diff --git a/dockers/docker-macsec/cli-plugin-tests/config_db.json b/dockers/docker-macsec/cli-plugin-tests/config_db.json
index 8c6b6893e560..9f4c266d4284 100644
--- a/dockers/docker-macsec/cli-plugin-tests/config_db.json
+++ b/dockers/docker-macsec/cli-plugin-tests/config_db.json
@@ -2,7 +2,7 @@
 "MACSEC_PROFILE|macsec_profile": {
 "cipher_suite": "GCM-AES-XPN-256",
 "policy": "security",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
 "priority": "0",
 "rekey_period": "900",
diff --git a/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py b/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
index 45ab80c7ed12..3a279bd61272 100644
--- a/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
+++ b/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
@@ -8,7 +8,7 @@
 profile_name = "test"
-primary_cak = "01234567890123456789012345678912"
+primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"
 primary_ckn = "01234567890123456789012345678912"
@@ -48,7 +48,7 @@ def test_macsec_valid_profile(self, mock_cfgdb):
 profile_name = "test"
 profile_map = {
- "primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
+ "primary_cak": "3946080a0407070303530256560a04504650530352565e731f1a5c4f524f4b5a5e547b79777c6663754b5e465253050d0d0503565a48470b0b030604020c520a54",
 "primary_ckn": "01234567890123456789012345678912",
 "priority": 64,
 "cipher_suite": "GCM-AES-XPN-256",
@@ -109,7 +109,7 @@ def test_macsec_port(self, mock_cfgdb):
 runner = CliRunner()
 result = runner.invoke(macsec.macsec, ["profile", "add", "test",
- "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"],
+ "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"],
 obj=cfgdb)
 assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
 result = runner.invoke(macsec.macsec, ["port", "add", "Ethernet0", "test"], obj=cfgdb)
@@ -141,8 +141,8 @@ def test_macsec_invalid_operation(self, mock_cfgdb):
 result = runner.invoke(macsec.macsec, ["profile", "del", "test"], obj=cfgdb)
 assert result.exit_code != 0
- result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+ result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
 assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
 # Repeat add profile
- result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+ result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
 assert result.exit_code != 0
diff --git a/dockers/docker-macsec/cli/config/plugins/macsec.py b/dockers/docker-macsec/cli/config/plugins/macsec.py
index 1b820dfd0e99..9f5ac5bd7bc4 100644
--- a/dockers/docker-macsec/cli/config/plugins/macsec.py
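Review bot: The `profile add` calls in test_macsec_invalid_operation only swap in a 66-character CAK; nothing in the visible hunks asserts that a CAK of the previous 32-character length is now refused, so the tightened length check has no negative coverage here. Add a case next to the repeat-add one that passes the old literal under a new profile name and ends with `assert result.exit_code != 0`, and a second one with a 66-character value that contains a non-hex character. The function body starts and ends outside the hunk, so such a case may already exist elsewhere in the file.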
+++ b/dockers/docker-macsec/cli/config/plugins/macsec.py
@@ -137,11 +137,11 @@ def add_profile(profile, priority, cipher_suite, primary_cak, primary_ckn, polic
 profile_table["cipher_suite"] = cipher_suite
 if "128" in cipher_suite:
- if len(primary_cak) != 32:
- ctx.fail("Expect the length of CAK is 32, but got {}".format(len(primary_cak)))
+ if len(primary_cak) != 66:
+ ctx.fail("Expect the length of CAK is 66, but got {}".format(len(primary_cak)))
 elif "256" in cipher_suite:
- if len(primary_cak) != 64:
- ctx.fail("Expect the length of CAK is 64, but got {}".format(len(primary_cak)))
+ if len(primary_cak) != 130:
+ ctx.fail("Expect the length of CAK is 130, but got {}".format(len(primary_cak)))
 if not is_hexstring(primary_cak):
 ctx.fail("Expect the primary_cak is valid hex string")
 if not is_hexstring(primary_ckn):
diff --git a/files/scripts/arp_update b/files/scripts/arp_update
index f267e05a54cc..14a82ebe4da3 100755
--- a/files/scripts/arp_update
+++ b/files/scripts/arp_update
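Review bot: The new checks in add_profile (`len(primary_cak) != 66` and `!= 130`) hard-code values whose meaning the hunk never states, and the message still says "the length of CAK" although a raw 128-bit or 256-bit key in hex is 32 or 64 characters. The numbers fit a two-character prefix plus two hex digits per character of the old key string, so the option presumably now takes an encoded CAK; if so, say it in a comment such as `# primary_cak is the encoded form: 2-char prefix + 2 hex digits per key character` and in the message, e.g. `"Expect the length of the encoded CAK is 66, but got {}"`. `is_hexstring` only checks the character set, so a 66-character hex string that does not decode to a valid key would still be written to the profile table; decoding it here and failing early would catch that, assuming a decoder is reachable from this plugin. If the encoding is reversible without a secret it is obfuscation rather than protection, so access to the stored profile needs the same care as with a cleartext key. add_profile begins and ends outside the hunk.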
@@ -25,29 +25,35 @@ while /bin/true; do
 for i in ${!STATIC_ROUTE_NEXTHOPS[@]}; do
 nexthop="${STATIC_ROUTE_NEXTHOPS[i]}"
 if [[ $nexthop == *"."* ]]; then
- neigh_state=( $(ip -4 neigh show | grep -w $nexthop | tr -s ' ' | cut -d ' ' -f 3,4) )
+ neigh_state=$(ip -4 neigh show | grep -w $nexthop | tr -s ' ')
 ping_prefix=ping
 elif [[ $nexthop == *":"* ]] ; then
- neigh_state=( $(ip -6 neigh show | grep -w $nexthop | tr -s ' ' | cut -d ' ' -f 3,4) )
+ neigh_state=$(ip -6 neigh show | grep -w $nexthop | tr -s ' ')
 ping_prefix=ping6
 fi
- if [[ -z "${neigh_state}" ]] || [[ "${neigh_state[1]}" == "INCOMPLETE" ]] || [[ "${neigh_state[1]}" == "FAILED" ]]; then
+ # Check if there is an INCOMPLETE, FAILED, or STALE entry and try to resolve it again.
+ # STALE entries may be present if there is no traffic on a path. A far-end down event may not
+ # clear the STALE entry. Refresh the STALE entry to clear the table.
+ if [[ -z "${neigh_state}" ]] || [[ -n $(echo ${neigh_state} | grep 'INCOMPLETE\|FAILED\|STALE') ]]; then
 interface="${STATIC_ROUTE_IFNAMES[i]}"
 if [[ -z "$interface" ]]; then
 # should never be here, handling just in case
 logger "ERR: arp_update: missing interface entry for static route $nexthop"
- interface=${neigh_state[0]}
+ continue
 fi
 intf_up=$(ip link show $interface | grep "state UP")
 if [[ -n "$intf_up" ]]; then
 pingcmd="timeout 0.2 $ping_prefix -I ${interface} -n -q -i 0 -c 1 -W 1 $nexthop >/dev/null"
 eval $pingcmd
- logger "arp_update: static route nexthop not resolved, pinging $nexthop on ${neigh_state[0]}"
+ # STALE entries may appear more often, not logging to prevent periodic syslogs
+ if [[ -z $(echo ${neigh_state} | grep 'STALE') ]]; then
+ logger "arp_update: static route nexthop not resolved ($neigh_state), pinging $nexthop on $interface"
+ fi
 fi
 fi
 done
- sleep 300
+ sleep 150
 continue
 fi
 # find L3 interfaces which are UP, send ipv6 multicast pings
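Review bot: `neigh_state` now holds every line of `ip neigh show` that `grep -w $nexthop` matches, and the pattern is unquoted and read as a regex, so `.` matches any character and, because `:` is not a word character, an IPv6 nexthop can also match a longer address that begins with it. The later `grep 'INCOMPLETE\|FAILED\|STALE'` tests the joined text, so a STALE entry of a different neighbour, or of the same address on another interface, can trigger the ping, and one STALE line suppresses the log for a FAILED one. Asking the kernel for the exact entry avoids this: `neigh_state=$(ip -4 neigh show to "$nexthop" dev "${STATIC_ROUTE_IFNAMES[i]}")`, with `-6` in the other branch. The unchanged `eval $pingcmd` still re-parses `$nexthop` and `$interface` as shell text; running the ping directly with quoted arguments would remove that. The enclosing `while` loop starts and ends outside the hunk.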
diff --git a/platform/broadcom/sonic-platform-modules-nokia b/platform/broadcom/sonic-platform-modules-nokia
index c976714e3f39..af640254883f 160000
--- a/platform/broadcom/sonic-platform-modules-nokia
+++ b/platform/broadcom/sonic-platform-modules-nokia
@@ -1 +1 @@
-Subproject commit c976714e3f39fc22b5c616ae0f4aadbd2bd4360f
+Subproject commit af640254883fd39489e32cc1a13908d82da3833a
diff --git a/src/sonic-config-engine/tests/macsec_profile.json b/src/sonic-config-engine/tests/macsec_profile.json
index b70f1a052128..87e633e49b9d 100644
--- a/src/sonic-config-engine/tests/macsec_profile.json
+++ b/src/sonic-config-engine/tests/macsec_profile.json
@@ -2,18 +2,18 @@
 "MACSEC_PROFILE":{
 "macsec-profile": {
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "priority": "0",
 "rekey_period": "60"
 },
 "macsec-profile2": {
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "priority": "0",
 "rekey_period": "60"
diff --git a/src/sonic-swss b/src/sonic-swss
index d787d50d9fcb..33d81e7feaeb 160000
--- a/src/sonic-swss
+++ b/src/sonic-swss
@@ -1 +1 @@
-Subproject commit d787d50d9fcbb050c6a87a40faede655f7e95f0e
+Subproject commit 33d81e7feaeb8e016d3a4cb3434da8d5506dc3a4
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 01758961cbcd..93fe09c0ca59 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1943,9 +1943,9 @@
 "test": {
 "priority": "64",
 "cipher_suite": "GCM-AES-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "00000000000000000000000000000000",
+ "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "11111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
index cfd7c512a67a..5c748606eed9 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
@@ -7,9 +7,9 @@
 "name": "test32",
 "priority": 64,
 "cipher_suite": "GCM-AES-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "00000000000000000000000000000000",
+ "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "11111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
@@ -21,9 +21,9 @@
 "name": "test64",
 "priority": 64,
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
@@ -61,7 +61,7 @@
 {
 "name": "test",
 "cipher_suite": "gcm-aes-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70"
 }
 ]
@@ -74,9 +74,9 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "fallback_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
 }
 ]
@@ -89,7 +89,7 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d7",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
 }
 ]
@@ -115,9 +115,9 @@ "MACSEC_PROFILE_LIST": [ { "name": "test", - "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71", "primary_ckn": "6162636465666768696A6B6C6D6E6F70", - "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000", + "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111" } ] @@ -130,7 +130,7 @@ "MACSEC_PROFILE_LIST": [ { "name": "test", - "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71", "primary_ckn": "6162636465666768696A6B6C6D6E6F70", "replay_window": 64 } diff --git a/src/sonic-yang-models/yang-models/sonic-macsec.yang b/src/sonic-yang-models/yang-models/sonic-macsec.yang index 4e3412f86a3d..f4ce318822bf 100644 --- a/src/sonic-yang-models/yang-models/sonic-macsec.yang +++ b/src/sonic-yang-models/yang-models/sonic-macsec.yang @@ -46,7 +46,7 @@ module sonic-macsec { leaf primary_cak { type string { - pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"; + pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}"; } mandatory true; } @@ -60,7 +60,7 @@ module sonic-macsec { leaf fallback_cak { type string { - pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"; + pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}"; } } @@ -70,10 +70,6 @@ module sonic-macsec { } } - must "string-length(primary_cak) = string-length(primary_ckn)"; - - must "string-length(fallback_cak) = string-length(fallback_ckn)"; - must "string-length(fallback_cak) = string-length(primary_cak)"; must "primary_ckn != fallback_ckn";
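Review bot: The patterns on `primary_cak` and `fallback_cak` (hunks at -46 and -60) now accept 66 or 130 hex characters for any `cipher_suite`, and the hunk at -70 drops the `must` that tied `primary_cak` to the length of `primary_ckn`, so nothing visible in the model relates key length to the suite. The CLI plugin changed in this same commit requires 66 for a suite containing "128" and 130 for one containing "256"; configuration loaded into CONFIG_DB without the CLI would pass YANG validation with the wrong length. Consider a constraint such as `must "not(cipher_suite) or (contains(cipher_suite, '128') and string-length(primary_cak) = 66) or (contains(cipher_suite, '256') and string-length(primary_cak) = 130)";`, adjusted to however the default suite is modelled. A `description` on both leaves stating that the value is the encoded form of the key rather than the raw 32/64-character hex would also help, assuming that is what the new lengths mean.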