Add Android VPN socket protection support

When the `__android_vpn` plugin option is set, protect outbound UDP
socket fds by sending them to the Android VPN service via a Unix
domain socket at `protect_path` using SCM_RIGHTS. This prevents
routing loops when running under shadowsocks-android's VPN mode.

- Add `protect.rs` module (Android-only) implementing the fd
  protection protocol (mirrors v2ray-plugin's utils_android.go)
- Extract `create_udp_socket()` helper that binds and protects
  the QUIC endpoint socket
- Use `Endpoint::new()` with pre-created socket instead of
  `Endpoint::client()` so the fd can be protected before use
- Also protect sockets created during timeout rebind

Co-Authored-By: Claude (claude-opus-4-6) <noreply@anthropic.com>

Author: 2 people

Cargo.toml

@@ -34,5 +34,8 @@ env_logger = "0.11"
 dirs = "6"
 rustls-native-certs = "0.8"
 
+[target.'cfg(target_os = "android")'.dependencies]
+libc = "0.2"
+
 [dev-dependencies]
 serial_test = "3"

src/client.rs

@@ -16,6 +16,8 @@ use log::LevelFilter;
 
 mod args;
 mod common;
+#[cfg(target_os = "android")]
+mod protect;
 
 #[derive(Parser, Debug)]
 #[command(name = "qtun-client")]
@@ -31,6 +33,28 @@ struct Opt {
     host: String,
 }
 
+/// Create a UDP socket and optionally protect it for Android VPN mode.
+fn create_udp_socket(vpn_mode: bool) -> Result<std::net::UdpSocket> {
+    let socket = if cfg!(target_os = "windows") {
+        std::net::UdpSocket::bind("0.0.0.0:0")?
+    } else {
+        std::net::UdpSocket::bind("[::]:0")?
+    };
+
+    #[cfg(target_os = "android")]
+    if vpn_mode {
+        use std::os::unix::io::AsRawFd;
+        let fd = socket.as_raw_fd();
+        protect::protect(fd).map_err(|e| anyhow!("failed to protect socket: {:?}", e))?;
+        info!("socket fd {} protected", fd);
+    }
+
+    #[cfg(not(target_os = "android"))]
+    let _ = vpn_mode;
+
+    Ok(socket)
+}
+
 #[tokio::main]
 async fn main() -> Result<()> {
     // setup log
@@ -46,6 +70,7 @@ async fn main() -> Result<()> {
     let mut listen_addr = options.listen;
     let mut relay_addr = options.relay;
     let mut host = options.host;
+    let mut vpn_mode = false;
 
     // parse environment variables
     if let Ok((ss_local_addr, ss_remote_addr)) = args::parse_env_addr() {
@@ -57,6 +82,10 @@ async fn main() -> Result<()> {
         if let Some(h) = ss_plugin_opts.get("host") {
             host = h.clone();
         }
+        if ss_plugin_opts.contains_key("__android_vpn") {
+            vpn_mode = true;
+            info!("VPN mode enabled");
+        }
     }
 
     let mut roots = rustls::RootCertStore {
@@ -73,12 +102,13 @@ async fn main() -> Result<()> {
 
     client_crypto.alpn_protocols = common::ALPN_QUIC_HTTP.iter().map(|&x| x.into()).collect();
 
-    // WAR for Windows endpoint
-    let mut endpoint = if cfg!(target_os = "windows") {
-        Endpoint::client("0.0.0.0:0".parse().unwrap())
-    } else {
-        Endpoint::client("[::]:0".parse().unwrap())
-    }?;
+    let socket = create_udp_socket(vpn_mode)?;
+    let mut endpoint = Endpoint::new(
+        quinn::EndpointConfig::default(),
+        None,
+        socket,
+        Arc::new(quinn::TokioRuntime),
+    )?;
     let client_config =
         quinn::ClientConfig::new(Arc::new(QuicClientConfig::try_from(client_crypto)?));
 
@@ -99,7 +129,7 @@ async fn main() -> Result<()> {
         let host = Arc::clone(&host);
         let endpoint = Arc::clone(&endpoint);
 
-        let transfer = transfer(remote, host, endpoint, inbound);
+        let transfer = transfer(remote, host, endpoint, inbound, vpn_mode);
         tokio::spawn(transfer);
     }
 
@@ -111,25 +141,28 @@ async fn transfer(
     host: Arc<String>,
     endpoint: Arc<Endpoint>,
     mut inbound: TcpStream,
+    vpn_mode: bool,
 ) -> Result<()> {
     let new_conn = endpoint
         .connect(*remote, &host)?
         .await
         .map_err(|e| {
             if e == ConnectionError::TimedOut {
-                let socket = if cfg!(target_os = "windows") {
-                    std::net::UdpSocket::bind("0.0.0.0:0").unwrap()
-                } else {
-                    std::net::UdpSocket::bind("[::]:0").unwrap()
-                };
-                let addr = socket.local_addr().unwrap();
-                let ret = endpoint.rebind(socket);
-                match ret {
-                    Ok(_) => {
-                        info!("rebinding to: {}", addr);
+                match create_udp_socket(vpn_mode) {
+                    Ok(socket) => {
+                        let addr = socket.local_addr().unwrap();
+                        let ret = endpoint.rebind(socket);
+                        match ret {
+                            Ok(_) => {
+                                info!("rebinding to: {}", addr);
+                            }
+                            Err(e) => {
+                                error!("rebind fail: {:?}", e);
+                            }
+                        }
                     }
                     Err(e) => {
-                        error!("rebind fail: {:?}", e);
+                        error!("failed to create socket for rebind: {:?}", e);
                     }
                 }
             }

src/lib.rs

@@ -1,2 +1,4 @@
 pub mod args;
 pub mod common;
+#[cfg(target_os = "android")]
+pub mod protect;

src/protect.rs

@@ -0,0 +1,76 @@
+use std::io;
+use std::os::unix::io::RawFd;
+use std::os::unix::net::UnixStream;
+use std::io::{Read, Write};
+use std::os::unix::io::AsRawFd;
+use std::time::Duration;
+
+/// Protect a socket fd by sending it to the Android VPN service via
+/// a Unix domain socket at "protect_path".
+///
+/// The protocol:
+/// 1. Connect to abstract Unix domain socket "protect_path"
+/// 2. Send the fd as SCM_RIGHTS ancillary data with a 1-byte dummy payload
+/// 3. Read a 1-byte acknowledgment from the VPN service
+///
+/// This mirrors the behavior of v2ray-plugin's utils_android.go.
+pub fn protect(fd: RawFd) -> io::Result<()> {
+    let stream = UnixStream::connect("protect_path")?;
+    stream.set_read_timeout(Some(Duration::from_secs(3)))?;
+    stream.set_write_timeout(Some(Duration::from_secs(3)))?;
+
+    send_fd(&stream, fd)?;
+
+    // Wait for 1-byte acknowledgment
+    let mut buf = [0u8; 1];
+    (&stream).read_exact(&mut buf)?;
+
+    Ok(())
+}
+
+/// Send a file descriptor over a Unix domain socket using SCM_RIGHTS.
+fn send_fd(stream: &UnixStream, fd: RawFd) -> io::Result<()> {
+    use libc::{
+        c_void, cmsghdr, iovec, msghdr, sendmsg, CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE,
+        SCM_RIGHTS, SOL_SOCKET,
+    };
+    use std::mem;
+    use std::ptr;
+
+    let dummy: [u8; 1] = [b'!'];
+
+    let mut iov = iovec {
+        iov_base: dummy.as_ptr() as *mut c_void,
+        iov_len: 1,
+    };
+
+    // Allocate space for the control message containing one fd
+    let cmsg_space = unsafe { CMSG_SPACE(mem::size_of::<RawFd>() as u32) } as usize;
+    let mut cmsg_buf = vec![0u8; cmsg_space];
+
+    let mut msg: msghdr = unsafe { mem::zeroed() };
+    msg.msg_iov = &mut iov;
+    msg.msg_iovlen = 1;
+    msg.msg_control = cmsg_buf.as_mut_ptr() as *mut c_void;
+    msg.msg_controllen = cmsg_space as _;
+
+    let cmsg: &mut cmsghdr = unsafe { &mut *CMSG_FIRSTHDR(&msg) };
+    cmsg.cmsg_level = SOL_SOCKET;
+    cmsg.cmsg_type = SCM_RIGHTS;
+    cmsg.cmsg_len = unsafe { CMSG_LEN(mem::size_of::<RawFd>() as u32) } as _;
+
+    unsafe {
+        ptr::copy_nonoverlapping(
+            &fd as *const RawFd as *const u8,
+            CMSG_DATA(cmsg),
+            mem::size_of::<RawFd>(),
+        );
+    }
+
+    let result = unsafe { sendmsg(stream.as_raw_fd(), &msg, 0) };
+    if result < 0 {
+        return Err(io::Error::last_os_error());
+    }
+
+    Ok(())
+}