1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
#!/usr/bin/env python3
#
# Copyright (C) 2020-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from netifaces import interfaces
from sys import exit
from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configdict import is_node_changed
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_mirror_redirect
from vyos.configverify import verify_source_interface
from vyos.configverify import verify_bond_bridge_member
from vyos.ifconfig import MACsecIf
from vyos.ifconfig import Interface
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
from vyos.util import is_systemd_service_running
from vyos import ConfigError
from vyos import airbag
airbag.enable()
# XXX: wpa_supplicant works on the source interface
wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf'
def get_config(config=None):
"""
Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
interface name will be added or a deleted flag
"""
if config:
conf = config
else:
conf = Config()
base = ['interfaces', 'macsec']
ifname, macsec = get_interface_dict(conf, base)
# Check if interface has been removed
if 'deleted' in macsec:
source_interface = conf.return_effective_value(base + [ifname, 'source-interface'])
macsec.update({'source_interface': source_interface})
if is_node_changed(conf, base + [ifname, 'security']):
macsec.update({'shutdown_required': {}})
if is_node_changed(conf, base + [ifname, 'source_interface']):
macsec.update({'shutdown_required': {}})
return macsec
def verify(macsec):
if 'deleted' in macsec:
verify_bridge_delete(macsec)
return None
verify_source_interface(macsec)
verify_vrf(macsec)
verify_mtu_ipv6(macsec)
verify_address(macsec)
verify_bond_bridge_member(macsec)
verify_mirror_redirect(macsec)
if dict_search('security.cipher', macsec) == None:
raise ConfigError('Cipher suite must be set for MACsec "{ifname}"'.format(**macsec))
if dict_search('security.encrypt', macsec) != None:
if dict_search('security.mka.cak', macsec) == None or dict_search('security.mka.ckn', macsec) == None:
raise ConfigError('Missing mandatory MACsec security keys as encryption is enabled!')
cak_len = len(dict_search('security.mka.cak', macsec))
if dict_search('security.cipher', macsec) == 'gcm-aes-128' and cak_len != 32:
# gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit
raise ConfigError('gcm-aes-128 requires a 128bit long key!')
elif dict_search('security.cipher', macsec) == 'gcm-aes-256' and cak_len != 64:
# gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit
raise ConfigError('gcm-aes-128 requires a 256bit long key!')
if 'source_interface' in macsec:
# MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
# and 802.1q) - we need to check the underlaying MTU if our configured
# MTU is at least 40 bytes less then the MTU of our physical interface.
lower_mtu = Interface(macsec['source_interface']).get_mtu()
if lower_mtu < (int(macsec['mtu']) + 40):
raise ConfigError('MACsec overhead does not fit into underlaying device MTU,\n' \
f'{lower_mtu} bytes is too small!')
return None
def generate(macsec):
render(wpa_suppl_conf.format(**macsec), 'macsec/wpa_supplicant.conf.j2', macsec)
return None
def apply(macsec):
systemd_service = 'wpa_supplicant-macsec@{source_interface}'.format(**macsec)
# Remove macsec interface on deletion or mandatory parameter change
if 'deleted' in macsec or 'shutdown_required' in macsec:
call(f'systemctl stop {systemd_service}')
if macsec['ifname'] in interfaces():
tmp = MACsecIf(macsec['ifname'])
tmp.remove()
if 'deleted' in macsec:
# delete configuration on interface removal
if os.path.isfile(wpa_suppl_conf.format(**macsec)):
os.unlink(wpa_suppl_conf.format(**macsec))
return None
# It is safe to "re-create" the interface always, there is a sanity
# check that the interface will only be create if its non existent
i = MACsecIf(**macsec)
i.update(macsec)
if not is_systemd_service_running(systemd_service) or 'shutdown_required' in macsec:
call(f'systemctl reload-or-restart {systemd_service}')
return None
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)
|