diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index 86c20a4d8..838813866 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -1,68 +1,79 @@
### Autogenerated by service_ntp.py ###
# This would step the system clock if the adjustment is larger than 0.1 seconds,
# but only in the first three clock updates.
makestep 1.0 3
# The rtcsync directive enables a mode where the system time is periodically
# copied to the RTC and chronyd does not try to track its drift. This directive
# cannot be used with the rtcfile directive. On Linux, the RTC copy is performed
# by the kernel every 11 minutes.
rtcsync
# This directive specifies the maximum amount of memory that chronyd is allowed
# to allocate for logging of client accesses and the state that chronyd as an
# NTP server needs to support the interleaved mode for its clients.
clientloglimit 1048576
driftfile /run/chrony/drift
dumpdir /run/chrony
ntsdumpdir /run/chrony
pidfile {{ config_file | replace('.conf', '.pid') }}
# Determine when will the next leap second occur and what is the current offset
{% if leap_second is vyos_defined('timezone') %}
leapsectz right/UTC
{% elif leap_second is vyos_defined('ignore') %}
leapsecmode ignore
{% elif leap_second is vyos_defined('smear') %}
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001024 leaponly
{% elif leap_second is vyos_defined('system') %}
leapsecmode system
{% endif %}
user {{ user }}
# NTP servers to reach out to
{% if server is vyos_defined %}
{% for server, config in server.items() %}
{% set association = 'server' %}
{% if config.pool is vyos_defined %}
{% set association = 'pool' %}
{% endif %}
{{ association }} {{ server | replace('_', '-') }} iburst {{- ' nts' if config.nts is vyos_defined }} {{- ' noselect' if config.noselect is vyos_defined }} {{- ' prefer' if config.prefer is vyos_defined }} {{- ' xleave' if config.interleave is vyos_defined }}
{% endfor %}
{% endif %}
# Allowed clients configuration
{% if allow_client.address is vyos_defined %}
{% for address in allow_client.address %}
allow {{ address }}
{% endfor %}
{% else %}
deny all
{% endif %}
{% if listen_address is vyos_defined or interface is vyos_defined %}
# NTP should listen on configured addresses only
{% if listen_address is vyos_defined %}
{% for address in listen_address %}
bindaddress {{ address }}
{% endfor %}
{% endif %}
{% if interface is vyos_defined %}
binddevice {{ interface }}
{% endif %}
{% endif %}
+
+{% if offload.timestamp.interface is vyos_defined %}
+# Enable hardware timestamping on the specified interfaces
+{% for interface, config in offload.timestamp.interface.items() %}
+hwtimestamp {{ interface }} {{- ' rxfilter ' ~ config.receive_filter if config.receive_filter is vyos_defined }}
+{% endfor %}
+{% endif %}
+{% if offload.timestamp.default_enable is vyos_defined %}
+# Enable hardware timestamping on all supported interfaces not otherwise configured
+hwtimestamp *
+{% endif %}
diff --git a/interface-definitions/service_ntp.xml.in b/interface-definitions/service_ntp.xml.in
index eca0ada63..005499abd 100644
--- a/interface-definitions/service_ntp.xml.in
+++ b/interface-definitions/service_ntp.xml.in
@@ -1,101 +1,161 @@
<?xml version="1.0"?>
<!-- NTP configuration -->
<interfaceDefinition>
<node name="service">
<children>
<node name="ntp" owner="${vyos_conf_scripts_dir}/service_ntp.py">
<properties>
<help>Network Time Protocol (NTP) configuration</help>
<priority>900</priority>
</properties>
<children>
#include <include/allow-client.xml.i>
#include <include/generic-interface.xml.i>
#include <include/listen-address.xml.i>
#include <include/interface/vrf.xml.i>
+ <node name="offload">
+ <properties>
+ <help>Configurable offload options</help>
+ </properties>
+ <children>
+ <node name="timestamp">
+ <properties>
+ <help>Enable timestamping of packets in the NIC hardware</help>
+ </properties>
+ <children>
+ <leafNode name="default-enable">
+ <properties>
+ <help>Enable timestamping on all supported interfaces</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <tagNode name="interface">
+ <properties>
+ <help>Interface to enable timestamping on</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces</script>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Interface name</description>
+ </valueHelp>
+ <constraint>
+ #include <include/constraint/interface-name.xml.i>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="receive-filter">
+ <properties>
+ <help>Selects which inbound packets are timestamped by the NIC</help>
+ <completionHelp>
+ <list>all ntp none</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All received packets are timestamped</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ntp</format>
+ <description>Only NTP packets are timestamped</description>
+ </valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>No received packets are timestamped</description>
+ </valueHelp>
+ <constraint>
+ <regex>(all|ntp|none)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
<leafNode name="leap-second">
<properties>
<help>Leap second behavior</help>
<completionHelp>
<list>ignore smear system timezone</list>
</completionHelp>
<valueHelp>
<format>ignore</format>
<description>No correction is applied to the clock for the leap second</description>
</valueHelp>
<valueHelp>
<format>smear</format>
<description>Correct served time slowly be slewing instead of stepping</description>
</valueHelp>
<valueHelp>
<format>system</format>
<description>Kernel steps the system clock forward or backward</description>
</valueHelp>
<valueHelp>
<format>timezone</format>
<description>Use UTC timezone database to determine when will the next leap second occur</description>
</valueHelp>
<constraint>
<regex>(ignore|smear|system|timezone)</regex>
</constraint>
</properties>
<defaultValue>timezone</defaultValue>
</leafNode>
<tagNode name="server">
<properties>
<help>Network Time Protocol (NTP) server</help>
<valueHelp>
<format>ipv4</format>
<description>IP address of NTP server</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address of NTP server</description>
</valueHelp>
<valueHelp>
<format>hostname</format>
<description>Fully qualified domain name of NTP server</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
<validator name="fqdn"/>
</constraint>
</properties>
<children>
<leafNode name="noselect">
<properties>
<help>Marks the server as unused</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="nts">
<properties>
<help>Enable Network Time Security (NTS) for the server</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="pool">
<properties>
<help>Associate with a number of remote servers</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="prefer">
<properties>
<help>Marks the server as preferred</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="interleave">
<properties>
<help>Use the interleaved mode for the server</help>
<valueless/>
</properties>
</leafNode>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_service_ntp.py b/smoketest/scripts/cli/test_service_ntp.py
index fe6b1a529..644894914 100755
--- a/smoketest/scripts/cli/test_service_ntp.py
+++ b/smoketest/scripts/cli/test_service_ntp.py
@@ -1,198 +1,228 @@
#!/usr/bin/env python3
#
# Copyright (C) 2019-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.utils.process import cmd
from vyos.utils.process import process_named_running
PROCESS_NAME = 'chronyd'
NTP_CONF = '/run/chrony/chrony.conf'
base_path = ['service', 'ntp']
class TestSystemNTP(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
super(TestSystemNTP, cls).setUpClass()
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, base_path)
def tearDown(self):
self.assertTrue(process_named_running(PROCESS_NAME))
self.cli_delete(base_path)
self.cli_commit()
self.assertFalse(process_named_running(PROCESS_NAME))
def test_base_options(self):
# Test basic NTP support with multiple servers and their options
servers = ['192.0.2.1', '192.0.2.2']
options = ['nts', 'noselect', 'prefer']
pools = ['pool.vyos.io']
for server in servers:
for option in options:
self.cli_set(base_path + ['server', server, option])
# Test NTP pool
for pool in pools:
self.cli_set(base_path + ['server', pool, 'pool'])
# commit changes
self.cli_commit()
# Check generated configuration
# this file must be read with higher permissions
config = cmd(f'sudo cat {NTP_CONF}')
self.assertIn('driftfile /run/chrony/drift', config)
self.assertIn('dumpdir /run/chrony', config)
self.assertIn('ntsdumpdir /run/chrony', config)
self.assertIn('clientloglimit 1048576', config)
self.assertIn('rtcsync', config)
self.assertIn('makestep 1.0 3', config)
self.assertIn('leapsectz right/UTC', config)
for server in servers:
self.assertIn(f'server {server} iburst ' + ' '.join(options), config)
for pool in pools:
self.assertIn(f'pool {pool} iburst', config)
def test_clients(self):
# Test the allowed-networks statement
listen_address = ['127.0.0.1', '::1']
for listen in listen_address:
self.cli_set(base_path + ['listen-address', listen])
networks = ['192.0.2.0/24', '2001:db8:1000::/64', '100.64.0.0', '2001:db8::ffff']
for network in networks:
self.cli_set(base_path + ['allow-client', 'address', network])
# Verify "NTP server not configured" verify() statement
with self.assertRaises(ConfigSessionError):
self.cli_commit()
servers = ['192.0.2.1', '192.0.2.2']
for server in servers:
self.cli_set(base_path + ['server', server])
self.cli_commit()
# Check generated client address configuration
# this file must be read with higher permissions
config = cmd(f'sudo cat {NTP_CONF}')
for network in networks:
self.assertIn(f'allow {network}', config)
# Check listen address
for listen in listen_address:
self.assertIn(f'bindaddress {listen}', config)
def test_interface(self):
interfaces = ['eth0']
for interface in interfaces:
self.cli_set(base_path + ['interface', interface])
servers = ['time1.vyos.net', 'time2.vyos.net']
for server in servers:
self.cli_set(base_path + ['server', server])
self.cli_commit()
# Check generated client address configuration
# this file must be read with higher permissions
config = cmd(f'sudo cat {NTP_CONF}')
for interface in interfaces:
self.assertIn(f'binddevice {interface}', config)
def test_vrf(self):
vrf_name = 'vyos-mgmt'
self.cli_set(['vrf', 'name', vrf_name, 'table', '12345'])
self.cli_set(base_path + ['vrf', vrf_name])
servers = ['time1.vyos.net', 'time2.vyos.net']
for server in servers:
self.cli_set(base_path + ['server', server])
self.cli_commit()
# Check for process in VRF
tmp = cmd(f'ip vrf pids {vrf_name}')
self.assertIn(PROCESS_NAME, tmp)
self.cli_delete(['vrf', 'name', vrf_name])
def test_leap_seconds(self):
servers = ['time1.vyos.net', 'time2.vyos.net']
for server in servers:
self.cli_set(base_path + ['server', server])
self.cli_commit()
# Check generated client address configuration
# this file must be read with higher permissions
config = cmd(f'sudo cat {NTP_CONF}')
self.assertIn('leapsectz right/UTC', config) # CLI default
for mode in ['ignore', 'system', 'smear']:
self.cli_set(base_path + ['leap-second', mode])
self.cli_commit()
config = cmd(f'sudo cat {NTP_CONF}')
if mode != 'smear':
self.assertIn(f'leapsecmode {mode}', config)
else:
self.assertIn(f'leapsecmode slew', config)
self.assertIn(f'maxslewrate 1000', config)
self.assertIn(f'smoothtime 400 0.001024 leaponly', config)
def test_interleave_option(self):
# "interleave" option differs from some others in that the
# name is not a 1:1 mapping from VyOS config
servers = ['192.0.2.1', '192.0.2.2']
options = ['prefer']
offload_interface = 'eth0'
for server in servers:
for option in options:
self.cli_set(base_path + ['server', server, option])
self.cli_set(base_path + ['server', server, 'interleave'])
# commit changes
self.cli_commit()
# Check generated configuration
# this file must be read with higher permissions
config = cmd(f'sudo cat {NTP_CONF}')
self.assertIn('driftfile /run/chrony/drift', config)
self.assertIn('dumpdir /run/chrony', config)
self.assertIn('ntsdumpdir /run/chrony', config)
self.assertIn('clientloglimit 1048576', config)
self.assertIn('rtcsync', config)
self.assertIn('makestep 1.0 3', config)
self.assertIn('leapsectz right/UTC', config)
for server in servers:
self.assertIn(f'server {server} iburst ' + ' '.join(options) + ' xleave', config)
+ def test_offload_timestamp_default(self):
+ # Test offloading of NIC timestamp
+ servers = ['192.0.2.1', '192.0.2.2']
+ options = ['prefer']
+
+ for server in servers:
+ for option in options:
+ self.cli_set(base_path + ['server', server, option])
+
+ self.cli_set(base_path + ['offload', 'timestamp', 'default-enable'])
+
+ # commit changes
+ self.cli_commit()
+
+ # Check generated configuration
+ # this file must be read with higher permissions
+ config = cmd(f'sudo cat {NTP_CONF}')
+ self.assertIn('driftfile /run/chrony/drift', config)
+ self.assertIn('dumpdir /run/chrony', config)
+ self.assertIn('ntsdumpdir /run/chrony', config)
+ self.assertIn('clientloglimit 1048576', config)
+ self.assertIn('rtcsync', config)
+ self.assertIn('makestep 1.0 3', config)
+ self.assertIn('leapsectz right/UTC', config)
+
+ for server in servers:
+ self.assertIn(f'server {server} iburst ' + ' '.join(options), config)
+
+ self.assertIn('hwtimestamp *', config)
+
if __name__ == '__main__':
unittest.main(verbosity=2)