
Deny guest binds to host ephemeral port range in mirrored mode #40597

Merged
FetoiuCatalin merged 2 commits into master from user/cfetoiu/deny_host_ephemeral_range on May 22, 2026


Conversation

FetoiuCatalin (Contributor) commented May 19, 2026

Summary of the Pull Request

In mirrored mode, we pre-reserve a range for the guest to be used as the guest ephemeral port range, but we don't prevent the guest from explicitly binding to the host ephemeral range.
Update the wsl service to query the host ephemeral range and deny guest binds to that range.

Validation Steps Performed

Manual testing of binds to non-ephemeral ports, host ephemeral port range and guest ephemeral port range.
Added new automated tests to cover the fixed scenario
Ran existing Network Tests, which include multiple port tracker/bind tests

Copilot AI review requested due to automatic review settings May 19, 2026 18:47
Copilot AI (Contributor) left a comment

Pull request overview

Note: Copilot was unable to run its full agentic suite in this review.

Adds enforcement in mirrored networking mode to deny guest binds to ports within the host's TCP/UDP ephemeral port ranges (except when those ports also fall in the guest's own reserved ephemeral range), preventing port conflicts with host applications.

Changes:

  • Query host TCP/UDP dynamic (ephemeral) port ranges from WMI when creating the guest network service and store them on the service instance.
  • Reject guest port allocation requests for ports that lie in the host ephemeral range but outside the guest's reserved range.
  • Add two new mirrored-mode tests verifying that TCP and UDP binds to host-ephemeral-range ports are denied.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File / Description
src/windows/service/exe/WslCoreGuestNetworkService.h: Declares new helpers and members for storing host ephemeral port ranges.
src/windows/service/exe/WslCoreGuestNetworkService.cpp: Implements WMI-based ephemeral range lookup and new denial logic in OnPortAllocationRequest.
test/windows/NetworkTests.cpp: Adds two mirrored-mode tests for TCP and UDP host-ephemeral-port denial.

Comment thread src/windows/service/exe/WslCoreGuestNetworkService.cpp Outdated
Comment thread src/windows/service/exe/WslCoreGuestNetworkService.cpp Outdated
Comment thread src/windows/service/exe/WslCoreGuestNetworkService.h
Comment thread test/windows/NetworkTests.cpp Outdated
Comment thread src/windows/service/exe/WslCoreGuestNetworkService.cpp
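The rule described in the PR summary above and in the Copilot overview (deny a guest bind that lands in the host's ephemeral range unless the port is also inside the range pre-reserved for the guest) is easy to get wrong at the boundaries, so here it is as an added, stand-alone example. This is not code from the WSL repository: `PortRange`, `EphemeralPolicy`, `EvaluateGuestBind` and `ParseDynamicPortRange` are names chosen for this illustration, the guest reserved range (60000, 4096 ports) is hypothetical because the PR does not state it, and the sample `netsh` text is constructed. The PR reads the host ranges from WMI; the example parses `netsh int ipv4 show dynamicport tcp` output instead because that is the plain-text form a practitioner uses to check which range the host actually has configured.

```cpp
// Added example, not code from the WSL repository: models the bind-denial rule
// this PR describes so the policy can be exercised stand-alone, without WMI or
// a running guest. All type and function names are assumptions.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <sstream>
#include <stdexcept>
#include <string>

enum class Proto { Tcp, Udp };

// Inclusive range [start, start + count - 1], the shape in which Windows reports
// a dynamic (ephemeral) port range: a start port and a number of ports.
struct PortRange {
    uint16_t start;
    uint32_t count;
    bool contains(uint16_t port) const {
        const uint32_t p = port;
        return p >= start && p < static_cast<uint32_t>(start) + count;
    }
};

// Host ephemeral ranges per protocol plus the range pre-reserved for the guest.
// Field names are hypothetical, not the service's actual members.
struct EphemeralPolicy {
    PortRange hostTcp;
    PortRange hostUdp;
    PortRange guestReserved;  // guest's own ephemeral range, carved out of the host's
};

enum class Verdict { Allow, DenyHostEphemeral };

// The rule from the PR: a guest bind into the host's ephemeral range is refused
// unless the port also lies in the range reserved for the guest. Any other port
// (e.g. an ordinary service port such as 8080) is left to the existing checks.
Verdict EvaluateGuestBind(const EphemeralPolicy& policy, Proto proto, uint16_t port) {
    const PortRange& host = (proto == Proto::Tcp) ? policy.hostTcp : policy.hostUdp;
    if (host.contains(port) && !policy.guestReserved.contains(port)) {
        return Verdict::DenyHostEphemeral;
    }
    return Verdict::Allow;
}

static std::string Trim(std::string s) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    s.erase(s.begin(), std::find_if(s.begin(), s.end(), notSpace));
    s.erase(std::find_if(s.rbegin(), s.rend(), notSpace).base(), s.end());
    return s;
}

// Parse the "Start Port" / "Number of Ports" lines printed by
// `netsh int ipv4 show dynamicport tcp` (or udp). Returns nullopt when a field
// is missing, non-numeric, or the range does not fit in 0..65535.
std::optional<PortRange> ParseDynamicPortRange(const std::string& text) {
    std::optional<uint64_t> start, count;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        const auto colon = line.find(':');
        if (colon == std::string::npos) continue;  // banner and separator lines
        const std::string key = Trim(line.substr(0, colon));
        const std::string value = Trim(line.substr(colon + 1));
        try {
            if (key == "Start Port") start = std::stoull(value);
            else if (key == "Number of Ports") count = std::stoull(value);
        } catch (const std::exception&) {
            return std::nullopt;  // invalid_argument / out_of_range from stoull
        }
    }
    if (!start || !count || *count == 0 || *start > 65535 || *start + *count > 65536) {
        return std::nullopt;
    }
    return PortRange{static_cast<uint16_t>(*start), static_cast<uint32_t>(*count)};
}

// Constructed sample of netsh output in the Windows default configuration.
const char* const kSampleNetshTcp =
    "\r\nProtocol tcp Dynamic Port Range\r\n"
    "---------------------------------\r\n"
    "Start Port      : 49152\r\n"
    "Number of Ports : 16384\r\n\r\n";

int main() {
    const PortRange hostTcp = ParseDynamicPortRange(kSampleNetshTcp).value();
    // Guest reserved range is hypothetical: the PR does not state the real one.
    const EphemeralPolicy policy{hostTcp, hostTcp, PortRange{60000, 4096}};
    const uint16_t probes[] = {8080, 49151, 49152, 59999, 60000, 64095, 64096, 65535};
    for (uint16_t p : probes) {
        const bool allowed = EvaluateGuestBind(policy, Proto::Tcp, p) == Verdict::Allow;
        std::printf("tcp %5u -> %s\n", static_cast<unsigned>(p),
                    allowed ? "allow" : "deny (host ephemeral)");
    }
    return 0;
}
```

The probe list is chosen to sit on each boundary: 49151 is just below the host range and allowed, 49152 is the first host ephemeral port and denied, 60000 through 64095 are inside the hypothetical guest carve-out and allowed again, and 64096 and 65535 fall back to denied. Because the policy is keyed per protocol, a host whose UDP dynamic range differs from its TCP range is handled by supplying a different `hostUdp`.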
@FetoiuCatalin FetoiuCatalin marked this pull request as ready for review May 19, 2026 21:09
@FetoiuCatalin FetoiuCatalin requested a review from a team as a code owner May 19, 2026 21:09
Comment thread src/windows/service/exe/WslCoreGuestNetworkService.cpp Outdated
Comment thread src/windows/service/exe/WslCoreGuestNetworkService.cpp
Comment thread src/windows/service/exe/WslCoreGuestNetworkService.h
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread src/windows/service/exe/WslCoreGuestNetworkService.cpp
@FetoiuCatalin FetoiuCatalin merged commit d193661 into master May 22, 2026
12 checks passed
@FetoiuCatalin FetoiuCatalin deleted the user/cfetoiu/deny_host_ephemeral_range branch May 22, 2026 19:57
4 participants