Files
wehub-resource-sync e0e362d700
Deploy Docs Pages / build (push) Waiting to run
Deploy Docs Pages / deploy (push) Blocked by required conditions
Real E2E Tests / Real E2E CI (push) Blocked by required conditions
SDK Tests / SDK CI (push) Blocked by required conditions
SDK Tests / changes (push) Successful in 2m29s
Real E2E Tests / changes (push) Successful in 2m29s
Real E2E Tests / Python E2E (docker bridge) (push) Waiting to run
Real E2E Tests / C# E2E (docker bridge) (push) Waiting to run
Real E2E Tests / Go E2E (docker bridge) (push) Waiting to run
Real E2E Tests / Java E2E (docker bridge) (push) Waiting to run
Real E2E Tests / JavaScript E2E (docker bridge) (push) Waiting to run
SDK Tests / Python SDK Tests (sandbox) (push) Waiting to run
SDK Tests / CLI Quality (push) Waiting to run
SDK Tests / CLI Tests (push) Waiting to run
SDK Tests / Python SDK Quality (code-interpreter) (push) Waiting to run
SDK Tests / Python SDK Quality (sandbox) (push) Waiting to run
SDK Tests / Python SDK Tests (code-interpreter) (push) Waiting to run
SDK Tests / JavaScript SDK Quality And Tests (code-interpreter) (push) Waiting to run
SDK Tests / JavaScript SDK Quality And Tests (sandbox) (push) Waiting to run
SDK Tests / Kotlin SDK Quality And Tests (sandbox) (push) Waiting to run
SDK Tests / Kotlin SDK Quality And Tests (code-interpreter) (push) Waiting to run
SDK Tests / C# SDK Quality And Tests (code-interpreter) (push) Waiting to run
SDK Tests / C# SDK Quality And Tests (sandbox) (push) Waiting to run
SDK Tests / Go SDK Quality And Tests (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 13:39:33 +08:00

96 lines
3.4 KiB
Go

// Copyright 2026 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"context"
"net/netip"
"os"
"strings"
"time"
"github.com/alibaba/opensandbox/egress/pkg/constants"
"github.com/alibaba/opensandbox/egress/pkg/dnsproxy"
"github.com/alibaba/opensandbox/egress/pkg/log"
"github.com/alibaba/opensandbox/egress/pkg/nftables"
"github.com/alibaba/opensandbox/egress/pkg/policy"
)
// createNftManager is non-nil only when mode includes the nft token (e.g. dns+nft).
func createNftManager(mode string) nftApplier {
if !constants.ModeUsesNft(mode) {
return nil
}
return nftables.NewManagerWithOptions(parseNftOptions())
}
// setupNft: apply static policy to nft, then wire allowed DNS answers to AddResolvedIPs (dynamic allow sets).
// nameserverIPs and always-deny/allow follow the same merge rules as the policy API (MergeAlwaysOverlay + WithExtraAllowIPs).
func setupNft(ctx context.Context, nftMgr nftApplier, initialPolicy *policy.NetworkPolicy, proxy *dnsproxy.Proxy, nameserverIPs []netip.Addr, alwaysDeny, alwaysAllow []policy.EgressRule) {
if nftMgr == nil {
log.Warnf("nftables disabled (dns-only mode)")
return
}
log.Infof("applying nftables static policy (dns+nft mode) with %d nameserver IP(s) merged into allow set", len(nameserverIPs))
merged := policy.MergeAlwaysOverlay(initialPolicy, alwaysDeny, alwaysAllow)
policyWithNS := merged.WithExtraAllowIPs(nameserverIPs)
if err := nftMgr.ApplyStatic(ctx, policyWithNS); err != nil {
log.Fatalf("nftables static apply failed: %v", err)
}
log.Infof("nftables static policy applied (table inet opensandbox); DNS-resolved IPs will be added to dynamic allow sets")
proxy.SetOnResolved(func(domain string, ips []nftables.ResolvedIP) {
addCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := nftMgr.AddResolvedIPs(addCtx, ips); err != nil {
log.Warnf("[dns] add resolved IPs to nft failed for domain %q: %v", domain, err)
}
})
}
func parseNftOptions() nftables.Options {
opts := nftables.Options{BlockDoT: true}
if constants.IsTruthy(os.Getenv(constants.EnvBlockDoH443)) {
opts.BlockDoH443 = true
}
if raw := os.Getenv(constants.EnvDoHBlocklist); strings.TrimSpace(raw) != "" {
parts := strings.Split(raw, ",")
for _, p := range parts {
target := strings.TrimSpace(p)
if target == "" {
continue
}
if addr, err := netip.ParseAddr(target); err == nil {
if addr.Is4() {
opts.DoHBlocklistV4 = append(opts.DoHBlocklistV4, target)
} else if addr.Is6() {
opts.DoHBlocklistV6 = append(opts.DoHBlocklistV6, target)
}
continue
}
if prefix, err := netip.ParsePrefix(target); err == nil {
if prefix.Addr().Is4() {
opts.DoHBlocklistV4 = append(opts.DoHBlocklistV4, target)
} else if prefix.Addr().Is6() {
opts.DoHBlocklistV6 = append(opts.DoHBlocklistV6, target)
}
continue
}
log.Warnf("ignoring invalid DoH blocklist entry: %s", target)
}
}
return opts
}