network: xfrm: refuse zero interface ID

Since kernel 5.17-rc1, 5.16.3, and 5.15.17 (more specifically,
8dce439195)
the kernel refuses to create an xfrm interface with zero ID.

man/systemd.netdev.xml

@@ -1994,7 +1994,7 @@
         <term><varname>InterfaceId=</varname></term>
         <listitem>
           <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
-          Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
+          Can be decimal or hexadecimal, valid range is 1-0xffffffff. This is mandatory.</para>
         </listitem>
       </varlistentry>
       <varlistentry>

src/network/netdev/xfrm.c

@@ -14,6 +14,7 @@ static int xfrm_fill_message_create(NetDev *netdev, Link *link, sd_netlink_messa
 
         x = XFRM(netdev);
 
+        assert(x);
         assert(link || x->independent);
 
         r = sd_netlink_message_append_u32(message, IFLA_XFRM_LINK, link ? link->ifindex : LOOPBACK_IFINDEX);
@@ -27,10 +28,28 @@ static int xfrm_fill_message_create(NetDev *netdev, Link *link, sd_netlink_messa
         return 0;
 }
 
+static int xfrm_verify(NetDev *netdev, const char *filename) {
+        Xfrm *x;
+
+        assert(netdev);
+        assert(filename);
+
+        x = XFRM(netdev);
+
+        assert(x);
+
+        if (x->if_id == 0)
+                return log_netdev_warning_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
+                                                "%s: Xfrm interface ID cannot be zero.", filename);
+
+        return 0;
+}
+
 const NetDevVTable xfrm_vtable = {
         .object_size = sizeof(Xfrm),
         .sections = NETDEV_COMMON_SECTIONS "Xfrm\0",
         .fill_message_create = xfrm_fill_message_create,
+        .config_verify = xfrm_verify,
         .create_type = NETDEV_CREATE_STACKED,
         .iftype = ARPHRD_NONE,
 };