After the TUN inbound is implemented, there is an important detail users need to handle: for every outbound, sockopt.interface must be explicitly set to a physical egress network interface. Otherwise, traffic may fall back to the TUN inbound by default, causing a routing loop.

I’d like to propose adding a new high-level option to sockopt, for example:

sockopt.excludedInterface = "utun99"

This option would specify which network interfaces should be avoided. When it is set, the system would:

1. Automatically retrieve the list of available network interfaces
2. Sort them by routing priority / hop distance
3. Exclude the specified interfaces (e.g. utun99)
4. Select the highest-priority remaining interface (e.g. en0)

The end result would be functionally equivalent to setting:

sockopt.interface = "en0"

but without requiring users to hardcode the actual egress interface name.

As an alternative design, we could continue using sockopt.interface but extend its string syntax with rules, for example:

sockopt.interface = "excluded:utun99"

This would indicate that the outbound should automatically select an interface, excluding the specified one(s).