External hosts not reachable over UDP with hostnet

I’m using Docker for Mac on a machine with a complex VPN setup, and hostnet seems to work well.

However, the only address reachable over UDP is the host. All others swallow packets whole.

➜ pinata diagnose -u
OS X: version 10.11.3 (build: 15D21)
Docker.app: version v1.11.0-beta6
Running diagnostic tests:
[OK]      docker-cli
[OK]      Moby booted
[OK]      driver.amd64-linux
[OK]      vmnetd
[OK]      osxfs
[OK]      db
[OK]      slirp
[OK]      menubar
[OK]      environment
[OK]      Docker
[OK]      VT-x
Docker logs are being collected into /tmp/20160407-141156.tar.gz.
Your unique id in bugsnag is: EA6641F7-AC78-49A7-9047-9899171D78BD
Please quote this in all correspondence.

➜ docker run -it debian /bin/bash
root@b4b3bb61941b:/# cat /etc/resolv.conf
search local
nameserver 192.168.64.1

root@b4b3bb61941b:/# dig @192.168.64.1 filippo.io

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @192.168.64.1 filippo.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39716
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;filippo.io.			IN	A

;; ANSWER SECTION:
filippo.io.		300	IN	A	104.20.68.137
filippo.io.		300	IN	A	104.20.69.137

;; Query time: 150 msec
;; SERVER: 192.168.64.1#53(192.168.64.1)
;; WHEN: Thu Apr 07 13:25:48 UTC 2016
;; MSG SIZE  rcvd: 60

root@b4b3bb61941b:/# dig @8.8.8.8 google.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

root@b4b3bb61941b:/# tcptraceroute 8.8.8.8 53
Selected device eth0, address 172.17.0.2, port 40332 for outgoing packets
Tracing the path to 8.8.8.8 on TCP port 53 (domain), 30 hops max
 1  172.17.0.1  0.080 ms  0.115 ms  0.062 ms
 2  google-public-dns-a.google.com (8.8.8.8) [open]  51.755 ms  35.229 ms  42.058 ms

This obviously means that any image that doesn’t set the host as the DNS server is not functioning.

Hi Filippo,

Thanks for the report. We’re currently wrongly accepting all DNS traffic in hostnet; we’ll fix this as soon as we can. Do you see the same behavior with UDP traffic on other ports as well? I was able to reproduce your DNS issue, but a test with nc -u on an arbitrary port seems to be working as expected.

Thanks,
Mindy

Is this related to "UDP port mappings broken for all but localhost?", where I cannot send using UDP from outside a container to inside, using a non-localhost IP?

edit: fixed the link