* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* RCSID $Id: pluto_constants.h,v 1.22.2.1 2005/01/01 00:04:10 ken Exp $
/* Control and lock pathnames
 *
 * The three *_SUFFIX strings are appended to DEFAULT_CTLBASE, so it is a
 * pathname prefix rather than a directory (presumably yielding
 * "/var/run/pluto.ctl", "/var/run/pluto.pid" and "/var/run/pluto.info").
 * NOTE(review): whatever can connect to the control socket can presumably
 * drive the daemon (the debug/IMPAIR settings below are "shared with
 * whack"), so the ownership and mode of that socket are security
 * relevant -- confirm where the socket is created; that code is not here.
 */
#ifndef DEFAULT_CTLBASE
# define DEFAULT_CTLBASE "/var/run/pluto"
#define CTL_SUFFIX ".ctl" /* for UNIX domain socket pathname (the control channel) */
#define LOCK_SUFFIX ".pid" /* for pluto's lock (a pid-style lock file) */
#define INFO_SUFFIX ".info" /* for UNIX domain socket for apps */
extern enum_names dpd_action_names; /* printable names for the DPD action values, presumably */

/* RFC 3706 Dead Peer Detection */

extern enum_names timer_event_names; /* printable names for the timer event values listed below, presumably */
/* Timer event kinds (named by timer_event_names above).  Some have a
 * matching EVENT_*_DELAY constant below giving their delay in seconds.
 */
EVENT_NULL, /* non-event */
EVENT_REINIT_SECRET, /* Refresh cookie secret (presumably every EVENT_REINIT_SECRET_DELAY seconds) */
EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */
EVENT_SO_DISCARD, /* discard unfinished state object */
EVENT_RETRANSMIT, /* Retransmit packet (see EVENT_RETRANSMIT_DELAY_0 and MAXIMUM_RETRANSMISSIONS*) */
EVENT_SA_REPLACE, /* SA replacement event */
EVENT_SA_REPLACE_IF_USED, /* SA replacement event, but only if the SA has carried traffic, presumably */
EVENT_SA_EXPIRE, /* SA expiration event */
EVENT_NAT_T_KEEPALIVE, /* NAT Traversal Keepalive */
EVENT_DPD, /* dead peer detection */
EVENT_DPD_TIMEOUT, /* dead peer detection timeout */
EVENT_LOG_DAILY, /* reset certain log events/stats */
EVENT_CRYPTO_FAILED /* after some time (EVENT_CRYPTO_FAILED_DELAY), give up on crypto helper */
/* Delays, in seconds, for some of the timer events above. */
#define EVENT_REINIT_SECRET_DELAY 3600 /* 1 hour: how often the cookie secret is refreshed */
#define EVENT_CRYPTO_FAILED_DELAY 300 /* 5 minutes before a crypto helper request is abandoned */
#define EVENT_RETRANSMIT_DELAY_0 10 /* 10 seconds: initial retransmit delay (the _0 suggests later ones back off -- confirm in the retransmit code) */
* cryptographic helper operations.
/* Kinds of request that can be handed to a cryptographic helper.
 * The values are explicit, so they may be used outside this enum
 * (e.g. in the helper protocol); do not renumber.
 */
enum pluto_crypto_requests {
pcr_build_kenonce = 1, /* build a KE (Diffie-Hellman) value and a nonce, presumably */
pcr_x509cert_fetch = 4, /* fetch an X.509 certificate */
pcr_x509crl_fetch = 5, /* fetch an X.509 CRL */
extern enum_names pluto_cryptoop_names; /* printable names for enum pluto_crypto_requests, presumably */
* operational importance of this cryptographic operation.
* This determines whether the operation may be dropped (because the other
* end will retransmit, if it is legitimate), whether it pertains to an on-going
* connection, or whether it is something that we initiated and therefore
* should do at all costs.
/* Apparently ordered from least to most important (1..5): work for a peer
 * we hold no state for is the cheapest to shed under load (it will
 * retransmit if genuine), work we asked for ourselves is the dearest.
 * This is presumably the load-shedding knob that keeps a flood of
 * unauthenticated requests from starving established peers; if callers
 * compare these values, keep new entries in order.
 */
enum crypto_importance {
pcim_stranger_crypto = 1, /* request from a peer we have no state for yet, presumably */
pcim_known_crypto = 2, /* request from a known peer */
pcim_ongoing_crypto = 3, /* pertains to an on-going connection */
pcim_local_crypto = 4, /* something we initiated */
pcim_demand_crypto = 5 /* must be done at all costs */
/* status for state-transition-function
 * Note: STF_FAIL + notification_t means fail with that notification
/* NOTE(review): because STF_FAIL + notification_t encodes "fail with that
 * notification", every enumerator placed after STF_FAIL collides with one
 * of those encodings: STF_FATAL == STF_FAIL + 1, i.e. it cannot be told
 * apart from STF_FAIL with notification value 1 (INVALID-PAYLOAD-TYPE in
 * RFC 2408).  Whether this is harmful depends on how the result is decoded
 * (not in this file).  The safe layout is STF_FATAL before STF_FAIL with
 * STF_FAIL last; doing that also requires updating the stfstatus_name
 * table, which presumably lists these values in order.
 */
STF_IGNORE, /* don't respond */
STF_SUSPEND, /* unfinished -- don't release resources */
STF_OK, /* success */
STF_INTERNAL_ERROR, /* discard everything, we failed */
STF_FAIL, /* discard everything, something failed. notification_t added (STF_FAIL + n). */
STF_FATAL, /* just stop. we can't continue */
extern enum_names stfstatus_name; /* printable names for the STF_ values above; presumably positional, so keep it in step with the enum */
/* Retransmission limits.  The _INITIAL and _QUICK_R1 variants presumably
 * apply to the first message of an exchange and to Quick Mode's R1;
 * exactly how attempts are counted is decided by the retransmit code.
 */
#define MAXIMUM_RETRANSMISSIONS 2
#define MAXIMUM_RETRANSMISSIONS_INITIAL 20
#define MAXIMUM_RETRANSMISSIONS_QUICK_R1 20

/* How many malformed-payload notifications are tolerated before giving up
 * (per state, presumably) -- bounds the work a peer can force on us with
 * bogus notifications.  Confirm the unit in the code that counts them.
 */
#define MAXIMUM_MALFORMED_NOTIFY 16

/* Datagram buffer sizes.  65536 exceeds the largest possible UDP datagram
 * (the IPv4 total-length field is 16 bits), so a datagram can never be
 * truncated on receive; the bound on what is actually parsed still has to
 * come from validating the length fields inside the message.
 */
#define MAX_INPUT_UDP_SIZE 65536
#define MAX_OUTPUT_UDP_SIZE 65536
/* debugging settings: a set of selections for reporting
* These would be more naturally situated in log.h,
* but they are shared with whack.
* IMPAIR_* actually change behaviour, usually badly,
* to aid in testing. Naturally, these are not included in ALL.
* NOTE: changes here must be done in concert with changes to DBGOPT_*
* in whack.c. A change to WHACK_MAGIC in whack.h will be required too.
#if !defined(NO_DEBUG)
/* printable names for the DBG_/IMPAIR_ bits below, presumably indexed by bit number */
extern const char *const debug_bit_names[];
/* Ordinary debugging selections: each bit only adds logging.
 * Bits 0-13 are the normal set; bits 14-19 are unused here; bit 20 is
 * DBG_PRIVATE and bits from IMPAIR0 (21) up are the IMPAIR_* switches.
 * The bit positions apparently travel over the whack interface (see the
 * DBGOPT_/WHACK_MAGIC note above), so never renumber them.
 */
#define DBG_RAW LELEM(0) /* raw packet I/O */
#define DBG_CRYPT LELEM(1) /* encryption/decryption of messages */
#define DBG_PARSING LELEM(2) /* show decoding of messages */
#define DBG_EMITTING LELEM(3) /* show encoding of messages */
#define DBG_CONTROL LELEM(4) /* control flow within Pluto */
#define DBG_LIFECYCLE LELEM(5) /* SA lifecycle */
#define DBG_KLIPS LELEM(6) /* messages to KLIPS */
#define DBG_DNS LELEM(7) /* DNS activity */
#define DBG_OPPO LELEM(8) /* opportunism */
#define DBG_CONTROLMORE LELEM(9) /* more detailed debugging */
#define DBG_PFKEY LELEM(10) /*turn on the pfkey library debugging*/
#define DBG_NATT LELEM(11) /* debugging of NAT-traversal */
#define DBG_X509 LELEM(12) /* X.509/pkix verify, cert retrieval */
#define DBG_DPD LELEM(13) /* DPD items */
#define DBG_PRIVATE LELEM(20) /* private information: DANGER! Presumably dumps key material and other secrets into the log. Deliberately excluded from DBG_ALL; never enable on a production gateway. */
/* IMPAIR_* switches deliberately break behaviour for testing (see the note
 * above).  They are never part of DBG_ALL and must not be enabled on a
 * production gateway: IMPAIR_SA_CREATION fails every SA, and
 * IMPAIR_DIE_ONINFO lets a peer delete our state with an Informational
 * payload.
 */
#define IMPAIR0 21 /* first bit for IMPAIR_* (DBG_PRIVATE is bit 20) */

#define IMPAIR_DELAY_ADNS_KEY_ANSWER LELEM(IMPAIR0+0) /* sleep before answering */
#define IMPAIR_DELAY_ADNS_TXT_ANSWER LELEM(IMPAIR0+1) /* sleep before answering */
#define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2) /* make MI2 really large */
#define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3) /* make MR2 really large */
#define IMPAIR_SA_CREATION LELEM(IMPAIR0+4) /* fail all SA creation */
#define IMPAIR_DIE_ONINFO LELEM(IMPAIR0+5) /* cause state to be deleted upon receipt of information payload */
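#define DBG_NONE 0 /* no options on, including impairments */
/* all logging options on EXCEPT DBG_PRIVATE.
 * The range must run up to the highest ordinary debug bit, DBG_DPD (bit 13).
 * It used to stop at DBG_X509 (bit 12), which silently left DBG_DPD out of
 * "all", contradicting this comment.  DBG_PRIVATE (bit 20) and the
 * IMPAIR_* bits (21 and up) remain deliberately excluded.
 * Keep this in step whenever a new DBG_ bit is added after DBG_DPD.
 */
#define DBG_ALL LRANGES(DBG_RAW, DBG_DPD)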
/* State of exchanges
*
* The name of the state describes the last message sent, not the
* message currently being input or output (except during retry).
* In effect, the state represents the last completed action.
*
* Messages are named [MQ][IR]n where
* - M stands for Main Mode (Phase 1);
* Q stands for Quick Mode (Phase 2)
* - I stands for Initiator;
* R stands for Responder
* - n, a digit, stands for the number of the message
*
* It would be more convenient if each state accepted a message
* and produced one. This is the case for states at the start
* or end of an exchange. To fix this, we pretend that there are
* MR0 and QR0 messages before the MI1 and QR1 messages. Similarly,
* we pretend that there are MR4 and QR2 messages.
*
* STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate states (not
* retained between messages) representing that the first message of
* an exchange has been read but not yet processed.
*
* state_microcode state_microcode_table in demux.c describes
* other important details.
extern enum_names state_names; /* printable names for the STATE_ values below */
extern const char *const state_story[]; /* one-line description per state, presumably indexed by state value */
/* The relative order of these values is part of the contract: IS_PHASE1(),
 * IS_PHASE15(), IS_QUICK(), IS_ISAKMP_ENCRYPTED() and
 * IS_ISAKMP_AUTHENTICATED() below compare state values as ranges, so
 * inserting a state in the wrong place silently changes those predicates.
 */
STATE_UNDEFINED=0, /* 0 -- most likely accident */

/* Opportunism states: see "Opportunistic Encryption" 2.2 */

OPPO_ACQUIRE, /* got an ACQUIRE message for this pair */
OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
STATE_INFO_PROTECTED, /* Informational exchange under ISAKMP SA protection, presumably */
STATE_XAUTH_R0, /* server state has sent request, awaiting reply */
STATE_XAUTH_R1, /* server state has sent success/fail, awaiting reply */
STATE_MODE_CFG_R0, /* these states are used on the responder */
STATE_MODE_CFG_I1, /* this is used on the initiator */
STATE_XAUTH_I0, /* client state is awaiting request */
STATE_XAUTH_I1, /* client state is awaiting result code (the MODE_CFG states above lie inside the IS_PHASE15() range) */
extern enum_names state_names; /* repeats the declaration above; a duplicate extern is harmless */
extern enum_names state_stories; /* story text per state, presumably parallel to state_story[] */
/* Lowest state value belonging to an IKE (ISAKMP) SA, presumably the floor
 * of the IKE state range.
 */
#define STATE_IKE_FLOOR STATE_MAIN_R0

/* State sets (lset_t masks built with LELEM) and predicates on a single
 * state value.
 *
 * IS_PHASE1, IS_PHASE15, IS_QUICK, IS_ISAKMP_ENCRYPTED and
 * IS_ISAKMP_AUTHENTICATED compare state values as ranges and therefore
 * depend on the order of the state enum.
 *
 * NOTE(review): ISAKMP_SA_ESTABLISHED_STATES and IS_ISAKMP_SA_ESTABLISHED()
 * disagree -- the predicate also accepts STATE_AGGR_R2 and the
 * XAUTH/MODE_CFG states, the bit set does not.  Likewise
 * IS_PHASE1_INIT() accepts STATE_AGGR_R2 despite its name.  And
 * IS_ISAKMP_AUTHENTICATED() is true for *every* state sorting after
 * STATE_MAIN_R3; IS_ISAKMP_ENCRYPTED()'s explicit exclusions imply the
 * aggressive-mode states sort after STATE_MAIN_R2, so if they also sort
 * after STATE_MAIN_R3 then STATE_AGGR_R0/STATE_AGGR_I1 count as
 * "authenticated" before authentication completes.  Confirm against the
 * enum order and the callers that make trust decisions on these.
 */
#define PHASE1_INITIATOR_STATES (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
|LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4)\
|LELEM(STATE_AGGR_I1) | LELEM(STATE_AGGR_I2))
#define ISAKMP_SA_ESTABLISHED_STATES (LELEM(STATE_MAIN_R3) | \
LELEM(STATE_MAIN_I4) | \
LELEM(STATE_AGGR_I2))

#define IS_PHASE1_INIT(s) ((s) == STATE_MAIN_I1 \
|| (s) == STATE_MAIN_I2 \
|| (s) == STATE_MAIN_I3 \
|| (s) == STATE_MAIN_I4 \
|| (s) == STATE_AGGR_I1 \
|| (s) == STATE_AGGR_I2 \
|| (s) == STATE_AGGR_R2)
/* range predicates: rely on enum order (see above) */
#define IS_PHASE1(s) (STATE_MAIN_R0 <= (s) && (s) <= STATE_AGGR_R2)
#define IS_PHASE15(s) (STATE_XAUTH_R0 <= (s) && (s) <= STATE_XAUTH_I1)
#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
#define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_R2 <= (s) && STATE_AGGR_R0!=(s) && STATE_AGGR_I1 != (s))
#define IS_ISAKMP_AUTHENTICATED(s) (STATE_MAIN_R3 <= (s))
/* ex equality predicates: exact state lists */
#define IS_ISAKMP_SA_ESTABLISHED(s) ((s) == STATE_MAIN_R3 || (s) == STATE_MAIN_I4 \
|| (s) == STATE_AGGR_I2 || (s) == STATE_AGGR_R2 \
|| (s) == STATE_XAUTH_R0 || (s) == STATE_XAUTH_R1 \
|| (s) == STATE_MODE_CFG_R0 || (s) == STATE_MODE_CFG_R1 \
|| (s) == STATE_MODE_CFG_R2 \
|| (s) == STATE_XAUTH_I0 || (s) == STATE_XAUTH_I1)
#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
#define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1) /* responder has installed inbound but not yet outbound */
#define IS_MODE_CFG_ESTABLISHED(s) ((s) == STATE_MODE_CFG_R2)
/* kind of struct connection
* Ordered (mostly) by concreteness. Order is exploited.
extern enum_names connection_kind_names; /* printable names for enum connection_kind */
/* Ordered (mostly) by concreteness; the order is exploited elsewhere, so
 * keep it when adding kinds.
 */
enum connection_kind {
CK_GROUP, /* policy group: instantiates to template */
CK_TEMPLATE, /* abstract connection, with wildcard */
CK_PERMANENT, /* normal connection */
CK_INSTANCE, /* instance of template, created for a particular attempt */
CK_GOING_AWAY /* instance being deleted -- don't delete again (guards against double deletion) */
* Note: routing ignores source address, but erouting does not!
* Note: a connection can only be routed if it is NEVER_NEGOTIATE
* or HAS_IPSEC_POLICY.
extern enum_names routing_story; /* printable descriptions of the RT_ routing states below */
/* note that this is assumed to be ordered!
 * The routed() and erouted() macros below are comparisons on these
 * values, so their relative order is part of the contract.
 */
RT_UNROUTED, /* unrouted */
RT_UNROUTED_HOLD, /* unrouted, but HOLD shunt installed */
RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
RT_ROUTED_PROSPECTIVE, /* routed, and prospective shunt installed */
RT_ROUTED_HOLD, /* routed, and HOLD shunt installed */
RT_ROUTED_FAILURE, /* routed, and failure-context shunt installed */
RT_ROUTED_TUNNEL, /* routed, and erouted to an IPSEC SA group */
RT_UNROUTED_KEYED /* keyed, but not routed, on purpose (sorts after the RT_ROUTED_* values -- see routed() below) */
/* Predicates on a routing state; they depend on the enum order above.
 * NOTE(review): routed(RT_UNROUTED_KEYED) is true, because
 * RT_UNROUTED_KEYED sorts after RT_UNROUTED_HOLD, even though that state
 * is documented as "keyed, but not routed"; erouted(RT_UNROUTED_KEYED) is
 * true as well.  Confirm that callers expect this before using these
 * macros for a "not routed" decision.
 */
#define routed(rs) ((rs) > RT_UNROUTED_HOLD) /* true for RT_ROUTED_* and for RT_UNROUTED_KEYED */
#define erouted(rs) ((rs) != RT_UNROUTED) /* some eroute (shunt or tunnel) is installed */
#define shunt_erouted(rs) (erouted(rs) && (rs) != RT_ROUTED_TUNNEL) /* an eroute exists but is a shunt, not an IPsec tunnel */
extern enum_names certpolicy_type_names; /* printable names for the cert_* certificate-sending policies below */
cert_sendifasked = 2, /* send our certificate only when the peer asks for it, presumably; labelled "the default" here, but see cert_defaultcertpolicy below */
cert_forcedtype = 4, /* send a Cert payload with given type */

/* this is the default setting.
 * NOTE(review): the enum above marks cert_sendifasked as "the default",
 * yet this macro selects cert_alwayssend -- one of the two is stale.
 * Always sending the certificate presumably discloses the gateway's
 * identity to any peer that gets this far, so confirm which behaviour is
 * intended before changing either.
 */
#define cert_defaultcertpolicy cert_alwayssend
/* Policies for establishing an SA
*
* These are used to specify attributes (eg. encryption) and techniques
* (eg PFS) for an SA.
* Note: certain CD_ definitions in whack.c parallel these -- keep them
extern const char *const sa_policy_bit_names[]; /* one name per POLICY_ bit, presumably indexed by bit number */
extern const char *prettypolicy(lset_t policy); /* render a policy bit set as a human-readable string */
/* ISAKMP auth techniques (none means never negotiate) */
#define POLICY_PSK LELEM(0) /* pre-shared key authentication */
#define POLICY_RSASIG LELEM(1) /* RSA signature authentication */

#define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */

/* policies that affect ID types that are acceptable - RSA, PSK, XAUTH
 * NOTE(review): despite the mention of XAUTH, the mask covers only bits 0-1
 * (PSK and RSASIG); POLICY_XAUTH (bit 17) is not included.
 */
#define POLICY_ID_AUTH_MASK LRANGES(POLICY_PSK, POLICY_RSASIG)

/* policies that affect choices of proposal, note, does not include XAUTH.
 * NOTE(review): this definition continues on following lines (trailing
 * backslash); the continuation is not present in this excerpt.
 */
#define POLICY_ISAKMP(x,xs,xc) (((x) & LRANGES(POLICY_PSK, POLICY_RSASIG)) + \
/* Quick Mode (IPSEC) attributes.
 * ENCRYPT/AUTHENTICATE/COMPRESS must stay at bits 2, 3 and 4 in that order
 * (the comments say so; code elsewhere depends on the positions).
 */
#define POLICY_ENCRYPT LELEM(2) /* must be first of IPSEC policies (ESP, presumably) */
#define POLICY_AUTHENTICATE LELEM(3) /* must be second (AH, presumably) */
#define POLICY_COMPRESS LELEM(4) /* must be third (IPCOMP, presumably) */
#define POLICY_TUNNEL LELEM(5) /* tunnel rather than transport mode */
#define POLICY_PFS LELEM(6) /* perfect forward secrecy: fresh DH in Quick Mode */
#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* suppress tunnel egress address checking -- NOTE(review): presumably lets decapsulated packets bypass the check that their addresses match the tunnel's selectors, a spoofing risk; leave off unless required */

#define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
#define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK) /* bits 2-7: what HAS_IPSEC_POLICY() tests */
/* shunt attributes: what to do when routed without tunnel (2 bits)
 * The field occupies bits 8-9; extract it with ((p) & POLICY_SHUNT_MASK).
 * Security: POLICY_SHUNT_PASS presumably lets matching traffic through in
 * the clear while no tunnel exists; the default, TRAP, triggers negotiation.
 */
#define POLICY_SHUNT_SHIFT 8 /* log2(POLICY_SHUNT_PASS) */
#define POLICY_SHUNT_MASK (03ul << POLICY_SHUNT_SHIFT)

#define POLICY_SHUNT_TRAP (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
#define POLICY_SHUNT_PASS (1ul << POLICY_SHUNT_SHIFT) /* pass in the clear */
#define POLICY_SHUNT_DROP (2ul << POLICY_SHUNT_SHIFT) /* silently drop */
#define POLICY_SHUNT_REJECT (3ul << POLICY_SHUNT_SHIFT) /* drop and (presumably) send an ICMP error */
/* fail attributes: what to do with failed negotiation (2 bits)
 * The field occupies bits 10-11; extract it with ((p) & POLICY_FAIL_MASK).
 * Same value meanings as the shunt field: PASS sends traffic in the clear
 * after a failed negotiation, presumably -- choose it deliberately.
 */
#define POLICY_FAIL_SHIFT 10 /* log2(POLICY_FAIL_PASS) */
#define POLICY_FAIL_MASK (03ul << POLICY_FAIL_SHIFT)

#define POLICY_FAIL_NONE (0ul << POLICY_FAIL_SHIFT) /* default */
#define POLICY_FAIL_PASS (1ul << POLICY_FAIL_SHIFT)
#define POLICY_FAIL_DROP (2ul << POLICY_FAIL_SHIFT)
#define POLICY_FAIL_REJECT (3ul << POLICY_FAIL_SHIFT)
* Other policies could vary per state object. These live in connection.
/* Per-connection policies: bits 12 and up, following the two 2-bit
 * shunt/fail fields at bits 8-11.
 */
#define POLICY_DONT_REKEY LELEM(12) /* don't rekey state either Phase */
#define POLICY_OPPO LELEM(13) /* is this opportunistic? */
#define POLICY_GROUP LELEM(14) /* is this a group template? */
#define POLICY_GROUTED LELEM(15) /* do we want this group routed? */
#define POLICY_UP LELEM(16) /* do we want this up? */
#define POLICY_XAUTH LELEM(17) /* do we offer XAUTH? (not covered by POLICY_ID_AUTH_MASK) */
#define POLICY_MODECFG_PULL LELEM(18) /* is modecfg pulled by client? */
#define POLICY_AGGRESSIVE LELEM(19) /* do we do aggressive mode? Aggressive Mode with PSK is known to expose the PSK to offline dictionary attack; NEVER_NEGOTIATE() below treats this bit as an auth technique */
/* Any IPsec policy? If not, a connection description
* is only for an ISAKMP SA, not an IPsec SA. (A pun, I admit.)
* Note: a connection can only be routed if it is NEVER_NEGOTIATE
* or HAS_IPSEC_POLICY.
/* True when any Quick Mode bit (POLICY_ENCRYPT .. POLICY_DISABLEARRIVALCHECK) is set. */
#define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
/* Don't allow negotiation?
 * True when none of POLICY_PSK, POLICY_RSASIG or POLICY_AGGRESSIVE is set
 * ("none means never negotiate" above).
 * NOTE(review): POLICY_AGGRESSIVE is counted as if it were an auth
 * technique, so a policy with POLICY_AGGRESSIVE but neither POLICY_PSK nor
 * POLICY_RSASIG is considered negotiable although it has no way to
 * authenticate; presumably the configuration parser never produces that
 * combination -- confirm.
 */
#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_PSK | POLICY_RSASIG | POLICY_AGGRESSIVE))
/* Oakley transform attributes
* draft-ietf-ipsec-ike-01.txt appendix A
extern enum_names oakley_attr_names; /* printable names for the OAKLEY_ attribute types below */
extern const char *const oakley_attr_bit_names[]; /* names for the same attributes as a bit set, presumably indexed by attribute number */
/* Attribute type numbers for the ISAKMP SA (Phase 1) transform payload.
 * "B/V" marks attributes that may be sent in either basic (fixed 16-bit)
 * or variable-length form; the others are basic only.
 * NOTE(review): attributes 6-10 and 16 carry peer-supplied "new group"
 * parameters (prime, generators, curve, order).  Accepting arbitrary DH
 * parameters from a peer is unsafe (weak or small-subgroup groups);
 * whether pluto honours them is decided by the proposal parser, not here.
 */
#define OAKLEY_ENCRYPTION_ALGORITHM 1
#define OAKLEY_HASH_ALGORITHM 2
#define OAKLEY_AUTHENTICATION_METHOD 3
#define OAKLEY_GROUP_DESCRIPTION 4
#define OAKLEY_GROUP_TYPE 5
#define OAKLEY_GROUP_PRIME 6 /* B/V */
#define OAKLEY_GROUP_GENERATOR_ONE 7 /* B/V */
#define OAKLEY_GROUP_GENERATOR_TWO 8 /* B/V */
#define OAKLEY_GROUP_CURVE_A 9 /* B/V */
#define OAKLEY_GROUP_CURVE_B 10 /* B/V */
#define OAKLEY_LIFE_TYPE 11
#define OAKLEY_LIFE_DURATION 12 /* B/V */
#define OAKLEY_PRF 13
#define OAKLEY_KEY_LENGTH 14
#define OAKLEY_FIELD_SIZE 15
#define OAKLEY_GROUP_ORDER 16 /* B/V */
#define OAKLEY_BLOCK_SIZE 17
/* for each Oakley attribute, which enum_names describes its values?
 * Presumably indexed by attribute number; attributes without an enum
 * (the B/V numeric ones) would have a NULL entry -- check before use.
 */
extern enum_names *oakley_attr_val_descs[];
/* IPsec DOI attributes
* RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
extern enum_names ipsec_attr_names; /* printable names for the IPsec DOI attribute types below */
/* Attribute type numbers for the IPsec DOI (Quick Mode) transform payload,
 * RFC 2407 section 4.5.  "B/V" marks attributes that may be encoded in
 * basic or variable-length form.
 */
#define SA_LIFE_TYPE 1
#define SA_LIFE_DURATION 2 /* B/V */
#define GROUP_DESCRIPTION 3
#define ENCAPSULATION_MODE 4
#define AUTH_ALGORITHM 5
#define COMPRESS_DICT_SIZE 8
#define COMPRESS_PRIVATE_ALG 9 /* B/V */
/* for each IPsec attribute, which enum_names describes its values?
 * Presumably indexed by attribute number; entries for purely numeric
 * attributes may be NULL -- check before use.
 */
extern enum_names *ipsec_attr_val_descs[];
/* SA Lifetime Type attribute
* RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
* Default time specified in 4.5
*
* There are two defaults for IPSEC SA lifetime, SA_LIFE_DURATION_DEFAULT,
* and PLUTO_SA_LIFE_DURATION_DEFAULT.
* SA_LIFE_DURATION_DEFAULT is specified in RFC2407 "The Internet IP
* Security Domain of Interpretation for ISAKMP" 4.5. It applies when
* an ISAKMP negotiation does not explicitly specify a life duration.
* PLUTO_SA_LIFE_DURATION_DEFAULT is specified in pluto(8). It applies
* when a connection description does not specify --ipseclifetime.
* The value of SA_LIFE_DURATION_MAXIMUM is our local policy.
extern enum_names sa_lifetime_names; /* printable names for the SA_LIFE_TYPE_ values below */
#define SA_LIFE_TYPE_SECONDS 1 /* lifetime measured in seconds */
#define SA_LIFE_TYPE_KBYTES 2 /* lifetime measured in kilobytes of traffic */

#define SA_LIFE_DURATION_DEFAULT 28800 /* eight hours (RFC2407 4.5): used when the negotiation names no duration */
#define PLUTO_SA_LIFE_DURATION_DEFAULT 28800 /* eight hours (pluto(8)): used when --ipseclifetime is not given */
#define SA_LIFE_DURATION_MAXIMUM 86400 /* one day: local policy cap; whether a larger peer proposal is rejected or clamped is decided where it is checked */

/* Rekeying is scheduled MARGIN seconds before expiry, randomised by up to
 * FUZZ percent of the margin (so many SAs do not rekey in lock-step) and
 * attempted up to RETRIES times, presumably -- confirm in the code that
 * schedules EVENT_SA_REPLACE.
 */
#define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* (IPSEC & IKE) nine minutes */
#define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* (IPSEC & IKE) 100% of MARGIN */
#define SA_REPLACEMENT_RETRIES_DEFAULT 3 /* (IPSEC & IKE) */

/* Default kilobyte lifetime: 2^32-1 KB, i.e. effectively unlimited, so by
 * default an SA is replaced on elapsed time alone, not on traffic volume.
 */
#define SA_LIFE_DURATION_K_DEFAULT 0xFFFFFFFFlu
/* Encapsulation Mode attribute */

extern enum_names enc_mode_names; /* printable names for the ENCAPSULATION_MODE_ values */

#define ENCAPSULATION_MODE_UNSPECIFIED 0 /* not legal -- used internally */
#define ENCAPSULATION_MODE_TUNNEL 1
#define ENCAPSULATION_MODE_TRANSPORT 2

/* UDP-encapsulated (NAT-T) modes.  The _DRAFTS values are the private-use
 * numbers from the early NAT-T drafts; the _RFC values are the ones
 * assigned by RFC 3947.  Both must be recognised for interoperability.
 * NOTE(review): the four macros below are defined twice with identical
 * values.  An identical redefinition is legal C and harmless, but if a
 * conditional once separated the two copies it is not visible here;
 * otherwise the second copy should be dropped.
 */
#define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
#define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
#define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
#define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC 4
#define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
#define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
#define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
#define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC 4
/* Auth Algorithm attribute */

extern enum_names auth_alg_names, extended_auth_alg_names; /* printable names for the values below (the extended table presumably covers the later assignments) */

/* Integrity algorithm values for the AUTH_ALGORITHM IPsec DOI attribute
 * (RFC 2407 4.5 defines 1-4; 5-8 are later IANA assignments).
 * NOTE(review): HMAC_MD5, DES_MAC and KPDK are weak or legacy; whether they
 * are actually negotiable is decided by the proposal code, not here.
 */
#define AUTH_ALGORITHM_NONE 0 /* our private designation */
#define AUTH_ALGORITHM_HMAC_MD5 1
#define AUTH_ALGORITHM_HMAC_SHA1 2
#define AUTH_ALGORITHM_DES_MAC 3
#define AUTH_ALGORITHM_KPDK 4
#define AUTH_ALGORITHM_HMAC_SHA2_256 5
#define AUTH_ALGORITHM_HMAC_SHA2_384 6
#define AUTH_ALGORITHM_HMAC_SHA2_512 7
#define AUTH_ALGORITHM_HMAC_RIPEMD 8
/* Oakley Lifetime Type attribute
* draft-ietf-ipsec-ike-01.txt appendix A
* As far as I can see, there is no specification for
* OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT. This could lead to interop problems!
* For no particular reason, we chose one hour.
* The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
extern enum_names oakley_lifetime_names; /* printable names for the OAKLEY_LIFE_ values below */
#define OAKLEY_LIFE_SECONDS 1 /* ISAKMP SA lifetime measured in seconds */
#define OAKLEY_LIFE_KILOBYTES 2 /* ISAKMP SA lifetime measured in kilobytes */

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600 /* one hour: our own choice, no spec value (see note above) */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* 1 day: local policy cap on the ISAKMP SA lifetime */
PUBKEY_DNSONDEMAND = 2, /* fetch the peer's public key from DNS when needed; its trustworthiness is then bounded by the dns_auth_level of the answer (see below) */
PUBKEY_PREEXCHANGED = LOOSE_ENUM_OTHER, /* key supplied out of band (in the configuration), presumably */
/* values for right=/left= */
KH_IPADDR = LOOSE_ENUM_OTHER, /* a literal IP address: the catch-all value of this loose enum, presumably */
/* socket address family info */
u_int8_t id_addr, id_subnet, id_range; /* ISAKMP ID types for a single address, a subnet and a range in this family, presumably */
const ip_address *any; /* the family's unspecified/any address */
const ip_subnet *none; /* 0.0.0.0/32 or IPv6 equivalent: the single unspecified address, used as "no subnet" */
const ip_subnet *all; /* 0.0.0.0/0 or IPv6 equivalent: matches every address */
extern const struct af_info
/* look up the af_info for an address family; presumably returns NULL for an
 * unsupported family -- check before dereferencing */
extern const struct af_info *aftoinfo(int af);

extern enum_names af_names; /* printable names for address families */
/* True if subnet sn is a single host and that host is address a, presumably.
 * NOTE(review): function-like macro that evaluates sn twice -- do not pass
 * an expression with side effects.
 */
#define subnetisaddr(sn, a) (subnetishost(sn) && addrinsubnet((a), (sn)))
extern bool subnetisnone(const ip_subnet *sn); /* true for the family's "none" subnet (see struct af_info) */
/* BIND enumerated types */

/* How authenticated is info that might have come from DNS?
* In order of increasing confidence.
/* Ordered by increasing confidence; callers presumably compare levels, so
 * keep the order.  Only DAL_SIGNED (a validated answer) and DAL_LOCAL carry
 * any assurance -- the first two mean the answer could have been spoofed.
 * Whatever consumes DNS-sourced keys or gateways should require at least
 * DAL_SIGNED; confirm at the consumer.
 */
enum dns_auth_level {
DAL_UNSIGNED, /* AD in response, but no signature: no authentication */
DAL_NOTSEC, /* no AD in response: authentication impossible */
DAL_SIGNED, /* AD and signature in response: authentic */
DAL_LOCAL /* locally provided (pretty good) */
* define a macro for use in error messages
#define RRNAME "TXT or KEY" /* the DNS record types consulted, for use in error messages */
* private key types for keys.h
/* Kinds of private key known to keys.h.  DSS was never implemented. */
enum PrivateKeyKind {
/* PPK_DSS, */ /* not implemented */
extern enum_names ppk_names; /* printable names for enum PrivateKeyKind */
/* NAT traversal types */
extern const char *const natt_type_bitnames[]; /* one name per NAT-traversal type bit, presumably indexed by bit number */