platform: modularize api/gui, add docs-tests-web foundation, and refresh root config

selective-vpn-api/app/traffic_appmarks_runtime.go

@@ -0,0 +1,118 @@
+package app
+
+import (
+	"os"
+	trafficappmarkspkg "selective-vpn-api/app/trafficappmarks"
+	"strings"
+)
+
+func ensureAppMarksNft() error {
+	_ = trafficappmarkspkg.EnsureBase(appMarksNFTConfig(), runCommandTimeout)
+
+	// Remove legacy rules that relied on `meta cgroup @svpn_cg_*` (broken on some kernels).
+	_ = cleanupLegacyAppMarksRules()
+	return nil
+}
+
+func cleanupLegacyAppMarksRules() error {
+	return trafficappmarkspkg.CleanupLegacyRules(appMarksNFTConfig(), runCommandTimeout)
+}
+
+func appMarkComment(target string, id uint64) string {
+	return trafficappmarkspkg.AppMarkComment(appMarkCommentPrefix, target, id)
+}
+
+func appGuardComment(target string, id uint64) string {
+	return trafficappmarkspkg.AppGuardComment(appGuardCommentPrefix, target, id)
+}
+
+func appGuardEnabled() bool {
+	v := strings.ToLower(strings.TrimSpace(os.Getenv("SVPN_APP_GUARD")))
+	return v == "1" || v == "true" || v == "yes" || v == "on"
+}
+
+func appMarksNFTConfig() trafficappmarkspkg.NFTConfig {
+	return trafficappmarkspkg.NFTConfig{
+		Table:              appMarksTable,
+		Chain:              appMarksChain,
+		GuardChain:         appMarksGuardChain,
+		LocalBypassSet:     appMarksLocalBypassSet,
+		MarkApp:            MARK_APP,
+		MarkDirect:         MARK_DIRECT,
+		MarkCommentPrefix:  appMarkCommentPrefix,
+		GuardCommentPrefix: appGuardCommentPrefix,
+		GuardEnabled:       appGuardEnabled(),
+	}
+}
+
+func appMarkAutoBypassCIDRs(vpnIface string) []string {
+	routes := detectAutoLocalBypassRoutes(vpnIface)
+	out := make([]string, 0, len(routes))
+	for _, rt := range routes {
+		dst := strings.TrimSpace(rt.Dst)
+		if dst == "" || dst == "default" {
+			continue
+		}
+		out = append(out, dst)
+	}
+	return out
+}
+
+func updateAppMarkLocalBypassSet(vpnIface string) error {
+	_ = ensureAppMarksNft()
+	return trafficappmarkspkg.UpdateLocalBypassSet(
+		appMarksNFTConfig(),
+		strings.TrimSpace(vpnIface),
+		appMarkAutoBypassCIDRs(vpnIface),
+		runCommandTimeout,
+	)
+}
+
+func nftInsertAppMarkRule(target string, rel string, level int, id uint64, vpnIface string) error {
+	return trafficappmarkspkg.InsertAppMarkRule(
+		appMarksNFTConfig(),
+		target,
+		rel,
+		level,
+		id,
+		strings.TrimSpace(vpnIface),
+		appMarkAutoBypassCIDRs(vpnIface),
+		runCommandTimeout,
+	)
+}
+
+func nftDeleteAppMarkRule(target string, id uint64) error {
+	return trafficappmarkspkg.DeleteAppMarkRule(appMarksNFTConfig(), target, id, runCommandTimeout)
+}
+
+func nftHasAppMarkRule(target string, id uint64) bool {
+	return trafficappmarkspkg.HasAppMarkRule(appMarksNFTConfig(), target, id, runCommandTimeout)
+}
+
+func parseNftHandle(line string) int {
+	return trafficappmarkspkg.ParseNftHandle(line)
+}
+
+func resolveCgroupV2PathForNft(input string) (rel string, level int, inodeID uint64, abs string, err error) {
+	return trafficappmarkspkg.ResolveCgroupV2PathForNft(input, cgroupRootPath)
+}
+
+func normalizeCgroupRelOnly(raw string) string {
+	return trafficappmarkspkg.NormalizeCgroupRelOnly(raw)
+}
+
+func cgroupDirInode(rel string) (uint64, error) {
+	return trafficappmarkspkg.CgroupDirInode(cgroupRootPath, rel)
+}
+
+func upsertAppMarkItem(items []appMarkItem, next appMarkItem) []appMarkItem {
+	return trafficappmarkspkg.UpsertItem(items, next)
+}
+
+func clearManagedAppMarkRules(chain string) {
+	trafficappmarkspkg.ClearManagedRules(appMarksNFTConfig(), chain, runCommandTimeout)
+}
+
+func isAllDigits(s string) bool {
+	return trafficappmarkspkg.IsAllDigits(s)
+}