Public bug reported:

Although I've filed this as a docker bug, it is far more likely to be a kernel (bridge) bug. I have enabled nothing extra in terms of docker networking. Both of these two

ubuntu72:~/monitor/src/cma $ uname -a
Linux ubuntu72 3.13.0-27-generic #50-Ubuntu SMP Thu May 15 18:06:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
ubuntu72:~/monitor/src/cma $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04 LTS
Release:        14.04
Codename:       trusty
ubuntu72:~/monitor/src/cma $ brctl show docker0
bridge name     bridge id               STP enabled     interfaces
docker0         8000.d6b7b71c12ab       no              veth3d9d
                                                        vetha7dd
                                                        vethade0

I have a couple of docker instances. One is a client with IP address 172.17.0.4, and one a server with address 172.17.0.3.

The client sends out a multicast UDP packet to a certain address (224.0.2.5) reserved for the use of this software. The server dutifully listens for the packet, and it receives it. HOWEVER, the source address of the packet is 172.17.42.1 - which is the address of the docker interface on the host (and of course, not the proper source address). The tcpdump trace of this packet being sent is below:

20:28:39.474887 IP 172.17.42.1.bb > 224.0.2.5.bb: UDP, length 713

Needless to say, this is extraordinarily confusing to my software - and when it attempts to reply, nothing good happens... You can see that it gets 'port unreachable' for that attempt to reply (as it should). The subsequent packet sent to the (correct) 0.4 address happens because that address is in the _content_ of initial multicast packet, and by then the software is operating on the contents of the packet, not the (incorrect) origination address.

Below is the full tcpdump trace of what's going on here from the server perspective:

# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:28:35.933507 IP 7db9eb0e89ee > igmp.mcast.net: igmp v3 report, 1 group record(s)
20:28:35.934144 IP 7db9eb0e89ee.42650 > 10.10.10.20.domain: 18534+ PTR? 22.0.0.224.in-addr.arpa. (41)
20:28:35.960407 IP 10.10.10.20.domain > 7db9eb0e89ee.42650: 18534 1/6/0 PTR igmp.mcast.net. (181)
20:28:35.960737 IP 7db9eb0e89ee.47869 > 10.10.10.20.domain: 19922+ PTR? 20.10.10.10.in-addr.arpa. (42)
20:28:35.986002 IP 10.10.10.20.domain > 7db9eb0e89ee.47869: 19922 0/1/0 (101)
20:28:36.113623 IP 7db9eb0e89ee > igmp.mcast.net: igmp v3 report, 1 group record(s)
20:28:39.474887 IP 172.17.42.1.bb > 224.0.2.5.bb: UDP, length 713
20:28:39.475003 IP 7db9eb0e89ee.33748 > 10.10.10.20.domain: 3617+ PTR? 5.2.0.224.in-addr.arpa. (40)
20:28:39.525434 IP 7db9eb0e89ee.bb > 172.17.42.1.bb: UDP, length 1091
20:28:39.525488 IP 172.17.42.1 > 7db9eb0e89ee: ICMP 172.17.42.1 udp port bb unreachable, length 556
20:28:39.529629 IP 7db9eb0e89ee.bb > 172.17.0.4.bb: UDP, length 924
20:28:39.545780 IP 172.17.0.4.bb > 7db9eb0e89ee.bb: UDP, length 70
20:28:39.568680 IP 10.10.10.20.domain > 7db9eb0e89ee.33748: 3617 NXDomain 0/1/0 (97)
20:28:39.568878 IP 7db9eb0e89ee.44605 > 10.10.10.20.domain: 47116+ PTR? 1.42.17.172.in-addr.arpa. (42)
20:28:39.593858 IP 10.10.10.20.domain > 7db9eb0e89ee.44605: 47116 0/1/0 (101)
20:28:39.594120 IP 7db9eb0e89ee.36687 > 10.10.10.20.domain: 20755+ PTR? 4.0.17.172.in-addr.arpa. (41)
20:28:39.620179 IP 10.10.10.20.domain > 7db9eb0e89ee.36687: 20755 0/1/0 (100)
20:28:40.941627 ARP, Request who-has 172.17.42.1 tell 7db9eb0e89ee, length 28
20:28:40.941687 ARP, Reply 172.17.42.1 is-at d6:b7:b7:1c:12:ab (oui Unknown), length 28
20:28:41.638772 IP 7db9eb0e89ee.bb > 172.17.42.1.bb: UDP, length 1091
20:28:41.638811 IP 172.17.42.1 > 7db9eb0e89ee: ICMP 172.17.42.1 udp port bb unreachable, length 556
20:28:43.639166 IP 7db9eb0e89ee.bb > 172.17.42.1.bb: UDP, length 1091
20:28:43.639193 IP 172.17.42.1 > 7db9eb0e89ee: ICMP 172.17.42.1 udp port bb unreachable, length 556

On the client side, the packet was sent correctly (according to tcpdump):

20:48:13.277353 IP 172.17.0.4.bb > 224.0.2.5.bb: UDP, length 713

So, somebody somewhere is screwing over my source IP addresses...

This could _conceivably_ be considered a security bug I suppose because information being misrouted might be security-sensitive, and would be visible to the wrong party.

Below is some misc networking configuration for the host and the two containers:

ubuntu72:~/monitor/src/cma $ uname -n; ifconfig; route -n
ubuntu72
docker0   Link encap:Ethernet  HWaddr d6:b7:b7:1c:12:ab
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::e8cd:69ff:feb7:d419/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:786010 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1180631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:105085367 (105.0 MB)  TX bytes:2250516781 (2.2 GB)

eth0      Link encap:Ethernet  HWaddr c8:0a:a9:88:1d:52
          inet addr:10.10.10.130  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::ca0a:a9ff:fe88:1d52/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4815140 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2191451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3251437443 (3.2 GB)  TX bytes:1056667612 (1.0 GB)
          Memory:c0200000-c0220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:57028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24424492 (24.4 MB)  TX bytes:24424492 (24.4 MB)

veth3d9d  Link encap:Ethernet  HWaddr f6:07:59:52:b1:10
          inet6 addr: fe80::f407:59ff:fe52:b110/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:1090 errors:0 dropped:0 overruns:0 frame:0
          TX packets:732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:348151 (348.1 KB)  TX bytes:614189 (614.1 KB)

vetha7dd  Link encap:Ethernet  HWaddr fe:62:b7:5f:81:a4
          inet6 addr: fe80::fc62:b7ff:fe5f:81a4/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1436 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3150 (3.1 KB)  TX bytes:575046 (575.0 KB)

vethade0  Link encap:Ethernet  HWaddr d6:b7:b7:1c:12:ab
          inet6 addr: fe80::d4b7:b7ff:fe1c:12ab/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:1348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1552 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:749408 (749.4 KB)  TX bytes:1032549 (1.0 MB)

virbr0    Link encap:Ethernet  HWaddr 2a:a4:04:36:cc:cd
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.254    0.0.0.0         UG    0      0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
ubuntu72:~/monitor/src/cma $

bash-4.1# uname -n; ifconfig; route -n
7db9eb0e89ee
eth0      Link encap:Ethernet  HWaddr AE:1C:7A:5B:4B:82
          inet addr:172.17.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::ac1c:7aff:fe5b:4b82/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:1552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1032549 (1008.3 KiB)  TX bytes:749408 (731.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:1500  Metric:1
          RX packets:13698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4892109 (4.6 MiB)  TX bytes:4892109 (4.6 MiB)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.42.1     0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
bash-4.1#

bash-4.1# uname -n; ifconfig; route -n
a12695567871
eth0      Link encap:Ethernet  HWaddr C2:87:7B:6D:FD:DF
          inet addr:172.17.0.4  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::c087:7bff:fe6d:fddf/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1090 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:614189 (599.7 KiB)  TX bytes:348151 (339.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.42.1     0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: docker.io 0.9.1~dfsg1-2
ProcVersionSignature: Ubuntu 3.13.0-27.50-generic 3.13.11
Uname: Linux 3.13.0-27-generic x86_64
ApportVersion: 2.14.1-0ubuntu2
Architecture: amd64
Date: Fri Jun 6 16:28:52 2014
InstallationDate: Installed on 2014-04-03 (64 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Beta amd64 (20140326)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: docker.io
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: docker.io (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug trusty

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1327442

Title: docker multicast packets origination addresses are mangled
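
An added example, not part of the original report: a Python check that pairs multicast UDP datagrams from a sender-side and a receiver-side tcpdump capture by group, port and length, and reports any whose source address differs between the two. It assumes tcpdump's one-line output as quoted in the report; the function and variable names are illustrative.

```python
import ipaddress
import re

# tcpdump one-line form: "<time> IP <src>.<port> > <dst>.<port>: UDP, length <n>"
UDP_LINE = re.compile(r"^(\S+) IP (\S+)\.(\w+) > (\S+)\.(\w+): UDP, length (\d+)$")

def multicast_udp(lines):
    """Yield (time, src, group, port, length) for UDP datagrams sent to a multicast group."""
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m:
            continue  # DNS, ICMP, ARP, IGMP and other non-matching lines
        ts, src, _sport, dst, dport, length = m.groups()
        try:
            if ipaddress.ip_address(dst).is_multicast:
                yield ts, src, dst, dport, int(length)
        except ValueError:
            continue  # destination printed as a hostname, so not a group address

def rewritten_sources(sent_lines, received_lines):
    """Pair datagrams by (group, port, length) and report a source that differs."""
    sent = {}
    for _ts, src, group, port, length in multicast_udp(sent_lines):
        sent.setdefault((group, port, length), set()).add(src)
    findings = []
    for ts, src, group, port, length in multicast_udp(received_lines):
        senders = sent.get((group, port, length))
        if senders and src not in senders:
            findings.append({"time": ts, "group": group, "port": port,
                             "seen_src": src, "sent_src": sorted(senders)})
    return findings

# Lines copied from the two captures quoted in the report.
CLIENT_SIDE = ["20:48:13.277353 IP 172.17.0.4.bb > 224.0.2.5.bb: UDP, length 713"]
SERVER_SIDE = [
    "20:28:36.113623 IP 7db9eb0e89ee > igmp.mcast.net: igmp v3 report, 1 group record(s)",
    "20:28:39.474887 IP 172.17.42.1.bb > 224.0.2.5.bb: UDP, length 713",
    "20:28:39.525434 IP 7db9eb0e89ee.bb > 172.17.42.1.bb: UDP, length 1091",
    "20:28:39.525488 IP 172.17.42.1 > 7db9eb0e89ee: ICMP 172.17.42.1 udp port bb unreachable, length 556",
    "20:28:39.529629 IP 7db9eb0e89ee.bb > 172.17.0.4.bb: UDP, length 924",
]

if __name__ == "__main__":
    for f in rewritten_sources(CLIENT_SIDE, SERVER_SIDE):
        print(f"{f['time']} {f['group']}.{f['port']}: "
              f"sent from {f['sent_src']}, seen from {f['seen_src']}")
```

Pairing uses length rather than time because the two quoted captures carry different timestamps, so datagrams of equal length to the same group and port are treated as the same traffic.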