mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

split-tunnel exception documentation addition #4817

Open pmelse opened 1 year ago

pmelse commented 1 year ago

Issue report

Operating system: Debian GNU/Linux 12

App version: 2023.3

Issue description

https://mullvad.net/en/help/split-tunneling-with-linux-advanced/ could use one more addition for allowing incoming connections from specific source networks, rather than to specific ports.

define EXCLUDED_IPS = {
  192.168.0.0/24,   # was 192.168.0.1/24; host bits zeroed to the /24 prefix
  10.10.0.0/16,     # was "10.10.0.0,16"; nft expects a slash before the prefix length
  172.16.0.2
}

table inet excludeTraffic {
  chain allowOutgoing {
    # Traffic to the excluded networks is marked so it bypasses the tunnel
    type route hook output priority -100; policy accept;
    ip daddr $EXCLUDED_IPS ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }

  chain allowIncoming {
    # Connections from the excluded networks are marked the same way
    type filter hook input priority -100; policy accept;
    ip saddr $EXCLUDED_IPS ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}

In addition, something about automatically adding/reloading tables / chains on connection/re-connection would be useful.
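As an added example (not code from the Mullvad project or the reporter), the following script validates a list of excluded networks and renders the table above from it, so malformed set elements such as `10.10.0.0,16` are caught before the file is handed to `nft -f`; the table and variable names and the mark values are those from the issue.

```python
"""Validate and render an nftables split-tunnel exclusion table.

Added example (not Mullvad's or the reporter's code): each network is
canonicalised with ipaddress so typos like "10.10.0.0,16" fail before nft -f."""
import ipaddress

# Mark values used by the split-tunneling guide quoted in the issue.
CT_MARK = "0x00000f41"
META_MARK = "0x6d6f6c65"


def parse_entry(entry):
    """Return the canonical IPv4Network for one set element, or None if nft
    would reject it. Host bits are zeroed (192.168.0.1/24 -> 192.168.0.0/24)."""
    try:
        return ipaddress.IPv4Network(entry.strip(), strict=False)
    except ValueError:
        return None


def render_network(net):
    """Single hosts are written without a /32 suffix, as in the issue."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def build_ruleset(entries, table="excludeTraffic", var="EXCLUDED_IPS"):
    """Return nft script text: a define plus output/input chains that mark
    traffic to/from the excluded networks so it bypasses the tunnel."""
    parsed = {e: parse_entry(e) for e in entries}
    bad = [e for e, net in parsed.items() if net is None]
    if bad or not parsed:
        raise ValueError(f"invalid or empty exclusion set: {bad}")
    nets = sorted(set(parsed.values()),
                  key=lambda n: (int(n.network_address), n.prefixlen))
    elems = ",\n".join(f"    {render_network(n)}" for n in nets)
    marks = f"ct mark set {CT_MARK} meta mark set {META_MARK}"
    return (f"define {var} = {{\n{elems}\n}}\n\n"
            f"table inet {table} {{\n"
            f"  chain allowOutgoing {{\n"
            f"    type route hook output priority -100; policy accept;\n"
            f"    ip daddr ${var} {marks};\n  }}\n\n"
            f"  chain allowIncoming {{\n"
            f"    type filter hook input priority -100; policy accept;\n"
            f"    ip saddr ${var} {marks};\n  }}\n}}\n")


if __name__ == "__main__":
    print(build_ruleset(["192.168.0.1/24", "10.10.0.0/16", "172.16.0.2"]))
```

Redirect the output to a file and check it with `nft -c -f <file>` before loading it; the generated table is separate from Mullvad's own tables and can be reloaded independently.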

pinkisemils commented 1 year ago

If you add your own table, it shouldn't be removed when our tables are reloaded - and these rules should have no practical impact on traffic when our tables are removed. Furthermore, these subnets are excluded by default, as long as LAN traffic is allowed, unless you want to harden your setup to have an allowlist instead of allowing all local area networks to reach your host.