From 42af97586fe446783996721058be8fb1404de30b Mon Sep 17 00:00:00 2001
From: Ze Gan
Date: Fri, 29 Apr 2022 18:38:17 +0800
Subject: [PATCH] [vslib]: Update packet number of MACsec SA at runtime (#1007)
---
 unittest/vslib/TestMACsecManager.cpp | 21 +++++++++++++++
 unittest/vslib/TestSwitchStateBaseMACsec.cpp | 16 ++++++++++++
 vslib/MACsecManager.cpp | 27 ++++++++++++++++++++
 vslib/MACsecManager.h | 4 +++
 vslib/SwitchStateBase.cpp | 7 +++++
 vslib/SwitchStateBase.h | 4 +++
 vslib/SwitchStateBaseMACsec.cpp | 24 +++++++++++++++++
 7 files changed, 103 insertions(+)
diff --git a/unittest/vslib/TestMACsecManager.cpp b/unittest/vslib/TestMACsecManager.cpp
index b1d8264b1646..049f3fecb4b9 100644
--- a/unittest/vslib/TestMACsecManager.cpp
+++ b/unittest/vslib/TestMACsecManager.cpp
@@ -27,3 +27,24 @@ TEST(MACsecManager, create_macsec_ingress_sa)
 attr.m_sak = "";
 manager.create_macsec_ingress_sa(attr);
 }
+
+TEST(MACsecManager, update_macsec_sa_pn)
+{
+ // This is a system call that may not be valid in the test environment,
+ // So, this case is just for the testing coverage checking.
+
+ MACsecManager manager;
+
+ MACsecAttr attr;
+ attr.m_vethName = "eth0";
+ attr.m_macsecName = "macsec_eth0";
+ attr.m_sci = "02:42:ac:11:00:03";
+ attr.m_an = 0;
+ attr.m_pn = 1;
+ attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_XPN_128;
+ attr.m_ssci = 0x1;
+ attr.m_salt = "";
+ attr.m_authKey = "";
+ attr.m_sak = "";
+ manager.update_macsec_sa_pn(attr, 2);
+}
diff --git a/unittest/vslib/TestSwitchStateBaseMACsec.cpp b/unittest/vslib/TestSwitchStateBaseMACsec.cpp
index 623119cde0c2..5a55bc3d7ae1 100644
--- a/unittest/vslib/TestSwitchStateBaseMACsec.cpp
+++ b/unittest/vslib/TestSwitchStateBaseMACsec.cpp
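Review bot: The new update_macsec_sa_pn test never sets attr.m_direction, so which of the two command forms (tx, or rx sci) is exercised depends on MACsecAttr's default and the sci branch may not be covered at all; set it explicitly, `attr.m_direction = SAI_MACSEC_DIRECTION_INGRESS;`, or add a second case for the other direction so the test documents which path it runs. The boolean returned by update_macsec_sa_pn is discarded; since the comment already concedes the command may not run in the test environment, a comment saying that only the command-building path is being covered would make that intent clear.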
@@ -110,3 +110,19 @@ TEST(SwitchStateBase, removeMACsecPort)
 EXPECT_EQ(1, ss.m_macsecFlowPortMap.size());
 EXPECT_EQ(1, ss.m_uncreatedIngressMACsecSAs.size());
 }
+
+TEST(SwitchStateBase, setMACsecSA)
+{
+ // Due to this function highly depends on system environment which cannot be tested directly,
+ // Just create this Test block for passing coverage
+ auto sc = std::make_shared(0, "");
+ auto scc = std::make_shared();
+
+ SwitchStateBase ss(
+ 0x2100000000,
+ std::make_shared(0, scc),
+ sc);
+
+ ss.setMACsecSA(0, nullptr);
+}
+
diff --git a/vslib/MACsecManager.cpp b/vslib/MACsecManager.cpp
index 0d3809c10161..389f9f293069 100644
--- a/vslib/MACsecManager.cpp
+++ b/vslib/MACsecManager.cpp
@@ -292,6 +292,33 @@ bool MACsecManager::enable_macsec_filter(
 return true;
 }
+bool MACsecManager::update_macsec_sa_pn(
+ _In_ const MACsecAttr &attr,
+ _In_ sai_uint64_t pn)
+{
+ SWSS_LOG_ENTER();
+
+ std::ostringstream ostream;
+ ostream
+ << "/sbin/ip macsec set "
+ << shellquote(attr.m_macsecName);
+
+ if (attr.m_direction == SAI_MACSEC_DIRECTION_EGRESS)
+ {
+ ostream << " tx";
+ }
+ else
+ {
+ ostream << " rx sci " << attr.m_sci;
+ }
+
+ ostream << " sa " << attr.m_an << " pn " << pn;
+
+ SWSS_LOG_NOTICE("%s", ostream.str().c_str());
+
+ return exec(ostream.str());
+}
+
 bool MACsecManager::get_macsec_sa_pn(
 _In_ const MACsecAttr &attr,
 _Out_ sai_uint64_t &pn) const
diff --git a/vslib/MACsecManager.h b/vslib/MACsecManager.h
index 5ff0d9dc1273..8825edef80cd 100644
--- a/vslib/MACsecManager.h
+++ b/vslib/MACsecManager.h
@@ -36,6 +36,10 @@ namespace saivs
 _In_ const std::string &macsecInterface,
 _In_ bool enable);
+ bool update_macsec_sa_pn(
+ _In_ const MACsecAttr &attr,
+ _In_ sai_uint64_t pn);
+
 bool get_macsec_sa_pn(
 _In_ const MACsecAttr &attr,
 _Out_ sai_uint64_t &pn) const;
diff --git a/vslib/SwitchStateBase.cpp b/vslib/SwitchStateBase.cpp
index e9539ae80d08..e977c0335bec 100644
--- a/vslib/SwitchStateBase.cpp
+++ b/vslib/SwitchStateBase.cpp
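Review bot: In update_macsec_sa_pn the ingress branch writes attr.m_sci into the `/sbin/ip macsec set` command line unquoted, while attr.m_macsecName a few lines earlier goes through shellquote(); both interpolated strings should be treated the same, `ostream << " rx sci " << shellquote(attr.m_sci);`, so the command cannot be broken apart by an unexpected SCI value whatever its origin. The function has no header comment; one stating that it reprograms the packet number of an already-installed kernel SA through iproute2 (tx for egress, rx plus sci otherwise) and returns exec()'s success flag would help readers, since nothing is logged here on failure and the caller is relied on to warn. The hunk in MACsecManager.h adds only the matching declaration.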
@@ -520,6 +520,13 @@ sai_status_t SwitchStateBase::set(
 return setAclEntry(objectId, attr);
 }
+ if (objectType == SAI_OBJECT_TYPE_MACSEC_SA)
+ {
+ sai_object_id_t objectId;
+ sai_deserialize_object_id(serializedObjectId, objectId);
+ return setMACsecSA(objectId, attr);
+ }
+
 return set_internal(objectType, serializedObjectId, attr);
 }
diff --git a/vslib/SwitchStateBase.h b/vslib/SwitchStateBase.h
index dd53e0310858..76f2527c88e1 100644
--- a/vslib/SwitchStateBase.h
+++ b/vslib/SwitchStateBase.h
@@ -521,6 +521,10 @@ namespace saivs
 _In_ sai_object_id_t entry_id,
 _In_ const sai_attribute_t* attr);
+ sai_status_t setMACsecSA(
+ _In_ sai_object_id_t macsec_sa_id,
+ _In_ const sai_attribute_t* attr);
+
 sai_status_t createMACsecPort(
 _In_ sai_object_id_t macsec_sa_id,
 _In_ sai_object_id_t switch_id,
diff --git a/vslib/SwitchStateBaseMACsec.cpp b/vslib/SwitchStateBaseMACsec.cpp
index e34b5dd9b60c..bdc43395101b 100644
--- a/vslib/SwitchStateBaseMACsec.cpp
+++ b/vslib/SwitchStateBaseMACsec.cpp
@@ -138,6 +138,30 @@ sai_status_t SwitchStateBase::setAclEntryMACsecFlowActive(
 return SAI_STATUS_SUCCESS;
 }
+sai_status_t SwitchStateBase::setMACsecSA(
+ _In_ sai_object_id_t macsec_sa_id,
+ _In_ const sai_attribute_t* attr)
+{
+ SWSS_LOG_ENTER();
+
+ MACsecAttr macsecAttr;
+
+ CHECK_STATUS(loadMACsecAttr(SAI_OBJECT_TYPE_MACSEC_SA, macsec_sa_id, macsecAttr));
+
+ if (attr->id == SAI_MACSEC_SA_ATTR_MINIMUM_INGRESS_XPN || attr->id == SAI_MACSEC_SA_ATTR_CONFIGURED_EGRESS_XPN)
+ {
+ if (!m_macsecManager.update_macsec_sa_pn(macsecAttr, attr->value.u64))
+ {
+ SWSS_LOG_WARN("Fail to update PN (%" PRIu64 ") of MACsec SA %s", attr->value.u64, sai_serialize_object_id(macsec_sa_id).c_str());
+
+ return SAI_STATUS_FAILURE;
+ }
+ }
+
+ auto sid = sai_serialize_object_id(macsec_sa_id);
+ return set_internal(SAI_OBJECT_TYPE_MACSEC_SA, sid, attr);
+}
+
 sai_status_t SwitchStateBase::createMACsecPort(
 _In_ sai_object_id_t macsecSaId,
 _In_ sai_object_id_t switchId,
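Review bot: setMACsecSA dereferences attr (`attr->id`, `attr->value.u64`) without a null check, and the new unit test in TestSwitchStateBaseMACsec.cpp calls `ss.setMACsecSA(0, nullptr)`, so that test only avoids a null dereference if loadMACsecAttr() happens to fail for object id 0 before the attribute is read, which nothing in this hunk guarantees; add `if (attr == nullptr) { SWSS_LOG_ERROR("attr is null"); return SAI_STATUS_INVALID_PARAMETER; }` ahead of the load so the contract is explicit and the test exercises it on purpose. The attribute id is also not cross-checked against macsecAttr.m_direction, so a SAI_MACSEC_SA_ATTR_CONFIGURED_EGRESS_XPN set on an ingress SA would be sent as an rx command and the reverse as tx; either reject the mismatched combination or add a comment stating that the direction is taken from the stored SA, not from which XPN attribute was set. The dispatch added in SwitchStateBase.cpp only routes SAI_OBJECT_TYPE_MACSEC_SA here and raises nothing on its own.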