authorChristian Poessinger <christian@poessinger.com>2020-05-20 21:09:59 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-21 11:58:57 +0200
commitfe9d399a4e78a1637cb3a693e0470eaec1dd5de5 (patch)
tree6b4648430e8092ae2109ebff116692601819b18b
parent2e8bd0ced8967644b0ad361df9b375075276593a (diff)
downloadvyos-1x-fe9d399a4e78a1637cb3a693e0470eaec1dd5de5.tar.gz
vyos-1x-fe9d399a4e78a1637cb3a693e0470eaec1dd5de5.zip
macsec: T2023: add initial XML and Python interfaces
-rw-r--r--interface-definitions/interfaces-macsec.xml.in47
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py178
2 files changed, 225 insertions, 0 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
new file mode 100644
index 000000000..79837dfb5
--- /dev/null
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="macsec" owner="${vyos_conf_scripts_dir}/interfaces-macsec.py">
+ <properties>
+ <help>MACsec Interface (802.1ae)</help>
+ <priority>319</priority>
+ <constraint>
+ <regex>^macsec[0-9]+$</regex>
+ </constraint>
+ <constraintErrorMessage>MACsec interface must be named macsecN</constraintErrorMessage>
+ <valueHelp>
+ <format>macsecN</format>
+ <description>MACsec interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/address-ipv4-ipv6.xml.i>
+ <leafNode name="cipher">
+ <properties>
+ <help>Cipher suite used (default: gcm-aes-128)</help>
+ <completionHelp>
+ <list>gcm-aes-128 gcm-aes-256</list>
+ </completionHelp>
+ <valueHelp>
+ <format>gcm-aes-128</format>
+ <description>Galois/Counter Mode of AES cipher with 128-bit key (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>gcm-aes-256</format>
+ <description>Galois/Counter Mode of AES cipher with 256-bit key</description>
+ </valueHelp>
+ <constraint>
+ <regex>(gcm-aes-128|gcm-aes-256)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/interface-description.xml.i>
+ #include <include/interface-disable.xml.i>
+ #include <include/interface-vrf.xml.i>
+ #include <include/source-interface-ethernet.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
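Review bot: The cipher constraint on the `<regex>(gcm-aes-128|gcm-aes-256)</regex>` line is unanchored, unlike the interface-name constraint `^macsec[0-9]+$` a few lines above; if the validator performs a search rather than a full match, a value such as `xgcm-aes-128x` would pass the XML check and reach the script unchanged. Anchoring it as `<regex>^(gcm-aes-128|gcm-aes-256)$</regex>` keeps both constraints consistent and restricts the value to exactly one of the two completions listed in `<list>`.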
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
new file mode 100755
index 000000000..db605295e
--- /dev/null
+++ b/src/conf_mode/interfaces-macsec.py
@@ -0,0 +1,178 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from copy import deepcopy
+from sys import exit
+from netifaces import interfaces
+
+from vyos.ifconfig import MACsecIf
+from vyos.configdict import list_diff
+from vyos.config import Config
+from vyos.validate import is_member
+from vyos import ConfigError
+
+default_config_data = {
+ 'address': [],
+ 'address_remove': [],
+ 'cipher': 'gcm-aes-128',
+ 'deleted': False,
+ 'description': '',
+ 'disable': False,
+ 'intf': '',
+ 'source_interface': '',
+ 'is_bridge_member': False,
+ 'vrf': ''
+}
+
+def get_config():
+ macsec = deepcopy(default_config_data)
+ conf = Config()
+
+ # determine tagNode instance
+ if 'VYOS_TAGNODE_VALUE' not in os.environ:
+ raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
+
+ macsec['intf'] = os.environ['VYOS_TAGNODE_VALUE']
+
+ # check if we are a member of any bridge
+ macsec['is_bridge_member'] = is_member(conf, macsec['intf'], 'bridge')
+
+ # Check if interface has been removed
+ if not conf.exists('interfaces macsec ' + macsec['intf']):
+ macsec['deleted'] = True
+ return macsec
+
+ # set new configuration level
+ conf.set_level('interfaces macsec ' + macsec['intf'])
+
+ # retrieve configured interface addresses
+ if conf.exists('address'):
+ macsec['address'] = conf.return_values('address')
+
+ # retrieve interface cipher
+ if conf.exists('cipher'):
+ macsec['cipher'] = conf.return_value('cipher')
+
+ # retrieve interface description
+ if conf.exists('description'):
+ macsec['description'] = conf.return_value('description')
+
+ # Disable this interface
+ if conf.exists('disable'):
+ macsec['disable'] = True
+
+ # Physical interface
+ if conf.exists(['source-interface']):
+ macsec['source_interface'] = conf.return_value(['source-interface'])
+
+ # Determine interface addresses (currently effective) - to determine which
+ # address is no longer valid and needs to be removed from the interface
+ eff_addr = conf.return_effective_values('address')
+ act_addr = conf.return_values('address')
+ macsec['address_remove'] = list_diff(eff_addr, act_addr)
+
+ # retrieve VRF instance
+ if conf.exists('vrf'):
+ macsec['vrf'] = conf.return_value('vrf')
+
+ return macsec
+
+def verify(macsec):
+ if macsec['deleted']:
+ if macsec['is_bridge_member']:
+ raise ConfigError((
+ f'Interface "{macsec["intf"]}" cannot be deleted as it is a '
+ f'member of bridge "{macsec["is_bridge_member"]}"!'))
+
+ return None
+
+ if not macsec['source_interface']:
+ raise ConfigError((
+ f'Physical source interface must be set for MACsec "{macsec["intf"]}"'))
+
+ if macsec['vrf']:
+ if macsec['vrf'] not in interfaces():
+ raise ConfigError(f'VRF "{macsec["vrf"]}" does not exist')
+
+ if macsec['is_bridge_member']:
+ raise ConfigError((
+ f'Interface "{macsec["intf"]}" cannot be member of VRF '
+ f'"{macsec["vrf"]}" and bridge "{macsec["is_bridge_member"]}" '
+ f'at the same time!'))
+
+ if macsec['is_bridge_member'] and macsec['address']:
+ raise ConfigError((
+ f'Cannot assign address to interface "{macsec["intf"]}" '
+ f'as it is a member of bridge "{macsec["is_bridge_member"]}"!'))
+
+ return None
+
+def generate(macsec):
+ return None
+
+def apply(macsec):
+ # Remove macsec interface
+ if macsec['deleted']:
+ MACsecIf(macsec['intf']).remove()
+ else:
+ # MACsec interfaces require a configuration when they are added using
+ # iproute2. This static method will provide the configuration
+ # dictionary used by this class.
+ conf = deepcopy(MACsecIf.get_config())
+
+ # Assign MACsec instance configuration parameters to config dict
+ conf['source_interface'] = macsec['source_interface']
+ conf['cipher'] = macsec['cipher']
+
+ # It is safe to "re-create" the interface always, there is a sanity check
+ # that the interface will only be create if its non existent
+ i = MACsecIf(macsec['intf'], **conf)
+
+ # update interface description used e.g. within SNMP
+ i.set_alias(macsec['description'])
+
+ # Configure interface address(es)
+ # - not longer required addresses get removed first
+ # - newly addresses will be added second
+ for addr in macsec['address_remove']:
+ i.del_addr(addr)
+ for addr in macsec['address']:
+ i.add_addr(addr)
+
+ # assign/remove VRF (ONLY when not a member of a bridge,
+ # otherwise 'nomaster' removes it from it)
+ if not macsec['is_bridge_member']:
+ i.set_vrf(macsec['vrf'])
+
+ # disable interface on demand
+ if macsec['disable']:
+ i.set_admin_state('down')
+ else:
+ i.set_admin_state('up')
+
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
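Review bot: verify() accepts any non-empty `source_interface` string without checking that the named interface exists, while the VRF branch directly below does check membership in `interfaces()`; unless the included source-interface-ethernet.xml.i already validates existence, a mistyped name reaches apply() and fails only when MACsecIf tries to create the interface, rather than as a ConfigError at verify time. A matching check after the empty-string test, `if macsec['source_interface'] not in interfaces():` / `raise ConfigError(f'Source interface "{macsec["source_interface"]}" does not exist')`, would report it at commit time with the same wording style as the VRF error. As a point of style, get_config() mixes string paths (`conf.exists('address')`) with list paths (`conf.exists(['source-interface'])`); using one form throughout the file reads cleaner.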