sonic-net · Pterosaur · Apr 29, 2022 · Feb 21, 2022 · Apr 11, 2022 · Apr 11, 2022
diff --git a/unittest/vslib/TestMACsecManager.cpp b/unittest/vslib/TestMACsecManager.cpp
@@ -27,3 +27,24 @@ TEST(MACsecManager, create_macsec_ingress_sa)
     attr.m_sak = "";
     manager.create_macsec_ingress_sa(attr);
 }
+
+TEST(MACsecManager, update_macsec_sa_pn)
+{
+    // This is a system call that may not be valid in the test environment,
+    // So, this case is just for the testing coverage checking.
+
+    MACsecManager manager;
+
+    MACsecAttr attr;
+    attr.m_vethName = "eth0";
+    attr.m_macsecName = "macsec_eth0";
+    attr.m_sci = "02:42:ac:11:00:03";
+    attr.m_an = 0;
+    attr.m_pn = 1;
+    attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_XPN_128;
+    attr.m_ssci = 0x1;
+    attr.m_salt = "";
+    attr.m_authKey = "";
+    attr.m_sak = "";
+    manager.update_macsec_sa_pn(attr, 2);
+}
diff --git a/unittest/vslib/TestSwitchStateBaseMACsec.cpp b/unittest/vslib/TestSwitchStateBaseMACsec.cpp
@@ -110,3 +110,19 @@ TEST(SwitchStateBase, removeMACsecPort)
     EXPECT_EQ(1, ss.m_macsecFlowPortMap.size());
     EXPECT_EQ(1, ss.m_uncreatedIngressMACsecSAs.size());
 }
+
+TEST(SwitchStateBase, setMACsecSA)
+{
+    // Due to this function highly depends on system environment which cannot be tested directly,
+    // Just create this Test block for passing coverage
+    auto sc = std::make_shared<SwitchConfig>(0, "");
+    auto scc = std::make_shared<SwitchConfigContainer>();
+
+    SwitchStateBase ss(
+            0x2100000000,
+            std::make_shared<RealObjectIdManager>(0, scc),
+            sc);
+
+    ss.setMACsecSA(0, nullptr);
+}
+
diff --git a/vslib/MACsecManager.cpp b/vslib/MACsecManager.cpp
@@ -292,6 +292,33 @@ bool MACsecManager::enable_macsec_filter(
     return true;
 }
 
+bool MACsecManager::update_macsec_sa_pn(
+        _In_ const MACsecAttr &attr,
+        _In_ sai_uint64_t pn)
+{
+    SWSS_LOG_ENTER();
+
+    std::ostringstream ostream;
+    ostream
+        << "/sbin/ip macsec set "
+        << shellquote(attr.m_macsecName);
+
+    if (attr.m_direction == SAI_MACSEC_DIRECTION_EGRESS)
+    {
+        ostream << " tx";
+    }
+    else
+    {
+        ostream << " rx sci " << attr.m_sci;
+    }
+
+    ostream << " sa " << attr.m_an << " pn " << pn;
+
+    SWSS_LOG_NOTICE("%s", ostream.str().c_str());
+
+    return exec(ostream.str());
+}
+
 bool MACsecManager::get_macsec_sa_pn(
         _In_ const MACsecAttr &attr,
         _Out_ sai_uint64_t &pn) const

diff --git a/vslib/MACsecManager.h b/vslib/MACsecManager.h
@@ -36,6 +36,10 @@ namespace saivs
                     _In_ const std::string &macsecInterface,
                     _In_ bool enable);
 
+            bool update_macsec_sa_pn(
+                    _In_ const MACsecAttr &attr,
+                    _In_ sai_uint64_t pn);
+
             bool get_macsec_sa_pn(
                     _In_ const MACsecAttr &attr,
                     _Out_ sai_uint64_t &pn) const;

diff --git a/vslib/SwitchStateBase.cpp b/vslib/SwitchStateBase.cpp
@@ -520,6 +520,13 @@ sai_status_t SwitchStateBase::set(
         return setAclEntry(objectId, attr);
     }
 
+    if (objectType == SAI_OBJECT_TYPE_MACSEC_SA)
+    {
+        sai_object_id_t objectId;
+        sai_deserialize_object_id(serializedObjectId, objectId);
+        return setMACsecSA(objectId, attr);
+    }
+
     return set_internal(objectType, serializedObjectId, attr);
 }
 

diff --git a/vslib/SwitchStateBase.h b/vslib/SwitchStateBase.h
@@ -521,6 +521,10 @@ namespace saivs
                     _In_ sai_object_id_t entry_id,
                     _In_ const sai_attribute_t* attr);
 
+            sai_status_t setMACsecSA(
+                    _In_ sai_object_id_t macsec_sa_id,
+                    _In_ const sai_attribute_t* attr);
+
             sai_status_t createMACsecPort(
                     _In_ sai_object_id_t macsec_sa_id,
                     _In_ sai_object_id_t switch_id,

diff --git a/vslib/SwitchStateBaseMACsec.cpp b/vslib/SwitchStateBaseMACsec.cpp
@@ -138,6 +138,30 @@ sai_status_t SwitchStateBase::setAclEntryMACsecFlowActive(
     return SAI_STATUS_SUCCESS;
 }
 
+sai_status_t SwitchStateBase::setMACsecSA(
+        _In_ sai_object_id_t macsec_sa_id,
+        _In_ const sai_attribute_t* attr)
+{
+    SWSS_LOG_ENTER();
+
+    MACsecAttr macsecAttr;
+
+    CHECK_STATUS(loadMACsecAttr(SAI_OBJECT_TYPE_MACSEC_SA, macsec_sa_id, macsecAttr));
+
+    if (attr->id == SAI_MACSEC_SA_ATTR_MINIMUM_INGRESS_XPN || attr->id == SAI_MACSEC_SA_ATTR_CONFIGURED_EGRESS_XPN)
+    {
+        if (!m_macsecManager.update_macsec_sa_pn(macsecAttr, attr->value.u64))
+        {
+            SWSS_LOG_WARN("Fail to update PN (%" PRIu64 ") of MACsec SA %s", attr->value.u64, sai_serialize_object_id(macsec_sa_id).c_str());
+
+            return SAI_STATUS_FAILURE;
+        }
+    }
+
+    auto sid = sai_serialize_object_id(macsec_sa_id);
+    return set_internal(SAI_OBJECT_TYPE_MACSEC_SA, sid, attr);
+}
+
 sai_status_t SwitchStateBase::createMACsecPort(
         _In_ sai_object_id_t macsecSaId,
         _In_ sai_object_id_t switchId,