Merge branch 'main' of github.com:e2b-dev/infra into lev-ingress-control

  Incorporate main commits: #2150 (validate specified IPs in egress),
  #2156 (disable request timeout), #2154 (envd init logs), #2151
  (storage cache test fix).

  Resolve conflict in sandbox_create.go by consolidating validation:

  Egress validation — matches main #2150 + port rejection:
  - validateEgressRules stays in sandbox_create.go (same location as main)
  - Uses IsSpecifiedIPOrCIDR from #2150 to reject unspecified addresses
  (0.0.0.0, ::, 0.0.0.0/24, etc.) while allowing 0.0.0.0/0
  - Uses ParseAddressesAndDomains to separate IPs from domains (same as main)
  - Adds port rejection (egress doesn't support port-specific rules)

  Ingress validation — new, added next to validateEgressRules:
  - validateIngressRules + validateIngressEntry in sandbox_create.go
  - Uses SplitHostPort to separate CIDR from port, validates each part
  - Uses IsSpecifiedIPOrCIDR for IPv4 + allows ::/0 for IPv6 block-all
  - Uses ParsePortRange for port/port-range validation
  - Rejects domains (ingress is IP/CIDR only)
  - Requires deny-all when allow rules are present

  Simplify rule.go — remove ParseRule/ParseRules:
  - Egress validation uses IsSpecifiedIPOrCIDR + ParseAddressesAndDomains directly
  - Ingress validation uses SplitHostPort + IsIPOrCIDR + ParsePortRange directly
  - Keep: Rule/ACL structs (hot-path matching), SplitHostPort, ParsePortRange (public)
make[1]: Entering directory '/home/lev/dev/infra/iac/provider-gcp'
  - Remove: ParseRule, ParseRules (tried to be one-size-fits-all, added complexity)

  Simplify orchestrator ACL building:
  - newEgressACL: uses parseCIDRs (direct net.ParseCIDR, no ParseRules)
  - newIngressACL/parseIngressRules: unchanged (builds from proto fields)

  Update create_instance.go:
  - buildEgressConfig: uses IsIPOrCIDR for domain detection (was ParseRule)
  - parseIngressRules: uses SplitHostPort + ParsePortRange (was ParseRule)

  Test updates:
  - Error messages updated to match main's IsSpecifiedIPOrCIDR style
  - Integration tests: replace ::/1/0.0.0.0/1 with ::/0/0.0.0.0/0
  (unspecified network addresses now rejected)
  - TestIsSpecifiedIPOrCIDR preserved from #2150
  - TestSplitHostPort, TestParsePortRange replace TestParseRule/TestParseRules

Author: levb

packages/api/internal/handlers/sandbox_create.go

@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"
 
@@ -31,6 +32,7 @@ import (
 	"github.com/e2b-dev/infra/packages/shared/pkg/grpc/orchestrator"
 	"github.com/e2b-dev/infra/packages/shared/pkg/id"
 	sbxlogger "github.com/e2b-dev/infra/packages/shared/pkg/logger/sandbox"
+	sandboxnetwork "github.com/e2b-dev/infra/packages/shared/pkg/sandbox-network"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
 	sharedUtils "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
@@ -514,3 +516,129 @@ func validateNetworkConfig(network *api.SandboxNetworkConfig) *api.APIError {
 
 	return validateIngressRules(allowIn, denyIn)
 }
+
+// validateEgressRules validates egress allow/deny rules:
+// - denyOut entries must be specified IPs or CIDRs (not domains, no ports)
+// - allowOut entries can be specified IPs, CIDRs, or domain names (no ports)
+// - when allowOut contains domains, denyOut must include 0.0.0.0/0
+func validateEgressRules(allowOut, denyOut []string) *api.APIError {
+	for _, entry := range denyOut {
+		host, port, _ := sandboxnetwork.SplitHostPort(entry)
+		if port != "" {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("invalid deny out entry %q: port-specific rules are not supported for egress", entry),
+				ClientMsg: fmt.Sprintf("invalid deny out entry %q: port-specific rules are not supported for egress", entry),
+			}
+		}
+
+		if !sandboxnetwork.IsSpecifiedIPOrCIDR(host) {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("invalid denied CIDR %s", host),
+				ClientMsg: fmt.Sprintf("invalid denied CIDR %s", host),
+			}
+		}
+	}
+
+	hasDomains := false
+	for _, entry := range allowOut {
+		host, port, _ := sandboxnetwork.SplitHostPort(entry)
+		if port != "" {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("invalid allow out entry %q: port-specific rules are not supported for egress", entry),
+				ClientMsg: fmt.Sprintf("invalid allow out entry %q: port-specific rules are not supported for egress", entry),
+			}
+		}
+
+		if sandboxnetwork.IsIPOrCIDR(host) {
+			if !sandboxnetwork.IsSpecifiedIPOrCIDR(host) {
+				return &api.APIError{
+					Code:      http.StatusBadRequest,
+					Err:       fmt.Errorf("invalid allowed address %s", host),
+					ClientMsg: fmt.Sprintf("invalid allowed address %s", host),
+				}
+			}
+		} else {
+			hasDomains = true
+		}
+	}
+
+	if hasDomains {
+		hasBlockAll := slices.Contains(denyOut, sandboxnetwork.AllInternetTrafficCIDR)
+		if !hasBlockAll {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("allow out contains domains but deny out is missing 0.0.0.0/0 (ALL_TRAFFIC)"),
+				ClientMsg: ErrMsgDomainsRequireBlockAll,
+			}
+		}
+	}
+
+	return nil
+}
+
+// validateIngressRules validates ingress allow/deny rules:
+// - entries must be valid IP or CIDR with optional port/port-range (no domains)
+// - IPv6 is supported (including ::/0)
+// - when allowIn is set, denyIn must include 0.0.0.0/0
+func validateIngressRules(allowIn, denyIn []string) *api.APIError {
+	for _, entry := range denyIn {
+		if err := validateIngressEntry(entry); err != nil {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("invalid deny in entry %q: %w", entry, err),
+				ClientMsg: fmt.Sprintf("invalid deny in entry %q: %s", entry, err),
+			}
+		}
+	}
+
+	for _, entry := range allowIn {
+		if err := validateIngressEntry(entry); err != nil {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("invalid allow in entry %q: %w", entry, err),
+				ClientMsg: fmt.Sprintf("invalid allow in entry %q: %s", entry, err),
+			}
+		}
+	}
+
+	if len(allowIn) > 0 {
+		hasBlockAll := slices.Contains(denyIn, sandboxnetwork.AllInternetTrafficCIDR)
+		if !hasBlockAll {
+			return &api.APIError{
+				Code:      http.StatusBadRequest,
+				Err:       fmt.Errorf("allow in requires deny in to include 0.0.0.0/0 (ALL_TRAFFIC)"),
+				ClientMsg: ErrMsgAllowInRequiresBlockAll,
+			}
+		}
+	}
+
+	return nil
+}
+
+// validateIngressEntry validates a single ingress rule entry (CIDR[:port]).
+func validateIngressEntry(entry string) error {
+	host, portStr, err := sandboxnetwork.SplitHostPort(entry)
+	if err != nil {
+		return err
+	}
+
+	if !sandboxnetwork.IsIPOrCIDR(host) {
+		return fmt.Errorf("domains are not supported for ingress rules")
+	}
+
+	// IsSpecifiedIPOrCIDR allows 0.0.0.0/0 but not ::/0; ingress needs both.
+	if !sandboxnetwork.IsSpecifiedIPOrCIDR(host) && host != "::/0" {
+		return fmt.Errorf("unspecified address")
+	}
+
+	if portStr != "" {
+		if _, _, err := sandboxnetwork.ParsePortRange(portStr); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

packages/api/internal/handlers/sandbox_create_test.go

@@ -104,7 +104,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid deny out entry "not-a-cidr": domains are not supported in deny rules`,
+			wantErrMsg: `invalid denied CIDR not-a-cidr`,
 		},
 		// Port syntax rejected for egress
 		{
@@ -114,7 +114,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid deny out entry "10.0.0.0/8": port-specific rules are not supported for egress`,
+			wantErrMsg: `invalid deny out entry "10.0.0.0/8:22": port-specific rules are not supported for egress`,
 		},
 		{
 			name: "allow_out with port is rejected",
@@ -123,7 +123,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid allow out entry "8.8.8.8": port-specific rules are not supported for egress`,
+			wantErrMsg: `invalid allow out entry "8.8.8.8:80": port-specific rules are not supported for egress`,
 		},
 		// Domain validation tests
 		{
@@ -370,7 +370,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid allow out entry "8.8.8.8": port-specific rules are not supported for egress`,
+			wantErrMsg: `invalid allow out entry "8.8.8.8:80": port-specific rules are not supported for egress`,
 		},
 		{
 			name: "deny_out with port is rejected",
@@ -379,7 +379,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid deny out entry "10.0.0.0/8": port-specific rules are not supported for egress`,
+			wantErrMsg: `invalid deny out entry "10.0.0.0/8:22": port-specific rules are not supported for egress`,
 		},
 		{
 			name: "deny_out with domain is rejected",
@@ -388,7 +388,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid deny out entry "example.com": domains are not supported in deny rules`,
+			wantErrMsg: `invalid denied CIDR example.com`,
 		},
 		{
 			name: "deny_out with invalid port is rejected",
@@ -397,7 +397,7 @@ func TestValidateNetworkConfig(t *testing.T) {
 			},
 			wantErr:    true,
 			wantCode:   http.StatusBadRequest,
-			wantErrMsg: `invalid deny out entry: invalid entry "10.0.0.0/8:abc": invalid port "abc": strconv.ParseUint: parsing "abc": invalid syntax`,
+			wantErrMsg: `invalid deny out entry "10.0.0.0/8:abc": port-specific rules are not supported for egress`,
 		},
 	}
 

packages/api/internal/handlers/sandbox_network_update.go

@@ -3,15 +3,13 @@ package handlers
 import (
 	"fmt"
 	"net/http"
-	"slices"
 
 	"github.com/gin-gonic/gin"
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
 	"github.com/e2b-dev/infra/packages/auth/pkg/auth"
 	"github.com/e2b-dev/infra/packages/db/pkg/types"
-	sandboxnetwork "github.com/e2b-dev/infra/packages/shared/pkg/sandbox-network"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
 	sharedutils "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
@@ -72,133 +70,3 @@ func (a *APIStore) PutSandboxesSandboxIDNetwork(
 
 	c.Status(http.StatusNoContent)
 }
-
-// validateEgressRules validates egress allow/deny rules:
-// - denyOut entries must be IPs or CIDRs (not domains, no ports)
-// - allowOut entries can be IPs, CIDRs, or domain names (no ports)
-// - when allowOut contains domains, denyOut must include 0.0.0.0/0
-func validateEgressRules(allowOut, denyOut []string) *api.APIError {
-	denyRules, err := sandboxnetwork.ParseRules(denyOut)
-	if err != nil {
-		return &api.APIError{
-			Code:      http.StatusBadRequest,
-			Err:       fmt.Errorf("invalid deny out entry: %w", err),
-			ClientMsg: fmt.Sprintf("invalid deny out entry: %s", err),
-		}
-	}
-
-	for _, rule := range denyRules {
-		if rule.IsDomain {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("invalid deny out entry %q: domains are not supported in deny rules", rule.Host),
-				ClientMsg: fmt.Sprintf("invalid deny out entry %q: domains are not supported in deny rules", rule.Host),
-			}
-		}
-
-		if rule.HasPort() {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("invalid deny out entry %q: port-specific rules are not supported for egress", rule.Host),
-				ClientMsg: fmt.Sprintf("invalid deny out entry %q: port-specific rules are not supported for egress", rule.Host),
-			}
-		}
-	}
-
-	allowRules, err := sandboxnetwork.ParseRules(allowOut)
-	if err != nil {
-		return &api.APIError{
-			Code:      http.StatusBadRequest,
-			Err:       fmt.Errorf("invalid allow out entry: %w", err),
-			ClientMsg: fmt.Sprintf("invalid allow out entry: %s", err),
-		}
-	}
-
-	hasDomains := false
-	for _, rule := range allowRules {
-		if rule.IsDomain {
-			hasDomains = true
-		} else if rule.HasPort() {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("invalid allow out entry %q: port-specific rules are not supported for egress", rule.Host),
-				ClientMsg: fmt.Sprintf("invalid allow out entry %q: port-specific rules are not supported for egress", rule.Host),
-			}
-		}
-	}
-
-	if hasDomains {
-		hasBlockAll := slices.ContainsFunc(denyRules, func(r sandboxnetwork.Rule) bool {
-			return r.Host == sandboxnetwork.AllInternetTrafficCIDR && r.AllPorts()
-		})
-
-		if !hasBlockAll {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("allow out contains domains but deny out is missing 0.0.0.0/0 (ALL_TRAFFIC)"),
-				ClientMsg: ErrMsgDomainsRequireBlockAll,
-			}
-		}
-	}
-
-	return nil
-}
-
-// validateIngressRules validates ingress allow/deny rules:
-// - entries must be valid CIDR[:port] strings (no domains)
-// - when allowIn is set, denyIn must include 0.0.0.0/0
-func validateIngressRules(allowIn, denyIn []string) *api.APIError {
-	denyRules, err := sandboxnetwork.ParseRules(denyIn)
-	if err != nil {
-		return &api.APIError{
-			Code:      http.StatusBadRequest,
-			Err:       fmt.Errorf("invalid deny in entry: %w", err),
-			ClientMsg: fmt.Sprintf("invalid deny in entry: %s", err),
-		}
-	}
-
-	for _, rule := range denyRules {
-		if rule.IsDomain {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("invalid deny in entry %q: domains are not supported for ingress rules", rule.Host),
-				ClientMsg: fmt.Sprintf("invalid deny in entry %q: domains are not supported for ingress rules", rule.Host),
-			}
-		}
-	}
-
-	allowRules, err := sandboxnetwork.ParseRules(allowIn)
-	if err != nil {
-		return &api.APIError{
-			Code:      http.StatusBadRequest,
-			Err:       fmt.Errorf("invalid allow in entry: %w", err),
-			ClientMsg: fmt.Sprintf("invalid allow in entry: %s", err),
-		}
-	}
-
-	for _, rule := range allowRules {
-		if rule.IsDomain {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("invalid allow in entry %q: domains are not supported for ingress rules", rule.Host),
-				ClientMsg: fmt.Sprintf("invalid allow in entry %q: domains are not supported for ingress rules", rule.Host),
-			}
-		}
-	}
-
-	if len(allowRules) > 0 {
-		hasBlockAll := slices.ContainsFunc(denyRules, func(r sandboxnetwork.Rule) bool {
-			return r.Host == sandboxnetwork.AllInternetTrafficCIDR && r.AllPorts()
-		})
-
-		if !hasBlockAll {
-			return &api.APIError{
-				Code:      http.StatusBadRequest,
-				Err:       fmt.Errorf("allow in requires deny in to include 0.0.0.0/0 (ALL_TRAFFIC)"),
-				ClientMsg: ErrMsgAllowInRequiresBlockAll,
-			}
-		}
-	}
-
-	return nil
-}