Deduplicate Docker bridge gateway resolution in `setupHostIptables` by Copilot · Pull Request #3821 · github/gh-aw-firewall

Copilot · 2026-05-26T00:03:57Z

setupHostIptables() was resolving the Docker bridge gateway and constructing gatewayIps twice in separate branches (cliProxyConfig and hostAccess.enabled). When both paths were active, this triggered redundant docker network inspect bridge calls for the same value.

Refactor: shared gateway resolution
- Hoisted gateway resolution to a single precomputed path:
  - compute once only when needed (cliProxyConfig || hostAccess?.enabled)
  - build one shared gatewayIps array
- Both consumers now use the same resolved values, eliminating duplicate async work and keeping behavior aligned.
Behavior guardrail
- Added focused test coverage to assert the Docker bridge gateway is queried exactly once when both cliProxyConfig and hostAccess are enabled.

const needsGatewayIps = !!cliProxyConfig || !!hostAccess?.enabled;
const dockerBridgeGateway = needsGatewayIps ? await getDockerBridgeGateway() : null;
const gatewayIps = [AWF_NETWORK_GATEWAY];
if (dockerBridgeGateway) gatewayIps.push(dockerBridgeGateway);

github-actions · 2026-05-26T00:45:56Z

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.54%	96.63%	📈 +0.09%
Statements	96.38%	96.47%	📈 +0.09%
Functions	97.99%	97.99%	➡️ +0.00%
Branches	90.78%	90.87%	📈 +0.09%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
`src/host-iptables-rules.ts`	97.0% → 98.5% (+1.46%)	97.0% → 98.5% (+1.44%)
`src/config-writer.ts`	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot

Pull request overview

Refactors setupHostIptables() to avoid redundant docker network inspect bridge calls by resolving the Docker bridge gateway once and sharing the resulting gatewayIps across both the CLI-proxy and host-access rule paths.

Changes:

Hoists Docker bridge gateway resolution behind a single needsGatewayIps guard and builds one shared gatewayIps array.
Updates both cliProxyConfig and hostAccess.enabled rule generation to reuse the shared gateway IP list.
Adds a unit test asserting the Docker bridge gateway is queried exactly once when both features are enabled.

Show a summary per file

File	Description
src/host-iptables-rules.ts	Deduplicates Docker bridge gateway lookup and shares `gatewayIps` between CLI-proxy and host-access rule branches.
src/host-iptables-setup.test.ts	Adds regression test ensuring only one Docker bridge gateway lookup occurs when both branches are active.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 2/2 changed files
Comments generated: 0

lpcox · 2026-05-26T01:13:56Z

@copilot adddress review feedback

Copilot · 2026-05-26T01:21:11Z

@copilot adddress review feedback

Added a test covering the allowHostServicePorts invalid-port-spec validation path (lines 288-289 in host-iptables-rules.ts), which was the only pre-existing coverage gap touched by this PR. Line coverage on that file improved from 96.94% → 98.47% (commit test(host-iptables): cover invalid allowHostServicePorts validation path).

github-actions · 2026-05-26T02:23:17Z

Smoke Test: Claude

✅ GitHub API: 2 recent PR entries found
✅ GitHub check: playwright_check=✅ PASS
✅ File verify: smoke-test-claude-26426891075.txt exists

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-26T02:23:34Z

🔍 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	⚠️ pre-step data unavailable (template vars not expanded)
File write/read	⚠️ pre-step data unavailable (template vars not expanded)

PR: "Deduplicate Docker bridge gateway resolution in setupHostIptables"
Author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PARTIAL — GitHub MCP confirmed working; pre-computed step outputs were not injected into this workflow run.

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-05-26T02:23:43Z

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	⚠️ pre-step data not resolved
File write/read	⚠️ pre-step data not resolved
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PASS (core BYOK inference path confirmed working)

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-26T02:24:20Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3821 · sonnet46 1.1M · ◷

github-actions · 2026-05-26T02:24:28Z

Chroot Version Comparison — Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ No
Node.js	v24.15.0	v22.22.3	❌ No
Go	go1.22.12	go1.22.12	✅ Yes

Overall: ❌ Not all runtimes matched. Python and Node.js versions differ between host and chroot environment.

Tested by Smoke Chroot

github-actions · 2026-05-26T02:24:53Z

Refactor host-access port spec parsing to remove duplicate logic
fix(api-proxy): prevent stream_options injection into OpenAI Responses API requests
GitHub PR list: ✅
Playwright GitHub title: ✅
File write/read: ✅
Discussion oracle comment: ✅
Build: ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-05-26T02:25:32Z

Smoke Test: Gemini Engine - FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

github-actions · 2026-05-26T02:25:49Z

Smoke Test Results

Check	Result
Redis PING	❌ timeout
PostgreSQL pg_isready	❌ timeout
PostgreSQL SELECT 1	❌ timeout

host.docker.internal resolves to 172.17.0.1 but TCP connections to ports 6379 and 5432 timed out — service containers appear unreachable from this runner.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

Initial plan

e2e5460

Copilot AI assigned Copilot and lpcox May 26, 2026

Copilot started work on behalf of lpcox May 26, 2026 00:04 View session

Copilot AI linked an issue May 26, 2026 that may be closed by this pull request

[Duplicate Code] getDockerBridgeGateway() + gatewayIps construction duplicated in setupHostIptables #3813

Closed

refactor(host-iptables): dedupe gateway ip resolution

8b5d32b

Copilot AI changed the title ~~[WIP] Fix duplicate code in setupHostIptables~~ Deduplicate Docker bridge gateway resolution in setupHostIptables May 26, 2026

Copilot finished work on behalf of lpcox May 26, 2026 00:09

Copilot AI requested a review from lpcox May 26, 2026 00:09

lpcox marked this pull request as ready for review May 26, 2026 00:44

Copilot AI review requested due to automatic review settings May 26, 2026 00:44

Copilot started reviewing on behalf of lpcox May 26, 2026 00:44 View session

Copilot AI reviewed May 26, 2026

View reviewed changes