net: expose a way to inject a function after fd created before connect/listen

[ayanamist]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.9 windows/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

set GOARCH=arm64
set GOBIN=
set GOEXE=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=android
set GOPATH=C:\Users\ayanamist\Documents\Projects\gopath
set GORACE=
set GOROOT=C:\Go
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=C:\Users\ayanamist\AppData\Local\Android\sdk\ndk-root\bin\aarch64-linux-android-clang.cmd
set GOGCCFLAGS=-fPIC -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\AYANAM~1\AppData\Local\Temp\go-build570635583=/tmp/go-build -gno-record-gcc-switches
set CXX=g++
set CGO_ENABLED=1
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config

What did you do?

I'm writing an Android VPN app using VPNService with golang, and want to use protect method to let socket created by golang executables bypass vpn.
I have done a bridge to pass socket fd from golang to java, but i found this can not work, because protect method using fwmark to work, and it requires protect invoked before connect/listen.
All socket fds bundles fd creation and connect/listen, so we need a method to use protect after fd create before connect/listen.
Currently, i forked golang and add a setter in net/hook_unix.go which make socketFunc settable.
Also i found another project shadowsocks-android use similar method shadowsocks@5eb4737

What did you expect to see?

Provide a method to hook between fd creation and socket connect/listen

What did you see instead?

[ianlancetaylor]

I believe you can do this by calling syscall.Socket to get a socket, doing whatever you like to the socket, then calling syscall.Connect, then os.NewFile to convert the socket descriptor into an os.File, then net.FileConn to convert the os.File into a net.Conn. Certainly awkward, but it's not clear that we want to complicate the net package by inserting hooks that can run arbitrary code.

[ayanamist]

@ianlancetaylor I have considered your solution before, but after i read all codes related to connect/listen, i found what you said is quite complicated.
For example, tcp and udp have quite different implementation after fd creation.
I have to copy nearly all net related codes to implement what you said.

Now i create a new file hook_android.go under $GOROOT/src/net with

package net

func SetSocketFunc(f func(int, int, int) (int, error)) {
	socketFunc = f
}

So i can reuse all codes, and inject my function in a init function.

Can you provide similar solution?

[ianlancetaylor]

I think that solution is more or less a non-starter. It's only going to work where you know that no init code creates a socket and where you know exactly which sockets are created.

More plausible would be code in golang.org/x/net that does what I already suggested. It only has to be written once.

[ayanamist]

where you know exactly which sockets are created

No, i don't need to distinguish this, all outgoing sockets need this "protect".

And init code creates a socket is rare.

Copy nearly all existing net code to golang.org/x/net with only one hook function different? I think it's more difficult to maintain.

[ianlancetaylor]

We don't need to copy all existing net code to golang.org/x/net. We only need the code needed to initialize a socket.

I understand that the hook can fix your specific problem. I'm questioning whether it is a general solution. And the API of the net package is already too complex.

[ayanamist]

It's a Android-specific issue, because in other situation, we can pre-configure iptables rules to apply fwmark for all new connections. Only Android non-root VPNService implementation make things complicated, so i suggest use "_android" suffix to limit this API to android only.

[mikioh]

Dup of #9661.