lowerpower
(Mike Johnson)
January 21, 2023, 5:28am
1
Will try to report this a different way, but after upgrading to 4.16.1, UDP is broken. I have verified this is only a problem on the Intel version on Mac, not the Arm version of 4.16.1, so likely an endian issue.
What happens:
1. Bind a UDP socket
2. Send a packet to destination A (ip:port)
3. Send a packet to destination B (ip:port)
4. Send a packet to destination C (ip:port)

All packets go to destination A; the connection tracker is ignoring destination IP and using source port.
This is generated on the Docker container:
Checking chat XX.38.107.102:5959 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.38.107.102:5960 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.25.64.249:5959 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.25.64.249:5960 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.221.219.221:5959 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.221.219.221:5960 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.218.6.237:5959 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
Checking chat XX.218.6.237:5960 [mip=xxx.131.67.106] [oport=43680 mport=52408] [ok]
This is the packet trace on the Mac host:
lowerpower
(Mike Johnson)
January 23, 2023, 6:22pm
2
Still broken in 4.16.2
Easy to reproduce with netcat and tcpdump
opened 08:20AM - 22 Jan 23 UTC
- [x] I have tried with the latest version of Docker Desktop
- [ ] I have tried disabling enabled experimental features
- [ ] I have uploaded Diagnostics
- Diagnostics ID:
### Expected behavior
Sending to multiple UDP endpoints from a single socket (source UDP port) should arrive at multiple endpoints.
### Actual behavior
Sending to multiple UDP endpoints from a single socket (source UDP port) all go to the first endpoint sent to, thus ignoring target endpoint and using source UDP port to route (likely in connection tracker).
### Information
- macOS Version:
- Intel chip or Apple chip: Intel
- Docker Desktop Version: 4.16.1
### Output of `/Applications/Docker.app/Contents/MacOS/com.docker.diagnose check`
Starting diagnostics
[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0038: is the connection to Docker working?
[PASS] DD0014: are the backend processes running?
[PASS] DD0007: is the backend responding?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0032: do Docker networks overlap with host IPs?
No fatal errors detected.
### Steps to reproduce the behavior
1. On the Intel Mac host, run tcpdump like so:
```
sudo tcpdump udp port 7
```
2. Enter the container and create a UDP connection to a UDP echo server with netcat, specifying a source port (port 9999 in the example), and send data:
```
nc -u -p 9999 192.168.2.7 7
echo
echo
ctrl-c
```
3. Still in the container, create another UDP connection to any other UDP endpoint using the same source port, and send data:
```
nc -u -p 9999 192.168.2.7 8
echo
ctrl-c
```
4. Examine the output of tcpdump on the Mac host:
```
ops@ops-mac-mini ~ % sudo tcpdump udp port 7
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
00:09:09.163566 IP 10.60.0.3.54044 > 192.168.2.7.echo: UDP, length 8
00:09:09.168005 IP 192.168.2.7.echo > 10.60.0.3.54044: UDP, length 8
00:09:13.053249 IP 10.60.0.3.54044 > 192.168.2.7.echo: UDP, length 9
00:09:13.056539 IP 192.168.2.7.echo > 10.60.0.3.54044: UDP, length 9
```
5. Notice that all packets sent from the UDP source port inside the container go only to the first endpoint talked to by the Docker container; all other packets sent from this source port to any destination host:port will all go to the original host:port.
6. Also notice that this works correctly on all earlier versions of Docker Desktop, and works on the ARM version, just not Intel.

This is a serious problem, please fix ASAP.
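
The following check is an added example, not part of the posts above or of Docker's code: it sends from one bound UDP socket to several destinations, tags each datagram with its intended destination, and reports any listener that received nothing or received another destination's datagram. All function names are hypothetical and the loopback listeners are constructed stand-ins for destinations A, B and C; to exercise the container NAT path described in the report, the listeners would run outside the container and `send_probes` inside it.

```python
import socket

def open_receivers(n, host="127.0.0.1"):
    """Bind n UDP listeners on OS-chosen ports (constructed stand-ins for A, B, C)."""
    rx = []
    for _ in range(n):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, 0))
        s.settimeout(0.5)
        rx.append(s)
    return rx

def send_probes(destinations, bind_addr=("127.0.0.1", 0)):
    """From ONE bound socket, send each destination a datagram naming that destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.bind(bind_addr)  # single source port for every destination, as in the report
        for host, port in destinations:
            tx.sendto(f"{host}:{port}".encode(), (host, port))
        return tx.getsockname()[1]  # the shared source port

def drain(sock):
    """Return every tag that arrived on one listener before the timeout."""
    tags = []
    try:
        while True:
            data, _peer = sock.recvfrom(2048)
            tags.append(data.decode())
    except socket.timeout:
        return tags

def classify(own_tag, tags):
    """ok: only its own datagram; missing: nothing arrived; misrouted: got another's."""
    if any(t != own_tag for t in tags):
        return "misrouted"
    return "ok" if tags else "missing"

def run_loopback_check(n=3):
    """Self-test on loopback: every listener should see exactly its own tag."""
    rx = open_receivers(n)
    try:
        dests = [s.getsockname() for s in rx]
        send_probes(dests)
        return {f"{h}:{p}": classify(f"{h}:{p}", drain(s)) for s, (h, p) in zip(rx, dests)}
    finally:
        for s in rx:
            s.close()

if __name__ == "__main__":
    for dest, verdict in run_loopback_check().items():
        print(dest, verdict)
```

With the behaviour reported above, the first destination would classify as `misrouted` and the others as `missing`.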