Docker Swarm Overlay encryption is broken in WSL2 #10029
Comments
This is definitely a problem, and seemingly not docker desktop, as it also happens with docker in Ubuntu in WSL2. We now have 2 separate machines at my work experiencing this problem. We can replicate by:
|
I think it is related to: But this was working in older builds. |
This started with docker 23.0.3 I believe. Downgrading to docker 23.0.2 fixes for now. |
Hi all, Moby (Docker) maintainer here. This is not a bug in Moby. Or rather, users are now experiencing this because we fixed a bug in Moby. Versions >= 23.0.3, >= 20.10.24 include a security patch in order to correctly fail to create encrypted overlay networks when encountering a lack of kernel support. Previous versions of Moby were silently failing to encrypt data; you thought it 'worked' because it passed data, but that data was in fact unencrypted. Please review these CVEs for more details:
The WSL2 kernel will need to be built with the |
We omit xt_u32 as it's optional; since we will remove support for this module in the future, it's simpler to check for xt_bpf, which will become the new baseline. Related issues: * microsoft/WSL#10029 (comment) * docker/for-win#13450 (comment) Signed-off-by: Bjorn Neergaard <[email protected]>
We omit xt_u32 as it's optional; since we will remove support for this module in the future, it's simpler to check for xt_bpf, which will become the new baseline. Related issues: * microsoft/WSL#10029 (comment) * docker/for-win#13450 (comment) Signed-off-by: Bjorn Neergaard <[email protected]> (cherry picked from commit 1910fdd) Signed-off-by: Bjorn Neergaard <[email protected]>
Will anyone on the WSL team give an indication of xt_bpf being added to the kernel by default? Are WSL interested in providing a network encryption option that is available by default? Has Docker got an internal ticket from MS on this? |
NETFILTER_XT_MATCH_BPF=m NETFILTER_XT_MATCH_U32=m BPF matching applies a linux socket filter to each packet and accepts those for which the filter returns non-zero. u32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. The specification of what to extract is general enough to skip over headers with lengths stored in the packet, as in IP or TCP header lengths. Enabling these configs as modules to support Docker Swarm overlay encryption. Link: microsoft/WSL#10029 Signed-off-by: Kelsey Steele <[email protected]>
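The maintainer's comment above explains that Moby >= 23.0.3 / >= 20.10.24 now refuses to create an encrypted overlay network when the kernel cannot back it, and the kernel commit message above shows the two options that restore support (NETFILTER_XT_MATCH_BPF and NETFILTER_XT_MATCH_U32 as modules). The script below is an added example for this thread; it is not code from the WSL issue, from Moby or from the WSL2 kernel tree. It reads the running kernel's config and reports whether xt_bpf (the match Moby treats as the baseline) is available, so the check can be run before a stack with `encrypted: ''` is deployed rather than discovered through rejected tasks. The function names and the two sample configs it demonstrates on are constructed for the example.

```shell
#!/bin/sh
# Added example for microsoft/WSL#10029; not code from the issue, Moby or the
# WSL2-Linux-Kernel tree. Checks whether the running kernel provides the
# iptables match that Moby >= 23.0.3 / >= 20.10.24 requires for encrypted
# overlay networks (xt_bpf; xt_u32 is the older, optional match).
# Function names and the sample configs are constructed for this example.

# check_kernel_config FILE
# Reads a plain-text kernel config and returns 0 when xt_bpf is built in (=y)
# or built as a module (=m), 1 otherwise. xt_u32 is reported but not required.
check_kernel_config() {
    cfg="$1"
    bpf=$(sed -n 's/^CONFIG_NETFILTER_XT_MATCH_BPF=//p' "$cfg")
    u32=$(sed -n 's/^CONFIG_NETFILTER_XT_MATCH_U32=//p' "$cfg")
    echo "xt_bpf: ${bpf:-not set}   xt_u32: ${u32:-not set}"
    case "$bpf" in
        y|m) return 0 ;;
        *)   return 1 ;;
    esac
}

# find_kernel_config
# Prints the path of a plain-text copy of the running kernel's config:
# /proc/config.gz (what the WSL2 kernel exposes) or /boot/config-<release>.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        echo "kernel config not readable; try: modprobe -n xt_bpf" >&2
        return 1
    fi
}

# preflight
# Runs the check against the live kernel: 0 means encrypted overlays can be
# created, 1 means Docker >= 23.0.3 will reject them (older Docker would have
# passed the traffic unencrypted instead).
preflight() {
    cfg=$(find_kernel_config) || return 1
    if check_kernel_config "$cfg"; then
        echo "OK: kernel can back encrypted overlay networks"
    else
        echo "FAIL: xt_bpf missing; encrypted overlay creation will be rejected"
        return 1
    fi
}

# write_sample_configs
# Constructed configs for an offline demonstration: old.config mirrors the
# 5.15.90.1 WSL2 kernel from the report (neither match), new.config mirrors
# the kernel commit that enables both as modules. Prints the directory.
write_sample_configs() {
    dir=$(mktemp -d)
    printf 'CONFIG_NETFILTER=y\n# CONFIG_NETFILTER_XT_MATCH_BPF is not set\n' > "$dir/old.config"
    printf 'CONFIG_NETFILTER=y\nCONFIG_NETFILTER_XT_MATCH_BPF=m\nCONFIG_NETFILTER_XT_MATCH_U32=m\n' > "$dir/new.config"
    echo "$dir"
}

# Offline demonstration on the constructed configs; call preflight for the live kernel.
d=$(write_sample_configs)
for f in old new; do
    printf '%s.config -> ' "$f"
    check_kernel_config "$d/$f.config" || echo "  (encrypted overlays would be rejected)"
done
```

Inside a WSL2 distro, `preflight` is the call that matters: a FAIL there means the overlay traffic would never have been protected on that kernel, which is exactly what the Moby patch now surfaces as an error instead of hiding.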
This issue has been automatically closed since it has not had any activity for the past year. If you're still experiencing this issue please re-file this as a new issue or feature request. Thank you! |
Windows Version
Microsoft Windows [Version 10.0.22621.1555]
WSL Version
1.2.5.0
Are you using WSL 1 or WSL 2?
Kernel Version
5.15.90.1
Distro Version
No response
Other Software
Docker Desktop (Windows) 4.18.0 (104112)
Repro Steps
using a compose file with an encrypted overlay network like this:
```yaml
version: '3.8'
services:
  nginx:
    image: nginx:latest
    ports:
      - "8081:80"
networks:
  default:
    driver: overlay
    attachable: true
    driver_opts:
      encrypted: ''
```
in docker swarm start it as a service:
```
docker stack deploy -c docker-compose.yml test
```
Expected Behavior
This used to work in an older version of Docker Desktop.
Actual Behavior
The service is not starting and when I inspect using:
```
docker stack ps --no-trunc test
```
I am getting the following errors:
```
ID                          NAME           IMAGE                                                                                      NODE             DESIRED STATE   CURRENT STATE                     ERROR                                                                                                  PORTS
e678y0f1lns28mft1bbz2ok66   test_nginx.1   nginx:latest@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94   docker-desktop   Ready           Rejected less than a second ago   "network sandbox join failed: subnet sandbox join failed for "10.0.22.0/24": 2 errors occurred:
	* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1054208 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `u32':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))
	* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m bpf --bytecode 6,177 0 0 0,64 0 0 12,84 0 0 4294967040,21 1 0 1054208,6 0 0 0,6 0 0 4294967295 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `bpf':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))
"
wylyqfg2n6z5w69e49yz35ikj    \_ test_nginx.1   nginx:latest@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94   docker-desktop   Shutdown        Rejected 5 seconds ago            "network sandbox join failed: subnet sandbox join failed for "10.0.22.0/24": 2 errors occurred:
	* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1054208 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `u32':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))
	* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m bpf --bytecode 6,177 0 0 0,64 0 0 12,84 0 0 4294967040,21 1 0 1054208,6 0 0 0,6 0 0 4294967295 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `bpf':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))
"
80gpjclyy4uryyilwyyhdspe6    \_ test_nginx.1   nginx:latest@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94   docker-desktop   Shutdown        Rejected 5 seconds ago            "network sandbox join failed: subnet sandbox join failed for "10.0.22.0/24": 2 errors occurred:
	* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1054208 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `u32':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))
	* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m bpf --bytecode 6,177 0 0 0,64 0 0 12,84 0 0 4294967040,21 1 0 1054208,6 0 0 0,6 0 0 4294967295 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `bpf':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))
"
```
Diagnostic Logs
No response
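The rejected tasks in the report above carry the actual root cause inside the ERROR column: iptables could not load the `u32` and `bpf` matches, so the mangle MARK rule that Docker's overlay encryption depends on was never installed. The script below is an added example, not code from the issue, from Docker or from WSL; it reads that kind of `docker stack ps --no-trunc` output and turns it into a diagnosis of which kernel match modules are missing, with a non-zero exit status whenever encryption could not be enforced. The sample text is a constructed excerpt of the output shown above and the function names are the example's own.

```shell
#!/bin/sh
# Added example for microsoft/WSL#10029; not code from the issue, Docker or WSL.
# Parses the error text from `docker stack ps --no-trunc` and reports which
# iptables match modules the kernel lacks, i.e. why the encrypted overlay's
# mangle MARK rule could not be installed. Sample text and function names are
# constructed for this example.

# missing_iptables_matches < TEXT
# Prints, de-duplicated and one per line, each match module named in an
# iptables "Couldn't load match `NAME'" message.
missing_iptables_matches() {
    bt='`'
    grep -o "Couldn't load match ${bt}[a-z0-9_]*'" \
        | sed "s/^Couldn't load match ${bt}//; s/'\$//" \
        | sort -u
}

# diagnose < TEXT
# Maps each missing match to the kernel option that provides it. Returns 1
# when the output shows the encryption rules could not be installed, 0 when
# no such failure is reported.
diagnose() {
    found=$(missing_iptables_matches)
    if [ -z "$found" ]; then
        echo "no missing iptables match modules reported"
        return 0
    fi
    for m in $found; do
        opt=$(echo "$m" | tr '[:lower:]' '[:upper:]')
        echo "kernel lacks xt_$m (CONFIG_NETFILTER_XT_MATCH_$opt): the mangle MARK rule for overlay encryption could not be installed"
    done
    echo "verdict: this overlay cannot be encrypted on this kernel; Docker >= 23.0.3 rejects the task rather than sending cleartext"
    return 1
}

# sample_output
# Constructed excerpt of the reported `docker stack ps --no-trunc test` error text.
sample_output() {
    cat <<'EOF'
e678y0f1lns28mft1bbz2ok66 test_nginx.1 nginx:latest docker-desktop Ready Rejected less than a second ago "network sandbox join failed: subnet sandbox join failed for "10.0.22.0/24": 2 errors occurred:
* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1054208 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `u32':No such file or directory
Try `iptables -h' or 'iptables --help' for more information. (exit status 2))
* could not install mangle rule: (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp --dport 4789 -m bpf --bytecode 6,177 0 0 0,64 0 0 12,84 0 0 4294967040,21 1 0 1054208,6 0 0 0,6 0 0 4294967295 -j MARK --set-mark 13681891: iptables v1.8.7 (legacy): Couldn't load match `bpf':No such file or directory
Try `iptables -h' or 'iptables --help' for more information. (exit status 2))
"
EOF
}

# Demonstration on the constructed sample; exit status 1 is the expected result.
# Against a live swarm: docker stack ps --no-trunc test | diagnose
sample_output | diagnose || echo "exit status $?"
```

Piping the live `docker stack ps --no-trunc <stack>` output through `diagnose` gives the same verdict for a real deployment; a zero exit status only says no load failure was reported, it does not by itself prove the overlay is encrypted.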