On Sat, Feb 15, 2020 at 10:30:52PM +0000, Jason McIntyre wrote:
> from a practical point of view, is there a reason to say when expansion
> happens? by this i mean, what (if any) difference does it have for the
> user - they will specify this in the conf file anyway, no?
Macros are expanded by the parser at parse time, whereas variables are
read as ordinary strings and left unmodified; hence, quoted `"$domain"'
gets passed to the daemon as is, which substitutes proper values before
passing it to the kernel. `$domain' without quotes never makes it to
the daemon, that is with `domain = foo' somewhere else "foo" is being
eventually passed unmodified to the kernel.
Macro:
$ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -vnf- | grep PF-Tag
stdin: 1: macro 'domain' not defined
stdin: 1: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
$ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
C set [from-::1-to-::2]:PF-Tag=foo force
Variable:
$ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -vnf- | grep PF-Tag
C set [from-::1-to-::2]:PF-Tag=$domain force
$ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
C set [from-::1-to-::2]:PF-Tag=$domain force
> if it doesn't have to be said, we could knock out the whole runtime
> sentence.
>
> if it does have to be said (i realise i may be overlooking something
> obvious here) could we be smarter about making the text shorter?
It briefly outlines the above mentioned, so I'd like to retain it.
Strictly speaking, it must only be quoted if the tag string _starts_
with a dollar sign, but that is parser specific and I explicitly want
to advise general quoting of variables:
$ echo 'ike esp from ::1 to ::2 tag ipsec-$domain' | ipsecctl -vnf- | grep PF-Tag
C set [from-::1-to-::2]:PF-Tag=ipsec-$domain force
> The variable expansion for the
> .Ar tag
> directive only occurs at runtime (not when the file is parsed)
> and must be quoted, or it will be interpreted as a macro.
That reads fine, I incorporated your wording, thanks.
OK?
Index: sbin/iked/iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.61
diff -u -p -r1.61 iked.conf.5
--- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
+++ sbin/iked/iked.conf.5 15 Feb 2020 23:19:20 -0000
@@ -64,7 +64,7 @@ for more information about manual keying
is divided into three main sections:
.Bl -tag -width xxxx
.It Sy Macros
-User-defined variables may be defined and used later, simplifying the
+User-defined macros may be defined and used later, simplifying the
configuration file.
.It Sy Global Configuration
Global settings for
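Review bot: "User-defined macros may be defined and used later" in the + line is redundant ("user-defined" and "may be defined" say the same thing), and the sentence already sits under the Macros heading. "Macros may be defined and used later, simplifying the configuration file." reads better and keeps the intended variable/macro distinction.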
@@ -643,7 +643,8 @@ expands to
.Dq ipsec-example.com .
The variable expansion for the
.Ar tag
-directive occurs only at runtime, not during configuration file parse time.
+directive occurs only at runtime (not when the file is parsed)
+and must be quoted, or it will be interpreted as a macro.
.It Ic tap Ar interface
Send the decapsulated IPsec traffic to the specified
.Xr enc 4 @@ -766,7 +767,7 @@ configuration and also sets an alternati
device:
.Bd -literal -offset indent
ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain tap "enc1"
+ tag "ipsec-$domain" tap "enc1"
.Ed
.Sh OUTGOING NETWORK ADDRESS TRANSLATION
In some network topologies it is desirable to perform NAT on traffic leaving
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.158
diff -u -p -r1.158 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
+++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 23:19:43 -0000
@@ -466,7 +466,8 @@ expands to
.Dq ipsec-bar.org .
The variable expansion for the
.Ar tag
-directive occurs only at runtime, not during configuration file parse time.
+directive occurs only at runtime (not when the file is parsed)
+and must be quoted, or it will be interpreted as a macro.
.El
.Sh PACKET FILTERING
IPsec traffic appears unencrypted on the
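Review bot: in the two + lines the subject of "must be quoted" and the antecedent of "it" are unclear; read literally, "it" refers back to "the variable expansion", while what has to be quoted is the tag string and what would be taken for a macro is the $domain reference. Suggest "and the tag string must be quoted, or $domain will be interpreted as a macro and expanded when the file is parsed." The same sentence is added to iked.conf.5 in the hunk above, so whichever wording is chosen should be applied to both files.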
@@ -575,7 +576,7 @@ The tags will be assigned by the followi
example:
.Bd -literal -offset indent
ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain
+ tag "ipsec-$domain"
.Ed
.Sh OUTGOING NETWORK ADDRESS TRANSLATION
In some network topologies it is desirable to perform NAT on traffic leaving
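As an added illustration of the parse-time versus runtime split discussed in this thread (this is not ipsecctl or iked code, and it deliberately simplifies their lexer): a bare $name is looked up in the -D definitions while parsing and fails if undefined, a quoted "$name" survives parsing unchanged and is only substituted by the daemon, and a bare token that merely contains a dollar sign, such as ipsec-$domain, passes through as-is. The runtime variable values are hypothetical.

```python
import re

# Constructed model of the macro-vs-variable distinction: a bare $name is a
# parse-time macro reference, a quoted "$name" is an ordinary string that the
# daemon substitutes at runtime.  Simplified; not the real ipsecctl/iked lexer.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split a rule into (text, was_quoted) pairs; double quotes group words."""
    tokens = []
    for m in TOKEN_RE.finditer(line):
        quoted, bare = m.group(1), m.group(2)
        tokens.append((bare, False) if quoted is None else (quoted, True))
    return tokens


def parse_tag(rule, macros):
    """Return the tag string the parser would hand to the daemon.

    `macros` plays the role of -Dname=value definitions.  Raises ValueError,
    as the parser does, when a bare $name refers to an undefined macro.
    """
    tokens = tokenize(rule)
    words = [text for text, _ in tokens]
    if 'tag' not in words:
        return None
    value, was_quoted = tokens[words.index('tag') + 1]
    # Only a bare token that *starts* with '$' is a macro reference;
    # unquoted ipsec-$domain and anything quoted pass through unchanged.
    if not was_quoted and value.startswith('$'):
        name = value[1:]
        if name not in macros:
            raise ValueError(f"macro '{name}' not defined")
        return macros[name]
    return value


def runtime_expand(tag, variables):
    """Daemon-side substitution of $name variables (hypothetical values)."""
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), tag)


if __name__ == '__main__':
    rule = 'ike esp from ::1 to ::2 tag "ipsec-$domain"'
    tag = parse_tag(rule, {})  # '$domain' survives parsing because it is quoted
    print(runtime_expand(tag, {'domain': 'example.com'}))  # ipsec-example.com
```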