Add enforcement-only egress mode and live egress policy updates#300
Add enforcement-only egress mode and live egress policy updates#300hiroTamada wants to merge 1 commit into
Conversation
Decouple host-side egress enforcement from the MITM proxy so an instance
can get TAP-level egress blocking without the proxy process, guest env
injection, or CA install:
- network.egress.proxy: mitm (default, existing behavior) or none
(enforcement only). Credentials still require mitm.
- network.egress.enforcement.mode gains all_traffic, which also rejects
direct UDP egress (QUIC, direct DNS).
- PATCH /instances/{id} accepts egress for enforcement-only policies,
applying or removing iptables rules live on running instances so
policy can change without a recreate. mitm policies stay create-only
since their guest-visible config is fixed at boot.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
✱ Stainless preview builds for hypemanThis PR will update the Edit this comment to update it. It will appear in the SDK's changelogs. ✅ hypeman-typescript studio · code · diff
✅ hypeman-openapi studio · code · diff
✅ hypeman-go studio · code · diff
This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 67806b6. Configure here.
| return err | ||
| } | ||
| req.NetworkEgress.EnforcementMode = mode | ||
| proxyMode, err := normalizeEgressProxyMode(req.NetworkEgress.Proxy) |
There was a problem hiding this comment.
Enforcement-only create rollback leak
High Severity
With network.egress.proxy=none, maybeRegisterEgressProxy installs host iptables rules but returns a nil guest config, preventing cleanup registration. If instance creation or startup fails, these rules are not removed, leaving stale FORWARD rules on the host's TAP interface.
Reviewed by Cursor Bugbot for commit 67806b6. Configure here.


Summary
Decouples host-side egress enforcement from the MITM proxy, so an instance can get TAP-level egress blocking while pointing its workload at an external proxy reachable at the network gateway (e.g. a host-side forward proxy on the bridge gateway).
network.egress.proxy:mitm(default, existing behavior) ornone. Withnone, hypeman applies the iptables FORWARD rules on the instance TAP but skips proxy registration,HTTP_PROXY/HTTPS_PROXYenv injection, and guest CA install. Credentials still requiremitm.network.egress.enforcement.mode: all_traffic: new mode that also rejects direct UDP egress (blocks QUIC and direct DNS; guests must resolve through their proxy). Existingall/http_https_onlysemantics unchanged.PATCH /instances/{id}acceptsegress: enforcement-only policies can be set, changed, or cleared per instance at runtime — iptables rules are applied/removed live on running instances (with rollback if the metadata save fails), or picked up on next start/restore for stopped/standby instances.mitmpolicies remain create-only since their guest-visible config (env, CA) is fixed at boot.mitm; the defaultallmode still permits any traffic to the gateway IP, so existing behavior is unchanged.Test plan
go build ./...go test ./lib/egressproxy/...create_egress_proxy_test.go,update_test.go)make oapi-generate(pinned v2.5.1; regen is deterministic — theHealthCheckHTTPSchemeconst rename is codegen collision-resolution churn from the new enum, and nothing references the old names)TestEgressProxyRewritesHTTPSHeaders,TestCreateInstanceWithNetwork) could not run in this environment — verified they fail identically onmainhere (VM boot / Docker Hub rate limits), so not regressions. Should run on a KVM-capable host before merge.egress: {enabled: true, proxy: none, enforcement: {mode: all_traffic}}, verify direct TCP/UDP egress rejected, gateway-destined traffic allowed, PATCH toggling applies/removes rules live.🤖 Generated with Claude Code
Note
High Risk
Changes host iptables egress enforcement and instance network policy APIs on security-sensitive paths; misconfiguration could block guest egress or leave rules inconsistent until rollback.
Overview
Adds
network.egress.proxy(mitmdefault,nonefor TAP iptables enforcement only—no MITM process, guest proxy env, or CA) andenforcement.mode: all_traffic(blocks direct TCP and UDP, including QUIC/DNS). Host enforcement is refactored aroundApplyEnforcement/RemoveEnforcementwith optional UDP rules;proxy=noneinstances get rules without registering the proxy service, and teardown still clears iptables when the proxy never started.PATCH /instances/{id}can replaceegressforproxy=noneonly: validation rejectsmitmcreate-time policies and switching tomitmon update; running instances apply or remove enforcement immediately with rollback if metadata save fails. Create/update validation normalizes proxy mode and requires credentials to usemitm.OpenAPI and API mapping (
toDomainNetworkEgress) wire create and update; docs describe the new modes and live update behavior.Reviewed by Cursor Bugbot for commit 67806b6. Bugbot is set up for automated code reviews on this repo. Configure here.