Description
Summary
The claude-code devcontainer feature (v1.0.5) bundles an init-firewall.sh script that is
outdated: it lacks the DNS NAT rule restoration logic that was added to the
official claude-code repository on July 29, 2025.
During the container build, this outdated script overwrites the correct one, and the
firewall setup then breaks as described under Impact.
Impact
When this feature is used in a docker-compose setup with a custom network,
the bundled init-firewall.sh breaks DNS resolution after it flushes iptables,
causing:
- Exit code 6 errors during container initialization
- Failed GitHub API fetches during firewall setup
- Inability to connect to external services
Expected Behavior
The feature should either:
- Not bundle init-firewall.sh at all OR
- Bundle the latest version from the official claude-code repository with DNS restoration support
Current Behavior
The feature bundles an old init-firewall.sh (119 lines, ~3843 bytes) that:
- Flushes all iptables NAT rules including Docker DNS rules
- Does NOT capture/restore Docker DNS NAT rules before flushing
- Breaks DNS resolution in docker-compose environments with custom networks
Latest official version (156 lines, ~5475 bytes):
- Captures Docker DNS NAT rules before flush
- Restores DNS NAT rules after flush
- Works correctly in all environments
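The capture-before-flush / restore-after-flush behaviour listed above, as an added example; this is not the feature's bundled script and not the upstream claude-code init-firewall.sh. It pulls Docker's embedded-DNS entries (the DOCKER_OUTPUT and DOCKER_POSTROUTING chains, the jumps into them from OUTPUT and POSTROUTING, and the DNAT/SNAT rules for the 127.0.0.11 resolver) out of iptables-save output before the nat table is flushed, then re-applies only those with iptables-restore --noflush. The iptables-save text is a constructed sample (the resolver ports are made up), and the api.github.com probe is an assumed post-restore check, chosen because curl's exit code 6 is its "could not resolve host" error, the symptom this issue reports. Only the filter runs offline; the apply function needs root inside a container where Docker's rules are present.

```shell
#!/bin/sh
# Added example; not the devcontainer feature's or claude-code's init-firewall.sh.
# Pattern: capture Docker's embedded-DNS NAT entries, flush, restore only those.

# Docker's embedded resolver for user-defined networks sits on 127.0.0.11 and is
# reached through two nat chains that DNAT port 53 to the daemon's real port.
DNS_CHAINS='DOCKER_OUTPUT|DOCKER_POSTROUTING'

# Reads "iptables-save -t nat" text on stdin and writes an iptables-restore
# fragment holding only the DNS entries: the two chain declarations, the
# OUTPUT/POSTROUTING jumps into them, and the DNAT/SNAT rules inside them.
# Docker's MASQUERADE and anything user-added are intentionally left out so
# the restore does not undo the firewall's own nat policy.
docker_dns_restore_fragment() {
    echo '*nat'
    grep -E "^:($DNS_CHAINS) |^-A ($DNS_CHAINS) |-j ($DNS_CHAINS)\$" || true
    echo 'COMMIT'
}

# Constructed sample of what iptables-save -t nat shows inside a compose
# container on a custom bridge network (ports 41093/55589 are invented).
SAMPLE_NAT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A POSTROUTING -s 172.20.0.0/16 ! -o br-example -j MASQUERADE
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:41093
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:55589
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 41093 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 55589 -j SNAT --to-source :53
COMMIT'

# Offline demonstration of the filter on the constructed sample.
demo_fragment() {
    printf '%s\n' "$SAMPLE_NAT_SAVE" | docker_dns_restore_fragment
}

# The sequence a firewall init script should follow. Needs root inside the
# container; APPLY=1 opts in so sourcing this file stays side-effect free.
apply_with_dns_preserved() {
    # 1. Capture before anything is flushed.
    saved=$(iptables-save -t nat | docker_dns_restore_fragment)

    # 2. The flush the bundled script already performs; on its own this is
    #    what severs DNS on custom networks.
    iptables -t nat -F
    iptables -t nat -X

    # ... the firewall's own allow-list rules would be installed here ...

    # 3. Put back only the DNS entries. --noflush appends to the live table
    #    instead of replacing it, so the allow-list rules installed above survive.
    printf '%s\n' "$saved" | iptables-restore --noflush

    # 4. Probe that names resolve again (assumed check; curl exit 6 is
    #    "could not resolve host", the symptom from the issue).
    rc=0
    curl -sS --max-time 10 https://api.github.com/meta >/dev/null || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "DNS still broken after restore (curl exit $rc)" >&2
        return 1
    fi
    echo "Docker DNS NAT rules restored; name resolution OK"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_with_dns_preserved
else
    demo_fragment
fi
```

Run without arguments to see the fragment the filter produces from the sample; run as root with APPLY=1 inside a container to execute the capture/flush/restore sequence. Restoring via iptables-restore rather than replaying individual `iptables -A` lines keeps the chain declarations and rules together in one atomic commit, and `--noflush` is what prevents the restore from wiping the firewall rules installed between the flush and the restore.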
Evidence
Feature contains old version:
# Inside the container, after feature installation
$ wc -l /tmp/jb-devcontainer-features/ghcr.io-anthropics-devcontainer-features-claude-code-1/init-firewall.sh
119
Official repo has updated version:
- Commit: "feat: Add Docker DNS protection to firewall script" (July 29, 2025)
- https://github.com/anthropics/claude-code/blob/main/.devcontainer/init-firewall.sh
Reproduction Steps
- Create docker-compose devcontainer with custom network
- Add "ghcr.io/anthropics/devcontainer-features/claude-code:1" to features
- Try to initialize firewall during postStartCommand
- Observe DNS failure with exit code 6
Environment
- Feature version: 1.0.5
- Container runtime: Docker Desktop
- Setup: docker-compose with custom bridge network
Documentation Issue
The feature's README doesn't mention that it includes or installs init-firewall.sh. Users
expect it to only install the Claude Code CLI (as stated in the description: "Installs the
Claude Code CLI globally").
Questions
- Is bundling init-firewall.sh intentional?
- If yes, can it be updated to match the latest from claude-code repo?
- If no, should it be removed from the feature package?
Workaround
We're currently using onCreateCommand to override the stale version:
"onCreateCommand": "sudo cp /workspace/.devcontainer/scripts/init-firewall.sh /usr/local/bin/init-firewall.sh"