On Sun, Feb 16, 2020 at 12:23:40AM +0100, Klemens Nanni wrote:
> On Sat, Feb 15, 2020 at 10:30:52PM +0000, Jason McIntyre wrote:
> > from a practical point of view, is there a reason to say when expansion
> > happens? by this i mean, what (if any) difference does it have for the
> > user - they will specify this in the conf file anyway, no?
> Macros are expanded by the parser at parse time, whereas variables are
> read as ordinary strings and left unmodified; hence, quoted `"$domain"'
> gets passed to the daemon as is, which substitutes proper values before
> passing it to the kernel. `$domain' without quotes never makes it to
> the daemon, that is with `domain = foo' somewhere else "foo" is being
> eventually passed unmodified to the kernel.
>
> Macro:
>
> $ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -vnf- | grep PF-Tag
> stdin: 1: macro 'domain' not defined
> stdin: 1: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
> $ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=foo force
>
> Variable:
>
> $ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=$domain force
> $ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=$domain force
>
> > if it doesn't have to be said, we could knock out the whole runtime
> > sentence.
> >
> > if it does have to be said (i realise i may be overlooking something
> > obvious here) could we be smarter about making the text shorter?
> It briefly outlines the above mentioned, so I'd like to retain it.
>
> Strictly speaking, it must only be quoted if the tag string _starts_
> with a dollar sign, but that is parser specific and I explicitly want
> to advise general quoting of variables:
>
> $ echo 'ike esp from ::1 to ::2 tag ipsec-$domain' | ipsecctl -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=ipsec-$domain force
>
> > The variable expansion for the
> > .Ar tag
> > directive only occurs at runtime (not when the file is parsed)
> > and must be quoted, or it will be interpreted as a macro.
> That reads fine, I incorporated your wording, thanks.
>
> OK?
>
yep, ok by me. jmc > > Index: sbin/iked/iked.conf.5 > =================================================================== > RCS file: /cvs/src/sbin/iked/iked.conf.5,v > retrieving revision 1.61 > diff -u -p -r1.61 iked.conf.5 > --- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61 > +++ sbin/iked/iked.conf.5 15 Feb 2020 23:19:20 -0000 > @@ -64,7 +64,7 @@ for more information about manual keying > is divided into three main sections: > .Bl -tag -width xxxx > .It Sy Macros > -User-defined variables may be defined and used later, simplifying the > +User-defined macros may be defined and used later, simplifying the > configuration file. > .It Sy Global Configuration > Global settings for > @@ -643,7 +643,8 @@ expands to > .Dq ipsec-example.com . > The variable expansion for the > .Ar tag > -directive occurs only at runtime, not during configuration file parse time. > +directive occurs only at runtime (not when the file is parsed) > +and must be quoted, or it will be interpreted as a macro. > .It Ic tap Ar interface > Send the decapsulated IPsec traffic to the specified > .Xr enc 4 @@ -766,7 +767,7 @@ configuration and also sets an alternati > device: > .Bd -literal -offset indent > ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e > - tag ipsec-$domain tap "enc1" > + tag "ipsec-$domain" tap "enc1" > .Ed > .Sh OUTGOING NETWORK ADDRESS TRANSLATION > In some network topologies it is desirable to perform NAT on traffic leaving > Index: sbin/ipsecctl/ipsec.conf.5 > =================================================================== > RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v > retrieving revision 1.158 > diff -u -p -r1.158 ipsec.conf.5 > --- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158 > +++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 23:19:43 -0000 
> @@ -466,7 +466,8 @@ expands to > .Dq ipsec-bar.org . > The variable expansion for the > .Ar tag > -directive occurs only at runtime, not during configuration file parse time. > +directive occurs only at runtime (not when the file is parsed) > +and must be quoted, or it will be interpreted as a macro. > .El > .Sh PACKET FILTERING > IPsec traffic appears unencrypted on the > @@ -575,7 +576,7 @@ The tags will be assigned by the followi > example: > .Bd -literal -offset indent > ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e > - tag ipsec-$domain > + tag "ipsec-$domain" > .Ed > .Sh OUTGOING NETWORK ADDRESS TRANSLATION > In some network topologies it is desirable to perform NAT on traffic leaving >
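Review bot: the added sentence in the iked.conf.5 hunk at @@ -643 ("and must be quoted, or it will be interpreted as a macro") states an absolute that the thread's own output contradicts: unquoted `tag ipsec-$domain` produced `PF-Tag=ipsec-$domain`, so only a tag string that starts with `$` is taken as a macro reference. If the intent is to recommend quoting in general, "should be quoted" (or "must be quoted when the tag begins with a variable") would be accurate, and it is worth naming the two failure modes shown earlier in the thread: an undefined macro is a syntax error, whereas a macro that happens to be defined elsewhere silently turns the tag into a fixed string that never carries the runtime value.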
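Review bot: the ipsec.conf.5 hunk at @@ -466 carries the same "must be quoted, or it will be interpreted as a macro" wording as iked.conf.5 @@ -643 and has the same overstatement for tags such as `ipsec-$domain` that do not start with `$`; whichever wording is settled on, keep the two manual pages in sync, and the quoted examples in the @@ -575 and @@ -766 hunks already match the recommended form.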
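The distinction Klemens describes (parse-time macro `$name` versus runtime variable `"$name"` in a `tag` directive) lends itself to a configuration check. The following is an added example, not code from the thread or from OpenBSD: a small linter over iked.conf/ipsec.conf text that flags unquoted `$name` in `tag` arguments and says whether the reference would be a syntax error (macro undefined) or a silent fixed-string substitution (macro defined). The sample configuration is constructed for the example.

```python
import re

# Constructed sample, modelled on the manual page examples in the thread.
SAMPLE_CONF = """\
domain = "foo"
ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \\
    tag ipsec-$domain
ike esp from 10.1.1.0/24 to 10.1.3.0/24 peer 192.168.3.3 \\
    tag "ipsec-$domain"
ike esp from ::1 to ::2 tag $remote
"""

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')
# 'tag' followed by a double-quoted string (group 2) or a bare token (group 3)
TAG_ARG = re.compile(r'\btag\s+("([^"]*)"|(\S+))')


def join_continuations(text):
    """Join backslash-continued lines the way the config parser sees them."""
    return text.replace("\\\n", " ")


def check_tags(conf):
    """Return (logical_line, macro_name, kind) for unquoted $name in tag arguments.

    kind is "defined-macro" when a macro of that name is defined earlier in the
    file (the tag silently becomes a fixed string at parse time) and
    "undefined-macro" when it is not (ipsecctl reports a syntax error).
    Quoted "$name" is passed to the daemon verbatim and is not reported.
    """
    macros = {}
    findings = []
    for lineno, line in enumerate(join_continuations(conf).splitlines(), 1):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        t = TAG_ARG.search(line)
        if not t or t.group(3) is None:
            continue  # no tag directive, or a quoted runtime variable
        for name in re.findall(r'\$(\w+)', t.group(3)):
            kind = "defined-macro" if name in macros else "undefined-macro"
            findings.append((lineno, name, kind))
    return findings


if __name__ == "__main__":
    for lineno, name, kind in check_tags(SAMPLE_CONF):
        print("line %d: unquoted $%s in tag argument (%s)" % (lineno, name, kind))
```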
