/*
 * NTP client/server, based on OpenNTPD 3.9p1
 *
 * Author: Adam Tkac <vonsch@gmail.com>
 *
 * Licensed under GPLv2, see file LICENSE in this tarball for details.
 *
 * Parts of OpenNTPD clock syncronization code is replaced by
 * code which is based on ntp-4.2.6, whuch carries the following
 * copyright notice:
 *
 ***********************************************************************
 *                                                                     *
 * Copyright (c) University of Delaware 1992-2009                      *
 *                                                                     *
 * Permission to use, copy, modify, and distribute this software and   *
 * its documentation for any purpose with or without fee is hereby     *
 * granted, provided that the above copyright notice appears in all    *
 * copies and that both the copyright notice and this permission       *
 * notice appear in supporting documentation, and that the name        *
 * University of Delaware not be used in advertising or publicity      *
 * pertaining to distribution of the software without specific,        *
 * written prior permission. The University of Delaware makes no       *
 * representations about the suitability this software for any         *
 * purpose. It is provided "as is" without express or implied          *
 * warranty.                                                           *
 *                                                                     *
 ***********************************************************************
 */
#include "libbb.h"
#include <math.h>
#include <netinet/ip.h> /* For IPTOS_LOWDELAY definition */
#include <sys/timex.h>
#ifndef IPTOS_LOWDELAY
# define IPTOS_LOWDELAY 0x10
#endif
#ifndef IP_PKTINFO
# error "Sorry, your kernel has to support IP_PKTINFO"
#endif


/* Verbosity control (max level of -dddd options accepted).
 * max 5 is very talkative (and bloated). 2 is non-bloated,
 * production level setting.
 */
#define MAX_VERBOSE     2


/* High-level description of the algorithm:
 *
 * We start running with very small poll_exp, BURSTPOLL,
 * in order to quickly accumulate INITIAL_SAMLPES datapoints
 * for each peer. Then, time is stepped if the offset is larger
 * than STEP_THRESHOLD, otherwise it isn't; anyway, we enlarge
 * poll_exp to MINPOLL and enter frequency measurement step:
 * we collect new datapoints but ignore them for WATCH_THRESHOLD
 * seconds. After WATCH_THRESHOLD seconds we look at accumulated
 * offset and estimate frequency drift.
 *
 * (frequency measurement step seems to not be strictly needed,
 * it is conditionally disabled with USING_INITIAL_FREQ_ESTIMATION
 * define set to 0)
 *
 * After this, we enter "steady state": we collect a datapoint,
 * we select the best peer, if this datapoint is not a new one
 * (IOW: if this datapoint isn't for selected peer), sleep
 * and collect another one; otherwise, use its offset to update
 * frequency drift, if offset is somewhat large, reduce poll_exp,
 * otherwise increase poll_exp.
 *
 * If offset is larger than STEP_THRESHOLD, which shouldn't normally
 * happen, we assume that something "bad" happened (computer
 * was hibernated, someone set totally wrong date, etc),
 * then the time is stepped, all datapoints are discarded,
 * and we go back to steady state.
 */

#define RETRY_INTERVAL  5       /* on error, retry in N secs */
#define RESPONSE_INTERVAL 15    /* wait for reply up to N secs */
#define INITIAL_SAMLPES 4       /* how many samples do we want for init */

/* Clock discipline parameters and constants */

/* Step threshold (sec). std ntpd uses 0.128.
 * Using exact power of 2 (1/8) results in smaller code */
#define STEP_THRESHOLD  0.125
#define WATCH_THRESHOLD 128     /* stepout threshold (sec). std ntpd uses 900 (11 mins (!)) */
/* NB: set WATCH_THRESHOLD to ~60 when debugging to save time) */
//UNUSED: #define PANIC_THRESHOLD 1000    /* panic threshold (sec) */

#define FREQ_TOLERANCE  0.000015 /* frequency tolerance (15 PPM) */
#define BURSTPOLL       0       /* initial poll */
#define MINPOLL         5       /* minimum poll interval. std ntpd uses 6 (6: 64 sec) */
#define BIGPOLL         10      /* drop to lower poll at any trouble (10: 17 min) */
#define MAXPOLL         12      /* maximum poll interval (12: 1.1h, 17: 36.4h). std ntpd uses 17 */
/* Actively lower poll when we see such big offsets.
 * With STEP_THRESHOLD = 0.125, it means we try to sync more aggressively
 * if offset increases over 0.03 sec */
#define POLLDOWN_OFFSET (STEP_THRESHOLD / 4)
#define MINDISP         0.01    /* minimum dispersion (sec) */
#define MAXDISP         16      /* maximum dispersion (sec) */
#define MAXSTRAT        16      /* maximum stratum (infinity metric) */
#define MAXDIST         1       /* distance threshold (sec) */
#define MIN_SELECTED    1       /* minimum intersection survivors */
#define MIN_CLUSTERED   3       /* minimum cluster survivors */

#define MAXDRIFT        0.000500 /* frequency drift we can correct (500 PPM) */

/* Poll-adjust threshold.
 * When we see that offset is small enough compared to discipline jitter,
 * we grow a counter: += MINPOLL. When it goes over POLLADJ_LIMIT,
 * we poll_exp++. If offset isn't small, counter -= poll_exp*2,
 * and when it goes below -POLLADJ_LIMIT, we poll_exp--
 * (bumped from 30 to 36 since otherwise I often see poll_exp going *2* steps down)
 */
#define POLLADJ_LIMIT   36
/* If offset < POLLADJ_GATE * discipline_jitter, then we can increase
 * poll interval (we think we can't improve timekeeping
 * by staying at smaller poll).
 */
#define POLLADJ_GATE    4
/* Compromise Allan intercept (sec). doc uses 1500, std ntpd uses 512 */
#define ALLAN           512
/* PLL loop gain */
#define PLL             65536
/* FLL loop gain [why it depends on MAXPOLL??] */
#define FLL             (MAXPOLL + 1)
/* Parameter averaging constant */
#define AVG             4


enum {
        NTP_VERSION     = 4,
        NTP_MAXSTRATUM  = 15,

        NTP_DIGESTSIZE     = 16,
        NTP_MSGSIZE_NOAUTH = 48,
        NTP_MSGSIZE        = (NTP_MSGSIZE_NOAUTH + 4 + NTP_DIGESTSIZE),

        /* Status Masks */
        MODE_MASK       = (7 << 0),
        VERSION_MASK    = (7 << 3),
        VERSION_SHIFT   = 3,
        LI_MASK         = (3 << 6),

        /* Leap Second Codes (high order two bits of m_status) */
        LI_NOWARNING    = (0 << 6),    /* no warning */
        LI_PLUSSEC      = (1 << 6),    /* add a second (61 seconds) */
        LI_MINUSSEC     = (2 << 6),    /* minus a second (59 seconds) */
        LI_ALARM        = (3 << 6),    /* alarm condition */

        /* Mode values */
        MODE_RES0       = 0,    /* reserved */
        MODE_SYM_ACT    = 1,    /* symmetric active */
        MODE_SYM_PAS    = 2,    /* symmetric passive */
        MODE_CLIENT     = 3,    /* client */
        MODE_SERVER     = 4,    /* server */
        MODE_BROADCAST  = 5,    /* broadcast */
        MODE_RES1       = 6,    /* reserved for NTP control message */
        MODE_RES2       = 7,    /* reserved for private use */
};

//TODO: better base selection
#define OFFSET_1900_1970 2208988800UL  /* 1970 - 1900 in seconds */

#define NUM_DATAPOINTS  8

typedef struct {
        uint32_t int_partl;
        uint32_t fractionl;
} l_fixedpt_t;

typedef struct {
        uint16_t int_parts;
        uint16_t fractions;
} s_fixedpt_t;

typedef struct {
        uint8_t     m_status;     /* status of local clock and leap info */
        uint8_t     m_stratum;
        uint8_t     m_ppoll;      /* poll value */
        int8_t      m_precision_exp;
        s_fixedpt_t m_rootdelay;
        s_fixedpt_t m_rootdisp;
        uint32_t    m_refid;
        l_fixedpt_t m_reftime;
        l_fixedpt_t m_orgtime;
        l_fixedpt_t m_rectime;
        l_fixedpt_t m_xmttime;
        uint32_t    m_keyid;
        uint8_t     m_digest[NTP_DIGESTSIZE];
} msg_t;

typedef struct {
        double d_recv_time;
        double d_offset;
        double d_dispersion;
} datapoint_t;

typedef struct {
        len_and_sockaddr *p_lsa;
        char             *p_dotted;
        /* when to send new query (if p_fd == -1)
         * or when receive times out (if p_fd >= 0): */
        int              p_fd;
        int              datapoint_idx;
        uint32_t         lastpkt_refid;
        uint8_t          lastpkt_status;
        uint8_t          lastpkt_stratum;
        uint8_t          reachable_bits;
        double           next_action_time;
        double           p_xmttime;
        double           lastpkt_recv_time;
        double           lastpkt_delay;
        double           lastpkt_rootdelay;
        double           lastpkt_rootdisp;
        /* produced by filter algorithm: */
        double           filter_offset;
        double           filter_dispersion;
        double           filter_jitter;
        datapoint_t      filter_datapoint[NUM_DATAPOINTS];
        /* last sent packet: */
        msg_t            p_xmt_msg;
} peer_t;


#define USING_KERNEL_PLL_LOOP          1
#define USING_INITIAL_FREQ_ESTIMATION  0

enum {
        OPT_n = (1 << 0),
        OPT_q = (1 << 1),
        OPT_N = (1 << 2),
        OPT_x = (1 << 3),
        /* Insert new options above this line. */
        /* Non-compat options: */
        OPT_w = (1 << 4),
        OPT_p = (1 << 5),
        OPT_S = (1 << 6),
        OPT_l = (1 << 7) * ENABLE_FEATURE_NTPD_SERVER,
};

struct globals {
        double   cur_time;
        /* total round trip delay to currently selected reference clock */
        double   rootdelay;
        /* reference timestamp: time when the system clock was last set or corrected */
        double   reftime;
        /* total dispersion to currently selected reference clock */
        double   rootdisp;

        double   last_script_run;
        char     *script_name;
        llist_t  *ntp_peers;
#if ENABLE_FEATURE_NTPD_SERVER
        int      listen_fd;
#endif
        unsigned verbose;
        unsigned peer_cnt;
        /* refid: 32-bit code identifying the particular server or reference clock
         *  in stratum 0 packets this is a four-character ASCII string,
         *  called the kiss code, used for debugging and monitoring
         *  in stratum 1 packets this is a four-character ASCII string
         *  assigned to the reference clock by IANA. Example: "GPS "
         *  in stratum 2+ packets, it's IPv4 address or 4 first bytes of MD5 hash of IPv6
         */
        uint32_t refid;
        uint8_t  ntp_status;
        /* precision is defined as the larger of the resolution and time to
         * read the clock, in log2 units.  For instance, the precision of a
         * mains-frequency clock incrementing at 60 Hz is 16 ms, even when the
         * system clock hardware representation is to the nanosecond.
         *
         * Delays, jitters of various kinds are clamper down to precision.
         *
         * If precision_sec is too large, discipline_jitter gets clamped to it
         * and if offset is much smaller than discipline_jitter, poll interval
         * grows even though we really can benefit from staying at smaller one,
         * collecting non-lagged datapoits and correcting the offset.
         * (Lagged datapoits exist when poll_exp is large but we still have
         * systematic offset error - the time distance between datapoints
         * is significat and older datapoints have smaller offsets.
         * This makes our offset estimation a bit smaller than reality)
         * Due to this effect, setting G_precision_sec close to
         * STEP_THRESHOLD isn't such a good idea - offsets may grow
         * too big and we will step. I observed it with -6.
         *
         * OTOH, setting precision too small would result in futile attempts
         * to syncronize to the unachievable precision.
         *
         * -6 is 1/64 sec, -7 is 1/128 sec and so on.
         */
#define G_precision_exp  -8
#define G_precision_sec  (1.0 / (1 << (- G_precision_exp)))
        uint8_t  stratum;
        /* Bool. After set to 1, never goes back to 0: */
        smallint initial_poll_complete;

#define STATE_NSET      0       /* initial state, "nothing is set" */
//#define STATE_FSET    1       /* frequency set from file */
#define STATE_SPIK      2       /* spike detected */
//#define STATE_FREQ    3       /* initial frequency */
#define STATE_SYNC      4       /* clock synchronized (normal operation) */
        uint8_t  discipline_state;      // doc calls it c.state
        uint8_t  poll_exp;              // s.poll
        int      polladj_count;         // c.count
        long     kernel_freq_drift;
        peer_t   *last_update_peer;
        double   last_update_offset;    // c.last
        double   last_update_recv_time; // s.t
        double   discipline_jitter;     // c.jitter
        //double   cluster_offset;        // s.offset
        //double   cluster_jitter;        // s.jitter
#if !USING_KERNEL_PLL_LOOP
        double   discipline_freq_drift; // c.freq
        /* Maybe conditionally calculate wander? it's used only for logging */
        double   discipline_wander;     // c.wander
#endif
};
#define G (*ptr_to_globals)

static const int const_IPTOS_LOWDELAY = IPTOS_LOWDELAY;


#define VERB1 if (MAX_VERBOSE && G.verbose)
#define VERB2 if (MAX_VERBOSE >= 2 && G.verbose >= 2)
#define VERB3 if (MAX_VERBOSE >= 3 && G.verbose >= 3)
#define VERB4 if (MAX_VERBOSE >= 4 && G.verbose >= 4)
#define VERB5 if (MAX_VERBOSE >= 5 && G.verbose >= 5)


static double LOG2D(int a)
{
        if (a < 0)
                return 1.0 / (1UL << -a);
        return 1UL << a;
}
static ALWAYS_INLINE double SQUARE(double x)
{
        return x * x;
}
static ALWAYS_INLINE double MAXD(double a, double b)
{
        if (a > b)
                return a;
        return b;
}
static ALWAYS_INLINE double MIND(double a, double b)
{
        if (a < b)
                return a;
        return b;
}
static NOINLINE double my_SQRT(double X)
{
        union {
                float   f;
                int32_t i;
        } v;
        double invsqrt;
        double Xhalf = X * 0.5;

        /* Fast and good approximation to 1/sqrt(X), black magic */
        v.f = X;
        /*v.i = 0x5f3759df - (v.i >> 1);*/
        v.i = 0x5f375a86 - (v.i >> 1); /* - this constant is slightly better */
        invsqrt = v.f; /* better than 0.2% accuracy */

        /* Refining it using Newton's method: x1 = x0 - f(x0)/f'(x0)
         * f(x) = 1/(x*x) - X  (f==0 when x = 1/sqrt(X))
         * f'(x) = -2/(x*x*x)
         * f(x)/f'(x) = (X - 1/(x*x)) / (2/(x*x*x)) = X*x*x*x/2 - x/2
         * x1 = x0 - (X*x0*x0*x0/2 - x0/2) = 1.5*x0 - X*x0*x0*x0/2 = x0*(1.5 - (X/2)*x0*x0)
         */
        invsqrt = invsqrt * (1.5 - Xhalf * invsqrt * invsqrt); /* ~0.05% accuracy */
        /* invsqrt = invsqrt * (1.5 - Xhalf * invsqrt * invsqrt); 2nd iter: ~0.0001% accuracy */
        /* With 4 iterations, more than half results will be exact,
         * at 6th iterations result stabilizes with about 72% results exact.
         * We are well satisfied with 0.05% accuracy.
         */

        return X * invsqrt; /* X * 1/sqrt(X) ~= sqrt(X) */
}
static ALWAYS_INLINE double SQRT(double X)
{
        /* If this arch doesn't use IEEE 754 floats, fall back to using libm */
        if (sizeof(float) != 4)
                return sqrt(X);

        /* This avoids needing libm, saves about 0.5k on x86-32 */
        return my_SQRT(X);
}

static double
gettime1900d(void)
{
        struct timeval tv;
        gettimeofday(&tv, NULL); /* never fails */
        G.cur_time = tv.tv_sec + (1.0e-6 * tv.tv_usec) + OFFSET_1900_1970;
        return G.cur_time;
}

static void
d_to_tv(double d, struct timeval *tv)
{
        tv->tv_sec = (long)d;
        tv->tv_usec = (d - tv->tv_sec) * 1000000;
}

static double
lfp_to_d(l_fixedpt_t lfp)
{
        double ret;
        lfp.int_partl = ntohl(lfp.int_partl);
        lfp.fractionl = ntohl(lfp.fractionl);
        ret = (double)lfp.int_partl + ((double)lfp.fractionl / UINT_MAX);
        return ret;
}
static double
sfp_to_d(s_fixedpt_t sfp)
{
        double ret;
        sfp.int_parts = ntohs(sfp.int_parts);
        sfp.fractions = ntohs(sfp.fractions);
        ret = (double)sfp.int_parts + ((double)sfp.fractions / USHRT_MAX);
        return ret;
}
#if ENABLE_FEATURE_NTPD_SERVER
static l_fixedpt_t
d_to_lfp(double d)
{
        l_fixedpt_t lfp;
        lfp.int_partl = (uint32_t)d;
        lfp.fractionl = (uint32_t)((d - lfp.int_partl) * UINT_MAX);
        lfp.int_partl = htonl(lfp.int_partl);
        lfp.fractionl = htonl(lfp.fractionl);
        return lfp;
}
static s_fixedpt_t
d_to_sfp(double d)
{
        s_fixedpt_t sfp;
        sfp.int_parts = (uint16_t)d;
        sfp.fractions = (uint16_t)((d - sfp.int_parts) * USHRT_MAX);
        sfp.int_parts = htons(sfp.int_parts);
        sfp.fractions = htons(sfp.fractions);
        return sfp;
}
#endif

static double
dispersion(const datapoint_t *dp)
{
        return dp->d_dispersion + FREQ_TOLERANCE * (G.cur_time - dp->d_recv_time);
}

static double
root_distance(peer_t *p)
{
        /* The root synchronization distance is the maximum error due to
         * all causes of the local clock relative to the primary server.
         * It is defined as half the total delay plus total dispersion
         * plus peer jitter.
         */
        return MAXD(MINDISP, p->lastpkt_rootdelay + p->lastpkt_delay) / 2
                + p->lastpkt_rootdisp
                + p->filter_dispersion
                + FREQ_TOLERANCE * (G.cur_time - p->lastpkt_recv_time)
                + p->filter_jitter;
}

static void
set_next(peer_t *p, unsigned t)
{
        p->next_action_time = G.cur_time + t;
}

/*
 * Peer clock filter and its helpers
 */
static void
filter_datapoints(peer_t *p)
{
        int i, idx;
        int got_newest;
        double minoff, maxoff, wavg, sum, w;
        double x = x; /* for compiler */
        double oldest_off = oldest_off;
        double oldest_age = oldest_age;
        double newest_off = newest_off;
        double newest_age = newest_age;

        minoff = maxoff = p->filter_datapoint[0].d_offset;
        for (i = 1; i < NUM_DATAPOINTS; i++) {
                if (minoff > p->filter_datapoint[i].d_offset)
                        minoff = p->filter_datapoint[i].d_offset;
                if (maxoff < p->filter_datapoint[i].d_offset)
                        maxoff = p->filter_datapoint[i].d_offset;
        }

        idx = p->datapoint_idx; /* most recent datapoint */
        /* Average offset:
         * Drop two outliers and take weighted average of the rest:
         * most_recent/2 + older1/4 + older2/8 ... + older5/32 + older6/32
         * we use older6/32, not older6/64 since sum of weights should be 1:
         * 1/2 + 1/4 + 1/8 + 1/16 + 1/32 + 1/32 = 1
         */
        wavg = 0;
        w = 0.5;
        /*                     n-1
         *                     ---    dispersion(i)
         * filter_dispersion =  \     -------------
         *                      /       (i+1)
         *                     ---     2
         *                     i=0
         */
        got_newest = 0;
        sum = 0;
        for (i = 0; i < NUM_DATAPOINTS; i++) {
                VERB4 {
                        bb_error_msg("datapoint[%d]: off:%f disp:%f(%f) age:%f%s",
                                i,
                                p->filter_datapoint[idx].d_offset,
                                p->filter_datapoint[idx].d_dispersion, dispersion(&p->filter_datapoint[idx]),
                                G.cur_time - p->filter_datapoint[idx].d_recv_time,
                                (minoff == p->filter_datapoint[idx].d_offset || maxoff == p->filter_datapoint[idx].d_offset)
                                        ? " (outlier by offset)" : ""
                        );
                }

                sum += dispersion(&p->filter_datapoint[idx]) / (2 << i);

                if (minoff == p->filter_datapoint[idx].d_offset) {
                        minoff -= 1; /* so that we don't match it ever again */
                } else
                if (maxoff == p->filter_datapoint[idx].d_offset) {
                        maxoff += 1;
                } else {
                        oldest_off = p->filter_datapoint[idx].d_offset;
                        oldest_age = G.cur_time - p->filter_datapoint[idx].d_recv_time;
                        if (!got_newest) {
                                got_newest = 1;
                                newest_off = oldest_off;
                                newest_age = oldest_age;
                        }
                        x = oldest_off * w;
                        wavg += x;
                        w /= 2;
                }

                idx = (idx - 1) & (NUM_DATAPOINTS - 1);
        }
        p->filter_dispersion = sum;
        wavg += x; /* add another older6/64 to form older6/32 */
        /* Fix systematic underestimation with large poll intervals.
         * Imagine that we still have a bit of uncorrected drift,
         * and poll interval is big (say, 100 sec). Offsets form a progression:
         * 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 - 0.7 is most recent.
         * The algorithm above drops 0.0 and 0.7 as outliers,
         * and then we have this estimation, ~25% off from 0.7:
         * 0.1/32 + 0.2/32 + 0.3/16 + 0.4/8 + 0.5/4 + 0.6/2 = 0.503125
         */
        x = oldest_age - newest_age;
        if (x != 0) {
                x = newest_age / x; /* in above example, 100 / (600 - 100) */
                if (x < 1) { /* paranoia check */
                        x = (newest_off - oldest_off) * x; /* 0.5 * 100/500 = 0.1 */
                        wavg += x;
                }
        }
        p->filter_offset = wavg;

        /*                  +-----                 -----+ ^ 1/2
         *                  |       n-1                 |
         *                  |       ---                 |
         *                  |  1    \                2  |
         * filter_jitter =  | --- * /  (avg-offset_j)   |
         *                  |  n    ---                 |
         *                  |       j=0                 |
         *                  +-----                 -----+
         * where n is the number of valid datapoints in the filter (n > 1);
         * if filter_jitter < precision then filter_jitter = precision
         */
        sum = 0;
        for (i = 0; i < NUM_DATAPOINTS; i++) {
                sum += SQUARE(wavg - p->filter_datapoint[i].d_offset);
        }
        sum = SQRT(sum / NUM_DATAPOINTS);
        p->filter_jitter = sum > G_precision_sec ? sum : G_precision_sec;

        VERB3 bb_error_msg("filter offset:%f(corr:%e) disp:%f jitter:%f",
                        p->filter_offset, x,
                        p->filter_dispersion,
                        p->filter_jitter);

}

static void
reset_peer_stats(peer_t *p, double offset)
{
        int i;
        bool small_ofs = fabs(offset) < 16 * STEP_THRESHOLD;

        for (i = 0; i < NUM_DATAPOINTS; i++) {
                if (small_ofs) {
                        p->filter_datapoint[i].d_recv_time -= offset;
                        if (p->filter_datapoint[i].d_offset != 0) {
                                p->filter_datapoint[i].d_offset -= offset;
                        }
                } else {
                        p->filter_datapoint[i].d_recv_time  = G.cur_time;
                        p->filter_datapoint[i].d_offset     = 0;
                        p->filter_datapoint[i].d_dispersion = MAXDISP;
                }
        }
        if (small_ofs) {
                p->lastpkt_recv_time -= offset;
        } else {
                p->reachable_bits = 0;
                p->lastpkt_recv_time = G.cur_time;
        }
        filter_datapoints(p); /* recalc p->filter_xxx */
        p->next_action_time -= offset;
        VERB5 bb_error_msg("%s->lastpkt_recv_time=%f", p->p_dotted, p->lastpkt_recv_time);
}

static void
add_peers(char *s)
{
        peer_t *p;

        p = xzalloc(sizeof(*p));
        p->p_lsa = xhost2sockaddr(s, 123);
        p->p_dotted = xmalloc_sockaddr2dotted_noport(&p->p_lsa->u.sa);
        p->p_fd = -1;
        p->p_xmt_msg.m_status = MODE_CLIENT | (NTP_VERSION << 3);
        p->next_action_time = G.cur_time; /* = set_next(p, 0); */
        reset_peer_stats(p, 16 * STEP_THRESHOLD);

        llist_add_to(&G.ntp_peers, p);
        G.peer_cnt++;
}

static int
do_sendto(int fd,
                const struct sockaddr *from, const struct sockaddr *to, socklen_t addrlen,
                msg_t *msg, ssize_t len)
{
        ssize_t ret;

        errno = 0;
        if (!from) {
                ret = sendto(fd, msg, len, MSG_DONTWAIT, to, addrlen);
        } else {
                ret = send_to_from(fd, msg, len, MSG_DONTWAIT, to, from, addrlen);
        }
        if (ret != len) {
                bb_perror_msg("send failed");
                return -1;
        }
        return 0;
}

static void
send_query_to_peer(peer_t *p)
{
        /* Why do we need to bind()?
         * See what happens when we don't bind:
         *
         * socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
         * setsockopt(3, SOL_IP, IP_TOS, [16], 4) = 0
         * gettimeofday({1259071266, 327885}, NULL) = 0
         * sendto(3, "xxx", 48, MSG_DONTWAIT, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("10.34.32.125")}, 16) = 48
         * ^^^ we sent it from some source port picked by kernel.
         * time(NULL)              = 1259071266
         * write(2, "ntpd: entering poll 15 secs\n", 28) = 28
         * poll([{fd=3, events=POLLIN}], 1, 15000) = 1 ([{fd=3, revents=POLLIN}])
         * recv(3, "yyy", 68, MSG_DONTWAIT) = 48
         * ^^^ this recv will receive packets to any local port!
         *
         * Uncomment this and use strace to see it in action:
         */
#define PROBE_LOCAL_ADDR /* { len_and_sockaddr lsa; lsa.len = LSA_SIZEOF_SA; getsockname(p->query.fd, &lsa.u.sa, &lsa.len); } */

        if (p->p_fd == -1) {
                int fd, family;
                len_and_sockaddr *local_lsa;

                family = p->p_lsa->u.sa.sa_family;
                p->p_fd = fd = xsocket_type(&local_lsa, family, SOCK_DGRAM);
                /* local_lsa has "null" address and port 0 now.
                 * bind() ensures we have a *particular port* selected by kernel
                 * and remembered in p->p_fd, thus later recv(p->p_fd)
                 * receives only packets sent to this port.
                 */
                PROBE_LOCAL_ADDR
                xbind(fd, &local_lsa->u.sa, local_lsa->len);
                PROBE_LOCAL_ADDR
#if ENABLE_FEATURE_IPV6
                if (family == AF_INET)
#endif
                        setsockopt(fd, IPPROTO_IP, IP_TOS, &const_IPTOS_LOWDELAY, sizeof(const_IPTOS_LOWDELAY));
                free(local_lsa);
        }

        /*
         * Send out a random 64-bit number as our transmit time.  The NTP
         * server will copy said number into the originate field on the
         * response that it sends us.  This is totally legal per the SNTP spec.
         *
         * The impact of this is two fold: we no longer send out the current
         * system time for the world to see (which may aid an attacker), and
         * it gives us a (not very secure) way of knowing that we're not
         * getting spoofed by an attacker that can't capture our traffic
         * but can spoof packets from the NTP server we're communicating with.
         *
         * Save the real transmit timestamp locally.
         */
        p->p_xmt_msg.m_xmttime.int_partl = random();
        p->p_xmt_msg.m_xmttime.fractionl = random();
        p->p_xmttime = gettime1900d();

        if (do_sendto(p->p_fd, /*from:*/ NULL, /*to:*/ &p->p_lsa->u.sa, /*addrlen:*/ p->p_lsa->len,
                        &p->p_xmt_msg, NTP_MSGSIZE_NOAUTH) == -1
        ) {
                close(p->p_fd);
                p->p_fd = -1;
                set_next(p, RETRY_INTERVAL);
                return;
        }

        p->reachable_bits <<= 1;
        VERB1 bb_error_msg("sent query to %s", p->p_dotted);
        set_next(p, RESPONSE_INTERVAL);
}


/* Note that there is no provision to prevent several run_scripts
 * to be done in quick succession. In fact, it happens rather often
 * if initial syncronization results in a step.
 * You will see "step" and then "stratum" script runs, sometimes
 * as close as only 0.002 seconds apart.
 * Script should be ready to deal with this.
 */
static void run_script(const char *action, double offset)
{
        char *argv[3];
        char *env1, *env2, *env3, *env4;

        if (!G.script_name)
                return;

        argv[0] = (char*) G.script_name;
        argv[1] = (char*) action;
        argv[2] = NULL;

        VERB1 bb_error_msg("executing '%s %s'", G.script_name, action);

        env1 = xasprintf("%s=%u", "stratum", G.stratum);
        putenv(env1);
        env2 = xasprintf("%s=%ld", "freq_drift_ppm", G.kernel_freq_drift);
        putenv(env2);
        env3 = xasprintf("%s=%u", "poll_interval", 1 << G.poll_exp);
        putenv(env3);
        env4 = xasprintf("%s=%f", "offset", offset);
        putenv(env4);
        /* Other items of potential interest: selected peer,
         * rootdelay, reftime, rootdisp, refid, ntp_status,
         * last_update_offset, last_update_recv_time, discipline_jitter,
         * how many peers have reachable_bits = 0?
         */

        /* Don't want to wait: it may run hwclock --systohc, and that
         * may take some time (seconds): */
        /*wait4pid(spawn(argv));*/
        spawn(argv);

        unsetenv("stratum");
        unsetenv("freq_drift_ppm");
        unsetenv("poll_interval");
        unsetenv("offset");
        free(env1);
        free(env2);
        free(env3);
        free(env4);

        G.last_script_run = G.cur_time;
}

static NOINLINE void
step_time(double offset)
{
        llist_t *item;
        double dtime;
        struct timeval tv;
        char buf[80];
        time_t tval;

        gettimeofday(&tv, NULL); /* never fails */
        dtime = offset + tv.tv_sec;
        dtime += 1.0e-6 * tv.tv_usec;
        d_to_tv(dtime, &tv);

        if (settimeofday(&tv, NULL) == -1)
                bb_perror_msg_and_die("settimeofday");

        tval = tv.tv_sec;
        strftime(buf, sizeof(buf), "%a %b %e %H:%M:%S %Z %Y", localtime(&tval));

        bb_error_msg("setting clock to %s (offset %fs)", buf, offset);

        /* Correct various fields which contain time-relative values: */

        /* p->lastpkt_recv_time, p->next_action_time and such: */
        for (item = G.ntp_peers; item != NULL; item = item->link) {
                peer_t *pp = (peer_t *) item->data;
                reset_peer_stats(pp, offset);
        }
        /* Globals: */
        G.cur_time -= offset;
        G.last_update_recv_time -= offset;
        G.last_script_run -= offset;
}


/*
 * Selection and clustering, and their helpers
 */
typedef struct {
        peer_t *p;
        int    type;
        double edge;
        double opt_rd; /* optimization */
} point_t;
static int
compare_point_edge(const void *aa, const void *bb)
{
        const point_t *a = aa;
        const point_t *b = bb;
        if (a->edge < b->edge) {
                return -1;
        }
        return (a->edge > b->edge);
}
typedef struct {
        peer_t *p;
        double metric;
} survivor_t;
static int
compare_survivor_metric(const void *aa, const void *bb)
{
        const survivor_t *a = aa;
        const survivor_t *b = bb;
        if (a->metric < b->metric) {
                return -1;
        }
        return (a->metric > b->metric);
}
static int
fit(peer_t *p, double rd)
{
        if ((p->reachable_bits & (p->reachable_bits-1)) == 0) {
                /* One or zero bits in reachable_bits */
                VERB3 bb_error_msg("peer %s unfit for selection: unreachable", p->p_dotted);
                return 0;
        }
#if 0   /* we filter out such packets earlier */
        if ((p->lastpkt_status & LI_ALARM) == LI_ALARM
         || p->lastpkt_stratum >= MAXSTRAT
        ) {
                VERB3 bb_error_msg("peer %s unfit for selection: bad status/stratum", p->p_dotted);
                return 0;
        }
#endif
        /* rd is root_distance(p) */
        if (rd > MAXDIST + FREQ_TOLERANCE * (1 << G.poll_exp)) {
                VERB3 bb_error_msg("peer %s unfit for selection: root distance too high", p->p_dotted);
                return 0;
        }
//TODO
//      /* Do we have a loop? */
//      if (p->refid == p->dstaddr || p->refid == s.refid)
//              return 0;
        return 1;
}
static peer_t*
select_and_cluster(void)
{
        peer_t     *p;
        llist_t    *item;
        int        i, j;
        int        size = 3 * G.peer_cnt;
        /* for selection algorithm */
        point_t    point[size];
        unsigned   num_points, num_candidates;
        double     low, high;
        unsigned   num_falsetickers;
        /* for cluster algorithm */
        survivor_t survivor[size];
        unsigned   num_survivors;

        /* Selection */

        num_points = 0;
        item = G.ntp_peers;
        if (G.initial_poll_complete) while (item != NULL) {
                double rd, offset;

                p = (peer_t *) item->data;
                rd = root_distance(p);
                offset = p->filter_offset;
                if (!fit(p, rd)) {
                        item = item->link;
                        continue;
                }

                VERB4 bb_error_msg("interval: [%f %f %f] %s",
                                offset - rd,
                                offset,
                                offset + rd,
                                p->p_dotted
                );
                point[num_points].p = p;
                point[num_points].type = -1;
                point[num_points].edge = offset - rd;
                point[num_points].opt_rd = rd;
                num_points++;
                point[num_points].p = p;
                point[num_points].type = 0;
                point[num_points].edge = offset;
                point[num_points].opt_rd = rd;
                num_points++;
                point[num_points].p = p;
                point[num_points].type = 1;
                point[num_points].edge = offset + rd;
                point[num_points].opt_rd = rd;
                num_points++;
                item = item->link;
        }
        num_candidates = num_points / 3;
        if (num_candidates == 0) {
                VERB3 bb_error_msg("no valid datapoints, no peer selected");
                return NULL;
        }
//TODO: sorting does not seem to be done in reference code
        qsort(point, num_points, sizeof(point[0]), compare_point_edge);

        /* Start with the assumption that there are no falsetickers.
         * Attempt to find a nonempty intersection interval containing
         * the midpoints of all truechimers.
         * If a nonempty interval cannot be found, increase the number
         * of assumed falsetickers by one and try again.
         * If a nonempty interval is found and the number of falsetickers
         * is less than the number of truechimers, a majority has been found
         * and the midpoint of each truechimer represents
         * the candidates available to the cluster algorithm.
         */
        num_falsetickers = 0;
        while (1) {
                int c;
                unsigned num_midpoints = 0;

                low = 1 << 9;
                high = - (1 << 9);
                c = 0;
                for (i = 0; i < num_points; i++) {
                        /* We want to do:
                         * if (point[i].type == -1) c++;
                         * if (point[i].type == 1) c--;
                         * and it's simpler to do it this way:
                         */
                        c -= point[i].type;
                        if (c >= num_candidates - num_falsetickers) {
                                /* If it was c++ and it got big enough... */
                                low = point[i].edge;
                                break;
                        }
                        if (point[i].type == 0)
                                num_midpoints++;
                }
                c = 0;
                for (i = num_points-1; i >= 0; i--) {
                        c += point[i].type;
                        if (c >= num_candidates - num_falsetickers) {
                                high = point[i].edge;
                                break;
                        }
                        if (point[i].type == 0)
                                num_midpoints++;
                }
                /* If the number of midpoints is greater than the number
                 * of allowed falsetickers, the intersection contains at
                 * least one truechimer with no midpoint - bad.
                 * Also, interval should be nonempty.
                 */
                if (num_midpoints <= num_falsetickers && low < high)
                        break;
                num_falsetickers++;
                if (num_falsetickers * 2 >= num_candidates) {
                        VERB3 bb_error_msg("too many falsetickers:%d (candidates:%d), no peer selected",

                                        num_falsetickers, num_candidates);
                        return NULL;
                }
        }
        VERB3 bb_error_msg("selected interval: [%f, %f]; candidates:%d falsetickers:%d",
                        low, high, num_candidates, num_falsetickers);

        /* Clustering */

        /* Construct a list of survivors (p, metric)
         * from the chime list, where metric is dominated
         * first by stratum and then by root distance.
         * All other things being equal, this is the order of preference.
         */
        num_survivors = 0;
        for (i = 0; i < num_points; i++) {
                if (point[i].edge < low || point[i].edge > high)
                        continue;
                p = point[i].p;
                survivor[num_survivors].p = p;
                /* x.opt_rd == root_distance(p); */
                survivor[num_survivors].metric = MAXDIST * p->lastpkt_stratum + point[i].opt_rd;
                VERB4 bb_error_msg("survivor[%d] metric:%f peer:%s",
                        num_survivors, survivor[num_survivors].metric, p->p_dotted);
                num_survivors++;
        }
        /* There must be at least MIN_SELECTED survivors to satisfy the
         * correctness assertions. Ordinarily, the Byzantine criteria
         * require four survivors, but for the demonstration here, one
         * is acceptable.
         */
        if (num_survivors < MIN_SELECTED) {
                VERB3 bb_error_msg("num_survivors %d < %d, no peer selected",
                                num_survivors, MIN_SELECTED);
                return NULL;
        }

//looks like this is ONLY used by the fact that later we pick survivor[0].
//we can avoid sorting then, just find the minimum once!
        qsort(survivor, num_survivors, sizeof(survivor[0]), compare_survivor_metric);

        /* For each association p in turn, calculate the selection
         * jitter p->sjitter as the square root of the sum of squares
         * (p->offset - q->offset) over all q associations. The idea is
         * to repeatedly discard the survivor with maximum selection
         * jitter until a termination condition is met.
         */
        while (1) {
                unsigned max_idx = max_idx;
                double max_selection_jitter = max_selection_jitter;
                double min_jitter = min_jitter;

                if (num_survivors <= MIN_CLUSTERED) {
                        VERB3 bb_error_msg("num_survivors %d <= %d, not discarding more",
                                        num_survivors, MIN_CLUSTERED);
                        break;
                }

                /* To make sure a few survivors are left
                 * for the clustering algorithm to chew on,
                 * we stop if the number of survivors
                 * is less than or equal to MIN_CLUSTERED (3).
                 */
                for (i = 0; i < num_survivors; i++) {
                        double selection_jitter_sq;

                        p = survivor[i].p;
                        if (i == 0 || p->filter_jitter < min_jitter)
                                min_jitter = p->filter_jitter;

                        selection_jitter_sq = 0;
                        for (j = 0; j < num_survivors; j++) {
                                peer_t *q = survivor[j].p;
                                selection_jitter_sq += SQUARE(p->filter_offset - q->filter_offset);
                        }
                        if (i == 0 || selection_jitter_sq > max_selection_jitter) {
                                max_selection_jitter = selection_jitter_sq;
                                max_idx = i;
                        }
                        VERB5 bb_error_msg("survivor %d selection_jitter^2:%f",
                                        i, selection_jitter_sq);
                }
                max_selection_jitter = SQRT(max_selection_jitter / num_survivors);
                VERB4 bb_error_msg("max_selection_jitter (at %d):%f min_jitter:%f",
                                max_idx, max_selection_jitter, min_jitter);

                /* If the maximum selection jitter is less than the
                 * minimum peer jitter, then tossing out more survivors
                 * will not lower the minimum peer jitter, so we might
                 * as well stop.
                 */
                if (max_selection_jitter < min_jitter) {
                        VERB3 bb_error_msg("max_selection_jitter:%f < min_jitter:%f, num_survivors:%d, not discarding more",
                                        max_selection_jitter, min_jitter, num_survivors);
                        break;
                }

                /* Delete survivor[max_idx] from the list
                 * and go around again.
                 */
                VERB5 bb_error_msg("dropping survivor %d", max_idx);
                num_survivors--;
                while (max_idx < num_survivors) {
                        survivor[max_idx] = survivor[max_idx + 1];
                        max_idx++;
                }
        }

        if (0) {
                /* Combine the offsets of the clustering algorithm survivors
                 * using a weighted average with weight determined by the root
                 * distance. Compute the selection jitter as the weighted RMS
                 * difference between the first survivor and the remaining
                 * survivors. In some cases the inherent clock jitter can be
                 * reduced by not using this algorithm, especially when frequent
                 * clockhopping is involved. bbox: thus we don't do it.
                 */
                double x, y, z, w;
                y = z = w = 0;
                for (i = 0; i < num_survivors; i++) {
                        p = survivor[i].p;
                        x = root_distance(p);
                        y += 1 / x;
                        z += p->filter_offset / x;
                        w += SQUARE(p->filter_offset - survivor[0].p->filter_offset) / x;
                }
                //G.cluster_offset = z / y;
                //G.cluster_jitter = SQRT(w / y);
        }

        /* Pick the best clock. If the old system peer is on the list
         * and at the same stratum as the first survivor on the list,
         * then don't do a clock hop. Otherwise, select the first
         * survivor on the list as the new system peer.
         */
        p = survivor[0].p;
        if (G.last_update_peer
         && G.last_update_peer->lastpkt_stratum <= p->lastpkt_stratum
        ) {
                /* Starting from 1 is ok here */
                for (i = 1; i < num_survivors; i++) {
                        if (G.last_update_peer == survivor[i].p) {
                                VERB4 bb_error_msg("keeping old synced peer");
                                p = G.last_update_peer;
                                goto keep_old;
                        }
                }
        }
        G.last_update_peer = p;
 keep_old:
        VERB3 bb_error_msg("selected peer %s filter_offset:%f age:%f",
                        p->p_dotted,
                        p->filter_offset,
                        G.cur_time - p->lastpkt_recv_time
        );
        return p;
}


/*
 * Local clock discipline and its helpers
 */
static void
set_new_values(int disc_state, double offset, double recv_time)
{
        /* Enter new state and set state variables. Note we use the time
         * of the last clock filter sample, which must be earlier than
         * the current time.
         */
        VERB3 bb_error_msg("disc_state=%d last update offset=%f recv_time=%f",
                        disc_state, offset, recv_time);
        G.discipline_state = disc_state;
        G.last_update_offset = offset;
        G.last_update_recv_time = recv_time;
}
/* Return: -1: decrease poll interval, 0: leave as is, 1: increase */
static NOINLINE int
update_local_clock(peer_t *p)
{
        int rc;
        struct timex tmx;
        /* Note: can use G.cluster_offset instead: */
        double offset = p->filter_offset;
        double recv_time = p->lastpkt_recv_time;
        double abs_offset;
#if !USING_KERNEL_PLL_LOOP
        double freq_drift;
#endif
        double since_last_update;
        double etemp, dtemp;

        abs_offset = fabs(offset);

#if 0
        /* If needed, -S script can do it by looking at $offset
         * env var and killing parent */
        /* If the offset is too large, give up and go home */
        if (abs_offset > PANIC_THRESHOLD) {
                bb_error_msg_and_die("offset %f far too big, exiting", offset);
        }
#endif

        /* If this is an old update, for instance as the result
         * of a system peer change, avoid it. We never use
         * an old sample or the same sample twice.
         */
        if (recv_time <= G.last_update_recv_time) {
                VERB3 bb_error_msg("same or older datapoint: %f >= %f, not using it",
                                G.last_update_recv_time, recv_time);
                return 0; /* "leave poll interval as is" */
        }

        /* Clock state machine transition function. This is where the
         * action is and defines how the system reacts to large time
         * and frequency errors.
         */
        since_last_update = recv_time - G.reftime;
#if !USING_KERNEL_PLL_LOOP
        freq_drift = 0;
#endif
#if USING_INITIAL_FREQ_ESTIMATION
        if (G.discipline_state == STATE_FREQ) {
                /* Ignore updates until the stepout threshold */
                if (since_last_update < WATCH_THRESHOLD) {
                        VERB3 bb_error_msg("measuring drift, datapoint ignored, %f sec remains",
                                        WATCH_THRESHOLD - since_last_update);
                        return 0; /* "leave poll interval as is" */
                }
# if !USING_KERNEL_PLL_LOOP
                freq_drift = (offset - G.last_update_offset) / since_last_update;
# endif
        }
#endif

        /* There are two main regimes: when the
         * offset exceeds the step threshold and when it does not.
         */
        if (abs_offset > STEP_THRESHOLD) {
                switch (G.discipline_state) {
                case STATE_SYNC:
                        /* The first outlyer: ignore it, switch to SPIK state */
                        VERB3 bb_error_msg("offset:%f - spike detected", offset);
                        G.discipline_state = STATE_SPIK;
                        return -1; /* "decrease poll interval" */

                case STATE_SPIK:
                        /* Ignore succeeding outlyers until either an inlyer
                         * is found or the stepout threshold is exceeded.
                         */
                        if (since_last_update < WATCH_THRESHOLD) {
                                VERB3 bb_error_msg("spike detected, datapoint ignored, %f sec remains",
                                                WATCH_THRESHOLD - since_last_update);
                                return -1; /* "decrease poll interval" */
                        }
                        /* fall through: we need to step */
                } /* switch */

                /* Step the time and clamp down the poll interval.
                 *
                 * In NSET state an initial frequency correction is
                 * not available, usually because the frequency file has
                 * not yet been written. Since the time is outside the
                 * capture range, the clock is stepped. The frequency
                 * will be set directly following the stepout interval.
                 *
                 * In FSET state the initial frequency has been set
                 * from the frequency file. Since the time is outside
                 * the capture range, the clock is stepped immediately,
                 * rather than after the stepout interval. Guys get
                 * nervous if it takes 17 minutes to set the clock for
                 * the first time.
                 *
                 * In SPIK state the stepout threshold has expired and
                 * the phase is still above the step threshold. Note
                 * that a single spike greater than the step threshold
                 * is always suppressed, even at the longer poll
                 * intervals.
                 */
                VERB3 bb_error_msg("stepping time by %f; poll_exp=MINPOLL", offset);
                step_time(offset);
                if (option_mask32 & OPT_q) {
                        /* We were only asked to set time once. Done. */
                        exit(0);
                }

                G.polladj_count = 0;
                G.poll_exp = MINPOLL;
                G.stratum = MAXSTRAT;

                run_script("step", offset);

#if USING_INITIAL_FREQ_ESTIMATION
                if (G.discipline_state == STATE_NSET) {
                        set_new_values(STATE_FREQ, /*offset:*/ 0, recv_time);
                        return 1; /* "ok to increase poll interval" */
                }
#endif
                set_new_values(STATE_SYNC, /*offset:*/ 0, recv_time);

        } else { /* abs_offset <= STEP_THRESHOLD */

                if (G.poll_exp < MINPOLL && G.initial_poll_complete) {
                        VERB3 bb_error_msg("small offset:%f, disabling burst mode", offset);
                        G.polladj_count = 0;
                        G.poll_exp = MINPOLL;
                }

                /* Compute the clock jitter as the RMS of exponentially
                 * weighted offset differences. Used by the poll adjust code.
                 */
                etemp = SQUARE(G.discipline_jitter);
                dtemp = SQUARE(MAXD(fabs(offset - G.last_update_offset), G_precision_sec));
                G.discipline_jitter = SQRT(etemp + (dtemp - etemp) / AVG);
                VERB3 bb_error_msg("discipline jitter=%f", G.discipline_jitter);

                switch (G.discipline_state) {
                case STATE_NSET:
                        if (option_mask32 & OPT_q) {
                                /* We were only asked to set time once.
                                 * The clock is precise enough, no need to step.
                                 */
                                exit(0);
                        }
#if USING_INITIAL_FREQ_ESTIMATION
                        /* This is the first update received and the frequency
                         * has not been initialized. The first thing to do
                         * is directly measure the oscillator frequency.
                         */
                        set_new_values(STATE_FREQ, offset, recv_time);
#else
                        set_new_values(STATE_SYNC, offset, recv_time);
#endif
                        VERB3 bb_error_msg("transitioning to FREQ, datapoint ignored");
                        return 0; /* "leave poll interval as is" */

#if 0 /* this is dead code for now */
                case STATE_FSET:
                        /* This is the first update and the frequency
                         * has been initialized. Adjust the phase, but
                         * don't adjust the frequency until the next update.
                         */
                        set_new_values(STATE_SYNC, offset, recv_time);
                        /* freq_drift remains 0 */
                        break;
#endif

#if USING_INITIAL_FREQ_ESTIMATION
                case STATE_FREQ:
                        /* since_last_update >= WATCH_THRESHOLD, we waited enough.
                         * Correct the phase and frequency and switch to SYNC state.
                         * freq_drift was already estimated (see code above)
                         */
                        set_new_values(STATE_SYNC, offset, recv_time);
                        break;
#endif

                default:
#if !USING_KERNEL_PLL_LOOP
                        /* Compute freq_drift due to PLL and FLL contributions.
                         *
                         * The FLL and PLL frequency gain constants
                         * depend on the poll interval and Allan
                         * intercept. The FLL is not used below one-half
                         * the Allan intercept. Above that the loop gain
                         * increases in steps to 1 / AVG.
                         */
                        if ((1 << G.poll_exp) > ALLAN / 2) {
                                etemp = FLL - G.poll_exp;
                                if (etemp < AVG)
                                        etemp = AVG;
                                freq_drift += (offset - G.last_update_offset) / (MAXD(since_last_update, ALLAN) * etemp);
                        }
                        /* For the PLL the integration interval
                         * (numerator) is the minimum of the update
                         * interval and poll interval. This allows
                         * oversampling, but not undersampling.
                         */
                        etemp = MIND(since_last_update, (1 << G.poll_exp));
                        dtemp = (4 * PLL) << G.poll_exp;
                        freq_drift += offset * etemp / SQUARE(dtemp);
#endif
                        set_new_values(STATE_SYNC, offset, recv_time);
                        break;
                }
                if (G.stratum != p->lastpkt_stratum + 1) {
                        G.stratum = p->lastpkt_stratum + 1;
                        run_script("stratum", offset);
                }
        }

        G.reftime = G.cur_time;
        G.ntp_status = p->lastpkt_status;
        G.refid = p->lastpkt_refid;
        G.rootdelay = p->lastpkt_rootdelay + p->lastpkt_delay;
        dtemp = p->filter_jitter; // SQRT(SQUARE(p->filter_jitter) + SQUARE(G.cluster_jitter));
        dtemp += MAXD(p->filter_dispersion + FREQ_TOLERANCE * (G.cur_time - p->lastpkt_recv_time) + abs_offset, MINDISP);
        G.rootdisp = p->lastpkt_rootdisp + dtemp;
        VERB3 bb_error_msg("updating leap/refid/reftime/rootdisp from peer %s", p->p_dotted);

        /* We are in STATE_SYNC now, but did not do adjtimex yet.
         * (Any other state does not reach this, they all return earlier)
         * By this time, freq_drift and G.last_update_offset are set
         * to values suitable for adjtimex.
         */
#if !USING_KERNEL_PLL_LOOP
        /* Calculate the new frequency drift and frequency stability (wander).
         * Compute the clock wander as the RMS of exponentially weighted
         * frequency differences. This is not used directly, but can,
         * along with the jitter, be a highly useful monitoring and
         * debugging tool.
         */
        dtemp = G.discipline_freq_drift + freq_drift;
        G.discipline_freq_drift = MAXD(MIND(MAXDRIFT, dtemp), -MAXDRIFT);
        etemp = SQUARE(G.discipline_wander);
        dtemp = SQUARE(dtemp);
        G.discipline_wander = SQRT(etemp + (dtemp - etemp) / AVG);

        VERB3 bb_error_msg("discipline freq_drift=%.9f(int:%ld corr:%e) wander=%f",
                        G.discipline_freq_drift,
                        (long)(G.discipline_freq_drift * 65536e6),
                        freq_drift,
                        G.discipline_wander);
#endif
        VERB3 {
                memset(&tmx, 0, sizeof(tmx));
                if (adjtimex(&tmx) < 0)
                        bb_perror_msg_and_die("adjtimex");
                VERB3 bb_error_msg("p adjtimex freq:%ld offset:%ld constant:%ld status:0x%x",
                                tmx.freq, tmx.offset, tmx.constant, tmx.status);
        }

        memset(&tmx, 0, sizeof(tmx));
#if 0
//doesn't work, offset remains 0 (!) in kernel:
//ntpd:  set adjtimex freq:1786097 tmx.offset:77487
//ntpd: prev adjtimex freq:1786097 tmx.offset:0
//ntpd:  cur adjtimex freq:1786097 tmx.offset:0
        tmx.modes = ADJ_FREQUENCY | ADJ_OFFSET;
        /* 65536 is one ppm */
        tmx.freq = G.discipline_freq_drift * 65536e6;
        tmx.offset = G.last_update_offset * 1000000; /* usec */
#endif
        tmx.modes = ADJ_OFFSET | ADJ_STATUS | ADJ_TIMECONST;// | ADJ_MAXERROR | ADJ_ESTERROR;
        tmx.offset = (G.last_update_offset * 1000000); /* usec */
                        /* + (G.last_update_offset < 0 ? -0.5 : 0.5) - too small to bother */
        tmx.status = STA_PLL;
        if (G.ntp_status & LI_PLUSSEC)
                tmx.status |= STA_INS;
        if (G.ntp_status & LI_MINUSSEC)
                tmx.status |= STA_DEL;
        tmx.constant = G.poll_exp - 4;
        //tmx.esterror = (u_int32)(clock_jitter * 1e6);
        //tmx.maxerror = (u_int32)((sys_rootdelay / 2 + sys_rootdisp) * 1e6);
        rc = adjtimex(&tmx);
        if (rc < 0)
                bb_perror_msg_and_die("adjtimex");
        /* NB: here kernel returns constant == G.poll_exp, not == G.poll_exp - 4.
         * Not sure why. Perhaps it is normal.
         */
        VERB3 bb_error_msg("adjtimex:%d freq:%ld offset:%ld constant:%ld status:0x%x",
                                rc, tmx.freq, tmx.offset, tmx.constant, tmx.status);
#if 0
        VERB3 {
                /* always gives the same output as above msg */
                memset(&tmx, 0, sizeof(tmx));
                if (adjtimex(&tmx) < 0)
                        bb_perror_msg_and_die("adjtimex");
                VERB3 bb_error_msg("c adjtimex freq:%ld offset:%ld constant:%ld status:0x%x",
                                tmx.freq, tmx.offset, tmx.constant, tmx.status);
        }
#endif
        G.kernel_freq_drift = tmx.freq / 65536;
        VERB2 bb_error_msg("update peer:%s, offset:%f, clock drift:%ld ppm",
                        p->p_dotted, G.last_update_offset, G.kernel_freq_drift);

        return 1; /* "ok to increase poll interval" */
}


/*
 * We've got a new reply packet from a peer, process it
 * (helpers first)
 */
static unsigned
retry_interval(void)
{
        /* Local problem, want to retry soon */
        unsigned interval, r;
        interval = RETRY_INTERVAL;
        r = random();
        interval += r % (unsigned)(RETRY_INTERVAL / 4);
        VERB3 bb_error_msg("chose retry interval:%u", interval);
        return interval;
}
static unsigned
poll_interval(int exponent)
{
        unsigned interval, r;
        exponent = G.poll_exp + exponent;
        if (exponent < 0)
                exponent = 0;
        interval = 1 << exponent;
        r = random();
        interval += ((r & (interval-1)) >> 4) + ((r >> 8) & 1); /* + 1/16 of interval, max */
        VERB3 bb_error_msg("chose poll interval:%u (poll_exp:%d exp:%d)", interval, G.poll_exp, exponent);
        return interval;
}
static NOINLINE void
recv_and_process_peer_pkt(peer_t *p)
{
        int         rc;
        ssize_t     size;
        msg_t       msg;
        double      T1, T2, T3, T4;
        unsigned    interval;
        datapoint_t *datapoint;
        peer_t      *q;

        /* We can recvfrom here and check from.IP, but some multihomed
         * ntp servers reply from their *other IP*.
         * TODO: maybe we should check at least what we can: from.port == 123?
         */
        size = recv(p->p_fd, &msg, sizeof(msg), MSG_DONTWAIT);
        if (size == -1) {
                bb_perror_msg("recv(%s) error", p->p_dotted);
                if (errno == EHOSTUNREACH || errno == EHOSTDOWN
                 || errno == ENETUNREACH || errno == ENETDOWN
                 || errno == ECONNREFUSED || errno == EADDRNOTAVAIL
                 || errno == EAGAIN
                ) {
//TODO: always do this?
                        interval = retry_interval();
                        goto set_next_and_close_sock;
                }
                xfunc_die();
        }

        if (size != NTP_MSGSIZE_NOAUTH && size != NTP_MSGSIZE) {
                bb_error_msg("malformed packet received from %s", p->p_dotted);
                goto bail;
        }

        if (msg.m_orgtime.int_partl != p->p_xmt_msg.m_xmttime.int_partl
         || msg.m_orgtime.fractionl != p->p_xmt_msg.m_xmttime.fractionl
        ) {
                goto bail;
        }

        if ((msg.m_status & LI_ALARM) == LI_ALARM
         || msg.m_stratum == 0
         || msg.m_stratum > NTP_MAXSTRATUM
        ) {
// TODO: stratum 0 responses may have commands in 32-bit m_refid field:
// "DENY", "RSTR" - peer does not like us at all
// "RATE" - peer is overloaded, reduce polling freq
                interval = poll_interval(0);
                bb_error_msg("reply from %s: not synced, next query in %us", p->p_dotted, interval);
                goto set_next_and_close_sock;
        }

//      /* Verify valid root distance */
//      if (msg.m_rootdelay / 2 + msg.m_rootdisp >= MAXDISP || p->lastpkt_reftime > msg.m_xmt)
//              return;                 /* invalid header values */

        p->lastpkt_status = msg.m_status;
        p->lastpkt_stratum = msg.m_stratum;
        p->lastpkt_rootdelay = sfp_to_d(msg.m_rootdelay);
        p->lastpkt_rootdisp = sfp_to_d(msg.m_rootdisp);
        p->lastpkt_refid = msg.m_refid;

        /*
         * From RFC 2030 (with a correction to the delay math):
         *
         * Timestamp Name          ID   When Generated
         * ------------------------------------------------------------
         * Originate Timestamp     T1   time request sent by client
         * Receive Timestamp       T2   time request received by server
         * Transmit Timestamp      T3   time reply sent by server
         * Destination Timestamp   T4   time reply received by client
         *
         * The roundtrip delay and local clock offset are defined as
         *
         * delay = (T4 - T1) - (T3 - T2); offset = ((T2 - T1) + (T3 - T4)) / 2
         */
        T1 = p->p_xmttime;
        T2 = lfp_to_d(msg.m_rectime);
        T3 = lfp_to_d(msg.m_xmttime);
        T4 = G.cur_time;

        p->lastpkt_recv_time = T4;

        VERB5 bb_error_msg("%s->lastpkt_recv_time=%f", p->p_dotted, p->lastpkt_recv_time);
        p->datapoint_idx = p->reachable_bits ? (p->datapoint_idx + 1) % NUM_DATAPOINTS : 0;
        datapoint = &p->filter_datapoint[p->datapoint_idx];
        datapoint->d_recv_time = T4;
        datapoint->d_offset    = ((T2 - T1) + (T3 - T4)) / 2;
        /* The delay calculation is a special case. In cases where the
         * server and client clocks are running at different rates and
         * with very fast networks, the delay can appear negative. In
         * order to avoid violating the Principle of Least Astonishment,
         * the delay is clamped not less than the system precision.
         */
        p->lastpkt_delay = (T4 - T1) - (T3 - T2);
        if (p->lastpkt_delay < G_precision_sec)
                p->lastpkt_delay = G_precision_sec;
        datapoint->d_dispersion = LOG2D(msg.m_precision_exp) + G_precision_sec;
        if (!p->reachable_bits) {
                /* 1st datapoint ever - replicate offset in every element */
                int i;
                for (i = 1; i < NUM_DATAPOINTS; i++) {
                        p->filter_datapoint[i].d_offset = datapoint->d_offset;
                }
        }

        p->reachable_bits |= 1;
        if ((MAX_VERBOSE && G.verbose) || (option_mask32 & OPT_w)) {
                bb_error_msg("reply from %s: reach 0x%02x offset %f delay %f status 0x%02x strat %d refid 0x%08x rootdelay %f",
                        p->p_dotted,
                        p->reachable_bits,
                        datapoint->d_offset,
                        p->lastpkt_delay,
                        p->lastpkt_status,
                        p->lastpkt_stratum,
                        p->lastpkt_refid,
                        p->lastpkt_rootdelay
                        /* not shown: m_ppoll, m_precision_exp, m_rootdisp,
                         * m_reftime, m_orgtime, m_rectime, m_xmttime
                         */
                );
        }

        /* Muck with statictics and update the clock */
        filter_datapoints(p);
        q = select_and_cluster();
        rc = -1;
        if (q) {
                rc = 0;
                if (!(option_mask32 & OPT_w)) {
                        rc = update_local_clock(q);
                        /* If drift is dangerously large, immediately
                         * drop poll interval one step down.
                         */
                        if (fabs(q->filter_offset) >= POLLDOWN_OFFSET) {
                                VERB3 bb_error_msg("offset:%f > POLLDOWN_OFFSET", q->filter_offset);
                                goto poll_down;
                        }
                }
        }
        /* else: no peer selected, rc = -1: we want to poll more often */

        if (rc != 0) {
                /* Adjust the poll interval by comparing the current offset
                 * with the clock jitter. If the offset is less than
                 * the clock jitter times a constant, then the averaging interval
                 * is increased, otherwise it is decreased. A bit of hysteresis
                 * helps calm the dance. Works best using burst mode.
                 */
                VERB4 if (rc > 0) {
                        bb_error_msg("offset:%f POLLADJ_GATE*discipline_jitter:%f poll:%s",
                                q->filter_offset, POLLADJ_GATE * G.discipline_jitter,
                                fabs(q->filter_offset) < POLLADJ_GATE * G.discipline_jitter
                                        ? "grows" : "falls"
                        );
                }
                if (rc > 0 && fabs(q->filter_offset) < POLLADJ_GATE * G.discipline_jitter) {
                        /* was += G.poll_exp but it is a bit
                         * too optimistic for my taste at high poll_exp's */
                        G.polladj_count += MINPOLL;
                        if (G.polladj_count > POLLADJ_LIMIT) {
                                G.polladj_count = 0;
                                if (G.poll_exp < MAXPOLL) {
                                        G.poll_exp++;
                                        VERB3 bb_error_msg("polladj: discipline_jitter:%f ++poll_exp=%d",
                                                        G.discipline_jitter, G.poll_exp);
                                }
                        } else {
                                VERB3 bb_error_msg("polladj: incr:%d", G.polladj_count);
                        }
                } else {
                        G.polladj_count -= G.poll_exp * 2;
                        if (G.polladj_count < -POLLADJ_LIMIT || G.poll_exp >= BIGPOLL) {
 poll_down:
                                G.polladj_count = 0;
                                if (G.poll_exp > MINPOLL) {
                                        llist_t *item;

                                        G.poll_exp--;
                                        /* Correct p->next_action_time in each peer
                                         * which waits for sending, so that they send earlier.
                                         * Old pp->next_action_time are on the order
                                         * of t + (1 << old_poll_exp) + small_random,
                                         * we simply need to subtract ~half of that.
                                         */
                                        for (item = G.ntp_peers; item != NULL; item = item->link) {
                                                peer_t *pp = (peer_t *) item->data;
                                                if (pp->p_fd < 0)
                                                        pp->next_action_time -= (1 << G.poll_exp);
                                        }
                                        VERB3 bb_error_msg("polladj: discipline_jitter:%f --poll_exp=%d",
                                                        G.discipline_jitter, G.poll_exp);
                                }
                        } else {
                                VERB3 bb_error_msg("polladj: decr:%d", G.polladj_count);
                        }
                }
        }

        /* Decide when to send new query for this peer */
        interval = poll_interval(0);

 set_next_and_close_sock:
        set_next(p, interval);
        /* We do not expect any more packets from this peer for now.
         * Closing the socket informs kernel about it.
         * We open a new socket when we send a new query.
         */
        close(p->p_fd);
        p->p_fd = -1;
 bail:
        return;
}

#if ENABLE_FEATURE_NTPD_SERVER
static NOINLINE void
recv_and_process_client_pkt(void /*int fd*/)
{
        ssize_t          size;
        uint8_t          version;
        len_and_sockaddr *to;
        struct sockaddr  *from;
        msg_t            msg;
        uint8_t          query_status;
        l_fixedpt_t      query_xmttime;

        to = get_sock_lsa(G.listen_fd);
        from = xzalloc(to->len);

        size = recv_from_to(G.listen_fd, &msg, sizeof(msg), MSG_DONTWAIT, from, &to->u.sa, to->len);
        if (size != NTP_MSGSIZE_NOAUTH && size != NTP_MSGSIZE) {
                char *addr;
                if (size < 0) {
                        if (errno == EAGAIN)
                                goto bail;
                        bb_perror_msg_and_die("recv");
                }
                addr = xmalloc_sockaddr2dotted_noport(from);
                bb_error_msg("malformed packet received from %s: size %u", addr, (int)size);
                free(addr);
                goto bail;
        }

        query_status = msg.m_status;
        query_xmttime = msg.m_xmttime;

        /* Build a reply packet */
        memset(&msg, 0, sizeof(msg));
        msg.m_status = G.stratum < MAXSTRAT ? G.ntp_status : LI_ALARM;
        msg.m_status |= (query_status & VERSION_MASK);
        msg.m_status |= ((query_status & MODE_MASK) == MODE_CLIENT) ?
                         MODE_SERVER : MODE_SYM_PAS;
        msg.m_stratum = G.stratum;
        msg.m_ppoll = G.poll_exp;
        msg.m_precision_exp = G_precision_exp;
        /* this time was obtained between poll() and recv() */
        msg.m_rectime = d_to_lfp(G.cur_time);
        msg.m_xmttime = d_to_lfp(gettime1900d()); /* this instant */
        msg.m_reftime = d_to_lfp(G.reftime);
        msg.m_orgtime = query_xmttime;
        msg.m_rootdelay = d_to_sfp(G.rootdelay);
//simple code does not do this, fix simple code!
        msg.m_rootdisp = d_to_sfp(G.rootdisp);
        version = (query_status & VERSION_MASK); /* ... >> VERSION_SHIFT - done below instead */
        msg.m_refid = G.refid; // (version > (3 << VERSION_SHIFT)) ? G.refid : G.refid3;

        /* We reply from the local address packet was sent to,
         * this makes to/from look swapped here: */
        do_sendto(G.listen_fd,
                /*from:*/ &to->u.sa, /*to:*/ from, /*addrlen:*/ to->len,
                &msg, size);

 bail:
        free(to);
        free(from);
}
#endif

/* Upstream ntpd's options:
 *
 * -4   Force DNS resolution of host names to the IPv4 namespace.
 * -6   Force DNS resolution of host names to the IPv6 namespace.
 * -a   Require cryptographic authentication for broadcast client,
 *      multicast client and symmetric passive associations.
 *      This is the default.
 * -A   Do not require cryptographic authentication for broadcast client,
 *      multicast client and symmetric passive associations.
 *      This is almost never a good idea.
 * -b   Enable the client to synchronize to broadcast servers.
 * -c conffile
 *      Specify the name and path of the configuration file,
 *      default /etc/ntp.conf
 * -d   Specify debugging mode. This option may occur more than once,
 *      with each occurrence indicating greater detail of display.
 * -D level
 *      Specify debugging level directly.
 * -f driftfile
 *      Specify the name and path of the frequency file.
 *      This is the same operation as the "driftfile FILE"
 *      configuration command.
 * -g   Normally, ntpd exits with a message to the system log
 *      if the offset exceeds the panic threshold, which is 1000 s
 *      by default. This option allows the time to be set to any value
 *      without restriction; however, this can happen only once.
 *      If the threshold is exceeded after that, ntpd will exit
 *      with a message to the system log. This option can be used
 *      with the -q and -x options. See the tinker command for other options.
 * -i jaildir
 *      Chroot the server to the directory jaildir. This option also implies
 *      that the server attempts to drop root privileges at startup
 *      (otherwise, chroot gives very little additional security).
 *      You may need to also specify a -u option.
 * -k keyfile
 *      Specify the name and path of the symmetric key file,
 *      default /etc/ntp/keys. This is the same operation
 *      as the "keys FILE" configuration command.
 * -l logfile
 *      Specify the name and path of the log file. The default
 *      is the system log file. This is the same operation as
 *      the "logfile FILE" configuration command.
 * -L   Do not listen to virtual IPs. The default is to listen.
 * -n   Don't fork.
 * -N   To the extent permitted by the operating system,
 *      run the ntpd at the highest priority.
 * -p pidfile
 *      Specify the name and path of the file used to record the ntpd
 *      process ID. This is the same operation as the "pidfile FILE"
 *      configuration command.
 * -P priority
 *      To the extent permitted by the operating system,
 *      run the ntpd at the specified priority.
 * -q   Exit the ntpd just after the first time the clock is set.
 *      This behavior mimics that of the ntpdate program, which is
 *      to be retired. The -g and -x options can be used with this option.
 *      Note: The kernel time discipline is disabled with this option.
 * -r broadcastdelay
 *      Specify the default propagation delay from the broadcast/multicast
 *      server to this client. This is necessary only if the delay
 *      cannot be computed automatically by the protocol.
 * -s statsdir
 *      Specify the directory path for files created by the statistics
 *      facility. This is the same operation as the "statsdir DIR"
 *      configuration command.
 * -t key
 *      Add a key number to the trusted key list. This option can occur
 *      more than once.
 * -u user[:group]
 *      Specify a user, and optionally a group, to switch to.
 * -v variable
 * -V variable
 *      Add a system variable listed by default.
 * -x   Normally, the time is slewed if the offset is less than the step
 *      threshold, which is 128 ms by default, and stepped if above
 *      the threshold. This option sets the threshold to 600 s, which is
 *      well within the accuracy window to set the clock manually.
 *      Note: since the slew rate of typical Unix kernels is limited
 *      to 0.5 ms/s, each second of adjustment requires an amortization
 *      interval of 2000 s. Thus, an adjustment as much as 600 s
 *      will take almost 14 days to complete. This option can be used
 *      with the -g and -q options. See the tinker command for other options.
 *      Note: The kernel time discipline is disabled with this option.
 */

/* By doing init in a separate function we decrease stack usage
 * in main loop.
 */
static NOINLINE void ntp_init(char **argv)
{
        unsigned opts;
        llist_t *peers;

        srandom(getpid());

        if (getuid())
                bb_error_msg_and_die(bb_msg_you_must_be_root);

        /* Set some globals */
        G.stratum = MAXSTRAT;
        if (BURSTPOLL != 0)
                G.poll_exp = BURSTPOLL; /* speeds up initial sync */
        G.last_script_run = G.reftime = G.last_update_recv_time = gettime1900d(); /* sets G.cur_time too */

        /* Parse options */
        peers = NULL;
        opt_complementary = "dd:p::wn"; /* d: counter; p: list; -w implies -n */
        opts = getopt32(argv,
                        "nqNx" /* compat */
                        "wp:S:"IF_FEATURE_NTPD_SERVER("l") /* NOT compat */
                        "d" /* compat */
                        "46aAbgL", /* compat, ignored */
                        &peers, &G.script_name, &G.verbose);
        if (!(opts & (OPT_p|OPT_l)))
                bb_show_usage();
//      if (opts & OPT_x) /* disable stepping, only slew is allowed */
//              G.time_was_stepped = 1;
        while (peers)
                add_peers(llist_pop(&peers));
        if (!(opts & OPT_n)) {
                bb_daemonize_or_rexec(DAEMON_DEVNULL_STDIO, argv);
                logmode = LOGMODE_NONE;
        }
#if ENABLE_FEATURE_NTPD_SERVER
        G.listen_fd = -1;
        if (opts & OPT_l) {
                G.listen_fd = create_and_bind_dgram_or_die(NULL, 123);
                socket_want_pktinfo(G.listen_fd);
                setsockopt(G.listen_fd, IPPROTO_IP, IP_TOS, &const_IPTOS_LOWDELAY, sizeof(const_IPTOS_LOWDELAY));
        }
#endif
        /* I hesitate to set -20 prio. -15 should be high enough for timekeeping */
        if (opts & OPT_N)
                setpriority(PRIO_PROCESS, 0, -15);

        bb_signals((1 << SIGTERM) | (1 << SIGINT), record_signo);
        /* Removed SIGHUP here: */
        bb_signals((1 << SIGPIPE) | (1 << SIGCHLD), SIG_IGN);
}

int ntpd_main(int argc UNUSED_PARAM, char **argv) MAIN_EXTERNALLY_VISIBLE;
int ntpd_main(int argc UNUSED_PARAM, char **argv)
{
#undef G
        struct globals G;
        struct pollfd *pfd;
        peer_t **idx2peer;
        unsigned cnt;

        memset(&G, 0, sizeof(G));
        SET_PTR_TO_GLOBALS(&G);

        ntp_init(argv);

        /* If ENABLE_FEATURE_NTPD_SERVER, + 1 for listen_fd: */
        cnt = G.peer_cnt + ENABLE_FEATURE_NTPD_SERVER;
        idx2peer = xzalloc(sizeof(idx2peer[0]) * cnt);
        pfd = xzalloc(sizeof(pfd[0]) * cnt);

        /* Countdown: we never sync before we sent INITIAL_SAMLPES+1
         * packets to each peer.
         * NB: if some peer is not responding, we may end up sending
         * fewer packets to it and more to other peers.
         * NB2: sync usually happens using INITIAL_SAMLPES packets,
         * since last reply does not come back instantaneously.
         */
        cnt = G.peer_cnt * (INITIAL_SAMLPES + 1);

        while (!bb_got_signal) {
                llist_t *item;
                unsigned i, j;
                int nfds, timeout;
                double nextaction;

                /* Nothing between here and poll() blocks for any significant time */

                nextaction = G.cur_time + 3600;

                i = 0;
#if ENABLE_FEATURE_NTPD_SERVER
                if (G.listen_fd != -1) {
                        pfd[0].fd = G.listen_fd;
                        pfd[0].events = POLLIN;
                        i++;
                }
#endif
                /* Pass over peer list, send requests, time out on receives */
                for (item = G.ntp_peers; item != NULL; item = item->link) {
                        peer_t *p = (peer_t *) item->data;

                        if (p->next_action_time <= G.cur_time) {
                                if (p->p_fd == -1) {
                                        /* Time to send new req */
                                        if (--cnt == 0) {
                                                G.initial_poll_complete = 1;
                                        }
                                        send_query_to_peer(p);
                                } else {
                                        /* Timed out waiting for reply */
                                        close(p->p_fd);
                                        p->p_fd = -1;
                                        timeout = poll_interval(-2); /* -2: try a bit sooner */
                                        bb_error_msg("timed out waiting for %s, reach 0x%02x, next query in %us",
                                                        p->p_dotted, p->reachable_bits, timeout);
                                        set_next(p, timeout);
                                }
                        }

                        if (p->next_action_time < nextaction)
                                nextaction = p->next_action_time;

                        if (p->p_fd >= 0) {
                                /* Wait for reply from this peer */
                                pfd[i].fd = p->p_fd;

                                pfd[i].events = POLLIN;
                                idx2peer[i] = p;
                                i++;
                        }
                }

                timeout = nextaction - G.cur_time;
                if (timeout < 0)
                        timeout = 0;
                timeout++; /* (nextaction - G.cur_time) rounds down, compensating */

                /* Here we may block */
                VERB2 bb_error_msg("poll %us, sockets:%u, poll interval:%us", timeout, i, 1 << G.poll_exp);
                nfds = poll(pfd, i, timeout * 1000);
                gettime1900d(); /* sets G.cur_time */
                if (nfds <= 0) {
                        if (G.script_name && G.cur_time - G.last_script_run > 11*60) {
                                /* Useful for updating battery-backed RTC and such */
                                run_script("periodic", G.last_update_offset);
                                gettime1900d(); /* sets G.cur_time */
                        }
                        continue;
                }

                /* Process any received packets */
                j = 0;
#if ENABLE_FEATURE_NTPD_SERVER
                if (G.listen_fd != -1) {
                        if (pfd[0].revents /* & (POLLIN|POLLERR)*/) {
                                nfds--;
                                recv_and_process_client_pkt(/*G.listen_fd*/);
                                gettime1900d(); /* sets G.cur_time */
                        }
                        j = 1;
                }
#endif
                for (; nfds != 0 && j < i; j++) {
                        if (pfd[j].revents /* & (POLLIN|POLLERR)*/) {
                                nfds--;
                                recv_and_process_peer_pkt(idx2peer[j]);
                                gettime1900d(); /* sets G.cur_time */
                        }
                }
        } /* while (!bb_got_signal) */

        kill_myself_with_sig(bb_got_signal);
}






/*** openntpd-4.6 uses only adjtime, not adjtimex ***/

/*** ntp-4.2.6/ntpd/ntp_loopfilter.c - adjtimex usage ***/

#if 0
static double
direct_freq(double fp_offset)
{

#ifdef KERNEL_PLL
        /*
         * If the kernel is enabled, we need the residual offset to
         * calculate the frequency correction.
         */
        if (pll_control && kern_enable) {
                memset(&ntv, 0, sizeof(ntv));
                ntp_adjtime(&ntv);
#ifdef STA_NANO
                clock_offset = ntv.offset / 1e9;
#else /* STA_NANO */
                clock_offset = ntv.offset / 1e6;
#endif /* STA_NANO */
                drift_comp = FREQTOD(ntv.freq);
        }
#endif /* KERNEL_PLL */
        set_freq((fp_offset - clock_offset) / (current_time - clock_epoch) + drift_comp);
        wander_resid = 0;
        return drift_comp;
}

static void
set_freq(double freq) /* frequency update */
{
        char tbuf[80];

        drift_comp = freq;

#ifdef KERNEL_PLL
        /*
         * If the kernel is enabled, update the kernel frequency.
         */
        if (pll_control && kern_enable) {
                memset(&ntv, 0, sizeof(ntv));
                ntv.modes = MOD_FREQUENCY;
                ntv.freq = DTOFREQ(drift_comp);
                ntp_adjtime(&ntv);
                snprintf(tbuf, sizeof(tbuf), "kernel %.3f PPM", drift_comp * 1e6);
                report_event(EVNT_FSET, NULL, tbuf);
        } else {
                snprintf(tbuf, sizeof(tbuf), "ntpd %.3f PPM", drift_comp * 1e6);
                report_event(EVNT_FSET, NULL, tbuf);
        }
#else /* KERNEL_PLL */
        snprintf(tbuf, sizeof(tbuf), "ntpd %.3f PPM", drift_comp * 1e6);
        report_event(EVNT_FSET, NULL, tbuf);
#endif /* KERNEL_PLL */
}

...
...
...

#ifdef KERNEL_PLL
        /*
         * This code segment works when clock adjustments are made using
         * precision time kernel support and the ntp_adjtime() system
         * call. This support is available in Solaris 2.6 and later,
         * Digital Unix 4.0 and later, FreeBSD, Linux and specially
         * modified kernels for HP-UX 9 and Ultrix 4. In the case of the
         * DECstation 5000/240 and Alpha AXP, additional kernel
         * modifications provide a true microsecond clock and nanosecond
         * clock, respectively.
         *
         * Important note: The kernel discipline is used only if the
         * step threshold is less than 0.5 s, as anything higher can
         * lead to overflow problems. This might occur if some misguided
         * lad set the step threshold to something ridiculous.
         */
        if (pll_control && kern_enable) {

#define MOD_BITS (MOD_OFFSET | MOD_MAXERROR | MOD_ESTERROR | MOD_STATUS | MOD_TIMECONST)

                /*
                 * We initialize the structure for the ntp_adjtime()
                 * system call. We have to convert everything to
                 * microseconds or nanoseconds first. Do not update the
                 * system variables if the ext_enable flag is set. In
                 * this case, the external clock driver will update the
                 * variables, which will be read later by the local
                 * clock driver. Afterwards, remember the time and
                 * frequency offsets for jitter and stability values and
                 * to update the frequency file.
                 */
                memset(&ntv,  0, sizeof(ntv));
                if (ext_enable) {
                        ntv.modes = MOD_STATUS;
                } else {
#ifdef STA_NANO
                        ntv.modes = MOD_BITS | MOD_NANO;
#else /* STA_NANO */
                        ntv.modes = MOD_BITS;
#endif /* STA_NANO */
                        if (clock_offset < 0)
                                dtemp = -.5;
                        else
                                dtemp = .5;
#ifdef STA_NANO
                        ntv.offset = (int32)(clock_offset * 1e9 + dtemp);
                        ntv.constant = sys_poll;
#else /* STA_NANO */
                        ntv.offset = (int32)(clock_offset * 1e6 + dtemp);
                        ntv.constant = sys_poll - 4;
#endif /* STA_NANO */
                        ntv.esterror = (u_int32)(clock_jitter * 1e6);
                        ntv.maxerror = (u_int32)((sys_rootdelay / 2 + sys_rootdisp) * 1e6);
                        ntv.status = STA_PLL;

                        /*
                         * Enable/disable the PPS if requested.
                         */
                        if (pps_enable) {
                                if (!(pll_status & STA_PPSTIME))
                                        report_event(EVNT_KERN,
                                            NULL, "PPS enabled");
                                ntv.status |= STA_PPSTIME | STA_PPSFREQ;
                        } else {
                                if (pll_status & STA_PPSTIME)
                                        report_event(EVNT_KERN,
                                            NULL, "PPS disabled");
                                ntv.status &= ~(STA_PPSTIME |
                                    STA_PPSFREQ);
                        }
                        if (sys_leap == LEAP_ADDSECOND)
                                ntv.status |= STA_INS;
                        else if (sys_leap == LEAP_DELSECOND)
                                ntv.status |= STA_DEL;
                }

                /*
                 * Pass the stuff to the kernel. If it squeals, turn off
                 * the pps. In any case, fetch the kernel offset,
                 * frequency and jitter.
                 */
                if (ntp_adjtime(&ntv) == TIME_ERROR) {
                        if (!(ntv.status & STA_PPSSIGNAL))
                                report_event(EVNT_KERN, NULL,
                                    "PPS no signal");
                }
                pll_status = ntv.status;
#ifdef STA_NANO
                clock_offset = ntv.offset / 1e9;
#else /* STA_NANO */
                clock_offset = ntv.offset / 1e6;
#endif /* STA_NANO */
                clock_frequency = FREQTOD(ntv.freq);

                /*
                 * If the kernel PPS is lit, monitor its performance.
                 */
                if (ntv.status & STA_PPSTIME) {
#ifdef STA_NANO
                        clock_jitter = ntv.jitter / 1e9;
#else /* STA_NANO */
                        clock_jitter = ntv.jitter / 1e6;
#endif /* STA_NANO */
                }

#if defined(STA_NANO) && NTP_API == 4
                /*
                 * If the TAI changes, update the kernel TAI.
                 */
                if (loop_tai != sys_tai) {
                        loop_tai = sys_tai;
                        ntv.modes = MOD_TAI;
                        ntv.constant = sys_tai;
                        ntp_adjtime(&ntv);
                }
#endif /* STA_NANO */
        }
#endif /* KERNEL_PLL */
#endif