I built a Rust-based, Linux-only, per-process network sandbox command. I developed it because I sometimes needed to enforce proxies and DNS only for single binaries like Go, or to capture packets only for that process.
It uses Linux namespaces, so it is Linux-only. Features:
- affects only the target command tree, not the whole host session
- can force DNS, /etc/hosts, proxying, sandbox policy, packet capture, structured flow logging, and reusable profiles per command tree
- can force proxying without depending on HTTP_PROXY, HTTPS_PROXY, or LD_PRELOAD tricks
- can apply allow / deny CIDR policy and default-deny rules to outbound traffic
- defaults to rootless-internal
- uses --root only for features like --iface and transparent interception
Personally, I wanted to run it on a Mac as well, but I gave up on that idea because on Macs the per-process network control mechanism now lives in the kernel.
I would especially appreciate feedback from people.