firejail : only let a program access localhost

7 votes
3 answers
3892 views
I have this local network service and this client program needing to access it. I am running them both as an unprivileged user. I am looking for a way to sandbox the client using firejail, in a way that it cannot access the network, except for localhost (or even better, except for that service).

The first thing I tried was of course:

    firejail --net=lo program

But it didn't work:

    Error: cannot attach to lo device

I think I could work around it by creating a virtual network interface pair, for example veth0 and veth1, moving veth1 to a new network namespace in which I'd run the service, and using firejail to restrain the client to veth0.

Is there a way to actually automate this setting in a firejail profile, so that all of these interfaces are created and veth1 is moved when I type `firejail server` (without having to run anything as root)? Or is there a simpler way to solve this problem?

(I cannot run both the client and the service in the same namespace, because the service needs to access the network.)
Asked by tbrugere (1084 rep)
Oct 27, 2018, 03:56 PM
Last activity: Feb 10, 2025, 05:50 PM