Docker Community Forums

External hosts not reachable over UDP with hostnet

(Filippo Valsorda) #1

I’m using Docker for Mac on a machine with a complex VPN setup, and hostnet seems to work well.

However, the only address reachable over UDP is the host. All others swallow packets whole.

➜ pinata diagnose -u
OS X: version 10.11.3 (build: 15D21) version v1.11.0-beta6
Running diagnostic tests:
[OK]      docker-cli
[OK]      Moby booted
[OK]      driver.amd64-linux
[OK]      vmnetd
[OK]      osxfs
[OK]      db
[OK]      slirp
[OK]      menubar
[OK]      environment
[OK]      Docker
[OK]      VT-x
Docker logs are being collected into /tmp/20160407-141156.tar.gz.
Your unique id in bugsnag is: EA6641F7-AC78-49A7-9047-9899171D78BD
Please quote this in all correspondence.

➜ docker run -it debian /bin/bash
root@b4b3bb61941b:/# cat /etc/resolv.conf
search local

root@b4b3bb61941b:/# dig @

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39716
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;			IN	A

;; ANSWER SECTION:		300	IN	A		300	IN	A

;; Query time: 150 msec
;; WHEN: Thu Apr 07 13:25:48 UTC 2016
;; MSG SIZE  rcvd: 60

root@b4b3bb61941b:/# dig @

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

root@b4b3bb61941b:/# tcptraceroute 53
Selected device eth0, address, port 40332 for outgoing packets
Tracing the path to on TCP port 53 (domain), 30 hops max
 1  0.080 ms  0.115 ms  0.062 ms
 2 ( [open]  51.755 ms  35.229 ms  42.058 ms

This obviously means that any image that doesn’t set the host as the DNS server is not functioning.
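The dig and tcptraceroute runs above test two things at once: whether the resolver answers over UDP, and whether TCP port 53 on the same host is open. The following script, added here as an example and not part of the original thread or of Docker's code, sends one minimal A query over both transports and classifies the pair of outcomes, so the "UDP swallowed, TCP open" pattern can be told apart from a resolver that is simply unreachable. The resolver address, port and query name are assumptions supplied by the caller; the loopback responders are constructed for the demo only.

```python
"""Distinguish "UDP is dropped on the path" from "DNS is broken" for one resolver.

Added example for this thread; not Docker's or the posters' code. It sends the
same minimal A query over UDP and over TCP and classifies the (udp, tcp) outcomes.
Resolver address, port and query name are assumptions supplied by the caller.
"""
import socket
import struct
import threading


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one A/IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; enough to validate a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": an}


def _check_reply(query: bytes, reply: bytes) -> str:
    if len(reply) < 12:
        return "bad-reply"
    q, r = parse_header(query), parse_header(reply)
    return "ok" if (r["qr"] and r["id"] == q["id"]) else "bad-reply"


def probe_udp(resolver: str, port: int, name: str, timeout: float = 2.0) -> str:
    """Returns "ok", "timeout", "bad-reply" or "error: ...". A timeout here while
    probe_tcp succeeds is the symptom in post #1: UDP swallowed, port 53 open."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver, port))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except OSError as e:
            return f"error: {e}"
    return _check_reply(query, reply)


def probe_tcp(resolver: str, port: int, name: str, timeout: float = 2.0) -> str:
    """Same query over TCP (RFC 1035 two-byte length prefix on each message)."""
    query = build_query(name)
    try:
        with socket.create_connection((resolver, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(struct.pack("!H", len(query)) + query)
            prefix = s.recv(2)
            if len(prefix) < 2:
                return "bad-reply"
            (n,) = struct.unpack("!H", prefix)
            reply = b""
            while len(reply) < n:
                chunk = s.recv(n - len(reply))
                if not chunk:
                    break
                reply += chunk
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error: {e}"
    return _check_reply(query, reply)


def classify(udp: str, tcp: str) -> str:
    """Map the (udp, tcp) outcome pair to a diagnosis label."""
    if udp == "ok" and tcp == "ok":
        return "dns-reachable"
    if udp != "ok" and tcp == "ok":
        return "udp-dropped"  # the behaviour reported in post #1
    if udp == "ok":
        return "tcp-only-broken"
    return "resolver-unreachable"


def start_local_responder(udp: bool) -> int:
    """Constructed stand-in resolver on 127.0.0.1 for offline demos: answers one
    query by echoing its id with QR/RD/RA set and no answer records. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM if udp else socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if not udp:
        srv.listen(1)  # listen before the client can connect, so no refused race

    def reply_for(q: bytes) -> bytes:
        return struct.pack("!HHHHHH", parse_header(q)["id"], 0x8180, 1, 0, 0, 0) + q[12:]

    def serve():
        if udp:
            q, peer = srv.recvfrom(512)
            srv.sendto(reply_for(q), peer)
        else:
            conn, _ = srv.accept()
            (n,) = struct.unpack("!H", conn.recv(2))
            r = reply_for(conn.recv(n))
            conn.sendall(struct.pack("!H", len(r)) + r)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the constructed loopback responders; point both probes at the
    # container's configured resolver (port 53) to reproduce the thread's check.
    u = probe_udp("127.0.0.1", start_local_responder(udp=True), "example.com")
    t = probe_tcp("127.0.0.1", start_local_responder(udp=False), "example.com")
    print(u, t, classify(u, t))
```

Run inside the container against the same resolver address that dig used; a result of `timeout ok udp-dropped` matches the dig timeout plus the `[open]` hop from tcptraceroute above, whereas `timeout timeout resolver-unreachable` would point at routing rather than a UDP-specific problem.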

(Mindypreston) #2

Hi Filippo,

Thanks for the report. We’re currently wrongly accepting all DNS traffic in hostnet; we’ll fix this as soon as we can. Do you see the same behavior with UDP traffic on other ports as well? I was able to reproduce your DNS issue, but a test with nc -u on an arbitrary port seems to be working as expected.

(R. Toma) #3

Is this related to "UDP port mappings broken for all but localhost", where I cannot send using UDP from outside a container to inside, using a non-localhost IP?

edit: fixed the link