authorChristian Poessinger <christian@poessinger.com>2020-05-21 10:43:44 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-21 11:59:08 +0200
commit04d03f5bdd262bbf95f09e6ba3f211ab1d459573 (patch)
tree72ab35b2d9aa5df32711a99948df0937a13ad66f /src/conf_mode
parent5038eb5856b809f339e14dd932dd64fb1204eefc (diff)
downloadvyos-1x-04d03f5bdd262bbf95f09e6ba3f211ab1d459573.tar.gz
vyos-1x-04d03f5bdd262bbf95f09e6ba3f211ab1d459573.zip
macsec: T2023: add optional encryption command
By default MACsec only authenticates traffic but has support for optional encryption. Encryption can now be enabled using: set interfaces macsec <interface> encrypt
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py14
1 files changed, 10 insertions, 4 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index db605295e..fcf23ed0f 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -33,6 +33,7 @@ default_config_data = {
'deleted': False,
'description': '',
'disable': False,
+ 'encrypt': 'off',
'intf': '',
'source_interface': '',
'is_bridge_member': False,
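Review bot: The new `'encrypt': 'off'` default means a MACsec interface configured without the `encrypt` node authenticates frames but sends their payload in cleartext, and nothing in the dict says so. A short comment above the key would make that explicit for the next reader, e.g. `# 'off': integrity only, payload not encrypted; 'on': integrity and confidentiality`. The value is also a string while the neighbouring flags (`'disable'`, `'deleted'`) are booleans; presumably it is handed straight to the interface layer, which is worth stating in the same comment. The dict starts and ends outside this hunk.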
@@ -76,6 +77,10 @@ def get_config():
if conf.exists('disable'):
macsec['disable'] = True
+ # Enable optional MACsec encryption
+ if conf.exists('encrypt'):
+ macsec['encrypt'] = 'on'
+
# Physical interface
if conf.exists(['source-interface']):
macsec['source_interface'] = conf.return_value(['source-interface'])
@@ -143,6 +148,9 @@ def apply(macsec):
# that the interface will only be create if its non existent
i = MACsecIf(macsec['intf'], **conf)
+ # Configure optional encryption
+ i.set_encryption(macsec['encrypt'])
+
# update interface description used e.g. within SNMP
i.set_alias(macsec['description'])
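Review bot: The `i.set_encryption(macsec['encrypt'])` call protects a newly created interface only because it runs before `i.set_admin_state('up')` later in apply(), and the comment does not record that ordering. I would extend it to `# Configure optional encryption - must run before the interface is set 'up' below`. For an interface that already exists and is up, the setting presumably changes on the live link; whether that is acceptable depends on set_encryption(), which is not visible here. apply() begins before and continues past this hunk.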
@@ -159,10 +167,8 @@ def apply(macsec):
if not macsec['is_bridge_member']:
i.set_vrf(macsec['vrf'])
- # disable interface on demand
- if macsec['disable']:
- i.set_admin_state('down')
- else:
+ # Interface is administratively down by default, enable if desired
+ if not macsec['disable']:
i.set_admin_state('up')
return None
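Review bot: With the `set_admin_state('down')` branch removed, setting `disable` on a MACsec interface that is already up may leave it passing traffic. The new comment relies on the interface being administratively down by default, which holds for a freshly created interface, but the comment earlier in apply() says the interface is only created if it does not exist, so an existing one appears to be reused with its current state. Unless apply() removes the interface first (not visible in this hunk), keeping the state explicit avoids that: `i.set_admin_state('down' if macsec['disable'] else 'up')`. apply() begins outside the hunk.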