authorChristian Poessinger <christian@poessinger.com>2020-09-21 22:24:25 +0200
committerChristian Poessinger <christian@poessinger.com>2020-09-21 22:24:56 +0200
commite31dfd9f5542b0572e3ece89bdc347679b08aa72 (patch)
tree91d7c3e1c3367f2a21ffdf636f3c023eff650111
parent79b1ab8dc67c9011a3d5e5397ad4d73a6c537d80 (diff)
macsec: T2788: source-interface must not be member of a bridge
Add verify() step to ensure the macsec source-interface is not already part of a bridge interface. This should probably also be checked for bond interfaces.
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index abf8b05c3..73b62dcf1 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_source_interface
+from vyos.validate import is_member
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -61,6 +62,11 @@ def get_config(config=None):
base + ['source-interface'])
macsec.update({'source_interface': source_interface})
+ if 'source_interface' in macsec:
+ # Check if source interface is used by another bridge
+ tmp = is_member(conf, macsec['source_interface'], 'bridge')
+ if tmp: macsec.update({'is_bridge_member_source_interface' : tmp})
+
return macsec
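Review bot: The comment above the `is_member` call says "used by another bridge", but a MACsec interface is not a bridge, so the wording misdescribes the check; `# Refuse a source-interface that is already enslaved to a bridge` states what the lookup actually establishes. The result is only stashed under `is_bridge_member_source_interface` here and acted on later, so the comment is the only place a reader learns why the key exists. The one-liner `if tmp: macsec.update({'is_bridge_member_source_interface' : tmp})` would read better split onto two lines with the stray space before the colon removed. The commit description itself notes that bond membership is not covered; if `is_member` accepts a bond interface type (not visible on this page), the same pattern could record that case too. get_config's header and the rest of its body lie outside the hunk.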
@@ -88,6 +94,10 @@ def verify(macsec):
raise ConfigError('Missing mandatory MACsec security '
'keys as encryption is enabled!')
+ if 'is_bridge_member_source_interface' in macsec:
+ raise ConfigError('source-interface is already member of bridge ' \
+ '{is_bridge_member_source_interface}!'.format(**macsec))
+
if 'source_interface' in macsec:
# MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
# and 802.1q) - we need to check the underlaying MTU if our configured
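Review bot: `.format(**macsec)` expands the whole configuration dictionary into format arguments when the message needs exactly one value, so a later key added to `macsec` with a name colliding with the placeholder, or a value containing braces, changes what gets printed. Passing the single value explicitly is clearer and keeps the message independent of the dict layout: `raise ConfigError('source-interface is already member of bridge {}!'.format(macsec['is_bridge_member_source_interface']))`. The trailing backslash inside the parenthesised argument list is also redundant, since the parentheses already continue the line. verify's body continues past the end of the hunk.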