
refactor: extract addDnsRules helper to eliminate duplicate DNS iptables rule pairs#3273

Merged
lpcox merged 3 commits into main from copilot/fix-duplicate-iptables-rules on May 16, 2026

Conversation


Copilot AI commented May 16, 2026

The UDP+TCP port-53 iptables/ip6tables rule pair was duplicated across three sites in host-iptables-rules.ts — any structural change (logging, connection tracking, comments) required synchronized edits in all three places; missing one would silently create a security inconsistency in the DNS allowlist.

Changes

  • src/host-iptables-shared.ts — new addDnsRules(cmd, chain, destination) helper that atomically adds the UDP+TCP ACCEPT pair for port 53:

```ts
import { execa } from 'execa';

// Append the DNS ACCEPT rules for `destination` to `chain`: one for UDP and
// one for TCP, so both halves of the port-53 allowlist are always added together.
export async function addDnsRules(
  cmd: 'iptables' | 'ip6tables',
  chain: string,
  destination: string,
): Promise<void> {
  for (const proto of ['udp', 'tcp'] as const) {
    await execa(cmd, ['-t', 'filter', '-A', chain,
      '-p', proto, '-d', destination, '--dport', '53', '-j', 'ACCEPT']);
  }
}
```
  • src/host-iptables-rules.ts — all three duplicate rule pairs replaced with addDnsRules calls:
    • IPv4 DNS server loop → addDnsRules('iptables', CHAIN_NAME, dnsServer)
    • IPv6 DNS server loop → addDnsRules('ip6tables', CHAIN_NAME_V6, dnsServer)
    • DoH proxy block → addDnsRules('iptables', CHAIN_NAME, dohProxyIp)
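
A companion to the helper above, added here as an example and not part of the PR or the project: the UDP+TCP port-53 pair expressed as argv data in the same shape the helper passes to execa, plus a drift check that parses `iptables -S <chain>` output and reports any destination that has the ACCEPT rule for only one protocol, which is the inconsistency the refactor is meant to prevent. The chain name DNS_ALLOW, the addresses and the dump lines are constructed, and the example does not shell out so it runs offline.

```typescript
// Added example, not the project's code. Chain name, addresses and the
// iptables-save style lines below are constructed for the demonstration.
type DnsProto = 'udp' | 'tcp';
const DNS_PROTOS: readonly DnsProto[] = ['udp', 'tcp'];

// The UDP+TCP port-53 ACCEPT pair as argv arrays, in the shape the PR's helper
// hands to execa(cmd, args). One source of truth for both rules is what stops
// the pair from drifting apart when one call site is edited and another is not.
export function dnsRuleArgs(chain: string, destination: string): string[][] {
  return DNS_PROTOS.map((proto) => [
    '-t', 'filter', '-A', chain,
    '-p', proto, '-d', destination, '--dport', '53', '-j', 'ACCEPT',
  ]);
}

// Read `iptables -S <chain>` / `ip6tables -S <chain>` output and report every
// destination with a port-53 ACCEPT rule for only one of udp/tcp. Keys are the
// destination as printed (e.g. "10.0.0.53/32"); an empty object means no drift.
export function findDnsDrift(dump: string, chain: string): Record<string, DnsProto[]> {
  const seen = new Map<string, Set<DnsProto>>();
  for (const line of dump.split('\n')) {
    const tok = line.trim().split(/\s+/);
    if (tok[0] !== '-A' || tok[1] !== chain) continue;
    // Value that follows a flag, or undefined when the flag is absent.
    const opt = (f: string) => { const i = tok.indexOf(f); return i === -1 ? undefined : tok[i + 1]; };
    const proto = opt('-p');
    const dest = opt('-d');
    if (proto !== 'udp' && proto !== 'tcp') continue;
    if (!dest || opt('--dport') !== '53' || opt('-j') !== 'ACCEPT') continue;
    const protos = seen.get(dest) ?? new Set<DnsProto>();
    protos.add(proto);
    seen.set(dest, protos);
  }
  const drift: Record<string, DnsProto[]> = {};
  seen.forEach((protos, dest) => {
    const missing = DNS_PROTOS.filter((p) => !protos.has(p));
    if (missing.length > 0) drift[dest] = missing;
  });
  return drift;
}

// Constructed `iptables -S DNS_ALLOW` output: one complete pair, one pair with
// its TCP rule missing, one unrelated rule and the chain's final DROP.
export const SAMPLE_DUMP = [
  '-N DNS_ALLOW',
  '-A DNS_ALLOW -d 10.0.0.53/32 -p udp -m udp --dport 53 -j ACCEPT',
  '-A DNS_ALLOW -d 10.0.0.53/32 -p tcp -m tcp --dport 53 -j ACCEPT',
  '-A DNS_ALLOW -d 127.0.0.2/32 -p udp -m udp --dport 53 -j ACCEPT',
  '-A DNS_ALLOW -d 10.0.0.9/32 -p tcp -m tcp --dport 443 -j ACCEPT',
  '-A DNS_ALLOW -j DROP',
].join('\n');
```

Running findDnsDrift over SAMPLE_DUMP reports only 127.0.0.2/32 with tcp missing; the same check works on ip6tables output because the parser keys on flags rather than address format.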

Copilot AI changed the title from "[WIP] Fix duplicate iptables rules for DNS allowlisting" to "refactor: extract addDnsRules helper to eliminate duplicate DNS iptables rule pairs" May 16, 2026
Copilot finished work on behalf of lpcox May 16, 2026 22:08
Copilot AI requested a review from lpcox May 16, 2026 22:08
@lpcox lpcox marked this pull request as ready for review May 16, 2026 22:09
@lpcox lpcox requested a review from Mossaka as a code owner May 16, 2026 22:09
Copilot AI review requested due to automatic review settings May 16, 2026 22:09


Copilot AI left a comment


Pull request overview

This PR refactors host firewall rule setup to remove duplicated DNS (port 53) allowlist rule pairs by extracting a shared helper, reducing the risk of future drift between UDP/TCP DNS rules across multiple call sites.

Changes:

  • Added addDnsRules(cmd, chain, destination) helper in src/host-iptables-shared.ts to append both UDP and TCP ACCEPT rules for port 53.
  • Replaced three duplicated UDP+TCP port-53 rule blocks in src/host-iptables-rules.ts with addDnsRules(...) calls.
| File | Description |
|---|---|
| src/host-iptables-shared.ts | Introduces addDnsRules helper for adding UDP+TCP DNS ACCEPT rules to a chain. |
| src/host-iptables-rules.ts | Switches existing DNS allowlist rule additions (IPv4, IPv6, DoH proxy) to use the shared helper. |

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 1

@github-actions github-actions Bot mentioned this pull request May 16, 2026
github-actions bot commented

🧪 Smoke Test Results

| Test | Result |
|---|---|
| GitHub MCP connectivity | ❌ (401 – MCP credentials not available in this context) |
| GitHub.com HTTP connectivity | ⚠️ Pre-step data not injected (template vars unexpanded) |
| File write/read | ⚠️ Pre-step data not injected (template vars unexpanded) |

Overall: FAIL — workflow template variables (${{ steps.smoke-data.outputs.* }}) were not substituted before reaching the agent, and the GitHub MCP server returned 401 Bad Credentials.

📰 BREAKING: Report filed by Smoke Copilot

github-actions bot commented

Smoke test FAILED: MCP missing, Connectivity failed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

github-actions bot commented

Smoke Test Results

  • ❌ GitHub API: Failed (HTTP 401 - credentials issue)
  • ✅ Playwright: Passed (GitHub homepage loads, title verified)
  • ✅ File verify: Passed (smoke-test-claude-25974472687.txt exists)

Overall: 2/3 PASS — GitHub API authentication issue prevents full validation.

💥 [THE END] — Illustrated by Smoke Claude

github-actions bot commented

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
|---|---|
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP | ⚠️ Template vars not expanded |
| File write/read | smoke-test-copilot-byok-25974472683.txt exists |
| BYOK inference | ✅ Agent responded via api-proxy → api.githubcopilot.com |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PARTIAL PASS — BYOK inference path works; GitHub MCP unauthenticated (infra issue, not product regression)

PR author: @lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions bot commented

Chroot Smoke Test Results

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | Python 3.12.13 | Python 3.12.3 | |
| Node.js | v24.15.0 | v20.20.2 | |
| Go | go1.22.12 | go1.22.12 | |

Result: FAIL — Python and Node.js versions differ between host and chroot. Go matches.

Tested by Smoke Chroot

github-actions bot commented

Smoke test Codex: FAIL
PR: fix: remove unused exports from public API surface (batch 2)
PR: refactor: split src/host-env.ts into focused modules
✅ GitHub PR review; ❌ safeinputs-gh unavailable
✅ Playwright title; ❌ Tavily tools unavailable
✅ File/bash; ✅ discussion comment; ✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

github-actions bot commented

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3273

github-actions bot commented

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
|---|---|
| Redis PING | ❌ TIMEOUT/FAIL |
| PostgreSQL pg_isready | ❌ no response |
| PostgreSQL SELECT 1 | ❌ TIMEOUT/FAIL |

Overall: FAIL. host.docker.internal is unreachable from this runner. Service containers are not accessible.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit babcbfa into main May 16, 2026
65 of 68 checks passed
@lpcox lpcox deleted the copilot/fix-duplicate-iptables-rules branch May 16, 2026 22:37
Development

Successfully merging this pull request may close these issues.

[Duplicate Code] Repeated UDP+TCP iptables rule pairs for DNS allowlisting in host-iptables-rules.ts

3 participants