Expected behavior
Separate containers using UDP get separate NAT addresses.
Actual behavior
Both containers are allocated the same source port in the NAT. The NAT has no way to tell which container a reply packet is destined for.
Version: 1.12.0-rc2-beta17 (build: 9779)
Host distribution and version (OSX 10.10.x, OSX 10.11.x, Windows, etc.)
OSX El Capitan
Steps to reproduce the behavior
- On the host network interface of the mac, run tcpdump
- In container A, run
netcat -p 8888 -u 126.96.36.199 8888
- Type a few lines to send packets
- Repeat netcat operation for container B
- In tcpdump output, note that all packets originate from the same IP and port. There is no distinction between the two containers. For bidirectional protocols, the NAT is unable to return replies to the correct container.
14:34:54.276409 IP hostname.61990 > 188.8.131.52.ddi-udp-1: UDP, length 5
14:35:52.245710 IP hostname.61990 > 184.108.40.206.ddi-udp-1: UDP, length 5
This NAT implementation is broken for UDP. Every combination of private source address and private source port should be mapped to a unique external source address and port. (It is not necessary, and in fact not desirable, to map to a separate source port per destination address - so-called “symmetric NAT” versus “full cone”. “Full cone” is greatly preferable for NAT traversal techniques.)
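The mapping rule described above, as an added toy model that is not part of this report or of Docker's NAT code: two containers (constructed sample addresses 172.17.0.2 and 172.17.0.3) both send UDP from private port 8888 to one peer. `FullConeNat` keys its table on the full (private address, private port) pair and ignores the destination, so each container gets its own external port and a reply to that port maps back to exactly one container. `PortOnlyNat` models the defect reported here by keying on the private port alone, so both containers share external port 61990 and the reverse lookup for a reply is ambiguous. The external address 192.0.2.1, the peer 203.0.113.10 and the starting port 61990 are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed sample values (not taken from the report's captures).
CONTAINER_A: Endpoint = ("172.17.0.2", 8888)
CONTAINER_B: Endpoint = ("172.17.0.3", 8888)
PEER: Endpoint = ("203.0.113.10", 8888)
SECOND_PEER: Endpoint = ("203.0.113.20", 9999)
EXTERNAL_IP = "192.0.2.1"


@dataclass
class FullConeNat:
    """Endpoint-independent mapping: (private ip, private port) -> unique external port."""
    external_ip: str
    next_port: int = 61990
    by_private: Dict[Endpoint, int] = field(default_factory=dict)
    by_external: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        # dst is deliberately ignored: the same private endpoint keeps the same
        # external port for every peer, which is what NAT traversal relies on.
        if src not in self.by_private:
            port = self.next_port
            self.next_port += 1
            self.by_private[src] = port
            self.by_external[port] = src
        return (self.external_ip, self.by_private[src])

    def inbound(self, ext_port: int) -> Optional[Endpoint]:
        # A reply to an external port identifies exactly one private endpoint.
        return self.by_external.get(ext_port)


@dataclass
class PortOnlyNat:
    """Model of the reported defect: the table is keyed on the private port only,
    so two containers using the same private port collide on one external port."""
    external_ip: str
    next_port: int = 61990
    by_port: Dict[int, int] = field(default_factory=dict)
    by_external: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        if src[1] not in self.by_port:
            self.by_port[src[1]] = self.next_port
            self.next_port += 1
        ext = self.by_port[src[1]]
        self.by_external.setdefault(ext, set()).add(src)
        return (self.external_ip, ext)

    def inbound(self, ext_port: int) -> Optional[Endpoint]:
        owners = self.by_external.get(ext_port, set())
        if len(owners) != 1:
            return None  # unknown or ambiguous: the reply cannot be delivered
        return next(iter(owners))


def run_scenario(nat) -> dict:
    """Send from both containers, then check whether replies can be routed back."""
    ext_a = nat.outbound(CONTAINER_A, PEER)
    ext_b = nat.outbound(CONTAINER_B, PEER)
    # Full-cone property: a second peer must see the same external port for A.
    ext_a_again = nat.outbound(CONTAINER_A, SECOND_PEER)
    return {
        "external_a": ext_a,
        "external_b": ext_b,
        "distinct": ext_a != ext_b,
        "endpoint_independent": ext_a_again == ext_a,
        "reply_to_a": nat.inbound(ext_a[1]),
        "reply_to_b": nat.inbound(ext_b[1]),
    }


if __name__ == "__main__":
    for nat in (FullConeNat(EXTERNAL_IP), PortOnlyNat(EXTERNAL_IP)):
        print(type(nat).__name__, run_scenario(nat))
```

Running the block prints one result line per model: the full-cone table hands out 61990 and 61991 and resolves both replies, while the port-only table hands out 61990 twice and returns `None` for both replies, which is the symptom in the tcpdump capture above.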