Add MACsec support and fix test failures (#322) #1075

Draft
wants to merge 1 commit into
base: main
ljluestc
Add MACsec Support and Fix Test Failures (#322)

This pull request implements MACsec (Media Access Control Security) support for the netlink library, addressing issue #322. The changes enable the creation and configuration of MACsec links, transmit and receive secure associations (SA), and receive secure channels (SC), aligning with the Linux kernel's MACsec driver and the ip macsec command.

Changes

  • New Functionality:
    • Added Macsec struct to represent MACsec link devices.
    • Implemented LinkAddMacsec to create MACsec links with attributes like SCI, cipher suite, and replay protection.
    • Added MacsecAddTxSA, MacsecAddRxSC, and MacsecAddRxSA to configure transmit/receive SAs and SCs.
    • Defined MACsec-specific Netlink attributes (IFLA_MACSEC_*, MACSEC_SA_ATTR_*, MACSEC_RXSC_ATTR_*) based on linux/if_macsec.h.
  • Tests:
    • Added TestMacsecAdd in macsec_test.go to verify MACsec link creation, SA, and SC configuration (requires root and kernel 4.6+).
    • Added TestMacsecAttributesSerialize to validate Netlink attribute serialization.
    • Fixed test serialization errors by correctly handling req.Serialize and attribute nesting.
  • Bug Fixes:
    • Corrected Netlink attribute serialization using RtAttr.Serialize() for nested attributes.
    • Ensured compatibility with the Linux kernel MACsec driver (tested with kernel 5.x).

Testing

  • Unit Tests: Verified with go test -v ./...

  • Manual Verification: Confirmed functionality with ip macsec show, producing expected output:

Implemented MACsec link creation, transmit/receive secure associations, and
secure channels. Fixed test serialization errors and ensured compatibility
with Linux kernel MACsec driver. Addresses issue vishvananda#322.
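
The nested attribute layout that the description refers to (IFLA_INFO_KIND plus IFLA_INFO_DATA carrying the IFLA_MACSEC_* attributes), as an added example that is not code from this pull request or from the netlink library. The helper names `attr`, `macsecLinkInfo` and `parse` are hypothetical, the attribute numbers are the kernel header values, and a little-endian host is assumed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Attribute type values from linux/if_link.h and linux/if_macsec.h.
const (
	IFLA_INFO_KIND, IFLA_INFO_DATA                                   = 1, 2
	IFLA_MACSEC_SCI, IFLA_MACSEC_ENCRYPT, IFLA_MACSEC_REPLAY_PROTECT = 1, 7, 12
)
var ne = binary.LittleEndian // assumption: little-endian host (rtattr headers are host-endian)

// attr encodes one TLV: u16 length (header+payload, unpadded), u16 type, payload, pad to 4.
func attr(typ uint16, payload []byte) []byte {
	b := make([]byte, (4+len(payload)+3)&^3)
	ne.PutUint16(b, uint16(4+len(payload)))
	ne.PutUint16(b[2:], typ)
	copy(b[4:], payload)
	return b
}

// macsecLinkInfo builds the IFLA_LINKINFO payload: kind "macsec" plus nested IFLA_INFO_DATA.
func macsecLinkInfo(mac [6]byte, port uint16, encrypt, replay byte) []byte {
	sci := append(mac[:], byte(port>>8), byte(port)) // SCI: MAC, then port in network byte order
	data := append(attr(IFLA_MACSEC_SCI, sci), attr(IFLA_MACSEC_ENCRYPT, []byte{encrypt})...)
	data = append(data, attr(IFLA_MACSEC_REPLAY_PROTECT, []byte{replay})...)
	return append(attr(IFLA_INFO_KIND, []byte("macsec")), attr(IFLA_INFO_DATA, data)...)
}

// parse walks one level of TLVs, rejecting lengths below a header or past the buffer end.
func parse(b []byte) (map[uint16][]byte, error) {
	m := map[uint16][]byte{}
	for off, l := 0, 0; off < len(b); off += (l + 3) &^ 3 {
		if len(b)-off < 4 {
			return nil, fmt.Errorf("truncated header at offset %d", off)
		}
		if l = int(ne.Uint16(b[off:])); l < 4 || off+l > len(b) {
			return nil, fmt.Errorf("bad length %d at offset %d", l, off)
		}
		m[ne.Uint16(b[off+2:])&0x3fff] = b[off+4 : off+l] // mask NLA_F_NESTED / NLA_F_NET_BYTEORDER
	}
	return m, nil
}

func main() {
	outer, err := parse(macsecLinkInfo([6]byte{2, 0, 0, 0, 0, 1}, 1, 1, 1)) // constructed values
	fmt.Printf("kind=%s data=%x err=%v\n", outer[IFLA_INFO_KIND], outer[IFLA_INFO_DATA], err)
}
```

Calling `parse` a second time on the IFLA_INFO_DATA payload yields the individual MACsec attributes, which is a quick way to check that a serializer nests and pads them as intended.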
Collaborator

aboch commented May 9, 2025

@ljluestc this is still as draft.
I see some GH review comments about the missing macOS stubs.
