diff options
| author | Lee Clements <lclements0@gmail.com> | 2026-04-03 16:46:58 -0400 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2026-05-27 22:15:40 +0200 |
| commit | 18e14cf71b3597112357b58e24fbe7aa9a7d7f4c (patch) | |
| tree | dc0b4ff831ecf16cb2a5b191029c3cf0a092915f /src/migration-scripts | |
| parent | 7b19c149d4edd39bfe441f1d38d602c707fa7ae2 (diff) | |
| download | vyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.tar.gz vyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.zip | |
T8454: fix VRF-bind port availability check in service_https
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to 'src/migration-scripts')
0 files changed, 0 insertions, 0 deletions
