
Update Network Permissions At Runtime #1528

Merged: cooper-grc merged 3 commits into main from cg/runtime-network on Nov 25, 2025

Conversation

@cooper-grc (Contributor) commented Nov 13, 2025

Summary by cubic

Add a runtime API to update a sandbox’s network permissions without restart. Supports blocking all egress or setting an allowlist; exposed ports remain accessible.

  • New Features
    • PodService: SandboxUpdateNetworkPermissions (gRPC + HTTP POST /pods/{containerId}/network/update).
    • Worker: ContainerSandboxUpdateNetworkPermissions applies new iptables/IPv6 rules in place.
    • Python SDK: sandbox.update_network_permissions(block_network, allow_list).
    • Updated OpenAPI, protos, gateway, and container client.

Written for commit 8ab7e1f. Summary will update automatically on new commits.

@cubic-dev-ai (bot) left a comment

2 issues found across 14 files

Prompt for AI agents (all 2 issues)

Understand the root cause of the following 2 issues and fix them.


<file name="pkg/worker/network.go">

<violation number="1" location="pkg/worker/network.go:831">
Rule violated: **Enforce Early Returns for Error Handling**

UpdateNetworkPermissions ignores the errors from setupAllowList/setupBlockNetwork, so it will return nil even when updating iptables fails. The "Enforce Early Returns for Error Handling" rule requires capturing those errors and returning immediately instead of continuing on the happy path. Please wrap each call with an early return, as is done elsewhere in this file.</violation>

<violation number="2" location="pkg/worker/network.go:839">
Rule violated: **Prevent Redundant Code Duplication**

This helper duplicates the existing removeIPTablesRules logic (iterating tables/chains, parsing rules, stripping quotes, deleting entries) instead of reusing or generalizing it. Please extract the shared code so future iptables changes stay consistent.</violation>
</file>

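To make the fail-closed shape concrete, an added Go sketch (not code from the PR or the project) of the two behaviours discussed above: an allowlist or block-all update rendered as iptables/ip6tables OUTPUT rules that keep replies for exposed ports flowing, and an UpdateNetworkPermissions that returns on the first failed rule instead of reporting success. The function names, the (block_network, allow_list) parameters and the rule text are assumptions modelled on the summary; apply stands in for whatever actually runs iptables.

```go
package main

import (
	"fmt"
	"net"
)

// buildEgressRules maps (block_network, allow_list) onto OUTPUT rules for iptables and ip6tables.
// Replies to inbound connections (exposed ports) stay allowed via conntrack; bad input is an error.
func buildEgressRules(blockNetwork bool, allowList []string) ([]string, error) {
	if blockNetwork && len(allowList) > 0 {
		return nil, fmt.Errorf("block_network and allow_list are mutually exclusive")
	}
	if !blockNetwork && len(allowList) == 0 {
		return nil, nil // unrestricted: nothing to install
	}
	var rules []string
	for _, f := range []string{"iptables", "ip6tables"} {
		rules = append(rules, f+" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
	}
	for _, cidr := range allowList {
		ip, ipnet, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("invalid allowlist entry %q: %w", cidr, err)
		}
		f := "iptables"
		if ip.To4() == nil {
			f = "ip6tables" // IPv6 destination belongs to ip6tables
		}
		rules = append(rules, fmt.Sprintf("%s -A OUTPUT -d %s -j ACCEPT", f, ipnet))
	}
	for _, f := range []string{"iptables", "ip6tables"} {
		rules = append(rules, f+" -A OUTPUT -j DROP") // default deny after the accepts
	}
	return rules, nil
}

// UpdateNetworkPermissions returns on the first failed apply call (the review's early-return point), so nil means every rule landed.
func UpdateNetworkPermissions(blockNetwork bool, allowList []string, apply func(string) error) error {
	rules, err := buildEgressRules(blockNetwork, allowList)
	if err != nil {
		return err
	}
	for _, r := range rules {
		if err := apply(r); err != nil {
			return fmt.Errorf("apply %q: %w", r, err)
		}
	}
	return nil
}
```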

@cubic-dev-ai (bot) left a comment

No issues found across 1 file

@cooper-grc cooper-grc merged commit b8f1829 into main Nov 25, 2025
4 checks passed
@cooper-grc cooper-grc deleted the cg/runtime-network branch November 25, 2025 16:50