So I often have to install and test different programs. I do not want programs to access the Internet immediately. After a while I might want to allow it, so it should be easy to allow or disallow internet access at the application level....
A brand new network namespace doesn’t have any network interfaces. When you start a process in a namespace, all its child processes will start there too. It’s like a little network jail, and the functionality is baked into the kernel / is kernel enforced.
I use this to keep certain processes on a vpn, with no need for interface-binding support from the process, or a vpn-killswitch.
Another fun fact, this is the functionality that enables containerization, like docker/podman
How to block applications from accessing the Internet
So I often have to install and test different programs. I do not want programs to access the Internet immediately. After a while I might want to allow it, so it should be easy to allow or disallow internet access at the application level....