diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-09-21 22:24:25 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-09-21 22:24:56 +0200 |
commit | e31dfd9f5542b0572e3ece89bdc347679b08aa72 (patch) | |
tree | 91d7c3e1c3367f2a21ffdf636f3c023eff650111 | |
parent | 79b1ab8dc67c9011a3d5e5397ad4d73a6c537d80 (diff) | |
download | vyos-1x-e31dfd9f5542b0572e3ece89bdc347679b08aa72.tar.gz vyos-1x-e31dfd9f5542b0572e3ece89bdc347679b08aa72.zip |
macsec: T2788: source-interface must not be member of a bridge
Add verify() step to ensure the macsec source-interface is not already part
of a bridge interface. This should probably also be checked for bond interfaces.
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index abf8b05c3..73b62dcf1 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_source_interface +from vyos.validate import is_member from vyos import ConfigError from vyos import airbag airbag.enable() @@ -61,6 +62,11 @@ def get_config(config=None): base + ['source-interface']) macsec.update({'source_interface': source_interface}) + if 'source_interface' in macsec: + # Check if source interface is used by another bridge + tmp = is_member(conf, macsec['source_interface'], 'bridge') + if tmp: macsec.update({'is_bridge_member_source_interface' : tmp}) + return macsec @@ -88,6 +94,10 @@ def verify(macsec): raise ConfigError('Missing mandatory MACsec security ' 'keys as encryption is enabled!') + if 'is_bridge_member_source_interface' in macsec: + raise ConfigError('source-interface is already member of bridge ' \ + '{is_bridge_member_source_interface}!'.format(**macsec)) + if 'source_interface' in macsec: # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad # and 802.1q) - we need to check the underlaying MTU if our configured |