author | Christian Poessinger <christian@poessinger.com> | 2020-05-21 10:43:44 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-21 11:59:08 +0200 |
commit | 04d03f5bdd262bbf95f09e6ba3f211ab1d459573 (patch) | |
tree | 72ab35b2d9aa5df32711a99948df0937a13ad66f /src/conf_mode | |
parent | 5038eb5856b809f339e14dd932dd64fb1204eefc (diff) | |
macsec: T2023: add optional encryption command
By default MACsec only authenticates traffic but has support for optional
encryption. Encryption can now be enabled using:
set interfaces macsec <interface> encrypt
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index db605295e..fcf23ed0f 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -33,6 +33,7 @@ default_config_data = {
 'deleted': False,
 'description': '',
 'disable': False,
+ 'encrypt': 'off',
 'intf': '',
 'source_interface': '',
 'is_bridge_member': False,
@@ -76,6 +77,10 @@ def get_config():
 if conf.exists('disable'):
 macsec['disable'] = True

+ # Enable optional MACsec encryption
+ if conf.exists('encrypt'):
+ macsec['encrypt'] = 'on'
+
 # Physical interface
 if conf.exists(['source-interface']):
 macsec['source_interface'] = conf.return_value(['source-interface'])
@@ -143,6 +148,9 @@ def apply(macsec):
 # that the interface will only be create if its non existent
 i = MACsecIf(macsec['intf'], **conf)

+ # Configure optional encryption
+ i.set_encryption(macsec['encrypt'])
+
 # update interface description used e.g. within SNMP
 i.set_alias(macsec['description'])

@@ -159,10 +167,8 @@ def apply(macsec):
 if not macsec['is_bridge_member']:
 i.set_vrf(macsec['vrf'])

- # disable interface on demand
- if macsec['disable']:
- i.set_admin_state('down')
- else:
+ # Interface is administratively down by default, enable if desired
+ if not macsec['disable']:
 i.set_admin_state('up')

 return None |
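Review bot: The new `'encrypt': 'off'` default in `default_config_data` is a string flag sitting beside boolean ones such as `'disable': False`, and nothing at the definition says what 'off' means for the link. Going by the commit description, an interface left at this default authenticates frames but does not encrypt the payload, which is easy to miss when reading the dict. I would add a comment on that line, e.g. `# 'off': authentication only, payload not encrypted; 'on': authentication plus encryption`, and the same wording would fit the `# Enable optional MACsec encryption` comment in the `get_config()` hunk. The dict starts and ends outside the hunk.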
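Review bot: With the `else` branch reworked in the last hunk of `apply()`, a configuration that sets `disable` no longer calls `i.set_admin_state('down')` at all. The context comment in the previous hunk says the interface is only created if it does not exist, so if `apply()` can run against an interface that is already up (the earlier part of the function is not visible here), setting `disable` would leave a link passing traffic that the operator believes is shut. Setting the state explicitly avoids relying on the creation default: `i.set_admin_state('down' if macsec['disable'] else 'up')`. The body of `apply()` begins outside the hunk.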