Fix mirrored networking loopback endpoint creation failure #14081
## Problem
After installing KB5074109 (January 2026), WSL mirrored networking fails to
create the loopback endpoint, causing localhost (127.0.0.1) TCP/UDP connections
to fail. Users see the loopback0 interface in state DOWN with NO-CARRIER.
## Root Cause Analysis
HNS loopback networks no longer accept firewall policies when creating
endpoints. Direct HCN API testing confirms:
- Test 1: Endpoint WITH firewall policy -> 0x803B001B (FAIL)
  Error: 'Invalid JSON document string. {{Policies.VmCreatorId,UnknownField}}'
- Test 2: Endpoint with VirtualNetwork field -> 0x803B001B (FAIL)
  Error: 'Invalid JSON document string. {{VirtualNetwork,UnknownField}}'
- Test 3: Endpoint with HostComputeNetwork only -> 0x00000000 (SUCCESS)
The current code in MirroredNetworking::AddNetworkEndpoint() creates all
endpoints with firewall policies when m_config.FirewallConfig.Enabled() is
true (the default), causing loopback endpoint creation to fail silently.
## Solution
- Add IsLoopback field to HNSNetwork struct to detect loopback networks
- Skip firewall policies when creating endpoints on loopback networks
- Use HostComputeNetwork instead of VirtualNetwork for loopback endpoints
## Testing
Verified on Windows Build 26220.7535:
1. HCN API tests confirm endpoint creation succeeds without firewall policies
2. WSL localhost TCP connectivity works when loopback0 is properly configured
Fixes microsoft#14080
Related: microsoft#14063
@microsoft-github-policy-service agree
Pull request overview
This PR fixes a critical bug in mirrored networking mode where loopback endpoint creation fails after Windows update KB5074109. The fix detects loopback networks and uses simplified endpoint settings without firewall policies to avoid HCN error 0x803B001B.
Changes:
- Added loopback network detection logic to skip firewall policy application
- Created separate endpoint configuration path for loopback networks using HostComputeNetwork
- Extended HNSNetwork schema to include IsLoopback property for network type detection
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/windows/service/exe/MirroredNetworking.cpp | Added conditional logic to detect loopback networks and configure endpoints without firewall policies, using HostComputeNetwork instead of VirtualNetwork |
| src/shared/inc/hns_schema.h | Added IsLoopback boolean field to HNSNetwork struct with JSON serialization support |
lgtm

Is this the same as issue #13454

Doesn't look like it, that is more generic and solvable by resetting the adapter as the reply here

@keith-horton - does this look reasonable to you? Do you have any context on the Windows change that recently broke this?

The fix referred to in that KB article was not in WSL - it was in other parts of the TCPIP / vswitch stack - where we addressed a perf issue, but the NBL (kernel structure representing one or more packets) could have fields that some VPN vendors did not expect (though was perfectly legal) -- which was exercised in the WSL path. So we had to revert that and fix it in a way that did not break some VPNs. So I don't know what would have changed that would have affected the above. The author of this PR is correct: Hyper-V Firewall rules do not affect the loopback path.
keith-horton
left a comment
Thank you for doing this investigation and testing.
WSL supports older versions of Windows that do not support Hyper-V Firewall. This looks correct to me - minus the change I noted below.
| hnsEndpoint.Policies.emplace_back(std::move(endpointFirewallPolicy)); | ||
| endpointSettings = ToJsonW(hnsEndpoint); | ||
| } | ||
| else if (isLoopbackNetwork) |
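Review bot: The `else if (isLoopbackNetwork)` on the last line is only reached when the condition guarding the block above it is false, and that block is the one that appends `endpointFirewallPolicy`. For the fix to take effect with the firewall enabled, that first condition has to exclude loopback networks, and this branch should state its own precondition explicitly rather than inherit it from branch order. Because this branch creates an endpoint without the firewall policy, keep its test as narrow as possible so that no non-loopback endpoint can reach it.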
can you make this to be:
else if (m_config.FirewallConfig.Enabled() && isLoopbackNetwork)
?
The else block exists when !m_config.FirewallConfig -- i.e., versions of Windows that do not have support for Hyper-V Firewall.
Sorry, I don't see how this is resolved.
| // Loopback networks require HostComputeNetwork (not VirtualNetwork) and don't support policies | ||
| hns::HostComputeEndpoint hnsEndpoint{}; | ||
| hnsEndpoint.HostComputeNetwork = NetworkId; | ||
| hnsEndpoint.SchemaVersion.Major = 2; |
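Review bot: The comment on the first line states that loopback networks "don't support policies" as a general fact, while the PR description reports it as behaviour observed after KB5074109 and verified on build 26220.7535. Say that in the comment and reference the issue there, so a later reader knows which HNS behaviour this special case depends on and can re-check it when that behaviour changes.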
nit: assuming these version numbers are hardcoded elsewhere too. Would be good to declare a named constant that can be repeatedly used
yeah I worry a little bit about this schema version, do we know everywhere that supports mirrored networking supports 2.16?
| hnsEndpoint.Policies.emplace_back(std::move(endpointFirewallPolicy)); | ||
| endpointSettings = ToJsonW(hnsEndpoint); | ||
| } | ||
| else if (isLoopbackNetwork) |
Sorry, I don't see how this is resolved.
Hi @keith-horton, I updated this in commit c61ba69 - the condition now reads: `else if (m_config.FirewallConfig.Enabled() && isLoopbackNetwork)`. The diff you're viewing is marked "Outdated" which shows the old code. Let me know if there's anything else needed!
keith-horton
left a comment
Great. Thanks for doing this!
| // HostComputeNetwork instead of VirtualNetwork in the endpoint settings. | ||
| // See: https://github.com/microsoft/WSL/issues/14080 | ||
| const bool isLoopbackNetwork = properties.IsLoopback; | ||
| if (isLoopbackNetwork) |
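Review bot: `isLoopbackNetwork` on the third line is a direct copy of `properties.IsLoopback`, so the decision to create an endpoint without firewall policies rests on that one field as reported in the network properties. Document next to it what value it takes when the properties do not carry the field, and make sure that case resolves to false so that the policy-bearing path stays the default.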
@benm-dev - should this be moved into the else if below?
Summary of the Pull Request
Fix loopback endpoint creation failure in mirrored networking mode after KB5074109.
PR Checklist
Detailed Description
After KB5074109, HNS loopback networks reject firewall policies when creating endpoints, returning error 0x803B001B. This fix detects loopback networks via `IsLoopback` property and uses simplified endpoint settings without policies.
Validation Steps Performed