migrate to golang.zx2c4.com/wireguard/wgctrl (#239)

* migrate to golang.zx2c4.com/wireguard/wgctrl

This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor wgctrl

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* apply suggestions from code review

Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/*: use wireguard.Enpoint

This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.

Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/wireguard/conf_test.go: add tests for Endpoint

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kg/main.go: validate port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* add suggestions from review

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/mesh/mesh.go: use Equal func

Implement an Equal func for Enpoint and use it instead of comparing
strings.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kgctl/main.go: check port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor

Signed-off-by: leonnicolas <leonloechner@gmx.de>

vendor/github.com/mdlayher/socket/LICENSE.md

@@ -0,0 +1,9 @@
+# MIT License
+
+Copyright (C) 2021 Matt Layher
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

vendor/github.com/mdlayher/socket/README.md

@@ -0,0 +1,14 @@
+# socket [![Test Status](https://github.com/mdlayher/socket/workflows/Test/badge.svg)](https://github.com/mdlayher/socket/actions) [![Go Reference](https://pkg.go.dev/badge/github.com/mdlayher/socket.svg)](https://pkg.go.dev/github.com/mdlayher/socket) [![Go Report Card](https://goreportcard.com/badge/github.com/mdlayher/socket)](https://goreportcard.com/report/github.com/mdlayher/socket)
+
+Package `socket` provides a low-level network connection type which integrates
+with Go's runtime network poller to provide asynchronous I/O and deadline
+support. MIT Licensed.
+
+This package focuses on UNIX-like operating systems which make use of BSD
+sockets system call APIs. It is meant to be used as a foundation for the
+creation of operating system-specific socket packages, for socket families such
+as Linux's `AF_NETLINK`, `AF_PACKET`, or `AF_VSOCK`. This package should not be
+used directly in end user applications.
+
+Any use of package socket should be guarded by build tags, as one would also
+use when importing the `syscall` or `golang.org/x/sys` packages.

vendor/github.com/mdlayher/socket/accept.go

@@ -0,0 +1,23 @@
+//go:build !dragonfly && !freebsd && !illumos && !linux
+// +build !dragonfly,!freebsd,!illumos,!linux
+
+package socket
+
+import (
+	"fmt"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+)
+
+const sysAccept = "accept"
+
+// accept wraps accept(2).
+func accept(fd, flags int) (int, unix.Sockaddr, error) {
+	if flags != 0 {
+		// These operating systems have no support for flags to accept(2).
+		return 0, nil, fmt.Errorf("socket: Conn.Accept flags are ineffective on %s", runtime.GOOS)
+	}
+
+	return unix.Accept(fd)
+}

vendor/github.com/mdlayher/socket/accept4.go

@@ -0,0 +1,15 @@
+//go:build dragonfly || freebsd || illumos || linux
+// +build dragonfly freebsd illumos linux
+
+package socket
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+const sysAccept = "accept4"
+
+// accept wraps accept4(2).
+func accept(fd, flags int) (int, unix.Sockaddr, error) {
+	return unix.Accept4(fd, flags)
+}

vendor/github.com/mdlayher/socket/conn.go

@@ -0,0 +1,496 @@
+package socket
+
+import (
+	"os"
+	"sync/atomic"
+	"syscall"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+// A Conn is a low-level network connection which integrates with Go's runtime
+// network poller to provide asynchronous I/O and deadline support.
+type Conn struct {
+	// Indicates whether or not Conn.Close has been called. Must be accessed
+	// atomically. Atomics definitions must come first in the Conn struct.
+	closed uint32
+
+	// A unique name for the Conn which is also associated with derived file
+	// descriptors such as those created by accept(2).
+	name string
+
+	// Provides access to the underlying file registered with the runtime
+	// network poller, and arbitrary raw I/O calls.
+	fd *os.File
+	rc syscall.RawConn
+}
+
+// High-level methods which provide convenience over raw system calls.
+
+// Close closes the underlying file descriptor for the Conn, which also causes
+// all in-flight I/O operations to immediately unblock and return errors. Any
+// subsequent uses of Conn will result in EBADF.
+func (c *Conn) Close() error {
+	// The caller has expressed an intent to close the socket, so immediately
+	// increment s.closed to force further calls to result in EBADF before also
+	// closing the file descriptor to unblock any outstanding operations.
+	//
+	// Because other operations simply check for s.closed != 0, we will permit
+	// double Close, which would increment s.closed beyond 1.
+	if atomic.AddUint32(&c.closed, 1) != 1 {
+		// Multiple Close calls.
+		return nil
+	}
+
+	return os.NewSyscallError("close", c.fd.Close())
+}
+
+// Read implements io.Reader by reading directly from the underlying file
+// descriptor.
+func (c *Conn) Read(b []byte) (int, error) { return c.fd.Read(b) }
+
+// Write implements io.Writer by writing directly to the underlying file
+// descriptor.
+func (c *Conn) Write(b []byte) (int, error) { return c.fd.Write(b) }
+
+// SetDeadline sets both the read and write deadlines associated with the Conn.
+func (c *Conn) SetDeadline(t time.Time) error { return c.fd.SetDeadline(t) }
+
+// SetReadDeadline sets the read deadline associated with the Conn.
+func (c *Conn) SetReadDeadline(t time.Time) error { return c.fd.SetReadDeadline(t) }
+
+// SetWriteDeadline sets the write deadline associated with the Conn.
+func (c *Conn) SetWriteDeadline(t time.Time) error { return c.fd.SetWriteDeadline(t) }
+
+// ReadBuffer gets the size of the operating system's receive buffer associated
+// with the Conn.
+func (c *Conn) ReadBuffer() (int, error) {
+	return c.GetsockoptInt(unix.SOL_SOCKET, unix.SO_RCVBUF)
+}
+
+// WriteBuffer gets the size of the operating system's transmit buffer
+// associated with the Conn.
+func (c *Conn) WriteBuffer() (int, error) {
+	return c.GetsockoptInt(unix.SOL_SOCKET, unix.SO_SNDBUF)
+}
+
+// SetReadBuffer sets the size of the operating system's receive buffer
+// associated with the Conn.
+//
+// When called with elevated privileges on Linux, the SO_RCVBUFFORCE option will
+// be used to override operating system limits. Otherwise SO_RCVBUF is used
+// (which obeys operating system limits).
+func (c *Conn) SetReadBuffer(bytes int) error { return c.setReadBuffer(bytes) }
+
+// SetWriteBuffer sets the size of the operating system's transmit buffer
+// associated with the Conn.
+//
+// When called with elevated privileges on Linux, the SO_SNDBUFFORCE option will
+// be used to override operating system limits. Otherwise SO_SNDBUF is used
+// (which obeys operating system limits).
+func (c *Conn) SetWriteBuffer(bytes int) error { return c.setWriteBuffer(bytes) }
+
+// SyscallConn returns a raw network connection. This implements the
+// syscall.Conn interface.
+//
+// SyscallConn is intended for advanced use cases, such as getting and setting
+// arbitrary socket options using the socket's file descriptor. If possible,
+// those operations should be performed using methods on Conn instead.
+//
+// Once invoked, it is the caller's responsibility to ensure that operations
+// performed using Conn and the syscall.RawConn do not conflict with each other.
+func (c *Conn) SyscallConn() (syscall.RawConn, error) {
+	if atomic.LoadUint32(&c.closed) != 0 {
+		return nil, os.NewSyscallError("syscallconn", unix.EBADF)
+	}
+
+	// TODO(mdlayher): mutex or similar to enforce syscall.RawConn contract of
+	// FD remaining valid for duration of calls?
+	return c.rc, nil
+}
+
+// Socket wraps the socket(2) system call to produce a Conn. domain, typ, and
+// proto are passed directly to socket(2), and name should be a unique name for
+// the socket type such as "netlink" or "vsock".
+//
+// If the operating system supports SOCK_CLOEXEC and SOCK_NONBLOCK, they are
+// automatically applied to typ to mirror the standard library's socket flag
+// behaviors.
+func Socket(domain, typ, proto int, name string) (*Conn, error) {
+	var (
+		fd  int
+		err error
+	)
+
+	for {
+		fd, err = unix.Socket(domain, typ|socketFlags, proto)
+		switch {
+		case err == nil:
+			// Some OSes already set CLOEXEC with typ.
+			if !flagCLOEXEC {
+				unix.CloseOnExec(fd)
+			}
+
+			// No error, prepare the Conn.
+			return newConn(fd, name)
+		case !ready(err):
+			// System call interrupted or not ready, try again.
+			continue
+		case err == unix.EINVAL, err == unix.EPROTONOSUPPORT:
+			// On Linux, SOCK_NONBLOCK and SOCK_CLOEXEC were introduced in
+			// 2.6.27. On FreeBSD, both flags were introduced in FreeBSD 10.
+			// EINVAL and EPROTONOSUPPORT check for earlier versions of these
+			// OSes respectively.
+			//
+			// Mirror what the standard library does when creating file
+			// descriptors: avoid racing a fork/exec with the creation of new
+			// file descriptors, so that child processes do not inherit socket
+			// file descriptors unexpectedly.
+			//
+			// For a more thorough explanation, see similar work in the Go tree:
+			// func sysSocket in net/sock_cloexec.go, as well as the detailed
+			// comment in syscall/exec_unix.go.
+			syscall.ForkLock.RLock()
+			fd, err = unix.Socket(domain, typ, proto)
+			if err == nil {
+				unix.CloseOnExec(fd)
+			}
+			syscall.ForkLock.RUnlock()
+
+			return newConn(fd, name)
+		default:
+			// Unhandled error.
+			return nil, os.NewSyscallError("socket", err)
+		}
+	}
+}
+
+// TODO(mdlayher): consider exporting newConn as New?
+
+// newConn wraps an existing file descriptor to create a Conn. name should be a
+// unique name for the socket type such as "netlink" or "vsock".
+func newConn(fd int, name string) (*Conn, error) {
+	// All Conn I/O is nonblocking for integration with Go's runtime network
+	// poller. Depending on the OS this might already be set but it can't hurt
+	// to set it again.
+	if err := unix.SetNonblock(fd, true); err != nil {
+		return nil, os.NewSyscallError("setnonblock", err)
+	}
+
+	// os.NewFile registers the non-blocking file descriptor with the runtime
+	// poller, which is then used for most subsequent operations except those
+	// that require raw I/O via SyscallConn.
+	//
+	// See also: https://golang.org/pkg/os/#NewFile
+	f := os.NewFile(uintptr(fd), name)
+	rc, err := f.SyscallConn()
+	if err != nil {
+		return nil, err
+	}
+
+	return &Conn{
+		name: name,
+		fd:   f,
+		rc:   rc,
+	}, nil
+}
+
+// Low-level methods which provide raw system call access.
+
+// Accept wraps accept(2) or accept4(2) depending on the operating system, but
+// returns a Conn for the accepted connection rather than a raw file descriptor.
+//
+// If the operating system supports accept4(2) (which allows flags),
+// SOCK_CLOEXEC and SOCK_NONBLOCK are automatically applied to flags to mirror
+// the standard library's socket flag behaviors.
+//
+// If the operating system only supports accept(2) (which does not allow flags)
+// and flags is not zero, an error will be returned.
+func (c *Conn) Accept(flags int) (*Conn, unix.Sockaddr, error) {
+	var (
+		nfd int
+		sa  unix.Sockaddr
+		err error
+	)
+
+	doErr := c.read(sysAccept, func(fd int) error {
+		// Either accept(2) or accept4(2) depending on the OS.
+		nfd, sa, err = accept(fd, flags|socketFlags)
+		return err
+	})
+	if doErr != nil {
+		return nil, nil, doErr
+	}
+	if err != nil {
+		// sysAccept is either "accept" or "accept4" depending on the OS.
+		return nil, nil, os.NewSyscallError(sysAccept, err)
+	}
+
+	// Successfully accepted a connection, wrap it in a Conn for use by the
+	// caller.
+	ac, err := newConn(nfd, c.name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return ac, sa, nil
+}
+
+// Bind wraps bind(2).
+func (c *Conn) Bind(sa unix.Sockaddr) error {
+	const op = "bind"
+
+	var err error
+	doErr := c.control(op, func(fd int) error {
+		err = unix.Bind(fd, sa)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// Connect wraps connect(2).
+func (c *Conn) Connect(sa unix.Sockaddr) error {
+	const op = "connect"
+
+	var err error
+	doErr := c.write(op, func(fd int) error {
+		err = unix.Connect(fd, sa)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	if err == unix.EISCONN {
+		// Darwin reports EISCONN if already connected, but the socket is
+		// established and we don't need to report an error.
+		return nil
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// Getsockname wraps getsockname(2).
+func (c *Conn) Getsockname() (unix.Sockaddr, error) {
+	const op = "getsockname"
+
+	var (
+		sa  unix.Sockaddr
+		err error
+	)
+
+	doErr := c.control(op, func(fd int) error {
+		sa, err = unix.Getsockname(fd)
+		return err
+	})
+	if doErr != nil {
+		return nil, doErr
+	}
+
+	return sa, os.NewSyscallError(op, err)
+}
+
+// GetsockoptInt wraps getsockopt(2) for integer values.
+func (c *Conn) GetsockoptInt(level, opt int) (int, error) {
+	const op = "getsockopt"
+
+	var (
+		value int
+		err   error
+	)
+
+	doErr := c.control(op, func(fd int) error {
+		value, err = unix.GetsockoptInt(fd, level, opt)
+		return err
+	})
+	if doErr != nil {
+		return 0, doErr
+	}
+
+	return value, os.NewSyscallError(op, err)
+}
+
+// Listen wraps listen(2).
+func (c *Conn) Listen(n int) error {
+	const op = "listen"
+
+	var err error
+	doErr := c.control(op, func(fd int) error {
+		err = unix.Listen(fd, n)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// Recvmsg wraps recvmsg(2).
+func (c *Conn) Recvmsg(p, oob []byte, flags int) (int, int, int, unix.Sockaddr, error) {
+	const op = "recvmsg"
+
+	var (
+		n, oobn, recvflags int
+		from               unix.Sockaddr
+		err                error
+	)
+
+	doErr := c.read(op, func(fd int) error {
+		n, oobn, recvflags, from, err = unix.Recvmsg(fd, p, oob, flags)
+		return err
+	})
+	if doErr != nil {
+		return 0, 0, 0, nil, doErr
+	}
+
+	return n, oobn, recvflags, from, os.NewSyscallError(op, err)
+}
+
+// Recvfrom wraps recvfrom(2)
+func (c *Conn) Recvfrom(p []byte, flags int) (int, unix.Sockaddr, error) {
+	const op = "recvfrom"
+
+	var (
+		n    int
+		addr unix.Sockaddr
+		err  error
+	)
+
+	doErr := c.read(op, func(fd int) error {
+		n, addr, err = unix.Recvfrom(fd, p, flags)
+		return err
+	})
+	if doErr != nil {
+		return 0, nil, doErr
+	}
+
+	return n, addr, os.NewSyscallError(op, err)
+}
+
+// Sendmsg wraps sendmsg(2).
+func (c *Conn) Sendmsg(p, oob []byte, to unix.Sockaddr, flags int) error {
+	const op = "sendmsg"
+
+	var err error
+	doErr := c.write(op, func(fd int) error {
+		err = unix.Sendmsg(fd, p, oob, to, flags)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// Sendto wraps Sendto(2).
+func (c *Conn) Sendto(b []byte, to unix.Sockaddr, flags int) error {
+	const op = "sendto"
+
+	var err error
+	doErr := c.write(op, func(fd int) error {
+		err = unix.Sendto(fd, b, flags, to)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// SetsockoptInt wraps setsockopt(2) for integer values.
+func (c *Conn) SetsockoptInt(level, opt, value int) error {
+	const op = "setsockopt"
+
+	var err error
+	doErr := c.control(op, func(fd int) error {
+		err = unix.SetsockoptInt(fd, level, opt, value)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// Conn low-level read/write/control functions. These functions mirror the
+// syscall.RawConn APIs but the input closures return errors rather than
+// booleans. Any syscalls invoked within f should return their error to allow
+// the Conn to check for readiness with the runtime network poller, or to retry
+// operations which may have been interrupted by EINTR or similar.
+//
+// Note that errors from the input closure functions are not propagated to the
+// error return values of read/write/control, and the caller is still
+// responsible for error handling.
+
+// read executes f, a read function, against the associated file descriptor.
+// op is used to create an *os.SyscallError if the file descriptor is closed.
+func (c *Conn) read(op string, f func(fd int) error) error {
+	if atomic.LoadUint32(&c.closed) != 0 {
+		return os.NewSyscallError(op, unix.EBADF)
+	}
+
+	return c.rc.Read(func(fd uintptr) bool {
+		return ready(f(int(fd)))
+	})
+}
+
+// write executes f, a write function, against the associated file descriptor.
+// op is used to create an *os.SyscallError if the file descriptor is closed.
+func (c *Conn) write(op string, f func(fd int) error) error {
+	if atomic.LoadUint32(&c.closed) != 0 {
+		return os.NewSyscallError(op, unix.EBADF)
+	}
+
+	return c.rc.Write(func(fd uintptr) bool {
+		return ready(f(int(fd)))
+	})
+}
+
+// control executes f, a control function, against the associated file
+// descriptor. op is used to create an *os.SyscallError if the file descriptor
+// is closed.
+func (c *Conn) control(op string, f func(fd int) error) error {
+	if atomic.LoadUint32(&c.closed) != 0 {
+		return os.NewSyscallError(op, unix.EBADF)
+	}
+
+	return c.rc.Control(func(fd uintptr) {
+		// Repeatedly attempt the syscall(s) invoked by f until completion is
+		// indicated by the return value of ready.
+		for {
+			if ready(f(int(fd))) {
+				return
+			}
+		}
+	})
+}
+
+// ready indicates readiness based on the value of err.
+func ready(err error) bool {
+	// When a socket is in non-blocking mode, we might see EAGAIN or
+	// EINPROGRESS. In that case, return false to let the poller wait for
+	// readiness. See the source code for internal/poll.FD.RawRead for more
+	// details.
+	//
+	// Starting in Go 1.14, goroutines are asynchronously preemptible. The 1.14
+	// release notes indicate that applications should expect to see EINTR more
+	// often on slow system calls (like recvmsg while waiting for input), so we
+	// must handle that case as well.
+	switch err {
+	case unix.EAGAIN, unix.EINTR, unix.EINPROGRESS:
+		// Not ready.
+		return false
+	default:
+		// Ready regardless of whether there was an error or no error.
+		return true
+	}
+}

vendor/github.com/mdlayher/socket/conn_linux.go

@@ -0,0 +1,88 @@
+//go:build linux
+// +build linux
+
+package socket
+
+import (
+	"os"
+	"unsafe"
+
+	"golang.org/x/net/bpf"
+	"golang.org/x/sys/unix"
+)
+
+// SetBPF attaches an assembled BPF program to a Conn.
+func (c *Conn) SetBPF(filter []bpf.RawInstruction) error {
+	// We can't point to the first instruction in the array if no instructions
+	// are present.
+	if len(filter) == 0 {
+		return os.NewSyscallError("setsockopt", unix.EINVAL)
+	}
+
+	prog := unix.SockFprog{
+		Len:    uint16(len(filter)),
+		Filter: (*unix.SockFilter)(unsafe.Pointer(&filter[0])),
+	}
+
+	return c.SetsockoptSockFprog(unix.SOL_SOCKET, unix.SO_ATTACH_FILTER, &prog)
+}
+
+// RemoveBPF removes a BPF filter from a Conn.
+func (c *Conn) RemoveBPF() error {
+	// 0 argument is ignored.
+	return c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_DETACH_FILTER, 0)
+}
+
+// SetsockoptSockFprog wraps setsockopt(2) for unix.SockFprog values.
+func (c *Conn) SetsockoptSockFprog(level, opt int, fprog *unix.SockFprog) error {
+	const op = "setsockopt"
+
+	var err error
+	doErr := c.control(op, func(fd int) error {
+		err = unix.SetsockoptSockFprog(fd, level, opt, fprog)
+		return err
+	})
+	if doErr != nil {
+		return doErr
+	}
+
+	return os.NewSyscallError(op, err)
+}
+
+// GetSockoptTpacketStats wraps getsockopt(2) for getting TpacketStats
+func (c *Conn) GetSockoptTpacketStats(level, name int) (*unix.TpacketStats, error) {
+	const op = "getsockopt"
+
+	var (
+		stats *unix.TpacketStats
+		err   error
+	)
+
+	doErr := c.control(op, func(fd int) error {
+		stats, err = unix.GetsockoptTpacketStats(fd, level, name)
+		return err
+	})
+	if doErr != nil {
+		return stats, doErr
+	}
+	return stats, os.NewSyscallError(op, err)
+}
+
+// GetSockoptTpacketStatsV3 wraps getsockopt(2) for getting TpacketStatsV3
+func (c *Conn) GetSockoptTpacketStatsV3(level, name int) (*unix.TpacketStatsV3, error) {
+	const op = "getsockopt"
+
+	var (
+		stats *unix.TpacketStatsV3
+		err   error
+	)
+
+	doErr := c.control(op, func(fd int) error {
+		stats, err = unix.GetsockoptTpacketStatsV3(fd, level, name)
+		return err
+	})
+	if doErr != nil {
+		return stats, doErr
+	}
+	return stats, os.NewSyscallError(op, err)
+}

vendor/github.com/mdlayher/socket/doc.go

@@ -0,0 +1,13 @@
+// Package socket provides a low-level network connection type which integrates
+// with Go's runtime network poller to provide asynchronous I/O and deadline
+// support.
+//
+// This package focuses on UNIX-like operating systems which make use of BSD
+// sockets system call APIs. It is meant to be used as a foundation for the
+// creation of operating system-specific socket packages, for socket families
+// such as Linux's AF_NETLINK, AF_PACKET, or AF_VSOCK. This package should not
+// be used directly in end user applications.
+//
+// Any use of package socket should be guarded by build tags, as one would also
+// use when importing the syscall or golang.org/x/sys packages.
+package socket

vendor/github.com/mdlayher/socket/setbuffer_linux.go

@@ -0,0 +1,24 @@
+//go:build linux
+// +build linux
+
+package socket
+
+import "golang.org/x/sys/unix"
+
+// setReadBuffer wraps the SO_RCVBUF{,FORCE} setsockopt(2) options.
+func (c *Conn) setReadBuffer(bytes int) error {
+	err := c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_RCVBUFFORCE, bytes)
+	if err != nil {
+		err = c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_RCVBUF, bytes)
+	}
+	return err
+}
+
+// setWriteBuffer wraps the SO_SNDBUF{,FORCE} setsockopt(2) options.
+func (c *Conn) setWriteBuffer(bytes int) error {
+	err := c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_SNDBUFFORCE, bytes)
+	if err != nil {
+		err = c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_SNDBUF, bytes)
+	}
+	return err
+}

vendor/github.com/mdlayher/socket/setbuffer_others.go

@@ -0,0 +1,16 @@
+//go:build !linux
+// +build !linux
+
+package socket
+
+import "golang.org/x/sys/unix"
+
+// setReadBuffer wraps the SO_RCVBUF setsockopt(2) option.
+func (c *Conn) setReadBuffer(bytes int) error {
+	return c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_RCVBUF, bytes)
+}
+
+// setWriteBuffer wraps the SO_SNDBUF setsockopt(2) option.
+func (c *Conn) setWriteBuffer(bytes int) error {
+	return c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_SNDBUF, bytes)
+}

vendor/github.com/mdlayher/socket/typ_cloexec_nonblock.go

@@ -0,0 +1,12 @@
+//go:build !darwin
+// +build !darwin
+
+package socket
+
+import "golang.org/x/sys/unix"
+
+const (
+	// These operating systems support CLOEXEC and NONBLOCK socket options.
+	flagCLOEXEC = true
+	socketFlags = unix.SOCK_CLOEXEC | unix.SOCK_NONBLOCK
+)

vendor/github.com/mdlayher/socket/typ_none.go

@@ -0,0 +1,11 @@
+//go:build darwin
+// +build darwin
+
+package socket
+
+const (
+	// These operating systems do not support CLOEXEC and NONBLOCK socket
+	// options.
+	flagCLOEXEC = false
+	socketFlags = 0
+)