From 4edc6d6c6af2af97448c367eb1012de209cb198f Mon Sep 17 00:00:00 2001
From: Saikrishna Arcot
Date: Mon, 1 Apr 2024 23:33:46 -0700
Subject: [PATCH 1/2] Update ip commands for MACsec for Bookworm
Bookworm's iproute2 has built-in support for configuring MACsec with XPN ciphers. Unfortunately, the syntax is slightly different, which means changes are needed for this to work on Bookworm. Update the iproute2 commands run for Bookworm. This does mean compatibility with Bullseye will break.
Signed-off-by: Saikrishna Arcot
---
 vslib/MACsecManager.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/vslib/MACsecManager.cpp b/vslib/MACsecManager.cpp
index d6ff15637..b776c1c68 100644
--- a/vslib/MACsecManager.cpp
+++ b/vslib/MACsecManager.cpp
@@ -319,7 +319,7 @@ bool MACsecManager::update_macsec_sa_pn(
 ostream << " ssci " << attr.m_ssci;
 }
- ostream << " pn " << pn;
+ ostream << ( attr.is_xpn() ? " xpn " : " pn " ) << pn;
 SWSS_LOG_NOTICE("%s", ostream.str().c_str());
@@ -447,7 +447,7 @@ bool MACsecManager::create_macsec_egress_sa(
 << shellquote(attr.m_macsecName)
 << " tx sa "
 << attr.m_an
- << " pn "
+ << ( attr.is_xpn() ? " xpn " : " pn ")
 << attr.m_pn
 << ( attr.is_xpn() ? " ssci " : "" )
 << ( attr.is_xpn() ? std::to_string(attr.m_ssci) : "" )
@@ -484,7 +484,7 @@ bool MACsecManager::create_macsec_ingress_sa(
 << attr.m_sci
 << " sa "
 << attr.m_an
- << " pn "
+ << ( attr.is_xpn() ? " xpn " : " pn " )
 << attr.m_pn
 << ( attr.is_xpn() ? " ssci " : "" )
 << ( attr.is_xpn() ? std::to_string(attr.m_ssci) : "" )
From 8e224b3400f8acbae893542844e4a1897018b56e Mon Sep 17 00:00:00 2001
From: Ze Gan
Date: Wed, 3 Apr 2024 14:02:08 +0800
Subject: [PATCH 2/2] Add more test
Signed-off-by: Ze Gan
---
 unittest/vslib/TestMACsecManager.cpp | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/unittest/vslib/TestMACsecManager.cpp b/unittest/vslib/TestMACsecManager.cpp
index bc1468b45..13135f145 100644
--- a/unittest/vslib/TestMACsecManager.cpp
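Review bot: Nothing next to the new ternary in update_macsec_sa_pn (or the identical ones in create_macsec_egress_sa and create_macsec_ingress_sa) records that the `xpn` keyword depends on the iproute2 release, although the commit message says Bullseye's ip will no longer accept these commands. A short comment above the line, e.g. `// iproute2 with native XPN support (Bookworm) takes "xpn <PN>" for XPN ciphers; older releases only accept "pn"`, would keep that constraint beside the code. A rejected command presumably leaves the SA or its packet number unprogrammed, so it is worth confirming that callers treat a false return from these bool functions as a hard failure rather than carrying on; the return paths are outside the hunks.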
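Review bot: In create_macsec_ingress_sa the command string streams `attr.m_sci` unquoted just above the changed line, while create_macsec_egress_sa passes the interface name through `shellquote`. If this string is handed to a shell, as the use of shellquote suggests, and m_sci is not guaranteed to be a fixed hex format by the time it gets here, it should be quoted the same way: `<< shellquote(attr.m_sci)`. The numeric fields (`m_an`, `m_pn`, `std::to_string(attr.m_ssci)`) do not need it. The start of the command, where the device name is written, is outside the hunk.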
+++ b/unittest/vslib/TestMACsecManager.cpp
@@ -30,6 +30,27 @@ TEST(MACsecManager, create_macsec_ingress_sa)
 manager.create_macsec_ingress_sa(attr);
 }
+TEST(MACsecManager, create_macsec_egress_sa)
+{
+ // This is a system call that may not be valid in the test environment,
+ // So, this case is just for the testing coverage checking.
+
+ MACsecManager manager;
+
+ MACsecAttr attr;
+ attr.m_vethName = "eth0";
+ attr.m_macsecName = "macsec_eth0";
+ attr.m_sci = "02:42:ac:11:00:03";
+ attr.m_an = 0;
+ attr.m_pn = 1;
+ attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_XPN_128;
+ attr.m_ssci = 0x1;
+ attr.m_salt = "";
+ attr.m_authKey = "";
+ attr.m_sak = "";
+ manager.create_macsec_egress_sa(attr);
+}
+
 TEST(MACsecManager, update_macsec_sa_pn)
 {
 // This is a system call that may not be valid in the test environment,
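Review bot: The new create_macsec_egress_sa test asserts nothing: the result of `manager.create_macsec_egress_sa(attr)` is discarded, so a regression from `xpn` back to `pn` for an XPN cipher would still pass. Only the XPN cipher is exercised, so the non-XPN branch of the ternary gets no egress case either. If the command string were built in a small helper that returns it before execution, the test could check for ` xpn ` with `CIPHER_NAME_GCM_AES_XPN_128` and ` pn ` with a non-XPN cipher without needing a working `ip` binary. Until then the existing comment could say explicitly that the generated command is not verified.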