Network Isolation
2026-04-26
Network Isolation blocks network access for selected apps at the kernel level. When an isolated app attempts an IPv4/IPv6 connection, the kernel returns ECONNREFUSED, achieving complete network disconnection. Default Off.
Path: Settings page top-right function button → Network Isolation
How It Works
Network Isolation is built on the KernelPatch SuperCall mechanism, intercepting outbound network requests at the kernel syscall layer by hooking:
- connect (syscall 203): intercepts TCP connection establishment
- sendto (syscall 206): intercepts UDP sends with a destination address
When an isolated UID attempts an IPv4 or IPv6 connection, the kernel returns -ECONNREFUSED and skips the original syscall. The app receives a "connection refused" error.
Unlike iptables/netfilter solutions, Network Isolation is implemented entirely through syscall hooking — it does not depend on any network stack components.
Filtering Rules
| UID Range | Blocked? | Description |
|---|---|---|
| FolkPatch itself | No | Manager always exempt for normal operation |
| System UIDs (< 10000) | No | Root, system and other system processes unaffected |
| User-selected app UIDs | Yes | Only selected apps have outbound network blocked |
| Non-selected app UIDs | No | Other apps completely unaffected |
Usage
- Toggle Network Isolation on
- Click Add Apps to select apps from the app picker
- Selected apps immediately lose IPv4/IPv6 outbound network access
Selected apps are displayed as cards with a quick remove action.
Coverage
Network Isolation only blocks outbound network requests:
| Behavior | Blocked? | Description |
|---|---|---|
| TCP connections (connect) | Yes | Isolated apps cannot establish TCP connections |
| UDP sends (sendto) | Yes | Isolated apps cannot send UDP data to addresses |
| Local sockets (AF_UNIX) | No | Local IPC unaffected |
| Bluetooth and other protocols | No | Non-network protocols unaffected |
| Inbound connections (bind/listen/accept) | No | App port listening not affected |
| Data receiving (recvfrom/recvmsg) | No | Does not block receiving data |
Note
Network Isolation is all-or-nothing per UID — it does not distinguish between target IPs, ports, or protocol versions (both IPv4 and IPv6 are blocked). For more granular network control, use additional networking tools.
Auto Apply
Network Isolation configuration is automatically read and applied by the apd daemon at boot (during the post-fs-data phase) in the following order:
- Clear kernel UID blocklist
- Add each configured UID
- Enable Network Isolation last (ensuring all configuration is in place before activation)
This ensures isolation is active before any app starts — no need to manually open the manager.
/data/adb/fp/netisolate
├── enabled    # Enable flag file
└── uids       # Isolated UID list (one per line)
Note
- Maximum of 256 isolated app UIDs
- Isolating critical system apps may cause device malfunctions — select carefully
- Network Isolation requires KernelPatch kernel support
- UIDs of uninstalled apps are not auto-cleaned — remove them manually
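One way to audit the uids file against the Filtering Rules and the notes above, as an added example that is not FolkPatch code: it flags entries in the exempt system range, UIDs with no installed package, and a list over the 256 limit. It assumes Android's package index at /data/system/packages.list, a per-user UID offset of 100000 for multi-user devices, and a root shell; the function name and the sample data are constructed.

```shell
#!/bin/sh
# Added example (not FolkPatch code): audit the Network Isolation UID list.
# usage: audit_netisolate [uids_file] [packages_list]
audit_netisolate() {
    uids_file=${1:-/data/adb/fp/netisolate/uids}
    # Assumption: Android's package index, "<package> <uid> ..." per line.
    pkg_list=${2:-/data/system/packages.list}
    [ -r "$uids_file" ] && [ -r "$pkg_list" ] || { echo "ERROR unreadable input"; return 2; }
    count=0 problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        uid=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$uid" ] && continue
        case $uid in
            *[!0-9]*|0?*) echo "INVALID $uid (not a plain decimal UID)"; problems=$((problems + 1)); continue ;;
        esac
        count=$((count + 1))
        if [ "$uid" -lt 10000 ]; then
            echo "EXEMPT $uid (system UID range, not blocked)"
            problems=$((problems + 1))
            continue
        fi
        appid=$((uid % 100000))   # assumption: strip the per-user offset before lookup
        pkg=$(awk -v id="$appid" '$2 == id { print $1; exit }' "$pkg_list")
        if [ -n "$pkg" ]; then
            echo "OK $uid $pkg"
        else
            echo "STALE $uid (no installed package, remove manually)"
            problems=$((problems + 1))
        fi
    done < "$uids_file"
    if [ "$count" -gt 256 ]; then
        echo "LIMIT $count UIDs listed, maximum is 256"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]   # exit status 0 only when every entry is usable
}

# Constructed sample data so the example also runs off-device.
demo=$(mktemp -d)
printf '%s\n' 'com.example.browser 10123 0 /data/user/0/com.example.browser default none' \
              'com.example.game 10200 0 /data/user/0/com.example.game default none' \
              > "$demo/packages.list"
printf '%s\n' 10123 1000 10999 abc 1010200 > "$demo/uids"
audit_netisolate "$demo/uids" "$demo/packages.list" || echo "review the entries flagged above"
rm -rf "$demo"
```

On a device, call audit_netisolate with no arguments from a root shell; a non-zero exit status means at least one entry needs attention.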
Related Features
- Path Hide: Kernel-level file and directory hiding
- Kernel Spoof: Spoof kernel version information
Copyright
Copyright Ownership: FolkPatch Team
License under: Attribution 4.0 International (CC-BY-4.0)
