** Tags added: kernel-daily-bug

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed-hwe-5.19 in Ubuntu.
https://bugs.launchpad.net/bugs/2022053

Title:
  docker container cannot reach host with firewall enabled after kernel
  upgrade

Status in linux-signed-hwe-5.19 package in Ubuntu:
  Confirmed

Bug description:
  $ lsb_release -rd
  Description:    Ubuntu 22.04.2 LTS
  Release:        22.04

  I have the following kernels installed:

  $ apt list --installed | grep linux-image
  linux-image-5.19.0-41-generic/jammy-updates,jammy-security,now 5.19.0-41.42~22.04.1 amd64 [installed,auto-removable]
  linux-image-5.19.0-42-generic/jammy-updates,jammy-security,now 5.19.0-42.43~22.04.1 amd64 [installed,automatic]
  linux-image-5.19.0-43-generic/jammy-updates,jammy-security,now 5.19.0-43.44~22.04.1 amd64 [installed,automatic]
  linux-image-generic-hwe-22.04/jammy-updates,jammy-security,now 5.19.0.43.44~22.04.17 amd64 [installed,automatic]

  The following setup worked with 41 (and still works when I just boot
  using that kernel) but broke with 42 (and does not work in 43 either).

  I have docker installed (tried both version 23 and the recently released
  24).

  I have ufw installed with the following extra setup:

  $ sudo cat /etc/ufw/after.rules
  #
  # rules.input-after
  #
  # Rules that should be run after the ufw command line added rules. Custom
  # rules should be added to one of these chains:
  #   ufw-after-input
  #   ufw-after-output
  #   ufw-after-forward
  #

  # Don't delete these required lines, otherwise there will be errors
  *filter
  :ufw-after-input - [0:0]
  :ufw-after-output - [0:0]
  :ufw-after-forward - [0:0]
  # End required lines

  # Allow containers to access host
  -A ufw-after-input -p tcp -m physdev --physdev-in veth+ -j ACCEPT -m comment --comment 'Allow_docker_tcp'
  -A ufw-after-input -p udp -m physdev --physdev-in veth+ -j ACCEPT -m comment --comment 'Allow_docker_udp'
  -A ufw-after-input -p icmp -m physdev --physdev-in veth+ -j ACCEPT -m comment --comment 'Allow_docker_icmp'

  # don't log noisy services by default
  -A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
  -A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
  -A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

  # don't log noisy broadcast
  -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

  # don't delete the 'COMMIT' line or these rules won't be processed
  COMMIT

  Note those three rules for docker; these work in 41 but stop working
  afterwards.

  How to reproduce:

  $ docker run --rm curlimages/curl http://172.17.0.1
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:--  0:02:10 --:--:--     0
  curl: (28) Failed to connect to 172.17.0.1 port 80 after 130429 ms: Couldn't connect to server

  It times out after a long time. dmesg contains the following message:

  [  872.069093] [UFW BLOCK] IN=docker0 OUT= MAC=02:42:55:c9:a5:6e:02:42:ac:11:00:03:08:00 SRC=172.17.0.3 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27268 DF PROTO=TCP SPT=56862 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

  To explain docker networking:

  $ ip addr
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
      link/ether 34:48:ed:08:e1:f5 brd ff:ff:ff:ff:ff:ff
      altname enp0s31f6
  3: gpd0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 500
      link/none
  4: wlp59s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
      link/ether 24:41:8c:c3:1d:01 brd ff:ff:ff:ff:ff:ff
      inet 192.168.0.138/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp59s0
         valid_lft 2519sec preferred_lft 2519sec
      inet6 fe80::cb8e:fe0e:6131:d3fc/64 scope link noprefixroute
         valid_lft forever preferred_lft forever
  6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
      link/ether 02:42:55:c9:a5:6e brd ff:ff:ff:ff:ff:ff
      inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
         valid_lft forever preferred_lft forever
      inet6 fe80::42:55ff:fec9:a56e/64 scope link
         valid_lft forever preferred_lft forever
  8: veth17e77be@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
      link/ether 72:cd:15:f8:84:2d brd ff:ff:ff:ff:ff:ff link-netnsid 0
      inet6 fe80::70cd:15ff:fef8:842d/64 scope link
         valid_lft forever preferred_lft forever

  $ brctl show
  bridge name     bridge id               STP enabled     interfaces
  docker0         8000.024255c9a56e       no              veth17e77be

  $ docker network inspect bridge
  [
      {
          "Name": "bridge",
          "Id": "f17a627c3397d0aaf496b7cac59a23a902fe66e14f2e820cd097f313680ccb88",
          "Created": "2023-06-01T12:33:14.87479534+02:00",
          "Scope": "local",
          "Driver": "bridge",
          "EnableIPv6": false,
          "IPAM": {
              "Driver": "default",
              "Options": null,
              "Config": [
                  {
                      "Subnet": "172.17.0.0/16",
                      "Gateway": "172.17.0.1"
                  }
              ]
          },
          "Internal": false,
          "Attachable": false,
          "Ingress": false,
          "ConfigFrom": {
              "Network": ""
          },
          "ConfigOnly": false,
          "Containers": {
              "ddf92f77dbd1d50f798bc2a2eda9e813635a2382dd2b5d4f0d664e40d2e660c7": {
                  "Name": "sad_cannon",
                  "EndpointID": "3c646e4021de9cc824c5f2c88487be52c8694e5a3f0975ba13a2d55944391688",
                  "MacAddress": "02:42:ac:11:00:02",
                  "IPv4Address": "172.17.0.2/16",
                  "IPv6Address": ""
              }
          },
          "Options": {
              "com.docker.network.bridge.default_bridge": "true",
              "com.docker.network.bridge.enable_icc": "true",
              "com.docker.network.bridge.enable_ip_masquerade": "true",
              "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
              "com.docker.network.bridge.name": "docker0",
              "com.docker.network.driver.mtu": "1500"
          },
          "Labels": {}
      }
  ]

  I tried:
  * (works) remove the predicate -m physdev --physdev-in veth+
  * (works) negate the predicate -m physdev ! --physdev-in veth+
  * (does not work) replace the predicate with -m physdev --physdev-is-in
  * (works) disabling ufw completely

  I am a noob when it comes to networking, so I don't know how else to
  debug this. I can provide any extra information; I just need to be told
  what to execute. Since this works with one kernel and does not work with
  its next version, I assume this is the right place to report it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed-hwe-5.19/+bug/2022053/+subscriptions
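Added example, not part of the bug report: a small sh/awk check that pulls out the [UFW BLOCK] entries matching the symptom described above, i.e. packets that arrived on the Docker bridge, have an empty OUT= (so they were dropped on the input path, where the ufw-after-input physdev rules are meant to accept them, rather than on the forward path) and are addressed to the bridge's host-side IP. The bridge name and address are parameters with defaults taken from the report; the second and third sample log lines are constructed to show what does not match.

```shell
#!/bin/sh
# Added example (not from the bug report): list [UFW BLOCK] entries for packets
# that came in on the Docker bridge, had no output interface (INPUT path, not
# FORWARD) and were destined for the host's own bridge address.
# Usage: container_to_host_blocks [bridge] [host_bridge_ip]  < kern.log

container_to_host_blocks() {
    br="${1:-docker0}"
    gw="${2:-172.17.0.1}"
    awk -v br="$br" -v gw="$gw" '
        /\[UFW BLOCK\]/ {
            split("", kv)                      # clear the key/value map per line
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")             # fields like DF / SYN have no "="
                if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            # OUT= is empty for locally delivered packets, i.e. INPUT chain drops
            if (kv["IN"] == br && kv["OUT"] == "" && kv["DST"] == gw)
                print kv["SRC"], kv["DST"], kv["PROTO"], kv["DPT"]
        }'
}

# Constructed sample: the first line is the entry quoted in the report; the
# other two are made-up entries that must not match (LAN traffic to the host,
# and a container packet being forwarded out of the wireless interface).
SAMPLE_LOG='[  872.069093] [UFW BLOCK] IN=docker0 OUT= MAC=02:42:55:c9:a5:6e:02:42:ac:11:00:03:08:00 SRC=172.17.0.3 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27268 DF PROTO=TCP SPT=56862 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
[  880.000000] [UFW BLOCK] IN=wlp59s0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.50 DST=192.168.0.138 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[  890.000000] [UFW BLOCK] IN=docker0 OUT=wlp59s0 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=172.17.0.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Prints one line per container-to-host drop: SRC DST PROTO DPT
printf '%s\n' "$SAMPLE_LOG" | container_to_host_blocks docker0 172.17.0.1
```

On a live system, feed it the kernel log instead of the sample (for example `journalctl -k --no-pager | container_to_host_blocks`); if every hit has OUT= empty, the ufw-after-input rules are the ones to look at, and `sudo iptables -L ufw-after-input -v -n` will show whether the physdev ACCEPT rules are seeing any packets at all.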