@sakumoto-shota sakumoto-shota commented Aug 12, 2025

Summary

This PR enhances the DevContainer firewall configuration to better handle modern CDN
and load-balanced services by implementing a hybrid approach for IP management.

Changes

  • Hybrid IP Management:
    • GitHub continues using Meta API for comprehensive CIDR ranges (static IPSet)
    • Other services use dynamic DNS resolution with TTL support (dynamic IPSet)
  • Automatic Updates:
    • IPs expire after 600 seconds (configurable)
    • Automatic refresh script runs every 5 minutes via cron
    • Domain list passed as arguments to refresh script (no duplication)
  • Improved Maintainability:
    • Domain list managed as shell array in single location
    • Clear separation between static and dynamic IP management
    • Reduced verbose logging while keeping essential error messages

Testing

Tested in Docker container with the following results:

  • GitHub API: ✅ Accessible (47 CIDR ranges loaded)
  • NPM Registry: ✅ Accessible
  • Anthropic API: ✅ Accessible
  • External sites (Google, Example.com): ✅ Properly blocked
  • Dynamic IP refresh: ✅ Working with domain arguments
  • TTL expiry: ✅ IPs auto-expire after 600s

Backward Compatibility

  • Fully backward compatible
  • Cleans up legacy allowed-domains IPSet if exists
  • Error handling remains the same
  • All existing functionality preserved

…nagement

- Implement dual IPSet approach (static for GitHub, dynamic for others)
- Add automatic DNS refresh with TTL support (600s default)
- Improve maintainability with single domain array configuration
- Pass domains as arguments to refresh script (avoid duplication)
- Reduce verbose logging while keeping error messages
IFS=$'\n\t' # Stricter word splitting

# Configuration - Domain list as shell array for easy maintenance
declare -a DYNAMIC_DOMAINS=(
@MarkS-AL MarkS-AL Aug 29, 2025

Allow additional domains, e.g. "pypi.org", to be passed in externally, e.g. via a WHITELIST_DOMAINS env var?
Concat the user whitelist with this list of domain names?
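The dynamic half of the design described in the PR (domains passed as arguments, addresses added to a timeout-enabled ipset, legacy `allowed-domains` set cleaned up) together with the env-var merge suggested in the comment above, as an added example; this is not the PR's own refresh script. The set name `dynamic-allowed`, the `WHITELIST_DOMAINS`, `RESOLVER` and `DRY_RUN` variables, and the cron path in the trailing comment are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the PR's refresh script: resolve every domain given as an
# argument, add the addresses to an ipset whose entries expire after IPSET_TTL
# seconds, and merge an optional WHITELIST_DOMAINS env var (reviewer suggestion).
# Set name, TTL default, RESOLVER and DRY_RUN are assumptions for this example.
set -euo pipefail
IFS=$'\n\t'            # stricter word splitting, as in the PR's script

IPSET_NAME="${IPSET_NAME:-dynamic-allowed}"   # assumed name of the dynamic set
IPSET_TTL="${IPSET_TTL:-600}"                 # seconds before an entry expires
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print commands instead of running them

# Run a command, or print it when DRY_RUN=1 so the logic can be checked without root or ipset.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    local IFS=' '        # join with spaces (global IFS has no space)
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only syntactically valid hostnames; anything else is dropped before it reaches ipset.
is_valid_domain() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Merge argument domains with a comma/space separated WHITELIST_DOMAINS: lowercase, dedupe, validate.
merge_domains() {
  local d
  {
    for d in "$@"; do printf '%s\n' "$d"; done
    if [ -n "${WHITELIST_DOMAINS:-}" ]; then
      printf '%s\n' "$WHITELIST_DOMAINS" | tr ', ' '\n\n'
    fi
  } | tr 'A-Z' 'a-z' | sed '/^$/d' | awk '!seen[$0]++' | while read -r d; do
    if is_valid_domain "$d"; then printf '%s\n' "$d"; else echo "skipping invalid domain: $d" >&2; fi
  done
}

# Resolve a hostname to IPv4 addresses via the system resolver (container DNS config applies).
# A failed lookup is reported but not fatal, so one dead name does not stop the whole refresh.
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u || echo "could not resolve $1" >&2
}

# Create the dynamic set with a default timeout (idempotent thanks to -exist) and drop the
# legacy allowed-domains set if it is still present, as the PR description says it does.
ensure_ipset() {
  run_cmd ipset create "$IPSET_NAME" hash:ip timeout "$IPSET_TTL" -exist
  if [ "$DRY_RUN" != "1" ] && ipset list -n 2>/dev/null | grep -qx allowed-domains; then
    run_cmd ipset destroy allowed-domains
  fi
}

# Refresh entries for every domain passed as an argument. "timeout" makes each entry expire
# on its own; "-exist" keeps the re-add from failing when the address is already in the set.
# RESOLVER may name another function (used by offline tests); default is resolve_ipv4.
refresh_dynamic_set() {
  local domain ip count=0
  ensure_ipset
  for domain in $(merge_domains "$@"); do
    for ip in $("${RESOLVER:-resolve_ipv4}" "$domain"); do
      run_cmd ipset add "$IPSET_NAME" "$ip" timeout "$IPSET_TTL" -exist
      count=$((count + 1))
    done
  done
  echo "refreshed $count address(es) for $# argument domain(s)" >&2
}

# Assumed cron entry (every 5 minutes, matching the PR), domains passed as arguments:
#   */5 * * * * /usr/local/bin/refresh-allowed-ips.sh registry.npmjs.org api.anthropic.com
if [ "$#" -gt 0 ]; then
  refresh_dynamic_set "$@"
fi
```

Because the entries carry their own timeout, a cron interval shorter than `IPSET_TTL` (5 minutes against 600 seconds here) is what keeps a reachable domain continuously allowed; if the refresh job stops running, the set empties by itself instead of keeping stale addresses open.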
