
Enforce network restrictions for IPv6 traffic #32

Open
Copilot wants to merge 10 commits into main from copilot/fix-ipv6-firewall-issues

Conversation

Contributor

Copilot AI commented May 16, 2026

IPv6 egress bypassed runtime network restrictions because only iptables rules were configured. Hosts with AAAA records could ignore allow.net / deny.net.

  • Runtime firewall

    • Mirrors per-execution iptables chains to ip6tables.
    • Resolves allowed/denied hosts separately with getent ahostsv4 and getent ahostsv6.
    • Applies deny, allow, default reject, OUTPUT insertion, and teardown for both stacks.
  • Lima provisioning

    • Configures the default BAND-DEFAULT lockdown chain for both IPv4 and IPv6.
  • Firewall script coverage

    • Updates unit expectations to verify IPv6 chain creation, hostname resolution, and OUTPUT routing.
```ts
// Each address family is paired with the getent database used to resolve hosts for it.
const FIREWALL_TABLES = [
  { table: "iptables", resolver: "ahostsv4" },
  { table: "ip6tables", resolver: "ahostsv6" },
];
```
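The following is an added illustration of the approach the description outlines (mirrored chains, per-family `getent` resolution, deny / allow / default reject, OUTPUT insertion, teardown). It is not the PR's own code: the chain name, hostnames, function names and the `getent` output fixtures are constructed, and the rule generator only returns command strings so it can be inspected without root.

```typescript
// Added example (not the PR's own code): generate per-execution egress rules
// for both iptables and ip6tables from allow/deny host lists. Chain name,
// hostnames and the getent output fixtures below are constructed.

type Family = { table: "iptables" | "ip6tables"; resolver: "ahostsv4" | "ahostsv6" };

// Each address family is paired with the getent database that resolves it.
const FIREWALL_TABLES: Family[] = [
  { table: "iptables", resolver: "ahostsv4" },
  { table: "ip6tables", resolver: "ahostsv6" },
];

// A Resolver returns the raw stdout of `getent <db> <host>` ("" when nothing
// resolves). Production would shell out to getent; this example injects fixtures.
type Resolver = (db: Family["resolver"], host: string) => string;

// getent ahosts* prints one line per socket type (STREAM, DGRAM, RAW) for the
// same address, and the hostname column is empty after the first line, so the
// only reliable field is the address: take column one and dedupe.
function parseGetent(output: string): string[] {
  const seen = new Set<string>();
  for (const line of output.split("\n")) {
    const addr = line.trim().split(/\s+/)[0];
    if (addr) seen.add(addr);
  }
  return Array.from(seen);
}

// Rule order matters: deny first (a host in both lists stays blocked), then
// allow, then an unconditional REJECT. The trailing REJECT is what keeps a
// stack closed when a host resolves in one family only: an allow-listed host
// with an A record but no AAAA record yields no ip6tables ACCEPT, so its
// IPv6 egress is rejected rather than silently permitted.
function buildChain(chain: string, allow: string[], deny: string[], resolve: Resolver): string[] {
  const cmds: string[] = [];
  for (const { table, resolver } of FIREWALL_TABLES) {
    cmds.push(`${table} -N ${chain}`);
    for (const host of deny) {
      for (const ip of parseGetent(resolve(resolver, host))) {
        cmds.push(`${table} -A ${chain} -d ${ip} -j REJECT`);
      }
    }
    for (const host of allow) {
      for (const ip of parseGetent(resolve(resolver, host))) {
        cmds.push(`${table} -A ${chain} -d ${ip} -j ACCEPT`);
      }
    }
    cmds.push(`${table} -A ${chain} -j REJECT`);   // default reject
    cmds.push(`${table} -I OUTPUT 1 -j ${chain}`); // route all egress through the chain
  }
  return cmds;
}

// Teardown mirrors setup on both stacks: unhook from OUTPUT, flush, delete.
function teardownChain(chain: string): string[] {
  const cmds: string[] = [];
  for (const { table } of FIREWALL_TABLES) {
    cmds.push(`${table} -D OUTPUT -j ${chain}`);
    cmds.push(`${table} -F ${chain}`);
    cmds.push(`${table} -X ${chain}`);
  }
  return cmds;
}

// Constructed getent output using documentation address ranges.
// v4only.example deliberately has no AAAA entry.
const GETENT_FIXTURES: Record<string, string> = {
  "ahostsv4:allowed.example": "203.0.113.10    STREAM allowed.example\n203.0.113.10    DGRAM  \n203.0.113.10    RAW    \n",
  "ahostsv6:allowed.example": "2001:db8::10    STREAM allowed.example\n2001:db8::10    DGRAM  \n2001:db8::10    RAW    \n",
  "ahostsv4:blocked.example": "203.0.113.20    STREAM blocked.example\n",
  "ahostsv6:blocked.example": "2001:db8::20    STREAM blocked.example\n",
  "ahostsv4:v4only.example": "203.0.113.30    STREAM v4only.example\n",
};
const fixtureResolver: Resolver = (db, host) => GETENT_FIXTURES[`${db}:${host}`] ?? "";

// Rules for one execution: two allowed hosts (one IPv4-only) and one denied host.
function exampleRules(): string[] {
  return buildChain("BAND-EXEC-1", ["allowed.example", "v4only.example"], ["blocked.example"], fixtureResolver);
}

console.log(exampleRules().concat(teardownChain("BAND-EXEC-1")).join("\n"));
```

The point worth checking in a review of any implementation like this is the IPv4-only host: its ip6tables chain contains no ACCEPT for it, and the only thing standing between that and an open IPv6 path is the unconditional REJECT at the end of the chain plus the OUTPUT hook, which is why both must be applied to ip6tables and not just iptables.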

Copilot AI linked an issue May 16, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Fix IPv6 traffic filtering in firewall setup Enforce network restrictions for IPv6 traffic May 16, 2026
Copilot AI requested a review from mrjf May 16, 2026 14:18
Copilot finished work on behalf of mrjf May 16, 2026 14:18
@mrjf mrjf marked this pull request as ready for review May 16, 2026 16:42
Owner

mrjf commented May 16, 2026

@copilot resolve the merge conflicts in this pull request

Contributor Author

Copilot AI commented May 16, 2026

> @copilot resolve the merge conflicts in this pull request

Resolved the merge conflicts in commit 180e39c and pushed the updated branch. I also updated the IPv6 security documentation in 3ff08b7.

Copilot finished work on behalf of mrjf May 16, 2026 16:46
Owner

mrjf commented May 17, 2026

@copilot fix ci

Contributor Author

Copilot AI commented May 17, 2026

> @copilot fix ci

Fixed in ae695c9 by serializing local Lima band server health/execution access across parallel agent test processes. Local validation passed: runtime unit tests, typecheck, and build.

Copilot finished work on behalf of mrjf May 17, 2026 00:50


Development

Successfully merging this pull request may close these issues.

IPv6 traffic is not filtered

2 participants