What version of Go are you using (go version)?

go version go1.7.3 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build464810642=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Created two UDP connections. Sent a packet from conn A to conn B and from conn B to conn A, in separate goroutines.

Repo with details and steps to reproduce: https://github.com/vcabbage/go-net-repro

What did you expect to see?

No errors.

What did you see instead?

On most runs this would work. Occasionally one send operation fails with:
write udp4 0.0.0.0:60315->127.0.0.1:36289: sendto: operation not permitted

I have only seen the failure when running within Docker. I have tried running Docker with --privileged, --net=host, --set-cap=ALL and the error still occurs. I have also disabled the Docker host's firewall, as there are some references online to sendto returning EPERM when nf_conntack limit is hit.

excerpt from strace output:

[pid  5642] sendto(5, "", 0, 0, {sa_family=AF_INET, sin_port=htons(60315), sin_addr=inet_addr("127.0.0.1")}, 16 <unfinished ...>
[pid  5646] sendto(3, "", 0, 0, {sa_family=AF_INET, sin_port=htons(36289), sin_addr=inet_addr("127.0.0.1")}, 16 <unfinished ...>
[pid  5642] <... sendto resumed> )      = 0
[pid  5646] <... sendto resumed> )      = -1 EPERM (Operation not permitted)

(full output log in linked repo)