author | Christian Poessinger <christian@poessinger.com> | 2020-05-21 15:57:58 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-21 15:58:03 +0200 |
commit | d8d3c1cb5a5aed4ecee9ea1a17dafc09c98bdfaa (patch) | |
tree | 3fe80c32297072d2ddf60a286f7605b0eb9bf276 | |
parent | 2417c2feedd62a59f0caa0c7a405c60e1f3be0e8 (diff) | |
macsec: T2023: improve verify() when encryption is enabled
When encryption is enabled, keys must be configured.
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 780ef9b5f..efac92169 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -118,34 +118,37 @@ def get_config(): def verify(macsec): if macsec['deleted']: if macsec['is_bridge_member']: - raise ConfigError(( - f'Interface "{macsec["intf"]}" cannot be deleted as it is a ' - f'member of bridge "{macsec["is_bridge_member"]}"!')) + raise ConfigError( + f'Interface "{intf}" cannot be deleted as it is a ' + f'member of bridge "{is_bridge_member}"!'.format(**macsec)) return None if not macsec['source_interface']: - raise ConfigError(( - f'Physical source interface must be set for MACsec "{macsec["intf"]}"')) + raise ConfigError( + 'Physical source interface must be set for MACsec "{intf}"'.format(**macsec)) if not macsec['security_cipher']: - raise ConfigError(( - f'Cipher suite is mandatory for MACsec "{macsec["intf"]}"')) + raise ConfigError( + 'Cipher suite must be set for MACsec "{intf}"'.format(**macsec)) + + if macsec['security_encrypt']: + if not (macsec['security_mka_cak'] and macsec['security_mka_ckn']): + raise ConfigError('MACsec security keys mandartory when encryption is enabled') if macsec['vrf']: if macsec['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{macsec["vrf"]}" does not exist') + raise ConfigError('VRF "{vrf}" does not exist'.format(**macsec)) if macsec['is_bridge_member']: - raise ConfigError(( - f'Interface "{macsec["intf"]}" cannot be member of VRF ' - f'"{macsec["vrf"]}" and bridge "{macsec["is_bridge_member"]}" ' - f'at the same time!')) + raise ConfigError( + 'Interface "{intf}" cannot be member of VRF "{vrf}" and ' + 'bridge "{is_bridge_member}" at the same time!'.format(**macsec)) if macsec['is_bridge_member'] and macsec['address']: - raise ConfigError(( - f'Cannot assign address to interface "{macsec["intf"]}" ' - f'as it is a member of bridge "{macsec["is_bridge_member"]}"!')) + raise ConfigError( + 'Cannot assign address to interface "{intf}" as it is' + 'a member of bridge "{is_bridge_member}"!'.format(**macsec)) return None |
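Review bot: The delete branch keeps the `f` prefix on both literals while now also calling `.format(**macsec)`, so `{intf}` and `{is_bridge_member}` are evaluated as Python names; unless such names exist outside the hunk, deleting a bridge-member interface raises NameError instead of the intended ConfigError. Drop the prefixes: `'Interface "{intf}" cannot be deleted as it is a '` followed by `'member of bridge "{is_bridge_member}"!'.format(**macsec))`. The last message also lost the space between its two literals (`'... as it is'` next to `'a member of bridge ...'` renders as "isa"), and `mandartory` is misspelled in the new key error. On the new key check itself: it only fires when `security_encrypt` is set, so a configuration with encryption disabled can still pass with no CAK/CKN, and nothing in this hunk validates the key format or length. If the interface always depends on MKA for integrity and peer authentication, consider requiring and length-checking both keys regardless of the encrypt flag.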