
Childflow

Offensive & Pentesting

A per‑command‑tree network sandbox for Linux that isolates DNS, hosts, proxy, policy and capture controls to a single command and its children

Rust · Latest 0.8.1 · 16d ago

Features

  • Isolates a single command tree in its own network namespace
  • Enforces custom DNS resolution, /etc/hosts overrides, and forced proxy usage for that tree only
  • Applies allow/deny CIDR policies with default‑deny semantics to outbound traffic
  • Captures and logs structured flow events (DNS, connect, policy) without full packet inspection
  • Supports reusable TOML profiles and both rootless and rootful backends

Recent releases

View all 8 releases →
  • 0.8.1 · Breaking risk · maintainability · No immediate action
  • 0.8.0 · New feature · Auth RBAC · Observability + Policy + Profiles · Review required
  • 0.7.0 · New feature · Auth RBAC RCE / SSRF · Rootless sandbox + profiles + logs · Review required
  • 0.6.0 · New feature · Structured flow logging · No immediate action
  • 0.5.0 · New feature · RBAC Breaking upgrade · Outbound policy engine · Config change

About

Stars: 7
Forks: 0
Languages: Rust, Shell, Python

Install & Platforms

Install via: cargo
Platforms: linux
