[27.x backport] Do not DNAT packets from WSL2's loopback0 #48514
+162
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When running WSL2 with mirrored mode networking, add an iptables rule to skip DNAT for packets arriving on interface loopback0 that are addressed to a localhost address - they're from the Windows host. Signed-off-by: Rob Murray <rob.murray@docker.com> (cherry picked from commit f9c0103) Signed-off-by: Rob Murray <rob.murray@docker.com>
robmry
added
kind/feature
|
For future reference; we don't need the follow-up fix from #48515, as we decided to not (yet) backport the |
1 task
renovate bot
added a commit
to earthly/dind
that referenced
this pull request
Sep 23, 2024
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/docker](https://redirect.github.com/docker/docker) | minor | `27.2.1` -> `27.3.1` | --- ### Release Notes <details> <summary>docker/docker (docker/docker)</summary> ### [`v27.3.1`](https://redirect.github.com/moby/moby/releases/tag/v27.3.1) [Compare Source](https://redirect.github.com/docker/docker/compare/v27.3.0-rc.1...v27.3.1) #### 27.3.1 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 27.3.1 milestone](https://redirect.github.com/docker/cli/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.1) - [moby/moby, 27.3.1 milestone](https://redirect.github.com/moby/moby/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.1) ##### Bug fixes and enhancements - CLI: Fix issue with command execution metrics not being exported due to the CLI MeterProvider being shutdown too early. [docker/cli#5457](https://redirect.github.com/docker/cli/pull/5457) ##### Packaging updates - Update `Compose` to [v2.29.7](https://redirect.github.com/docker/compose/releases/tag/v2.29.7) ### [`v27.3.0`](https://redirect.github.com/moby/moby/releases/tag/v27.3.0) [Compare Source](https://redirect.github.com/docker/docker/compare/v27.2.1...v27.3.0-rc.1) #### 27.3.0 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 27.3.0 milestone](https://redirect.github.com/docker/cli/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.0) - [moby/moby, 27.3.0 milestone](https://redirect.github.com/moby/moby/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.0) ##### Bug fixes and enhancements - containerd image store: Fix `docker image prune -a` untagging images used by containers started from images referenced by a digested reference. [moby/moby#48488](https://redirect.github.com/moby/moby/pull/48488) - Add a `--feature` flag to the daemon options. [moby/moby#48487](https://redirect.github.com/moby/moby/pull/48487) - Updated the handling of the `--gpus=0` flag to be consistent with the NVIDIA Container Runtime. [moby/moby#48483](https://redirect.github.com/moby/moby/pull/48483) [https://github.com/docker/cli/pull/5432](https://redirect.github.com/docker/cli/pull/5432)5432) - Support WSL2 mirrored-mode networking's use of interface `loopback0` for packets from the Windows host. [moby/moby#48514](https://redirect.github.com/moby/moby/pull/48514) - Fix an issue that prevented communication between containers on an IPv4 bridge network when running with `--iptables=false`, `--ip6tables=true` (the default), a firewall with a DROP rule for forwarded packets on hosts where the `br_netfilter` kernel module was not normally loaded. [moby/moby#48511](https://redirect.github.com/moby/moby/pull/48511) - CLI: Fix issue where `docker volume update` command would cause the CLI to panic if no argument/volume was passed. [docker/cli#5426](https://redirect.github.com/docker/cli/pull/5426) - CLI: Properly report metrics when run in WSL environment on Windows. \[[docker/cli#5432](https://redirect.github.com/docker/cli/issues/5432)] ##### Packaging updates - Update `containerd` (static binaries only) to [v1.7.22](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.22) [moby/moby#48468](https://redirect.github.com/moby/moby/pull/48468) - Updated `Buildkit` to [v0.16.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.16.0) - Update `Compose` to [v2.29.6](https://redirect.github.com/docker/compose/releases/tag/v2.29.6) - Update `Buildx` to [v0.17.1](https://redirect.github.com/docker/buildx/releases/tag/v0.17.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/earthly/dind). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
When running WSL2 with mirrored mode networking, add an iptables rule to skip DNAT for packets arriving on interface loopback0 that are addressed to a localhost address - they're from the Windows host.
networkingMode=mirroredmakes Docker unable to forward ports microsoft/WSL#10494WSL2's mirrored mode networking is outlined here.
- How I did it
Detect WSL2 mirrored mode by the presence of interface
loopback0, and (inspired by this workaround linked from the WSL ticket)/usr/bin/wslinfo --networking-modereportingmirrored, see wslinfo release note.If needed, create a rule in the nat-DOCKER chain to return early for packets arriving on
loopback0for127.0.0.0/8.There's no IPv6 rule, because WSL2 mirrored mode doesn't support it.
- How to verify it
As described on the ticket, with docker-ce installed in an instance of Linux (Ubuntu) running under WSL2 with
networkingMode=mirrored- run an nginx container with-p 8080:80, check that the Windows host can connect to it viahttp://localhost:8080.Also checked that the new iptables rule is not created unless it's needed.
Access from Linux to a service running on the Windows localhost address worked before and after this change.
(
--userland-proxy=true, the default, is required for this to work.)New unit test, just to check the conditions for adding the rule.
- Description for the changelog