authorChristian Poessinger <christian@poessinger.com>2020-05-21 10:43:44 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-21 11:59:08 +0200
commit04d03f5bdd262bbf95f09e6ba3f211ab1d459573 (patch)
tree72ab35b2d9aa5df32711a99948df0937a13ad66f
parent5038eb5856b809f339e14dd932dd64fb1204eefc (diff)
downloadvyos-1x-04d03f5bdd262bbf95f09e6ba3f211ab1d459573.tar.gz
vyos-1x-04d03f5bdd262bbf95f09e6ba3f211ab1d459573.zip
macsec: T2023: add optional encryption command
By default MACsec only authenticates traffic but has support for optional encryption. Encryption can now be enabled using: set interfaces macsec <interface> encrypt
-rw-r--r--interface-definitions/interfaces-macsec.xml.in6
-rw-r--r--python/vyos/ifconfig/macsec.py7
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py14
3 files changed, 22 insertions, 5 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 79837dfb5..13448e758 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -36,6 +36,12 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="encrypt">
+ <properties>
+ <help>Enable optional MACsec encryption</help>
+ <valueless/>
+ </properties>
+ </leafNode>
#include <include/interface-description.xml.i>
#include <include/interface-disable.xml.i>
#include <include/interface-vrf.xml.i>
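Review bot: The help text of the new `encrypt` leaf does not tell the operator what the default gives up: as the commit message states, without this node MACsec only authenticates frames, so a user reading `Enable optional MACsec encryption` may assume the link is already confidential. Suggest `<help>Enable optional MACsec encryption (without it frames are only authenticated, not encrypted)</help>` so the integrity-only default is visible at the CLI.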
diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py
index cea3f8d13..1829df4ab 100644
--- a/python/vyos/ifconfig/macsec.py
+++ b/python/vyos/ifconfig/macsec.py
@@ -50,12 +50,17 @@ class MACsecIf(Interface):
"""
# create tunnel interface
cmd = 'ip link add link {source_interface} {ifname} type {type}'
- cmd += ' cipher {cipher} encrypt on'
+ cmd += ' cipher {cipher}'
self._cmd(cmd.format(**self.config))
# interface is always A/D down. It needs to be enabled explicitly
self.set_admin_state('down')
+ def set_encryption(self, on_off):
+ ifname = self.config['ifname']
+ cmd = f'ip link set {ifname} type macsec encrypt {on_off}'
+ return self._cmd(cmd)
+
@staticmethod
def get_config():
"""
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index db605295e..fcf23ed0f 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -33,6 +33,7 @@ default_config_data = {
'deleted': False,
'description': '',
'disable': False,
+ 'encrypt': 'off',
'intf': '',
'source_interface': '',
'is_bridge_member': False,
@@ -76,6 +77,10 @@ def get_config():
if conf.exists('disable'):
macsec['disable'] = True
+ # Enable optional MACsec encryption
+ if conf.exists('encrypt'):
+ macsec['encrypt'] = 'on'
+
# Physical interface
if conf.exists(['source-interface']):
macsec['source_interface'] = conf.return_value(['source-interface'])
@@ -143,6 +148,9 @@ def apply(macsec):
# that the interface will only be create if its non existent
i = MACsecIf(macsec['intf'], **conf)
+ # Configure optional encryption
+ i.set_encryption(macsec['encrypt'])
+
# update interface description used e.g. within SNMP
i.set_alias(macsec['description'])
@@ -159,10 +167,8 @@ def apply(macsec):
if not macsec['is_bridge_member']:
i.set_vrf(macsec['vrf'])
- # disable interface on demand
- if macsec['disable']:
- i.set_admin_state('down')
- else:
+ # Interface is administratively down by default, enable if desired
+ if not macsec['disable']:
i.set_admin_state('up')
return None
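Review bot: The rewritten admin-state block at the end of `apply` no longer sets a disabled interface down; it relies on the interface being created admin-down, but the comment just above `MACsecIf(macsec['intf'], **conf)` in the earlier hunk says the interface is only created when it does not exist, so on an existing, already-up interface a newly set `disable` is silently ignored. Keep the explicit branch: `i.set_admin_state('down' if macsec['disable'] else 'up')`. The `get_config` and `apply` bodies extend outside their hunks.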