
chore(sandbox): add iptables to base image for bypass diagnostics #36

Merged
johntmyers merged 1 commit into main from chore/268-add-iptables-to-base-image/jomyers
Mar 15, 2026

Conversation

@johntmyers
Collaborator

Summary

Add iptables package to the base sandbox image. The OpenShell sandbox supervisor will use this to install LOG + REJECT rules in the network namespace for proxy bypass detection.

Related Issue

Ref: NVIDIA/OpenShell#268

Changes

  • sandboxes/base/Dockerfile: Add iptables to the core system dependencies apt-get install line

Context

When a sandbox process attempts a direct outbound connection that bypasses the HTTP CONNECT proxy (e.g., Node.js fetch() without NODE_USE_ENV_PROXY=1), the connection currently hangs silently for 30+ seconds. With iptables available, the supervisor can:

  1. REJECT bypass attempts immediately (ECONNREFUSED instead of timeout)
  2. LOG diagnostic events with destination, protocol, and process identity

The supervisor already has CAP_NET_ADMIN and runs as root — this is purely a package availability change. If iptables is not present, the feature degrades gracefully (warning logged, namespace still isolates via routing).

Same pattern as iproute2 which is already a required dependency.
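The rule set sketched in the Context section, as an added example written for this page rather than taken from OpenShell: a POSIX shell script that prints (or, when iptables is present, installs) a LOG + REJECT chain for the sandbox's OUTPUT path, degrades gracefully with a warning when the binary is missing, and reduces one kernel LOG line to the destination, protocol and UID fields a diagnostic event needs. The chain name OPENSHELL_EGRESS, the log prefix, the proxy address 10.200.0.1:3128 and the sample log line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not OpenShell's code): the shape of a supervisor-installed
# LOG + REJECT rule set for the sandbox network namespace, plus a parser for
# the kernel LOG lines it produces. Proxy address/port, chain name and the
# log prefix are assumptions chosen for illustration.

CHAIN=OPENSHELL_EGRESS            # assumed chain name
LOG_PREFIX="openshell-bypass: "   # assumed LOG prefix (iptables caps it at 29 chars)

# gen_rules PROXY_IP PROXY_PORT
# Print the rules without applying them. Order matters: loopback, replies to
# existing flows and the proxy itself are allowed; everything else is logged
# (rate-limited) and then refused, so connect() fails with ECONNREFUSED
# instead of hanging until the SYN retries give up.
gen_rules() {
    proxy_ip=$1
    proxy_port=$2
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -o lo -j RETURN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A $CHAIN -p tcp -d $proxy_ip --dport $proxy_port -j RETURN
iptables -A $CHAIN -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$LOG_PREFIX" --log-uid --log-level warning
iptables -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset
iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT 1 -j $CHAIN
EOF
}

# apply_rules PROXY_IP PROXY_PORT
# Install the rules, or degrade gracefully when iptables is absent: warn,
# return success, and leave isolation to the namespace's routing.
apply_rules() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "warning: iptables not found; bypass diagnostics disabled" >&2
        return 0
    fi
    gen_rules "$1" "$2" | sh -e
}

# bypass_event LOG_LINE
# Reduce one kernel LOG line to the fields a diagnostic event needs:
# protocol, destination, port and the UID of the socket owner (--log-uid
# records UID/GID only for locally generated packets, so it may be absent).
bypass_event() {
    line=$1
    proto=$(printf '%s\n' "$line" | sed -n 's/.*PROTO=\([A-Z0-9]*\).*/\1/p')
    dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
    dpt=$(printf '%s\n' "$line" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    uid=$(printf '%s\n' "$line" | sed -n 's/.*UID=\([0-9]*\).*/\1/p')
    printf 'proto=%s dst=%s dport=%s uid=%s\n' "$proto" "$dst" "$dpt" "${uid:-unknown}"
}

# Constructed sample of what the LOG rule above writes to the kernel log
# when a process opens a direct TCP connection to port 443 instead of
# going through the proxy (addresses made up for the example).
SAMPLE_LOG_LINE='openshell-bypass: IN= OUT=eth0 SRC=10.200.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000'

gen_rules 10.200.0.1 3128
bypass_event "$SAMPLE_LOG_LINE"
```

Two points worth noting when adapting this: the rules must be executed inside the sandbox's network namespace (the supervisor already runs there with CAP_NET_ADMIN), and they cover IPv4 only, so an IPv6-capable sandbox needs the same chain under ip6tables. Allow-listing the proxy by address also means DNS queries to outside resolvers are refused and logged, which is the intended outcome when names are meant to be resolved by the CONNECT proxy.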

Checklist

  • Follows Conventional Commits
  • No capability or security context changes required
  • Existing sandbox behavior unchanged — iptables rules are only installed by the supervisor (not yet shipped)

The sandbox supervisor will use iptables to install LOG + REJECT rules
in the network namespace, providing immediate ECONNREFUSED (instead of
30s timeout) and structured diagnostic events when processes attempt
direct connections that bypass the HTTP CONNECT proxy.

Ref: NVIDIA/OpenShell#268
@johntmyers johntmyers requested a review from drew March 15, 2026 19:00
@johntmyers johntmyers merged commit 6daeacd into main Mar 15, 2026
5 checks passed
@johntmyers johntmyers deleted the chore/268-add-iptables-to-base-image/jomyers branch March 15, 2026 19:16