From b44a15438ce28f0fc3324da714cab271c191ff36 Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou"
Date: Fri, 6 Feb 2026 08:03:21 +0000
Subject: [PATCH 1/2] fix: bypass Squid for network gateway to fix MCP SSE crash

Squid crashes with a segfault (comm.cc:1583 assertion failure) when proxying concurrent MCP Streamable HTTP (SSE) connections from Codex to the MCP gateway. Root cause: Codex resolves host.docker.internal to 172.30.0.1 (the AWF network gateway) instead of 172.17.0.1 (Docker bridge). The existing iptables bypass only covers 172.17.0.1, so traffic to 172.30.0.1:80 gets DNAT-redirected to Squid, which crashes on concurrent SSE streams. Fix: Dynamically detect the container's default network gateway via `route -n` and add it to the iptables bypass list alongside host.docker.internal, so MCP gateway traffic goes directly to the host. Locally reproduced: before fix Squid crashes with the exact CI error; after fix all SSE+POST traffic bypasses Squid and Squid stays alive.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 containers/agent/setup-iptables.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/containers/agent/setup-iptables.sh b/containers/agent/setup-iptables.sh
index f8fd2bb9c..29c04accd 100644
--- a/containers/agent/setup-iptables.sh
+++ b/containers/agent/setup-iptables.sh
@@ -133,6 +133,17 @@ if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then
   else
     echo "[iptables] WARNING: host.docker.internal could not be resolved, skipping host gateway bypass"
   fi
+
+  # Also bypass Squid for the container's default network gateway.
+  # Codex resolves host.docker.internal to this IP (172.30.0.1 on the AWF network)
+  # instead of the Docker bridge gateway (172.17.0.1). Without this bypass,
+  # MCP Streamable HTTP traffic goes through Squid, which crashes on SSE connections.
+  NETWORK_GATEWAY_IP=$(route -n | awk '/^0\.0\.0\.0/ { print $2; exit }')
+  if [ -n "$NETWORK_GATEWAY_IP" ] && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then
+    echo "[iptables] Allow direct traffic to network gateway (${NETWORK_GATEWAY_IP}) - bypassing Squid..."
+    iptables -t nat -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j RETURN
+    iptables -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j ACCEPT
+  fi
 fi
 
 # Block dangerous ports at NAT level (defense-in-depth with Squid ACL filtering)

From 1e852c742e9b7b4ba7b3be4acd9f2d8a50627746 Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou"
Date: Fri, 6 Feb 2026 08:17:58 +0000
Subject: [PATCH 2/2] fix: restrict network gateway bypass to TCP port 80 only

Address security review: narrow the OUTPUT ACCEPT rule from all ports/protocols to only TCP port 80 (where MCP gateway runs). The NAT RETURN rule remains broad since DNAT only catches 80/443.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 containers/agent/setup-iptables.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/containers/agent/setup-iptables.sh b/containers/agent/setup-iptables.sh
index 29c04accd..47e946b48 100644
--- a/containers/agent/setup-iptables.sh
+++ b/containers/agent/setup-iptables.sh
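Review bot: When `route` is missing from the image or its output has no default route, the new `NETWORK_GATEWAY_IP=$(route -n | awk ...)` line leaves the variable empty and the bypass is skipped without any log output, while the host.docker.internal path directly above prints a WARNING in the same situation; adding `[ -n "$NETWORK_GATEWAY_IP" ] || echo "[iptables] WARNING: default gateway could not be determined, skipping network gateway bypass"` before the new `if` keeps the two paths consistent and makes the MCP failure mode visible in the job log. `route` comes from net-tools, which minimal images often omit; if the image carries iproute2 instead, `ip -4 route show default | awk '{ print $3; exit }'` yields the same address. The NAT `RETURN` exempts every destination port on the gateway from redirection while the filter `ACCEPT` is narrowed to TCP/80 by the second patch in this series; a short comment on the RETURN rule stating that only ports 80/443 are DNATed, as the second commit message explains, would stop a later reader from widening the ACCEPT to match. The enclosing `if [ -n "$AWF_ENABLE_HOST_ACCESS" ]` block starts before the hunk.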
@@ -142,7 +142,7 @@ if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then
   if [ -n "$NETWORK_GATEWAY_IP" ] && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then
     echo "[iptables] Allow direct traffic to network gateway (${NETWORK_GATEWAY_IP}) - bypassing Squid..."
     iptables -t nat -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j RETURN
-    iptables -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j ACCEPT
+    iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport 80 -j ACCEPT
   fi
 fi