fix(appmarks): use nft socket cgroupv2 rules for per-app routing

selective-vpn-api/app/watchers.go

@@ -24,12 +24,14 @@ func startWatchers(ctx context.Context) {
 	autoEvery := time.Duration(envInt("SVPN_POLL_AUTOLOOP_MS", defaultPollAutoloopMs)) * time.Millisecond
 	systemdEvery := time.Duration(envInt("SVPN_POLL_SYSTEMD_MS", defaultPollSystemdMs)) * time.Millisecond
 	traceEvery := time.Duration(envInt("SVPN_POLL_TRACE_MS", defaultPollTraceMs)) * time.Millisecond
+	appMarksEvery := time.Duration(envInt("SVPN_POLL_APPMARKS_MS", defaultPollAppMarksMs)) * time.Millisecond
 
 	go watchStatusFile(ctx, statusEvery)
 	go watchLoginFile(ctx, loginEvery)
 	go watchAutoloop(ctx, autoEvery)
 	go watchFileChange(ctx, traceLogPath, "trace_changed", "full", traceEvery)
 	go watchFileChange(ctx, smartdnsLogPath, "trace_changed", "smartdns", traceEvery)
+	go watchTrafficAppMarksTTL(ctx, appMarksEvery)
 
 	go watchSystemdUnitDynamic(ctx, routesServiceUnitName, "routes_service", systemdEvery)
 	go watchSystemdUnitDynamic(ctx, routesTimerUnitName, "routes_timer", systemdEvery)
@@ -37,6 +39,17 @@ func startWatchers(ctx context.Context) {
 	go watchSystemdUnit(ctx, "smartdns-local.service", "smartdns_unit", systemdEvery)
 }
 
+func watchTrafficAppMarksTTL(ctx context.Context, every time.Duration) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(every):
+		}
+		_ = pruneExpiredAppMarks()
+	}
+}
+
 // ---------------------------------------------------------------------
 // status file watcher
 // ---------------------------------------------------------------------