change firewall to network, save config in db

Author: dobrac

packages/api/internal/api/spec.gen.go

@@ -13,9 +13,9 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
-	"github.com/e2b-dev/infra/packages/api/internal/db/types"
-	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	typesteam "github.com/e2b-dev/infra/packages/api/internal/db/types"
 	"github.com/e2b-dev/infra/packages/db/queries"
+	"github.com/e2b-dev/infra/packages/db/types"
 	sbxlogger "github.com/e2b-dev/infra/packages/shared/pkg/logger/sandbox"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
 )
@@ -29,7 +29,7 @@ func (a *APIStore) startSandbox(
 	envVars map[string]string,
 	metadata map[string]string,
 	alias string,
-	team *types.Team,
+	team *typesteam.Team,
 	build queries.EnvBuild,
 	requestHeader *http.Header,
 	isResume bool,
@@ -38,15 +38,12 @@ func (a *APIStore) startSandbox(
 	autoPause bool,
 	envdAccessToken *string,
 	allowInternetAccess *bool,
-	firewall *api.SandboxFirewallConfig,
+	network *types.SandboxNetworkConfig,
 	mcp api.Mcp,
 ) (*api.Sandbox, *api.APIError) {
 	startTime := time.Now()
 	endTime := startTime.Add(timeout)
 
-	// Convert API firewall config to orchestrator firewall config
-	orchFirewall := utils.APIToOrchestratorFirewall(firewall)
-
 	// Unique ID for the execution (from start/resume to stop/pause)
 	executionID := uuid.New().String()
 	sandbox, instanceErr := a.orchestrator.CreateSandbox(
@@ -67,7 +64,7 @@ func (a *APIStore) startSandbox(
 		autoPause,
 		envdAccessToken,
 		allowInternetAccess,
-		orchFirewall,
+		network,
 	)
 	if instanceErr != nil {
 		telemetry.ReportError(ctx, "error when creating instance", instanceErr.Err)

packages/api/internal/api/types.gen.go

@@ -154,8 +154,8 @@ func (a *APIStore) PostSandboxesSandboxIDConnect(c *gin.Context, sandboxID api.S
 		autoPause,
 		envdAccessToken,
 		snap.AllowInternetAccess,
-		utils.DBToAPIFirewall(&snap.Firewall), // firewall config from snapshot
-		nil,                                   // mcp
+		snap.Config.Network,
+		nil, // mcp
 	)
 	if createErr != nil {
 		zap.L().Error("Failed to resume sandbox", zap.Error(createErr.Err))

packages/api/internal/handlers/sandbox.go

@@ -13,10 +13,11 @@ import (
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
 	"github.com/e2b-dev/infra/packages/api/internal/auth"
-	"github.com/e2b-dev/infra/packages/api/internal/db/types"
+	typesteam "github.com/e2b-dev/infra/packages/api/internal/db/types"
 	"github.com/e2b-dev/infra/packages/api/internal/middleware/otel/metrics"
 	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	"github.com/e2b-dev/infra/packages/db/types"
 	"github.com/e2b-dev/infra/packages/shared/pkg/id"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 	sbxlogger "github.com/e2b-dev/infra/packages/shared/pkg/logger/sandbox"
@@ -43,7 +44,7 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 	ctx := c.Request.Context()
 
 	// Get team from context, use TeamContextKey
-	teamInfo := c.Value(auth.TeamContextKey).(*types.Team)
+	teamInfo := c.Value(auth.TeamContextKey).(*typesteam.Team)
 
 	c.Set("teamID", teamInfo.Team.ID.String())
 
@@ -156,7 +157,16 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 	}
 
 	allowInternetAccess := body.AllowInternetAccess
-	firewall := body.Firewall
+
+	var network *types.SandboxNetworkConfig
+	if body.Network != nil {
+		network = &types.SandboxNetworkConfig{
+			Egress: &types.SandboxNetworkEgressConfig{
+				AllowedAddresses: sharedUtils.DerefOrDefault(body.Network.AllowOut, nil),
+				BlockedAddresses: sharedUtils.DerefOrDefault(body.Network.BlockOut, nil),
+			},
+		}
+	}
 
 	sbx, createErr := a.startSandbox(
 		ctx,
@@ -174,7 +184,7 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 		autoPause,
 		envdAccessToken,
 		allowInternetAccess,
-		firewall,
+		network,
 		mcp,
 	)
 	if createErr != nil {

packages/api/internal/handlers/sandbox_connect.go

@@ -153,8 +153,8 @@ func (a *APIStore) PostSandboxesSandboxIDResume(c *gin.Context, sandboxID api.Sa
 		autoPause,
 		envdAccessToken,
 		snap.AllowInternetAccess,
-		utils.DBToAPIFirewall(&snap.Firewall), // firewall config from snapshot
-		nil,                                   // mcp
+		snap.Config.Network,
+		nil, // mcp
 	)
 	if createErr != nil {
 		zap.L().Error("Failed to resume sandbox", zap.Error(createErr.Err))

packages/api/internal/handlers/sandbox_create.go

@@ -13,25 +13,52 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
-	"github.com/e2b-dev/infra/packages/api/internal/db/types"
+	teamtypes "github.com/e2b-dev/infra/packages/api/internal/db/types"
 	"github.com/e2b-dev/infra/packages/api/internal/orchestrator/nodemanager"
 	"github.com/e2b-dev/infra/packages/api/internal/orchestrator/placement"
 	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
 	"github.com/e2b-dev/infra/packages/db/queries"
+	"github.com/e2b-dev/infra/packages/db/types"
 	"github.com/e2b-dev/infra/packages/shared/pkg/consts"
 	"github.com/e2b-dev/infra/packages/shared/pkg/grpc/orchestrator"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
 	ut "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
+// buildNetworkConfig constructs the orchestrator network configuration from the input parameters
+func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess *bool) *orchestrator.SandboxNetworkConfig {
+	orchNetwork := &orchestrator.SandboxNetworkConfig{
+		Egress: &orchestrator.SandboxNetworkEgressConfig{},
+	}
+
+	// Copy network configuration if provided
+	if network != nil && network.Egress != nil {
+		if len(network.Egress.AllowedAddresses) > 0 {
+			orchNetwork.Egress.AllowedAddresses = network.Egress.AllowedAddresses
+		}
+		if len(network.Egress.BlockedAddresses) > 0 {
+			orchNetwork.Egress.BlockedAddresses = network.Egress.BlockedAddresses
+		}
+	}
+
+	// Handle the case where internet access is explicitly disabled
+	// This should be applied after copying the network config to preserve allowed addresses
+	if allowInternetAccess != nil && !*allowInternetAccess {
+		// Block all internet access - this overrides any other blocked addresses
+		orchNetwork.Egress.BlockedAddresses = []string{"0.0.0.0/0"}
+	}
+
+	return orchNetwork
+}
+
 func (o *Orchestrator) CreateSandbox(
 	ctx context.Context,
 	sandboxID,
 	executionID,
 	alias string,
-	team *types.Team,
+	team *teamtypes.Team,
 	build queries.EnvBuild,
 	metadata map[string]string,
 	envVars map[string]string,
@@ -44,7 +71,7 @@ func (o *Orchestrator) CreateSandbox(
 	autoPause bool,
 	envdAuthToken *string,
 	allowInternetAccess *bool,
-	firewall *orchestrator.SandboxFirewallConfig,
+	network *types.SandboxNetworkConfig,
 ) (sbx sandbox.Sandbox, apiErr *api.APIError) {
 	ctx, childSpan := tracer.Start(ctx, "create-sandbox")
 	defer childSpan.End()
@@ -139,10 +166,7 @@ func (o *Orchestrator) CreateSandbox(
 		sbxDomain = cluster.SandboxDomain
 	}
 
-	if allowInternetAccess != nil && !*allowInternetAccess {
-		firewall.Egress = firewall.GetEgress()
-		firewall.Egress.BlockedCidrs = []string{"0.0.0.0/0"}
-	}
+	orchNetwork := buildNetworkConfig(network, allowInternetAccess)
 
 	sbxRequest := &orchestrator.SandboxCreateRequest{
 		Sandbox: &orchestrator.SandboxConfig{
@@ -166,7 +190,7 @@ func (o *Orchestrator) CreateSandbox(
 			Snapshot:            isResume,
 			AutoPause:           autoPause,
 			AllowInternetAccess: allowInternetAccess,
-			Firewall:            firewall,
+			Network:             orchNetwork,
 			TotalDiskSizeMb:     ut.FromPtr(build.TotalDiskSizeMb),
 		},
 		StartTime: timestamppb.New(startTime),
@@ -244,7 +268,7 @@ func (o *Orchestrator) CreateSandbox(
 		allowInternetAccess,
 		baseTemplateID,
 		sbxDomain,
-		utils.OrchestratorToDBFirewall(firewall),
+		network,
 	)
 
 	o.sandboxStore.Add(ctx, sbx, true)

packages/api/internal/handlers/sandbox_resume.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	"github.com/e2b-dev/infra/packages/db/types"
 	"github.com/e2b-dev/infra/packages/shared/pkg/consts"
 )
 
@@ -46,6 +47,13 @@ func (n *Node) GetSandboxes(ctx context.Context) ([]sandbox.Sandbox, error) {
 			return nil, fmt.Errorf("failed to parse build ID '%s' for job: %w", config.GetBuildId(), parseErr)
 		}
 
+		network := &types.SandboxNetworkConfig{
+			Egress: &types.SandboxNetworkEgressConfig{
+				AllowedAddresses: config.GetNetwork().GetEgress().GetAllowedAddresses(),
+				BlockedAddresses: config.GetNetwork().GetEgress().GetBlockedAddresses(),
+			},
+		}
+
 		sandboxesInfo = append(
 			sandboxesInfo,
 			sandbox.NewSandbox(
@@ -73,7 +81,7 @@ func (n *Node) GetSandboxes(ctx context.Context) ([]sandbox.Sandbox, error) {
 				config.AllowInternetAccess, //nolint:protogetter // we need the nil check too
 				config.GetBaseTemplateId(),
 				n.SandboxDomain,
-				utils.OrchestratorToDBFirewall(config.GetFirewall()),
+				network,
 			),
 		)
 	}

packages/api/internal/orchestrator/create_instance.go

@@ -43,7 +43,10 @@ func (o *Orchestrator) pauseSandbox(ctx context.Context, node *nodemanager.Node,
 		EnvdSecured:         sbx.EnvdAccessToken != nil,
 		AllowInternetAccess: sbx.AllowInternetAccess,
 		AutoPause:           sbx.AutoPause,
-		Firewall:            sbx.Firewall,
+		Config: &types.PausedSandboxConfig{
+			Version: types.PausedSandboxConfigVersion,
+			Network: sbx.Network,
+		},
 	}
 
 	envBuild, err := o.dbClient.NewSnapshotBuild(

packages/api/internal/orchestrator/nodemanager/sandboxes.go

@@ -35,7 +35,7 @@ func NewSandbox(
 	allowInternetAccess *bool,
 	baseTemplateID string,
 	domain *string,
-	firewall *types.SandboxFirewallConfig,
+	network *types.SandboxNetworkConfig,
 ) Sandbox {
 	return Sandbox{
 		SandboxID:  sandboxID,
@@ -64,7 +64,7 @@ func NewSandbox(
 		AutoPause:           autoPause,
 		State:               StateRunning,
 		BaseTemplateID:      baseTemplateID,
-		Firewall:            firewall,
+		Network:             network,
 	}
 }
 
@@ -94,7 +94,7 @@ type Sandbox struct {
 	NodeID              string
 	ClusterID           uuid.UUID
 	AutoPause           bool
-	Firewall            *types.SandboxFirewallConfig
+	Network             *types.SandboxNetworkConfig
 
 	State State
 }