dpndncY

Actively deny non-allowlisted egress at the kernel.

In enforce mode, the cgroup/connect4 and cgroup/connect6 programs reject the connection, so connect() fails with -EPERM before the syscall completes. Callers see an ordinary connection failure, not an unfamiliar error.

Executable docs ship with the install
The full reference for this topic — configuration files, code samples, CLI flags, API endpoints — ships inside every dpndncY installation so it always matches your installed version. This public-preview page lists what the in-product docs cover.

In the in-product docs

  • allowlist.yaml schema (CIDR, hostname, port-range)
  • Learn mode: auto-derive an allowlist across N jobs
  • Bypass: how to permit a single connect from a specific workflow step
  • Audit trail: every deny is logged and signed
  • Performance: per-packet overhead < 200 ns