UDP connection tracker broken in 4.16.1, MAC

[lowerpower]

• [x ] I have tried with the latest version of Docker Desktop
• I have tried disabling enabled experimental features
• I have uploaded Diagnostics
• Diagnostics ID:

Expected behavior

Sending multiple UDP endpoints from a single socket (source UDP port) should arrive at multiple endpoints.

Actual behavior

Sending mutiple UDP endpoints from a single socket (source UDP port) all go to the first endpoint sent to, thus ignoring target endpoint and using source UDP port to route (likely in connection tracker) .

Information

• macOS Version:
• Intel chip or Apple chip: Intel
• Docker Desktop Version: 4.16.1

Output of /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check

Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0038: is the connection to Docker working?
[PASS] DD0014: are the backend processes running?
[PASS] DD0007: is the backend responding?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0032: do Docker networks overlap with host IPs?
No fatal errors detected.

Steps to reproduce the behavior

1. On the intel mac host, run tcpdump as so:

sudo tcpdump udp port 7

2. Enter container create a UDP connection to a UDP echo server with netcat, specify a source port, send data, in the example port 9999

nc -u -p 9999 192.168.2.7 7
echo
echo
ctrl-c

3. still in container create another UDP connection to a any other UDP endpoint using the same source port, send data:

nc -u -p 9999 192.168.2.7 8
echo
ctrl-c

4. Examine output of TCP dump on mac host:

ops@ops-mac-mini ~ % sudo tcpdump udp port 7
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
00:09:09.163566 IP 10.60.0.3.54044 > 192.168.2.7.echo: UDP, length 8
00:09:09.168005 IP 192.168.2.7.echo > 10.60.0.3.54044: UDP, length 8
00:09:13.053249 IP 10.60.0.3.54044 > 192.168.2.7.echo: UDP, length 9
00:09:13.056539 IP 192.168.2.7.echo > 10.60.0.3.54044: UDP, length 9

5. Notice that all packets sent from udp source port inside the container goto only the first endponint talked to by docker container, all other packets sent from this source port to any destination host:port will all goto the original host:port.

6. Also notice that this works correctly on all earlier versions of docker desktop, and works on ARM version, just not Intel.

This is a serious problem please fix ASAP

[lowerpower]

Retested on 4.16.2 still broken.

[djs55]

@lowerpower thanks for the bug report. I've got a developer build with a proposed fix -- if you'd like to try it the builds are:

• Intel
• Apple Silicon

[SgtSilvio]

mac arm build is fine

This issues also happens for me with the macOS arm build.
It worked on 4.15 and stopped working after updating to 4.16.
@djs55 your developer build worked for me.
@lowerpower can you remove "Intel Only" and "mac arm build is fine" from the title so that the issue is easier to find. I searched so many other issues and did not look into this one because of the "intel only".

[djs55]

@SgtSilvio thanks for the information. I suspect whether the bug manifests or not on Mac depends on whether you're using virtualization.framework or qemu/hyperkit, which can be hard to spot at first glance.

[lowerpower]

@lowerpower thanks for the bug report. I've got a developer build with a proposed fix -- if you'd like to try it the builds are:

* [Intel](https://desktop-stage.docker.com/mac/main/amd64/96145/Docker.dmg)

* [Apple Silicon](https://desktop-stage.docker.com/mac/main/arm64/96145/Docker.dmg)

Tried the Intel version, seems to work now. thanks.

[pawelrosada]

@lowerpower thanks for the bug report. I've got a developer build with a proposed fix -- if you'd like to try it the builds are:

* [Intel](https://desktop-stage.docker.com/mac/main/amd64/96145/Docker.dmg)

* [Apple Silicon](https://desktop-stage.docker.com/mac/main/arm64/96145/Docker.dmg)

Tried the Intel version, seems to work now. thanks.

I tried the Apple Silicone version, seems everything starts to work now

[neerfri]

@djs55 thanks for the fix.
Is that fix going to make it to the next release?

[djs55]

@neerfri yes, it's merged and ready for 4.17!

[chaizeg]

Closing this issue because a fix has been released in Docker Desktop 4.17.0 . See the release notes for more details.

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked