I have been having an ongoing issue with several Docker hosts and using the ‘network_mode=host’ option. I’ve tried grafolean and mediamtx, which both require this mode in order to receive UDP packets without them going through the Docker NAT. On three different hosts, the inbound UDP traffic never appears to get where it needs to go. Tcpdumps are showing that UDP traffic is actually hitting the host, yet none of it seems to get to any of the containers. I’m not nearly as familiar with iptables as I wish I was; however, after doing some reading, I feel the issue lies there. I can provide details on all of my instances; however, I feel there is a more general issue I’m having, since the same UDP issue is appearing on multiple hosts with multiple Docker images.
I believe this relates to iptables not properly getting established in this case. I am not an iptables expert; however, intermittently, when disabling them and attempting to run the containers in question, things have actually worked.
It is crucial for us to understand whether this problem is experienced with docker-ce (vanilla Docker from Docker’s official repositories) on an officially supported platform, a different Docker package (as in from the distro repos), a snap package, or Docker Desktop.
In docker-ce, network=host results in the absence of network namespace isolation. Such a container uses the host network interfaces and behaves network-wise like any native process on the host (same MAC, same network configuration). So if traffic reaches the host, it also reaches such containers, regardless of whether the TCP/UDP packets are unicast, multicast or broadcast packets.
The described behavior for docker-ce will not work for any Docker Desktop version, as it always runs in a utility VM (true for Windows, macOS and Linux!). The host network interfaces cannot be the same as the network interfaces of the utility VM. Using network=host would use the network interfaces of the utility VM, and not the network interfaces of the host itself.
If it’s an unsupported platform, or a package from a different repo, then you should ask their maintainer for support, as we cannot know how their distribution differs from supported distributions on supported CPU architectures, or whether and how their package differs from the vanilla Docker package.
I have attempted this on several Ubuntu 22 systems as well as Photon from VMware. Same result in both.
From my understanding, these are both supported platforms.
Ubuntu 22 indeed is. Photon is not listed in the supported platform matrix (I shared the link in my last post).
If your container uses network=host, it already uses the host’s network namespace, so tcpdump will show exactly the same traces as it would if the process were running directly on the host.
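As an added example (not from this thread and not Docker's own code), here is a short POSIX shell script with the two host-side checks that follow from the reply above: with network=host the container's socket lives in the host's network namespace, so `ss` on the host must show a UDP listener on the expected port, and the host's own iptables INPUT chain decides whether a packet is delivered to it. tcpdump captures inbound packets before netfilter's INPUT chain is evaluated, so a packet that is visible in tcpdump can still be dropped before any process sees it. The service name `mediamtx`, the port 8000 and both command outputs are constructed samples so the script runs offline; the function names are mine.

```sh
#!/bin/sh
# Added example (not from this thread, not Docker's code): two host-side checks
# for a host-network container that should be receiving UDP. On a real host,
# feed the functions the live output instead of the samples below:
#   ss -ulnpH          | udp_listener_state 8000
#   iptables -S INPUT  | input_chain_verdict 8000

# Constructed sample of `ss -ulnpH` (UDP listeners, numeric, with process info,
# no header): a host-network process on UDP 8000 (v4 and v6) and a service
# bound to loopback only on 5353. Service names and PIDs are made up.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:8000 0.0.0.0:* users:(("mediamtx",pid=4242,fd=7))
UNCONN 0 0 127.0.0.1:5353 0.0.0.0:* users:(("someservice",pid=99,fd=3))
UNCONN 0 0 [::]:8000 [::]:* users:(("mediamtx",pid=4242,fd=8))'

# Constructed sample of `iptables -S INPUT`: default-deny policy with an
# explicit accept for UDP 8000 and nothing for 5353.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 8000 -j ACCEPT'

# udp_listener_state PORT   (reads `ss -ulnpH` output on stdin)
# Prints "all-interfaces", "loopback-only" or "none". A socket bound only to
# 127.0.0.1/[::1] never sees packets arriving on a physical interface, which
# is the first thing to rule out before blaming the firewall.
udp_listener_state() {
    awk -v port="$1" '
        $1 == "UNCONN" {
            addr = $4
            n = split(addr, parts, ":")
            p = parts[n]                       # port is the last ":"-separated field
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "127.0.0.1" || host == "[::1]") loop = 1
            else wide = 1                      # 0.0.0.0, [::], * or a specific interface address
        }
        END {
            if (wide) print "all-interfaces"
            else if (loop) print "loopback-only"
            else print "none"
        }'
}

# input_chain_verdict PORT   (reads `iptables -S INPUT` output on stdin)
# Prints "rule:<TARGET>" for the first INPUT rule matching "-p udp ... --dport PORT",
# otherwise "policy:<POLICY>". First-pass heuristic only: it ignores rule order
# relative to earlier DROP/REJECT rules, interface and source matches, multiport
# matches, and jumps into ufw- or firewalld-managed chains.
input_chain_verdict() {
    awk -v port="$1" '
        /^-P INPUT / { policy = $3 }
        /^-A INPUT / && / -p udp / && ($0 ~ ("--dport " port "( |$)")) {
            if (!seen) {
                for (i = 1; i <= NF; i++) if ($i == "-j") { target = $(i + 1); break }
                seen = 1
            }
        }
        END {
            if (seen) print "rule:" target
            else print "policy:" (policy == "" ? "unknown" : policy)
        }'
}

# Wrappers over the constructed samples so the checks can be exercised offline.
state_for_port()   { printf '%s\n' "$SAMPLE_SS"    | udp_listener_state "$1"; }
verdict_for_port() { printf '%s\n' "$SAMPLE_INPUT" | input_chain_verdict "$1"; }

for port in 8000 5353 9000; do
    printf 'udp/%s listener=%s input=%s\n' "$port" \
        "$(state_for_port "$port")" "$(verdict_for_port "$port")"
done
```

Against the samples this prints `all-interfaces` with `rule:ACCEPT` for 8000, `loopback-only` with `policy:DROP` for 5353, and `none` with `policy:DROP` for 9000. On an affected host, a `loopback-only` result means the service is bound to 127.0.0.1 rather than to the host's interfaces, and `policy:DROP` with no matching rule means the packet seen in tcpdump reaches the host but is dropped before delivery. The iptables check is deliberately shallow; on Ubuntu, ufw inserts its own chains that it does not follow, so read the full ruleset (`iptables -S` or `nft list ruleset`) before concluding anything.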