[WIP] feat(net): optional allow_net filtering for UDP

[G4614]

⚠️ [WIP — decision logic tested; live forwarder NOT integration-verified]
Part of a source-level security audit. The UDP policy (udpAllowed) is unit
tested; the live forwarder is gated behind BOXLITE_UDP_FILTER=true (OFF by
default) because its interaction with gvproxy's embedded DNS resolver and the
datagram relay path could not be validated without a network-stack harness.

Problem

allow_net only filtered TCP. UDP used gvproxy's default NAT forwarder, so a
restricted box could exfiltrate to any host over UDP/QUIC (DNS-over-UDP to an
attacker on :53, HTTP/3 on :443, custom UDP channels). The DNS sinkhole governs
only name resolution, not datagram destinations.

Change

• udpAllowed(destIP, destPort, filter) — drops UDP to destinations not permitted
  by the AllowNet filter; reuses TCPFilter.MatchesIP, so gateway/internal IPs
  (incl. the DNS resolver) and allowlisted hosts pass. No filter → all UDP allowed.
• OverrideUDPHandler installs a filtered udp.NewForwarder (mirrors the TCP
  override). Wired in main.go behind BOXLITE_UDP_FILTER=true, OFF by
  default so the live path is unchanged.

Test (two-sided) — policy, runs locally

TestUDPAllowed: attacker :53/:443 and unlisted hosts blocked; allowlisted +
gateway DNS pass. Reverting udpAllowed to "always allow" (pre-fix) makes the
blocked cases pass and the test fails. Full bridge suite + go vet green.

What needs a resource to verify (before enabling by default)

• A gvisor netstack integration harness (the repo has none — forked_network_test
  only reflect-checks the stack field) to drive real UDP/DNS packets and confirm:
  (a) non-allowlisted UDP is dropped end to end, (b) DNS still resolves (i.e.
  overriding the UDP handler does not bypass the embedded resolver endpoint), and
  (c) the datagram relay/idle-timeout works for allowed flows.

Audit finding #2 (high).

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c7a5a110-7ad5-43b1-9a73-a69aec81f63d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

boxlite security fixes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

boxlite security fixes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}