summaryrefslogtreecommitdiff
path: root/src/conf_mode/service_https.py
diff options
context:
space:
mode:
authorLee Clements <lclements0@gmail.com>2026-04-03 16:46:58 -0400
committerChristian Breunig <christian@breunig.cc>2026-05-27 22:15:40 +0200
commit18e14cf71b3597112357b58e24fbe7aa9a7d7f4c (patch)
treedc0b4ff831ecf16cb2a5b191029c3cf0a092915f /src/conf_mode/service_https.py
parent7b19c149d4edd39bfe441f1d38d602c707fa7ae2 (diff)
downloadvyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.tar.gz
vyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.zip
T8454: fix VRF-bind port availability check in service_https
When service https is configured with a listen-address on a VRF interface, adding or changing the vrf option causes the commit to fail with "TCP port 443 is used by another service!" even though no conflict exists. Root cause: check_port_availability() performs a socket.bind() in the default network namespace. When the listen-address belongs to a VRF interface the address is unreachable from the default namespace, so the bind fails with OSError which is misinterpreted as "port in use". The secondary check via is_listen_port_bind_service() also fails because psutil cannot see sockets bound inside a VRF. Fix: add an optional vrf parameter to check_port_availability(). When set, the test socket is bound to the VRF master device via SO_BINDTODEVICE before the bind() call, so that the address is resolved in the correct L3 domain. This is done in-process (no subprocess) and works for both IPv4 and IPv6. service_https verify() now passes the configured VRF (if any) to check_port_availability(). Non-VRF configurations are unaffected. Add smoke test for HTTPS with listen-address inside a VRF. Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to 'src/conf_mode/service_https.py')
-rwxr-xr-xsrc/conf_mode/service_https.py14
1 files changed, 10 insertions, 4 deletions
diff --git a/src/conf_mode/service_https.py b/src/conf_mode/service_https.py
index 59fb90bd1..13a4930fd 100755
--- a/src/conf_mode/service_https.py
+++ b/src/conf_mode/service_https.py
@@ -113,12 +113,18 @@ def verify(https):
if 'listen_address' in https:
listen_address = https['listen_address']
- for address in listen_address:
- if not check_port_availability(address, port, 'tcp') and not is_listen_port_bind_service(port, 'nginx'):
- raise ConfigError(f'TCP port "{port}" is used by another service!')
-
verify_vrf(https)
+ vrf = https.get('vrf', None)
+ for address in listen_address:
+ if (not check_port_availability(address, port, 'tcp', vrf=vrf)
+ and not is_listen_port_bind_service(port, 'nginx')):
+ vrf_error_msg = ''
+ if vrf:
+ vrf_error_msg = f' in vrf "{vrf}"'
+ raise ConfigError(f'TCP port "{port}"{vrf_error_msg} is already ' \
+ 'used by another service!')
+
# Verify API server settings, if present
if 'api' in https:
keys = dict_search('api.keys.id', https)