network/macsec: IFLA_MACSEC_PORT attribute cannot be changed

Also, though currently not supported by networkd,
  IFLA_MACSEC_CIPHER_SUITE, IFLA_MACSEC_ICV_LEN, IFLA_MACSEC_SCI
cannot be updated.

diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 15d79906f7737776dd1dbb7769a52628a246f735..6dd434f8037805fba052c5b9a4e820eae399309b 100644 (file)
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -509,12 +509,6 @@ static int netdev_macsec_fill_message_create(NetDev *netdev, Link *link, sd_netl
         MACsec *v = MACSEC(netdev);
         int r;
 
-        if (v->port > 0) {
-                r = sd_netlink_message_append_u16(m, IFLA_MACSEC_PORT, v->port);
-                if (r < 0)
-                        return r;
-        }
-
         if (v->encrypt >= 0) {
                 r = sd_netlink_message_append_u8(m, IFLA_MACSEC_ENCRYPT, v->encrypt);
                 if (r < 0)
@@ -525,6 +519,20 @@ static int netdev_macsec_fill_message_create(NetDev *netdev, Link *link, sd_netl
         if (r < 0)
                 return r;
 
+        /* The properties below cannot be updated, and the kernel refuses the whole request if one of the
+         * following attributes is set for an existing interface. */
+        if (netdev->ifindex > 0)
+                return 0;
+
+        if (v->port > 0) {
+                r = sd_netlink_message_append_u16(m, IFLA_MACSEC_PORT, v->port);
+                if (r < 0)
+                        return r;
+        }
+
+        /* Currently not supported by networkd, but IFLA_MACSEC_CIPHER_SUITE, IFLA_MACSEC_ICV_LEN, and
+         * IFLA_MACSEC_SCI can neither set for an existing interface. */
+
         return 0;
 }