From 63a3110298e5f3f6d24d5ed57eff0a8abf27f6ac Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Thu, 21 May 2020 12:48:09 +0200
Subject: macsec: T2023: cli: move "cipher" and "encryption" under new
 "secutiry" node

This is best suited as a key is required, too.
---
 interface-definitions/interfaces-macsec.xml.in | 45 +++++++++++++++-----------
 src/conf_mode/interfaces-macsec.py             | 15 +++++----
 2 files changed, 34 insertions(+), 26 deletions(-)

diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index f16760112..53a347f11 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -17,27 +17,34 @@
         </properties>
         <children>
           #include <include/address-ipv4-ipv6.xml.i>
-          <leafNode name="cipher">
+          <node name="security">
             <properties>
-              <help>Cipher suite used</help>
-              <completionHelp>
-                <list>gcm-aes-128</list>
-              </completionHelp>
-              <valueHelp>
-                <format>gcm-aes-128</format>
-                <description>Galois/Counter Mode of AES cipher with 128-bit key (default)</description>
-              </valueHelp>
-              <constraint>
-                <regex>(gcm-aes-128)</regex>
-              </constraint>
+              <help>Security/Encryption Settings</help>
             </properties>
-          </leafNode>
-          <leafNode name="encrypt">
-            <properties>
-              <help>Enable optional MACsec encryption</help>
-              <valueless/>
-            </properties>
-          </leafNode>
+            <children>
+              <leafNode name="cipher">
+                <properties>
+                  <help>Cipher suite used</help>
+                  <completionHelp>
+                    <list>gcm-aes-128</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>gcm-aes-128</format>
+                    <description>Galois/Counter Mode of AES cipher with 128-bit key (default)</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(gcm-aes-128)</regex>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="encrypt">
+                <properties>
+                  <help>Enable optional MACsec encryption</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
           #include <include/interface-description.xml.i>
           #include <include/interface-disable.xml.i>
           #include <include/interface-vrf.xml.i>
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 867df3eb6..fefc50d99 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -20,9 +20,10 @@ from copy import deepcopy
 from sys import exit
 from netifaces import interfaces
 
-from vyos.ifconfig import MACsecIf
-from vyos.configdict import list_diff
 from vyos.config import Config
+from vyos.configdict import list_diff
+from vyos.ifconfig import MACsecIf
+from vyos.template import render
 from vyos.validate import is_member
 from vyos import ConfigError
 
@@ -66,10 +67,6 @@ def get_config():
     if conf.exists(['address']):
         macsec['address'] = conf.return_values(['address'])
 
-    # retrieve interface cipher
-    if conf.exists(['cipher']):
-        macsec['cipher'] = conf.return_value(['cipher'])
-
     # retrieve interface description
     if conf.exists(['description']):
         macsec['description'] = conf.return_value(['description'])
@@ -78,8 +75,12 @@ def get_config():
     if conf.exists(['disable']):
         macsec['disable'] = True
 
+    # retrieve interface cipher
+    if conf.exists(['security', 'cipher']):
+        macsec['cipher'] = conf.return_value(['security', 'cipher'])
+
     # Enable optional MACsec encryption
-    if conf.exists(['encrypt']):
+    if conf.exists(['security', 'encrypt']):
         macsec['encrypt'] = 'on'
 
     # Physical interface
-- 
cgit v1.2.3