Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: linux-signed-hwe-5.19 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed-hwe-5.19 in Ubuntu.
https://bugs.launchpad.net/bugs/2022053
Title:
docker container cannot reach host with firewall enabled after kernel upgrade
Status in linux-signed-hwe-5.19 package in Ubuntu:
Confirmed
Bug description:
$ lsb_release -rd
Description: Ubuntu 22.04.2 LTS
Release: 22.04
I have the following kernels installed:
$ apt list --installed | grep linux-image
linux-image-5.19.0-41-generic/jammy-updates,jammy-security,now 5.19.0-41.42~22.04.1 amd64 [installed,auto-removable]
linux-image-5.19.0-42-generic/jammy-updates,jammy-security,now 5.19.0-42.43~22.04.1 amd64 [installed,automatic]
linux-image-5.19.0-43-generic/jammy-updates,jammy-security,now 5.19.0-43.44~22.04.1 amd64 [installed,automatic]
linux-image-generic-hwe-22.04/jammy-updates,jammy-security,now 5.19.0.43.44~22.04.17 amd64 [installed,automatic]
The following setup worked with 41 (and still works when I just boot
using that kernel) but broke with 42 (and does not work in 43 either).
I have docker installed (tried both version 23 and recently released
24).
I have ufw installed with the following extra setup:
$ sudo cat /etc/ufw/after.rules
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-after-input
# ufw-after-output
# ufw-after-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines
# Allow containers to access host
-A ufw-after-input -p tcp -m physdev --physdev-in veth+ -j ACCEPT -m comment --comment 'Allow_docker_tcp'
-A ufw-after-input -p udp -m physdev --physdev-in veth+ -j ACCEPT -m comment --comment 'Allow_docker_udp'
-A ufw-after-input -p icmp -m physdev --physdev-in veth+ -j ACCEPT -m comment --comment 'Allow_docker_icmp'
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Note those three rules for docker; these work in 41 but stop working
afterwards.
How to reproduce:
$ docker run --rm curlimages/curl http://172.17.0.1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:02:10 --:--:--     0
curl: (28) Failed to connect to 172.17.0.1 port 80 after 130429 ms: Couldn't connect to server
It times out after a long time. dmesg contains the following message:
[  872.069093] [UFW BLOCK] IN=docker0 OUT= MAC=02:42:55:c9:a5:6e:02:42:ac:11:00:03:08:00 SRC=172.17.0.3 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27268 DF PROTO=TCP SPT=56862 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
To explain docker networking:
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 34:48:ed:08:e1:f5 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
3: gpd0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 500
    link/none
4: wlp59s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:41:8c:c3:1d:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.138/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp59s0
       valid_lft 2519sec preferred_lft 2519sec
    inet6 fe80::cb8e:fe0e:6131:d3fc/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:55:c9:a5:6e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:55ff:fec9:a56e/64 scope link
       valid_lft forever preferred_lft forever
8: veth17e77be@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 72:cd:15:f8:84:2d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::70cd:15ff:fef8:842d/64 scope link
       valid_lft forever preferred_lft forever
$ brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.024255c9a56e       no              veth17e77be
$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "f17a627c3397d0aaf496b7cac59a23a902fe66e14f2e820cd097f313680ccb88",
        "Created": "2023-06-01T12:33:14.87479534+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "ddf92f77dbd1d50f798bc2a2eda9e813635a2382dd2b5d4f0d664e40d2e660c7": {
                "Name": "sad_cannon",
                "EndpointID": "3c646e4021de9cc824c5f2c88487be52c8694e5a3f0975ba13a2d55944391688",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
I tried:
* (works) remove the predicate -m physdev --physdev-in veth+
* (works) negate the predicate -m physdev ! --physdev-in veth+
* (does not work) replace the predicate with -m physdev --physdev-is-in
* (works) disable ufw completely
I am a noob when it comes to networking, so I don't know how else to
debug this. I can provide any extra information; I just need to be
told what to execute. Since this works with one kernel and does not
work with its next version, I assume this is the right place to report
it.
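The dmesg line quoted in the report is in the format ufw's LOG target writes; as an added example that is not part of the bug report, the following Python picks out the BLOCK entries for container-to-host traffic on docker0 (bridge name, subnet and gateway are taken from the report's ip addr output, the sample log lines are constructed), so the regression shows up in logs before a container's connect times out.

```python
import ipaddress
import re

# Constructed sample kernel log lines in the shape ufw's LOG target emits.
# The first mirrors the report; the other two are made up for contrast.
SAMPLE_DMESG = """\
[  872.069093] [UFW BLOCK] IN=docker0 OUT= MAC=02:42:55:c9:a5:6e:02:42:ac:11:00:03:08:00 SRC=172.17.0.3 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27268 DF PROTO=TCP SPT=56862 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
[  880.120000] [UFW BLOCK] IN=wlp59s0 OUT= MAC=24:41:8c:c3:1d:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.50 DST=192.168.0.138 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[  891.000000] [UFW AUDIT] IN=docker0 OUT= SRC=172.17.0.2 DST=172.17.0.1 LEN=40 PROTO=UDP SPT=5353 DPT=53
"""

# "[UFW BLOCK]", "[UFW AUDIT]", "[UFW ALLOW]" ... followed by KEY=VALUE tokens.
LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")


def parse_ufw_line(line):
    """Return {'action': ..., 'IN': ..., 'SRC': ..., ...} for a ufw log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True  # bare flags such as DF or SYN become True
    return rec


def blocked_container_to_host(lines, bridge="docker0",
                              subnet="172.17.0.0/16", gateway="172.17.0.1"):
    """Return BLOCK records whose source is a container on the bridge subnet
    and whose destination is the host's bridge address (the gateway)."""
    net = ipaddress.ip_network(subnet)
    hits = []
    for line in lines:
        rec = parse_ufw_line(line)
        if not rec or rec["action"] != "BLOCK" or rec.get("IN") != bridge:
            continue
        try:
            src = ipaddress.ip_address(rec.get("SRC", ""))
        except ValueError:
            continue  # malformed or missing SRC field: skip rather than crash
        if src in net and rec.get("DST") == gateway:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in blocked_container_to_host(SAMPLE_DMESG.splitlines()):
        print(f"container {rec['SRC']} -> host {rec['DST']} {rec['PROTO']}/{rec['DPT']} blocked")
```

A non-empty result while the ufw-after-input physdev rules are loaded is the symptom the report describes.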