Merge pull request moby#49969 from robmry/firewaller_wsl2_param

Make WSL2Mirrored into a Firewaller param

Author: robmry

libnetwork/drivers/bridge/bridge_linux.go

@@ -514,6 +514,7 @@ func (d *driver) configure(option map[string]interface{}) error {
 		IPv6:               config.EnableIP6Tables,
 		Hairpin:            !config.EnableUserlandProxy || config.UserlandProxyPath == "",
 		AllowDirectRouting: config.AllowDirectRouting,
+		WSL2Mirrored:       isRunningUnderWSL2MirroredMode(context.Background()),
 	})
 	if err != nil {
 		return err

libnetwork/drivers/bridge/internal/firewaller/firewaller.go

@@ -29,6 +29,8 @@ type Config struct {
 	// AllowDirectRouting means packets addressed directly to a container's IP address will be
 	// accepted, regardless of which network interface they are from.
 	AllowDirectRouting bool
+	// WSL2Mirrored is true if running under WSL2 with mirrored networking enabled.
+	WSL2Mirrored bool
 }
 
 // NetworkConfig contains settings for a single bridge network.

libnetwork/drivers/bridge/internal/iptabler/iptabler.go

@@ -45,14 +45,14 @@ func NewIptabler(ctx context.Context, config firewaller.Config) (firewaller.Fire
 	if ipt.config.IPv4 {
 		removeIPChains(ctx, iptables.IPv4)
 
-		if err := setupIPChains(ctx, iptables.IPv4, ipt.config.Hairpin); err != nil {
+		if err := setupIPChains(ctx, iptables.IPv4, ipt.config); err != nil {
 			return nil, err
 		}
 
 		// Make sure on firewall reload, first thing being re-played is chains creation
 		iptables.OnReloaded(func() {
 			log.G(ctx).Debugf("Recreating iptables chains on firewall reload")
-			if err := setupIPChains(ctx, iptables.IPv4, ipt.config.Hairpin); err != nil {
+			if err := setupIPChains(ctx, iptables.IPv4, ipt.config); err != nil {
 				log.G(ctx).WithError(err).Error("Error reloading iptables chains")
 			}
 		})
@@ -69,7 +69,7 @@ func NewIptabler(ctx context.Context, config firewaller.Config) (firewaller.Fire
 
 		removeIPChains(ctx, iptables.IPv6)
 
-		err := setupIPChains(ctx, iptables.IPv6, ipt.config.Hairpin)
+		err := setupIPChains(ctx, iptables.IPv6, ipt.config)
 		if err != nil {
 			// If the chains couldn't be set up, it's probably because the kernel has no IPv6
 			// support, or it doesn't have module ip6_tables loaded. It won't be possible to
@@ -81,7 +81,7 @@ func NewIptabler(ctx context.Context, config firewaller.Config) (firewaller.Fire
 			// Make sure on firewall reload, first thing being re-played is chains creation
 			iptables.OnReloaded(func() {
 				log.G(ctx).Debugf("Recreating ip6tables chains on firewall reload")
-				if err := setupIPChains(ctx, iptables.IPv6, ipt.config.Hairpin); err != nil {
+				if err := setupIPChains(ctx, iptables.IPv6, ipt.config); err != nil {
 					log.G(ctx).WithError(err).Error("Error reloading ip6tables chains")
 				}
 			})
@@ -117,7 +117,7 @@ func (ipt *iptabler) FilterForwardDrop(ctx context.Context, ipv firewaller.IPVer
 	return nil
 }
 
-func setupIPChains(ctx context.Context, version iptables.IPVersion, hairpin bool) (retErr error) {
+func setupIPChains(ctx context.Context, version iptables.IPVersion, iptCfg firewaller.Config) (retErr error) {
 	iptable := iptables.GetIptable(version)
 
 	_, err := iptable.NewChain(dockerChain, iptables.Nat)
@@ -204,12 +204,12 @@ func setupIPChains(ctx context.Context, version iptables.IPVersion, hairpin bool
 		}
 	}()
 
-	if err := addNATJumpRules(version, hairpin, true); err != nil {
+	if err := addNATJumpRules(version, iptCfg.Hairpin, true); err != nil {
 		return fmt.Errorf("failed to add jump rules to %s NAT table: %w", version, err)
 	}
 	defer func() {
 		if retErr != nil {
-			if err := addNATJumpRules(version, hairpin, false); err != nil {
+			if err := addNATJumpRules(version, iptCfg.Hairpin, false); err != nil {
 				log.G(ctx).Warnf("failed on removing jump rules from %s NAT table: %v", version, err)
 			}
 		}
@@ -231,7 +231,7 @@ func setupIPChains(ctx context.Context, version iptables.IPVersion, hairpin bool
 		return err
 	}
 
-	if err := mirroredWSL2Workaround(ctx, version, hairpin); err != nil {
+	if err := mirroredWSL2Workaround(version, !iptCfg.Hairpin && iptCfg.WSL2Mirrored); err != nil {
 		return err
 	}
 

libnetwork/drivers/bridge/internal/iptabler/iptabler_test.go

@@ -50,7 +50,7 @@ func TestCleanupIptableRules(t *testing.T) {
 	ipVersions := []iptables.IPVersion{iptables.IPv4, iptables.IPv6}
 
 	for _, version := range ipVersions {
-		err := setupIPChains(context.Background(), version, true)
+		err := setupIPChains(context.Background(), version, firewaller.Config{Hairpin: true})
 		assert.NilError(t, err, "version:%s", version)
 
 		iptable := iptables.GetIptable(version)
@@ -95,15 +95,17 @@ func TestIptabler(t *testing.T) {
 		masq
 		snat
 		bindLocalhost
+		wsl2Mirrored
 		numBoolParams
 	)
 	for i := range 1 << numBoolParams {
 		p := func(n int64) bool { return (i & (1 << n)) != 0 }
 		for _, gwmode := range []string{"nat", "nat-unprotected", "routed"} {
 			config := firewaller.Config{
-				IPv4:    p(ipv4),
-				IPv6:    p(ipv6),
-				Hairpin: p(hairpin),
+				IPv4:         p(ipv4),
+				IPv6:         p(ipv6),
+				Hairpin:      p(hairpin),
+				WSL2Mirrored: p(wsl2Mirrored),
 			}
 			netConfig := firewaller.NetworkConfig{
 				IfName:     "br-dummy",
@@ -128,8 +130,8 @@ func TestIptabler(t *testing.T) {
 				netConfig.Config6.HostIP = netip.MustParseAddr("fd34:d0d4:672f::123")
 			}
 			tn := t.Name()
-			t.Run(fmt.Sprintf("ipv4=%v/ipv6=%v/hairpin=%v/internal=%v/icc=%v/masq=%v/snat=%v/gwm=%v/bindlh=%v",
-				p(ipv4), p(ipv6), p(hairpin), p(internal), p(icc), p(masq), p(snat), gwmode, p(bindLocalhost)), func(t *testing.T) {
+			t.Run(fmt.Sprintf("ipv4=%v/ipv6=%v/hairpin=%v/internal=%v/icc=%v/masq=%v/snat=%v/gwm=%v/bindlh=%v/wsl2mirrored=%v",
+				p(ipv4), p(ipv6), p(hairpin), p(internal), p(icc), p(masq), p(snat), gwmode, p(bindLocalhost), p(wsl2Mirrored)), func(t *testing.T) {
 				// Run in parallel, unless updating results (because tests share golden results files, so
 				// they trample each other's output).
 				if !golden.FlagUpdate() {
@@ -190,11 +192,20 @@ func testIptabler(t *testing.T, tn string, config firewaller.Config, netConfig f
 		}
 	}
 
+	// WSL2Mirrored should only affect IPv4 results, and only if there's a port binding
+	// to a loopback address or docker-proxy is disabled. Share other results files.
+	rnWSL2Mirrored := func(resName string) string {
+		if config.IPv4 && config.WSL2Mirrored && (bindLocalhost || !config.Hairpin) {
+			return resName + ",wsl2mirrored=true"
+		}
+		return resName
+	}
+
 	// Initialise iptables, check the iptables config looks like it should look at the
 	// end of the test (after deleting per-network and per-port rules).
 	fw, err := NewIptabler(context.Background(), config)
 	assert.NilError(t, err)
-	checkResults("iptables", fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin), config.IPv4)
+	checkResults("iptables", rnWSL2Mirrored(fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin)), config.IPv4)
 	checkResults("ip6tables", fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin), config.IPv6)
 
 	// Add the network.
@@ -220,7 +231,7 @@ func testIptabler(t *testing.T, tn string, config firewaller.Config, netConfig f
 	assert.NilError(t, err)
 
 	// Check the resulting iptables config.
-	checkResults("iptables", resName, config.IPv4)
+	checkResults("iptables", rnWSL2Mirrored(resName), config.IPv4)
 	checkResults("ip6tables", resName, config.IPv6)
 
 	// Remove the port mappings and the network, and check the result.
@@ -230,6 +241,6 @@ func testIptabler(t *testing.T, tn string, config firewaller.Config, netConfig f
 	assert.NilError(t, err)
 	err = nw.DelNetworkLevelRules(context.Background())
 	assert.NilError(t, err)
-	checkResults("iptables", fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin), config.IPv4)
+	checkResults("iptables", rnWSL2Mirrored(fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin)), config.IPv4)
 	checkResults("ip6tables", fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin), config.IPv6)
 }

libnetwork/drivers/bridge/internal/iptabler/port.go

@@ -47,7 +47,7 @@ func (n *network) setPerPortIptables(ctx context.Context, b types.PortBinding, e
 		return nil
 	}
 
-	if err := filterPortMappedOnLoopback(ctx, b, b.HostIP, enable); err != nil {
+	if err := filterPortMappedOnLoopback(ctx, b, b.HostIP, n.ipt.config.WSL2Mirrored, enable); err != nil {
 		return err
 	}
 
@@ -169,7 +169,7 @@ func setPerPortForwarding(b types.PortBinding, ipv iptables.IPVersion, bridgeNam
 // This is a no-op if the portBinding is for IPv6 (IPv6 loopback address is
 // non-routable), or over a network with gw_mode=routed (PBs in routed mode
 // don't map ports on the host).
-func filterPortMappedOnLoopback(ctx context.Context, b types.PortBinding, hostIP net.IP, enable bool) error {
+func filterPortMappedOnLoopback(ctx context.Context, b types.PortBinding, hostIP net.IP, wsl2Mirrored, enable bool) error {
 	if rawRulesDisabled(ctx) {
 		return nil
 	}
@@ -184,7 +184,7 @@ func filterPortMappedOnLoopback(ctx context.Context, b types.PortBinding, hostIP
 		"-i", "loopback0",
 		"-j", "ACCEPT",
 	}}
-	enableMirrored := enable && isRunningUnderWSL2MirroredMode(ctx)
+	enableMirrored := enable && wsl2Mirrored
 	if err := appendOrDelChainRule(acceptMirrored, "LOOPBACK FILTERING - ACCEPT MIRRORED", enableMirrored); err != nil {
 		return err
 	}

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false,wsl2mirrored=true__iptables.golden

@@ -0,0 +1,29 @@
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-BRIDGE - [0:0]
+:DOCKER-CT - [0:0]
+:DOCKER-FORWARD - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+-A FORWARD -j DOCKER-FORWARD
+-A DOCKER-FORWARD -j DOCKER-CT
+-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-BRIDGE
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
+COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true,wsl2mirrored=true__iptables.golden

@@ -0,0 +1,28 @@
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-BRIDGE - [0:0]
+:DOCKER-CT - [0:0]
+:DOCKER-FORWARD - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+-A FORWARD -j DOCKER-FORWARD
+-A DOCKER-FORWARD -j DOCKER-CT
+-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-BRIDGE
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
+COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -0,0 +1,39 @@
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -d 192.168.0.2/32 ! -i br-dummy -j DROP
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-BRIDGE - [0:0]
+:DOCKER-CT - [0:0]
+:DOCKER-FORWARD - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+-A FORWARD -j DOCKER-FORWARD
+-A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
+-A DOCKER ! -i br-dummy -o br-dummy -j DROP
+-A DOCKER-BRIDGE -o br-dummy -j DOCKER
+-A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-FORWARD -j DOCKER-CT
+-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-BRIDGE
+-A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
+-A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
+-A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
+COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -0,0 +1,41 @@
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -d 192.168.0.2/32 ! -i br-dummy -j DROP
+-A PREROUTING -d 127.0.0.1/32 -i loopback0 -p tcp -m tcp --dport 8080 -j ACCEPT
+-A PREROUTING -d 127.0.0.1/32 ! -i lo -p tcp -m tcp --dport 8080 -j DROP
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-BRIDGE - [0:0]
+:DOCKER-CT - [0:0]
+:DOCKER-FORWARD - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+-A FORWARD -j DOCKER-FORWARD
+-A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
+-A DOCKER ! -i br-dummy -o br-dummy -j DROP
+-A DOCKER-BRIDGE -o br-dummy -j DOCKER
+-A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-FORWARD -j DOCKER-CT
+-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-BRIDGE
+-A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
+-A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
+-A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
+COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -0,0 +1,37 @@
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-BRIDGE - [0:0]
+:DOCKER-CT - [0:0]
+:DOCKER-FORWARD - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+-A FORWARD -j DOCKER-FORWARD
+-A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
+-A DOCKER-BRIDGE -o br-dummy -j DOCKER
+-A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-FORWARD -j DOCKER-CT
+-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-BRIDGE
+-A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
+-A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
+-A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
+COMMIT