@dobrac dobrac commented Nov 13, 2025

Note

Centralizes sandbox network helpers, refactors firewall to predefined/user allow/deny sets with 0.0.0.0/0 handling, validates maskRequestHost, and returns slots on network config failure with expanded integration tests and deps updates.

  • API:
    • Validate network.maskRequestHost (IDNA/ASCII, optional port) and surface clear 400 errors.
    • Build network config using shared helpers; use AllInternetTrafficCIDR when allowInternetAccess=false.
    • Replace secure token error logging with telemetry.
  • Orchestrator:
    • Return network slot to pool when internet configuration fails in Pool.Get.
    • Refactor firewall:
      • Separate predefined allow/deny vs user allow/deny sets; enforce rule order (allow→deny).
      • Reset functions renamed to ResetAllSets, ResetAllowedSets, ResetDeniedSets.
      • Proper handling of 0.0.0.0/0 and incremental set updates.
    • Use shared CIDR conversion and AllInternetTrafficCIDR in server create path and instance builder.
  • Shared:
    • New sandbox-network package with AllInternetTrafficCIDR, default denied ranges, and address→CIDR helpers.
  • Tests:
    • Add/extend egress firewall integration tests (allow/block IPs & CIDRs, precedence, persistence, 0.0.0.0/0 cases).
    • Add unit tests for CIDR helper; remove obsolete firewall allow validation test.
  • Dependencies:
    • Add/update networking and logging libs (e.g., ngrok/firewall_toolkit, google/nftables, mdlayher/*, zerolog) in api/shared modules.

Written by Cursor Bugbot for commit 73a2bd2. This will update automatically on new commits.

@dobrac dobrac added the bug label Nov 13, 2025
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

@dobrac dobrac force-pushed the fix-slot-return-on-network-fail-and-improve-network-validation branch 2 times, most recently from 2f85109 to ebe407f Compare November 13, 2025 19:41
@dobrac dobrac force-pushed the fix-slot-return-on-network-fail-and-improve-network-validation branch from ebe407f to 453c7ae Compare November 13, 2025 19:45
@dobrac dobrac assigned jakubno and unassigned sitole Nov 13, 2025
@dobrac dobrac force-pushed the fix-slot-return-on-network-fail-and-improve-network-validation branch from f4ca868 to 1d4ecd2 Compare November 13, 2025 21:29
@dobrac dobrac force-pushed the fix-slot-return-on-network-fail-and-improve-network-validation branch 3 times, most recently from 6111213 to 1f9e84e Compare November 14, 2025 09:45
@dobrac dobrac force-pushed the fix-slot-return-on-network-fail-and-improve-network-validation branch from 1f9e84e to 2b23561 Compare November 14, 2025 09:46
@dobrac dobrac requested a review from jakubno November 14, 2025 09:55
@dobrac dobrac force-pushed the fix-slot-return-on-network-fail-and-improve-network-validation branch from 083a4a8 to 4338833 Compare November 14, 2025 13:22
@cursor cursor bot left a comment

Bug: Premature Flag Corrupts Firewall State

The firewallCustomRules flag is set to true before the firewall configuration is actually applied. If any error occurs after setting the flag (such as failing to get the network namespace or failing to add firewall rules), the function returns an error but leaves the flag set to true. When the slot is later returned to the pool and ResetInternet is called, it will attempt to reset firewall rules that were never successfully applied, potentially causing firewall state corruption or unexpected behavior.

packages/orchestrator/internal/sandbox/network/slot.go#L262-L290

```go
s.firewallCustomRules.Store(true)
n, err := ns.GetNS(filepath.Join(netNamespacesDir, s.NamespaceID()))
if err != nil {
	return fmt.Errorf("failed to get slot network namespace '%s': %w", s.NamespaceID(), err)
}
defer n.Close()
err = n.Do(func(_ ns.NetNS) error {
	for _, cidr := range network.GetEgress().GetAllowedCidrs() {
		err = s.Firewall.AddAllowedCIDR(cidr)
		if err != nil {
			return fmt.Errorf("error setting firewall rules: %w", err)
		}
	}
	for _, cidr := range network.GetEgress().GetDeniedCidrs() {
		err = s.Firewall.AddDeniedCIDR(cidr)
		if err != nil {
			return fmt.Errorf("error setting firewall rules: %w", err)
		}
	}
	return nil
})
if err != nil {
	return fmt.Errorf("failed execution in network namespace '%s': %w", s.NamespaceID(), err)
}
```

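Added example, not code from this PR or from the review comment: one way to keep the custom-rules flag and the firewall sets in agreement, combined with the summary's point about returning the slot to the pool when configuration fails. The `slot` and `pool` types, their methods, and the use of `netip.ParsePrefix` as the fallible step in place of the real `AddAllowedCIDR`/`AddDeniedCIDR` calls are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync/atomic"
)

// slot and pool are hypothetical stand-ins for the orchestrator's Slot and Pool.
type slot struct {
	sets        [2][]netip.Prefix // [0] user-allowed, [1] user-denied
	customRules atomic.Bool       // true only once every rule is applied
}

// configure adds allow rules, then deny rules. On failure it rolls back the
// partial sets and leaves the flag false, so flag and rules never disagree.
func (s *slot) configure(allow, deny []string) error {
	for i, cidrs := range [][]string{allow, deny} {
		for _, c := range cidrs {
			p, err := netip.ParsePrefix(c) // assumed stand-in for AddAllowedCIDR/AddDeniedCIDR
			if err != nil {
				s.sets = [2][]netip.Prefix{} // no stale rules on a recycled slot
				return fmt.Errorf("error setting firewall rules: %w", err)
			}
			s.sets[i] = append(s.sets[i], p)
		}
	}
	s.customRules.Store(true) // set last, after the final rule succeeded
	return nil
}

type pool struct{ free chan *slot }

// get hands out a configured slot and puts it back if configuration fails.
func (p *pool) get(allow, deny []string) (*slot, error) {
	s := <-p.free
	if err := s.configure(allow, deny); err != nil {
		p.free <- s // return the slot to the pool instead of leaking it
		return nil, err
	}
	return s, nil
}

func main() {
	p := &pool{free: make(chan *slot, 1)}
	p.free <- &slot{}
	_, err := p.get([]string{"10.0.0.0/8", "not-a-cidr"}, nil) // constructed input
	fmt.Println(err, "| free slots:", len(p.free))
}
```

Clearing the flag on failure without also rolling back the partially written sets would leave rules behind that a flag-gated reset never removes, so the two steps belong together.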


@dobrac dobrac enabled auto-merge (squash) November 14, 2025 14:10
@dobrac dobrac merged commit c10493c into main Nov 14, 2025
27 checks passed
@dobrac dobrac deleted the fix-slot-return-on-network-fail-and-improve-network-validation branch November 14, 2025 14:19