Netfence: eBPF Firewall Like Envoy for Containers

Developer Dan Goodman released Netfence, a daemon that injects eBPF filters into network interfaces and cgroups, mimicking Envoy's control plane model for firewalling. It enforces DNS-based rules: domains are resolved locally to IPs, which are then pushed into the filter, so all other outbound traffic is blocked without performance overhead.

Netfence's architecture separates a per-host daemon from a user-implemented gRPC control plane, which allows dynamic rule management for containers and microVMs such as Firecracker. The daemon handles the filter lifecycle, attaching programs to targets and syncing rules; because enforcement stays in kernel space, workloads (for example, agents) cannot tamper with the host's configuration.

The project targets secure multi-tenant environments, allowing agents to contact only specified services such as S3, pip, apt, or npm. By managing DNS per attachment, it solves the problem of a central DNS server lacking the context to know which interface a query came from. This approach offers fine-grained network control without modifying base images.
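To make the resolve-then-push model and the per-attachment policy described above concrete, here is an added, simplified user-space model (not Netfence's own code): each attachment keeps a domain allowlist, a sync step resolves it against a constructed stand-in for local DNS and reports what must be added to or removed from the filter's IP set, and the verdict function stands in for the kernel-side check. The `Attachment`, `sync` and `verdict` names, and the RFC 5737 sample addresses, are assumptions for illustration; unknown domains resolve to nothing, so the filter fails closed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the daemon's local resolver: domain -> addresses.
# The addresses are RFC 5737 documentation ranges, not real service IPs.
SAMPLE_DNS = {
    "pypi.org": ["192.0.2.10"],
    "files.pythonhosted.org": ["192.0.2.20", "192.0.2.21"],
    "s3.amazonaws.com": ["198.51.100.5"],
}


@dataclass
class Attachment:
    """Policy state for one filter attachment (an interface or a cgroup)."""
    name: str
    allowed_domains: set[str]
    allowed_ips: set[ipaddress.IPv4Address] = field(default_factory=set)


def resolve(domain: str, records=SAMPLE_DNS) -> list[ipaddress.IPv4Address]:
    """Local resolution step; an unknown domain yields no addresses (fail closed)."""
    return [ipaddress.ip_address(a) for a in records.get(domain, [])]


def sync(att: Attachment, records=SAMPLE_DNS):
    """Re-resolve the allowlist and return (adds, removes) for the filter's IP map.

    Calling this again after records change (TTL expiry, IP rotation) yields
    exactly the delta the daemon would need to push, keeping the map current.
    """
    fresh = {ip for d in att.allowed_domains for ip in resolve(d, records)}
    adds, removes = fresh - att.allowed_ips, att.allowed_ips - fresh
    att.allowed_ips = fresh
    return adds, removes


def verdict(att: Attachment, dst: str) -> str:
    """Kernel-side decision modelled in user space: only synced IPs pass."""
    return "PASS" if ipaddress.ip_address(dst) in att.allowed_ips else "DROP"


if __name__ == "__main__":
    sandbox = Attachment("agent-sandbox", {"pypi.org", "files.pythonhosted.org"})
    adds, removes = sync(sandbox)
    print("push:", sorted(map(str, adds)), "retract:", sorted(map(str, removes)))
    for dst in ("192.0.2.10", "198.51.100.5"):
        print(dst, verdict(sandbox, dst))
```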