,7 @@ SRC_SelectSource(SRC_Instance updated_inst)
  for (i = 0; i < n_sources; i++) {
    /* Reset score for non-selectable sources */
    if (sources[i]->status != SRC_OK ||
-        (sel_prefer && sources[i]->sel_option != SRC_SelectPrefer)) {
+        (sel_prefer && !(sources[i]->sel_options & SRC_SELECT_PREFER))) {
      sources[i]->sel_score = 1.0;
      sources[i]->distant = DISTANT_PENALTY;
      continue;
@@ -1255,20 +1280,7 @@ SRC_ReportSource(int index, RPT_SourceReport *report, struct timeval *now)
        break;
    }
-    switch (src->sel_option) {
+    report->sel_options = src->sel_options;
      case SRC_SelectNormal:
        report->sel_option = RPT_NORMAL;
        break;
      case SRC_SelectPrefer:
        report->sel_option = RPT_PREFER;
        break;
      case SRC_SelectNoselect:
        report->sel_option = RPT_NOSELECT;
        break;
      default:
        assert(0);
    }
    report->reachability = src->reachability;
    /* Call stats module to fill out estimates */
--- a/sources.h
+++ b/sources.h
@@ -55,17 +55,10 @@ typedef enum {
  SRC_REFCLOCK                  /* Rerefence clock */
 } SRC_Type;
 /* Options used when selecting sources */ 
 typedef enum {
  SRC_SelectNormal,
  SRC_SelectNoselect,
  SRC_SelectPrefer
 } SRC_SelectOption;
 /* Function to create a new instance.  This would be called by one of
   the individual source-type instance creation routines. */
-extern SRC_Instance SRC_CreateNewInstance(uint32_t ref_id, SRC_Type type, SRC_SelectOption sel_option, IPAddr *addr, int min_samples, int max_samples);
+extern SRC_Instance SRC_CreateNewInstance(uint32_t ref_id, SRC_Type type, int sel_options, IPAddr *addr, int min_samples, int max_samples);
 /* Function to get rid of a source when it is being unconfigured.
   This may cause the current reference source to be reselected, if this
--- a/sourcestats.c
+++ b/sourcestats.c
@@ -845,7 +845,7 @@ SST_DoSourceReport(SST_Stats inst, RPT_SourceReport *report, struct timeval *now
    UTI_DiffTimevals(&ago, now, &inst->sample_times[i]);
    report->latest_meas_ago = ago.tv_sec;
  } else {
-    report->latest_meas_ago = 86400 * 365 * 10;
+    report->latest_meas_ago = (uint32_t)-1;
    report->orig_latest_meas = 0;
    report->latest_meas = 0;
    report->latest_meas_err = 0;
--- a/srcparams.h
+++ b/srcparams.h
@@ -42,11 +42,11 @@ typedef struct {
  int max_sources;
  int min_samples;
  int max_samples;
  int sel_options;
  uint32_t authkey;
  double max_delay;
  double max_delay_ratio;
  double max_delay_dev_ratio;
  SRC_SelectOption sel_option;
 } SourceParameters;
 #define SRC_DEFAULT_PORT 123
@@ -63,4 +63,10 @@ typedef struct {
 #define SRC_DEFAULT_MAXSAMPLES (-1)
 #define INACTIVE_AUTHKEY 0
 /* Flags for source selection */
 #define SRC_SELECT_NOSELECT 0x1
 #define SRC_SELECT_PREFER 0x2
 #define SRC_SELECT_TRUST 0x4
 #define SRC_SELECT_REQUIRE 0x8
 #endif /* GOT_SRCPARAMS_H */
--- a/stubs.c
+++ b/stubs.c
@@ -38,13 +38,12 @@
 #include "ntp_core.h"
 #include "ntp_io.h"
 #include "ntp_sources.h"
 #include "privops.h"
 #include "refclock.h"
 #include "sched.h"
 #ifndef FEAT_ASYNCDNS
 #define MAX_ADDRESSES 16
 /* This is a blocking implementation used when asynchronous resolving is not available */
 struct DNS_Async_Instance {
@@ -57,14 +56,14 @@ static void
 resolve_name(void *anything)
 {
  struct DNS_Async_Instance *inst;
-  IPAddr addrs[MAX_ADDRESSES];
+  IPAddr addrs[DNS_MAX_ADDRESSES];
  DNS_Status status;
  int i;
  inst = (struct DNS_Async_Instance *)anything;
-  status = DNS_Name2IPAddress(inst->name, addrs, MAX_ADDRESSES);
+  status = PRV_Name2IPAddress(inst->name, addrs, DNS_MAX_ADDRESSES);
-  for (i = 0; status == DNS_Success && i < MAX_ADDRESSES &&
+  for (i = 0; status == DNS_Success && i < DNS_MAX_ADDRESSES &&
       addrs[i].family != IPADDR_UNSPEC; i++)
    ;
--- a/sys.c
+++ b/sys.c
@@ -36,8 +36,6 @@
 #include "sys_linux.h"
 #elif defined(SOLARIS)
 #include "sys_solaris.h"
 #elif defined(SUNOS)
 #include "sys_sunos.h"
 #elif defined(NETBSD) || defined(FREEBSD)
 #include "sys_netbsd.h"
 #elif defined(MACOSX)
@@ -53,8 +51,6 @@ SYS_Initialise(void)
  SYS_Linux_Initialise();
 #elif defined(SOLARIS)
  SYS_Solaris_Initialise();
 #elif defined(SUNOS)
  SYS_SunOS_Initialise();
 #elif defined(NETBSD) || defined(FREEBSD)
  SYS_NetBSD_Initialise();
 #elif defined(MACOSX)
@@ -73,8 +69,6 @@ SYS_Finalise(void)
  SYS_Linux_Finalise();
 #elif defined(SOLARIS)
  SYS_Solaris_Finalise();
 #elif defined(SUNOS)
  SYS_SunOS_Finalise();
 #elif defined(NETBSD) || defined(FREEBSD)
  SYS_NetBSD_Finalise();
 #elif defined(MACOSX)
@@ -90,8 +84,12 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
 {
 #if defined(LINUX) && defined (FEAT_PRIVDROP)
  SYS_Linux_DropRoot(uid, gid);
-#elif defined(NETBSD) && defined(FEAT_PRIVDROP)
+#elif defined(SOLARIS) && defined(FEAT_PRIVDROP)
  SYS_Solaris_DropRoot(uid, gid);
 #elif (defined(NETBSD) || defined(FREEBSD)) && defined(FEAT_PRIVDROP)
  SYS_NetBSD_DropRoot(uid, gid);
 #elif defined(MACOSX) && defined(FEAT_PRIVDROP)
  SYS_MacOSX_DropRoot(uid, gid);
 #else
  LOG_FATAL(LOGF_Sys, "dropping root privileges not supported");
 #endif
--- a/sys_generic.c
+++ b/sys_generic.c
@@ -34,6 +34,7 @@
 #include "local.h"
 #include "localp.h"
 #include "logging.h"
 #include "privops.h"
 #include "sched.h"
 #include "util.h"
@@ -76,9 +77,8 @@ static struct timeval slew_start;
 #define MIN_SLEW_TIMEOUT 1.0
 #define MAX_SLEW_TIMEOUT 1.0e4
-/* Scheduler timeout ID and flag if the timer is currently running */
+/* Scheduler timeout ID for ending of the currently running slew */
 static SCH_TimeoutID slew_timeout_id;
 static int slew_timer_running;
 /* Suggested offset correction rate (correction time * offset) */
 static double correction_rate;
@@ -173,7 +173,6 @@ update_slew(void)
  double old_slew_freq, total_freq, corr_freq, duration;
  /* Remove currently running timeout */
  if (slew_timer_running)
  SCH_RemoveTimeout(slew_timeout_id);
  LCL_ReadRawTime(&now);
@@ -245,9 +244,7 @@ update_slew(void)
  /* Restart timer for the next update */
  UTI_AddDoubleToTimeval(&now, duration, &end_of_slew);
  slew_timeout_id = SCH_AddTimeout(&end_of_slew, handle_end_of_slew, NULL);
  slew_start = now;
  slew_timer_running = 1;
  DEBUG_LOG(LOGF_SysGeneric, "slew offset=%e corr_rate=%e base_freq=%f total_freq=%f slew_freq=%e duration=%f slew_error=%e",
      offset_register, correction_rate, base_freq, total_freq, slew_freq,
@@ -259,7 +256,7 @@ update_slew(void)
 static void
 handle_end_of_slew(void *anything)
 {
-  slew_timer_running = 0;
+  slew_timeout_id = 0;
  update_slew();
 }
@@ -333,7 +330,7 @@ apply_step_offset(double offset)
  LCL_ReadRawTime(&old_time);
  UTI_AddDoubleToTimeval(&old_time, -offset, &new_time);
-  if (settimeofday(&new_time, NULL) < 0) {
+  if (PRV_SetTime(&new_time, NULL) < 0) {
    DEBUG_LOG(LOGF_SysGeneric, "settimeofday() failed");
    return 0;
  }
@@ -410,10 +407,9 @@ SYS_Generic_Finalise(void)
  /* Must *NOT* leave a slew running - clock could drift way off
     if the daemon is not restarted */
-  if (slew_timer_running) {
+
  SCH_RemoveTimeout(slew_timeout_id);
-    slew_timer_running = 0;
+  slew_timeout_id = 0;
  }
  (*drv_set_freq)(clamp_freq(base_freq));
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -45,7 +45,6 @@
 #ifdef FEAT_PRIVDROP
 #include <sys/prctl.h>
 #include <sys/capability.h>
 #include <grp.h>
 #endif
 #ifdef FEAT_SCFILTER
@@ -66,6 +65,8 @@
 #include "sys_timex.h"
 #include "conf.h"
 #include "logging.h"
 #include "privops.h"
 #include "util.h"
 /* Frequency scale to convert from ppm to the timex freq */
 #define FREQ_SCALE (double)(1 << 16)
@@ -403,25 +404,20 @@ SYS_Linux_Finalise(void)
 void
 SYS_Linux_DropRoot(uid_t uid, gid_t gid)
 {
  const char *cap_text;
  cap_t cap;
  if (prctl(PR_SET_KEEPCAPS, 1)) {
    LOG_FATAL(LOGF_SysLinux, "prctl() failed");
  }
-  if (setgroups(0, NULL)) {
+  UTI_DropRoot(uid, gid);
    LOG_FATAL(LOGF_SysLinux, "setgroups() failed");
  }
-  if (setgid(gid)) {
+  /* Keep CAP_NET_BIND_SERVICE only if NTP port can be opened */
-    LOG_FATAL(LOGF_SysLinux, "setgid(%d) failed", gid);
+  cap_text = CNF_GetNTPPort() ?
-  }
+             "cap_net_bind_service,cap_sys_time=ep" : "cap_sys_time=ep";
-  if (setuid(uid)) {
+  if ((cap = cap_from_text(cap_text)) == NULL) {
    LOG_FATAL(LOGF_SysLinux, "setuid(%d) failed", uid);
  }
  if ((cap = cap_from_text("cap_net_bind_service,cap_sys_time=ep")) == NULL) {
    LOG_FATAL(LOGF_SysLinux, "cap_from_text() failed");
  }
@@ -430,8 +426,6 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid)
  }
  cap_free(cap);
  DEBUG_LOG(LOGF_SysLinux, "Root dropped to uid %d gid %d", uid, gid);
 }
 #endif
@@ -460,15 +454,17 @@ SYS_Linux_EnableSystemCallFilter(int level)
    SCMP_SYS(adjtimex), SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday),
    SCMP_SYS(time),
    /* Process */
-    SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group),
+    SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getrlimit),
-    SCMP_SYS(rt_sigreturn), SCMP_SYS(sigreturn),
+    SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
    SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), SCMP_SYS(wait4),
    /* Memory */
    SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
-    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+    SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
    /* Filesystem */
-    SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32), SCMP_SYS(fstat),
+    SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32),
-    SCMP_SYS(fstat64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
+    SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(lseek), SCMP_SYS(rename),
-    SCMP_SYS(stat64), SCMP_SYS(unlink),
+    SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64),
    SCMP_SYS(unlink),
    /* Socket */
    SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname),
    SCMP_SYS(recvfrom), SCMP_SYS(recvmsg), SCMP_SYS(sendmmsg),
@@ -502,7 +498,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
  const static int fcntls[] = { F_GETFD, F_SETFD };
  const static unsigned long ioctls[] = {
-    FIONREAD,
+    FIONREAD, TCGETS,
 #ifdef FEAT_PPS
    PTP_SYS_OFFSET,
 #endif
@@ -520,6 +516,12 @@ SYS_Linux_EnableSystemCallFilter(int level)
  /* Check if the chronyd configuration is supported */
  check_seccomp_applicability();
  /* Start the helper process, which will run without any seccomp filter.  It
     will be used for getaddrinfo(), for which it's difficult to maintain a
     list of required system calls (with glibc it depends on what NSS modules
     are installed and enabled on the system). */
  PRV_StartHelper();
  ctx = seccomp_init(level > 0 ? SCMP_ACT_KILL : SCMP_ACT_TRAP);
  if (ctx == NULL)
      LOG_FATAL(LOGF_SysLinux, "Failed to initialize seccomp");
@@ -563,7 +565,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
  }
  if (seccomp_load(ctx) < 0)
-      LOG(LOGS_INFO, LOGF_SysLinux, "Failed to load seccomp rules");
+    LOG_FATAL(LOGF_SysLinux, "Failed to load seccomp rules");
  LOG(LOGS_INFO, LOGF_SysLinux, "Loaded seccomp filter");
  seccomp_release(ctx);
--- a/sys_macosx.c
+++ b/sys_macosx.c
@@ -31,25 +31,18 @@
 #ifdef MACOSX
-#include <sys/sysctl.h>
+#include "sysincl.h"
 #include <sys/time.h>
 #include <nlist.h>
 #include <fcntl.h>
 #include <assert.h>
 #include <sys/time.h>
 #include <stdio.h>
 #include <signal.h>
 #include <mach/mach.h>
 #include <mach/mach_time.h>
 #include <pthread.h>
 #include "sys_macosx.h"
 #include "conf.h"
 #include "localp.h"
 #include "sched.h"
 #include "logging.h"
 #include "sched.h"
 #include "privops.h"
 #include "util.h"
 /* ================================================== */
@@ -96,6 +89,11 @@ static struct timeval Tdrift;
 #define NANOS_PER_MSEC (1000000ULL)
 /* RTC synchronisation - once an hour */
 static struct timeval last_rtc_sync;
 #define RTC_SYNC_INTERVAL (60 * 60.0)
 /* ================================================== */
 static void
@@ -113,11 +111,12 @@ clock_initialise(void)
    LOG_FATAL(LOGF_SysMacOSX, "gettimeofday() failed");
  }
  Tdrift = T0;
  last_rtc_sync = T0;
  newadj.tv_sec = 0;
  newadj.tv_usec = 0;
-  if (adjtime(&newadj, &oldadj) < 0) {
+  if (PRV_AdjustTime(&newadj, &oldadj) < 0) {
    LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
  }
 }
@@ -169,7 +168,7 @@ start_adjust(void)
  UTI_TimevalToDouble(&newadj, &adjustment_requested);
  rounding_error = adjust_required - adjustment_requested;
-  if (adjtime(&newadj, &oldadj) < 0) {
+  if (PRV_AdjustTime(&newadj, &oldadj) < 0) {
    LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
  }
@@ -193,7 +192,7 @@ stop_adjust(void)
  zeroadj.tv_sec = 0;
  zeroadj.tv_usec = 0;
-  if (adjtime(&zeroadj, &remadj) < 0) {
+  if (PRV_AdjustTime(&zeroadj, &remadj) < 0) {
    LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
  }
@@ -244,12 +243,12 @@ apply_step_offset(double offset)
  UTI_AddDoubleToTimeval(&old_time, -offset, &new_time);
-  if (settimeofday(&new_time, NULL) < 0) {
+  if (PRV_SetTime(&new_time, NULL) < 0) {
    DEBUG_LOG(LOGF_SysMacOSX, "settimeofday() failed");
    return 0;
  }
-  UTI_AddDoubleToTimeval(&T0, offset, &T1);
+  UTI_AddDoubleToTimeval(&T0, -offset, &T1);
  T0 = T1;
  start_adjust();
@@ -294,7 +293,6 @@ get_offset_correction(struct timeval *raw,
 /* Cancel systematic drift */
 static int drift_removal_running = 0;
 static SCH_TimeoutID drift_removal_id;
 /* ================================================== */
@@ -326,7 +324,8 @@ drift_removal_timeout(SCH_ArbitraryArgument not_used)
 /* ================================================== */
-/* use est_error to calculate the drift_removal_interval */
+/* use est_error to calculate the drift_removal_interval and
   update the RTC */
 static void
 set_sync_status(int synchronised, double est_error, double max_error)
@@ -336,6 +335,20 @@ set_sync_status(int synchronised, double est_error, double max_error)
  if (!synchronised) {
    drift_removal_interval = MAX(drift_removal_interval, DRIFT_REMOVAL_INTERVAL);
  } else {
    if (CNF_GetRtcSync()) {
      struct timeval now;
      double rtc_sync_elapsed;
      SCH_GetLastEventTime(NULL, NULL, &now);
      UTI_DiffTimevalsToDouble(&rtc_sync_elapsed, &now, &last_rtc_sync);
      if (fabs(rtc_sync_elapsed) >= RTC_SYNC_INTERVAL) {
        /* update the RTC by applying a step of 0.0 secs */
        apply_step_offset(0.0);
        last_rtc_sync = now;
        DEBUG_LOG(LOGF_SysMacOSX, "rtc synchronised");
      }
    }
    interval = ERROR_WEIGHT * est_error / (fabs(current_freq) + FREQUENCY_RES);
    drift_removal_interval = MAX(interval, DRIFT_REMOVAL_INTERVAL_MIN);
@@ -401,6 +414,17 @@ SYS_MacOSX_SetScheduler(int SchedPriority)
 /* ================================================== */
 #ifdef FEAT_PRIVDROP
 void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
 {
  PRV_StartHelper();
  UTI_DropRoot(uid, gid);
 }
 #endif
 /* ================================================== */
 void
 SYS_MacOSX_Initialise(void)
 {
@@ -414,7 +438,6 @@ SYS_MacOSX_Initialise(void)
  drift_removal_id = SCH_AddTimeoutByDelay(drift_removal_interval, drift_removal_timeout, NULL);
  drift_removal_running = 1;
 }
 /* ================================================== */
@@ -422,9 +445,7 @@ SYS_MacOSX_Initialise(void)
 void
 SYS_MacOSX_Finalise(void)
 {
  if (drift_removal_running) {
  SCH_RemoveTimeout(drift_removal_id);
  }
  clock_finalise();
 }
--- a/sys_macosx.h
+++ b/sys_macosx.h
@@ -31,6 +31,7 @@
 #define GOT_SYS_MACOSX_H
 void SYS_MacOSX_SetScheduler(int SchedPriority);
 void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
 void SYS_MacOSX_Initialise(void);
 void SYS_MacOSX_Finalise(void);
--- a/sys_netbsd.c
+++ b/sys_netbsd.c
@@ -23,7 +23,7 @@
  =======================================================================
-  Driver file for the NetBSD operating system.
+  Driver file for the NetBSD and FreeBSD operating system.
  */
 #include "config.h"
@@ -33,6 +33,7 @@
 #include "sys_netbsd.h"
 #include "sys_timex.h"
 #include "logging.h"
 #include "privops.h"
 #include "util.h"
 /* Maximum frequency offset accepted by the kernel (in ppm) */
@@ -62,14 +63,14 @@ accrue_offset(double offset, double corr_rate)
  UTI_DoubleToTimeval(-offset, &newadj);
-  if (adjtime(&newadj, &oldadj) < 0)
+  if (PRV_AdjustTime(&newadj, &oldadj) < 0)
    LOG_FATAL(LOGF_SysNetBSD, "adjtime() failed");
  /* Add the old remaining adjustment if not zero */
  UTI_TimevalToDouble(&oldadj, &offset);
  if (offset != 0.0) {
    UTI_AddDoubleToTimeval(&newadj, offset, &newadj);
-    if (adjtime(&newadj, NULL) < 0)
+    if (PRV_AdjustTime(&newadj, NULL) < 0)
      LOG_FATAL(LOGF_SysNetBSD, "adjtime() failed");
  }
 }
@@ -83,7 +84,7 @@ get_offset_correction(struct timeval *raw,
  struct timeval remadj;
  double adjustment_remaining;
-  if (adjtime(NULL, &remadj) < 0)
+  if (PRV_AdjustTime(NULL, &remadj) < 0)
    LOG_FATAL(LOGF_SysNetBSD, "adjtime() failed");
  UTI_TimevalToDouble(&remadj, &adjustment_remaining);
@@ -122,23 +123,22 @@ SYS_NetBSD_Finalise(void)
 void
 SYS_NetBSD_DropRoot(uid_t uid, gid_t gid)
 {
 #ifdef NETBSD
  int fd;
 #endif
-  if (setgroups(0, NULL))
+  /* On NetBSD the helper is used only for socket binding, but on FreeBSD
-    LOG_FATAL(LOGF_SysNetBSD, "setgroups() failed : %s", strerror(errno));
+     it's used also for setting and adjusting the system clock */
  PRV_StartHelper();
-  if (setgid(gid))
+  UTI_DropRoot(uid, gid);
    LOG_FATAL(LOGF_SysNetBSD, "setgid(%d) failed : %s", gid, strerror(errno));
  if (setuid(uid))
    LOG_FATAL(LOGF_SysNetBSD, "setuid(%d) failed : %s", uid, strerror(errno));
  DEBUG_LOG(LOGF_SysNetBSD, "Root dropped to uid %d gid %d", uid, gid);
 #ifdef NETBSD
  /* Check if we have write access to /dev/clockctl */
  fd = open("/dev/clockctl", O_WRONLY);
  if (fd < 0)
    LOG_FATAL(LOGF_SysNetBSD, "Can't write to /dev/clockctl");
  close(fd);
 #endif
 }
 #endif
--- a/sys_solaris.c
+++ b/sys_solaris.c
@@ -28,8 +28,10 @@
 #include "sysincl.h"
 #include "privops.h"
 #include "sys_solaris.h"
 #include "sys_timex.h"
 #include "util.h"
 /* ================================================== */
@@ -37,7 +39,8 @@ void
 SYS_Solaris_Initialise(void)
 {
  /* The kernel allows the frequency to be set in the full range off int32_t */
-  SYS_Timex_InitialiseWithFunctions(32500, 1.0 / 100, NULL, NULL, NULL);
+  SYS_Timex_InitialiseWithFunctions(32500, 1.0 / 100, NULL, NULL, NULL,
                                    0.0, 0.0, NULL, NULL);
 }
 /* ================================================== */
@@ -47,3 +50,14 @@ SYS_Solaris_Finalise(void)
 {
  SYS_Timex_Finalise();
 }
 /* ================================================== */
 #ifdef FEAT_PRIVDROP
 void
 SYS_Solaris_DropRoot(uid_t uid, gid_t gid)
 {
  PRV_StartHelper();
  UTI_DropRoot(uid, gid);
 }
 #endif
--- a/sys_solaris.h
+++ b/sys_solaris.h
@@ -31,4 +31,6 @@ void SYS_Solaris_Initialise(void);
 void SYS_Solaris_Finalise(void);
 void SYS_Solaris_DropRoot(uid_t uid, gid_t gid);
 #endif
--- a/sys_timex.c
+++ b/sys_timex.c
@@ -30,10 +30,15 @@
 #include "sysincl.h"
 #include "conf.h"
 #include "privops.h"
 #include "sys_generic.h"
 #include "sys_timex.h"
 #include "logging.h"
 #ifdef PRIVOPS_ADJUSTTIMEX
 #define NTP_ADJTIME PRV_AdjustTimex
 #define NTP_ADJTIME_NAME "ntp_adjtime"
 #else
 #ifdef LINUX
 #define NTP_ADJTIME adjtimex
 #define NTP_ADJTIME_NAME "adjtimex"
@@ -41,6 +46,7 @@
 #define NTP_ADJTIME ntp_adjtime
 #define NTP_ADJTIME_NAME "ntp_adjtime"
 #endif
 #endif
 /* Maximum frequency offset accepted by the kernel (in ppm) */
 #define MAX_FREQ 500.0
--- a/sys_timex.h
+++ b/sys_timex.h
@@ -27,8 +27,6 @@
 #ifndef GOT_SYS_TIMEX_H
 #define GOT_SYS_TIMEX_H
 #include <sys/timex.h>
 #include "localp.h"
 extern void SYS_Timex_Initialise(void);
--- a/sysincl.h
+++ b/sysincl.h
@@ -35,6 +35,7 @@
 #include <fcntl.h>
 #include <float.h>
 #include <glob.h>
 #include <grp.h>
 #include <math.h>
 #include <netdb.h>
 #include <netinet/in.h>
@@ -53,10 +54,15 @@
 #include <sys/types.h>
 #include <sys/un.h>
 #include <sys/shm.h>
 #include <sys/wait.h>
 #include <syslog.h>
 #include <time.h>
 #include <unistd.h>
 #if defined(LINUX) || defined(FREEBSD) || defined(NETBSD) || defined(SOLARIS)
 #include <sys/timex.h>
 #endif
 #ifdef HAVE_INTTYPES_H
 #include <inttypes.h>
 #elif HAVE_STDINT_H
--- a/test/compilation/001-features
+++ b/test/compilation/001-features
@@ -6,12 +6,12 @@ cd ../..
 for opts in \
 	"--enable-debug" \
 	"--enable-scfilter" \
 	"--disable-asyncdns" \
 	"--disable-ipv6" \
 	"--disable-privdrop" \
 	"--disable-readline" \
 	"--disable-rtc" \
 	"--disable-scfilter" \
 	"--disable-sechash" \
 	"--disable-cmdmon" \
 	"--disable-ntp" \
--- a/test/simulation/009-sourceselection
+++ b/test/simulation/009-sourceselection
@@ -35,7 +35,6 @@ base_delay="(+ 1e-3 (equal 0.1 to 2) (equal 0.1 to 3))"
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_packet_interval || test_fail
 check_sync || test_fail
 test_pass
--- a/test/simulation/105-ntpauth
+++ b/test/simulation/105-ntpauth
@@ -39,4 +39,24 @@ check_chronyd_exit || test_fail
 # This check must fail as the client doesn't know the key
 check_sync && test_fail
 check_packet_interval || test_fail
 client_conf="keyfile tmp/keys"
 clients=2
 peers=2
 max_sync_time=300
 base_delay="$default_base_delay (* -1 (equal 0.1 from 3) (equal 0.1 to 1))"
 client_lpeer_options="key 1"
 client_rpeer_options="key 1"
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_sync || test_fail
 client_rpeer_options="key 2"
 run_test || test_fail
 check_chronyd_exit || test_fail
 # This check must fail as the peers are using different keys"
 check_sync && test_fail
 test_pass
--- a/test/simulation/120-selectoptions
+++ b/test/simulation/120-selectoptions
@@ -0,0 +1,68 @@
 #!/bin/bash
 . test.common
 test_start "source selection options"
 servers=3
 falsetickers=2
 base_delay=0.6
 client_server_conf="
 server 192.168.123.1
 server 192.168.123.2
 server 192.168.123.3 trust"
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_packet_interval || test_fail
 check_sync || test_fail
 client_server_conf="
 server 192.168.123.1
 server 192.168.123.2
 server 192.168.123.3 prefer"
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_packet_interval || test_fail
 # This check is expected to fail
 check_sync && test_fail
 base_delay=1.1
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_packet_interval || test_fail
 check_sync || test_fail
 base_delay=$default_base_delay
 falsetickers=1
 client_server_conf="
 server 192.168.123.1
 server 192.168.123.2
 server 192.168.123.3 require"
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_packet_interval || test_fail
 check_sync || test_fail
 client_server_conf="
 server 192.168.123.1 require
 server 192.168.123.2
 server 192.168.123.3"
 run_test || test_fail
 check_chronyd_exit || test_fail
 check_packet_interval || test_fail
 # These checks are expected to fail
 check_source_selection && test_fail
 check_sync && test_fail
 test_pass
--- a/test/simulation/test.common
+++ b/test/simulation/test.common
@@ -69,7 +69,11 @@ default_client_server_conf=""
 default_server_server_options=""
 default_client_server_options=""
 default_server_peer_options=""
 default_server_lpeer_options=""
 default_server_rpeer_options=""
 default_client_peer_options=""
 default_client_lpeer_options=""
 default_client_rpeer_options=""
 default_server_conf=""
 default_client_conf=""
 default_chronyc_conf=""
@@ -189,7 +193,8 @@ get_chronyd_conf() {
 		done
 		for i in $(seq 1 $peers); do
 			[ $i -eq $peer -o $i -gt $servers ] && continue
-			echo "peer 192.168.123.$[$servers * ($stratum - 1) + $i] $server_peer_options"
+			echo -n "peer 192.168.123.$[$servers * ($stratum - 1) + $i] $server_peer_options "
 			[ $i -lt $peer ] && echo "$server_lpeer_options" || echo "$server_rpeer_options"
 		done
 		echo "$server_conf"
 	else
@@ -202,7 +207,8 @@ get_chronyd_conf() {
 		fi
 		for i in $(seq 1 $peers); do
 			[ $i -eq $peer -o $i -gt $clients ] && continue
-			echo "peer 192.168.123.$[$servers * ($stratum - 1) + $i] $client_peer_options"
+			echo -n "peer 192.168.123.$[$servers * ($stratum - 1) + $i] $client_peer_options "
 			[ $i -lt $peer ] && echo "$client_lpeer_options" || echo "$client_rpeer_options"
 		done
 		echo "$client_conf"
 	fi
--- a/util.c
+++ b/util.c
@@ -3,7 +3,7 @@
 **********************************************************************
 * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009, 2012-2015
+ * Copyright (C) Miroslav Lichvar  2009, 2012-2016
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
@@ -352,13 +352,41 @@ UTI_IPToRefid(IPAddr *ip)
        assert(0);
        return 0;
      };
-      return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+      return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
  }
  return 0;
 }
 /* ================================================== */
 uint32_t
 UTI_IPToHash(IPAddr *ip)
 {
  unsigned char *addr;
  unsigned int i, len;
  uint32_t hash;
  switch (ip->family) {
    case IPADDR_INET4:
      addr = (unsigned char *)&ip->addr.in4;
      len = sizeof (ip->addr.in4);
      break;
    case IPADDR_INET6:
      addr = ip->addr.in6;
      len = sizeof (ip->addr.in6);
      break;
    default:
      return 0;
  }
  for (i = 0, hash = 0; i < len; i++)
    hash = 71 * hash + addr[i];
  return hash;
 }
 /* ================================================== */
 void
 UTI_IPHostToNetwork(IPAddr *src, IPAddr *dest)
 {
@@ -566,16 +594,21 @@ UTI_AdjustTimeval(struct timeval *old_tv, struct timeval *when, struct timeval *
 /* ================================================== */
-uint32_t
+void
-UTI_GetNTPTsFuzz(int precision)
+UTI_GetInt64Fuzz(NTP_int64 *ts, int precision)
 {
-  uint32_t fuzz;
+  int start, bits;
  int fuzz_bits;
-  fuzz_bits = 32 - 1 + precision;
+  assert(precision >= -32 && precision <= 32);
  fuzz = random() % (1 << fuzz_bits);
-  return fuzz;
+  start = sizeof (*ts) - (precision + 32 + 7) / 8;
  ts->hi = ts->lo = 0;
  UTI_GetRandomBytes((unsigned char *)ts + start, sizeof (*ts) - start);
  bits = (precision + 32) % 8;
  if (bits)
    ((unsigned char *)ts)[start] %= 1U << bits;
 }
 /* ================================================== */
@@ -608,9 +641,9 @@ UTI_DoubleToInt32(double x)
 void
 UTI_TimevalToInt64(struct timeval *src,
-                   NTP_int64 *dest, uint32_t fuzz)
+                   NTP_int64 *dest, NTP_int64 *fuzz)
 {
-  uint32_t lo, sec, usec;
+  uint32_t hi, lo, sec, usec;
  sec = (uint32_t)src->tv_sec;
  usec = (uint32_t)src->tv_usec;
@@ -618,18 +651,22 @@ UTI_TimevalToInt64(struct timeval *src,
  /* Recognize zero as a special case - it always signifies
     an 'unknown' value */
  if (!usec && !sec) {
-    dest->hi = dest->lo = 0;
+    hi = lo = 0;
  } else {
-    dest->hi = htonl(sec + JAN_1970);
+    hi = htonl(sec + JAN_1970);
    /* This formula gives an error of about 0.1us worst case */
-    lo = 4295 * usec - (usec>>5) - (usec>>9);
+    lo = htonl(4295 * usec - (usec >> 5) - (usec >> 9));
    /* Add the fuzz */
-    lo ^= fuzz;
+    if (fuzz) {
-
+      hi ^= fuzz->hi;
-    dest->lo = htonl(lo);
+      lo ^= fuzz->lo;
    }
  }
  dest->hi = hi;
  dest->lo = lo;
 }
 /* ================================================== */
@@ -759,11 +796,19 @@ UTI_TimevalHostToNetwork(struct timeval *src, Timeval *dest)
 double
 UTI_FloatNetworkToHost(Float f)
 {
-  int32_t exp, coef, x;
+  int32_t exp, coef;
  uint32_t x;
  x = ntohl(f.f);
  exp = (x >> FLOAT_COEF_BITS) - FLOAT_COEF_BITS;
-  coef = x << FLOAT_EXP_BITS >> FLOAT_EXP_BITS;
+  if (exp >= 1 << (FLOAT_EXP_BITS - 1))
      exp -= 1 << FLOAT_EXP_BITS;
  coef = x % (1U << FLOAT_COEF_BITS);
  if (coef >= 1 << (FLOAT_COEF_BITS - 1))
      coef -= 1 << FLOAT_COEF_BITS;
  return coef * pow(2.0, exp);
 }
@@ -820,7 +865,7 @@ UTI_FloatHostToNetwork(double x)
  if (neg)
    coef = (uint32_t)-coef << FLOAT_EXP_BITS >> FLOAT_EXP_BITS;
-  f.f = htonl(exp << FLOAT_COEF_BITS | coef);
+  f.f = htonl((uint32_t)exp << FLOAT_COEF_BITS | coef);
  return f;
 }
@@ -1070,3 +1115,52 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid)
  return 1;
 }
 /* ================================================== */
 void
 UTI_DropRoot(uid_t uid, gid_t gid)
 {
  /* Drop supplementary groups */
  if (setgroups(0, NULL))
    LOG_FATAL(LOGF_Util, "setgroups() failed : %s", strerror(errno));
  /* Set effective, saved and real group ID */
  if (setgid(gid))
    LOG_FATAL(LOGF_Util, "setgid(%d) failed : %s", gid, strerror(errno));
  /* Set effective, saved and real user ID */
  if (setuid(uid))
    LOG_FATAL(LOGF_Util, "setuid(%d) failed : %s", uid, strerror(errno));
  DEBUG_LOG(LOGF_Util, "Dropped root privileges: UID %d GID %d", uid, gid);
 }
 /* ================================================== */
 #define DEV_URANDOM "/dev/urandom"
 void
 UTI_GetRandomBytesUrandom(void *buf, unsigned int len)
 {
  static FILE *f = NULL;
  if (!f)
    f = fopen(DEV_URANDOM, "r");
  if (!f)
    LOG_FATAL(LOGF_Util, "Can't open %s : %s", DEV_URANDOM, strerror(errno));
  if (fread(buf, 1, len, f) != len)
    LOG_FATAL(LOGF_Util, "Can't read from %s", DEV_URANDOM);
 }
 /* ================================================== */
 void
 UTI_GetRandomBytes(void *buf, unsigned int len)
 {
 #ifdef HAVE_ARC4RANDOM
  arc4random_buf(buf, len);
 #else
  UTI_GetRandomBytesUrandom(buf, len);
 #endif
 }
--- a/util.h
+++ b/util.h
@@ -82,6 +82,7 @@ extern char *UTI_IPToString(IPAddr *ip);
 extern int UTI_StringToIP(const char *addr, IPAddr *ip);
 extern uint32_t UTI_IPToRefid(IPAddr *ip);
 extern uint32_t UTI_IPToHash(IPAddr *ip);
 extern void UTI_IPHostToNetwork(IPAddr *src, IPAddr *dest);
 extern void UTI_IPNetworkToHost(IPAddr *src, IPAddr *dest);
 extern int UTI_CompareIPs(IPAddr *a, IPAddr *b, IPAddr *mask);
@@ -96,13 +97,13 @@ extern char *UTI_TimeToLogForm(time_t t);
 /* Adjust time following a frequency/offset change */
 extern void UTI_AdjustTimeval(struct timeval *old_tv, struct timeval *when, struct timeval *new_tv, double *delta, double dfreq, double doffset);
-/* Get a random value to fuzz an NTP timestamp in the given precision */
+/* Get zero NTP timestamp with random bits below precision */
-extern uint32_t UTI_GetNTPTsFuzz(int precision);
+extern void UTI_GetInt64Fuzz(NTP_int64 *ts, int precision);
 extern double UTI_Int32ToDouble(NTP_int32 x);
 extern NTP_int32 UTI_DoubleToInt32(double x);
-extern void UTI_TimevalToInt64(struct timeval *src, NTP_int64 *dest, uint32_t fuzz);
+extern void UTI_TimevalToInt64(struct timeval *src, NTP_int64 *dest, NTP_int64 *fuzz);
 extern void UTI_Int64ToTimeval(NTP_int64 *src, struct timeval *dest);
@@ -144,4 +145,28 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid
   permissions and its uid/gid must match the specified values. */
 extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
 /* Set process user/group IDs and drop supplementary groups */
 extern void UTI_DropRoot(uid_t uid, gid_t gid);
 /* Fill buffer with random bytes from /dev/urandom */
 extern void UTI_GetRandomBytesUrandom(void *buf, unsigned int len);
 /* Fill buffer with random bytes from /dev/urandom or a faster source if it's
   available (e.g. arc4random()), which may not necessarily be suitable for
   generating long-term keys */
 extern void UTI_GetRandomBytes(void *buf, unsigned int len);
 /* Macros to get maximum and minimum of two values */
 #ifdef MAX
 #undef MAX
 #endif
 #define MAX(x, y) ((x) > (y) ? (x) : (y))
 #ifdef MIN
 #undef MIN
 #endif
 #define MIN(x, y) ((x) < (y) ? (x) : (y))
 /* Macro to clamp a value between two values */
 #define CLAMP(min, x, max) (MAX((min), MIN((x), (max))))
 #endif /* GOT_UTIL_H */