L7 networkpolicy error

[chinazj]

Agent Diagnostic

I followed the example from this link:
https://github.com/NVIDIA/OpenShell/tree/main/examples/sandbox-policy-quickstart
but it has not been working successfully. The logs show the following.

Description

I configured a policy like this:

network_policies:
  code_hub:
    name: code_read_write
    endpoints:
      - host: 218.11.11.225
        port: 80
        protocol: rest
        enforcement: enforce
        access: read-only
    binaries:
      - { path: /usr/bin/curl }

Then I ran:

sandbox@demo:~$ curl -v 218.11.11.225:80
* Uses proxy env variable no_proxy == '127.0.0.1,localhost,::1'
* Uses proxy env variable http_proxy == 'http://10.200.0.1:3128'
*   Trying 10.200.0.1:3128...
* Connected to 10.200.0.1 (10.200.0.1) port 3128
> GET http://218.11.11.225/ HTTP/1.1
> Host: 218.11.11.225
> User-Agent: curl/8.5.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection

The logs are as follows:

[1774352985.070] [sandbox] [INFO ] [openshell_sandbox::proxy] FORWARD action=deny binary=/usr/bin/curl dst_host=218.11.11.225 dst_port=80 method=GET path=/ policy=code_hub reason=endpoint has L7 rules; use CONNECT

I guess I’m using it incorrectly. How should I use the L7 policy?

Reproduction Steps

1. openshell sandbox create --name demo
2. vim policy
3. openshell policy set demo --policy policy.yaml --wait
4. openshell sandbox connect demo
5. curl -v 218.11.11.225:80

* Uses proxy env variable no_proxy == '127.0.0.1,localhost,::1'
* Uses proxy env variable http_proxy == 'http://10.200.0.1:3128'
*   Trying 10.200.0.1:3128...
* Connected to 10.200.0.1 (10.200.0.1) port 3128
> GET http://218.11.11.225/ HTTP/1.1
> Host: 218.11.11.225
> User-Agent: curl/8.5.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection

Environment

• linux

Logs

Agent-First Checklist

• I pointed my agent at the repo and had it investigate this issue
• I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
• My agent could not resolve this — the diagnostic above explains why

[chinazj]

use connect

curl --proxytunnel https://api.github.com

log

[1774359821.511] [sandbox] [INFO ] [openshell_sandbox::proxy] event crates/openshell-sandbox/src/proxy.rs:512 action=allow ancestors=/usr/bin/bash -> /opt/openshell/bin/openshell-sandbox binary=/usr/bin/curl binary_pid=281 cmdline=/bin/bash connect_msg=CONNECT_L7 dst_host=api.github.com dst_port=443 engine=opa policy=github_api proxy_addr=10.200.0.1:3128 reason= src_addr=10.200.0.2 src_port=58004
[1774359821.514] [sandbox] [WARN ] [openshell_sandbox::proxy] Expected REST protocol but received non-matching bytes. Connection rejected. host=api.github.com policy=github_api port=443
[1774359821.514] [sandbox] [WARN ] [openshell_sandbox::proxy] Proxy connection error error=Protocol mismatch: expected HTTP but received non-HTTP bytes

[timosur]

I am experiencing the same issue.

Have this policy here in place:

network_policies:
  ollama:
    name: ollama
    endpoints:
      - { host: 192.168.2.47, port: 11434 }

getting following error when doing a curl:

sandbox@grand-pinniped:~$ curl -v http://192.168.2.47:11434/api/tags
* Uses proxy env variable no_proxy == '127.0.0.1,localhost,::1'
* Uses proxy env variable http_proxy == 'http://10.200.0.1:3128'
*   Trying 10.200.0.1:3128...
* Connected to 10.200.0.1 (10.200.0.1) port 3128
> GET http://192.168.2.47:11434/api/tags HTTP/1.1
> Host: 192.168.2.47:11434
> User-Agent: curl/8.5.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 403 Forbidden
* no chunk, no close, no size. Assume close to signal end
< 
* Closing connection

[johntmyers]

Since you are both using using IP addresses directly, try doing this for your policies:

endpoints:
  - host: 218.11.11.225
    port: 80
    allowed_ips:
      - 218.11.11.225
    
# ... OR ...

endpoints:
  - host: 192.168.2.47
    port: 11434
    allowed_ips:
      - 192.168.2.47

[johntmyers]

I've created #570 which will remove the need to add a redundant allowed_ips section in the policy.

[timosur]

@johntmyers Thank you for this quick fix, worked for me! :-) Also great idea to remove this redundant allowed_ips!