net-allow: support * in port position for any-port wildcard#37
Merged
congwang-mk merged 2 commits into main, May 5, 2026
Conversation
Issue #32 asked for a way to allow unrestricted outbound network access without enumerating every port. This adds a `*` wildcard in the port position of `--net-allow` specs, with three useful forms:

- `*:*` / `:*` any host, any port (fully unrestricted egress)
- `host:*` any port to host (other hosts still blocked)
- `host:80,*` rejected (no mixing wildcard with concrete ports)

NetAllow gains an `all_ports: bool` field; the parser sets it when it sees the `*` token and rejects mixed specs. ResolvedNetAllow exposes `per_ip_all_ports` (IPs from `host:*` rules after DNS resolution) and `any_ip_all_ports` (true when any rule is `:*`).

Signed-off-by: Cong Wang <cwang@multikernel.io>
…param Signed-off-by: Cong Wang <cwang@multikernel.io>
Summary
- `*` wildcard in port position of `--net-allow` specs: `:*` / `*:*` (any host, any port), `host:*` (any port to host)
- `*` with concrete ports (`host:80,*`) is rejected with a clear error
- `CONNECT_TCP` removed from `handled_access_net` (kernel cannot express "every port" without enumerating 65535 rules); the on-behalf seccomp path becomes the sole enforcer, and for `:*` it short-circuits to allow-all
- `Policy` reference comment
- Issue #32 (closed) follow-up: the reporter asked for "a simple command-line option to allow unrestricted network access." `--net-allow :*` is the answer; `--allow-udp` is still required separately for UDP egress to keep the syscall surface explicit.

Test plan

- `NetAllow::parse` unit tests covering `:port`, `*:port`, `host:*`, `:*`, `*:*`, mixed-rejection, port-zero rejection, no-colon rejection, repeated-wildcard idempotence
- `:*` sets `any_ip_all_ports`, `host:*` populates `per_ip_all_ports`, mixed wildcard + concrete
- `:*` end-to-end (sandbox connects to a localhost listener on a random port nothing else mentions); `host:*` permits localhost, denies `1.1.1.1:80`
- `sandlock run --net-allow ':*' -- echo` runs; `sandlock run --net-allow 'host:80,*' --` errors with "cannot mix"

🤖 Generated with Claude Code
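The spec parsing rules the summary and test plan describe, as an added Rust example that is not sandlock's own code: the `host` and `ports` fields, the `is_unrestricted` helper and the exact error strings are assumptions; only `NetAllow::parse` and `all_ports` come from the PR.

```rust
// Added example, not sandlock's code. Models the `--net-allow` port-wildcard
// rules from PR #37: `:*`/`*:*` = any host, any port; `host:*` = any port to
// one host; `*` mixed with concrete ports, port 0, and a spec with no colon
// are rejected; a repeated `*` is idempotent. Field names are assumed.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct NetAllow {
    pub host: Option<String>, // None when host is empty or `*` (any host)
    pub ports: Vec<u16>,      // concrete ports; empty when all_ports is set
    pub all_ports: bool,      // true when `*` appeared in the port position
}

impl NetAllow {
    pub fn parse(spec: &str) -> Result<NetAllow, String> {
        // Split on the last ':' so a bracketed IPv6 host keeps its colons.
        let (host, ports) = spec
            .rsplit_once(':')
            .ok_or_else(|| format!("net-allow spec '{}' must contain ':'", spec))?;
        let host = match host.trim() {
            "" | "*" => None,
            h => Some(h.to_string()),
        };
        let mut concrete = Vec::new();
        let mut all_ports = false;
        for tok in ports.split(',').map(str::trim) {
            if tok == "*" {
                all_ports = true; // `*,*` collapses to a single wildcard
                continue;
            }
            let p: u16 = tok
                .parse()
                .map_err(|_| format!("invalid port '{}' in '{}'", tok, spec))?;
            if p == 0 {
                return Err(format!("port 0 is not allowed in '{}'", spec));
            }
            concrete.push(p);
        }
        if all_ports && !concrete.is_empty() {
            return Err(format!("cannot mix '*' with concrete ports in '{}'", spec));
        }
        if !all_ports && concrete.is_empty() {
            return Err(format!("no ports given in '{}'", spec));
        }
        Ok(NetAllow { host, ports: concrete, all_ports })
    }

    /// True only for `:*` / `*:*`: no host and no port restriction at all.
    pub fn is_unrestricted(&self) -> bool {
        self.host.is_none() && self.all_ports
    }
}
```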