fix(appmarks): use nft socket cgroupv2 rules for per-app routing

This commit is contained in:
beckline
2026-02-15 14:43:13 +03:00
parent 4b99057adb
commit b77adb153a
4 changed files with 468 additions and 198 deletions


@@ -151,14 +151,12 @@ func routesUpdate(iface string) cmdResult {
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "set", "inet", "agvpn", "agvpn4", "{", "type", "ipv4_addr", ";", "flags", "interval", ";", "}")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "set", "inet", "agvpn", "agvpn_dyn4", "{", "type", "ipv4_addr", ";", "flags", "interval", ";", "}")
// EN: Per-app routing support (cgroup-mark sets). Output chain jumps into:
// EN: - output_apps: app-scoped marks (MARK_DIRECT / MARK_APP)
// EN: Output chain jumps into:
// EN: - output_apps: runtime per-app marks (MARK_DIRECT / MARK_APP)
// EN: - output_ips: selective domain IP sets (MARK)
// RU: Поддержка per-app (cgroup-mark sets). Output chain прыгает в:
// RU: - output_apps: per-app marks (MARK_DIRECT / MARK_APP)
// RU: Output chain прыгает в:
// RU: - output_apps: runtime per-app marks (MARK_DIRECT / MARK_APP)
// RU: - output_ips: селективные доменные IP сеты (MARK)
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "set", "inet", "agvpn", "svpn_cg_vpn", "{", "typeof", "meta", "cgroup", ";", "flags", "timeout", ";", "}")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "set", "inet", "agvpn", "svpn_cg_direct", "{", "typeof", "meta", "cgroup", ";", "flags", "timeout", ";", "}")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "chain", "inet", "agvpn", "output", "{", "type", "route", "hook", "output", "priority", "mangle;", "policy", "accept;", "}")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "chain", "inet", "agvpn", "output_apps")
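Review bot: The `svpn_cg_vpn` / `svpn_cg_direct` sets are still declared `typeof meta cgroup`, which is the cgroup v1 net_cls classid and not the `socket cgroupv2` match the commit title announces; the rendered page has lost the +/- markers, so if those two declarations survive on the new side they are either dead state or a v1-only match that silently matches nothing on a cgroup2-only host. The replacement comment should name the mechanism and its owner so nobody re-adds `meta cgroup` rules here, e.g. `// EN: - output_apps: per-app rules keyed on socket cgroupv2 paths, installed at runtime by traffic_appmarks.go (not managed here)`. Every nft invocation in this hunk also discards its result, so a failed `add set`/`add chain` leaves app traffic unmarked and routed by the default policy — fail-open for a split-tunnel feature; at minimum capture and log the stderr returned by runCommandTimeout for the set and chain creation so a broken ruleset is visible. routesUpdate starts before and continues past this hunk.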
@@ -169,10 +167,7 @@ func routesUpdate(iface string) cmdResult {
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "rule", "inet", "agvpn", "output", "jump", "output_apps")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "rule", "inet", "agvpn", "output", "jump", "output_ips")
// App chain: mark + accept to stop further evaluation in this base chain.
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "flush", "chain", "inet", "agvpn", "output_apps")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "rule", "inet", "agvpn", "output_apps", "meta", "cgroup", "@svpn_cg_direct", "meta", "mark", "set", MARK_DIRECT, "accept")
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "add", "rule", "inet", "agvpn", "output_apps", "meta", "cgroup", "@svpn_cg_vpn", "meta", "mark", "set", MARK_APP, "accept")
// App chain: runtime rules are managed by traffic_appmarks.go (do not flush here).
// Domain chain: selective IP sets (resolver output).
_, _, _, _ = runCommandTimeout(5*time.Second, "nft", "flush", "chain", "inet", "agvpn", "output_ips")