Vouch request: mesutoezdil

[mesutoezdil]

What do you want to work on?

I am a member/contributor of HAMi project and a contributor of kagent.

I opened PR #1023 against crates/openshell-core/src/net.rs.
Reading through is_always_blocked_net, I noticed the IPv6 branch only checked half of it, whether the network address of a CIDR fell inside a blocked range. It didn't check whether the range itself covered a blocked address.
Take ::ffff:168.0.0.0/103. The network address is 168.0.0.0, which is public, so the old code let it through. But the range extends all the way to 169.255.255.255 and includes ::ffff:169.254.0.0, link-local. So a sandbox could end up reaching link-local through a CIDR that looked fine.
The fix was small: three extra v6net.contains() calls, one each for loopback, link-local, and unspecified. Added 5 new tests. All 38 tests in the file pass.
PR got auto-closed by the vouch system, but the diff is there if anyone wants to look.

Why this change?

The whole point of is_always_blocked_net is to catch bad CIDRs early, when the policy loads, so the user doesn't hit a silent failure at runtime. With this gap, that guarantee didn't actually hold for some IPv6 prefixes, the policy would load without complaint, the connection wouldn't work, and there'd be no explanation anywhere. The fix is small. it just makes the function do what it should already be doing.

Checklist

• I wrote this request myself (not AI-generated)
• I have read CONTRIBUTING.md

[johntmyers]

/vouch

[github-actions[bot]]

@mesutoezdil has been vouched by @johntmyers.

You can now submit pull requests to OpenShell. Welcome aboard.

Please read CONTRIBUTING.md before submitting.

[mesutoezdil]

Thank you @johntmyers. Opened a new PR since the old one was auto-closed: #1032.