diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-08-19 18:55:24 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-08-19 18:55:24 +0200 |
commit | f92a23ef9ab8be59681e5b7ba627e399d89bce53 (patch) | |
tree | c086ecc75e99315047dcb4f3926fac3e88712288 /src/conf_mode/interfaces-ethernet.py | |
parent | 1f880973e221b91ac843a27d2e4c0b3de1880b97 (diff) | |
download | vyos-1x-f92a23ef9ab8be59681e5b7ba627e399d89bce53.tar.gz vyos-1x-f92a23ef9ab8be59681e5b7ba627e399d89bce53.zip |
ethernet: T4538: fix wrong systemd unit used for EAPoL
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
Diffstat (limited to 'src/conf_mode/interfaces-ethernet.py')
-rwxr-xr-x | src/conf_mode/interfaces-ethernet.py | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index 30e7a2af7..e02841831 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -153,11 +153,20 @@ def verify(ethernet): return None def generate(ethernet): - if 'eapol' in ethernet: - render(wpa_suppl_conf.format(**ethernet), - 'ethernet/wpa_supplicant.conf.j2', ethernet) + # render real configuration file once + wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet) + + if 'deleted' in ethernet: + # delete configuration on interface removal + if os.path.isfile(wpa_supplicant_conf): + os.unlink(wpa_supplicant_conf) + return None + if 'eapol' in ethernet: ifname = ethernet['ifname'] + + render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet) + cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem') cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key') @@ -184,10 +193,6 @@ def generate(ethernet): write_file(ca_cert_file_path, '\n'.join(encode_certificate(c) for c in ca_full_chain)) - else: - # delete configuration on interface removal - if os.path.isfile(wpa_suppl_conf.format(**ethernet)): - os.unlink(wpa_suppl_conf.format(**ethernet)) return None @@ -203,9 +208,9 @@ def apply(ethernet): else: e.update(ethernet) if 'eapol' in ethernet: - eapol_action='restart' + eapol_action='reload-or-restart' - call(f'systemctl {eapol_action} wpa_supplicant-macsec@{ifname}') + call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}') if __name__ == '__main__': try: |