From 11ca517a672447021c7040ba5df2e1b01eec517e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 21 Jun 2026 15:59:36 +0000
Subject: [PATCH 1/2] Initial plan
From 0c7178b70447a56aa643c2e34c96506eb50f423d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 21 Jun 2026 16:15:31 +0000
Subject: [PATCH 2/2] test: refactor host access invalid-port assertions
---
 src/host-iptables-host-access.test.ts | 61 +++++++++++----------------
 1 file changed, 24 insertions(+), 37 deletions(-)
diff --git a/src/host-iptables-host-access.test.ts b/src/host-iptables-host-access.test.ts
index e492fc74c..a1ac42f8e 100644
--- a/src/host-iptables-host-access.test.ts
+++ b/src/host-iptables-host-access.test.ts
@@ -7,6 +7,25 @@ describe('host-iptables (host access)', () => {
 setupHostIptablesTestSuite(iptablesSharedTestHelpers.resetIpv6State);
 
 describe('setupHostIptables with host access', () => {
+ const invalidHostServicePorts = ['abc', '99999', '-1'];
+
+ const setupHostAccessWithServicePorts = async (allowHostServicePorts: string) => {
+ setupDefaultIptablesMocks();
+
+ setupDockerBridgeMock();
+
+ const hostAccess: HostAccessConfig = { enabled: true, allowHostServicePorts };
+ await setupHostIptables('172.30.0.10', 3128, ['8.8.8.8', '8.8.4.4'], undefined, undefined, hostAccess);
+ };
+
+ const expectInvalidHostServicePortsSkipped = (ports: string[]) => {
+ for (const port of ports) {
+ expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
+ '--dport', port,
+ ]));
+ }
+ };
+
 it('should add gateway ACCEPT rules when hostAccess is enabled', async () => {
 setupDefaultIptablesMocks();
 
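Review bot: In `expectInvalidHostServicePortsSkipped`, `expect.arrayContaining(['--dport', port])` only proves that no `iptables` call carried the exact token `port` together with `--dport`. It would still pass if a rejected value reached a rule in another form, such as inside a comma-separated port list, or through a different binary. Because this test guards what gets opened on the host firewall, a check over every recorded call would be a stronger negative, for example `expect(mockedExeca.mock.calls.flat(2)).not.toContain(port);` inside the loop. `invalidHostServicePorts` also covers only values far outside the range; if the validator is meant to reject them, `'0'` and `'65536'` are where an off-by-one would show. The enclosing `describe` body continues outside this hunk.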
@@ -137,30 +156,12 @@ describe('host-iptables (host access)', () => {
 });
 
 it('should skip invalid ports in allowHostServicePorts', async () => {
- setupDefaultIptablesMocks();
-
- setupDockerBridgeMock();
+ await setupHostAccessWithServicePorts(invalidHostServicePorts.join(','));
 
- const hostAccess: HostAccessConfig = { enabled: true, allowHostServicePorts: 'abc,99999,-1' };
- await setupHostIptables('172.30.0.10', 3128, ['8.8.8.8', '8.8.4.4'], undefined, undefined, hostAccess);
-
- // Verify invalid service ports are NOT added
- expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
- '--dport', 'abc',
- ]));
- expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
- '--dport', '99999',
- ]));
- expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
- '--dport', '-1',
- ]));
+ expectInvalidHostServicePortsSkipped(invalidHostServicePorts);
 
 // Default ports should still be present
- expect(mockedExeca).toHaveBeenCalledWith('iptables', [
- '-t', 'filter', '-A', 'FW_WRAPPER',
- '-p', 'tcp', '-d', '172.30.0.1', '--dport', '80',
- '-j', 'ACCEPT',
- ]);
+ expectGatewayHttpAcceptRules(mockedExeca, '172.30.0.1');
 });
 
 it('should skip invalid ports in allowHostPorts', async () => {
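Review bot: The replacement `expectGatewayHttpAcceptRules(mockedExeca, '172.30.0.1')` is defined outside this diff, so it is not visible here whether it still pins the exact argument list the removed assertion checked (`-t filter -A FW_WRAPPER -p tcp -d 172.30.0.1 --dport 80 -j ACCEPT`). If the helper matches more loosely, a regression that changes the chain, destination or target of the default rule would no longer fail this test. Worth confirming the helper uses an exact-array match, and recording that above the call with a comment such as `// exact-match check of the default gateway ACCEPT rules in FW_WRAPPER`.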
@@ -247,23 +248,9 @@ describe('host-iptables (host access)', () => {
 });
 
 it('should skip invalid service ports in allowHostServicePorts', async () => {
- setupDefaultIptablesMocks();
+ await setupHostAccessWithServicePorts(`${invalidHostServicePorts.join(',')},5432`);
 
- setupDockerBridgeMock();
-
- const hostAccess: HostAccessConfig = { enabled: true, allowHostServicePorts: 'abc,99999,-1,5432' };
- await setupHostIptables('172.30.0.10', 3128, ['8.8.8.8', '8.8.4.4'], undefined, undefined, hostAccess);
-
- // Verify invalid service ports are NOT added
- expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
- '--dport', 'abc',
- ]));
- expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
- '--dport', '99999',
- ]));
- expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining([
- '--dport', '-1',
- ]));
+ expectInvalidHostServicePortsSkipped(invalidHostServicePorts);
 
 // Valid service port should be present
 expect(mockedExeca).toHaveBeenCalledWith('iptables', [
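Review bot: The valid port `5432` is now written twice, once in the template literal here and once in the exact-match assertion that starts on the last line of this hunk and continues below it. A named constant, `const validHostServicePort = '5432';`, used in both places would keep the input and the expected rule from drifting apart. With the shared helpers, this test and 'should skip invalid ports in allowHostServicePorts' differ only in that extra port, so the earlier one could be folded into this mixed valid/invalid case.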