Filter VPN transport from the getActiveNetwork() seed in DefaultNetworkMonitor

start() seeds defaultNetwork from getActiveNetwork(), which returns the
per-app default and may be the app's own VPN when the tun is already up.
LocalResolver then queries DNS through the tun (auto_route) and loops, so
apps under the VPN fail to resolve names.

The async DefaultNetworkListener callback overwrites the seed with the
NOT_VPN-filtered network shortly after, but the synchronous seed is used
for the first resolutions; on ROMs where the tun is up at start() it is the
VPN until the callback corrects it. The request's NOT_VPN capability does
not apply to the direct getActiveNetwork() getter, so filter the VPN
transport from the seed explicitly.

Author: Leadaxe

app/src/main/java/io/nekohasekai/sfa/bg/DefaultNetworkMonitor.kt

@@ -1,6 +1,7 @@
 package io.nekohasekai.sfa.bg
 
 import android.net.Network
+import android.net.NetworkCapabilities
 import android.os.Build
 import io.nekohasekai.libbox.InterfaceUpdateListener
 import io.nekohasekai.sfa.Application
@@ -17,12 +18,22 @@ object DefaultNetworkMonitor {
             checkDefaultInterfaceUpdate(it)
         }
         defaultNetwork = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
-            Application.connectivity.activeNetwork
+            // getActiveNetwork() returns the per-app default, which may be the VPN
+            // that applies to this app. If the tun is already up when start() runs,
+            // seeding defaultNetwork with our own VPN makes LocalResolver query DNS
+            // back through the tun (auto_route) and loop. The NetworkRequest carries
+            // NET_CAPABILITY_NOT_VPN, but that does not apply to this direct getter,
+            // so filter the VPN transport out explicitly.
+            Application.connectivity.activeNetwork?.takeUnless(::isVpn)
         } else {
             DefaultNetworkListener.get()
         }
     }
 
+    private fun isVpn(network: Network): Boolean =
+        Application.connectivity.getNetworkCapabilities(network)
+            ?.hasTransport(NetworkCapabilities.TRANSPORT_VPN) == true
+
     suspend fun stop() {
         DefaultNetworkListener.stop(this)
     }