diff options
| author | Christian Poessinger <christian@poessinger.com> | 2022-08-24 21:43:10 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2022-09-04 20:26:56 +0200 |
| commit | 87894a2fa32933400a930783edcce74a8b4792a4 (patch) | |
| tree | a17ace9943bbf7438511f74c69b1ed9966f02567 /src | |
| parent | b9678136eac767ece3d5a5e53f9f2b9c47c7477a (diff) | |
| download | vyos-1x-87894a2fa32933400a930783edcce74a8b4792a4.tar.gz vyos-1x-87894a2fa32933400a930783edcce74a8b4792a4.zip | |
T4630: can not use same source-interface for macsec and pseudo-ethernet
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
(cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 8 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-pseudo-ethernet.py | 5 |
2 files changed, 6 insertions, 7 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 8076a27b6..8a969d90f 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -67,7 +67,7 @@ def get_config(config=None): macsec.update({'shutdown_required': {}}) if 'source_interface' in macsec: - tmp = is_source_interface(conf, macsec['source_interface'], 'macsec') + tmp = is_source_interface(conf, macsec['source_interface'], ['macsec', 'pseudo-ethernet']) if tmp and tmp != ifname: macsec.update({'is_source_interface' : tmp}) return macsec @@ -101,12 +101,6 @@ def verify(macsec): # gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit raise ConfigError('gcm-aes-128 requires a 256bit long key!') - if 'is_source_interface' in macsec: - tmp = macsec['is_source_interface'] - src_ifname = macsec['source_interface'] - raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \ - f'belongs to interface "{tmp}"!') - if 'source_interface' in macsec: # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad # and 802.1q) - we need to check the underlaying MTU if our configured diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index 4bd75f770..48e62a345 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py @@ -19,6 +19,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import leaf_node_changed +from vyos.configdict import is_source_interface from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete @@ -49,6 +50,10 @@ def get_config(config=None): if 'source_interface' in peth: peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'], peth['source_interface']) + # test if source-interface is maybe already used by another interface + tmp = is_source_interface(conf, peth['source_interface'], ['macsec']) + if tmp and tmp != peth['ifname']: peth.update({'is_source_interface' : tmp}) + return peth def verify(peth): |