firewall(linux): add MarkRerouteSplitTun (0x6b7) and iptables rules

Introduces mark 1719 for split-tunnel rerouting, mirroring the existing SPN mark (1717).
Adds FILTER RETURN and NAT DNAT rules for both IPv4 and IPv6 targeting port 719.

service/firewall/interception/nfq/packet.go

@@ -18,15 +18,16 @@ import (
 // See TODO on packet.mark() on their relevance
 // and a possibility to remove most IPtables rules.
 const (
-	MarkAccept       = 1700 // 0x6a4
-	MarkBlock        = 1701 // 0x6a5
-	MarkDrop         = 1702 // 0x6a6
-	MarkAcceptFinal  = 1709 // 0x6ad Accept and finalize the decision in iptables. This should only be used for Portmaster-owned outbound connections.
-	MarkAcceptAlways = 1710 // 0x6ae
-	MarkBlockAlways  = 1711 // 0x6af
-	MarkDropAlways   = 1712 // 0x6b0
-	MarkRerouteNS    = 1799 // 0x707
-	MarkRerouteSPN   = 1717 // 0x6b5
+	MarkAccept          = 1700 // 0x6a4
+	MarkBlock           = 1701 // 0x6a5
+	MarkDrop            = 1702 // 0x6a6
+	MarkAcceptFinal     = 1709 // 0x6ad Accept and finalize the decision in iptables. This should only be used for Portmaster-owned outbound connections.
+	MarkAcceptAlways    = 1710 // 0x6ae
+	MarkBlockAlways     = 1711 // 0x6af
+	MarkDropAlways      = 1712 // 0x6b0
+	MarkRerouteNS       = 1799 // 0x707
+	MarkRerouteSPN      = 1717 // 0x6b5
+	MarkRerouteSplitTun = 1719 // 0x6b7
 )
 
 func markToString(mark int) string {
@@ -49,6 +50,8 @@ func markToString(mark int) string {
 		return "RerouteNS"
 	case MarkRerouteSPN:
 		return "RerouteSPN"
+	case MarkRerouteSplitTun:
+		return "RerouteSplitTun"
 	}
 	return "unknown"
 }
@@ -192,3 +195,7 @@ func (pkt *packet) RerouteToNameserver() error {
 func (pkt *packet) RerouteToTunnel() error {
 	return pkt.mark(MarkRerouteSPN)
 }
+
+func (pkt *packet) RerouteToSplitTun() error {
+	return pkt.mark(MarkRerouteSplitTun)
+}

service/firewall/interception/nfqueue_linux.go

@@ -85,12 +85,14 @@ func init() {
 		"filter PORTMASTER-FILTER -m mark --mark 1711 -p icmp -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1711 -j REJECT --reject-with icmp-admin-prohibited",
 		"filter PORTMASTER-FILTER -m mark --mark 1712 -j DROP",
-		"filter PORTMASTER-FILTER -m mark --mark 1717 -j RETURN",
+		"filter PORTMASTER-FILTER -m mark --mark 1717 -j RETURN", // informational (non-functional) RETURN verdicts at the end of the chain
+		"filter PORTMASTER-FILTER -m mark --mark 1719 -j RETURN", // informational (non-functional) RETURN verdicts at the end of the chain
 
 		"nat PORTMASTER-REDIRECT -m mark --mark 1799 -p udp -j DNAT --to 127.0.0.17:53",
 		"nat PORTMASTER-REDIRECT -m mark --mark 1717 -p tcp -j DNAT --to 127.0.0.17:717",
 		"nat PORTMASTER-REDIRECT -m mark --mark 1717 -p udp -j DNAT --to 127.0.0.17:717",
-		// "nat PORTMASTER-REDIRECT -m mark --mark 1717 ! -p tcp ! -p udp -j DNAT --to 127.0.0.17",
+		"nat PORTMASTER-REDIRECT -m mark --mark 1719 -p tcp -j DNAT --to 127.0.0.17:719",
+		"nat PORTMASTER-REDIRECT -m mark --mark 1719 -p udp -j DNAT --to 127.0.0.17:719",
 	}
 
 	v4once = []string{
@@ -132,12 +134,14 @@ func init() {
 		"filter PORTMASTER-FILTER -m mark --mark 1711 -p icmpv6 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1711 -j REJECT --reject-with icmp6-adm-prohibited",
 		"filter PORTMASTER-FILTER -m mark --mark 1712 -j DROP",
-		"filter PORTMASTER-FILTER -m mark --mark 1717 -j RETURN",
+		"filter PORTMASTER-FILTER -m mark --mark 1717 -j RETURN", // informational (non-functional) RETURN verdicts at the end of the chain
+		"filter PORTMASTER-FILTER -m mark --mark 1719 -j RETURN", // informational (non-functional) RETURN verdicts at the end of the chain
 
 		"nat PORTMASTER-REDIRECT -m mark --mark 1799 -p udp -j DNAT --to [::1]:53",
 		"nat PORTMASTER-REDIRECT -m mark --mark 1717 -p tcp -j DNAT --to [::1]:717",
 		"nat PORTMASTER-REDIRECT -m mark --mark 1717 -p udp -j DNAT --to [::1]:717",
-		// "nat PORTMASTER-REDIRECT -m mark --mark 1717 ! -p tcp ! -p udp -j DNAT --to [::1]",
+		"nat PORTMASTER-REDIRECT -m mark --mark 1719 -p tcp -j DNAT --to [::1]:719",
+		"nat PORTMASTER-REDIRECT -m mark --mark 1719 -p udp -j DNAT --to [::1]:719",
 	}
 
 	v6once = []string{