From d3fed6f4870dd788fbafd3dbc2eaee599474ce14 Mon Sep 17 00:00:00 2001
From: Yevhenii Shcherbina
Date: Wed, 18 Feb 2026 22:00:15 +0000
Subject: [PATCH] fix: make ip-forward best-effort

---
 nsjail_manager/nsjail/networking_host.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nsjail_manager/nsjail/networking_host.go b/nsjail_manager/nsjail/networking_host.go
index ee248709..e697ee45 100644
--- a/nsjail_manager/nsjail/networking_host.go
+++ b/nsjail_manager/nsjail/networking_host.go
@@ -61,11 +61,13 @@ func (l *LinuxJail) configureIptables() error {
 // Enable IPv4 packet forwarding so the host can route packets between
 // the jail's veth interface and the outside network. Without this,
 // NAT and forwarding rules would have no effect because the kernel
- // would drop transit packets.
- newCommand(
+ // would drop transit packets. Best-effort: in restricted environments
+ // (e.g. read-only sysctl) we continue; TCP through the proxy may still work.
+ newCommandWithIgnoreErr(
 "enable IP forwarding",
 exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1"),
 []uintptr{},
+ "*",
 ),
 // Apply source NAT (MASQUERADE) for all traffic leaving the jail’s
 // private subnet. This rewrites the source IP of packets originating
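Review bot: The `"*"` argument to `newCommandWithIgnoreErr` (assuming it is a match-all pattern for errors to ignore) swallows every failure of the `sysctl -w net.ipv4.ip_forward=1` step indistinguishably, so a host where forwarding is genuinely off — sysctl binary missing, wrong namespace, a typo in the key — proceeds silently to install MASQUERADE/FORWARD rules that the preceding comment itself says cannot take effect. Narrow the ignore to the case the new comment describes, e.g. a pattern matching `Read-only file system` / `permission denied`, or keep the wildcard but verify afterwards by reading `/proc/sys/net/ipv4/ip_forward` and emitting a warning when it is still `0`, so the degraded state is visible in logs rather than discovered as broken jail egress. The comment's reference to "the proxy" names nothing visible in this hunk; either point to the component (`// ... TCP via <proxy component> may still work`) or drop the clause. `configureIptables` starts before and continues past this hunk, so I cannot see whether the helper already logs the ignored error.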