From f039693530999599837b1a41cdcf0e3f1842c7ce Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 14 Apr 2022 21:39:11 +0200
Subject: macsec: T4353: fix Jinja2 linting errors
---
data/templates/macsec/wpa_supplicant.conf.j2 | 87 ++++++++++++++++++++++++++
data/templates/macsec/wpa_supplicant.conf.tmpl | 87 --------------------------
2 files changed, 87 insertions(+), 87 deletions(-)
create mode 100644 data/templates/macsec/wpa_supplicant.conf.j2
delete mode 100644 data/templates/macsec/wpa_supplicant.conf.tmpl
(limited to 'data')
diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2
new file mode 100644
index 000000000..0ac7cb860
--- /dev/null
+++ b/data/templates/macsec/wpa_supplicant.conf.j2
@@ -0,0 +1,87 @@
+### Autogenerated by interfaces-macsec.py ###
+
+# see full documentation:
+# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
+
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
+# /var/run/wpa_supplicant is the recommended directory for sockets and by
+# default, wpa_cli will use it when trying to connect with wpa_supplicant.
+ctrl_interface=/run/wpa_supplicant
+
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
+eapol_version=3
+
+# No need to scan for access points in MACsec mode
+ap_scan=0
+
+# EAP fast re-authentication
+fast_reauth=1
+
+network={
+ key_mgmt=NONE
+
+ # Note: When using wired authentication (including MACsec drivers),
+ # eapol_flags must be set to 0 for the authentication to be completed
+ # successfully.
+ eapol_flags=0
+
+ # macsec_policy: IEEE 802.1X/MACsec options
+ # This determines how sessions are secured with MACsec (only for MACsec
+ # drivers).
+ # 0: MACsec not in use (default)
+ # 1: MACsec enabled - Should secure, accept key server's advice to
+ # determine whether to use a secure session or not.
+ macsec_policy=1
+
+ # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+ # This setting applies only when MACsec is in use, i.e.,
+ # - macsec_policy is enabled
+ # - the key server has decided to enable MACsec
+ # 0: Encrypt traffic (default)
+ # 1: Integrity only
+ macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }}
+
+{% if security.encrypt is vyos_defined %}
+ # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
+ # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
+ # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
+ # with lower priority will become the key server and start distributing SAKs.
+ # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
+ # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
+ # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
+ # (2..64 hex-digits)
+ mka_cak={{ security.mka.cak }}
+ mka_ckn={{ security.mka.ckn }}
+
+ # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
+ # default priority
+ mka_priority={{ security.mka.priority }}
+{% endif %}
+
+{% if security.replay_window is vyos_defined %}
+ # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
+ # This setting applies only when MACsec is in use, i.e.,
+ # - macsec_policy is enabled
+ # - the key server has decided to enable MACsec
+ # 0: Replay protection disabled (default)
+ # 1: Replay protection enabled
+ macsec_replay_protect=1
+
+ # macsec_replay_window: IEEE 802.1X/MACsec replay protection window
+ # This determines a window in which replay is tolerated, to allow receipt
+ # of frames that have been misordered by the network.
+ # This setting applies only when MACsec replay protection active, i.e.,
+ # - macsec_replay_protect is enabled
+ # - the key server has decided to enable MACsec
+ # 0: No replay window, strict check (default)
+ # 1..2^32-1: number of packets that could be misordered
+ macsec_replay_window={{ security.replay_window }}
+{% endif %}
+}
+
diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl
deleted file mode 100644
index 0ac7cb860..000000000
--- a/data/templates/macsec/wpa_supplicant.conf.tmpl
+++ /dev/null
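Review bot: The `mka_cak`, `mka_ckn` and `mka_priority` lines in the new `wpa_supplicant.conf.j2` are rendered only inside `{% if security.encrypt is vyos_defined %}`, so an integrity-only configuration (`macsec_integ_only=1`) yields a network block with `macsec_policy=1` and `key_mgmt=NONE` but no pre-shared key material. If integrity-only mode is meant to be usable, the guard should test the key fields rather than the encrypt flag, e.g. `{% if security.mka.cak is vyos_defined and security.mka.ckn is vyos_defined %}`; otherwise the generating script should reject a configuration without `encrypt`, and that check is not visible here. Separately, `macsec_replay_protect=1` is emitted only when `security.replay_window` is set, so the default rendering leaves replay protection at its documented default of 0 (disabled); a template comment stating this, such as `# replay protection stays disabled unless a replay window is configured`, would make the default explicit. The template body appears to be carried over unchanged from the `.tmpl` file (same blob id in both index lines), so both points predate this rename.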
@@ -1,87 +0,0 @@
-### Autogenerated by interfaces-macsec.py ###
-
-# see full documentation:
-# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
-
-# For UNIX domain sockets (default on Linux and BSD): This is a directory that
-# will be created for UNIX domain sockets for listening to requests from
-# external programs (CLI/GUI, etc.) for status information and configuration.
-# The socket file will be named based on the interface name, so multiple
-# wpa_supplicant processes can be run at the same time if more than one
-# interface is used.
-# /var/run/wpa_supplicant is the recommended directory for sockets and by
-# default, wpa_cli will use it when trying to connect with wpa_supplicant.
-ctrl_interface=/run/wpa_supplicant
-
-# Note: When using MACsec, eapol_version shall be set to 3, which is
-# defined in IEEE Std 802.1X-2010.
-eapol_version=3
-
-# No need to scan for access points in MACsec mode
-ap_scan=0
-
-# EAP fast re-authentication
-fast_reauth=1
-
-network={
- key_mgmt=NONE
-
- # Note: When using wired authentication (including MACsec drivers),
- # eapol_flags must be set to 0 for the authentication to be completed
- # successfully.
- eapol_flags=0
-
- # macsec_policy: IEEE 802.1X/MACsec options
- # This determines how sessions are secured with MACsec (only for MACsec
- # drivers).
- # 0: MACsec not in use (default)
- # 1: MACsec enabled - Should secure, accept key server's advice to
- # determine whether to use a secure session or not.
- macsec_policy=1
-
- # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
- # This setting applies only when MACsec is in use, i.e.,
- # - macsec_policy is enabled
- # - the key server has decided to enable MACsec
- # 0: Encrypt traffic (default)
- # 1: Integrity only
- macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }}
-
-{% if security.encrypt is vyos_defined %}
- # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
- # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
- # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
- # with lower priority will become the key server and start distributing SAKs.
- # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
- # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
- # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
- # (2..64 hex-digits)
- mka_cak={{ security.mka.cak }}
- mka_ckn={{ security.mka.ckn }}
-
- # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
- # default priority
- mka_priority={{ security.mka.priority }}
-{% endif %}
-
-{% if security.replay_window is vyos_defined %}
- # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
- # This setting applies only when MACsec is in use, i.e.,
- # - macsec_policy is enabled
- # - the key server has decided to enable MACsec
- # 0: Replay protection disabled (default)
- # 1: Replay protection enabled
- macsec_replay_protect=1
-
- # macsec_replay_window: IEEE 802.1X/MACsec replay protection window
- # This determines a window in which replay is tolerated, to allow receipt
- # of frames that have been misordered by the network.
- # This setting applies only when MACsec replay protection active, i.e.,
- # - macsec_replay_protect is enabled
- # - the key server has decided to enable MACsec
- # 0: No replay window, strict check (default)
- # 1..2^32-1: number of packets that could be misordered
- macsec_replay_window={{ security.replay_window }}
-{% endif %}
-}
-
--
cgit v1.2.3