macsec: enable send-sci by default and make the option configurable

It is safer to enable send-sci by default because, at the cost of
8-byte overhead, it makes MACsec work over bridges (note that kernel
also enables it by default). While at it, also make the option
configurable.

https://bugzilla.redhat.com/show_bug.cgi?id=1588041

clients/common/nm-meta-setting-desc.c

@@ -6224,6 +6224,9 @@ static const NMMetaPropertyInfo *const property_infos_MACSEC[] = {
 			                            | NM_META_PROPERTY_TYP_FLAG_ENUM_GET_PRETTY_TEXT,
 		),
 	),
+	PROPERTY_INFO_WITH_DESC (NM_SETTING_MACSEC_SEND_SCI,
+		.property_type =                &_pt_gobject_bool,
+	),
 	NULL
 };
 

clients/common/settings-docs.h.in

@@ -261,6 +261,7 @@
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_NAME N_("The setting's name, which uniquely identifies the setting within the connection.  Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_PARENT N_("If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created.  If this property is not specified, the connection must contain an \"802-3-ethernet\" setting with a \"mac-address\" property.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_PORT N_("The port component of the SCI (Secure Channel Identifier), between 1 and 65534.")
+#define DESCRIBE_DOC_NM_SETTING_MACSEC_SEND_SCI N_("Specifies whether the SCI (Secure Channel Identifier) is included in every packet.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_VALIDATION N_("Specifies the validation mode for incoming frames.")
 #define DESCRIBE_DOC_NM_SETTING_MACVLAN_MODE N_("The macvlan mode, which specifies the communication mechanism between multiple macvlans on the same lower device.")
 #define DESCRIBE_DOC_NM_SETTING_MACVLAN_NAME N_("The setting's name, which uniquely identifies the setting within the connection.  Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")

libnm-core/nm-setting-macsec.c

@@ -49,7 +49,8 @@ NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC)
 typedef struct {
 	char *parent;
 	NMSettingMacsecMode mode;
-	gboolean encrypt;
+	bool encrypt:1;
+	bool send_sci:1;
 	char *mka_cak;
 	NMSettingSecretFlags mka_cak_flags;
 	char *mka_ckn;
@@ -66,6 +67,7 @@ NM_GOBJECT_PROPERTIES_DEFINE_BASE (
 	PROP_MKA_CKN,
 	PROP_PORT,
 	PROP_VALIDATION,
+	PROP_SEND_SCI,
 );
 
 /**
@@ -204,6 +206,21 @@ nm_setting_macsec_get_validation (NMSettingMacsec *setting)
 	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation;
 }
 
+/**
+ * nm_setting_macsec_get_send_sci:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:send-sci property of the setting
+ *
+ * Since: 1.12
+ **/
+gboolean
+nm_setting_macsec_get_send_sci (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->send_sci;
+}
+
 static GPtrArray *
 need_secrets (NMSetting *setting)
 {
@@ -390,6 +407,9 @@ set_property (GObject *object, guint prop_id,
 	case PROP_VALIDATION:
 		priv->validation = g_value_get_int (value);
 		break;
+	case PROP_SEND_SCI:
+		priv->send_sci = g_value_get_boolean (value);
+		break;
 	default:
 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 		break;
@@ -428,6 +448,9 @@ get_property (GObject *object, guint prop_id,
 	case PROP_VALIDATION:
 		g_value_set_int (value, priv->validation);
 		break;
+	case PROP_SEND_SCI:
+		g_value_set_boolean (value, priv->send_sci);
+		break;
 	default:
 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 		break;
@@ -588,5 +611,20 @@ nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class)
 	                      NM_SETTING_PARAM_INFERRABLE |
 	                      G_PARAM_STATIC_STRINGS);
 
+	/**
+	 * NMSettingMacsec:send-sci:
+	 *
+	 * Specifies whether the SCI (Secure Channel Identifier) is included
+	 * in every packet.
+	 *
+	 * Since: 1.12
+	 **/
+	obj_properties[PROP_SEND_SCI] =
+	    g_param_spec_boolean (NM_SETTING_MACSEC_SEND_SCI, "", "",
+	                          TRUE,
+	                          G_PARAM_READWRITE |
+	                          G_PARAM_CONSTRUCT |
+	                          G_PARAM_STATIC_STRINGS);
+
 	g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 }

libnm-core/nm-setting-macsec.h

@@ -47,6 +47,7 @@ G_BEGIN_DECLS
 #define NM_SETTING_MACSEC_MKA_CKN              "mka-ckn"
 #define NM_SETTING_MACSEC_PORT                 "port"
 #define NM_SETTING_MACSEC_VALIDATION           "validation"
+#define NM_SETTING_MACSEC_SEND_SCI             "send-sci"
 
 /**
  * NMSettingMacsec:
@@ -122,6 +123,8 @@ NM_AVAILABLE_IN_1_6
 int         nm_setting_macsec_get_port           (NMSettingMacsec *setting);
 NM_AVAILABLE_IN_1_6
 NMSettingMacsecValidation nm_setting_macsec_get_validation (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_12
+gboolean nm_setting_macsec_get_send_sci          (NMSettingMacsec *setting);
 
 G_END_DECLS
 

libnm/libnm.ver

@@ -1358,6 +1358,7 @@ global:
 	nm_setting_connection_mdns_get_type;
 	nm_setting_ip_tunnel_get_flags;
 	nm_setting_ip6_config_get_dhcp_duid;
+	nm_setting_macsec_get_send_sci;
 	nm_setting_vpn_get_data_keys;
 	nm_setting_vpn_get_secret_keys;
 	nm_setting_wireless_security_get_fils;

src/devices/nm-device-macsec.c

@@ -704,6 +704,7 @@ create_and_realize (NMDevice *device,
 	sci.s.port = htons (nm_setting_macsec_get_port (s_macsec));
 	lnk.sci = be64toh (sci.u);
 	lnk.validation = nm_setting_macsec_get_validation (s_macsec);
+	lnk.include_sci = nm_setting_macsec_get_send_sci (s_macsec);
 
 	parent_ifindex = nm_device_get_ifindex (parent);
 	g_warn_if_fail (parent_ifindex > 0);