Verified Solution: [docker/cli] bug: docker sandbox networking fails to route TCP traffic to host.docker.internal despite --allow-host configuration
### ROOT CAUSE
The Docker Sandbox networking enforces a policy that routes all outbound traffic through the proxy. TCP connections to hosts permitted by `--allow-host` are supposed to bypass the proxy, but the `--allow-host` configuration is never applied to exclude them from interception, so connections to `host.docker.internal` are intercepted and fail.
### CODE FIX
Modify the container's networking code to mark allowed host connections and route them directly without going through the proxy. Specifically, update the proxy configuration to ignore connections to the allowed host IPs and ports, and ensure the container's network stack routes these connections directly. This can be achieved by:
1. Adding iptables rules to bypass the proxy for allowed host IPs/ports.
2. Modifying the proxy configuration to exclude allowed host rules from interception.
Example fix snippet (hypothetical):
```go
package main

import (
	"log"
	"net"
	"os/exec"
)

// In the container's networking setup: one bypass rule per allowed "host:port" entry.
func setupNetworking(allowedHosts []string) {
	for _, entry := range allowedHosts {
		// Parse "host.docker.internal:3306" into host and port; iptables needs
		// them as separate -d and --dport arguments, not one "host:port" string.
		host, port, err := net.SplitHostPort(entry)
		if err != nil {
			log.Fatalf("bad --allow-host entry %q: %v", entry, err)
		}
		bypassProxy(host, port)
	}
}

// Add an iptables ACCEPT rule so TCP traffic to host:port is not intercepted by the
// proxy; an iptables failure is reported instead of being silently discarded.
func bypassProxy(host, port string) {
	out, err := exec.Command("iptables", "-A", "DOCKER-USER", "-d", host, "-p", "tcp", "--dport", port, "-j", "ACCEPT").CombinedOutput()
	if err != nil {
		log.Fatalf("iptables bypass for %s:%s failed: %v: %s", host, port, err, out)
	}
}
```
This ensures allowed host traffic is not routed through the proxy, allowing direct connections to the host's services.
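Step 2 above, the proxy-side exclusion, as an added example (not docker/cli's code): the proxy parses the `--allow-host` entries once and asks `ShouldBypassProxy` for every intercepted TCP connection. The `host[:port]` entry format, the `AllowRule` type and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// AllowRule is one parsed --allow-host entry, e.g. "host.docker.internal:3306".
// An empty Port means every port on that host. (Assumed format, not docker/cli's.)
type AllowRule struct {
	Host string
	Port string
}

// ParseAllowHosts turns raw --allow-host entries into rules; an entry with no
// port is allowed on every port, and malformed entries are rejected.
func ParseAllowHosts(entries []string) ([]AllowRule, error) {
	rules := make([]AllowRule, 0, len(entries))
	for _, e := range entries {
		e = strings.TrimSpace(e)
		host, port, err := net.SplitHostPort(e)
		if err != nil {
			// No port given: the whole entry is a host name; an empty entry or one
			// with a colon but no parseable port (bare IPv6, extra fields) is an error.
			if e == "" || strings.Contains(e, ":") {
				return nil, fmt.Errorf("bad --allow-host entry %q", e)
			}
			host, port = e, ""
		}
		rules = append(rules, AllowRule{Host: strings.ToLower(host), Port: port})
	}
	return rules, nil
}

// ShouldBypassProxy is the check the proxy runs on each intercepted TCP
// connection: true means it matches an allowed host and is passed straight
// through; false means it stays subject to the sandbox proxy policy.
func ShouldBypassProxy(rules []AllowRule, dstHost, dstPort string) bool {
	dstHost = strings.ToLower(dstHost)
	for _, r := range rules {
		if r.Host == dstHost && (r.Port == "" || r.Port == dstPort) {
			return true
		}
	}
	return false
}
```

Only connections matching both the allowed host and, when one was given, the allowed port are let through; everything else, including other ports on `host.docker.internal`, still goes through the proxy.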