doc: update NEWS

Accept HW timestamp only if it doesn't differ from the kernel/daemon
timestamp by more than one second.

NEWS

@@ -16,8 +16,7 @@ Enhancements
 * Add -t option to chronyd to exit after specified time
 * Add partial protection against replay attacks on symmetric mode
 * Don't reset polling interval when switching sources to online state
-* Enable NTP response rate limiting by default
+* Allow rate limiting with very short intervals
-  (1024 packets per second per IP address and 25% leak)
 * Improve maximum server throughput on Linux and NetBSD
 * Remove dump files after start
 * Add tab-completion to chronyc with libedit/readline

client.c

@@ -2301,7 +2301,7 @@ process_cmd_ntpdata(char *line)
                  "Precision       : %d (%.9f seconds)\n"
                  "Root delay      : %.6f seconds\n"
                  "Root dispersion : %.6f seconds\n"
-                 "Reference ID    : %R\n"
+                 "Reference ID    : %R (%s)\n"
                  "Reference time  : %T\n"
                  "Offset          : %+.9f seconds\n"
                  "Peer delay      : %.9f seconds\n"
@@ -2325,7 +2325,10 @@ process_cmd_ntpdata(char *line)
                  reply.data.ntp_data.precision, UTI_Log2ToDouble(reply.data.ntp_data.precision),
                  UTI_FloatNetworkToHost(reply.data.ntp_data.root_delay),
                  UTI_FloatNetworkToHost(reply.data.ntp_data.root_dispersion),
-                 (unsigned long)ntohl(reply.data.ntp_data.ref_id), &ref_time,
+                 (unsigned long)ntohl(reply.data.ntp_data.ref_id),
+                 reply.data.ntp_data.stratum <= 1 ?
+                   UTI_RefidToString(ntohl(reply.data.ntp_data.ref_id)) : "",
+                 &ref_time,
                  UTI_FloatNetworkToHost(reply.data.ntp_data.offset),
                  UTI_FloatNetworkToHost(reply.data.ntp_data.peer_delay),
                  UTI_FloatNetworkToHost(reply.data.ntp_data.peer_dispersion),

clientlog.c

@@ -119,7 +119,7 @@ static int cmd_token_shift;
    prevent an attacker sending requests with spoofed source address
    from blocking responses to the address completely. */
 
-#define MIN_LEAK_RATE 0
+#define MIN_LEAK_RATE 1
 #define MAX_LEAK_RATE 4
 
 static int ntp_leak_rate;
@@ -305,19 +305,29 @@ CLG_Initialise(void)
 {
   int interval, burst, leak_rate;
 
-  CNF_GetNTPRateLimit(&interval, &burst, &leak_rate);
+  max_ntp_tokens = max_cmd_tokens = 0;
-  set_bucket_params(interval, burst, &max_ntp_tokens, &ntp_tokens_per_packet,
+  ntp_tokens_per_packet = cmd_tokens_per_packet = 0;
-                    &ntp_token_shift);
+  ntp_token_shift = cmd_token_shift = 0;
-  ntp_leak_rate = CLAMP(MIN_LEAK_RATE, leak_rate, MAX_LEAK_RATE);
+  ntp_leak_rate = cmd_leak_rate = 0;
 
-  CNF_GetCommandRateLimit(&interval, &burst, &leak_rate);
+  if (CNF_GetNTPRateLimit(&interval, &burst, &leak_rate)) {
-  set_bucket_params(interval, burst, &max_cmd_tokens, &cmd_tokens_per_packet,
+    set_bucket_params(interval, burst, &max_ntp_tokens, &ntp_tokens_per_packet,
-                    &cmd_token_shift);
+                      &ntp_token_shift);
-  cmd_leak_rate = CLAMP(MIN_LEAK_RATE, leak_rate, MAX_LEAK_RATE);
+    ntp_leak_rate = CLAMP(MIN_LEAK_RATE, leak_rate, MAX_LEAK_RATE);
+  }
+
+  if (CNF_GetCommandRateLimit(&interval, &burst, &leak_rate)) {
+    set_bucket_params(interval, burst, &max_cmd_tokens, &cmd_tokens_per_packet,
+                      &cmd_token_shift);
+    cmd_leak_rate = CLAMP(MIN_LEAK_RATE, leak_rate, MAX_LEAK_RATE);
+  }
 
   active = !CNF_GetNoClientLog();
-  if (!active)
+  if (!active) {
+    if (ntp_leak_rate || cmd_leak_rate)
+      LOG_FATAL(LOGF_ClientLog, "ratelimit cannot be used with noclientlog");
     return;
+  }
 
   /* Calculate the maximum number of slots that can be allocated in the
      configured memory limit.  Take into account expanding of the hash
@@ -520,7 +530,7 @@ CLG_LimitNTPResponseRate(int index)
   Record *record;
   int drop;
 
-  if (!ntp_leak_rate)
+  if (!ntp_tokens_per_packet)
     return 0;
 
   record = ARR_GetElement(records, index);
@@ -561,7 +571,7 @@ CLG_LimitCommandResponseRate(int index)
 {
   Record *record;
 
-  if (!cmd_leak_rate)
+  if (!cmd_tokens_per_packet)
     return 0;
 
   record = ARR_GetElement(records, index);

conf.c

@@ -66,7 +66,8 @@ static void parse_log(char *);
 static void parse_mailonchange(char *);
 static void parse_makestep(char *);
 static void parse_maxchange(char *);
-static void parse_ratelimit(char *line, int *interval, int *burst, int *leak);
+static void parse_ratelimit(char *line, int *enabled, int *interval,
+                            int *burst, int *leak);
 static void parse_refclock(char *);
 static void parse_smoothtime(char *);
 static void parse_source(char *line, NTP_Source_Type type, int pool);
@@ -190,12 +191,14 @@ static char *ntp_signd_socket = NULL;
 static char *pidfile;
 
 /* Rate limiting parameters */
-static int ntp_ratelimit_interval = -10;
+static int ntp_ratelimit_enabled = 0;
-static int ntp_ratelimit_burst = 16;
+static int ntp_ratelimit_interval = 3;
+static int ntp_ratelimit_burst = 8;
 static int ntp_ratelimit_leak = 2;
-static int cmd_ratelimit_interval = -10;
+static int cmd_ratelimit_enabled = 0;
-static int cmd_ratelimit_burst = 16;
+static int cmd_ratelimit_interval = -4;
-static int cmd_ratelimit_leak = 0;
+static int cmd_ratelimit_burst = 8;
+static int cmd_ratelimit_leak = 2;
 
 /* Smoothing constants */
 static double smooth_max_freq = 0.0; /* in ppm */
@@ -220,7 +223,13 @@ static char *leapsec_tz = NULL;
 /* Name of the user to which will be dropped root privileges. */
 static char *user;
 
-/* Array of strings for interfaces with HW timestamping */
+typedef struct {
+  char *name;
+  double tx_comp;
+  double rx_comp;
+} HwTs_Interface;
+
+/* Array of HwTs_Interface */
 static ARR_Instance hwts_interfaces;
 
 typedef struct {
@@ -324,7 +333,7 @@ CNF_Initialise(int r)
 {
   restarted = r;
 
-  hwts_interfaces = ARR_CreateInstance(sizeof (char *));
+  hwts_interfaces = ARR_CreateInstance(sizeof (HwTs_Interface));
 
   init_sources = ARR_CreateInstance(sizeof (IPAddr));
   ntp_sources = ARR_CreateInstance(sizeof (NTP_Source));
@@ -351,7 +360,7 @@ CNF_Finalise(void)
   unsigned int i;
 
   for (i = 0; i < ARR_GetSize(hwts_interfaces); i++)
-    Free(*(char **)ARR_GetElement(hwts_interfaces, i));
+    Free(((HwTs_Interface *)ARR_GetElement(hwts_interfaces, i))->name);
   ARR_DestroyInstance(hwts_interfaces);
 
   for (i = 0; i < ARR_GetSize(ntp_sources); i++)
@@ -452,7 +461,8 @@ CNF_ParseLine(const char *filename, int number, char *line)
   } else if (!strcasecmp(command, "cmdport")) {
     parse_int(p, &cmd_port);
   } else if (!strcasecmp(command, "cmdratelimit")) {
-    parse_ratelimit(p, &cmd_ratelimit_interval, &cmd_ratelimit_burst, &cmd_ratelimit_leak);
+    parse_ratelimit(p, &cmd_ratelimit_enabled, &cmd_ratelimit_interval,
+                    &cmd_ratelimit_burst, &cmd_ratelimit_leak);
   } else if (!strcasecmp(command, "combinelimit")) {
     parse_double(p, &combine_limit);
   } else if (!strcasecmp(command, "corrtimeratio")) {
@@ -532,7 +542,8 @@ CNF_ParseLine(const char *filename, int number, char *line)
   } else if (!strcasecmp(command, "port")) {
     parse_int(p, &ntp_port);
   } else if (!strcasecmp(command, "ratelimit")) {
-    parse_ratelimit(p, &ntp_ratelimit_interval, &ntp_ratelimit_burst, &ntp_ratelimit_leak);
+    parse_ratelimit(p, &ntp_ratelimit_enabled, &ntp_ratelimit_interval,
+                    &ntp_ratelimit_burst, &ntp_ratelimit_leak);
   } else if (!strcasecmp(command, "refclock")) {
     parse_refclock(p);
   } else if (!strcasecmp(command, "reselectdist")) {
@@ -637,11 +648,13 @@ parse_source(char *line, NTP_Source_Type type, int pool)
 /* ================================================== */
 
 static void
-parse_ratelimit(char *line, int *interval, int *burst, int *leak)
+parse_ratelimit(char *line, int *enabled, int *interval, int *burst, int *leak)
 {
   int n, val;
   char *opt;
 
+  *enabled = 1;
+
   while (*line) {
     opt = line;
     line = CPS_SplitWord(line);
@@ -1238,8 +1251,39 @@ parse_tempcomp(char *line)
 static void
 parse_hwtimestamp(char *line)
 {
-  check_number_of_args(line, 1);
+  HwTs_Interface *iface;
-  *(char **)ARR_GetNewElement(hwts_interfaces) = Strdup(line);
+  char *p;
+  int n;
+
+  if (!*line) {
+    command_parse_error();
+    return;
+  }
+
+  p = line;
+  line = CPS_SplitWord(line);
+
+  iface = ARR_GetNewElement(hwts_interfaces);
+  iface->name = Strdup(p);
+  iface->tx_comp = 0.0;
+  iface->rx_comp = 0.0;
+
+  for (p = line; *p; line += n, p = line) {
+    line = CPS_SplitWord(line);
+
+    if (!strcasecmp(p, "rxcomp")) {
+      if (sscanf(line, "%lf%n", &iface->rx_comp, &n) != 1)
+        break;
+    } else if (!strcasecmp(p, "txcomp")) {
+      if (sscanf(line, "%lf%n", &iface->tx_comp, &n) != 1)
+        break;
+    } else {
+      break;
+    }
+  }
+
+  if (*p)
+    command_parse_error();
 }
 
 /* ================================================== */
@@ -1823,20 +1867,22 @@ CNF_GetLockMemory(void)
 
 /* ================================================== */
 
-void CNF_GetNTPRateLimit(int *interval, int *burst, int *leak)
+int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak)
 {
   *interval = ntp_ratelimit_interval;
   *burst = ntp_ratelimit_burst;
   *leak = ntp_ratelimit_leak;
+  return ntp_ratelimit_enabled;
 }
 
 /* ================================================== */
 
-void CNF_GetCommandRateLimit(int *interval, int *burst, int *leak)
+int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak)
 {
   *interval = cmd_ratelimit_interval;
   *burst = cmd_ratelimit_burst;
   *leak = cmd_ratelimit_leak;
+  return cmd_ratelimit_enabled;
 }
 
 /* ================================================== */
@@ -1921,8 +1967,18 @@ CNF_GetInitStepThreshold(void)
 
 /* ================================================== */
 
-ARR_Instance
+int
-CNF_GetHwTsInterfaces(void)
+CNF_GetHwTsInterface(unsigned int index, char **name, double *tx_comp, double *rx_comp)
 {
-  return hwts_interfaces;
+  HwTs_Interface *iface;
+
+  if (index >= ARR_GetSize(hwts_interfaces))
+    return 0;
+
+  iface = ARR_GetElement(hwts_interfaces, index);
+  *name = iface->name;
+  *tx_comp = iface->tx_comp;
+  *rx_comp = iface->rx_comp;
+
+  return 1;
 }

conf.h

@@ -29,7 +29,6 @@
 #define GOT_CONF_H
 
 #include "addressing.h"
-#include "array.h"
 #include "reference.h"
 
 extern void CNF_Initialise(int restarted);
@@ -102,8 +101,8 @@ extern void CNF_SetupAccessRestrictions(void);
 extern int CNF_GetSchedPriority(void);
 extern int CNF_GetLockMemory(void);
 
-extern void CNF_GetNTPRateLimit(int *interval, int *burst, int *leak);
+extern int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak);
-extern void CNF_GetCommandRateLimit(int *interval, int *burst, int *leak);
+extern int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak);
 extern void CNF_GetSmooth(double *max_freq, double *max_wander, int *leap_only);
 extern void CNF_GetTempComp(char **file, double *interval, char **point_file, double *T0, double *k0, double *k1, double *k2);
 
@@ -120,6 +119,6 @@ extern char *CNF_GetHwclockFile(void);
 extern int CNF_GetInitSources(void);
 extern double CNF_GetInitStepThreshold(void);
 
-extern ARR_Instance CNF_GetHwTsInterfaces(void);
+extern int CNF_GetHwTsInterface(unsigned int index, char **name, double *tx_comp, double *rx_comp);
 
 #endif /* GOT_CONF_H */

doc/chrony.conf.adoc

@@ -160,9 +160,8 @@ synchronisation only if they agree with the trusted and required source.
 *xleave*:::
 This option enables an interleaved mode which allows the server or the peer to
 send transmit timestamps captured after the actual transmission (e.g. when the
-server or the peer is running *chronyd* with HW timestamping enabled by the
+server or the peer is running *chronyd* with software (kernel) or hardware
-<<hwtimestamp,*hwtimestamp*>> directive). This can significantly improve the
+timestamping). This can significantly improve the accuracy of the measurements.
-accuracy of the measurements.
 +
 The interleaved mode is compatible with servers that support only the basic
 mode, but peers must both support and have enabled the interleaved mode,
@@ -994,7 +993,7 @@ both a client of its servers, and a server to other clients.
 Examples of the use of the directive are as follows:
 +
 ----
-allow foo.example.net
+allow 1.2.3.4
 allow 1.2
 allow 3.4.5
 allow 6.7.8/22
@@ -1005,7 +1004,8 @@ allow ::/0
 allow
 ----
 +
-The first directive allows the named node to be an NTP client of this computer.
+The first directive allows a node with IPv4 address _1.2.3.4_ to be an NTP
+client of this computer.
 The second directive allows any node with an IPv4 address of the form _1.2.x.y_
 (with _x_ and _y_ arbitrary) to be an NTP client of this computer. Likewise,
 the third directive allows any node with an IPv4 address of the form _3.4.5.x_
@@ -1046,6 +1046,10 @@ Within a configuration file this capability is probably rather moot; however,
 it is of greater use for reconfiguration at run-time via *chronyc* with the
 <<chronyc.adoc#allow,*allow all*>> command.
 +
+The directive allows a hostname to be specified instead of an IP address, but
+the name must be resolvable when *chronyd* is started (i.e. *chronyd* needs
+to be started when the network is already up and DNS is working).
++
 Note, if the <<initstepslew,*initstepslew*>> directive is used in the
 configuration file, each of the computers listed in that directive must allow
 client access by this computer for it to work.
@@ -1221,8 +1225,8 @@ source port used in NTP client requests can be set by the
 <<acquisitionport,*acquisitionport*>> directive.
 
 [[ratelimit]]*ratelimit* [_option_]...::
-This directive configures response rate limiting for NTP packets. Its purpose
+This directive enables response rate limiting for NTP packets. Its purpose is
-is to reduce network traffic with misconfigured or broken NTP clients that are
+to reduce network traffic with misconfigured or broken NTP clients that are
 polling the server too frequently. The limits are applied to individual IP
 addresses. If multiple clients share one IP address (e.g. multiple hosts behind
 NAT), the sum of their traffic will be limited. If a client that increases its
@@ -1237,16 +1241,16 @@ in any order):
 +
 *interval*:::
 This option sets the minimum interval between responses. It is defined as a
-power of 2 in seconds. The default value is -10 (1/1024 of a second, or 1024
+power of 2 in seconds. The default value is 3 (8 seconds). The minimum value
-packets per second). The minimum value is -19 (524288 packets per second) and
+is -19 (524288 packets per second) and the maximum value is 12 (one packet per
-the maximum value is 12 (one packet per 4096 seconds). Note that with values
+4096 seconds). Note that with values below -4 the rate limiting is coarse
-below -4 the rate limiting is coarse (responses are allowed in bursts, even if
+(responses are allowed in bursts, even if the interval between them is shorter
-the interval between them is shorter than the specified interval).
+than the specified interval).
 *burst*:::
 This option sets the maximum number of responses that can be sent in a burst,
 temporarily exceeding the limit specified by the *interval* option. This is
 useful for clients that make rapid measurements on start (e.g. *chronyd* with
-the *iburst* option). The default value is 16. The minimum value is 1 and the
+the *iburst* option). The default value is 8. The minimum value is 1 and the
 maximum value is 255.
 *leak*:::
 This option sets the rate at which responses are randomly allowed even if the
@@ -1254,23 +1258,19 @@ limits specified by the *interval* and *burst* options are exceeded. This is
 necessary to prevent an attacker who is sending requests with a spoofed
 source address from completely blocking responses to that address. The leak
 rate is defined as a power of 1/2 and it is 2 by default, i.e. on average at
-least every fourth request has a response. The minimum value is 0, which
+least every fourth request has a response. The minimum value is 1 and the
-disables the rate limiting, and the maximum value is 4 (one response per 16
+maximum value is 4.
-requests).
 ::
 +
 An example use of the directive is:
 +
 ----
-ratelimit interval 1 burst 8
+ratelimit interval 1 burst 16
 ----
 +
 This would reduce the response rate for IP addresses sending packets on average
-more than once per 2 seconds, or sending packets in bursts of more than 8
+more than once per 2 seconds, or sending packets in bursts of more than 16
 packets, by up to 75% (with default *leak* of 2).
-+
-Rate limiting can be disabled by setting the *leak* option to 0, or by the
-<<noclientlog,*noclientlog*>> directive.
 
 [[smoothtime]]*smoothtime* _max-freq_ _max-wander_ [*leaponly*]::
 The *smoothtime* directive can be used to enable smoothing of the time that
@@ -1397,18 +1397,16 @@ This would make *chronyd* use UDP 257 as its command port. (*chronyc* would
 need to be run with the *-p 257* switch to inter-operate correctly.)
 
 [[cmdratelimit]]*cmdratelimit* [_option_]...::
-This directive is identical to the <<ratelimit,*ratelimit*>> directive, except
+This directive enables response rate limiting for command packets. It is
-it configures rate limiting for command packets and responses to localhost are
+similar to the <<ratelimit,*ratelimit*>> directive, except responses to
-never limited. It is disabled by default (the default *leak* is 0).
+localhost are never limited and the default interval is -4 (16 packets per
+second).
 +
 An example of the use of the directive is:
 +
 ----
-cmdratelimit interval -2 burst 128 leak 2
+cmdratelimit interval 2
 ----
-+
-This would reduce response rate for addresses that send more than 4 requests
-per second, or bursts of more than 128 packets, by up to 75%.
 
 === Real-time clock (RTC)
 
@@ -1782,7 +1780,7 @@ sendmail binary.
 
 === Miscellaneous
 
-[[hwtimestamp]]*hwtimestamp* _interface_::
+[[hwtimestamp]]*hwtimestamp* _interface_ [_option_]...::
 This directive enables hardware timestamping of NTP packets sent to and
 received from the specified network interface. The network interface controller
 (NIC) uses its own clock to accurately timestamp the actual transmissions and
@@ -1813,10 +1811,25 @@ and the <<chronyc.adoc#ntpdata,*ntpdata*>> report in *chronyc*.
 If the specified interface is _*_, *chronyd* will try to enable HW timestamping
 on all available interfaces.
 +
-An example of the directive is:
+The *hwtimestamp* directive has the following options:
++
+*txcomp* _compensation_:::
+This option specifies the difference in seconds between the actual transmission
+time at the physical layer and the reported transmit timestamp. This value will
+be added to transmit timestamps obtained from the NIC. The default value is 0.
+*rxcomp* _compensation_:::
+This option specifies the difference in seconds between the reported receive
+timestamp and the actual reception time at the physical layer. This value will
+be subtracted from receive timestamps obtained from the NIC. The default value
+is 0.
+::
++
+Examples of the directive are:
 +
 ----
 hwtimestamp eth0
+hwtimestamp eth1 txcomp 300e-9 rxcomp 645e-9
+hwtimestamp *
 ----
 
 [[include]]*include* _pattern_::
@@ -2225,24 +2238,34 @@ information to be saved.
 *chronyd* can be configured to operate as a public NTP server, e.g. to join the
 http://www.pool.ntp.org/en/join.html[pool.ntp.org] project. The configuration
 is similar to the NTP client with permanent connection, except it needs to
-allow client access from all addresses. It is recommended to handpick at least
+allow client access from all addresses. It is recommended to find at least four
-few good servers, and possibly combine them with a random selection of other
+good servers (e.g. from the pool, or on the NTP homepage). If the server has a
-servers in the pool. The rate limiting interval can be increased to save more
+hardware reference clock (e.g. a GPS receiver), it can be specified by the
-bandwidth on misconfigured and broken NTP clients. The *-r* option with the
+<<refclock,*refclock*>> directive.
-*dumpdir* directive shortens the time for which *chronyd* will not serve time
-to its clients when it needs to be restarted for any reason.
 
-The configuration file might be:
+The amount of memory used for logging client accesses can be increased in order
+to enable clients to use the interleaved mode even when the server has a large
+number of clients, and better support rate limiting if it is enabled by the
+<<ratelimit,*ratelimit*>> directive. The system timezone database, if it is
+kept up to date and includes the *right/UTC* timezone, can be used as a
+reliable source to determine when a leap second will be applied to UTC. The
+*-r* option with the <<dumpdir,*dumpdir*>> directive shortens the time in which
+*chronyd* will not be able to serve time to its clients when it needs to be
+restarted (e.g. after upgrading to a newer version, or a change in the
+configuration).
+
+The configuration file could look like:
 
 ----
 server foo.example.net iburst
 server bar.example.net iburst
 server baz.example.net iburst
-pool pool.ntp.org iburst
+server qux.example.net iburst
 makestep 1.0 3
 rtcsync
 allow
-ratelimit interval 1
+clientloglimit 100000000
+leapsectz right/UTC
 driftfile @CHRONYVARDIR@/drift
 dumpdir @CHRONYRUNDIR@
 dumponexit

doc/chronyc.adoc

@@ -458,7 +458,7 @@ Poll interval   : 10 (1024 seconds)
 Precision       : -24 (0.000000060 seconds)
 Root delay      : 0.000015 seconds
 Root dispersion : 0.000015 seconds
-Reference ID    : 50505331
+Reference ID    : 47505300 (GPS)
 Reference time  : Fri Nov 25 15:22:12 2016
 Offset          : -0.000060878 seconds
 Peer delay      : 0.000175634 seconds

hwclock.c

@@ -55,6 +55,9 @@ struct HCL_Instance_Record {
   /* Number of samples */
   int n_samples;
 
+  /* Maximum error of the last sample */
+  double last_err;
+
   /* Flag indicating the offset and frequency values are valid */
   int valid_coefs;
 
@@ -151,6 +154,7 @@ HCL_AccumulateSample(HCL_Instance clock, struct timespec *hw_ts,
   clock->n_samples++;
   clock->hw_ref = *hw_ts;
   clock->local_ref = *local_ts;
+  clock->last_err = err;
 
   /* Get new coefficients */
   clock->valid_coefs =
@@ -196,9 +200,9 @@ HCL_CookTime(HCL_Instance clock, struct timespec *raw, struct timespec *cooked,
   offset = clock->offset + elapsed / clock->frequency;
   UTI_AddDoubleToTimespec(&clock->local_ref, offset, cooked);
 
-  /* Estimation of the error is not implemented yet */
+  /* Fow now, just return the error of the last sample */
   if (err)
-    *err = 0.0;
+    *err = clock->last_err;
 
   return 1;
 }

ntp_core.c

@@ -1412,12 +1412,8 @@ receive_packet(NCR_Instance inst, NTP_Local_Address *local_addr,
       sample_rx_tss = rx_ts->source;
     }
 
-    /* Work out 'delay' relative to the source's time */
+    /* Calculate delay */
-    delay = (1.0 - (source_freq_lo + source_freq_hi) / 2.0) *
+    delay = fabs(local_interval - remote_interval);
-              local_interval - remote_interval;
-
-    /* Clamp delay to avoid misleading results later */
-    delay = fabs(delay);
     if (delay < precision)
       delay = precision;
     
@@ -1439,7 +1435,8 @@ receive_packet(NCR_Instance inst, NTP_Local_Address *local_addr,
     skew = (source_freq_hi - source_freq_lo) / 2.0;
     
     /* and then calculate peer dispersion */
-    dispersion = precision + inst->local_tx.err + rx_ts_err + skew * fabs(local_interval);
+    dispersion = MAX(precision, MAX(inst->local_tx.err, rx_ts_err)) +
+                 skew * fabs(local_interval);
     
     /* Additional tests required to pass before accumulating the sample */
 
@@ -1609,13 +1606,14 @@ receive_packet(NCR_Instance inst, NTP_Local_Address *local_addr,
                      UTI_DiffTimespecsToDouble(&inst->local_rx.ts, &inst->local_tx.ts));
 
       if (kod_rate) {
+        LOG(LOGS_WARN, LOGF_NtpCore, "Received KoD RATE from %s",
+            UTI_IPToString(&inst->remote_addr.ip_addr));
+
         /* Back off for a while and stop ongoing burst */
         delay_time += 4 * (1UL << inst->minpoll);
 
         if (inst->opmode == MD_BURST_WAS_OFFLINE || inst->opmode == MD_BURST_WAS_ONLINE) {
           inst->burst_good_samples_to_go = 0;
-          LOG(LOGS_WARN, LOGF_NtpCore, "Received KoD RATE from %s, burst sampling stopped",
-              UTI_IPToString(&inst->remote_addr.ip_addr));
         }
       }
 

ntp_io.c

@@ -364,8 +364,12 @@ NIO_Initialise(int family)
 #ifdef HAVE_LINUX_TIMESTAMPING
   NIO_Linux_Initialise();
 #else
-  if (ARR_GetSize(CNF_GetHwTsInterfaces()))
+  if (1) {
-    LOG_FATAL(LOGF_NtpIO, "HW timestamping not supported");
+    double tx_comp, rx_comp;
+    char *name;
+    if (CNF_GetHwTsInterface(0, &name, &tx_comp, &rx_comp))
+      LOG_FATAL(LOGF_NtpIO, "HW timestamping not supported");
+  }
 #endif
 
   recv_messages = ARR_CreateInstance(sizeof (struct Message));

ntp_io_linux.c

@@ -66,12 +66,18 @@ struct Interface {
   /* Start of UDP data at layer 2 for IPv4 and IPv6 */
   int l2_udp4_ntp_start;
   int l2_udp6_ntp_start;
+  /* Compensation of errors in TX and RX timestamping */
+  double tx_comp;
+  double rx_comp;
   HCL_Instance clock;
 };
 
 /* Number of PHC readings per HW clock sample */
 #define PHC_READINGS 10
 
+/* Maximum acceptable offset between HW and daemon/kernel timestamp */
+#define MAX_TS_DELAY 1.0
+
 /* Array of Interfaces */
 static ARR_Instance interfaces;
 
@@ -85,7 +91,7 @@ static int permanent_ts_options;
 /* ================================================== */
 
 static int
-add_interface(const char *name)
+add_interface(const char *name, double tx_comp, double rx_comp)
 {
   struct ethtool_ts_info ts_info;
   struct hwtstamp_config ts_config;
@@ -166,6 +172,9 @@ add_interface(const char *name)
   iface->l2_udp4_ntp_start = 42;
   iface->l2_udp6_ntp_start = 62;
 
+  iface->tx_comp = tx_comp;
+  iface->rx_comp = rx_comp;
+
   iface->clock = HCL_CreateInstance();
 
   DEBUG_LOG(LOGF_NtpIOLinux, "Enabled HW timestamping on %s", name);
@@ -176,7 +185,7 @@ add_interface(const char *name)
 /* ================================================== */
 
 static int
-add_all_interfaces(void)
+add_all_interfaces(double tx_comp, double rx_comp)
 {
   struct ifaddrs *ifaddr, *ifa;
   int r;
@@ -187,7 +196,7 @@ add_all_interfaces(void)
   }
 
   for (r = 0, ifa = ifaddr; ifa; ifa = ifa->ifa_next) {
-    if (add_interface(ifa->ifa_name))
+    if (add_interface(ifa->ifa_name, tx_comp, rx_comp))
       r = 1;
   }
   
@@ -233,34 +242,30 @@ update_interface_speed(struct Interface *iface)
 void
 NIO_Linux_Initialise(void)
 {
-  ARR_Instance config_hwts_ifaces;
+  double tx_comp, rx_comp;
-  char *if_name;
+  char *name;
   unsigned int i;
-  int wildcard, hwts;
+  int hwts;
 
   interfaces = ARR_CreateInstance(sizeof (struct Interface));
 
-  config_hwts_ifaces = CNF_GetHwTsInterfaces();
-
   /* Enable HW timestamping on specified interfaces.  If "*" was specified, try
      all interfaces.  If no interface was specified, enable SW timestamping. */
 
-  for (i = wildcard = 0; i < ARR_GetSize(config_hwts_ifaces); i++) {
+  for (i = hwts = 0; CNF_GetHwTsInterface(i, &name, &tx_comp, &rx_comp); i++) {
-    if (!strcmp("*", *(char **)ARR_GetElement(config_hwts_ifaces, i)))
+    if (!strcmp("*", name))
-      wildcard = 1;
+      continue;
+    if (!add_interface(name, tx_comp, rx_comp))
+      LOG_FATAL(LOGF_NtpIO, "Could not enable HW timestamping on %s", name);
+    hwts = 1;
   }
 
-  if (!wildcard && ARR_GetSize(config_hwts_ifaces)) {
+  for (i = 0; CNF_GetHwTsInterface(i, &name, &tx_comp, &rx_comp); i++) {
-    for (i = 0; i < ARR_GetSize(config_hwts_ifaces); i++) {
+    if (strcmp("*", name))
-      if_name = *(char **)ARR_GetElement(config_hwts_ifaces, i);
+      continue;
-      if (!add_interface(if_name))
+    if (add_all_interfaces(tx_comp, rx_comp))
-        LOG_FATAL(LOGF_NtpIO, "Could not enable HW timestamping on %s", if_name);
+      hwts = 1;
-    }
+    break;
-    hwts = 1;
-  } else if (wildcard && add_all_interfaces()) {
-    hwts = 1;
-  } else {
-    hwts = 0;
   }
 
   if (hwts) {
@@ -417,8 +422,8 @@ static void
 process_hw_timestamp(struct Interface *iface, struct timespec *hw_ts,
                      NTP_Local_Timestamp *local_ts, int rx_ntp_length, int family)
 {
-  struct timespec sample_phc_ts, sample_local_ts;
+  struct timespec sample_phc_ts, sample_local_ts, ts;
-  double sample_delay, rx_correction;
+  double sample_delay, rx_correction, ts_delay, err;
   int l2_length;
 
   if (HCL_NeedsNewSample(iface->clock, &local_ts->ts)) {
@@ -444,9 +449,23 @@ process_hw_timestamp(struct Interface *iface, struct timespec *hw_ts,
     UTI_AddDoubleToTimespec(hw_ts, rx_correction, hw_ts);
   }
 
-  if (!HCL_CookTime(iface->clock, hw_ts, &local_ts->ts, &local_ts->err))
+  if (!rx_ntp_length && iface->tx_comp)
+    UTI_AddDoubleToTimespec(hw_ts, iface->tx_comp, hw_ts);
+  else if (rx_ntp_length && iface->rx_comp)
+    UTI_AddDoubleToTimespec(hw_ts, -iface->rx_comp, hw_ts);
+
+  if (!HCL_CookTime(iface->clock, hw_ts, &ts, &err))
     return;
 
+  ts_delay = UTI_DiffTimespecsToDouble(&local_ts->ts, &ts);
+
+  if (fabs(ts_delay) > MAX_TS_DELAY) {
+    DEBUG_LOG(LOGF_NtpIOLinux, "Unacceptable timestamp delay %.9f", ts_delay);
+    return;
+  }
+
+  local_ts->ts = ts;
+  local_ts->err = err;
   local_ts->source = NTP_TS_HARDWARE;
 }
 
@@ -536,7 +555,7 @@ NIO_Linux_ProcessMessage(NTP_Remote_Address *remote_addr, NTP_Local_Address *loc
       if (!UTI_IsZeroTimespec(&ts3.ts[0])) {
         LCL_CookTime(&ts3.ts[0], &local_ts->ts, &local_ts->err);
         local_ts->source = NTP_TS_KERNEL;
-      } else {
+      } else if (!UTI_IsZeroTimespec(&ts3.ts[2])) {
         iface = get_interface(if_index);
         if (iface) {
           process_hw_timestamp(iface, &ts3.ts[2], local_ts, !is_tx ? length : 0,

sources.c

@@ -425,10 +425,11 @@ SRC_UpdateReachability(SRC_Instance inst, int reachable)
   }
 
   /* Try to replace NTP sources that are unreachable, falsetickers, or
-     have root distance larger than the allowed maximum */
+     have root distance or jitter larger than the allowed maximums */
   if (inst->type == SRC_NTP &&
       ((!inst->reachability && inst->reachability_size == SOURCE_REACH_BITS) ||
-       inst->status == SRC_FALSETICKER || inst->status == SRC_BAD_DISTANCE)) {
+       inst->status == SRC_BAD_DISTANCE || inst->status == SRC_JITTERY ||
+       inst->status == SRC_FALSETICKER)) {
     NSR_HandleBadSource(inst->ip_addr);
   }
 }