Docker 28.x Not Forwarding Broadcast UDP to Containers

General
, , ,
1

In Docker 28.0.4, containers attached to the default bridge network are no longer receiving broadcast UDP packets (e.g., to 255.255.255.255), even though the same setup works perfectly on Docker 27.3.1. This appears to be a change in behavior — possibly a regression — and I’m looking to confirm if others are experiencing the same.

:white_check_mark: Working Setup (Docker 27.3.1)

  • Docker forwards broadcast UDP packets from the host to the container.
  • Verified using tcpdump:
    • Packet received on eno1
    • Forwarded through br-xxxx and vethxxxx to container
15:27:02.251511 eno1  B   IP 10.121.162.29.d-fence > 255.255.255.255.d-fence: UDP, length 94
        0x0000:  4500 007a 15b6 4000 4011 7827 0a79 a21d  E..z..@.@.x'.y..
        0x0010:  ffff ffff 216b 216b 0066 4617 0602 0302  ....!k!k.fF.....
        0x0020:  bfea dd47 6d76 750b 2c8f 94e8 2fb4 466d  ...Gmvu.,.../.Fm
        0x0030:  0001 0457 0035 0101 0010 436c 7573 7465  ...W.5....Cluste
        0x0040:  7233 5f50 5253 5465 7374 0000 0000 2b01  r3_PRSTest....+.
        0x0050:  02bf eadd 476d 7675 0b2c 8f94 e82f b446  ....Gmvu.,.../.F
        0x0060:  6d00 0100 0b50 3230 3231 3034 3038 3031  m....P2021040801
        0x0070:  1004 0a79 a21d b216 ffff                 ...y......
15:27:02.251666 br-7ec4705f8462 Out IP localhost.localdomain.39722 > 172.20.0.3.d-fence: UDP, length 94
        0x0000:  4500 007a f34b 4000 4011 eefa ac14 0001  E..z.K@.@.......
        0x0010:  ac14 0003 9b2a 216b 0066 58a4 0602 0302  .....*!k.fX.....
        0x0020:  bfea dd47 6d76 750b 2c8f 94e8 2fb4 466d  ...Gmvu.,.../.Fm
        0x0030:  0001 0457 0035 0101 0010 436c 7573 7465  ...W.5....Cluste
        0x0040:  7233 5f50 5253 5465 7374 0000 0000 2b01  r3_PRSTest....+.
        0x0050:  02bf eadd 476d 7675 0b2c 8f94 e82f b446  ....Gmvu.,.../.F
        0x0060:  6d00 0100 0b50 3230 3231 3034 3038 3031  m....P2021040801
        0x0070:  1004 0a79 a21d b216 ffff                 ...y......
15:27:02.251670 veth5938307 Out IP localhost.localdomain.39722 > 172.20.0.3.d-fence: UDP, length 94
        0x0000:  4500 007a f34b 4000 4011 eefa ac14 0001  E..z.K@.@.......
        0x0010:  ac14 0003 9b2a 216b 0066 58a4 0602 0302  .....*!k.fX.....
        0x0020:  bfea dd47 6d76 750b 2c8f 94e8 2fb4 466d  ...Gmvu.,.../.Fm
        0x0030:  0001 0457 0035 0101 0010 436c 7573 7465  ...W.5....Cluste
        0x0040:  7233 5f50 5253 5465 7374 0000 0000 2b01  r3_PRSTest....+.
        0x0050:  02bf eadd 476d 7675 0b2c 8f94 e82f b446  ....Gmvu.,.../.F
        0x0060:  6d00 0100 0b50 3230 3231 3034 3038 3031  m....P2021040801
        0x0070:  1004 0a79 a21d b216 ffff                 ...y......

:cross_mark: Broken Setup (Docker 28.0.4)

  • Same container and network config
  • Broadcast packet is received on host interface (enp0s31f6)
  • But NOT forwarded to Docker bridge or container
  • No changes in docker network inspect bridge output
15:26:54.653541 enp0s31f6 B   IP 10.121.163.53.d-fence > 255.255.255.255.d-fence: UDP, length 90
        0x0000:  4500 0076 97fd 4000 4011 f4cb 0a79 a335  E..v..@.@....y.5
        0x0010:  ffff ffff 216b 216b 0062 b335 0602 0302  ....!k!k.b.5....
        0x0020:  8ce4 a8f8 d0a8 ec70 8ac1 bb0a 1494 4190  .......p......A.
        0x0030:  0001 0457 0035 0101 000d 436c 7573 7465  ...W.5....Cluste
        0x0040:  7233 5f63 6c2d 3500 0000 002a 0102 8ce4  r3_cl-5....*....
        0x0050:  a8f8 d0a8 ec70 8ac1 bb0a 1494 4190 0001  .....p......A...
        0x0060:  000a 5032 3430 3630 3330 3035 1004 0a79  ..P240603005...y
        0x0070:  a335 b216 ffff                           .5....
15:26:55.451645 enp0s31f6 B   IP 10.121.162.8.d-fence > 255.255.255.255.d-fence: UDP, length 102
        0x0000:  4500 0082 15a5 0000 8011 7845 0a79 a208  E.........xE.y..
        0x0010:  ffff ffff 216b 216b 006e c2b5 0602 0300  ....!k!k.n......
        0x0020:  3101 a698 24e5 4476 4c13 278d 16cb 4b77  1...$.DvL.'...Kw
        0x0030:  4029 0001 0457 0035 0101 0015 436c 7573  @)...W.5....Clus
        0x0040:  7465 7233 5f43 6c75 7374 6572 392d 314d  ter3_Cluster9-1M
        0x0050:  5400 0000 002c 0100 3101 a698 24e5 4476  T....,..1...$.Dv
        0x0060:  4c13 278d 16cb 4b77 4029 0001 000a 5032  L.'...Kw@)....P2
        0x0070:  3430 3630 3330 3034 1004 0a79 a208 b216  40603004...y....
        0x0080:  ffff                                     ..
15:26:55.451995 enp0s31f6 B   IP 10.121.162.8.d-fence > 255.255.255.255.d-fence: UDP, length 102
        0x0000:  4500 0082 15a6 0000 8011 7844 0a79 a208  E.........xD.y..
        0x0010:  ffff ffff 216b 216b 006e c2b5 0602 0300  ....!k!k.n......
        0x0020:  3101 a698 24e5 4476 4c13 278d 16cb 4b77  1...$.DvL.'...Kw
        0x0030:  4029 0001 0457 0035 0101 0015 436c 7573  @)...W.5....Clus
        0x0040:  7465 7233 5f43 6c75 7374 6572 392d 314d  ter3_Cluster9-1M
        0x0050:  5400 0000 002c 0100 3101 a698 24e5 4476  T....,..1...$.Dv
        0x0060:  4c13 278d 16cb 4b77 4029 0001 000a 5032  L.'...Kw@)....P2
        0x0070:  3430 3630 3330 3034 1004 0a79 a208 b216  40603004...y....
        0x0080:  ffff

Observations

  • Both setups use the default bridge network
  • No difference in bridge options or firewall rules
  • Only major difference: Docker version