From e31dfd9f5542b0572e3ece89bdc347679b08aa72 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 21 Sep 2020 22:24:25 +0200
Subject: macsec: T2788: source-interface must not be member of a bridge

Add verify() step to ensure the macsec source-interface is not already part of a bridge interface. This should probably also be checked for bond interfaces.
---
 src/conf_mode/interfaces-macsec.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src')

diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index abf8b05c3..73b62dcf1 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_source_interface
+from vyos.validate import is_member
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -61,6 +62,11 @@ def get_config(config=None):
 base + ['source-interface'])
 macsec.update({'source_interface': source_interface})
+ if 'source_interface' in macsec:
+ # Check if source interface is used by another bridge
+ tmp = is_member(conf, macsec['source_interface'], 'bridge')
+ if tmp: macsec.update({'is_bridge_member_source_interface' : tmp})
+
 return macsec
@@ -88,6 +94,10 @@ def verify(macsec):
 raise ConfigError('Missing mandatory MACsec security '
 'keys as encryption is enabled!')
+ if 'is_bridge_member_source_interface' in macsec:
+ raise ConfigError('source-interface is already member of bridge ' \
+ '{is_bridge_member_source_interface}!'.format(**macsec))
+
 if 'source_interface' in macsec:
 # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
 # and 802.1q) - we need to check the underlaying MTU if our configured
-- 
cgit v1.2.3
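Review bot: The fourth added line of the get_config() hunk folds a statement onto its condition and puts a space before the colon in the dict key, `if tmp: macsec.update({'is_bridge_member_source_interface' : tmp})`; written as `if tmp:` followed by `macsec['is_bridge_member_source_interface'] = tmp` it matches the rest of the file and needs no dict literal. The comment `# Check if source interface is used by another bridge` is misleading because no bridge is involved on the MACsec side; `# Remember which bridge the source interface already belongs to so verify() can reject the configuration` describes what the stored value is. The name `tmp` could also be `bridge` so the later key assignment reads naturally; what is_member() returns when the interface is not a member is not visible here and presumably is a falsy value. get_config() starts before this hunk.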
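Review bot: The backslash continuation on the second added line of the verify() hunk is unnecessary inside the open parenthesis and the file's neighbouring ConfigError call relies on implicit string concatenation without it; dropping the `\` keeps the style consistent. Formatting with `.format(**macsec)` hands the whole interface dict to format() when only one key is used; `'{}!'.format(macsec['is_bridge_member_source_interface'])` makes the dependency explicit. A short comment above the check stating why the restriction exists, such as `# A bridged source interface would carry frames outside the MACsec channel`, would help the next reader, since the commit subject is the only place this rationale appears. verify() continues outside the hunk.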