From ff4aee61ab758aa8ebb7253e8bf8548a7b53b374 Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Wed, 13 May 2026 11:01:57 -0400
Subject: [PATCH] refactor(base): add nftables package for bypass detection

The sandbox supervisor is migrating from iptables to nftables for bypass detection rules (NVIDIA/OpenShell#1335). Install nftables alongside iptables during the transition period; iptables can be removed in a future release.
---
 sandboxes/base/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sandboxes/base/Dockerfile b/sandboxes/base/Dockerfile
index 40d492f..723d248 100644
--- a/sandboxes/base/Dockerfile
+++ b/sandboxes/base/Dockerfile
@@ -21,7 +21,8 @@ WORKDIR /sandbox
 # Core system dependencies
 # iproute2: network namespace management (ip netns, veth pairs)
-# iptables: bypass detection — LOG + REJECT rules for direct connection diagnostics
+# iptables: legacy bypass detection (kept for transition)
+# nftables: bypass detection — log + reject rules for direct connection diagnostics
 # dnsutils: dig, nslookup
 # Python is managed entirely by uv (see devtools stage).
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -30,6 +31,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 dnsutils \
 iproute2 \
 iptables \
+ nftables \
 iputils-ping \
 net-tools \
 netcat-openbsd \
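Review bot: The new `# iptables: legacy bypass detection (kept for transition)` comment states no removal criterion, so the legacy package is likely to outlive the migration; tie it to the tracker the commit message already cites, e.g. `# iptables: legacy bypass detection — remove once NVIDIA/OpenShell#1335 completes the nftables migration`. Because this is an apt-based image, the `iptables` binary is presumably the iptables-nft wrapper, which programs the same kernel nf_tables backend as `nft`; if both rule sets are loaded during the transition, the legacy REJECT chain and the new nft log/reject chain are evaluated in hook-priority order, and a packet rejected by one family's chain never reaches the other's log rule. A one-line caveat on the nftables comment would save the next maintainer that surprise: `# (coexists with the iptables-nft ruleset during transition — mind hook priorities so log rules still fire)`. The RUN instruction this comment block precedes continues past the end of the hunk.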
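Review bot: `nftables \` is inserted between `iptables \` and `iputils-ping \`, which breaks the alphabetical order the surrounding list follows (dnsutils, iproute2, iptables, iputils-ping, net-tools, netcat-openbsd); placing it after `netcat-openbsd \` keeps the list sorted so later package additions merge without conflicts. The package list continues beyond the last visible line of the hunk, so the exact sorted position may fall among entries outside this view.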