Missing kernel module - xt_u32

[johnbizokk]

Windows Version

Microsoft Windows [Version 10.0.19044.2604]

WSL Version

WSL version: 1.2.0.0

Are you using WSL 1 or WSL 2?

• WSL 2
• WSL 1

Kernel Version

5.15.90.1-microsoft-standard-WSL2

Distro Version

Ubuntu 20.04

Other Software

No response

Repro Steps

Update to the latest release available on the github releases page (1.2.0.0)

Expected Behavior

Previously available kernel modules still present in the system

Actual Behavior

Missing kernel modules disrupt the availability of some iptables rules and consequently block the docker swarm overlay networking with enabled encryption.

Diagnostic Logs

Checking kernel module availability

sudo modprobe xt_u32
modprobe: FATAL: Module xt_u32 not found in directory /lib/modules/5.15.90.1-microsoft-standard-WSL2

Not working in the latest release (docker-compose.yml)

networks:
  private-network:
    name: private-network
    driver: overlay
    driver_opts:
      encrypted: true
    attachable: true
    ipam:
      config:
        - subnet: "10.2.4.0/24"

Temporary fix (docker-compose.yml)

networks:
  private-network:
    name: private-network
    driver: overlay
    attachable: true
    ipam:
      config:
        - subnet: "10.2.4.0/24"

Journalctl logs for docker daemon

dockerd[699]: time="redacted" level=error msg="fatal task error" 
error="network sandbox join failed: subnet sandbox join failed for \"10.2.4.0/24\": 2 errors occurred: 

* could not install mangle rule:  (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp 
--dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048832 -j MARK |
--set-mark 13681891: iptables v1.8.4 (nf_tables): Couldn't load match u32':
No such file or directory Try iptables -h' or 'iptables --help' for more information. (exit status 2))

* could not install mangle rule:  (iptables failed: iptables --wait -t mangle -A OUTPUT -p udp 
--dport 4789 -m bpf --bytecode redacted -j MARK --set-mark 13681891: |
iptables v1.8.4 (nf_tables): Couldn't load match bpf':
No such file or directory 
Try iptables -h' or 'iptables --help' for more information. (exit status 2))" 
module=node/agent/taskmanager node.id=redacted service.id=redacted task.id=redacted

[OneBlue]

Thanks for reporting this @johnbizokk. WSL has never supported loadable kernel modules (so far), so what you're seeing is expected. Are you saying that this module was there before ? If so, can you share which WSL version had that module ?

[elsaco]

@johnbizokk WSL kernels are build with CONFIG_NETFILTER_XT_MATCH_U32 is not set. You need to build a custom kernel with all the netfiler options you'd like. See /proc/config.gz for what's available.

[microsoft-github-policy-service]

This issue has been automatically closed since it has not had any author activity for the past 7 days. If you're still experiencing this issue please re-open it.

Thank you!

[microsoft-github-policy-service]

This issue has been automatically closed since it has not had any author activity for the past 7 days. If you're still experiencing this issue please re-open it.

Thank you!

[neersighted]

This is a deficiency in WSL2 and caused by a security patch to Moby (Docker); see #10029 (comment) for more details.