summaryrefslogtreecommitdiff
path: root/src/etc/systemd/system
diff options
context:
space:
mode:
authorLee Clements <lclements0@gmail.com>2026-04-03 16:46:58 -0400
committerChristian Breunig <christian@breunig.cc>2026-05-27 22:15:40 +0200
commit18e14cf71b3597112357b58e24fbe7aa9a7d7f4c (patch)
treedc0b4ff831ecf16cb2a5b191029c3cf0a092915f /src/etc/systemd/system
parent7b19c149d4edd39bfe441f1d38d602c707fa7ae2 (diff)
downloadvyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.tar.gz
vyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.zip
T8454: fix VRF-bind port availability check in service_https
When service https is configured with a listen-address on a VRF interface, adding or changing the vrf option causes the commit to fail with "TCP port 443 is used by another service!" even though no conflict exists. Root cause: check_port_availability() performs a socket.bind() in the default network namespace. When the listen-address belongs to a VRF interface the address is unreachable from the default namespace, so the bind fails with OSError which is misinterpreted as "port in use". The secondary check via is_listen_port_bind_service() also fails because psutil cannot see sockets bound inside a VRF. Fix: add an optional vrf parameter to check_port_availability(). When set, the test socket is bound to the VRF master device via SO_BINDTODEVICE before the bind() call, so that the address is resolved in the correct L3 domain. This is done in-process (no subprocess) and works for both IPv4 and IPv6. service_https verify() now passes the configured VRF (if any) to check_port_availability(). Non-VRF configurations are unaffected. Add smoke test for HTTPS with listen-address inside a VRF. Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to 'src/etc/systemd/system')
0 files changed, 0 insertions, 0 deletions