Control network-traffic for Android Apps

I am searching for a way to control (allow/forbid) network traffic for
single apps. Is this possible to do?

On “normal” Android phones I used, for example, AFWall for this, an iptables-based
firewall. There you can manage traffic for Wifi/data/VPN for every app.

Sailfish OS 4.1.0.24 - XA2 - aosp_h3113

First things first; what is the actual use case?
Why would you want to have poorly behaved apps on your phone?
Wouldn’t the app be useless if it normally needs internet access, and you then go and disable it?
And if it doesn’t, apart from being really iffy, couldn’t you revoke the permission?
If it uses unwanted background data, then just keep background services off.

Since AFWall uses iptables, all that you’d need to figure out is how it is able to correlate traffic to a certain app. If that is still doable in SFOS (at least Android app names show up in top), then you should be able to do the same.

How and where could I do this for an Android app?

For example:
root@Sail02:~# netstat -napt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.222:56580 209.97.157.92:443 ESTABLISHED 28614/org.gnu.iceca
tcp 0 0 192.168.1.222:55406 172.217.19.74:443 ESTABLISHED 28614/org.gnu.iceca

If I wanted to deny network access for icecat here, sure, I could write something with iptables.
My question was more whether somebody else has thought about this and whether there is maybe some kind of solution for it. Maybe not.

From my point of view: you are asking for a tool that has no (obvious) reasonable use - so the chances that others have thought about it sound slim. Knowing what the actual use cases are would hopefully enable better answers (e.g. solving the problem some other way).

Hmm, seems that permission is not revocable, even from the console: android.permission.INTERNET requested by com.spotify.music is not a changeable permission type. Background data usage is available though - but better just kill background services.

You need a rooted phone to use AFWall. So, it is not that popular, but on playstore it has 500.000 downloads. On the other side, a non-root “firewall” (NetGuard) has 5.000.000+ downloads on playstore. Doesn’t seem so useless for a lot of users.

In my case and only for me, yes, I can deal with iptables for myself. I thought there might be a slightly more generic thing for this. A few people were asking me in the past for that feature in Sailfish/Android.

That is not an argument! It is a schoolbook example of an ad populum fallacy.
Heck, they might even have realised it was not useful and uninstalled it for all we know.

Since you still haven’t said what the use case is, I’ll just assume there is none.
(Beyond shadow-revoking internet permissions for apps that shouldn’t have it in the first place - which are probably terrible in more ways anyway)

This functionality should be built-in into Sailfish Android layer!

They say SFOS is about privacy, then why the heck is the Android layer less private than a standard Android phone (with proper apps)?

SFOS must have built-in functionality to provide fake data to Android apps and to disallow internet access on per-app basis.

When any VPN app is launched it does not change the AlienDalvik VPN settings… Why is this?

It seems important for you to have a use case, so I will give you one, or two out of tons.
I am using ColorNote for my personal notes, and I don’t want it to have network
access, ever. There is TitaniumBackup, which makes local backups, and for this I
only want to allow LAN access. Or my media player shouldn’t be going online, because
I only want to see local files. And so on.
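
Added example, not part of any post in this thread: a sketch of the per-app approach discussed above (AFWall-style iptables rules keyed on the app's Linux UID), covering the "no network" and "LAN only" use cases just listed. It only prints rules; the package names and UIDs are constructed, the table follows the layout of Android's packages.list, and it is an assumption, not confirmed in the thread, that Android app traffic on Sailfish OS passes the host OUTPUT chain under per-app UIDs.

```shell
#!/bin/sh
# Constructed sample in packages.list layout: "<package> <uid> ...".
# Package names and UIDs are made up for illustration.
SAMPLE_PACKAGES='com.example.notes 10101 0 /data/user/0/com.example.notes default 3003
com.example.backup 10102 0 /data/user/0/com.example.backup default 3003
com.example.player 10103 0 /data/user/0/com.example.player default'

# Print the UID of a package; non-zero exit status if it is not listed.
uid_for() {
    printf '%s\n' "$SAMPLE_PACKAGES" |
        awk -v p="$1" '$1 == p { print $2; found = 1 } END { exit !found }'
}

# Print (do not apply) the rules for one app.
# policy "none": no network at all; policy "lan": RFC 1918 ranges only.
rules_for() {
    pkg=$1
    policy=$2
    uid=$(uid_for "$pkg") || { echo "unknown package: $pkg" >&2; return 1; }
    case $policy in
        none) ;;
        lan)
            for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
                echo "iptables -A OUTPUT -m owner --uid-owner $uid -d $net -j ACCEPT"
            done ;;
        *) echo "unknown policy: $policy" >&2; return 1 ;;
    esac
    # Loopback stays open so local IPC over 127.0.0.1 keeps working.
    echo "iptables -A OUTPUT ! -o lo -m owner --uid-owner $uid -j REJECT"
    # IPv6 is rejected as well, otherwise it bypasses the IPv4 rules.
    echo "ip6tables -A OUTPUT ! -o lo -m owner --uid-owner $uid -j REJECT"
}

rules_for com.example.notes none
rules_for com.example.backup lan
```

Rule order matters: the ACCEPT lines must come before the final REJECT, which is why the function emits them first.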