Summary
network.enforcementMode: "firewall" under the Bubblewrap backend resolves allowedHosts to IPv4 + IPv6 records, then injects each resolved address into the host's IPv4 iptables chain. iptables rejects the IPv6 addresses because it only accepts IPv4 syntax, and the sandbox refuses to start.
Repro
Config (minimal — fingerprints just the allowedHosts shape):
{
  "version": "0.6.0-alpha",
  "containerId": "repro-fw-ipv6",
  "containment": "bubblewrap",
  "platform": "linux",
  "process": { "commandLine": "echo ok" },
  "filesystem": {
    "readonlyPaths": ["/usr","/lib","/lib64","/etc/ssl/certs"],
    "readwritePaths": ["/tmp"]
  },
  "network": {
    "defaultPolicy": "block",
    "enforcementMode": "firewall",
    "allowedHosts": ["api.anthropic.com", "127.0.0.1"]
  }
}
Driver (Node + the SDK from a fresh build of microsoft/mxc HEAD):
import fs from 'node:fs';
import { spawnSandboxFromConfig } from '@microsoft/mxc-sdk';
const cfg = JSON.parse(fs.readFileSync('cfg.json', 'utf8'));
const child = spawnSandboxFromConfig(cfg, { usePty: false });
child.stderr.on('data', d => process.stderr.write(d));
child.on('close', code => console.log('exit', code));
Run as root (firewall mode requires it for iptables): sudo node driver.mjs.
Observed
Bubblewrap: network policy error: iptables -A MXC-enclawed-bubblewrap- -d 2607:6bc0::10 -j ACCEPT failed: iptables v1.8.10 (nf_tables): host/network '2607:6bc0::10' not found
Try `iptables -h' or `iptables --help' for more information.
exit=255
2607:6bc0::10 is one of the IPv6 records for api.anthropic.com. iptables (the IPv4 tool) cannot accept IPv6 addresses; the same rule for an IPv6 destination needs ip6tables.
Expected
One of:
- Resolve allowedHosts to IPv4 only when enforcementMode: "firewall" is using iptables, and document that the firewall mode is IPv4-only.
- Issue parallel ip6tables rules for IPv6 records when they appear.
- Skip IPv6 addresses with a single warn line and continue, so the sandbox still launches.
Workarounds discovered
enforcementMode: "proxy" (HTTP proxy mode) is unaffected — it doesn't touch iptables. That's the path we currently document operators take when they can't run under sudo or when the upstream hosts have IPv6 records. But that gives up the iptables-level posture for cases that genuinely want it.
defaultPolicy: "allow" also avoids the failure, but defeats the firewall intent.
Context
Found while live-validating the enclawed/mxc-enclawed-sandbox deployment repo (referenced from issue #478) against MXC HEAD on Linux with bubblewrap 0.9.0. Reproduces on a vanilla configuration; not enclawed-specific.
Environment
- MXC: microsoft/mxc HEAD as of 2026-06-02
- bubblewrap: 0.9.0
- iptables: v1.8.10 (nf_tables)
- Host: Debian Trixie on WSL2 (the failure is iptables-side, kernel-agnostic — should reproduce on bare Linux too)
- Tested allowedHost: api.anthropic.com (any host with AAAA records reproduces)
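Added example, not part of the original report and not MXC code: one way the second and third options under Expected could look, splitting resolved addresses by family before any rule is issued. The function `planFirewallRules`, its `ipv6` option and the chain name `MXC-EXAMPLE` are hypothetical; the sample addresses are constructed, apart from the IPv6 record quoted above.

```javascript
// Added illustration: plan per-family firewall rules instead of sending
// every resolved address to iptables. Names here are hypothetical.
const net = require('node:net');

// Each address family has its own rule tool.
const TOOL_BY_FAMILY = { 4: 'iptables', 6: 'ip6tables' };

// Returns { rules, warnings }. Each rule is { tool, args } with args as an
// argv array, suitable for execFile (no shell, so no quoting problems).
// opts.ipv6: 'parallel' emits ip6tables rules, 'skip' warns and drops them.
function planFirewallRules(chain, addresses, opts = { ipv6: 'parallel' }) {
  const rules = [];
  const warnings = [];
  const seen = new Set();
  for (const raw of addresses) {
    const addr = String(raw).trim();
    const family = net.isIP(addr); // 4, 6, or 0 when not an IP literal
    if (family === 0) {
      // Never hand a hostname to the rule tool; it would resolve it again.
      warnings.push(`skipping ${JSON.stringify(addr)}: not an IP literal`);
      continue;
    }
    if (seen.has(addr)) continue; // DNS answers can repeat an address
    seen.add(addr);
    if (family === 6 && opts.ipv6 === 'skip') {
      warnings.push(`skipping IPv6 address ${addr}: firewall mode is IPv4-only`);
      continue;
    }
    rules.push({
      tool: TOOL_BY_FAMILY[family],
      args: ['-A', chain, '-d', addr, '-j', 'ACCEPT'],
    });
  }
  return { rules, warnings };
}

// Constructed sample: what a resolver might return for the repro config.
const SAMPLE = ['192.0.2.10', '2607:6bc0::10', '127.0.0.1', '192.0.2.10'];

for (const mode of ['parallel', 'skip']) {
  const plan = planFirewallRules('MXC-EXAMPLE', SAMPLE, { ipv6: mode });
  console.log(`ipv6=${mode}`);
  for (const r of plan.rules) console.log(' ', r.tool, r.args.join(' '));
  for (const w of plan.warnings) console.log('  warn:', w);
}
```

In `skip` mode the sandbox's IPv6 egress must still be blocked by default policy, otherwise dropping the rule leaves the allowlist unenforced for that family.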