diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-05-20 21:09:59 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-21 11:58:57 +0200 |
commit | fe9d399a4e78a1637cb3a693e0470eaec1dd5de5 (patch) | |
tree | 6b4648430e8092ae2109ebff116692601819b18b | |
parent | 2e8bd0ced8967644b0ad361df9b375075276593a (diff) | |
download | vyos-1x-fe9d399a4e78a1637cb3a693e0470eaec1dd5de5.tar.gz vyos-1x-fe9d399a4e78a1637cb3a693e0470eaec1dd5de5.zip |
macsec: T2023: add initial XML and Python interfaces
-rw-r--r-- | interface-definitions/interfaces-macsec.xml.in | 47 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 178 |
2 files changed, 225 insertions, 0 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in new file mode 100644 index 000000000..79837dfb5 --- /dev/null +++ b/interface-definitions/interfaces-macsec.xml.in @@ -0,0 +1,47 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="interfaces"> + <children> + <tagNode name="macsec" owner="${vyos_conf_scripts_dir}/interfaces-macsec.py"> + <properties> + <help>MACsec Interface (802.1ae)</help> + <priority>319</priority> + <constraint> + <regex>^macsec[0-9]+$</regex> + </constraint> + <constraintErrorMessage>MACsec interface must be named macsecN</constraintErrorMessage> + <valueHelp> + <format>macsecN</format> + <description>MACsec interface name</description> + </valueHelp> + </properties> + <children> + #include <include/address-ipv4-ipv6.xml.i> + <leafNode name="cipher"> + <properties> + <help>Cipher suite used (default: gcm-aes-128)</help> + <completionHelp> + <list>gcm-aes-128 gcm-aes-256</list> + </completionHelp> + <valueHelp> + <format>gcm-aes-128</format> + <description>Galois/Counter Mode of AES cipher with 128-bit key (default)</description> + </valueHelp> + <valueHelp> + <format>gcm-aes-256</format> + <description>Galois/Counter Mode of AES cipher with 256-bit key</description> + </valueHelp> + <constraint> + <regex>(gcm-aes-128|gcm-aes-256)</regex> + </constraint> + </properties> + </leafNode> + #include <include/interface-description.xml.i> + #include <include/interface-disable.xml.i> + #include <include/interface-vrf.xml.i> + #include <include/source-interface-ethernet.xml.i> + </children> + </tagNode> + </children> + </node> +</interfaceDefinition> diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py new file mode 100755 index 000000000..db605295e --- /dev/null +++ b/src/conf_mode/interfaces-macsec.py @@ -0,0 +1,178 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from copy import deepcopy +from sys import exit +from netifaces import interfaces + +from vyos.ifconfig import MACsecIf +from vyos.configdict import list_diff +from vyos.config import Config +from vyos.validate import is_member +from vyos import ConfigError + +default_config_data = { + 'address': [], + 'address_remove': [], + 'cipher': 'gcm-aes-128', + 'deleted': False, + 'description': '', + 'disable': False, + 'intf': '', + 'source_interface': '', + 'is_bridge_member': False, + 'vrf': '' +} + +def get_config(): + macsec = deepcopy(default_config_data) + conf = Config() + + # determine tagNode instance + if 'VYOS_TAGNODE_VALUE' not in os.environ: + raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') + + macsec['intf'] = os.environ['VYOS_TAGNODE_VALUE'] + + # check if we are a member of any bridge + macsec['is_bridge_member'] = is_member(conf, macsec['intf'], 'bridge') + + # Check if interface has been removed + if not conf.exists('interfaces macsec ' + macsec['intf']): + macsec['deleted'] = True + return macsec + + # set new configuration level + conf.set_level('interfaces macsec ' + macsec['intf']) + + # retrieve configured interface addresses + if conf.exists('address'): + macsec['address'] = conf.return_values('address') + + # retrieve interface cipher + if conf.exists('cipher'): + macsec['cipher'] = conf.return_value('cipher') + + # retrieve interface description + if conf.exists('description'): + macsec['description'] = conf.return_value('description') + + # Disable this interface + if conf.exists('disable'): + macsec['disable'] = True + + # Physical interface + if conf.exists(['source-interface']): + macsec['source_interface'] = conf.return_value(['source-interface']) + + # Determine interface addresses (currently effective) - to determine which + # address is no longer valid and needs to be removed from the interface + eff_addr = conf.return_effective_values('address') + act_addr = conf.return_values('address') + macsec['address_remove'] = list_diff(eff_addr, act_addr) + + # retrieve VRF instance + if conf.exists('vrf'): + macsec['vrf'] = conf.return_value('vrf') + + return macsec + +def verify(macsec): + if macsec['deleted']: + if macsec['is_bridge_member']: + raise ConfigError(( + f'Interface "{macsec["intf"]}" cannot be deleted as it is a ' + f'member of bridge "{macsec["is_bridge_member"]}"!')) + + return None + + if not macsec['source_interface']: + raise ConfigError(( + f'Physical source interface must be set for MACsec "{macsec["intf"]}"')) + + if macsec['vrf']: + if macsec['vrf'] not in interfaces(): + raise ConfigError(f'VRF "{macsec["vrf"]}" does not exist') + + if macsec['is_bridge_member']: + raise ConfigError(( + f'Interface "{macsec["intf"]}" cannot be member of VRF ' + f'"{macsec["vrf"]}" and bridge "{macsec["is_bridge_member"]}" ' + f'at the same time!')) + + if macsec['is_bridge_member'] and macsec['address']: + raise ConfigError(( + f'Cannot assign address to interface "{macsec["intf"]}" ' + f'as it is a member of bridge "{macsec["is_bridge_member"]}"!')) + + return None + +def generate(macsec): + return None + +def apply(macsec): + # Remove macsec interface + if macsec['deleted']: + MACsecIf(macsec['intf']).remove() + else: + # MACsec interfaces require a configuration when they are added using + # iproute2. This static method will provide the configuration + # dictionary used by this class. + conf = deepcopy(MACsecIf.get_config()) + + # Assign MACsec instance configuration parameters to config dict + conf['source_interface'] = macsec['source_interface'] + conf['cipher'] = macsec['cipher'] + + # It is safe to "re-create" the interface always, there is a sanity check + # that the interface will only be create if its non existent + i = MACsecIf(macsec['intf'], **conf) + + # update interface description used e.g. within SNMP + i.set_alias(macsec['description']) + + # Configure interface address(es) + # - not longer required addresses get removed first + # - newly addresses will be added second + for addr in macsec['address_remove']: + i.del_addr(addr) + for addr in macsec['address']: + i.add_addr(addr) + + # assign/remove VRF (ONLY when not a member of a bridge, + # otherwise 'nomaster' removes it from it) + if not macsec['is_bridge_member']: + i.set_vrf(macsec['vrf']) + + # disable interface on demand + if macsec['disable']: + i.set_admin_state('down') + else: + i.set_admin_state('up') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) |