
UDP connection tracker broken in 4.16.1, MAC #6699

@lowerpower

Description

  • [x] I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID:

Expected behavior

Datagrams sent to multiple UDP endpoints from a single socket (one source UDP port) should arrive at those endpoints.

Actual behavior

Datagrams sent to multiple UDP endpoints from a single socket (one source UDP port) all go to the first endpoint sent to, thus ignoring the target endpoint and using the source UDP port to route (likely in the connection tracker).

Information

  • macOS Version:
  • Intel chip or Apple chip: Intel
  • Docker Desktop Version: 4.16.1

Output of /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check

Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0038: is the connection to Docker working?
[PASS] DD0014: are the backend processes running?
[PASS] DD0007: is the backend responding?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0032: do Docker networks overlap with host IPs?
No fatal errors detected.

Steps to reproduce the behavior

  1. On the Intel Mac host, run tcpdump as follows:
sudo tcpdump udp port 7
  2. Enter the container and create a UDP connection to a UDP echo server with netcat, specifying a source port (port 9999 in the example), then send data:
nc -u -p 9999 192.168.2.7 7
echo
echo
ctrl-c
  3. Still in the container, create another UDP connection to any other UDP endpoint using the same source port, and send data:
nc -u -p 9999 192.168.2.7 8
echo
ctrl-c
  4. Examine the output of tcpdump on the Mac host:
ops@ops-mac-mini ~ % sudo tcpdump udp port 7
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
00:09:09.163566 IP 10.60.0.3.54044 > 192.168.2.7.echo: UDP, length 8
00:09:09.168005 IP 192.168.2.7.echo > 10.60.0.3.54044: UDP, length 8
00:09:13.053249 IP 10.60.0.3.54044 > 192.168.2.7.echo: UDP, length 9
00:09:13.056539 IP 192.168.2.7.echo > 10.60.0.3.54044: UDP, length 9
  5. Notice that all packets sent from the UDP source port inside the container go only to the first endpoint talked to by the Docker container; all other packets sent from this source port to any destination host:port will go to the original host:port.

  6. Also notice that this works correctly on all earlier versions of Docker Desktop, and works on the ARM version, just not Intel.

This is a serious problem, please fix ASAP.
