diff options
| author | Lee Clements <lclements0@gmail.com> | 2026-04-03 16:46:58 -0400 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2026-05-27 22:15:40 +0200 |
| commit | 18e14cf71b3597112357b58e24fbe7aa9a7d7f4c (patch) | |
| tree | dc0b4ff831ecf16cb2a5b191029c3cf0a092915f /src | |
| parent | 7b19c149d4edd39bfe441f1d38d602c707fa7ae2 (diff) | |
| download | vyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.tar.gz vyos-1x-18e14cf71b3597112357b58e24fbe7aa9a7d7f4c.zip | |
T8454: fix VRF-bind port availability check in service_https
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/service_https.py | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/conf_mode/service_https.py b/src/conf_mode/service_https.py index 59fb90bd1..13a4930fd 100755 --- a/src/conf_mode/service_https.py +++ b/src/conf_mode/service_https.py @@ -113,12 +113,18 @@ def verify(https): if 'listen_address' in https: listen_address = https['listen_address'] - for address in listen_address: - if not check_port_availability(address, port, 'tcp') and not is_listen_port_bind_service(port, 'nginx'): - raise ConfigError(f'TCP port "{port}" is used by another service!') - verify_vrf(https) + vrf = https.get('vrf', None) + for address in listen_address: + if (not check_port_availability(address, port, 'tcp', vrf=vrf) + and not is_listen_port_bind_service(port, 'nginx')): + vrf_error_msg = '' + if vrf: + vrf_error_msg = f' in vrf "{vrf}"' + raise ConfigError(f'TCP port "{port}"{vrf_error_msg} is already ' \ + 'used by another service!') + # Verify API server settings, if present if 'api' in https: keys = dict_search('api.keys.id', https) |
