Diffstat (limited to 'src/conf_mode/interfaces-macsec.py')
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 55 |
1 files changed, 37 insertions, 18 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 6a3bb49fe..7d6f238f3 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -22,7 +22,7 @@ from netifaces import interfaces
 
 from vyos.config import Config
 from vyos.configdict import list_diff
-from vyos.ifconfig import MACsecIf, Interface
+from vyos.ifconfig import MACsecIf
 from vyos.template import render
 from vyos.util import call
 from vyos.validate import is_member
@@ -39,6 +39,7 @@ default_config_data = {
     'security_mka_cak': '',
     'security_mka_ckn': '',
     'security_mka_priority': '255',
+    'security_replay_window': '',
     'intf': '',
     'source_interface': '',
     'is_bridge_member': False,
@@ -48,6 +49,7 @@ default_config_data = {
 # XXX: wpa_supplicant works on the source interface
 wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf'
 
+
 def get_config():
     macsec = deepcopy(default_config_data)
     conf = Config()
@@ -68,7 +70,8 @@ def get_config():
         # When stopping wpa_supplicant we need to stop it via the physical
         # interface - thus we need to retrieve ir from the effective config
         if conf.exists_effective(base_path + ['source-interface']):
-            macsec['source_interface'] = conf.return_effective_value(base_path + ['source-interface'])
+            macsec['source_interface'] = conf.return_effective_value(
+                base_path + ['source-interface'])
 
         return macsec
 
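Review bot: The `'security_replay_window': ''` default added in the `@@ -39` hunk uses the empty string as its "not configured" sentinel without saying so, and `'0'` is itself a legitimate replay-window value (a zero window makes the receiver drop any out-of-order frame), so any later `int()` conversion or Jinja `|int` filter would either fail on `''` or silently conflate "not set" with the strictest window. A comment above the entry would pin the contract down: `# '' = replay-window not configured; '0' is a valid (strictest) window`. The template that consumes this key is not visible here, so whether it already keeps the two cases apart cannot be confirmed from this diff.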
@@ -97,15 +100,23 @@ def get_config():
 
     # Secure Connectivity Association Key
     if conf.exists(['security', 'mka', 'cak']):
-        macsec['security_mka_cak'] = conf.return_value(['security', 'mka', 'cak'])
+        macsec['security_mka_cak'] = conf.return_value(
+            ['security', 'mka', 'cak'])
 
     # Secure Connectivity Association Name
     if conf.exists(['security', 'mka', 'ckn']):
-        macsec['security_mka_ckn'] = conf.return_value(['security', 'mka', 'ckn'])
+        macsec['security_mka_ckn'] = conf.return_value(
+            ['security', 'mka', 'ckn'])
 
     # MACsec Key Agreement protocol (MKA) actor priority
     if conf.exists(['security', 'mka', 'priority']):
-        macsec['security_mka_priority'] = conf.return_value(['security', 'mka', 'priority'])
+        macsec['security_mka_priority'] = conf.return_value(
+            ['security', 'mka', 'priority'])
+
+    # IEEE 802.1X/MACsec replay protection
+    if conf.exists(['security', 'replay-window']):
+        macsec['security_replay_window'] = conf.return_value(
+            ['security', 'replay-window'])
 
     # Physical interface
     if conf.exists(['source-interface']):
@@ -123,18 +134,19 @@ def get_config():
 
     return macsec
 
+
 def verify(macsec):
     if macsec['deleted']:
         if macsec['is_bridge_member']:
             raise ConfigError(
-                f'Interface "{intf}" cannot be deleted as it is a '
-                f'member of bridge "{is_bridge_member}"!'.format(**macsec))
+                'Interface "{intf}" cannot be deleted as it is a '
+                'member of bridge "{is_bridge_member}"!'.format(**macsec))
 
         return None
 
     if not macsec['source_interface']:
-        raise ConfigError(
-            'Physical source interface must be set for MACsec "{intf}"'.format(**macsec))
+        raise ConfigError('Physical source interface must be set for '
+                          'MACsec "{intf}"'.format(**macsec))
 
     if not macsec['security_cipher']:
         raise ConfigError(
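Review bot: The replay-window value read in the `@@ -97` hunk is stored as the raw CLI string, and the `verify()` head shown in the `@@ -123` hunk on this same line adds no check for it, so a non-numeric or negative value would only be rejected by wpa_supplicant when it parses the generated config after commit instead of surfacing as a `ConfigError` like the other MACsec checks. Unless the CLI definition already constrains the node (not visible here), a guard next to the cipher check would keep the failure at commit time: `if macsec['security_replay_window'] and not macsec['security_replay_window'].isdigit(): raise ConfigError('MACsec replay-window must be a non-negative integer for "{intf}"'.format(**macsec))`. Note that a very large window weakens replay protection, so an upper bound may also be worth stating in the CLI help. `get_config()` continues outside the first hunk and `verify()` continues outside the second.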
@@ -142,16 +154,17 @@ def verify(macsec):
 
     if macsec['security_encrypt']:
         if not (macsec['security_mka_cak'] and macsec['security_mka_ckn']):
-            raise ConfigError('MACsec security keys mandartory when encryption is enabled')
+            raise ConfigError(
+                'MACsec security keys mandartory when encryption is enabled')
 
     if macsec['vrf']:
         if macsec['vrf'] not in interfaces():
             raise ConfigError('VRF "{vrf}" does not exist'.format(**macsec))
 
         if macsec['is_bridge_member']:
-            raise ConfigError(
-                'Interface "{intf}" cannot be member of VRF "{vrf}" and '
-                'bridge "{is_bridge_member}" at the same time!'.format(**macsec))
+            raise ConfigError('Interface "{intf}" cannot be member of VRF '
+                              '"{vrf}" and bridge "{is_bridge_member}" at '
+                              'the same time!'.format(**macsec))
 
     if macsec['is_bridge_member'] and macsec['address']:
         raise ConfigError(
@@ -160,14 +173,18 @@ def verify(macsec):
 
     return None
 
+
 def generate(macsec):
-    render(wpa_suppl_conf.format(**macsec), 'macsec/wpa_supplicant.conf.tmpl', macsec, permission=0o640)
+    render(wpa_suppl_conf.format(**macsec),
+           'macsec/wpa_supplicant.conf.tmpl', macsec, permission=0o640)
     return None
 
+
 def apply(macsec):
     # Remove macsec interface
     if macsec['deleted']:
-        call('systemctl stop wpa_supplicant-macsec@{source_interface}.service'.format(**macsec))
+        call('systemctl stop wpa_supplicant-macsec@{source_interface}'
+             .format(**macsec))
         MACsecIf(macsec['intf']).remove()
 
         # delete configuration on interface removal
@@ -184,8 +201,8 @@ def apply(macsec):
     conf['source_interface'] = macsec['source_interface']
     conf['security_cipher'] = macsec['security_cipher']
 
-    # It is safe to "re-create" the interface always, there is a sanity check
-    # that the interface will only be create if its non existent
+    # It is safe to "re-create" the interface always, there is a sanity
+    # check that the interface will only be create if its non existent
     i = MACsecIf(macsec['intf'], **conf)
 
     # update interface description used e.g. within SNMP
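Review bot: The rewrapped `raise ConfigError(...)` in the `@@ -142` hunk carries the typo `mandartory` over into the new line of the user-facing message; since the line is being touched anyway, make it `'MACsec security keys mandatory when encryption is enabled'`. The check itself only demands CAK/CKN when `security_encrypt` is set; whether an MKA session configured without encryption also needs them depends on the wpa_supplicant template, which is not visible here. `verify()` starts and ends outside this hunk.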
@@ -208,10 +225,12 @@ def apply(macsec):
 
     if not macsec['disable']:
         i.set_admin_state('up')
-        call('systemctl restart wpa_supplicant-macsec@{source_interface}.service'.format(**macsec))
+        call('systemctl restart wpa_supplicant-macsec@{source_interface}'
+             .format(**macsec))
 
     return None
 
+
 if __name__ == '__main__':
     try:
         c = get_config() |
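Review bot: The rewrapped `systemctl restart` in the `@@ -208` hunk has no counterpart for the administratively disabled case: the collapsed layout does not show whether the call sits inside the `if not macsec['disable']` block or at function level, but either way a MACsec interface that is set to `disable` leaves a previously started wpa_supplicant (and its MKA session on the source interface) running, or in the function-level case restarts it while the link is down. Consider an `else:` branch with `call('systemctl stop wpa_supplicant-macsec@{source_interface}'.format(**macsec))` so disabling the interface also tears down the supplicant. Dropping the explicit `.service` suffix is fine, since systemctl assumes it for a unit name given without one. `apply()` starts outside this hunk and the `__main__` block continues past it.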