-rw-r--r--python/vyos/configverify.py30
-rwxr-xr-xsrc/conf_mode/interfaces-bonding.py2
-rwxr-xr-xsrc/conf_mode/interfaces-bridge.py2
-rwxr-xr-xsrc/conf_mode/interfaces-ethernet.py3
-rwxr-xr-xsrc/conf_mode/interfaces-geneve.py2
-rwxr-xr-xsrc/conf_mode/interfaces-l2tpv3.py2
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py2
-rwxr-xr-xsrc/conf_mode/interfaces-pppoe.py2
-rwxr-xr-xsrc/conf_mode/interfaces-vxlan.py2
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py2
10 files changed, 49 insertions, 0 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 6e5ba1df0..944fc4294 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -44,6 +44,36 @@ def verify_mtu(config):
raise ConfigError(f'Interface MTU too high, ' \
f'maximum supported MTU is {max_mtu}!')
+def verify_mtu_ipv6(config):
+ """
+ Common helper function used by interface implementations to perform
+ recurring validation if the specified MTU can be used when IPv6 is
+ configured on the interface. IPv6 requires a 1280 bytes MTU.
+ """
+ from vyos.validate import is_ipv6
+ from vyos.util import vyos_dict_search
+ # IPv6 minimum required link mtu
+ min_mtu = 1280
+
+ if int(config['mtu']) < min_mtu:
+ interface = config['ifname']
+ error_msg = f'IPv6 address will be configured on interface "{interface}" ' \
+ f'thus the minimum MTU requirement is {min_mtu}!'
+
+ if not vyos_dict_search('ipv6.address.no_default_link_local', config):
+ raise ConfigError('link-local ' + error_msg)
+
+ for address in (vyos_dict_search('address', config) or []):
+ if address in ['dhcpv6'] or is_ipv6(address):
+ raise ConfigError(error_msg)
+
+ if vyos_dict_search('ipv6.address.autoconf', config):
+ raise ConfigError(error_msg)
+
+ if vyos_dict_search('ipv6.address.eui64', config):
+ raise ConfigError(error_msg)
+
+
def verify_vrf(config):
"""
Common helper function used by interface implementations to perform
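Review bot: `int(config['mtu'])` in the first check of verify_mtu_ipv6 assumes every caller's dict carries an `mtu` key, so an interface type without an MTU default would fail with a KeyError traceback instead of a ConfigError. Since this commit wires the helper into nine interface scripts, guard the lookup at the top, e.g. `if 'mtu' not in config: return None`. The link-local branch also rejects any MTU below 1280 unless `no_default_link_local` is set, even when no IPv6 address is configured; if that is intended, the docstring should say so. Indentation is lost in this view, so the nesting of the later address checks under the MTU test is inferred.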
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index aece2a04b..9763620ac 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_dhcpv6
from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.ifconfig import BondIf
@@ -141,6 +142,7 @@ def verify(bond):
raise ConfigError('Option primary - mode dependency failed, not'
'supported in mode {mode}!'.format(**bond))
+ verify_mtu_ipv6(bond)
verify_address(bond)
verify_dhcpv6(bond)
verify_vrf(bond)
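Review bot: The new `verify_mtu_ipv6(bond)` call checks only the parent interface dict, so VLAN sub-interfaces that carry their own MTU and IPv6 addresses are presumably not covered; the same applies to the `verify_mtu_ipv6(ethernet)` call in the ethernet verify() hunk. The configverify.py section of this commit adds only the new helper and leaves verify_vlan_config untouched. If the per-VLAN dicts use the same `mtu`/`address` layout, a `verify_mtu_ipv6(vlan)` call for each VLAN inside verify_vlan_config would close the gap. verify() starts and ends outside this hunk, so handling elsewhere in the function cannot be ruled out.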
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index 485decb17..4ac9c8963 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -25,6 +25,7 @@ from vyos.configdict import node_changed
from vyos.configdict import is_member
from vyos.configdict import is_source_interface
from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vrf
from vyos.ifconfig import BridgeIf
from vyos.validate import has_address_configured
@@ -95,6 +96,7 @@ def verify(bridge):
if 'deleted' in bridge:
return None
+ verify_mtu_ipv6(bridge)
verify_dhcpv6(bridge)
verify_vrf(bridge)
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 5468c7bda..1f622c003 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -24,6 +24,7 @@ from vyos.configverify import verify_address
from vyos.configverify import verify_dhcpv6
from vyos.configverify import verify_interface_exists
from vyos.configverify import verify_mtu
+from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.ifconfig import EthernetIf
@@ -42,6 +43,7 @@ def get_config(config=None):
conf = Config()
base = ['interfaces', 'ethernet']
ethernet = get_interface_dict(conf, base)
+
return ethernet
def verify(ethernet):
@@ -59,6 +61,7 @@ def verify(ethernet):
raise ConfigError('If duplex is hardcoded, speed must be hardcoded, too')
verify_mtu(ethernet)
+ verify_mtu_ipv6(ethernet)
verify_dhcpv6(ethernet)
verify_address(ethernet)
verify_vrf(ethernet)
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py
index af7c121f4..979a5612e 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces-geneve.py
@@ -22,6 +22,7 @@ from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configverify import verify_address
+from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import GeneveIf
from vyos import ConfigError
@@ -47,6 +48,7 @@ def verify(geneve):
verify_bridge_delete(geneve)
return None
+ verify_mtu_ipv6(geneve)
verify_address(geneve)
if 'remote' not in geneve:
diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py
index 2653ff19c..1118143e4 100755
--- a/src/conf_mode/interfaces-l2tpv3.py
+++ b/src/conf_mode/interfaces-l2tpv3.py
@@ -24,6 +24,7 @@ from vyos.configdict import get_interface_dict
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_mtu_ipv6
from vyos.ifconfig import L2TPv3If
from vyos.util import check_kmod
from vyos.validate import is_addr_assigned
@@ -80,6 +81,7 @@ def verify(l2tpv3):
raise ConfigError('L2TPv3 local-ip address '
'"{local_ip}" is not configured!'.format(**l2tpv3))
+ verify_mtu_ipv6(l2tpv3)
verify_address(l2tpv3)
return None
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index a224c540e..0a20a121b 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -27,6 +27,7 @@ from vyos.util import call
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_source_interface
from vyos import ConfigError
from vyos import airbag
@@ -71,6 +72,7 @@ def verify(macsec):
verify_source_interface(macsec)
verify_vrf(macsec)
+ verify_mtu_ipv6(macsec)
verify_address(macsec)
if not (('security' in macsec) and
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 1b4b9e4ee..ee3b142c8 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
@@ -24,6 +24,7 @@ from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configverify import verify_source_interface
from vyos.configverify import verify_vrf
+from vyos.configverify import verify_mtu_ipv6
from vyos.template import render
from vyos.util import call
from vyos import ConfigError
@@ -57,6 +58,7 @@ def verify(pppoe):
verify_source_interface(pppoe)
verify_vrf(pppoe)
+ verify_mtu_ipv6(pppoe)
if {'connect_on_demand', 'vrf'} <= set(pppoe):
raise ConfigError('On-demand dialing and VRF can not be used at the same time')
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index 850ea28d7..002f40aef 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -23,6 +23,7 @@ from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_source_interface
from vyos.ifconfig import VXLANIf, Interface
from vyos import ConfigError
@@ -77,6 +78,7 @@ def verify(vxlan):
raise ConfigError('VXLAN has a 50 byte overhead, underlaying device ' \
f'MTU is to small ({underlay_mtu} bytes)')
+ verify_mtu_ipv6(vxlan)
verify_address(vxlan)
return None
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index e7c22da1a..d5800264f 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -27,6 +27,7 @@ from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_mtu_ipv6
from vyos.ifconfig import WireGuardIf
from vyos.util import check_kmod
from vyos import ConfigError
@@ -71,6 +72,7 @@ def verify(wireguard):
verify_bridge_delete(wireguard)
return None
+ verify_mtu_ipv6(wireguard)
verify_address(wireguard)
verify_vrf(wireguard)