rename block to deny, use CIDR in the orchestrator

Author: dobrac

packages/api/internal/api/spec.gen.go

@@ -163,7 +163,7 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 		network = &types.SandboxNetworkConfig{
 			Egress: &types.SandboxNetworkEgressConfig{
 				AllowedAddresses: sharedUtils.DerefOrDefault(body.Network.AllowOut, nil),
-				BlockedAddresses: sharedUtils.DerefOrDefault(body.Network.BlockOut, nil),
+				DeniedAddresses:  sharedUtils.DerefOrDefault(body.Network.DenyOut, nil),
 			},
 		}
 	}

packages/api/internal/api/types.gen.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"go.opentelemetry.io/otel/attribute"
@@ -27,7 +28,21 @@ import (
 	ut "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
-const internetBlockAddress = "0.0.0.0/0"
+const internetBlockCIDR = "0.0.0.0/0"
+
+// Convert a list of string addresses to the SetData type
+func addressStringsToCIDRs(addressStrings []string) []string {
+	data := make([]string, 0, len(addressStrings))
+
+	for _, addressString := range addressStrings {
+		if !strings.Contains(addressString, "/") {
+			addressString = addressString + "/32"
+		}
+		data = append(data, addressString)
+	}
+
+	return data
+}
 
 // buildNetworkConfig constructs the orchestrator network configuration from the input parameters
 func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess *bool) *orchestrator.SandboxNetworkConfig {
@@ -37,15 +52,15 @@ func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess
 
 	// Copy network configuration if provided
 	if network != nil && network.Egress != nil {
-		orchNetwork.Egress.AllowedAddresses = network.Egress.AllowedAddresses
-		orchNetwork.Egress.BlockedAddresses = network.Egress.BlockedAddresses
+		orchNetwork.Egress.AllowedCidrs = addressStringsToCIDRs(network.Egress.AllowedAddresses)
+		orchNetwork.Egress.DeniedCidrs = addressStringsToCIDRs(network.Egress.DeniedAddresses)
 	}
 
 	// Handle the case where internet access is explicitly disabled
 	// This should be applied after copying the network config to preserve allowed addresses
 	if allowInternetAccess != nil && !*allowInternetAccess {
 		// Block all internet access - this overrides any other blocked addresses
-		orchNetwork.Egress.BlockedAddresses = []string{internetBlockAddress}
+		orchNetwork.Egress.DeniedCidrs = []string{internetBlockCIDR}
 	}
 
 	return orchNetwork
@@ -164,7 +179,7 @@ func (o *Orchestrator) CreateSandbox(
 		sbxDomain = cluster.SandboxDomain
 	}
 
-	orchNetwork := buildNetworkConfig(network, allowInternetAccess)
+	sbxNetwork := buildNetworkConfig(network, allowInternetAccess)
 
 	sbxRequest := &orchestrator.SandboxCreateRequest{
 		Sandbox: &orchestrator.SandboxConfig{
@@ -188,7 +203,7 @@ func (o *Orchestrator) CreateSandbox(
 			Snapshot:            isResume,
 			AutoPause:           autoPause,
 			AllowInternetAccess: allowInternetAccess,
-			Network:             orchNetwork,
+			Network:             sbxNetwork,
 			TotalDiskSizeMb:     ut.FromPtr(build.TotalDiskSizeMb),
 		},
 		StartTime: timestamppb.New(startTime),

packages/api/internal/handlers/sandbox_create.go

@@ -49,8 +49,8 @@ func (n *Node) GetSandboxes(ctx context.Context) ([]sandbox.Sandbox, error) {
 
 		network := &types.SandboxNetworkConfig{
 			Egress: &types.SandboxNetworkEgressConfig{
-				AllowedAddresses: config.GetNetwork().GetEgress().GetAllowedAddresses(),
-				BlockedAddresses: config.GetNetwork().GetEgress().GetBlockedAddresses(),
+				AllowedAddresses: config.GetNetwork().GetEgress().GetAllowedCidrs(),
+				DeniedAddresses:  config.GetNetwork().GetEgress().GetDeniedCidrs(),
 			},
 		}
 

packages/api/internal/orchestrator/create_instance.go

@@ -14,7 +14,7 @@ const PausedSandboxConfigVersion = "v1"
 
 type SandboxNetworkEgressConfig struct {
 	AllowedAddresses []string `json:"allowedAddresses,omitempty"`
-	BlockedAddresses []string `json:"blockedAddresses,omitempty"`
+	DeniedAddresses  []string `json:"deniedAddresses,omitempty"`
 }
 
 type SandboxNetworkConfig struct {

packages/api/internal/orchestrator/nodemanager/sandboxes.go

@@ -150,16 +150,16 @@ func (fw *Firewall) installRules() error {
 	return nil
 }
 
-// AddBlockedIP adds a single CIDR to the block set at runtime.
-func (fw *Firewall) AddBlockedIP(address string) error {
+// AddDeniedCIDR adds a single CIDR to the block set at runtime.
+func (fw *Firewall) AddDeniedCIDR(cidr string) error {
 	if fw.blockInternetTraffic {
 		// If internet is blocked, we don't need to add any other addresses to the block set.
 		// Because 0.0.0.0/0 is not valid IP per GoLang, we can't add new addresses to the block set.
 		return nil
 	}
 
 	// 0.0.0.0/0 is not valid IP per GoLang, so we handle it as a special case
-	if address == allInternetTrafficAddress {
+	if cidr == allInternetTrafficAddress {
 		fw.blockInternetTraffic = true
 
 		fw.conn.FlushSet(fw.blockSet.Set())
@@ -181,7 +181,7 @@ func (fw *Firewall) AddBlockedIP(address string) error {
 			return err
 		}
 
-		data, err := set.AddressStringsToSetData([]string{address})
+		data, err := set.AddressStringsToSetData([]string{cidr})
 		if err != nil {
 			return err
 		}
@@ -199,19 +199,19 @@ func (fw *Firewall) AddBlockedIP(address string) error {
 	return nil
 }
 
-// AddAllowedIP adds a single CIDR to the allow set at runtime.
-func (fw *Firewall) AddAllowedIP(address string) error {
-	if address == allInternetTrafficAddress {
+// AddAllowedCIDR adds a single CIDR to the allow set at runtime.
+func (fw *Firewall) AddAllowedCIDR(cidr string) error {
+	if cidr == allInternetTrafficAddress {
 		// Internet is enabled by default.
 		return nil
 	}
 
-	err := canAllowAddress(address)
+	err := canAllowCIDR(cidr)
 	if err != nil {
 		return err
 	}
 
-	data, err := set.AddressStringsToSetData([]string{address})
+	data, err := set.AddressStringsToSetData([]string{cidr})
 	if err != nil {
 		return err
 	}
@@ -268,34 +268,25 @@ func (fw *Firewall) ResetAllowedCustom() error {
 	return fw.conn.Flush()
 }
 
-// canAllowAddress checks if the address is in the default blocked ranges.
-func canAllowAddress(address string) error {
+// canAllowCIDR checks if the address is in the default blocked ranges.
+func canAllowCIDR(cidr string) error {
 	blockedData, err := set.AddressStringsToSetData(blockedRanges)
 	if err != nil {
 		return err
 	}
 
-	addressData, err := set.AddressStringsToSetData([]string{address})
+	addressData, err := set.AddressStringsToSetData([]string{cidr})
 	if err != nil {
 		return err
 	}
 
 	if len(addressData) == 0 {
-		return fmt.Errorf("address %s is not a valid IP address", address)
-	}
-
-	// Convert single IP address to prefix for comparison
-	var addressPrefix netip.Prefix
-	if !addressData[0].Prefix.IsValid() {
-		// If it's a single IP (not a CIDR), convert it to a /32 or /128 prefix
-		addressPrefix = netip.PrefixFrom(addressData[0].Address, addressData[0].Address.BitLen())
-	} else {
-		addressPrefix = addressData[0].Prefix
+		return fmt.Errorf("address %s is not a valid IP address", cidr)
 	}
 
 	for _, blockedRange := range blockedData {
-		if blockedRange.Prefix.Overlaps(addressPrefix) {
-			return fmt.Errorf("address %s is blocked by the provider and cannot be added to the allow list", address)
+		if blockedRange.Prefix.Overlaps(addressData[0].Prefix) {
+			return fmt.Errorf("address %s is blocked by the provider and cannot be added to the allow list", cidr)
 		}
 	}
 

packages/db/types/types.go

@@ -42,19 +42,19 @@ func TestCanAllowAddress_PrivateRangesBlocked(t *testing.T) {
 		},
 		{
 			name:      "specific_ip_in_10.0.0.0/8",
-			address:   "10.1.2.3",
+			address:   "10.1.2.3/32",
 			shouldErr: true,
 			desc:      "specific IP in 10.0.0.0/8 range should be blocked",
 		},
 		{
 			name:      "specific_ip_in_192.168.0.0/16",
-			address:   "192.168.1.1",
+			address:   "192.168.1.1/32",
 			shouldErr: true,
 			desc:      "specific IP in 192.168.0.0/16 range should be blocked",
 		},
 		{
 			name:      "specific_ip_in_172.16.0.0/12",
-			address:   "172.16.0.1",
+			address:   "172.16.0.1/32",
 			shouldErr: true,
 			desc:      "specific IP in 172.16.0.0/12 range should be blocked",
 		},
@@ -66,13 +66,13 @@ func TestCanAllowAddress_PrivateRangesBlocked(t *testing.T) {
 		},
 		{
 			name:      "public_ip_8.8.8.8",
-			address:   "8.8.8.8",
+			address:   "8.8.8.8/32",
 			shouldErr: false,
 			desc:      "public IP should be allowed",
 		},
 		{
 			name:      "public_ip_1.1.1.1",
-			address:   "1.1.1.1",
+			address:   "1.1.1.1/32",
 			shouldErr: false,
 			desc:      "public IP should be allowed",
 		},
@@ -86,7 +86,7 @@ func TestCanAllowAddress_PrivateRangesBlocked(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			err := canAllowAddress(tc.address)
+			err := canAllowCIDR(tc.address)
 			if tc.shouldErr {
 				require.Error(t, err, tc.desc)
 				require.Contains(t, err.Error(), "blocked by the provider", "Error message should indicate provider blocking")
@@ -123,7 +123,7 @@ func TestCanAllowAddress_InvalidAddresses(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			err := canAllowAddress(tc.address)
+			err := canAllowCIDR(tc.address)
 			require.Error(t, err, tc.desc)
 		})
 	}

packages/orchestrator/internal/sandbox/network/firewall.go

@@ -255,7 +255,7 @@ func (s *Slot) ConfigureInternet(ctx context.Context, network *orchestrator.Sand
 	))
 	defer span.End()
 
-	if network == nil || len(network.GetEgress().GetAllowedAddresses()) == 0 && len(network.GetEgress().GetBlockedAddresses()) == 0 {
+	if e := network.GetEgress(); len(e.GetAllowedCidrs()) == 0 && len(e.GetDeniedCidrs()) == 0 {
 		// Internet access is allowed by default.
 		return nil
 	}
@@ -269,15 +269,15 @@ func (s *Slot) ConfigureInternet(ctx context.Context, network *orchestrator.Sand
 	defer n.Close()
 
 	err = n.Do(func(_ ns.NetNS) error {
-		for _, address := range network.GetEgress().GetAllowedAddresses() {
-			err = s.Firewall.AddAllowedIP(address)
+		for _, cidr := range network.GetEgress().GetAllowedCidrs() {
+			err = s.Firewall.AddAllowedCIDR(cidr)
 			if err != nil {
 				return fmt.Errorf("error setting firewall rules: %w", err)
 			}
 		}
 
-		for _, address := range network.GetEgress().GetBlockedAddresses() {
-			err = s.Firewall.AddBlockedIP(address)
+		for _, cidr := range network.GetEgress().GetDeniedCidrs() {
+			err = s.Firewall.AddDeniedCIDR(cidr)
 			if err != nil {
 				return fmt.Errorf("error setting firewall rules: %w", err)
 			}

packages/orchestrator/internal/sandbox/network/firewall_test.go

@@ -35,7 +35,7 @@ const (
 	requestTimeout              = 60 * time.Second
 	maxStartingInstancesPerNode = 3
 
-	internetBlockAddress = "0.0.0.0/0"
+	internetBlockCIDR = "0.0.0.0/0"
 )
 
 func (s *Server) Create(ctx context.Context, req *orchestrator.SandboxCreateRequest) (*orchestrator.SandboxCreateResponse, error) {
@@ -106,6 +106,7 @@ func (s *Server) Create(ctx context.Context, req *orchestrator.SandboxCreateRequ
 	network := proto.CloneOf(req.GetSandbox().GetNetwork())
 
 	// TODO: Temporarily set this based on global config, should be removed later
+	// https://linear.app/e2b/issue/ENG-3291
 	//  (it should be passed network config from API)
 	allowInternet := s.config.AllowSandboxInternet
 	if req.GetSandbox().AllowInternetAccess != nil {
@@ -118,7 +119,7 @@ func (s *Server) Create(ctx context.Context, req *orchestrator.SandboxCreateRequ
 		if network.GetEgress() == nil {
 			network.Egress = &orchestrator.SandboxNetworkEgressConfig{}
 		}
-		network.Egress.BlockedAddresses = []string{internetBlockAddress}
+		network.Egress.DeniedCidrs = []string{internetBlockCIDR}
 	}
 
 	sbx, err := s.sandboxFactory.ResumeSandbox(