8 files changed, 111 insertions, 73 deletions

diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 3057357fc..7cd7ea42e 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -29,6 +29,8 @@ from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
+from vyos.util import check_port_availability
+from vyos.util import is_listen_port_bind_service
 from vyos.util import write_file
 
 from vyos import airbag
@@ -107,6 +109,31 @@ def verify(https):
                 raise ConfigError("At least one 'virtual-host <id> server-name' "
                               "matching the 'certbot domain-name' is required.")
 
+    server_block_list = []
+
+    # organize by vhosts
+    vhost_dict = https.get('virtual-host', {})
+
+    if not vhost_dict:
+        # no specified virtual hosts (server blocks); use default
+        server_block_list.append(default_server_block)
+    else:
+        for vhost in list(vhost_dict):
+            server_block = deepcopy(default_server_block)
+            data = vhost_dict.get(vhost, {})
+            server_block['address'] = data.get('listen-address', '*')
+            server_block['port'] = data.get('listen-port', '443')
+            server_block_list.append(server_block)
+
+    for entry in server_block_list:
+        _address = entry.get('address')
+        _address = '0.0.0.0' if _address == '*' else _address
+        _port = entry.get('port')
+        proto = 'tcp'
+        if check_port_availability(_address, int(_port), proto) is not True and \
+                not is_listen_port_bind_service(int(_port), 'nginx'):
+            raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
+
     verify_vrf(https)
     return None
 
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 870049a88..649ea8d50 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -67,7 +67,7 @@ def get_config(config=None):
         macsec.update({'shutdown_required': {}})
 
     if 'source_interface' in macsec:
-        tmp = is_source_interface(conf, macsec['source_interface'], 'macsec')
+        tmp = is_source_interface(conf, macsec['source_interface'], ['macsec', 'pseudo-ethernet'])
         if tmp and tmp != ifname: macsec.update({'is_source_interface' : tmp})
 
     return macsec
@@ -102,12 +102,6 @@ def verify(macsec):
             # gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit
             raise ConfigError('gcm-aes-128 requires a 256bit long key!')
 
-    if 'is_source_interface' in macsec:
-        tmp = macsec['is_source_interface']
-        src_ifname = macsec['source_interface']
-        raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \
-                          f'belongs to interface "{tmp}"!')
-
     if 'source_interface' in macsec:
         # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
         # and 802.1q) - we need to check the underlaying MTU if our configured
diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py
index f26a50a0e..20f2b1975 100755
--- a/src/conf_mode/interfaces-pseudo-ethernet.py
+++ b/src/conf_mode/interfaces-pseudo-ethernet.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -19,6 +19,7 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
+from vyos.configdict import is_source_interface
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
@@ -51,6 +52,10 @@ def get_config(config=None):
     if 'source_interface' in peth:
         _, peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'],
                                                peth['source_interface'])
+        # test if source-interface is maybe already used by another interface
+        tmp = is_source_interface(conf, peth['source_interface'], ['macsec'])
+        if tmp and tmp != ifname: peth.update({'is_source_interface' : tmp})
+
     return peth
 
 def verify(peth):
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py
index 5490a794d..0ecb4d736 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/ntp.py
@@ -17,6 +17,7 @@
 import os
 
 from vyos.config import Config
+from vyos.configdict import is_node_changed
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_interface_exists
 from vyos.util import call
@@ -40,6 +41,10 @@ def get_config(config=None):
 
     ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
     ntp['config_file'] = config_file
+
+    tmp = is_node_changed(conf, base + ['vrf'])
+    if tmp: ntp.update({'restart_required': {}})
+
     return ntp
 
 def verify(ntp):
@@ -78,19 +83,25 @@ def generate(ntp):
     return None
 
 def apply(ntp):
+    systemd_service = 'ntp.service'
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
+
     if not ntp:
         # NTP support is removed in the commit
-        call('systemctl stop ntp.service')
+        call(f'systemctl stop {systemd_service}')
         if os.path.exists(config_file):
             os.unlink(config_file)
         if os.path.isfile(systemd_override):
             os.unlink(systemd_override)
+        return
 
-    # Reload systemd manager configuration
-    call('systemctl daemon-reload')
-    if ntp:
-        call('systemctl restart ntp.service')
+    # we need to restart the service if e.g. the VRF name changed
+    systemd_action = 'reload-or-restart'
+    if 'restart_required' in ntp:
+        systemd_action = 'restart'
 
+    call(f'systemctl {systemd_action} {systemd_service}')
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py
index 62f5e1ddf..53df006a4 100755
--- a/src/conf_mode/service_monitoring_telegraf.py
+++ b/src/conf_mode/service_monitoring_telegraf.py
@@ -22,6 +22,8 @@ from shutil import rmtree
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
+from vyos.configdict import is_node_changed
+from vyos.configverify import verify_vrf
 from vyos.ifconfig import Section
 from vyos.template import render
 from vyos.util import call
@@ -32,39 +34,14 @@ from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
-
-base_dir = '/run/telegraf'
 cache_dir = f'/etc/telegraf/.cache'
-config_telegraf = f'{base_dir}/vyos-telegraf.conf'
+config_telegraf = f'/run/telegraf/telegraf.conf'
 custom_scripts_dir = '/etc/telegraf/custom_scripts'
 syslog_telegraf = '/etc/rsyslog.d/50-telegraf.conf'
-systemd_telegraf_service = '/etc/systemd/system/vyos-telegraf.service'
-systemd_telegraf_override_dir = '/etc/systemd/system/vyos-telegraf.service.d'
-systemd_override = f'{systemd_telegraf_override_dir}/10-override.conf'
-
-
-def get_interfaces(type='', vlan=True):
-    """
-    Get interfaces
-    get_interfaces()
-    ['dum0', 'eth0', 'eth1', 'eth1.5', 'lo', 'tun0']
-
-    get_interfaces("dummy")
-    ['dum0']
-    """
-    interfaces = []
-    ifaces = Section.interfaces(type)
-    for iface in ifaces:
-        if vlan == False and '.' in iface:
-            continue
-        interfaces.append(iface)
-
-    return interfaces
+systemd_override = '/etc/systemd/system/telegraf.service.d/10-override.conf'
 
 def get_nft_filter_chains():
-    """
-    Get nft chains for table filter
-    """
+    """ Get nft chains for table filter """
     nft = cmd('nft --json list table ip filter')
     nft = json.loads(nft)
     chain_list = []
@@ -76,9 +53,7 @@ def get_nft_filter_chains():
 
     return chain_list
 
-
 def get_config(config=None):
-
     if config:
         conf = config
     else:
@@ -87,8 +62,12 @@ def get_config(config=None):
     if not conf.exists(base):
         return None
 
-    monitoring = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
-                                    no_tag_node_value_mangle=True)
+    monitoring = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                      get_first_key=True,
+                                      no_tag_node_value_mangle=True)
+
+    tmp = is_node_changed(conf, base + ['vrf'])
+    if tmp: monitoring.update({'restart_required': {}})
 
     # We have gathered the dict representation of the CLI, but there are default
     # options which we need to update into the dictionary retrived.
@@ -96,7 +75,7 @@ def get_config(config=None):
     monitoring = dict_merge(default_values, monitoring)
 
     monitoring['custom_scripts_dir'] = custom_scripts_dir
-    monitoring['interfaces_ethernet'] = get_interfaces('ethernet', vlan=False)
+    monitoring['interfaces_ethernet'] = Section.interfaces('ethernet', vlan=False)
     monitoring['nft_chains'] = get_nft_filter_chains()
 
     # Redefine azure group-metrics 'single-table' and 'table-per-metric'
@@ -131,6 +110,8 @@ def verify(monitoring):
     if not monitoring:
         return None
 
+    verify_vrf(monitoring)
+
     # Verify influxdb
     if 'influxdb' in monitoring:
         if 'authentication' not in monitoring['influxdb'] or \
@@ -173,7 +154,7 @@ def verify(monitoring):
 def generate(monitoring):
     if not monitoring:
         # Delete config and systemd files
-        config_files = [config_telegraf, systemd_telegraf_service, systemd_override, syslog_telegraf]
+        config_files = [config_telegraf, systemd_override, syslog_telegraf]
         for file in config_files:
             if os.path.isfile(file):
                 os.unlink(file)
@@ -190,33 +171,34 @@ def generate(monitoring):
 
     chown(cache_dir, 'telegraf', 'telegraf')
 
-    # Create systemd override dir
-    if not os.path.exists(systemd_telegraf_override_dir):
-        os.mkdir(systemd_telegraf_override_dir)
-
     # Create custome scripts dir
     if not os.path.exists(custom_scripts_dir):
         os.mkdir(custom_scripts_dir)
 
     # Render telegraf configuration and systemd override
-    render(config_telegraf, 'monitoring/telegraf.j2', monitoring)
-    render(systemd_telegraf_service, 'monitoring/systemd_vyos_telegraf_service.j2', monitoring)
-    render(systemd_override, 'monitoring/override.conf.j2', monitoring, permission=0o640)
-    render(syslog_telegraf, 'monitoring/syslog_telegraf.j2', monitoring)
-
-    chown(base_dir, 'telegraf', 'telegraf')
+    render(config_telegraf, 'telegraf/telegraf.j2', monitoring, user='telegraf', group='telegraf')
+    render(systemd_override, 'telegraf/override.conf.j2', monitoring)
+    render(syslog_telegraf, 'telegraf/syslog_telegraf.j2', monitoring)
 
     return None
 
 def apply(monitoring):
     # Reload systemd manager configuration
+    systemd_service = 'telegraf.service'
     call('systemctl daemon-reload')
-    if monitoring:
-        call('systemctl restart vyos-telegraf.service')
-    else:
-        call('systemctl stop vyos-telegraf.service')
+    if not monitoring:
+        call(f'systemctl stop {systemd_service}')
+        return
+
+    # we need to restart the service if e.g. the VRF name changed
+    systemd_action = 'reload-or-restart'
+    if 'restart_required' in monitoring:
+        systemd_action = 'restart'
+
+    call(f'systemctl {systemd_action} {systemd_service}')
+
     # Telegraf include custom rsyslog config changes
-    call('systemctl restart rsyslog')
+    call('systemctl reload-or-restart rsyslog')
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 28669694b..2bbd7142a 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -22,6 +22,7 @@ from syslog import LOG_INFO
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
+from vyos.configdict import is_node_changed
 from vyos.configverify import verify_vrf
 from vyos.util import call
 from vyos.template import render
@@ -50,6 +51,10 @@ def get_config(config=None):
         return None
 
     ssh = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+
+    tmp = is_node_changed(conf, base + ['vrf'])
+    if tmp: ssh.update({'restart_required': {}})
+
     # We have gathered the dict representation of the CLI, but there are default
     # options which we need to update into the dictionary retrived.
     default_values = defaults(base)
@@ -104,17 +109,25 @@ def generate(ssh):
     return None
 
 def apply(ssh):
+    systemd_service_ssh = 'ssh.service'
+    systemd_service_sshguard = 'sshguard.service'
     if not ssh:
         # SSH access is removed in the commit
-        call('systemctl stop ssh.service')
-        call('systemctl stop sshguard.service')
+        call(f'systemctl stop {systemd_service_ssh}')
+        call(f'systemctl stop {systemd_service_sshguard}')
         return None
+
     if 'dynamic_protection' not in ssh:
-        call('systemctl stop sshguard.service')
+        call(f'systemctl stop {systemd_service_sshguard}')
     else:
-        call('systemctl restart sshguard.service')
+        call(f'systemctl reload-or-restart {systemd_service_sshguard}')
+
+    # we need to restart the service if e.g. the VRF name changed
+    systemd_action = 'reload-or-restart'
+    if 'restart_required' in ssh:
+        systemd_action = 'restart'
 
-    call('systemctl restart ssh.service')
+    call(f'systemctl {systemd_action} {systemd_service_ssh}')
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index bad9cfbd8..5ca32d23e 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -595,13 +595,11 @@ def wait_for_vici_socket(timeout=5, sleep_interval=0.1):
         sleep(sleep_interval)
 
 def apply(ipsec):
+    systemd_service = 'strongswan-starter.service'
     if not ipsec:
-        call('sudo ipsec stop')
+        call(f'systemctl stop {systemd_service}')
     else:
-        call('sudo ipsec restart')
-        call('sudo ipsec rereadall')
-        call('sudo ipsec reload')
-
+        call(f'systemctl reload-or-restart {systemd_service}')
         if wait_for_vici_socket():
             call('sudo swanctl -q')
 
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 23e5162ba..2949ab290 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -26,7 +26,9 @@ from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
+from vyos.util import check_port_availability
 from vyos.util import dict_search
+from vyos.util import is_listen_port_bind_service
 from vyos.util import write_file
 from vyos import ConfigError
 from vyos import airbag
@@ -62,6 +64,12 @@ def verify(sstp):
     if not sstp:
         return None
 
+    port = sstp.get('port')
+    proto = 'tcp'
+    if check_port_availability('0.0.0.0', int(port), proto) is not True and \
+            not is_listen_port_bind_service(int(port), 'accel-pppd'):
+        raise ConfigError(f'"{proto}" port "{port}" is used by another service')
+
     verify_accel_ppp_base_service(sstp)
 
     if 'client_ip_pool' not in sstp and 'client_ipv6_pool' not in sstp: