From ac885f3e0912acebf0e3bc62582cc767dc9d5a6d Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Thu, 25 Aug 2022 10:18:08 +0000
Subject: sstp: T4644: Check SSTP bind port before commit

By default SSTP bind port '443' and this port can be used by
another service like 'service https' or 'vpn openconnect'
Check if port bound to another service
---
 src/conf_mode/vpn_sstp.py | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src')

diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 23e5162ba..2949ab290 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -26,7 +26,9 @@ from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
+from vyos.util import check_port_availability
 from vyos.util import dict_search
+from vyos.util import is_listen_port_bind_service
 from vyos.util import write_file
 from vyos import ConfigError
 from vyos import airbag
@@ -62,6 +64,12 @@ def verify(sstp):
     if not sstp:
         return None
 
+    port = sstp.get('port')
+    proto = 'tcp'
+    if check_port_availability('0.0.0.0', int(port), proto) is not True and \
+            not is_listen_port_bind_service(int(port), 'accel-pppd'):
+        raise ConfigError(f'"{proto}" port "{port}" is used by another service')
+
     verify_accel_ppp_base_service(sstp)
 
     if 'client_ip_pool' not in sstp and 'client_ipv6_pool' not in sstp:
-- 
cgit v1.2.3