fix PR comments

Author: dobrac

packages/orchestrator/go.mod

@@ -31,6 +31,7 @@ require (
 	github.com/gin-contrib/size v1.0.2
 	github.com/gin-gonic/gin v1.10.1
 	github.com/go-openapi/strfmt v0.23.0
+	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-containerregistry v0.20.6
 	github.com/google/nftables v0.3.0
 	github.com/google/uuid v1.6.0
@@ -152,7 +153,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.26.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect

packages/orchestrator/internal/sandbox/network/firewall.go

@@ -2,7 +2,6 @@ package network
 
 import (
 	"fmt"
-	"net"
 	"net/netip"
 
 	"github.com/google/nftables"
@@ -207,8 +206,9 @@ func (fw *Firewall) AddAllowedIP(address string) error {
 		return nil
 	}
 
-	if isAddressInBlockedRanges(address) {
-		return fmt.Errorf("address %s is blocked by the provider and cannot be added to the allow list", address)
+	err := canAllowAddress(address)
+	if err != nil {
+		return err
 	}
 
 	data, err := set.AddressStringsToSetData([]string{address})
@@ -261,20 +261,34 @@ func (fw *Firewall) ResetBlockedCustom() error {
 
 // ResetAllowedCustom resets allow set back to original ranges.
 func (fw *Firewall) ResetAllowedCustom() error {
-	return nil
+	if err := fw.allowSet.ClearAndAddElements(fw.conn, nil); err != nil {
+		return err
+	}
+
+	return fw.conn.Flush()
 }
 
-// isAddressInBlockedRanges checks if the address is in the default blocked ranges.
-func isAddressInBlockedRanges(address string) bool {
-	for _, blockedRange := range blockedRanges {
-		_, blockedRangeNet, err := net.ParseCIDR(blockedRange)
-		if err != nil {
-			return false
-		}
-		if blockedRangeNet.Contains(net.ParseIP(address)) {
-			return true
+// canAllowAddress checks if the address is in the default blocked ranges.
+func canAllowAddress(address string) error {
+	blockedData, err := set.AddressStringsToSetData(blockedRanges)
+	if err != nil {
+		return err
+	}
+
+	addressPrefix, err := set.AddressStringsToSetData([]string{address})
+	if err != nil {
+		return err
+	}
+
+	if len(addressPrefix) == 0 {
+		return fmt.Errorf("address %s is not a valid IP address", address)
+	}
+
+	for _, blockedRange := range blockedData {
+		if blockedRange.Prefix.Overlaps(addressPrefix[0].Prefix) {
+			return fmt.Errorf("address %s is blocked by the provider and cannot be added to the allow list", address)
 		}
 	}
 
-	return false
+	return nil
 }

packages/orchestrator/internal/server/sandboxes.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/gogo/protobuf/proto"
 	"github.com/google/uuid"
 	"github.com/launchdarkly/go-sdk-common/v3/ldcontext"
 	"go.opentelemetry.io/otel"
@@ -101,7 +102,11 @@ func (s *Server) Create(ctx context.Context, req *orchestrator.SandboxCreateRequ
 		return nil, fmt.Errorf("failed to get template snapshot data: %w", err)
 	}
 
-	network := req.GetSandbox().GetNetwork()
+	// Clone the network config to avoid modifying the original request
+	network := &orchestrator.SandboxNetworkConfig{}
+	if req.GetSandbox().GetNetwork() != nil {
+		network = proto.Clone(req.GetSandbox().GetNetwork()).(*orchestrator.SandboxNetworkConfig)
+	}
 
 	// TODO: Temporarily set this based on global config, should be removed later
 	//  (it should be passed network config from API)
@@ -110,7 +115,9 @@ func (s *Server) Create(ctx context.Context, req *orchestrator.SandboxCreateRequ
 		allowInternet = req.GetSandbox().GetAllowInternetAccess()
 	}
 	if !allowInternet {
-		network.Egress = network.GetEgress()
+		if network.GetEgress() == nil {
+			network.Egress = &orchestrator.SandboxNetworkEgressConfig{}
+		}
 		network.Egress.BlockedAddresses = []string{internetBlockAddress}
 	}
 
@@ -125,7 +132,7 @@ func (s *Server) Create(ctx context.Context, req *orchestrator.SandboxCreateRequ
 			TotalDiskSizeMB: req.GetSandbox().GetTotalDiskSizeMb(),
 			HugePages:       req.GetSandbox().GetHugePages(),
 
-			Network: req.GetSandbox().GetNetwork(),
+			Network: network,
 
 			Envd: sandbox.EnvdMetadata{
 				Version:     req.GetSandbox().GetEnvdVersion(),