Egress control · agent containers
Decide what your containers can reach.
Then prove it.
Outcall is a host-level firewall daemon for Docker agent containers. One bridge, one rule set, one place to say what an agent may talk to — enforced by nftables, DNS, and an HTTP proxy your container can't bypass.
```yaml
# /etc/outcall/rules.d/agent.yaml
# Default-block is implicit. Write only what the agent may do.
# HTTPS is matched by hostname (SNI). Method/path are visible
# only for plaintext HTTP — no TLS interception.
version: "1"
rules:
  - id: allow-openai
    description: "agent may call the OpenAI API over HTTPS"
    condition: 'http.host == "api.openai.com"'
    action: allow
    egress:
      mode: proxy
  - id: allow-github-clone
    condition: |
      dns.query == "github.com" ||
      http.host == "github.com"
    action: allow
```
What's in the box
One daemon. Six surfaces. Same source of truth.
Outcall ships the network plumbing, the policy plane, and the operator UX as a single binary. You don't stand up six tools to enforce egress — you stand up one.
An isolated L2 segment per host. Default-deny in the kernel. Allow rules compile to nftables verdicts you can read with `nft list table`.
The bridge gateway runs a DNS resolver that only answers for hosts in the rule set. Blocked queries return NXDOMAIN — agents fail at name lookup, not after a TCP timeout.
A forward proxy on the bridge gateway. Plaintext HTTP is matched on host, method, and path. HTTPS is matched on the CONNECT host and the TLS SNI — no decryption by default. An optional, per-rule intercept mode (S011) lets you decrypt with a CA you provision, when L7 enforcement of HTTPS method/path/body is worth the trade-offs.
A Unix socket inside each container. The agent shim asks "may I reach X?" before egress, and submits rule requests to the operator for review. No agent ever touches the host policy directly.
Drop YAML into /etc/outcall/rules.d and reload. Rules survive daemon restarts; networks and containers outlive the daemon, so you can ship rule changes without rolling agents.
One outcall CLI talks to the host socket — bridge, DNS, proxy, networks, containers. A web dashboard renders the same data for operators who prefer panes over panes.
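As an added illustration, not Outcall's own code, here is a minimal Python model of how the agent.yaml rule set above drives both the gateway resolver (answer or NXDOMAIN) and the proxy's allow/block decision, with default-block when no rule matches. The condition grammar (`field == "literal"` terms joined by `||`), first-match-wins ordering and the rule that a field absent from the request never matches are assumptions for the example, not documented Outcall behaviour.

```python
import re

# Rule set mirroring the page's agent.yaml, constructed here as Python
# dicts so the example runs without a YAML library.
RULES = [
    {"id": "allow-openai", "action": "allow",
     "condition": 'http.host == "api.openai.com"'},
    {"id": "allow-github-clone", "action": "allow",
     "condition": 'dns.query == "github.com" ||\nhttp.host == "github.com"'},
]

# Assumed condition grammar: `field == "literal"` terms joined by `||`.
_TOKEN = re.compile(r'\s*(\|\||==|[a-z][a-z_.]*|"[^"]*")')

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

def evaluate(expr, ctx):
    """True if the condition matches the request fields in ctx.
    A field absent from ctx (e.g. http.host during a DNS lookup) never matches."""
    toks, i, result = tokenize(expr), 0, False
    while True:
        if i + 3 > len(toks) or toks[i + 1] != "==" or not toks[i + 2].startswith('"'):
            raise ValueError(f'expected field == "literal" at token {i}')
        result = (ctx.get(toks[i]) == toks[i + 2].strip('"')) or result
        i += 3
        if i == len(toks):
            return result
        if toks[i] != "||":
            raise ValueError(f"unexpected token {toks[i]!r}")
        i += 1

def decide(ctx, rules=RULES):
    """Default-block: the first rule whose condition matches decides."""
    for rule in rules:
        if evaluate(rule["condition"], ctx):
            return rule["action"]
    return "block"

def resolve(name, rules=RULES):
    """Gateway resolver: answer only names the rule set allows, else NXDOMAIN."""
    return "answer" if decide({"dns.query": name}, rules) == "allow" else "NXDOMAIN"
```

Note that a proxy-mode rule keyed only on `http.host` does not by itself allow a DNS lookup of that host in this model; whether Outcall's resolver also answers for proxy-only hosts is not something the page states.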
How it fits together
One bridge. One source of truth.
The daemon is the only thing on the host that can change policy. Operators talk to the host socket. Containers talk to the agent socket. Neither side reaches the other.
Stop trusting agents.
Start enforcing them.
Outcall is open source. Spec-first, default-deny, and Linux-native. If you run agents that touch the network, you owe yourself a look.