From: Daniel Tschlatscher
To: pve-devel@lists.proxmox.com
Date: Thu, 3 Nov 2022 16:38:10 +0100
Message-Id: <20221103153810.690086-3-d.tschlatscher@proxmox.com>
In-Reply-To: <20221103153810.690086-1-d.tschlatscher@proxmox.com>
Subject: [pve-devel] [PATCH container v2] better parsing for lxc networking mtu setting

This patch reworks some mtu settings for LXC containers in the backend.
Namely, introducing an absolute maximum for the MTU field of 65535 and
asserting that the MTU setting isn't bigger than the bridge's MTU size.

Signed-off-by: Daniel Tschlatscher
---
Changes from v1:
* New patch

The functionality of checking whether the config option for 'mtu' is
valid is implemented somewhat redundantly here. This is due to
'update_lxc_config' handling the VM start check and 'update_pct_config'
handling the general configuration check.
As far as I can tell, there is no location in the code that could handle
both cases centrally and elegantly (at least not without major
restructuring, which seems very overkill for this feature).
Of course, open for suggestions though.

 src/PVE/LXC.pm        | 10 +++++++++-
 src/PVE/LXC/Config.pm |  9 +++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 333286a..ac45fc6 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm
@@ -730,7 +730,15 @@ sub update_lxc_config { $raw .= "lxc.net.$ind.veth.pair = veth${vmid}i${ind}\n"; $raw .= "lxc.net.$ind.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr}); $raw .= "lxc.net.$ind.name = $d->{name}\n" if defined($d->{name}); - $raw .= "lxc.net.$ind.mtu = $d->{mtu}\n" if defined($d->{mtu}); + + # Keep container from starting with invalid mtu configuration + if (my $mtu = $d->{mtu}) { + my $bridge_mtu = PVE::Network::read_bridge_mtu($d->{bridge}); + die "$k: MTU size '$mtu' is bigger than bridge MTU '$bridge_mtu'\n" + if ($mtu > $bridge_mtu); + + $raw .= "lxc.net.$ind.mtu = $mtu\n"; + } # Starting with lxc 4.0, we do not patch lxc to execute our up-scripts. if ($lxc_major >= 4) { diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm index d1fdd50..4bb27ff 100644 --- a/src/PVE/LXC/Config.pm +++ b/src/PVE/LXC/Config.pm @@ -755,6 +755,7 @@ our $netconf_desc = { type => 'integer', description => 'Maximum transfer unit of the interface. (lxc.network.mtu)', minimum => 64, # minimum ethernet frame is 64 bytes + maximum => 65535, optional => 1, }, ip => { @@ -1110,6 +1111,14 @@ sub update_pct_config { $value = PVE::LXC::verify_searchdomain_list($value); } elsif ($opt eq 'unprivileged') { die "unable to modify read-only option: '$opt'\n"; + } elsif ($opt =~ m/^net(\d+)$/) { + my $res = PVE::JSONSchema::parse_property_string($netconf_desc, $value); + + if (my $mtu = $res->{mtu}) { + my $bridge_mtu = PVE::Network::read_bridge_mtu($res->{bridge}); + die "$opt: MTU size '$mtu' is bigger than bridge MTU '$bridge_mtu'\n" + if ($mtu > $bridge_mtu); + } } $conf->{pending}->{$opt} = $value; $class->remove_from_pending_delete($conf, $opt); -- 2.30.2
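
Review bot: In the update_lxc_config hunk of src/PVE/LXC.pm, PVE::Network::read_bridge_mtu($d->{bridge}) is called whenever mtu is set, with no check that $d->{bridge} is defined, although the neighbouring hwaddr and name lines are each guarded with defined(). Suggest running the comparison only when a bridge is configured, for example wrapping the lookup and the die in "if (defined(my $bridge = $d->{bridge})) { ... }", and still emitting the "lxc.net.$ind.mtu = $mtu" line in either case, so the start-time check does not depend on how read_bridge_mtu treats an undefined name.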
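
Review bot: In the $netconf_desc hunk of src/PVE/LXC/Config.pm, the new "maximum => 65535" carries no comment, while the "minimum => 64" line directly above it states where its value comes from. Suggest a short trailing comment giving the origin of the 65535 limit, and mentioning the allowed range in the description string of the same property.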
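
Review bot: In the update_pct_config hunk of src/PVE/LXC/Config.pm, the bridge MTU comparison and its die message repeat the block added to update_lxc_config in src/PVE/LXC.pm almost line for line, so the two checks can drift apart. Suggest one small helper that takes the option name, the MTU and the bridge and is called from both places. In this branch $res->{bridge} is also passed to read_bridge_mtu without a defined() check, and the capture group in m/^net(\d+)$/ is never used, so m/^net\d+$/ would be enough.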