summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-09-20 21:05:03 +0200
committerChristian Poessinger <christian@poessinger.com>2020-09-20 21:07:17 +0200
commita420f7637f80a9ad16160efcac8c2095fa52382b (patch)
tree097d8aedaab7cd80a54f4b4da04bdd57fb71b4a7
parent103e8404cdea70dad486940f209b9683f1c7b936 (diff)
downloadvyos-1x-a420f7637f80a9ad16160efcac8c2095fa52382b.tar.gz
vyos-1x-a420f7637f80a9ad16160efcac8c2095fa52382b.zip
macsec: T2023: add missing mtu CLI option
Base MTU for MACsec is 1468 bytes (encryption headers), but we leave room for 802.1ad and 802.1q VLAN tags, thus the limit is lowered to 1460 bytes to not make the user juggle with the MTU bytes if he enables VLAN support later on, which is yet to come.
-rw-r--r--interface-definitions/interfaces-macsec.xml.in3
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py18
2 files changed, 20 insertions, 1 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index dfef387d2..9384726cc 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -107,8 +107,9 @@
</node>
#include <include/interface-description.xml.i>
#include <include/interface-disable.xml.i>
- #include <include/interface-vrf.xml.i>
+ #include <include/interface-mtu-68-9000.xml.i>
#include <include/source-interface-ethernet.xml.i>
+ #include <include/interface-vrf.xml.i>
</children>
</tagNode>
</children>
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 73c80866a..abf8b05c3 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -21,6 +21,7 @@ from sys import exit
from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.ifconfig import MACsecIf
+from vyos.ifconfig import Interface
from vyos.template import render
from vyos.util import call
from vyos.configverify import verify_vrf
@@ -46,6 +47,14 @@ def get_config(config=None):
base = ['interfaces', 'macsec']
macsec = get_interface_dict(conf, base)
+ # MACsec is "special" the default MTU is 1460 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ # base MTU for MACsec is 1468 bytes, but we leave room for 802.1ad and
+ # 802.1q VLAN tags, thus the limit is 1460 bytes.
+ macsec['mtu'] = '1460'
+
# Check if interface has been removed
if 'deleted' in macsec:
source_interface = conf.return_effective_value(
@@ -79,6 +88,15 @@ def verify(macsec):
raise ConfigError('Missing mandatory MACsec security '
'keys as encryption is enabled!')
+ if 'source_interface' in macsec:
+ # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
+ # and 802.1q) - we need to check the underlaying MTU if our configured
+ # MTU is at least 40 bytes less then the MTU of our physical interface.
+ underlay_mtu = int(Interface(macsec['source_interface']).get_mtu())
+ if underlay_mtu < (int(macsec['mtu']) + 40):
+ raise ConfigError('MACsec overhead does not fit into underlaying device MTU,\n' \
+ f'{underlay_mtu} bytes is too small!')
+
return None