Merge branch 'macsec-t2023' of github.com:c-po/vyos-1x into current

* 'macsec-t2023' of github.com:c-po/vyos-1x:
  macsec: T2023: cleanup wpa_supplicant config file name
  macsec: T2023: improve verify() when encryption is enabled
  macsec: T2023: support MACsec Key Agreement protocol actor priority
  macsec: T2023: rename "security key" node to "security mka"
  macsec: T2023: use wpa_supplicant for key management
  macsec: T2023: cli: move "cipher" and "encryption" under new "secutiry" node
  macsec: T2023: extend key generator for CAK and CKN in operation mode
  macsec: T2023: remove gcm-aes-256 cipher type
  macsec: T2023: cipher suite is mandatory
  macsec: T2023: use list when working with Config()
  macsec: T2023: add 'show interfaces macsec' op-mode tree
  macsec: T2023: add optional encryption command
  macsec: T2023: generate secure channel keys in operation mode
  macsec: T2023: add initial XML and Python interfaces
  ifconfig: T2023: add initial MACsec abstraction
  interface: T2023: adopt _delete() to common style
  interface: T2023: remove superfluous at end of list
  macvlan: T2023: prepare common source interface include file

3 files changed, 76 insertions, 2 deletions

diff --git a/python/vyos/ifconfig/__init__.py b/python/vyos/ifconfig/__init__.py
index 4d98901b7..1757adf26 100644
--- a/python/vyos/ifconfig/__init__.py
+++ b/python/vyos/ifconfig/__init__.py
@@ -42,3 +42,4 @@ from vyos.ifconfig.tunnel import SitIf
 from vyos.ifconfig.tunnel import Sit6RDIf
 from vyos.ifconfig.wireless import WiFiIf
 from vyos.ifconfig.l2tpv3 import L2TPv3If
+from vyos.ifconfig.macsec import MACsecIf
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 61f2c6482..07efc6d97 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -51,7 +51,7 @@ class Interface(Control):
     # WireGuard to modify their display behaviour
     OperationalClass = Operational
 
-    options = ['debug', 'create',]
+    options = ['debug', 'create']
     required = []
     default = {
         'type': '',
@@ -265,7 +265,7 @@ class Interface(Control):
         # NOTE (Improvement):
         # after interface removal no other commands should be allowed
         # to be called and instead should raise an Exception:
-        cmd = 'ip link del dev {}'.format(self.config['ifname'])
+        cmd = 'ip link del dev {ifname}'.format(**self.config)
         return self._cmd(cmd)
 
     def get_mtu(self):
diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py
new file mode 100644
index 000000000..ea8c9807e
--- /dev/null
+++ b/python/vyos/ifconfig/macsec.py
@@ -0,0 +1,73 @@
+# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.ifconfig.interface import Interface
+
+@Interface.register
+class MACsecIf(Interface):
+    """
+    MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in
+    2006. It defines a way to establish a protocol independent connection
+    between two hosts with data confidentiality, authenticity and/or integrity,
+    using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a
+    layer 2 protocol, which means it's designed to secure traffic within a
+    layer 2 network, including DHCP or ARP requests. It does not compete with
+    other security solutions such as IPsec (layer 3) or TLS (layer 4), as all
+    those solutions are used for their own specific use cases.
+    """
+
+    default = {
+        'type': 'macsec',
+        'security_cipher': '',
+        'source_interface': ''
+    }
+    definition = {
+        **Interface.definition,
+        **{
+            'section': 'macsec',
+            'prefixes': ['macsec', ],
+        },
+    }
+    options = Interface.options + \
+        ['security_cipher', 'source_interface']
+
+    def _create(self):
+        """
+        Create MACsec interface in OS kernel. Interface is administrative
+        down by default.
+        """
+        # create tunnel interface
+        cmd  = 'ip link add link {source_interface} {ifname} type {type}'
+        cmd += ' cipher {security_cipher}'
+        self._cmd(cmd.format(**self.config))
+
+        # interface is always A/D down. It needs to be enabled explicitly
+        self.set_admin_state('down')
+
+    @staticmethod
+    def get_config():
+        """
+        MACsec interfaces require a configuration when they are added using
+        iproute2. This static method will provide the configuration dictionary
+        used by this class.
+
+        Example:
+        >> dict = MACsecIf().get_config()
+        """
+        config = {
+            'security_cipher': '',
+            'source_interface': '',
+        }
+        return config