On Sat, Feb 15, 2020 at 09:57:51PM +0000, Jason McIntyre wrote:
> for the reader, it's hard to know if the text ipsec-$domain is
> quoted because we are emphasising it (as we subsequently do for
> ipsec-example.com) or because the actual quotes are required.
>
> your mail states something that the document doesn't:
>
> Otherwise it will be evaluated as macro during config parsing;

Good point, I stated the quoting requirement and renamed "variable" to
"macro" in the Macros section for the sake of clarity.

OK? Index: sbin/iked/iked.conf.5 =================================================================== RCS file: /cvs/src/sbin/iked/iked.conf.5,v retrieving revision 1.61 diff -u -p -r1.61 iked.conf.5 --- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61 +++ sbin/iked/iked.conf.5 15 Feb 2020 22:14:15 -0000 @@ -64,7 +64,7 @@ for more information about manual keying is divided into three main sections: .Bl -tag -width xxxx .It Sy Macros -User-defined variables may be defined and used later, simplifying the +User-defined macros may be defined and used later, simplifying the configuration file. .It Sy Global Configuration Global settings for @@ -644,6 +644,7 @@ expands to The variable expansion for the .Ar tag directive occurs only at runtime, not during configuration file parse time. +Strings with variables must be quoted, otherwise they are interpreted as macros. .It Ic tap Ar interface Send the decapsulated IPsec traffic to the specified .Xr enc 4 @@ -766,7 +767,7 @@ configuration and also sets an alternati device: .Bd -literal -offset indent ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e - tag ipsec-$domain tap "enc1" + tag "ipsec-$domain" tap "enc1" .Ed .Sh OUTGOING NETWORK ADDRESS TRANSLATION In some network topologies it is desirable to perform NAT on traffic leaving Index: sbin/ipsecctl/ipsec.conf.5 =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v retrieving revision 1.158 diff -u -p -r1.158 ipsec.conf.5 --- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158 +++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 22:14:14 -0000 @@ -467,6 +467,7 @@ expands to The variable expansion for the .Ar tag directive occurs only at runtime, not during configuration file parse time. +Strings with variables must be quoted, otherwise they are interpreted as macros. .El .Sh PACKET FILTERING IPsec traffic appears unencrypted on the 
@@ -575,7 +576,7 @@ The tags will be assigned by the followi example: .Bd -literal -offset indent ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e - tag ipsec-$domain + tag "ipsec-$domain" .Ed .Sh OUTGOING NETWORK ADDRESS TRANSLATION In some network topologies it is desirable to perform NAT on traffic leaving
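
Review bot: In the line added after "occurs only at runtime, not during configuration file parse time." (iked.conf.5 @@ -644, and the identical line in ipsec.conf.5 @@ -467), "interpreted as macros" does not say when or by what, and the sentence is a comma splice. Tie it to the parse-time versus runtime distinction that the preceding sentence draws, for example: "Strings containing variables must be enclosed in double quotes; otherwise the parser attempts to expand them as macros when the configuration file is read." The corrected examples in the later hunks (tag "ipsec-$domain") then illustrate exactly that rule.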
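
Review bot: In the Macros item of iked.conf.5 (@@ -64), "User-defined macros may be defined" is redundant after the rename; "Macros may be defined and used later, simplifying the configuration file." reads better. The rename is applied only to iked.conf.5 in this diff, while both pages gain the sentence that contrasts variables with macros, so it is worth checking whether ipsec.conf.5 still describes its macros as "variables" and updating it in the same commit.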
