I built a Rust-based, process-only network sandbox command for Linux. I developed it because I sometimes needed to enforce proxies and DNS only for single binaries like Go, or to capture packets only for that one process.
It uses Linux namespaces, so it is Linux-only. Features:

- affects only the target command tree, not the whole host session
- can force DNS, /etc/hosts, proxying, sandbox policy, packet capture, structured flow logging, and reusable profiles per command tree
- can force proxying without depending on HTTP_PROXY, HTTPS_PROXY, or LD_PRELOAD tricks
- can apply allow / deny CIDR policy and default-deny rules to outbound traffic
- defaults to rootless-internal
- uses --root only for features like --iface and transparent interception
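To make the allow / deny CIDR policy and default-deny bullet concrete, here is an added Rust example of how such an outbound-policy evaluator can be written with only the standard library. It is not the tool's own code: the rule precedence (deny rules win over allow rules, then the default verdict applies), the `Policy` / `Cidr` / `Verdict` names, the one-line flow-log format and the sample destination addresses are all my assumptions for the example. It also handles one edge case a sandbox policy should not miss: an IPv4-mapped IPv6 destination (`::ffff:a.b.c.d`) is normalised to its IPv4 form before matching, so an IPv4 allow or deny rule cannot be sidestepped by spelling the address the other way.

```rust
use std::fmt;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// One CIDR prefix, kept as a pre-masked network number plus prefix length.
#[derive(Debug, Clone, PartialEq)]
pub enum Cidr {
    V4 { net: u32, bits: u8 },
    V6 { net: u128, bits: u8 },
}

fn mask4(bits: u8) -> u32 { if bits == 0 { 0 } else { u32::MAX << (32 - bits) } }
fn mask6(bits: u8) -> u128 { if bits == 0 { 0 } else { u128::MAX << (128 - bits) } }

impl Cidr {
    /// Parse "10.0.0.0/8", "2001:db8::/32" or a bare address (treated as a /32 or /128).
    pub fn parse(s: &str) -> Result<Cidr, String> {
        let (addr, plen) = match s.split_once('/') {
            Some((a, p)) => (a, Some(p)),
            None => (s, None),
        };
        let ip: IpAddr = addr.parse().map_err(|e| format!("{s}: {e}"))?;
        let max: u8 = if ip.is_ipv4() { 32 } else { 128 };
        let bits: u8 = plen.map_or(Ok(max), |p| p.parse::<u8>()).map_err(|e| format!("{s}: {e}"))?;
        if bits > max {
            return Err(format!("{s}: prefix length {bits} exceeds /{max}"));
        }
        Ok(match ip {
            IpAddr::V4(a) => Cidr::V4 { net: u32::from(a) & mask4(bits), bits },
            IpAddr::V6(a) => Cidr::V6 { net: u128::from(a) & mask6(bits), bits },
        })
    }

    /// True when `ip` falls inside this prefix; address families never cross-match.
    pub fn contains(&self, ip: IpAddr) -> bool {
        match (self, ip) {
            (Cidr::V4 { net, bits }, IpAddr::V4(a)) => u32::from(a) & mask4(*bits) == *net,
            (Cidr::V6 { net, bits }, IpAddr::V6(a)) => u128::from(a) & mask6(*bits) == *net,
            _ => false,
        }
    }
}

impl fmt::Display for Cidr {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Cidr::V4 { net, bits } => write!(f, "{}/{bits}", Ipv4Addr::from(*net)),
            Cidr::V6 { net, bits } => write!(f, "{}/{bits}", Ipv6Addr::from(*net)),
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Verdict { Allow, Deny }

/// Outbound policy: explicit deny rules, explicit allow rules, and a default verdict.
pub struct Policy { allow: Vec<Cidr>, deny: Vec<Cidr>, default: Verdict }

/// Fold IPv4-mapped IPv6 destinations back to IPv4 so v4 rules still apply to them.
fn normalize(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or(ip, IpAddr::V4),
        v4 => v4,
    }
}

impl Policy {
    pub fn new(default: Verdict) -> Self { Policy { allow: vec![], deny: vec![], default } }
    pub fn allow(mut self, cidr: &str) -> Result<Self, String> { self.allow.push(Cidr::parse(cidr)?); Ok(self) }
    pub fn deny(mut self, cidr: &str) -> Result<Self, String> { self.deny.push(Cidr::parse(cidr)?); Ok(self) }

    /// Assumed precedence: a matching deny rule wins (a narrow deny can punch a hole in a
    /// broad allow), then the first matching allow rule, otherwise the default verdict.
    pub fn decide(&self, ip: IpAddr) -> (Verdict, Option<&Cidr>) {
        let ip = normalize(ip);
        if let Some(r) = self.deny.iter().find(|c| c.contains(ip)) { return (Verdict::Deny, Some(r)); }
        if let Some(r) = self.allow.iter().find(|c| c.contains(ip)) { return (Verdict::Allow, Some(r)); }
        (self.default, None)
    }

    pub fn evaluate(&self, ip: IpAddr) -> Verdict { self.decide(ip).0 }

    /// One structured flow-log line per decision (format is an assumption for this example).
    pub fn explain(&self, ip: IpAddr) -> String {
        let (verdict, rule) = self.decide(ip);
        let rule = rule.map_or_else(|| "default".to_string(), |c| c.to_string());
        format!("dst={ip} verdict={verdict:?} rule={rule}")
    }
}

fn main() {
    // Constructed sample policy: default-deny, allow one private range and one v6 prefix,
    // carve a /24 back out of the private range.
    let policy = Policy::new(Verdict::Deny)
        .allow("10.0.0.0/8").unwrap()
        .deny("10.1.2.0/24").unwrap()
        .allow("2001:db8::/32").unwrap();
    // Constructed sample destinations, including an IPv4-mapped form of an allowed host.
    for dst in ["10.7.7.7", "10.1.2.9", "8.8.8.8", "2001:db8::1", "::ffff:10.7.7.7"] {
        println!("{}", policy.explain(dst.parse().unwrap()));
    }
}
```

The `contains` check works on pre-masked integers, so a rule written as `10.1.2.77/24` matches the whole `10.1.2.0/24` rather than only the literal host, and an oversize prefix such as `/33` is rejected at parse time instead of silently wrapping a shift.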
Personally, I wanted to run it on a Mac as well, but I gave up on that idea because the network control mechanism on a per-process basis is now in the kernel on Macs.
I would especially appreciate feedback from people.