- 24 Feb, 2026 2 commits
-
Vitaly Lipatov authored
ip rule show format is "PREF:\tfrom ... lookup TABLE", not "... pref PREF". The awk was looking for a "pref"/"priority" field that doesn't exist, so old rules were never removed and new prefs were never applied. Also fix grep -c/-q "lookup TABLE" to use -w (word boundary) to prevent "lookup 2" from matching "lookup 200". Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Pref was calculated as table_number × 10, meaning moving a .list between groups didn't change its priority. Now pref is assigned sequentially by group/list processing order (base=1000, group_step=100, list_step=10). Also improves cleanup_state to detect .list files moved between groups — only removes old state dir without flushing the shared routing table. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
- 23 Feb, 2026 4 commits
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Replace group_monitor_tag (first gateway only) with eval_group_health that checks all gateways. Group is healthy if any gateway is healthy, dead only if all are dead. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Replace monitor file requirement with group_monitor_tag() that derives InfluxDB tag from gateway's PTR record via find_gw_monitor. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
  - Add gw_monitor_tag(): derives InfluxDB tag from gateway PTR record (NAME.egw.etersoft.ru → NAME, with .v6 suffix for IPv6)
  - find_gw_monitor: fallback to PTR-based tag when no monitor file
  - Fix find_gw_monitor: use parse_gw_line instead of resolve_gw to handle "IP metric N" format in gateway files
  - Fix build_route_via and load_list_routes multipath: use parse_gw_line loop instead of resolve_gw with raw gateway lines
  Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
- 22 Feb, 2026 11 commits
-
Vitaly Lipatov authored
Duplicate .list basenames in different groups would share a routing table with conflicting gateways. Detect this early and abort. Also add BIRD2 BGP integration section to --help. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
generate_bird_config() creates /etc/bird/route-tables.conf with protocol kernel blocks for each per-list routing table, tagged with BGP community (AS:table_num). Each kernel syncer gets its own BIRD table with a pipe to master4/master6. Uses 'learn' to import routes from external programs. Only runs if birdc is installed. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
alloc_table vlog was captured by $() into _table variable, breaking route loading for newly allocated tables. Redirect vlog to stderr. Also pre-create resolved.new.tmp to avoid "file not found" on empty resolve. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
has_option returns false when options file is absent, making read_group_config return 1 and skip the entire group. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Per-list names like "egw/blocked" contain / which breaks sed s/// delimiter. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Per-list tables: each .list file gets its own routing table (auto-allocated 200-250) instead of one table per group. Enables BGP redistribution per list.
Gateway metric: "IP metric N" syntax in gateway file. Multiple gateways with metric get separate route entries (preference-based) instead of ECMP multipath.
Per-gateway failover: route-health.sh removes routes only via dead gateway in metric groups, keeping fallback routes alive.
Refactored process_routes() into check_list_changed(), resolve_list_file(), load_list_routes() subfunctions for readability.
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
  - CT 677 (ikev2.hetzner.egw): IPv6 via IPsec with NETMAP 2a03:5a00:c:20::/118 <-> ::c00/118
  - CT 693 (ikev2.vdska.egw): IPv6 via IPsec with NETMAP, MASQUERADE on VDS (shared /47)
  - Add IPv6/NAT66 reference table with all NETMAP-enabled containers
  - Add vdska VDS section (Ubuntu 24.04, IPv6 forwarding, swanctl path)
  - Add swanctl IPv6 traffic selector config example
  - Update egw client IPs, add 10.20.30.x addresses to routers
  Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
  - CT 671 (amneziawg.sprintbox.egw) is actually running, moved from stopped
  - CT 690 (bydpi.ogw) is stopped, moved to stopped section
  - CT 694 (dgw, .12) added as baseline gateway (direct, no tunnel)
  - Updated mermaid diagram and telegraf monitoring accordingly
  Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Port 443 on hetzner is now multiplexed via nginx stream ssl_preread:
  - SNI chatgpt.com → ck-server (Cloak) on :1443
  - other SNI → nginx http on 127.0.0.1:9443
  Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
- 21 Feb, 2026 2 commits
-
Vitaly Lipatov authored
Replace broken sed JSON fallback with epm assure jq. Add fatal() helper to shared functions. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
vlog output was captured by command substitution table=$(lookup_table ...), corrupting the table number with log text. Redirect to stderr. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
- 20 Feb, 2026 3 commits
-
Vitaly Lipatov authored
Only re-resolve list files that actually changed (detected by mtime vs saved hash file). Unchanged files reuse cached resolved IPs from resolved_parts/ directory. Log message now shows which files triggered the re-resolve. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
- 19 Feb, 2026 2 commits
-
Vitaly Lipatov authored
antifilter lists contain IPs with /32 suffix, other lists without. This caused duplicates in resolved file (1.1.1.1 vs 1.1.1.1/32). Strip /32 before sort -u to properly deduplicate. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
ip route show omits /32 suffix for host routes, but resolved lists from antifilter contain explicit /32. This mismatch caused comm to mark all host routes as stale and delete them immediately after loading. Normalize both sides by stripping /32 before comparison. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
- 18 Feb, 2026 16 commits
-
Vitaly Lipatov authored
Same issue as vlog() — [ -n "$EXTRA_DNS" ] && cmd returns exit code 1 when EXTRA_DNS is empty, which can affect callers. Add || true to all four occurrences. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
vlog() { [ -n "$VERBOSE" ] && log "..." } returns exit code 1 when VERBOSE is empty, causing &&/|| chains to take wrong branch. This made "Extra DNS unreachable" message appear even when DNS works. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
  - Add new container bydpi.ogw (CT 690, .129) with byedpi DPI bypass
  - Add ovpn.vdska.egw (CT 688, .128) to documentation
  - Update ikev2.beget.ogw IP from .12 to .130
  - Update mermaid diagram with all new containers
  Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
  - Mark CT 670 (cloak.ovpn.sprintbox) and CT 672 (nfqws.ovpn.sprintbox) as running
  - Rename CT 677 from ikev2.egw to ikev2.hetzner.egw, move to hetzner group
  - Rename beget.egw.eterhost.ru to beget.ogw.eterhost.ru
  - Add DPI blocking note for CT 673 (amneziawg.hetzner.egw)
  - Update mermaid diagram connections
  Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Move from "Остановленные" to "Работающие" section, update mermaid diagram (remove ⏸, add connections to hetzner and igw routing). Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Minimal script that only configures interface IP (IPv4+IPv6) without touching routing tables. Used by openconnect-egw.service. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Use grep '^[^[:space:]]' instead of wc -l for consistent counting when routes have multipath nexthop lines (3 lines per route). Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
The routes/rules existence check only ran when the hash matched. When the hash changed (e.g. DNS availability) but resolved IPs were unchanged, routes were not reloaded even if empty in kernel. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
IPv6 addresses like 2a03:5a00:c:20::122 contain hex letters (a-f), matching the *[a-zA-Z]* hostname pattern. Check for colon first to handle IPv6 as literal addresses. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
grep '\t' in bracket expression matches literal backslash+t, not tab. Use [^[:space:]] which works correctly with multipath nexthop lines. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Add check_extra_dns() to probe external DNS (8.8.8.8) reachability. Skip it when unreachable to avoid timeouts. Include availability in route-update.sh hash so routes re-resolve when DNS comes back. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Timeout errors from adnshost (especially via 8.8.8.8) should not trigger dig fallback — retrying will also timeout. This was causing 10+ minute delays on hosts where 8.8.8.8 is unreachable. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Remove duplicated log/has_option, use read_value, ipcmd_for, table_by_name, resolve_default_gw from shared functions. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-
Vitaly Lipatov authored
Replace inline definitions with shared functions: log, has_option, rule_pref, resolve_gw, resolve_default_gw. Use read_value/read_values instead of grep -v '^#' | grep -m1, ipcmd_for instead of manual detection, table_by_name inside lookup_table. Co-Authored-By:Claude Opus 4.6 <noreply@anthropic.com>
-