diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-05-21 10:43:44 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-21 11:59:08 +0200 |
commit | 04d03f5bdd262bbf95f09e6ba3f211ab1d459573 (patch) | |
tree | 72ab35b2d9aa5df32711a99948df0937a13ad66f | |
parent | 5038eb5856b809f339e14dd932dd64fb1204eefc (diff) | |
download | vyos-1x-04d03f5bdd262bbf95f09e6ba3f211ab1d459573.tar.gz vyos-1x-04d03f5bdd262bbf95f09e6ba3f211ab1d459573.zip |
macsec: T2023: add optional encryption command
By default MACsec only authenticates traffic but has support for optional
encryption. Encryption can now be enabled using:
set interfaces macsec <interface> encrypt
-rw-r--r-- | interface-definitions/interfaces-macsec.xml.in | 6 | ||||
-rw-r--r-- | python/vyos/ifconfig/macsec.py | 7 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 14 |
3 files changed, 22 insertions, 5 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 79837dfb5..13448e758 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -36,6 +36,12 @@ </constraint> </properties> </leafNode> + <leafNode name="encrypt"> + <properties> + <help>Enable optional MACsec encryption</help> + <valueless/> + </properties> + </leafNode> #include <include/interface-description.xml.i> #include <include/interface-disable.xml.i> #include <include/interface-vrf.xml.i> diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py index cea3f8d13..1829df4ab 100644 --- a/python/vyos/ifconfig/macsec.py +++ b/python/vyos/ifconfig/macsec.py @@ -50,12 +50,17 @@ class MACsecIf(Interface): """ # create tunnel interface cmd = 'ip link add link {source_interface} {ifname} type {type}' - cmd += ' cipher {cipher} encrypt on' + cmd += ' cipher {cipher}' self._cmd(cmd.format(**self.config)) # interface is always A/D down. It needs to be enabled explicitly self.set_admin_state('down') + def set_encryption(self, on_off): + ifname = self.config['ifname'] + cmd = f'ip link set {ifname} type macsec encrypt {on_off}' + return self._cmd(cmd) + @staticmethod def get_config(): """ diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index db605295e..fcf23ed0f 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -33,6 +33,7 @@ default_config_data = { 'deleted': False, 'description': '', 'disable': False, + 'encrypt': 'off', 'intf': '', 'source_interface': '', 'is_bridge_member': False, @@ -76,6 +77,10 @@ def get_config(): if conf.exists('disable'): macsec['disable'] = True + # Enable optional MACsec encryption + if conf.exists('encrypt'): + macsec['encrypt'] = 'on' + # Physical interface if conf.exists(['source-interface']): macsec['source_interface'] = conf.return_value(['source-interface']) @@ -143,6 +148,9 @@ def apply(macsec): # that the interface will only be create if its non existent i = MACsecIf(macsec['intf'], **conf) + # Configure optional encryption + i.set_encryption(macsec['encrypt']) + # update interface description used e.g. within SNMP i.set_alias(macsec['description']) @@ -159,10 +167,8 @@ def apply(macsec): if not macsec['is_bridge_member']: i.set_vrf(macsec['vrf']) - # disable interface on demand - if macsec['disable']: - i.set_admin_state('down') - else: + # Interface is administratively down by default, enable if desired + if not macsec['disable']: i.set_admin_state('up') return None |