iked.conf.5, ipsec.conf.5: Quote $domain in tag string


iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Klemens Nanni-2
Otherwise it will be evaluated as a macro during config parsing; `$domain`
is a special value that is being replaced much later at runtime.

iked.conf's EXAMPLES already quotes it.

OK?

Index: ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.158
diff -u -p -r1.158 ipsec.conf.5
--- ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
+++ ipsec.conf.5 15 Feb 2020 21:29:51 -0000
@@ -575,7 +575,7 @@ The tags will be assigned by the followi
 example:
 .Bd -literal -offset indent
 ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain
+ tag "ipsec-$domain"
 .Ed
 .Sh OUTGOING NETWORK ADDRESS TRANSLATION
 In some network topologies it is desirable to perform NAT on traffic leaving
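Review bot: quoting the example is right, but the `tag` description in the same page (the paragraph ending "The variable expansion for the tag directive occurs only at runtime, not during configuration file parse time") still shows "ipsec-$domain" without saying that the quotes are syntactically required, so a reader can take them for emphasis; consider adding a sentence there stating that the tag string must be quoted. The same applies to the iked.conf.5 hunk below.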
Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.61
diff -u -p -r1.61 iked.conf.5
--- iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
+++ iked.conf.5 15 Feb 2020 21:34:19 -0000
@@ -766,7 +766,7 @@ configuration and also sets an alternati
 device:
 .Bd -literal -offset indent
 ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain tap "enc1"
+ tag "ipsec-$domain" tap "enc1"
 .Ed
 .Sh OUTGOING NETWORK ADDRESS TRANSLATION
 In some network topologies it is desirable to perform NAT on traffic leaving


Re: iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Tobias Heider-2
On Sat, Feb 15, 2020 at 10:38:08PM +0100, Klemens Nanni wrote:
> Otherwise it will be evaluated as a macro during config parsing; `$domain`
> is a special value that is being replaced much later at runtime.
>
> iked.conf's EXAMPLES already quotes it.
>
> OK?

ok tobhe@


Re: iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Jason McIntyre-2
On Sat, Feb 15, 2020 at 10:38:08PM +0100, Klemens Nanni wrote:
> Otherwise it will be evaluated as a macro during config parsing; `$domain`
> is a special value that is being replaced much later at runtime.
>
> iked.conf's EXAMPLES already quotes it.
>
> OK?
>

hi.

maybe the tag sections of these pages should say explicitly that they
need to be quoted? the current text is ambiguous:

               For example, if the ID is FQDN/foo.example.com or
               UFQDN/[hidden email], "ipsec-$domain" expands to
               "ipsec-example.com".  The variable expansion for the
               tag directive occurs only at runtime, not during
               configuration file parse time.

for the reader, it's hard to know if the text ipsec-$domain is
quoted because we are emphasising it (as we subsequently do for
ipsec-example.com) or because the actual quotes are required.

your mail states something that the document doesn't:

        Otherwise it will be evaluated as a macro during config parsing;

jmc

> Index: ipsec.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.158
> diff -u -p -r1.158 ipsec.conf.5
> --- ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
> +++ ipsec.conf.5 15 Feb 2020 21:29:51 -0000
> @@ -575,7 +575,7 @@ The tags will be assigned by the followi
>  example:
>  .Bd -literal -offset indent
>  ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
> - tag ipsec-$domain
> + tag "ipsec-$domain"
>  .Ed
>  .Sh OUTGOING NETWORK ADDRESS TRANSLATION
>  In some network topologies it is desirable to perform NAT on traffic leaving
> Index: iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.61
> diff -u -p -r1.61 iked.conf.5
> --- iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
> +++ iked.conf.5 15 Feb 2020 21:34:19 -0000
> @@ -766,7 +766,7 @@ configuration and also sets an alternati
>  device:
>  .Bd -literal -offset indent
>  ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
> - tag ipsec-$domain tap "enc1"
> + tag "ipsec-$domain" tap "enc1"
>  .Ed
>  .Sh OUTGOING NETWORK ADDRESS TRANSLATION
>  In some network topologies it is desirable to perform NAT on traffic leaving
>


Re: iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Klemens Nanni-2
On Sat, Feb 15, 2020 at 09:57:51PM +0000, Jason McIntyre wrote:
> for the reader, it's hard to know if the text ipsec-$domain is
> quoted because we are emphasising it (as we subsequently do for
> ipsec-example.com) or because the actual quotes are required.
>
> your mail states something that the document doesn't:
>
> Otherwise it will be evaluated as a macro during config parsing;
Good point, I stated the quoting requirement and renamed "variable" to
"macro" in the Macros section for the sake of clarity.

OK?


Index: sbin/iked/iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.61
diff -u -p -r1.61 iked.conf.5
--- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
+++ sbin/iked/iked.conf.5 15 Feb 2020 22:14:15 -0000
@@ -64,7 +64,7 @@ for more information about manual keying
 is divided into three main sections:
 .Bl -tag -width xxxx
 .It Sy Macros
-User-defined variables may be defined and used later, simplifying the
+User-defined macros may be defined and used later, simplifying the
 configuration file.
 .It Sy Global Configuration
 Global settings for
@@ -644,6 +644,7 @@ expands to
 The variable expansion for the
 .Ar tag
 directive occurs only at runtime, not during configuration file parse time.
+Strings with variables must be quoted, otherwise they are interpreted as macros.
 .It Ic tap Ar interface
 Send the decapsulated IPsec traffic to the specified
 .Xr enc 4
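Review bot: "Strings with variables must be quoted, otherwise they are interpreted as macros" is stricter than the parser's behaviour as demonstrated later in this thread (only a bare token that begins with `$` is looked up as a macro; an unquoted `ipsec-$domain` passes through), so the sentence states a hard rule where it is really advice; consider "should be quoted" or naming the dollar-sign condition. The same line is added to ipsec.conf.5 below.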
@@ -766,7 +767,7 @@ configuration and also sets an alternati
 device:
 .Bd -literal -offset indent
 ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain tap "enc1"
+ tag "ipsec-$domain" tap "enc1"
 .Ed
 .Sh OUTGOING NETWORK ADDRESS TRANSLATION
 In some network topologies it is desirable to perform NAT on traffic leaving
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.158
diff -u -p -r1.158 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
+++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 22:14:14 -0000
@@ -467,6 +467,7 @@ expands to
 The variable expansion for the
 .Ar tag
 directive occurs only at runtime, not during configuration file parse time.
+Strings with variables must be quoted, otherwise they are interpreted as macros.
 .El
 .Sh PACKET FILTERING
 IPsec traffic appears unencrypted on the
@@ -575,7 +576,7 @@ The tags will be assigned by the followi
 example:
 .Bd -literal -offset indent
 ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain
+ tag "ipsec-$domain"
 .Ed
 .Sh OUTGOING NETWORK ADDRESS TRANSLATION
 In some network topologies it is desirable to perform NAT on traffic leaving


Re: iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Jason McIntyre-2
On Sat, Feb 15, 2020 at 11:17:36PM +0100, Klemens Nanni wrote:

> On Sat, Feb 15, 2020 at 09:57:51PM +0000, Jason McIntyre wrote:
> > for the reader, it's hard to know if the text ipsec-$domain is
> > quoted because we are emphasising it (as we subsequently do for
> > ipsec-example.com) or because the actual quotes are required.
> >
> > your mail states something that the document doesn't:
> >
> > Otherwise it will be evaluated as a macro during config parsing;
> Good point, I stated the quoting requirement and renamed "variable" to
> "macro" in the Macros section for the sake of clarity.
>
> OK?
>
>
> Index: sbin/iked/iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.61
> diff -u -p -r1.61 iked.conf.5
> --- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
> +++ sbin/iked/iked.conf.5 15 Feb 2020 22:14:15 -0000
> @@ -64,7 +64,7 @@ for more information about manual keying
>  is divided into three main sections:
>  .Bl -tag -width xxxx
>  .It Sy Macros
> -User-defined variables may be defined and used later, simplifying the
> +User-defined macros may be defined and used later, simplifying the
>  configuration file.
>  .It Sy Global Configuration
>  Global settings for
> @@ -644,6 +644,7 @@ expands to
>  The variable expansion for the
>  .Ar tag
>  directive occurs only at runtime, not during configuration file parse time.
> +Strings with variables must be quoted, otherwise they are interpreted as macros.

from a practical point of view, is there a reason to say when expansion
happens? by this i mean, what (if any) difference does it have for the
user - they will specify this in the conf file anyway, no?

if it doesn't have to be said, we could knock out the whole runtime
sentence.

if it does have to be said (i realise i may be overlooking something
obvious here) could we be smarter about making the text shorter?

        The variable expansion for the
        .Ar tag
        directive only occurs at runtime (not when the file is parsed)
        and must be quoted, or it will be interpreted as a macro.

jmc

>  .It Ic tap Ar interface
>  Send the decapsulated IPsec traffic to the specified
>  .Xr enc 4
> @@ -766,7 +767,7 @@ configuration and also sets an alternati
>  device:
>  .Bd -literal -offset indent
>  ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
> - tag ipsec-$domain tap "enc1"
> + tag "ipsec-$domain" tap "enc1"
>  .Ed
>  .Sh OUTGOING NETWORK ADDRESS TRANSLATION
>  In some network topologies it is desirable to perform NAT on traffic leaving
> Index: sbin/ipsecctl/ipsec.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.158
> diff -u -p -r1.158 ipsec.conf.5
> --- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
> +++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 22:14:14 -0000
> @@ -467,6 +467,7 @@ expands to
>  The variable expansion for the
>  .Ar tag
>  directive occurs only at runtime, not during configuration file parse time.
> +Strings with variables must be quoted, otherwise they are interpreted as macros.
>  .El
>  .Sh PACKET FILTERING
>  IPsec traffic appears unencrypted on the
> @@ -575,7 +576,7 @@ The tags will be assigned by the followi
>  example:
>  .Bd -literal -offset indent
>  ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
> - tag ipsec-$domain
> + tag "ipsec-$domain"
>  .Ed
>  .Sh OUTGOING NETWORK ADDRESS TRANSLATION
>  In some network topologies it is desirable to perform NAT on traffic leaving
>


Re: iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Klemens Nanni-2
On Sat, Feb 15, 2020 at 10:30:52PM +0000, Jason McIntyre wrote:
> from a practical point of view, is there a reason to say when expansion
> happens? by this i mean, what (if any) difference does it have for the
> user - they will specify this in the conf file anyway, no?
Macros are expanded by the parser at parse time, whereas variables are
read as ordinary strings and left unmodified;  hence, quoted `"$domain"'
gets passed to the daemon as is, which substitutes proper values before
passing it to the kernel.  `$domain' without quotes never makes it to
the daemon, that is with `domain = foo' somewhere else "foo" is being
eventually passed unmodified to the kernel.

Macro:

        $ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -vnf- | grep PF-Tag  
        stdin: 1: macro 'domain' not defined
        stdin: 1: syntax error
        ipsecctl: Syntax error in config file: ipsec rules not loaded
        $ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
        C set [from-::1-to-::2]:PF-Tag=foo force

Variable:

        $ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -vnf- | grep PF-Tag
        C set [from-::1-to-::2]:PF-Tag=$domain force
        $ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
        C set [from-::1-to-::2]:PF-Tag=$domain force


> if it doesn't have to be said, we could knock out the whole runtime
> sentence.
>
> if it does have to be said (i realise i may be overlooking something
> obvious here) could we be smarter about making the text shorter?
It briefly outlines the above mentioned, so I'd like to retain it.

Strictly speaking, it must only be quoted if the tag string _starts_
with a dollar sign, but that is parser specific and I explicitly want
to advise general quoting of variables:

        $ echo 'ike esp from ::1 to ::2 tag ipsec-$domain' | ipsecctl -vnf- | grep PF-Tag            
        C set [from-::1-to-::2]:PF-Tag=ipsec-$domain force

> The variable expansion for the
> .Ar tag
> directive only occurs at runtime (not when the file is parsed)
> and must be quoted, or it will be interpreted as a macro.
That reads fine, I incorporated your wording, thanks.

OK?


Index: sbin/iked/iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.61
diff -u -p -r1.61 iked.conf.5
--- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
+++ sbin/iked/iked.conf.5 15 Feb 2020 23:19:20 -0000
@@ -64,7 +64,7 @@ for more information about manual keying
 is divided into three main sections:
 .Bl -tag -width xxxx
 .It Sy Macros
-User-defined variables may be defined and used later, simplifying the
+User-defined macros may be defined and used later, simplifying the
 configuration file.
 .It Sy Global Configuration
 Global settings for
@@ -643,7 +643,8 @@ expands to
 .Dq ipsec-example.com .
 The variable expansion for the
 .Ar tag
-directive occurs only at runtime, not during configuration file parse time.
+directive occurs only at runtime (not when the file is parsed)
+and must be quoted, or it will be interpreted as a macro.
 .It Ic tap Ar interface
 Send the decapsulated IPsec traffic to the specified
 .Xr enc 4 @@ -766,7 +767,7 @@ configuration and also sets an alternati
 device:
 .Bd -literal -offset indent
 ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain tap "enc1"
+ tag "ipsec-$domain" tap "enc1"
 .Ed
 .Sh OUTGOING NETWORK ADDRESS TRANSLATION
 In some network topologies it is desirable to perform NAT on traffic leaving
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.158
diff -u -p -r1.158 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
+++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 23:19:43 -0000
@@ -466,7 +466,8 @@ expands to
 .Dq ipsec-bar.org .
 The variable expansion for the
 .Ar tag
-directive occurs only at runtime, not during configuration file parse time.
+directive occurs only at runtime (not when the file is parsed)
+and must be quoted, or it will be interpreted as a macro.
 .El
 .Sh PACKET FILTERING
 IPsec traffic appears unencrypted on the
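Review bot: the subject of the new sentence is "The variable expansion", so "and must be quoted" now says that the expansion must be quoted rather than the tag string; suggest giving the second clause its own subject, e.g. "directive occurs only at runtime (not when the file is parsed); the string must be quoted, or it will be interpreted as a macro." The iked.conf.5 hunk above has the same wording.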
@@ -575,7 +576,7 @@ The tags will be assigned by the followi
 example:
 .Bd -literal -offset indent
 ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
- tag ipsec-$domain
+ tag "ipsec-$domain"
 .Ed
 .Sh OUTGOING NETWORK ADDRESS TRANSLATION
 In some network topologies it is desirable to perform NAT on traffic leaving
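To make the parse-time/runtime split from the transcript above concrete, here is an added model (my code, not ipsecctl's or iked's) of the behaviour it shows: a bare token beginning with `$` is resolved as a macro while parsing, a quoted string reaches the daemon untouched, and only a separate runtime step substitutes `$domain`. It assumes `-D` macros are passed as a dict, uses `from`/`to` only to reproduce the `C set [...]` line, and derives the domain the way the manual page's FQDN/UFQDN example describes, which is a guess at the documented result, not iked's actual code.

```python
import re

# A bare token that starts with `$` is a macro reference, resolved while
# parsing; any text after the name is kept, so `$domain-x` becomes `<value>-x`.
MACRO_PREFIX = re.compile(r"^\$([A-Za-z_][A-Za-z0-9_]*)")
# A double-quoted run is one token; everything else splits on whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


class ConfigError(ValueError):
    """Where ipsecctl would report a syntax error and load no rules."""


def tokenize(line):
    """Return (text, quoted) pairs, quotes stripped from quoted runs."""
    return [(m.group(1), True) if m.group(1) is not None else (m.group(2), False)
            for m in TOKEN.finditer(line)]


def parse_rule(line, macros=None):
    """Parse-time pass: macros (`-D name=value` or `name = value`) are
    substituted into bare tokens only; quoted strings are kept verbatim."""
    macros = macros or {}
    words = []
    for text, quoted in tokenize(line):
        m = None if quoted else MACRO_PREFIX.match(text)
        if m:
            name = m.group(1)
            if name not in macros:
                raise ConfigError(f"macro '{name}' not defined")
            text = macros[name] + text[m.end():]
        words.append(text)
    rule = {}
    for key in ("from", "to", "tag"):
        if key in words:
            i = words.index(key) + 1
            if i >= len(words):
                raise ConfigError("syntax error")
            rule[key] = words[i]
    return rule


def ipsecctl_vn(line, macros=None):
    """The PF-Tag line `ipsecctl -vn` prints for a rule (constructed to match
    the thread's transcript), or the parse error that replaces it."""
    try:
        r = parse_rule(line, macros)
    except ConfigError as e:
        return f"stdin: 1: {e}"
    if "tag" not in r:
        return None
    return f"C set [from-{r['from']}-to-{r['to']}]:PF-Tag={r['tag']} force"


def daemon_expand(tag, peer_id):
    """Runtime step, modelled on the manual page's example (assumption, not
    iked's code): $domain is the FQDN minus its first label, or the part
    after '@' for a UFQDN; any other ID type leaves the tag alone."""
    kind, _, ident = peer_id.partition("/")
    if kind == "FQDN":
        domain = ident.partition(".")[2]
    elif kind == "UFQDN":
        domain = ident.partition("@")[2]
    else:
        return tag
    return tag.replace("$domain", domain)
```

Run the four transcript rules through `ipsecctl_vn` with and without `{"domain": "foo"}` to reproduce the outputs quoted above, then hand the surviving `$domain` tag to `daemon_expand`.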


Re: iked.conf.5, ipsec.conf.5: Quote $domain in tag string

Jason McIntyre-2
On Sun, Feb 16, 2020 at 12:23:40AM +0100, Klemens Nanni wrote:

> On Sat, Feb 15, 2020 at 10:30:52PM +0000, Jason McIntyre wrote:
> > from a practical point of view, is there a reason to say when expansion
> > happens? by this i mean, what (if any) difference does it have for the
> > user - they will specify this in the conf file anyway, no?
> Macros are expanded by the parser at parse time, whereas variables are
> read as ordinary strings and left unmodified;  hence, quoted `"$domain"'
> gets passed to the daemon as is, which substitutes proper values before
> passing it to the kernel.  `$domain' without quotes never makes it to
> the daemon, that is with `domain = foo' somewhere else "foo" is being
> eventually passed unmodified to the kernel.
>
> Macro:
>
> $ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -vnf- | grep PF-Tag  
> stdin: 1: macro 'domain' not defined
> stdin: 1: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
> $ echo 'ike esp from ::1 to ::2 tag $domain' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=foo force
>
> Variable:
>
> $ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=$domain force
> $ echo 'ike esp from ::1 to ::2 tag "$domain"' | ipsecctl -Ddomain=foo -vnf- | grep PF-Tag
> C set [from-::1-to-::2]:PF-Tag=$domain force
>
>
> > if it doesn't have to be said, we could knock out the whole runtime
> > sentence.
> >
> > if it does have to be said (i realise i may be overlooking something
> > obvious here) could we be smarter about making the text shorter?
> It briefly outlines the above mentioned, so I'd like to retain it.
>
> Strictly speaking, it must only be quoted if the tag string _starts_
> with a dollar sign, but that is parser specific and I explicitly want
> to advise general quoting of variables:
>
> $ echo 'ike esp from ::1 to ::2 tag ipsec-$domain' | ipsecctl -vnf- | grep PF-Tag            
> C set [from-::1-to-::2]:PF-Tag=ipsec-$domain force
>
> > The variable expansion for the
> > .Ar tag
> > directive only occurs at runtime (not when the file is parsed)
> > and must be quoted, or it will be interpreted as a macro.
> That reads fine, I incorporated your wording, thanks.
>
> OK?
>

yep, ok by me.
jmc

>
> Index: sbin/iked/iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.61
> diff -u -p -r1.61 iked.conf.5
> --- sbin/iked/iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61
> +++ sbin/iked/iked.conf.5 15 Feb 2020 23:19:20 -0000
> @@ -64,7 +64,7 @@ for more information about manual keying
>  is divided into three main sections:
>  .Bl -tag -width xxxx
>  .It Sy Macros
> -User-defined variables may be defined and used later, simplifying the
> +User-defined macros may be defined and used later, simplifying the
>  configuration file.
>  .It Sy Global Configuration
>  Global settings for
> @@ -643,7 +643,8 @@ expands to
>  .Dq ipsec-example.com .
>  The variable expansion for the
>  .Ar tag
> -directive occurs only at runtime, not during configuration file parse time.
> +directive occurs only at runtime (not when the file is parsed)
> +and must be quoted, or it will be interpreted as a macro.
>  .It Ic tap Ar interface
>  Send the decapsulated IPsec traffic to the specified
>  .Xr enc 4 @@ -766,7 +767,7 @@ configuration and also sets an alternati
>  device:
>  .Bd -literal -offset indent
>  ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
> - tag ipsec-$domain tap "enc1"
> + tag "ipsec-$domain" tap "enc1"
>  .Ed
>  .Sh OUTGOING NETWORK ADDRESS TRANSLATION
>  In some network topologies it is desirable to perform NAT on traffic leaving
> Index: sbin/ipsecctl/ipsec.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.158
> diff -u -p -r1.158 ipsec.conf.5
> --- sbin/ipsecctl/ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158
> +++ sbin/ipsecctl/ipsec.conf.5 15 Feb 2020 23:19:43 -0000
> @@ -466,7 +466,8 @@ expands to
>  .Dq ipsec-bar.org .
>  The variable expansion for the
>  .Ar tag
> -directive occurs only at runtime, not during configuration file parse time.
> +directive occurs only at runtime (not when the file is parsed)
> +and must be quoted, or it will be interpreted as a macro.
>  .El
>  .Sh PACKET FILTERING
>  IPsec traffic appears unencrypted on the
> @@ -575,7 +576,7 @@ The tags will be assigned by the followi
>  example:
>  .Bd -literal -offset indent
>  ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e
> - tag ipsec-$domain
> + tag "ipsec-$domain"
>  .Ed
>  .Sh OUTGOING NETWORK ADDRESS TRANSLATION
>  In some network topologies it is desirable to perform NAT on traffic leaving
>