1 files changed, 43 insertions, 25 deletions
diff --git a/contrib/ntp/include/ntp.h b/contrib/ntp/include/ntp.h
index 323135d..fb739c7 100644
--- a/contrib/ntp/include/ntp.h
+++ b/contrib/ntp/include/ntp.h
@@ -553,11 +553,13 @@ struct pkt {
 	l_fp	rec;		/* receive time stamp */
 	l_fp	xmt;		/* transmit time stamp */
 
-#define	MIN_V4_PKT_LEN	(12 * sizeof(u_int32)) /* min header length */
-#define	LEN_PKT_NOMAC	(12 * sizeof(u_int32)) /* min header length */
-#define MIN_MAC_LEN	(1 * sizeof(u_int32))	/* crypto_NAK */
-#define MAX_MD5_LEN	(5 * sizeof(u_int32))	/* MD5 */
+#define	MIN_V4_PKT_LEN	(12 * sizeof(u_int32))	/* min header length */
+#define	LEN_PKT_NOMAC	(12 * sizeof(u_int32))	/* min header length */
+#define	MIN_MAC_LEN	(1 * sizeof(u_int32))	/* crypto_NAK */
+#define	MAX_MD5_LEN	(5 * sizeof(u_int32))	/* MD5 */
 #define	MAX_MAC_LEN	(6 * sizeof(u_int32))	/* SHA */
+#define	KEY_MAC_LEN	sizeof(u_int32)		/* key ID in MAC */
+#define	MAX_MDG_LEN	(MAX_MAC_LEN-KEY_MAC_LEN) /* max. digest len */
 
 	/*
 	 * The length of the packet less MAC must be a multiple of 64
@@ -822,11 +824,12 @@ typedef struct res_addr6_tag {
 
 typedef struct restrict_u_tag	restrict_u;
 struct restrict_u_tag {
-	restrict_u *		link;	/* link to next entry */
-	u_int32			count;	/* number of packets matched */
-	u_short			flags;	/* accesslist flags */
-	u_short			mflags;	/* match flags */
-	u_long			expire;	/* valid until time */
+	restrict_u *	link;		/* link to next entry */
+	u_int32		count;		/* number of packets matched */
+	u_short		rflags;		/* restrict (accesslist) flags */
+	u_short		mflags;		/* match flags */
+	short		ippeerlimit;	/* IP peer limit */
+	u_long		expire;		/* valid until time */
 	union {				/* variant starting here */
 		res_addr4 v4;
 		res_addr6 v6;
@@ -837,28 +840,40 @@ struct restrict_u_tag {
 #define	V6_SIZEOF_RESTRICT_U	(offsetof(restrict_u, u)	\
 				 + sizeof(res_addr6))
 
+typedef struct r4addr_tag	r4addr;
+struct r4addr_tag {
+	u_short		rflags;		/* match flags */
+	short		ippeerlimit;	/* IP peer limit */
+};
+
+char *build_iflags(u_int32 flags);
+char *build_mflags(u_short mflags);
+char *build_rflags(u_short rflags);
+
 /*
- * Access flags
+ * Restrict (Access) flags (rflags)
  */
 #define	RES_IGNORE		0x0001	/* ignore packet */
 #define	RES_DONTSERVE		0x0002	/* access denied */
 #define	RES_DONTTRUST		0x0004	/* authentication required */
 #define	RES_VERSION		0x0008	/* version mismatch */
 #define	RES_NOPEER		0x0010	/* new association denied */
-#define RES_LIMITED		0x0020	/* packet rate exceeded */
+#define	RES_NOEPEER		0x0020	/* new ephemeral association denied */
+#define RES_LIMITED		0x0040	/* packet rate exceeded */
 #define RES_FLAGS		(RES_IGNORE | RES_DONTSERVE |\
 				    RES_DONTTRUST | RES_VERSION |\
-				    RES_NOPEER | RES_LIMITED)
+				    RES_NOPEER | RES_NOEPEER | RES_LIMITED)
 
-#define	RES_NOQUERY		0x0040	/* mode 6/7 packet denied */
-#define	RES_NOMODIFY		0x0080	/* mode 6/7 modify denied */
-#define	RES_NOTRAP		0x0100	/* mode 6/7 set trap denied */
-#define	RES_LPTRAP		0x0200	/* mode 6/7 low priority trap */
+#define	RES_NOQUERY		0x0080	/* mode 6/7 packet denied */
+#define	RES_NOMODIFY		0x0100	/* mode 6/7 modify denied */
+#define	RES_NOTRAP		0x0200	/* mode 6/7 set trap denied */
+#define	RES_LPTRAP		0x0400	/* mode 6/7 low priority trap */
 
-#define	RES_KOD			0x0400	/* send kiss of death packet */
-#define	RES_MSSNTP		0x0800	/* enable MS-SNTP authentication */
-#define	RES_FLAKE		0x1000	/* flakeway - drop 10% */
-#define	RES_NOMRULIST		0x2000	/* mode 6 mrulist denied */
+#define	RES_KOD			0x0800	/* send kiss of death packet */
+#define	RES_MSSNTP		0x1000	/* enable MS-SNTP authentication */
+#define	RES_FLAKE		0x2000	/* flakeway - drop 10% */
+#define	RES_NOMRULIST		0x4000	/* mode 6 mrulist denied */
+#define RES_UNUSED		0x8000	/* Unused flag bits */
 
 #define	RES_ALLFLAGS		(RES_FLAGS | RES_NOQUERY |	\
 				 RES_NOMODIFY | RES_NOTRAP |	\
@@ -867,7 +882,7 @@ struct restrict_u_tag {
 				 RES_NOMRULIST)
 
 /*
- * Match flags
+ * Match flags (mflags)
  */
 #define	RESM_INTERFACE		0x1000	/* this is an interface */
 #define	RESM_NTPONLY		0x2000	/* match source port 123 */
@@ -876,10 +891,13 @@ struct restrict_u_tag {
 /*
  * Restriction configuration ops
  */
-#define	RESTRICT_FLAGS		1	/* add flags to restrict entry */
-#define	RESTRICT_UNFLAG		2	/* remove flags from restrict entry */
-#define	RESTRICT_REMOVE		3	/* remove a restrict entry */
-#define	RESTRICT_REMOVEIF	4	/* remove an interface restrict entry */
+typedef enum
+restrict_ops {
+	RESTRICT_FLAGS = 1,	/* add rflags to restrict entry */
+	RESTRICT_UNFLAG,	/* remove rflags from restrict entry */
+	RESTRICT_REMOVE,	/* remove a restrict entry */
+	RESTRICT_REMOVEIF,	/* remove an interface restrict entry */
+} restrict_op;
 
 /*
  * Endpoint structure for the select algorithm