…into 202205
mssonicbld committed Sep 9, 2023
2 parents 52928ca + 2b302e8 commit 87d9be3
Showing 10 changed files with 43 additions and 41 deletions.
2 changes: 1 addition & 1 deletion dockers/docker-macsec/cli-plugin-tests/config_db.json
@@ -2,7 +2,7 @@
"MACSEC_PROFILE|macsec_profile": {
"cipher_suite": "GCM-AES-XPN-256",
"policy": "security",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
"priority": "0",
"rekey_period": "900",
10 changes: 5 additions & 5 deletions dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
@@ -8,7 +8,7 @@


profile_name = "test"
primary_cak = "01234567890123456789012345678912"
primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"
primary_ckn = "01234567890123456789012345678912"


@@ -48,7 +48,7 @@ def test_macsec_valid_profile(self, mock_cfgdb):

profile_name = "test"
profile_map = {
"primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
"primary_cak": "3946080a0407070303530256560a04504650530352565e731f1a5c4f524f4b5a5e547b79777c6663754b5e465253050d0d0503565a48470b0b030604020c520a54",
"primary_ckn": "01234567890123456789012345678912",
"priority": 64,
"cipher_suite": "GCM-AES-XPN-256",
@@ -109,7 +109,7 @@ def test_macsec_port(self, mock_cfgdb):
runner = CliRunner()

result = runner.invoke(macsec.macsec, ["profile", "add", "test",
"--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"],
"--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"],
obj=cfgdb)
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
result = runner.invoke(macsec.macsec, ["port", "add", "Ethernet0", "test"], obj=cfgdb)
@@ -141,8 +141,8 @@ def test_macsec_invalid_operation(self, mock_cfgdb):
result = runner.invoke(macsec.macsec, ["profile", "del", "test"], obj=cfgdb)
assert result.exit_code != 0

result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
# Repeat add profile
result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
assert result.exit_code != 0
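Review bot: None of the visible hunks adds a case asserting that a CAK in the previous 32- or 64-character form is now rejected, although that rejection is the behaviour change the new length check in `add_profile` introduces; the tests only swap in the newly accepted value. A negative case in `test_macsec_invalid_operation`, invoking `profile add` with `--primary_cak=01234567890123456789012345678912` and asserting `result.exit_code != 0`, would pin it. Separately, the 66-character literal is repeated in three `runner.invoke` calls although the module already defines `primary_cak`; building the option as `"--primary_cak=" + primary_cak` keeps the fixture in one place. The test bodies extend beyond the hunks shown.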
8 changes: 4 additions & 4 deletions dockers/docker-macsec/cli/config/plugins/macsec.py
@@ -137,11 +137,11 @@ def add_profile(profile, priority, cipher_suite, primary_cak, primary_ckn, polic
profile_table["cipher_suite"] = cipher_suite

if "128" in cipher_suite:
if len(primary_cak) != 32:
ctx.fail("Expect the length of CAK is 32, but got {}".format(len(primary_cak)))
if len(primary_cak) != 66:
ctx.fail("Expect the length of CAK is 66, but got {}".format(len(primary_cak)))
elif "256" in cipher_suite:
if len(primary_cak) != 64:
ctx.fail("Expect the length of CAK is 64, but got {}".format(len(primary_cak)))
if len(primary_cak) != 130:
ctx.fail("Expect the length of CAK is 130, but got {}".format(len(primary_cak)))
if not is_hexstring(primary_cak):
ctx.fail("Expect the primary_cak is valid hex string")
if not is_hexstring(primary_ckn):
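Review bot: The new length checks in `add_profile` compare `len(primary_cak)` against bare 66 and 130 with nothing saying why, and the error text now tells an operator that a CAK is 66 or 130 characters long when the selected cipher suite is still a 128- or 256-bit one. The numbers imply the CLI now takes an encoded form of the key, so I would add a comment such as `# CAK arrives encoded, not as raw key hex: 66 chars for a 128-bit suite, 130 for a 256-bit suite` and reword the message to `"Expect the length of the encoded CAK is 66, but got {}"`. The check also validates only the envelope: any 66- or 130-digit hex string passes `is_hexstring`, whether or not it decodes to a valid key, so a mistyped value would be stored and fail only later; decoding it here and checking the result would catch that. If the encoding is reversible obfuscation rather than encryption (not determinable from this hunk), the comment should say so, so the stored value is not mistaken for a protected secret. The function starts and ends outside the hunk.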
18 changes: 12 additions & 6 deletions files/scripts/arp_update
@@ -25,29 +25,35 @@ while /bin/true; do
for i in ${!STATIC_ROUTE_NEXTHOPS[@]}; do
nexthop="${STATIC_ROUTE_NEXTHOPS[i]}"
if [[ $nexthop == *"."* ]]; then
neigh_state=( $(ip -4 neigh show | grep -w $nexthop | tr -s ' ' | cut -d ' ' -f 3,4) )
neigh_state=$(ip -4 neigh show | grep -w $nexthop | tr -s ' ')
ping_prefix=ping
elif [[ $nexthop == *":"* ]] ; then
neigh_state=( $(ip -6 neigh show | grep -w $nexthop | tr -s ' ' | cut -d ' ' -f 3,4) )
neigh_state=$(ip -6 neigh show | grep -w $nexthop | tr -s ' ')
ping_prefix=ping6
fi
if [[ -z "${neigh_state}" ]] || [[ "${neigh_state[1]}" == "INCOMPLETE" ]] || [[ "${neigh_state[1]}" == "FAILED" ]]; then
# Check if there is an INCOMPLETE, FAILED, or STALE entry and try to resolve it again.
# STALE entries may be present if there is no traffic on a path. A far-end down event may not
# clear the STALE entry. Refresh the STALE entry to clear the table.
if [[ -z "${neigh_state}" ]] || [[ -n $(echo ${neigh_state} | grep 'INCOMPLETE\|FAILED\|STALE') ]]; then
interface="${STATIC_ROUTE_IFNAMES[i]}"
if [[ -z "$interface" ]]; then
# should never be here, handling just in case
logger "ERR: arp_update: missing interface entry for static route $nexthop"
interface=${neigh_state[0]}
continue
fi
intf_up=$(ip link show $interface | grep "state UP")
if [[ -n "$intf_up" ]]; then
pingcmd="timeout 0.2 $ping_prefix -I ${interface} -n -q -i 0 -c 1 -W 1 $nexthop >/dev/null"
eval $pingcmd
logger "arp_update: static route nexthop not resolved, pinging $nexthop on ${neigh_state[0]}"
# STALE entries may appear more often, not logging to prevent periodic syslogs
if [[ -z $(echo ${neigh_state} | grep 'STALE') ]]; then
logger "arp_update: static route nexthop not resolved ($neigh_state), pinging $nexthop on $interface"
fi
fi
fi
done

sleep 300
sleep 150
continue
fi
# find L3 interfaces which are UP, send ipv6 multicast pings
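Review bot: The new `neigh_state=$(ip -4 neigh show | grep -w $nexthop | tr -s ' ')` line and its `ip -6` twin pass the next hop to grep unquoted and as a regular expression, so each `.` matches any character and another neighbour's line can be captured; because the state test now greps the whole captured text for `INCOMPLETE\|FAILED\|STALE`, one unrelated match changes whether the ping is sent. Matching literally with `grep -wF -- "$nexthop"`, or asking for the single entry with `ip -4 neigh show to "$nexthop"`, removes the ambiguity. The unchanged `eval $pingcmd` re-parses a string containing `$interface` and `$nexthop`; where those arrays are filled is outside this hunk, but running the command directly with quoted arguments, `timeout 0.2 "$ping_prefix" -I "$interface" -n -q -i 0 -c 1 -W 1 "$nexthop" >/dev/null`, avoids shell re-interpretation of configuration-derived values. The enclosing `while` loop starts before and continues after the hunk.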
2 changes: 1 addition & 1 deletion platform/broadcom/sonic-platform-modules-nokia
8 changes: 4 additions & 4 deletions src/sonic-config-engine/tests/macsec_profile.json
@@ -2,18 +2,18 @@
"MACSEC_PROFILE":{
"macsec-profile": {
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"priority": "0",
"rekey_period": "60"
},
"macsec-profile2": {
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"priority": "0",
"rekey_period": "60"
2 changes: 1 addition & 1 deletion src/sonic-swss
4 changes: 2 additions & 2 deletions src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1943,9 +1943,9 @@
"test": {
"priority": "64",
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
@@ -7,9 +7,9 @@
"name": "test32",
"priority": 64,
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
@@ -21,9 +21,9 @@
"name": "test64",
"priority": 64,
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
@@ -61,7 +61,7 @@
{
"name": "test",
"cipher_suite": "gcm-aes-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
}
]
@@ -74,9 +74,9 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
"fallback_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
}
]
@@ -89,7 +89,7 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d7",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
}
]
Expand All @@ -115,9 +115,9 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
}
]
@@ -130,7 +130,7 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"replay_window": 64
}
8 changes: 2 additions & 6 deletions src/sonic-yang-models/yang-models/sonic-macsec.yang
@@ -46,7 +46,7 @@ module sonic-macsec {

leaf primary_cak {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
}
mandatory true;
}
@@ -60,7 +60,7 @@ module sonic-macsec {

leaf fallback_cak {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
}
}

@@ -70,10 +70,6 @@ module sonic-macsec {
}
}

must "string-length(primary_cak) = string-length(primary_ckn)";

must "string-length(fallback_cak) = string-length(fallback_ckn)";

must "string-length(fallback_cak) = string-length(primary_cak)";

must "primary_ckn != fallback_ckn";
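Review bot: The `primary_cak` and `fallback_cak` leaves now accept `[0-9a-fA-F]{66}|[0-9a-fA-F]{130}` but carry no `description`, so the model gives no hint that the value is an encoded form of the key rather than the 32- or 64-digit CAK itself. I would add to each leaf something like `description "CAK in encoded form: 66 hex characters for a 128-bit cipher suite, 130 for a 256-bit one.";`. With `must "string-length(primary_cak) = string-length(primary_ckn)"` and its fallback twin removed, nothing visible here relates CAK length to the rest of the profile, so a 66-character CAK alongside a 256-bit `cipher_suite` would appear to pass model validation and be caught only by the CLI check. A `must` tying the CAK length to `cipher_suite` would close that gap, assuming that leaf sits in the same list entry, which is outside these hunks.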
