only now I got reminded that the “Android hosts file” /system/etc/hosts" in the SFOS native file system does not get bind mounted into the aliendalvik container.
So any efforts to get some IP blocking done are going to /dev/null for Android applications in a new SFOS install. One would need to manually edit /var/lib/lxc/aliendalvik/extra_config with
lxc.mount.entry = /etc/hosts system/etc/hosts none bind,ro 0 0
Harbour-defender relied on that modification (done so long ago by me manually I forgot about it).
And as well all other people trying to add some blocking to the Android side.