
Commit eec2739

Mossaka and claude authored
fix: bypass Squid for network gateway to fix MCP SSE crash (#553)
* fix: bypass Squid for network gateway to fix MCP SSE crash

  Squid crashes with a segfault (comm.cc:1583 assertion failure) when proxying concurrent MCP Streamable HTTP (SSE) connections from Codex to the MCP gateway.

  Root cause: Codex resolves host.docker.internal to 172.30.0.1 (the AWF network gateway) instead of 172.17.0.1 (Docker bridge). The existing iptables bypass only covers 172.17.0.1, so traffic to 172.30.0.1:80 gets DNAT-redirected to Squid, which crashes on concurrent SSE streams.

  Fix: Dynamically detect the container's default network gateway via `route -n` and add it to the iptables bypass list alongside host.docker.internal, so MCP gateway traffic goes directly to the host.

  Locally reproduced: before fix Squid crashes with the exact CI error; after fix all SSE+POST traffic bypasses Squid and Squid stays alive.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: restrict network gateway bypass to TCP port 80 only

  Address security review: narrow the OUTPUT ACCEPT rule from all ports/protocols to only TCP port 80 (where MCP gateway runs). The NAT RETURN rule remains broad since DNAT only catches 80/443.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
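The gateway detection and bypass rules the commit message describes, as an added example that is not the project's setup-iptables.sh. It goes slightly beyond the commit: it prefers `ip route show default` and falls back to `route -n`, validates the parsed value as an IPv4 address before it can reach an iptables rule, and warns instead of silently skipping when no gateway is found. Assumptions of mine, not the project's: IPv4 only, rules are printed rather than executed (so it runs without root), and the `route -n` / `ip route` outputs are constructed samples, not captured from a real container.

```shell
#!/bin/sh
# Added example, not the project's setup-iptables.sh: default-gateway
# detection and the Squid-bypass rules, written so the logic can be
# exercised without root. Assumptions (mine, not the project's): IPv4 only;
# the rules are printed rather than executed; the route(8)/ip(8) outputs
# below are constructed samples, not captured from a real container.

# Gateway of the default route from `route -n` output on stdin.
# Same awk as the commit: first line whose destination is 0.0.0.0.
gateway_from_route() {
    awk '/^0\.0\.0\.0/ { print $2; exit }'
}

# Gateway of the default route from `ip route show default` output on
# stdin. iproute2 is usually present where net-tools' route(8) is not.
gateway_from_iproute() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Prefer ip(8), fall back to route(8); prints nothing if neither exists
# or there is no default route.
detect_gateway() {
    if command -v ip >/dev/null 2>&1; then
        ip route show default 2>/dev/null | gateway_from_iproute
    elif command -v route >/dev/null 2>&1; then
        route -n 2>/dev/null | gateway_from_route
    fi
}

# Accept only a dotted-quad IPv4 address. Rejects the empty string, the
# "*" route(8) prints for on-link routes, 0.0.0.0 and out-of-range octets,
# so a parse failure can never end up inside an iptables rule.
# Body is a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
    [ "$1.$2.$3.$4" != "0.0.0.0" ]
)

# Print the two rules the commit adds for the gateway, skipping a gateway
# that is empty/invalid (warn, return 1) or identical to the already
# bypassed host.docker.internal address (nothing to add, return 0).
gateway_bypass_rules() {
    gw=$1
    host_gw=$2
    if ! is_ipv4 "$gw"; then
        echo "[iptables] WARNING: default gateway could not be detected, skipping network gateway bypass" >&2
        return 1
    fi
    [ "$gw" != "$host_gw" ] || return 0
    printf 'iptables -t nat -A OUTPUT -d %s -j RETURN\n' "$gw"
    printf 'iptables -A OUTPUT -p tcp -d %s --dport 80 -j ACCEPT\n' "$gw"
}

# Constructed sample of `route -n` inside a container on the AWF network.
ROUTE_N_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.30.0.1      0.0.0.0         UG    0      0        0 eth0
172.30.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0'

# Constructed sample of `ip route show default` for the same container.
IP_ROUTE_SAMPLE='default via 172.30.0.1 dev eth0'

# Demo on the constructed sample, with the Docker bridge as the host gateway.
demo_gw=$(printf '%s\n' "$ROUTE_N_SAMPLE" | gateway_from_route)
gateway_bypass_rules "$demo_gw" 172.17.0.1
```

In a real container you would call `gateway_bypass_rules "$(detect_gateway)" "$HOST_GATEWAY_IP"` as root and run the printed commands; the point of printing them is that the validation and the "same as host gateway" short-circuit can be checked on a workstation before the rules ever touch a live netfilter table.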
1 parent 659bb9c commit eec2739

1 file changed

Lines changed: 11 additions & 0 deletions

containers/agent/setup-iptables.sh

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,17 @@ if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then
133133
else
134134
echo "[iptables] WARNING: host.docker.internal could not be resolved, skipping host gateway bypass"
135135
fi
136+
137+
# Also bypass Squid for the container's default network gateway.
138+
# Codex resolves host.docker.internal to this IP (172.30.0.1 on the AWF network)
139+
# instead of the Docker bridge gateway (172.17.0.1). Without this bypass,
140+
# MCP Streamable HTTP traffic goes through Squid, which crashes on SSE connections.
141+
NETWORK_GATEWAY_IP=$(route -n | awk '/^0\.0\.0\.0/ { print $2; exit }')
142+
if [ -n "$NETWORK_GATEWAY_IP" ] && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then
143+
echo "[iptables] Allow direct traffic to network gateway (${NETWORK_GATEWAY_IP}) - bypassing Squid..."
144+
iptables -t nat -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j RETURN
145+
iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport 80 -j ACCEPT
146+
fi
136147
fi
137148

138149
# Block dangerous ports at NAT level (defense-in-depth with Squid ACL filtering)
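Review bot: the new block at lines 141-146 fails silently when `route -n` yields nothing, whereas the `else` branch just above it logs `[iptables] WARNING: host.docker.internal could not be resolved, skipping host gateway bypass` for the equivalent failure; add an `else` to the new `if` that echoes a matching `[iptables] WARNING: default gateway could not be detected, skipping network gateway bypass`, otherwise a slim image without net-tools' `route` binary, or a container with no default route, reintroduces the Squid crash with no trace in the CI log. Since `route` is the deprecated net-tools tool, `ip route show default | awk '{ print $3; exit }'` would be the more reliable primary source with `route -n` kept as the fallback. Also worth a comment in the script itself: the NAT `RETURN` at line 144 matches every protocol and port to the gateway while the filter `ACCEPT` at line 145 admits only TCP/80, so non-80 traffic to the gateway now skips the DNAT to Squid and falls through to whatever the OUTPUT chain does later in this file; the commit message explains that asymmetry but nothing in the hunk does.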
