summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-macsec.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/interfaces-macsec.py')
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py208
1 files changed, 60 insertions, 148 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index a8966148f..6f4e90169 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -18,177 +18,108 @@ import os
from copy import deepcopy
from sys import exit
-from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import list_diff
+from vyos.configdict import dict_merge
from vyos.ifconfig import MACsecIf
from vyos.template import render
from vyos.util import call
from vyos.validate import is_member
+from vyos.configverify import verify_bridge_vrf
+from vyos.configverify import verify_bridge_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_source_interface
+from vyos.xml import defaults
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'address_remove': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'security_cipher': '',
- 'security_encrypt': False,
- 'security_mka_cak': '',
- 'security_mka_ckn': '',
- 'security_mka_priority': '255',
- 'security_replay_window': '',
- 'intf': '',
- 'source_interface': '',
- 'is_bridge_member': False,
- 'vrf': ''
-}
-
# XXX: wpa_supplicant works on the source interface
wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf'
-
def get_config():
- macsec = deepcopy(default_config_data)
+ """ Retrive CLI config as dictionary. Dictionary can never be empty,
+ as at least the interface name will be added or a deleted flag """
conf = Config()
# determine tagNode instance
if 'VYOS_TAGNODE_VALUE' not in os.environ:
raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
- macsec['intf'] = os.environ['VYOS_TAGNODE_VALUE']
- base_path = ['interfaces', 'macsec', macsec['intf']]
+ # retrieve interface default values
+ base = ['interfaces', 'macsec']
+ default_values = defaults(base)
- # check if we are a member of any bridge
- macsec['is_bridge_member'] = is_member(conf, macsec['intf'], 'bridge')
+ ifname = os.environ['VYOS_TAGNODE_VALUE']
+ base = base + [ifname]
+ macsec = conf.get_config_dict(base, key_mangling=('-', '_'))
# Check if interface has been removed
- if not conf.exists(base_path):
- macsec['deleted'] = True
- # When stopping wpa_supplicant we need to stop it via the physical
- # interface - thus we need to retrieve ir from the effective config
- if conf.exists_effective(base_path + ['source-interface']):
- macsec['source_interface'] = conf.return_effective_value(
- base_path + ['source-interface'])
-
- return macsec
-
- # set new configuration level
- conf.set_level(base_path)
-
- # retrieve configured interface addresses
- if conf.exists(['address']):
- macsec['address'] = conf.return_values(['address'])
-
- # retrieve interface description
- if conf.exists(['description']):
- macsec['description'] = conf.return_value(['description'])
-
- # Disable this interface
- if conf.exists(['disable']):
- macsec['disable'] = True
-
- # retrieve interface cipher
- if conf.exists(['security', 'cipher']):
- macsec['security_cipher'] = conf.return_value(['security', 'cipher'])
-
- # Enable optional MACsec encryption
- if conf.exists(['security', 'encrypt']):
- macsec['security_encrypt'] = True
-
- # Secure Connectivity Association Key
- if conf.exists(['security', 'mka', 'cak']):
- macsec['security_mka_cak'] = conf.return_value(
- ['security', 'mka', 'cak'])
-
- # Secure Connectivity Association Name
- if conf.exists(['security', 'mka', 'ckn']):
- macsec['security_mka_ckn'] = conf.return_value(
- ['security', 'mka', 'ckn'])
-
- # MACsec Key Agreement protocol (MKA) actor priority
- if conf.exists(['security', 'mka', 'priority']):
- macsec['security_mka_priority'] = conf.return_value(
- ['security', 'mka', 'priority'])
-
- # IEEE 802.1X/MACsec replay protection
- if conf.exists(['security', 'replay-window']):
- macsec['security_replay_window'] = conf.return_value(
- ['security', 'replay-window'])
-
- # Physical interface
- if conf.exists(['source-interface']):
- macsec['source_interface'] = conf.return_value(['source-interface'])
-
- # Determine interface addresses (currently effective) - to determine which
- # address is no longer valid and needs to be removed from the interface
- eff_addr = conf.return_effective_values(['address'])
- act_addr = conf.return_values(['address'])
- macsec['address_remove'] = list_diff(eff_addr, act_addr)
-
- # retrieve VRF instance
- if conf.exists(['vrf']):
- macsec['vrf'] = conf.return_value(['vrf'])
+ if macsec == {}:
+ tmp = {
+ 'deleted' : '',
+ 'source_interface' : conf.return_effective_value(
+ base + ['source-interface'])
+ }
+ macsec.update(tmp)
+
+ # We have gathered the dict representation of the CLI, but there are
+ # default options which we need to update into the dictionary
+ # retrived.
+ macsec = dict_merge(default_values, macsec)
+
+ # Add interface instance name into dictionary
+ macsec.update({'ifname': ifname})
+
+ # Check if we are a member of any bridge
+ bridge = is_member(conf, ifname, 'bridge')
+ if bridge:
+ tmp = {'is_bridge_member' : bridge}
+ macsec.update(tmp)
return macsec
def verify(macsec):
- if macsec['deleted']:
- if macsec['is_bridge_member']:
- raise ConfigError(
- 'Interface "{intf}" cannot be deleted as it is a '
- 'member of bridge "{is_bridge_member}"!'.format(**macsec))
-
+ if 'deleted' in macsec.keys():
+ verify_bridge_delete(macsec)
return None
- if not macsec['source_interface']:
- raise ConfigError('Physical source interface must be set for '
- 'MACsec "{intf}"'.format(**macsec))
+ verify_source_interface(macsec)
+ verify_bridge_vrf(macsec)
+ verify_bridge_address(macsec)
- if not macsec['security_cipher']:
+ if not (('security' in macsec.keys()) and
+ ('cipher' in macsec['security'].keys())):
raise ConfigError(
- 'Cipher suite must be set for MACsec "{intf}"'.format(**macsec))
-
- if macsec['security_encrypt']:
- if not (macsec['security_mka_cak'] and macsec['security_mka_ckn']):
- raise ConfigError(
- 'MACsec security keys mandartory when encryption is enabled')
+ 'Cipher suite must be set for MACsec "{ifname}"'.format(**macsec))
- if macsec['vrf']:
- if macsec['vrf'] not in interfaces():
- raise ConfigError('VRF "{vrf}" does not exist'.format(**macsec))
+ if (('security' in macsec.keys()) and
+ ('encrypt' in macsec['security'].keys())):
+ tmp = macsec.get('security')
- if macsec['is_bridge_member']:
- raise ConfigError('Interface "{intf}" cannot be member of VRF '
- '"{vrf}" and bridge "{is_bridge_member}" at '
- 'the same time!'.format(**macsec))
-
- if macsec['is_bridge_member'] and macsec['address']:
- raise ConfigError(
- 'Cannot assign address to interface "{intf}" as it is'
- 'a member of bridge "{is_bridge_member}"!'.format(**macsec))
+ if not (('mka' in tmp.keys()) and
+ ('cak' in tmp['mka'].keys()) and
+ ('ckn' in tmp['mka'].keys())):
+ raise ConfigError('Missing mandatory MACsec security '
+ 'keys as encryption is enabled!')
return None
def generate(macsec):
render(wpa_suppl_conf.format(**macsec),
- 'macsec/wpa_supplicant.conf.tmpl', macsec, permission=0o640)
+ 'macsec/wpa_supplicant.conf.tmpl', macsec)
return None
def apply(macsec):
# Remove macsec interface
- if macsec['deleted']:
+ if 'deleted' in macsec.keys():
call('systemctl stop wpa_supplicant-macsec@{source_interface}'
.format(**macsec))
- MACsecIf(macsec['intf']).remove()
+
+ MACsecIf(macsec['ifname']).remove()
# delete configuration on interface removal
if os.path.isfile(wpa_suppl_conf.format(**macsec)):
@@ -198,35 +129,16 @@ def apply(macsec):
# MACsec interfaces require a configuration when they are added using
# iproute2. This static method will provide the configuration
# dictionary used by this class.
- conf = deepcopy(MACsecIf.get_config())
- # Assign MACsec instance configuration parameters to config dict
+ # XXX: subject of removal after completing T2653
+ conf = deepcopy(MACsecIf.get_config())
conf['source_interface'] = macsec['source_interface']
- conf['security_cipher'] = macsec['security_cipher']
+ conf['security_cipher'] = macsec['security']['cipher']
# It is safe to "re-create" the interface always, there is a sanity
# check that the interface will only be create if its non existent
- i = MACsecIf(macsec['intf'], **conf)
-
- # update interface description used e.g. within SNMP
- i.set_alias(macsec['description'])
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in macsec['address_remove']:
- i.del_addr(addr)
- for addr in macsec['address']:
- i.add_addr(addr)
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not macsec['is_bridge_member']:
- i.set_vrf(macsec['vrf'])
-
- # Interface is administratively down by default, enable if desired
- if not macsec['disable']:
- i.set_admin_state('up')
+ i = MACsecIf(macsec['ifname'], **conf)
+ i.update(macsec)
call('systemctl restart wpa_supplicant-macsec@{source_interface}'
.format(**macsec))