macsec: T2023: add missing mtu CLI option

Base MTU for MACsec is 1468 bytes (encryption headers), but we leave room for
802.1ad and 802.1q VLAN tags, thus the limit is lowered to 1460 bytes to not
make the user juggle with the MTU bytes if he enables VLAN support later on,
which is yet to come.

2 files changed, 20 insertions, 1 deletions

diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index dfef387d2..9384726cc 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -107,8 +107,9 @@
           </node>
           #include <include/interface-description.xml.i>
           #include <include/interface-disable.xml.i>
-          #include <include/interface-vrf.xml.i>
+          #include <include/interface-mtu-68-9000.xml.i>
           #include <include/source-interface-ethernet.xml.i>
+          #include <include/interface-vrf.xml.i>
         </children>
       </tagNode>
     </children>
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 73c80866a..abf8b05c3 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -21,6 +21,7 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.ifconfig import MACsecIf
+from vyos.ifconfig import Interface
 from vyos.template import render
 from vyos.util import call
 from vyos.configverify import verify_vrf
@@ -46,6 +47,14 @@ def get_config(config=None):
     base = ['interfaces', 'macsec']
     macsec = get_interface_dict(conf, base)
 
+    # MACsec is "special" the default MTU is 1460 - update accordingly
+    # as the config_level is already st in get_interface_dict() - we can use []
+    tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+    if 'mtu' not in tmp:
+        # base MTU for MACsec is 1468 bytes, but we leave room for 802.1ad and
+        # 802.1q VLAN tags, thus the limit is 1460 bytes.
+        macsec['mtu'] = '1460'
+
     # Check if interface has been removed
     if 'deleted' in macsec:
         source_interface = conf.return_effective_value(
@@ -79,6 +88,15 @@ def verify(macsec):
             raise ConfigError('Missing mandatory MACsec security '
                               'keys as encryption is enabled!')
 
+    if 'source_interface' in macsec:
+        # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
+        # and 802.1q) - we need to check the underlaying MTU if our configured
+        # MTU is at least 40 bytes less then the MTU of our physical interface.
+        underlay_mtu = int(Interface(macsec['source_interface']).get_mtu())
+        if underlay_mtu < (int(macsec['mtu']) + 40):
+            raise ConfigError('MACsec overhead does not fit into underlaying device MTU,\n' \
+                              f'{underlay_mtu} bytes is too small!')
+
     return None