Docker Community Forums

External hosts not reachable over UDP with hostnet


(Filippo Valsorda) #1

I’m using Docker for Mac on a machine with a complex VPN setup, and hostnet seems to work well.

However, the only address reachable over UDP is the host. All others swallow packets whole.

➜ pinata diagnose -u
OS X: version 10.11.3 (build: 15D21)
Docker.app: version v1.11.0-beta6
Running diagnostic tests:
[OK]      docker-cli
[OK]      Moby booted
[OK]      driver.amd64-linux
[OK]      vmnetd
[OK]      osxfs
[OK]      db
[OK]      slirp
[OK]      menubar
[OK]      environment
[OK]      Docker
[OK]      VT-x
Docker logs are being collected into /tmp/20160407-141156.tar.gz.
Your unique id in bugsnag is: EA6641F7-AC78-49A7-9047-9899171D78BD
Please quote this in all correspondence.

➜ docker run -it debian /bin/bash
root@b4b3bb61941b:/# cat /etc/resolv.conf
search local
nameserver 192.168.64.1

root@b4b3bb61941b:/# dig @192.168.64.1 filippo.io

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @192.168.64.1 filippo.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39716
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;filippo.io.			IN	A

;; ANSWER SECTION:
filippo.io.		300	IN	A	104.20.68.137
filippo.io.		300	IN	A	104.20.69.137

;; Query time: 150 msec
;; SERVER: 192.168.64.1#53(192.168.64.1)
;; WHEN: Thu Apr 07 13:25:48 UTC 2016
;; MSG SIZE  rcvd: 60

root@b4b3bb61941b:/# dig @8.8.8.8 google.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

root@b4b3bb61941b:/# tcptraceroute 8.8.8.8 53
Selected device eth0, address 172.17.0.2, port 40332 for outgoing packets
Tracing the path to 8.8.8.8 on TCP port 53 (domain), 30 hops max
 1  172.17.0.1  0.080 ms  0.115 ms  0.062 ms
 2  google-public-dns-a.google.com (8.8.8.8) [open]  51.755 ms  35.229 ms  42.058 ms

This obviously means that any image that doesn’t set the host as the DNS server is not functioning.
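To pin down whether a resolver is unreachable or only its UDP path is blocked, here is an added Python probe (not part of the original post and not Docker's own tooling): it hand-builds a DNS A query in RFC 1035 wire format and sends it to the same resolver over UDP and over TCP, so a UDP timeout next to a TCP answer points at the transport rather than at DNS. The resolver addresses and the queried name are those from the post; everything else is constructed for this example.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(data, txid):
    """Return (rcode, answer_count) for a response to txid, or None if it is not one."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        return None
    return flags & 0x000F, an

def probe(server, name, transport, timeout=2.0):
    """Send one query over 'udp' or 'tcp' and return a short status string."""
    txid = 0x1234
    query = build_query(name, txid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", s.recv(2))
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
    except (OSError, struct.error) as e:  # socket.timeout is an OSError subclass
        return "no reply (%s)" % e.__class__.__name__
    parsed = parse_header(data, txid)
    if parsed is None:
        return "unexpected reply"
    return "rcode=%d answers=%d" % parsed

if __name__ == "__main__":
    for server in ("192.168.64.1", "8.8.8.8"):
        for transport in ("udp", "tcp"):
            print("%-14s %-3s %s" % (server, transport, probe(server, "filippo.io", transport)))
```

Run inside the container: in the situation described above the host resolver answers on both transports while 8.8.8.8 answers on TCP only, which matches the dig and tcptraceroute output.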


(Mindypreston) #2

Hi Filippo,

Thanks for the report. We’re currently wrongly accepting all DNS traffic in hostnet; we’ll fix this as soon as we can. Do you see the same behavior with UDP traffic on other ports as well? I was able to reproduce your DNS issue, but a test with nc -u on an arbitrary port seems to be working as expected.

Thanks,
Mindy


(R. Toma) #3

Is this related to "UDP port mappings broken for all but localhost", where I cannot send UDP from outside a container to inside using a non-localhost IP?

edit: fixed the link