Merge release-20211026.0-33-g23a115dae (automated)

22 files changed, 296 insertions, 291 deletions

diff --git a/pkg/sentry/fs/gofer/socket.go b/pkg/sentry/fs/gofer/socket.go
index 1fd8a0910..17932bf1a 100644
--- a/pkg/sentry/fs/gofer/socket.go
+++ b/pkg/sentry/fs/gofer/socket.go
@@ -23,6 +23,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/fs/host"
 	"gvisor.dev/gvisor/pkg/sentry/socket/unix/transport"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/waiter"
 )
 
@@ -95,7 +96,7 @@ func (e *endpoint) BidirectionalConnect(ctx context.Context, ce transport.Connec
 	}
 	if ce.Listening() {
 		ce.Unlock()
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	hostFile, err := e.file.Connect(cf)
diff --git a/pkg/sentry/fs/host/socket.go b/pkg/sentry/fs/host/socket.go
index 54c421775..17ee77af4 100644
--- a/pkg/sentry/fs/host/socket.go
+++ b/pkg/sentry/fs/host/socket.go
@@ -82,7 +82,7 @@ func (c *ConnectedEndpoint) init() *syserr.Error {
 
 	if family != unix.AF_UNIX {
 		// We only allow Unix sockets.
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	stype, err := unix.GetsockoptInt(c.file.FD(), unix.SOL_SOCKET, unix.SO_TYPE)
@@ -200,7 +200,7 @@ func (c *ConnectedEndpoint) Send(ctx context.Context, data [][]byte, controlMess
 	defer c.mu.RUnlock()
 
 	if !controlMessages.Empty() {
-		return 0, false, syserr.ErrInvalidEndpointState
+		return 0, false, tcpip.SyserrInvalidEndpointState
 	}
 
 	// Since stream sockets don't preserve message boundaries, we can write
diff --git a/pkg/sentry/fsimpl/gofer/socket.go b/pkg/sentry/fsimpl/gofer/socket.go
index 86ab70453..e29614da6 100644
--- a/pkg/sentry/fsimpl/gofer/socket.go
+++ b/pkg/sentry/fsimpl/gofer/socket.go
@@ -23,6 +23,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/fsimpl/host"
 	"gvisor.dev/gvisor/pkg/sentry/socket/unix/transport"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/waiter"
 )
 
@@ -69,7 +70,7 @@ func (e *endpoint) BidirectionalConnect(ctx context.Context, ce transport.Connec
 	}
 	if ce.Listening() {
 		ce.Unlock()
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	c, err := e.newConnectedEndpoint(ctx, ce.Type(), ce.WaiterQueue())
diff --git a/pkg/sentry/fsimpl/host/socket.go b/pkg/sentry/fsimpl/host/socket.go
index 709d5747d..9f8559d20 100644
--- a/pkg/sentry/fsimpl/host/socket.go
+++ b/pkg/sentry/fsimpl/host/socket.go
@@ -97,7 +97,7 @@ func (c *ConnectedEndpoint) initFromOptions() *syserr.Error {
 
 	if family != unix.AF_UNIX {
 		// We only allow Unix sockets.
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	stype, err := unix.GetsockoptInt(c.fd, unix.SOL_SOCKET, unix.SO_TYPE)
@@ -147,7 +147,7 @@ func (c *ConnectedEndpoint) Send(ctx context.Context, data [][]byte, controlMess
 	defer c.mu.RUnlock()
 
 	if !controlMessages.Empty() {
-		return 0, false, syserr.ErrInvalidEndpointState
+		return 0, false, tcpip.SyserrInvalidEndpointState
 	}
 
 	// Since stream sockets don't preserve message boundaries, we can write
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 8d9e73243..01f2f8c77 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -290,7 +290,7 @@ func SetEntries(task *kernel.Task, stk *stack.Stack, optVal []byte, ipv6 bool) *
 	// - There are no chains without an unconditional final rule.
 	// - There are no chains without an unconditional underflow rule.
 
-	return syserr.TranslateNetstackError(stk.IPTables().ReplaceTable(nameToID[replace.Name.String()], table, ipv6))
+	return tcpip.TranslateNetstackError(stk.IPTables().ReplaceTable(nameToID[replace.Name.String()], table, ipv6))
 }
 
 // parseMatchers parses 0 or more matchers from optVal. optVal should contain
diff --git a/pkg/sentry/socket/netlink/provider.go b/pkg/sentry/socket/netlink/provider.go
index 31e374833..936e741f8 100644
--- a/pkg/sentry/socket/netlink/provider.go
+++ b/pkg/sentry/socket/netlink/provider.go
@@ -23,6 +23,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/socket"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip"
 )
 
 // Protocol is the implementation of a netlink socket protocol.
@@ -104,7 +105,7 @@ func (*socketProvider) Socket(t *kernel.Task, stype linux.SockType, protocol int
 // Pair implements socket.Provider.Pair by returning an error.
 func (*socketProvider) Pair(*kernel.Task, linux.SockType, int) (*fs.File, *fs.File, *syserr.Error) {
 	// Netlink sockets never supports creating socket pairs.
-	return nil, nil, syserr.ErrNotSupported
+	return nil, nil, tcpip.SyserrNotSupported
 }
 
 // LINT.ThenChange(./provider_vfs2.go)
diff --git a/pkg/sentry/socket/netlink/provider_vfs2.go b/pkg/sentry/socket/netlink/provider_vfs2.go
index f061c5d62..1cbeb60b5 100644
--- a/pkg/sentry/socket/netlink/provider_vfs2.go
+++ b/pkg/sentry/socket/netlink/provider_vfs2.go
@@ -20,6 +20,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip"
 )
 
 // socketProviderVFS2 implements socket.Provider.
@@ -66,5 +67,5 @@ func (*socketProviderVFS2) Socket(t *kernel.Task, stype linux.SockType, protocol
 // Pair implements socket.Provider.Pair by returning an error.
 func (*socketProviderVFS2) Pair(*kernel.Task, linux.SockType, int) (*vfs.FileDescription, *vfs.FileDescription, *syserr.Error) {
 	// Netlink sockets never supports creating socket pairs.
-	return nil, nil, syserr.ErrNotSupported
+	return nil, nil, tcpip.SyserrNotSupported
 }
diff --git a/pkg/sentry/socket/netlink/route/protocol.go b/pkg/sentry/socket/netlink/route/protocol.go
index d526acb73..6f5cbfef9 100644
--- a/pkg/sentry/socket/netlink/route/protocol.go
+++ b/pkg/sentry/socket/netlink/route/protocol.go
@@ -27,6 +27,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sentry/socket/netlink"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip"
 )
 
 // commandKind describes the operational class of a message type.
@@ -360,7 +361,7 @@ func parseForDestination(msg *netlink.Message) ([]byte, *syserr.Error) {
 	// commit bc234301af12. Note we don't check this flag for backward
 	// compatibility.
 	if rtMsg.Flags != 0 && rtMsg.Flags != linux.RTM_F_LOOKUP_TABLE {
-		return nil, syserr.ErrNotSupported
+		return nil, tcpip.SyserrNotSupported
 	}
 
 	// Expect first attribute is RTA_DST.
@@ -393,7 +394,7 @@ func (p *Protocol) dumpRoutes(ctx context.Context, msg *netlink.Message, ms *net
 		route, err := fillRoute(routeTables, dst)
 		if err != nil {
 			// TODO(gvisor.dev/issue/1237): return NLMSG_ERROR with ENETUNREACH.
-			return syserr.ErrNotSupported
+			return tcpip.SyserrNotSupported
 		}
 		routeTables = append([]inet.Route{}, route)
 	} else if hdr.Flags&linux.NLM_F_DUMP == linux.NLM_F_DUMP {
@@ -401,7 +402,7 @@ func (p *Protocol) dumpRoutes(ctx context.Context, msg *netlink.Message, ms *net
 		ms.Multi = true
 	} else {
 		// TODO(b/68878065): Only above cases are supported.
-		return syserr.ErrNotSupported
+		return tcpip.SyserrNotSupported
 	}
 
 	for _, rt := range routeTables {
@@ -489,7 +490,7 @@ func (p *Protocol) newAddr(ctx context.Context, msg *netlink.Message, ms *netlin
 			}
 		case linux.IFA_ADDRESS:
 		default:
-			return syserr.ErrNotSupported
+			return tcpip.SyserrNotSupported
 		}
 	}
 	return nil
@@ -530,11 +531,11 @@ func (p *Protocol) delAddr(ctx context.Context, msg *netlink.Message, ms *netlin
 				Addr:      value,
 			})
 			if err != nil {
-				return syserr.ErrBadLocalAddress
+				return tcpip.SyserrBadLocalAddress
 			}
 		case linux.IFA_ADDRESS:
 		default:
-			return syserr.ErrNotSupported
+			return tcpip.SyserrNotSupported
 		}
 	}
 
@@ -572,7 +573,7 @@ func (p *Protocol) ProcessMessage(ctx context.Context, msg *netlink.Message, ms
 		case linux.RTM_GETROUTE:
 			return p.dumpRoutes(ctx, msg, ms)
 		default:
-			return syserr.ErrNotSupported
+			return tcpip.SyserrNotSupported
 		}
 	} else if hdr.Flags&linux.NLM_F_REQUEST == linux.NLM_F_REQUEST {
 		switch hdr.Type {
@@ -587,10 +588,10 @@ func (p *Protocol) ProcessMessage(ctx context.Context, msg *netlink.Message, ms
 		case linux.RTM_DELADDR:
 			return p.delAddr(ctx, msg, ms)
 		default:
-			return syserr.ErrNotSupported
+			return tcpip.SyserrNotSupported
 		}
 	}
-	return syserr.ErrNotSupported
+	return tcpip.SyserrNotSupported
 }
 
 // init registers the NETLINK_ROUTE provider.
diff --git a/pkg/sentry/socket/netlink/socket.go b/pkg/sentry/socket/netlink/socket.go
index ed5fa9c38..267155807 100644
--- a/pkg/sentry/socket/netlink/socket.go
+++ b/pkg/sentry/socket/netlink/socket.go
@@ -312,19 +312,19 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool
 // Accept implements socket.Socket.Accept.
 func (s *socketOpsCommon) Accept(t *kernel.Task, peerRequested bool, flags int, blocking bool) (int32, linux.SockAddr, uint32, *syserr.Error) {
 	// Netlink sockets never support accept.
-	return 0, nil, 0, syserr.ErrNotSupported
+	return 0, nil, 0, tcpip.SyserrNotSupported
 }
 
 // Listen implements socket.Socket.Listen.
 func (s *socketOpsCommon) Listen(t *kernel.Task, backlog int) *syserr.Error {
 	// Netlink sockets never support listen.
-	return syserr.ErrNotSupported
+	return tcpip.SyserrNotSupported
 }
 
 // Shutdown implements socket.Socket.Shutdown.
 func (s *socketOpsCommon) Shutdown(t *kernel.Task, how int) *syserr.Error {
 	// Netlink sockets never support shutdown.
-	return syserr.ErrNotSupported
+	return tcpip.SyserrNotSupported
 }
 
 // GetSockOpt implements socket.Socket.GetSockOpt.
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
index 2a1c2f246..c35cf06f6 100644
--- a/pkg/sentry/socket/netstack/netstack.go
+++ b/pkg/sentry/socket/netstack/netstack.go
@@ -492,7 +492,7 @@ func (s *SocketOperations) WriteTo(_ context.Context, _ *fs.File, dst io.Writer,
 		Peek: dup,
 	})
 	if err != nil {
-		return 0, syserr.TranslateNetstackError(err).ToError()
+		return 0, tcpip.TranslateNetstackError(err).ToError()
 	}
 	return int64(res.Count), nil
 }
@@ -505,7 +505,7 @@ func (s *SocketOperations) Write(ctx context.Context, _ *fs.File, src usermem.IO
 		return 0, linuxerr.ErrWouldBlock
 	}
 	if err != nil {
-		return 0, syserr.TranslateNetstackError(err).ToError()
+		return 0, tcpip.TranslateNetstackError(err).ToError()
 	}
 
 	if n < src.NumBytes() {
@@ -548,7 +548,7 @@ func (s *SocketOperations) ReadFrom(_ context.Context, _ *fs.File, r io.Reader,
 	if _, ok := err.(*tcpip.ErrBadBuffer); ok {
 		return n, f.err
 	}
-	return n, syserr.TranslateNetstackError(err).ToError()
+	return n, tcpip.TranslateNetstackError(err).ToError()
 }
 
 // Readiness returns a mask of ready events for socket s.
@@ -600,7 +600,7 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool
 		if _, ok := err.(*tcpip.ErrNotSupported); ok {
 			return syserr.ErrAddressFamilyNotSupported
 		}
-		return syserr.TranslateNetstackError(err)
+		return tcpip.TranslateNetstackError(err)
 	}
 
 	if !s.checkFamily(family, false /* exact */) {
@@ -610,7 +610,7 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool
 
 	// Always return right away in the non-blocking case.
 	if !blocking {
-		return syserr.TranslateNetstackError(s.Endpoint.Connect(addr))
+		return tcpip.TranslateNetstackError(s.Endpoint.Connect(addr))
 	}
 
 	// Register for notification when the endpoint becomes writable, then
@@ -627,9 +627,9 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool
 			// find an available local ephemeral port.
 			return syserr.ErrAddressNotAvailable
 		}
-		return syserr.TranslateNetstackError(err)
+		return tcpip.TranslateNetstackError(err)
 	default:
-		return syserr.TranslateNetstackError(err)
+		return tcpip.TranslateNetstackError(err)
 	}
 
 	// It's pending, so we have to wait for a notification, and fetch the
@@ -639,7 +639,7 @@ func (s *socketOpsCommon) Connect(t *kernel.Task, sockaddr []byte, blocking bool
 	}
 
 	// Call Connect() again after blocking to find connect's result.
-	return syserr.TranslateNetstackError(s.Endpoint.Connect(addr))
+	return tcpip.TranslateNetstackError(s.Endpoint.Connect(addr))
 }
 
 // Bind implements the linux syscall bind(2) for sockets backed by
@@ -699,13 +699,13 @@ func (s *socketOpsCommon) Bind(_ *kernel.Task, sockaddr []byte) *syserr.Error {
 		err = &tcpip.ErrPortInUse{}
 	}
 
-	return syserr.TranslateNetstackError(err)
+	return tcpip.TranslateNetstackError(err)
 }
 
 // Listen implements the linux syscall listen(2) for sockets backed by
 // tcpip.Endpoint.
 func (s *socketOpsCommon) Listen(_ *kernel.Task, backlog int) *syserr.Error {
-	return syserr.TranslateNetstackError(s.Endpoint.Listen(backlog))
+	return tcpip.TranslateNetstackError(s.Endpoint.Listen(backlog))
 }
 
 // blockingAccept implements a blocking version of accept(2), that is, if no
@@ -721,7 +721,7 @@ func (s *socketOpsCommon) blockingAccept(t *kernel.Task, peerAddr *tcpip.FullAdd
 	for {
 		ep, wq, err := s.Endpoint.Accept(peerAddr)
 		if _, ok := err.(*tcpip.ErrWouldBlock); !ok {
-			return ep, wq, syserr.TranslateNetstackError(err)
+			return ep, wq, tcpip.TranslateNetstackError(err)
 		}
 
 		if err := t.Block(ch); err != nil {
@@ -740,7 +740,7 @@ func (s *SocketOperations) Accept(t *kernel.Task, peerRequested bool, flags int,
 	ep, wq, terr := s.Endpoint.Accept(peerAddr)
 	if terr != nil {
 		if _, ok := terr.(*tcpip.ErrWouldBlock); !ok || !blocking {
-			return 0, nil, 0, syserr.TranslateNetstackError(terr)
+			return 0, nil, 0, tcpip.TranslateNetstackError(terr)
 		}
 
 		var err *syserr.Error
@@ -802,7 +802,7 @@ func (s *socketOpsCommon) Shutdown(_ *kernel.Task, how int) *syserr.Error {
 	}
 
 	// Issue shutdown request.
-	return syserr.TranslateNetstackError(s.Endpoint.Shutdown(f))
+	return tcpip.TranslateNetstackError(s.Endpoint.Shutdown(f))
 }
 
 // GetSockOpt implements the linux syscall getsockopt(2) for sockets backed by
@@ -891,7 +891,7 @@ func getSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, fam
 			return &optP, nil
 		}
 
-		optP := primitive.Int32(syserr.TranslateNetstackError(err).ToLinux())
+		optP := primitive.Int32(tcpip.TranslateNetstackError(err).ToLinux())
 		return &optP, nil
 
 	case linux.SO_PEERCRED:
@@ -976,7 +976,7 @@ func getSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, fam
 		if !ok {
 			// The NICID no longer indicates a valid interface, probably because that
 			// interface was removed.
-			return nil, syserr.ErrUnknownDevice
+			return nil, tcpip.SyserrUnknownDevice
 		}
 
 		name := primitive.ByteSlice(append([]byte(nic.Name), 0))
@@ -1069,7 +1069,7 @@ func getSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, fam
 func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name, outLen int) (marshal.Marshallable, *syserr.Error) {
 	if _, skType, skProto := s.Type(); !isTCPSocket(skType, skProto) {
 		log.Warningf("SOL_TCP options are only supported on TCP sockets: skType, skProto = %v, %d", skType, skProto)
-		return nil, syserr.ErrUnknownProtocolOption
+		return nil, tcpip.SyserrUnknownProtocolOption
 	}
 
 	switch name {
@@ -1104,7 +1104,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		v, err := ep.GetSockOptInt(tcpip.MaxSegOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		vP := primitive.Int32(v)
 		return &vP, nil
@@ -1116,7 +1116,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		var v tcpip.KeepaliveIdleOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		keepAliveIdle := primitive.Int32(time.Duration(v) / time.Second)
 		return &keepAliveIdle, nil
@@ -1128,7 +1128,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		var v tcpip.KeepaliveIntervalOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		keepAliveInterval := primitive.Int32(time.Duration(v) / time.Second)
 		return &keepAliveInterval, nil
@@ -1140,7 +1140,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		v, err := ep.GetSockOptInt(tcpip.KeepaliveCountOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		vP := primitive.Int32(v)
 		return &vP, nil
@@ -1152,7 +1152,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		var v tcpip.TCPUserTimeoutOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		tcpUserTimeout := primitive.Int32(time.Duration(v) / time.Millisecond)
 		return &tcpUserTimeout, nil
@@ -1160,7 +1160,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 	case linux.TCP_INFO:
 		var v tcpip.TCPInfoOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		// TODO(b/64800844): Translate fields once they are added to
@@ -1214,7 +1214,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		var v tcpip.CongestionControlOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		// We match linux behaviour here where it returns the lower of
@@ -1240,7 +1240,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		var v tcpip.TCPLingerTimeoutOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		var lingerTimeout primitive.Int32
 		if v >= 0 {
@@ -1257,7 +1257,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		var v tcpip.TCPDeferAcceptOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		tcpDeferAccept := primitive.Int32(time.Duration(v) / time.Second)
@@ -1270,7 +1270,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		v, err := ep.GetSockOptInt(tcpip.TCPSynCountOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		vP := primitive.Int32(v)
 		return &vP, nil
@@ -1282,7 +1282,7 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 
 		v, err := ep.GetSockOptInt(tcpip.TCPWindowClampOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		vP := primitive.Int32(v)
 		return &vP, nil
@@ -1296,12 +1296,12 @@ func getSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name,
 func getSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name int, outPtr hostarch.Addr, outLen int) (marshal.Marshallable, *syserr.Error) {
 	if _, ok := ep.(tcpip.Endpoint); !ok {
 		log.Warningf("SOL_IPV6 options not supported on endpoints other than tcpip.Endpoint: option = %d", name)
-		return nil, syserr.ErrUnknownProtocolOption
+		return nil, tcpip.SyserrUnknownProtocolOption
 	}
 
 	family, skType, _ := s.Type()
 	if family != linux.AF_INET6 {
-		return nil, syserr.ErrUnknownProtocolOption
+		return nil, tcpip.SyserrUnknownProtocolOption
 	}
 
 	switch name {
@@ -1324,7 +1324,7 @@ func getSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 		}
 		v, err := ep.GetSockOptInt(tcpip.IPv6TrafficClassOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		uintv := primitive.Uint32(v)
@@ -1376,7 +1376,7 @@ func getSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 
 		var v tcpip.OriginalDestinationOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		a, _ := socket.ConvertAddress(linux.AF_INET6, tcpip.FullAddress(v))
@@ -1452,7 +1452,7 @@ func getSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name int, outPtr hostarch.Addr, outLen int, _ int) (marshal.Marshallable, *syserr.Error) {
 	if _, ok := ep.(tcpip.Endpoint); !ok {
 		log.Warningf("SOL_IP options not supported on endpoints other than tcpip.Endpoint: option = %d", name)
-		return nil, syserr.ErrUnknownProtocolOption
+		return nil, tcpip.SyserrUnknownProtocolOption
 	}
 
 	switch name {
@@ -1463,7 +1463,7 @@ func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 
 		v, err := ep.GetSockOptInt(tcpip.TTLOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		// Fill in the default value, if needed.
@@ -1481,7 +1481,7 @@ func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 
 		v, err := ep.GetSockOptInt(tcpip.MulticastTTLOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		vP := primitive.Int32(v)
@@ -1494,7 +1494,7 @@ func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 
 		var v tcpip.MulticastInterfaceOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		a, _ := socket.ConvertAddress(linux.AF_INET, tcpip.FullAddress{Addr: v.InterfaceAddr})
@@ -1517,7 +1517,7 @@ func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 		}
 		v, err := ep.GetSockOptInt(tcpip.IPv4TOSOption)
 		if err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 		if outLen < sizeOfInt32 {
 			vP := primitive.Uint8(v)
@@ -1573,7 +1573,7 @@ func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 
 		var v tcpip.OriginalDestinationOption
 		if err := ep.GetSockOpt(&v); err != nil {
-			return nil, syserr.TranslateNetstackError(err)
+			return nil, tcpip.TranslateNetstackError(err)
 		}
 
 		a, _ := socket.ConvertAddress(linux.AF_INET, tcpip.FullAddress(v))
@@ -1793,7 +1793,7 @@ func setSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, nam
 		}
 		name := string(optVal[:n])
 		if name == "" {
-			return syserr.TranslateNetstackError(ep.SocketOptions().SetBindToDevice(0))
+			return tcpip.TranslateNetstackError(ep.SocketOptions().SetBindToDevice(0))
 		}
 		s := t.NetworkContext()
 		if s == nil {
@@ -1801,10 +1801,10 @@ func setSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, nam
 		}
 		for nicID, nic := range s.Interfaces() {
 			if nic.Name == name {
-				return syserr.TranslateNetstackError(ep.SocketOptions().SetBindToDevice(nicID))
+				return tcpip.TranslateNetstackError(ep.SocketOptions().SetBindToDevice(nicID))
 			}
 		}
-		return syserr.ErrUnknownDevice
+		return tcpip.SyserrUnknownDevice
 
 	case linux.SO_BROADCAST:
 		if len(optVal) < sizeOfInt32 {
@@ -1898,7 +1898,7 @@ func setSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, nam
 	case linux.SO_DETACH_FILTER:
 		// optval is ignored.
 		var v tcpip.SocketDetachFilterOption
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&v))
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&v))
 
 	default:
 		socket.SetSockOptEmitUnimplementedEvent(t, name)
@@ -1911,7 +1911,7 @@ func setSockOptSocket(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, nam
 func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name int, optVal []byte) *syserr.Error {
 	if _, skType, skProto := s.Type(); !isTCPSocket(skType, skProto) {
 		log.Warningf("SOL_TCP options are only supported on TCP sockets: skType, skProto = %v, %d", skType, skProto)
-		return syserr.ErrUnknownProtocolOption
+		return tcpip.SyserrUnknownProtocolOption
 	}
 
 	switch name {
@@ -1948,7 +1948,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 		}
 
 		v := hostarch.ByteOrder.Uint32(optVal)
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.MaxSegOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.MaxSegOption, int(v)))
 
 	case linux.TCP_KEEPIDLE:
 		if len(optVal) < sizeOfInt32 {
@@ -1960,7 +1960,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 			return syserr.ErrInvalidArgument
 		}
 		opt := tcpip.KeepaliveIdleOption(time.Second * time.Duration(v))
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&opt))
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&opt))
 
 	case linux.TCP_KEEPINTVL:
 		if len(optVal) < sizeOfInt32 {
@@ -1972,7 +1972,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 			return syserr.ErrInvalidArgument
 		}
 		opt := tcpip.KeepaliveIntervalOption(time.Second * time.Duration(v))
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&opt))
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&opt))
 
 	case linux.TCP_KEEPCNT:
 		if len(optVal) < sizeOfInt32 {
@@ -1983,7 +1983,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 		if v < 1 || v > linux.MAX_TCP_KEEPCNT {
 			return syserr.ErrInvalidArgument
 		}
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.KeepaliveCountOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.KeepaliveCountOption, int(v)))
 
 	case linux.TCP_USER_TIMEOUT:
 		if len(optVal) < sizeOfInt32 {
@@ -1995,12 +1995,12 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 			return syserr.ErrInvalidArgument
 		}
 		opt := tcpip.TCPUserTimeoutOption(time.Millisecond * time.Duration(v))
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&opt))
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&opt))
 
 	case linux.TCP_CONGESTION:
 		v := tcpip.CongestionControlOption(optVal)
 		if err := ep.SetSockOpt(&v); err != nil {
-			return syserr.TranslateNetstackError(err)
+			return tcpip.TranslateNetstackError(err)
 		}
 		return nil
 
@@ -2011,7 +2011,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 
 		v := int32(hostarch.ByteOrder.Uint32(optVal))
 		opt := tcpip.TCPLingerTimeoutOption(time.Second * time.Duration(v))
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&opt))
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&opt))
 
 	case linux.TCP_DEFER_ACCEPT:
 		if len(optVal) < sizeOfInt32 {
@@ -2022,7 +2022,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 			v = 0
 		}
 		opt := tcpip.TCPDeferAcceptOption(time.Second * time.Duration(v))
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&opt))
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&opt))
 
 	case linux.TCP_SYNCNT:
 		if len(optVal) < sizeOfInt32 {
@@ -2030,7 +2030,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 		}
 		v := hostarch.ByteOrder.Uint32(optVal)
 
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.TCPSynCountOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.TCPSynCountOption, int(v)))
 
 	case linux.TCP_WINDOW_CLAMP:
 		if len(optVal) < sizeOfInt32 {
@@ -2038,7 +2038,7 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 		}
 		v := hostarch.ByteOrder.Uint32(optVal)
 
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.TCPWindowClampOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.TCPWindowClampOption, int(v)))
 
 	case linux.TCP_REPAIR_OPTIONS:
 		t.Kernel().EmitUnimplementedEvent(t)
@@ -2054,12 +2054,12 @@ func setSockOptTCP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name i
 func setSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name int, optVal []byte) *syserr.Error {
 	if _, ok := ep.(tcpip.Endpoint); !ok {
 		log.Warningf("SOL_IPV6 options not supported on endpoints other than tcpip.Endpoint: option = %d", name)
-		return syserr.ErrUnknownProtocolOption
+		return tcpip.SyserrUnknownProtocolOption
 	}
 
 	family, skType, skProto := s.Type()
 	if family != linux.AF_INET6 {
-		return syserr.ErrUnknownProtocolOption
+		return tcpip.SyserrUnknownProtocolOption
 	}
 
 	switch name {
@@ -2069,9 +2069,9 @@ func setSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 		}
 
 		if isTCPSocket(skType, skProto) && tcp.EndpointState(ep.State()) != tcp.StateInitial {
-			return syserr.ErrInvalidEndpointState
+			return tcpip.SyserrInvalidEndpointState
 		} else if isUDPSocket(skType, skProto) && transport.DatagramEndpointState(ep.State()) != transport.DatagramEndpointStateInitial {
-			return syserr.ErrInvalidEndpointState
+			return tcpip.SyserrInvalidEndpointState
 		}
 
 		v := hostarch.ByteOrder.Uint32(optVal)
@@ -2084,7 +2084,7 @@ func setSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 			return err
 		}
 
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&tcpip.AddMembershipOption{
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&tcpip.AddMembershipOption{
 			NIC:           tcpip.NICID(req.InterfaceIndex),
 			MulticastAddr: tcpip.Address(req.MulticastAddr[:]),
 		}))
@@ -2095,7 +2095,7 @@ func setSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 			return err
 		}
 
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&tcpip.RemoveMembershipOption{
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&tcpip.RemoveMembershipOption{
 			NIC:           tcpip.NICID(req.InterfaceIndex),
 			MulticastAddr: tcpip.Address(req.MulticastAddr[:]),
 		}))
@@ -2145,7 +2145,7 @@ func setSockOptIPv6(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name
 		if v == -1 {
 			v = 0
 		}
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.IPv6TrafficClassOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.IPv6TrafficClassOption, int(v)))
 
 	case linux.IPV6_RECVTCLASS:
 		v, err := parseIntOrChar(optVal)
@@ -2260,7 +2260,7 @@ func parseIntOrChar(buf []byte) (int32, *syserr.Error) {
 func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name int, optVal []byte) *syserr.Error {
 	if _, ok := ep.(tcpip.Endpoint); !ok {
 		log.Warningf("SOL_IP options not supported on endpoints other than tcpip.Endpoint: option = %d", name)
-		return syserr.ErrUnknownProtocolOption
+		return tcpip.SyserrUnknownProtocolOption
 	}
 
 	switch name {
@@ -2277,7 +2277,7 @@ func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 		if v < 0 || v > 255 {
 			return syserr.ErrInvalidArgument
 		}
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.MulticastTTLOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.MulticastTTLOption, int(v)))
 
 	case linux.IP_ADD_MEMBERSHIP:
 		req, err := copyInMulticastRequest(optVal, false /* allowAddr */)
@@ -2285,7 +2285,7 @@ func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 			return err
 		}
 
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&tcpip.AddMembershipOption{
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&tcpip.AddMembershipOption{
 			NIC: tcpip.NICID(req.InterfaceIndex),
 			// TODO(igudger): Change AddMembership to use the standard
 			// any address representation.
@@ -2299,7 +2299,7 @@ func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 			return err
 		}
 
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&tcpip.RemoveMembershipOption{
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&tcpip.RemoveMembershipOption{
 			NIC: tcpip.NICID(req.InterfaceIndex),
 			// TODO(igudger): Change DropMembership to use the standard
 			// any address representation.
@@ -2313,7 +2313,7 @@ func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 			return err
 		}
 
-		return syserr.TranslateNetstackError(ep.SetSockOpt(&tcpip.MulticastInterfaceOption{
+		return tcpip.TranslateNetstackError(ep.SetSockOpt(&tcpip.MulticastInterfaceOption{
 			NIC:           tcpip.NICID(req.InterfaceIndex),
 			InterfaceAddr: socket.BytesToIPAddress(req.InterfaceAddr[:]),
 		}))
@@ -2344,7 +2344,7 @@ func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 		} else if v < 1 || v > 255 {
 			return syserr.ErrInvalidArgument
 		}
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.TTLOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.TTLOption, int(v)))
 
 	case linux.IP_TOS:
 		if len(optVal) == 0 {
@@ -2354,7 +2354,7 @@ func setSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 		if err != nil {
 			return err
 		}
-		return syserr.TranslateNetstackError(ep.SetSockOptInt(tcpip.IPv4TOSOption, int(v)))
+		return tcpip.TranslateNetstackError(ep.SetSockOptInt(tcpip.IPv4TOSOption, int(v)))
 
 	case linux.IP_RECVTOS:
 		v, err := parseIntOrChar(optVal)
@@ -2594,7 +2594,7 @@ func emitUnimplementedEventIP(t *kernel.Task, name int) {
 func (s *socketOpsCommon) GetSockName(*kernel.Task) (linux.SockAddr, uint32, *syserr.Error) {
 	addr, err := s.Endpoint.GetLocalAddress()
 	if err != nil {
-		return nil, 0, syserr.TranslateNetstackError(err)
+		return nil, 0, tcpip.TranslateNetstackError(err)
 	}
 
 	a, l := socket.ConvertAddress(s.family, addr)
@@ -2606,7 +2606,7 @@ func (s *socketOpsCommon) GetSockName(*kernel.Task) (linux.SockAddr, uint32, *sy
 func (s *socketOpsCommon) GetPeerName(*kernel.Task) (linux.SockAddr, uint32, *syserr.Error) {
 	addr, err := s.Endpoint.GetRemoteAddress()
 	if err != nil {
-		return nil, 0, syserr.TranslateNetstackError(err)
+		return nil, 0, tcpip.TranslateNetstackError(err)
 	}
 
 	a, l := socket.ConvertAddress(s.family, addr)
@@ -2679,7 +2679,7 @@ func (s *socketOpsCommon) nonBlockingRead(ctx context.Context, dst usermem.IOSeq
 		err = nil
 	}
 	if err != nil {
-		return 0, 0, nil, 0, socket.ControlMessages{}, syserr.TranslateNetstackError(err)
+		return 0, 0, nil, 0, socket.ControlMessages{}, tcpip.TranslateNetstackError(err)
 	}
 	// Set the control message, even if 0 bytes were read.
 	s.updateTimestamp(res.ControlMessages)
@@ -2717,7 +2717,7 @@ func (s *socketOpsCommon) nonBlockingRead(ctx context.Context, dst usermem.IOSeq
 			// We need to query it from socket option.
 			rql, err := s.Endpoint.GetSockOptInt(tcpip.ReceiveQueueSizeOption)
 			if err != nil {
-				return 0, 0, nil, 0, socket.ControlMessages{}, syserr.TranslateNetstackError(err)
+				return 0, 0, nil, 0, socket.ControlMessages{}, tcpip.TranslateNetstackError(err)
 			}
 			msgLen := int(dst.NumBytes())
 			if msgLen > rql {
@@ -2731,7 +2731,7 @@ func (s *socketOpsCommon) nonBlockingRead(ctx context.Context, dst usermem.IOSeq
 
 	cmsg := s.controlMessages(res.ControlMessages)
 	s.fillCmsgInq(&cmsg)
-	return res.Count, 0, nil, 0, cmsg, syserr.TranslateNetstackError(err)
+	return res.Count, 0, nil, 0, cmsg, tcpip.TranslateNetstackError(err)
 }
 
 func (s *socketOpsCommon) controlMessages(cm tcpip.ControlMessages) socket.ControlMessages {
@@ -2838,7 +2838,7 @@ func (s *socketOpsCommon) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags
 	}
 	n, msgFlags, senderAddr, senderAddrLen, controlMessages, err = s.nonBlockingRead(t, dst, peek, trunc, senderRequested)
 
-	if s.isPacketBased() && err == syserr.ErrClosedForReceive && flags&linux.MSG_DONTWAIT != 0 {
+	if s.isPacketBased() && err == tcpip.SyserrClosedForReceive && flags&linux.MSG_DONTWAIT != 0 {
 		// In this situation we should return EAGAIN.
 		return 0, 0, nil, 0, socket.ControlMessages{}, syserr.ErrTryAgain
 	}
@@ -2931,7 +2931,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b
 		n, err := s.Endpoint.Write(r, opts)
 		total += n
 		if flags&linux.MSG_DONTWAIT != 0 {
-			return int(total), syserr.TranslateNetstackError(err)
+			return int(total), tcpip.TranslateNetstackError(err)
 		}
 		block := true
 		switch err.(type) {
@@ -2962,7 +2962,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b
 			}
 			continue
 		}
-		return int(total), syserr.TranslateNetstackError(err)
+		return int(total), tcpip.TranslateNetstackError(err)
 	}
 }
 
@@ -2995,7 +2995,7 @@ func (s *socketOpsCommon) ioctl(ctx context.Context, io usermem.IO, args arch.Sy
 	case linux.TIOCINQ:
 		v, terr := s.Endpoint.GetSockOptInt(tcpip.ReceiveQueueSizeOption)
 		if terr != nil {
-			return 0, syserr.TranslateNetstackError(terr).ToError()
+			return 0, tcpip.TranslateNetstackError(terr).ToError()
 		}
 
 		if v > math.MaxInt32 {
@@ -3061,7 +3061,7 @@ func Ioctl(ctx context.Context, ep commonEndpoint, io usermem.IO, args arch.Sysc
 	case linux.TIOCINQ:
 		v, terr := ep.GetSockOptInt(tcpip.ReceiveQueueSizeOption)
 		if terr != nil {
-			return 0, syserr.TranslateNetstackError(terr).ToError()
+			return 0, tcpip.TranslateNetstackError(terr).ToError()
 		}
 
 		if v > math.MaxInt32 {
@@ -3075,7 +3075,7 @@ func Ioctl(ctx context.Context, ep commonEndpoint, io usermem.IO, args arch.Sysc
 	case linux.TIOCOUTQ:
 		v, terr := ep.GetSockOptInt(tcpip.SendQueueSizeOption)
 		if terr != nil {
-			return 0, syserr.TranslateNetstackError(terr).ToError()
+			return 0, tcpip.TranslateNetstackError(terr).ToError()
 		}
 
 		if v > math.MaxInt32 {
diff --git a/pkg/sentry/socket/netstack/netstack_vfs2.go b/pkg/sentry/socket/netstack/netstack_vfs2.go
index 3cdf29b80..ff10e159e 100644
--- a/pkg/sentry/socket/netstack/netstack_vfs2.go
+++ b/pkg/sentry/socket/netstack/netstack_vfs2.go
@@ -134,7 +134,7 @@ func (s *SocketVFS2) Write(ctx context.Context, src usermem.IOSequence, opts vfs
 		return 0, linuxerr.ErrWouldBlock
 	}
 	if err != nil {
-		return 0, syserr.TranslateNetstackError(err).ToError()
+		return 0, tcpip.TranslateNetstackError(err).ToError()
 	}
 
 	if n < src.NumBytes() {
@@ -155,7 +155,7 @@ func (s *SocketVFS2) Accept(t *kernel.Task, peerRequested bool, flags int, block
 	ep, wq, terr := s.Endpoint.Accept(peerAddr)
 	if terr != nil {
 		if _, ok := terr.(*tcpip.ErrWouldBlock); !ok || !blocking {
-			return 0, nil, 0, syserr.TranslateNetstackError(terr)
+			return 0, nil, 0, tcpip.TranslateNetstackError(terr)
 		}
 
 		var err *syserr.Error
diff --git a/pkg/sentry/socket/netstack/provider.go b/pkg/sentry/socket/netstack/provider.go
index 8605ad507..c9fc9497f 100644
--- a/pkg/sentry/socket/netstack/provider.go
+++ b/pkg/sentry/socket/netstack/provider.go
@@ -131,7 +131,7 @@ func (p *provider) Socket(t *kernel.Task, stype linux.SockType, protocol int) (*
 		}
 	}
 	if e != nil {
-		return nil, syserr.TranslateNetstackError(e)
+		return nil, tcpip.TranslateNetstackError(e)
 	}
 
 	return New(t, p.family, stype, int(transProto), wq, ep)
@@ -162,7 +162,7 @@ func packetSocket(t *kernel.Task, epStack *Stack, stype linux.SockType, protocol
 	wq := &waiter.Queue{}
 	ep, err := epStack.Stack.NewPacketEndpoint(cooked, netProto, wq)
 	if err != nil {
-		return nil, syserr.TranslateNetstackError(err)
+		return nil, tcpip.TranslateNetstackError(err)
 	}
 
 	return New(t, linux.AF_PACKET, stype, protocol, wq, ep)
diff --git a/pkg/sentry/socket/netstack/provider_vfs2.go b/pkg/sentry/socket/netstack/provider_vfs2.go
index ba1cc79e9..ac7456483 100644
--- a/pkg/sentry/socket/netstack/provider_vfs2.go
+++ b/pkg/sentry/socket/netstack/provider_vfs2.go
@@ -76,7 +76,7 @@ func (p *providerVFS2) Socket(t *kernel.Task, stype linux.SockType, protocol int
 		}
 	}
 	if e != nil {
-		return nil, syserr.TranslateNetstackError(e)
+		return nil, tcpip.TranslateNetstackError(e)
 	}
 
 	return NewVFS2(t, p.family, stype, int(transProto), wq, ep)
@@ -107,7 +107,7 @@ func packetSocketVFS2(t *kernel.Task, epStack *Stack, stype linux.SockType, prot
 	wq := &waiter.Queue{}
 	ep, err := epStack.Stack.NewPacketEndpoint(cooked, netProto, wq)
 	if err != nil {
-		return nil, syserr.TranslateNetstackError(err)
+		return nil, tcpip.TranslateNetstackError(err)
 	}
 
 	return NewVFS2(t, linux.AF_PACKET, stype, protocol, wq, ep)
diff --git a/pkg/sentry/socket/netstack/stack.go b/pkg/sentry/socket/netstack/stack.go
index ea199f223..19f76e7bc 100644
--- a/pkg/sentry/socket/netstack/stack.go
+++ b/pkg/sentry/socket/netstack/stack.go
@@ -74,7 +74,7 @@ func (s *Stack) Interfaces() map[int32]inet.Interface {
 // RemoveInterface implements inet.Stack.RemoveInterface.
 func (s *Stack) RemoveInterface(idx int32) error {
 	nic := tcpip.NICID(idx)
-	return syserr.TranslateNetstackError(s.Stack.RemoveNIC(nic)).ToError()
+	return tcpip.TranslateNetstackError(s.Stack.RemoveNIC(nic)).ToError()
 }
 
 // InterfaceAddrs implements inet.Stack.InterfaceAddrs.
@@ -156,7 +156,7 @@ func (s *Stack) AddInterfaceAddr(idx int32, addr inet.InterfaceAddr) error {
 	// Attach address to interface.
 	nicID := tcpip.NICID(idx)
 	if err := s.Stack.AddProtocolAddress(nicID, protocolAddress, stack.AddressProperties{}); err != nil {
-		return syserr.TranslateNetstackError(err).ToError()
+		return tcpip.TranslateNetstackError(err).ToError()
 	}
 
 	// Add route for local network if it doesn't exist already.
@@ -188,7 +188,7 @@ func (s *Stack) RemoveInterfaceAddr(idx int32, addr inet.InterfaceAddr) error {
 	// Remove addresses matching the address and prefix.
 	nicID := tcpip.NICID(idx)
 	if err := s.Stack.RemoveAddress(nicID, protocolAddress.AddressWithPrefix.Address); err != nil {
-		return syserr.TranslateNetstackError(err).ToError()
+		return tcpip.TranslateNetstackError(err).ToError()
 	}
 
 	// Remove the corresponding local network route if it exists.
@@ -212,7 +212,7 @@ func (s *Stack) TCPReceiveBufferSize() (inet.TCPBufferSize, error) {
 		Min:     rs.Min,
 		Default: rs.Default,
 		Max:     rs.Max,
-	}, syserr.TranslateNetstackError(err).ToError()
+	}, tcpip.TranslateNetstackError(err).ToError()
 }
 
 // SetTCPReceiveBufferSize implements inet.Stack.SetTCPReceiveBufferSize.
@@ -222,7 +222,7 @@ func (s *Stack) SetTCPReceiveBufferSize(size inet.TCPBufferSize) error {
 		Default: size.Default,
 		Max:     size.Max,
 	}
-	return syserr.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &rs)).ToError()
+	return tcpip.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &rs)).ToError()
 }
 
 // TCPSendBufferSize implements inet.Stack.TCPSendBufferSize.
@@ -233,7 +233,7 @@ func (s *Stack) TCPSendBufferSize() (inet.TCPBufferSize, error) {
 		Min:     ss.Min,
 		Default: ss.Default,
 		Max:     ss.Max,
-	}, syserr.TranslateNetstackError(err).ToError()
+	}, tcpip.TranslateNetstackError(err).ToError()
 }
 
 // SetTCPSendBufferSize implements inet.Stack.SetTCPSendBufferSize.
@@ -243,27 +243,27 @@ func (s *Stack) SetTCPSendBufferSize(size inet.TCPBufferSize) error {
 		Default: size.Default,
 		Max:     size.Max,
 	}
-	return syserr.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &ss)).ToError()
+	return tcpip.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &ss)).ToError()
 }
 
 // TCPSACKEnabled implements inet.Stack.TCPSACKEnabled.
 func (s *Stack) TCPSACKEnabled() (bool, error) {
 	var sack tcpip.TCPSACKEnabled
 	err := s.Stack.TransportProtocolOption(tcp.ProtocolNumber, &sack)
-	return bool(sack), syserr.TranslateNetstackError(err).ToError()
+	return bool(sack), tcpip.TranslateNetstackError(err).ToError()
 }
 
 // SetTCPSACKEnabled implements inet.Stack.SetTCPSACKEnabled.
 func (s *Stack) SetTCPSACKEnabled(enabled bool) error {
 	opt := tcpip.TCPSACKEnabled(enabled)
-	return syserr.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &opt)).ToError()
+	return tcpip.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &opt)).ToError()
 }
 
 // TCPRecovery implements inet.Stack.TCPRecovery.
 func (s *Stack) TCPRecovery() (inet.TCPLossRecovery, error) {
 	var recovery tcpip.TCPRecovery
 	if err := s.Stack.TransportProtocolOption(tcp.ProtocolNumber, &recovery); err != nil {
-		return 0, syserr.TranslateNetstackError(err).ToError()
+		return 0, tcpip.TranslateNetstackError(err).ToError()
 	}
 	return inet.TCPLossRecovery(recovery), nil
 }
@@ -271,7 +271,7 @@ func (s *Stack) TCPRecovery() (inet.TCPLossRecovery, error) {
 // SetTCPRecovery implements inet.Stack.SetTCPRecovery.
 func (s *Stack) SetTCPRecovery(recovery inet.TCPLossRecovery) error {
 	opt := tcpip.TCPRecovery(recovery)
-	return syserr.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &opt)).ToError()
+	return tcpip.TranslateNetstackError(s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, &opt)).ToError()
 }
 
 // Statistics implements inet.Stack.Statistics.
@@ -479,5 +479,5 @@ func (s *Stack) PortRange() (uint16, uint16) {
 
 // SetPortRange implements inet.Stack.SetPortRange.
 func (s *Stack) SetPortRange(start uint16, end uint16) error {
-	return syserr.TranslateNetstackError(s.Stack.SetPortRange(start, end)).ToError()
+	return tcpip.TranslateNetstackError(s.Stack.SetPortRange(start, end)).ToError()
 }
diff --git a/pkg/sentry/socket/socket.go b/pkg/sentry/socket/socket.go
index d4b80a39d..fc5431eb1 100644
--- a/pkg/sentry/socket/socket.go
+++ b/pkg/sentry/socket/socket.go
@@ -92,7 +92,7 @@ func sockErrCmsgToLinux(sockErr *tcpip.SockError) linux.SockErrCMsg {
 	}
 
 	ee := linux.SockExtendedErr{
-		Errno:  uint32(syserr.TranslateNetstackError(sockErr.Err).ToLinux()),
+		Errno:  uint32(tcpip.TranslateNetstackError(sockErr.Err).ToLinux()),
 		Origin: errOriginToLinux(sockErr.Cause.Origin()),
 		Type:   sockErr.Cause.Type(),
 		Code:   sockErr.Cause.Code(),
diff --git a/pkg/sentry/socket/unix/transport/connectioned.go b/pkg/sentry/socket/unix/transport/connectioned.go
index b3f0cf563..46fbaac1b 100644
--- a/pkg/sentry/socket/unix/transport/connectioned.go
+++ b/pkg/sentry/socket/unix/transport/connectioned.go
@@ -260,7 +260,7 @@ func (e *connectionedEndpoint) BidirectionalConnect(ctx context.Context, ce Conn
 
 	// Check if ce is e to avoid a deadlock.
 	if ce, ok := ce.(*connectionedEndpoint); ok && ce == e {
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	// Do a dance to safely acquire locks on both endpoints.
@@ -281,7 +281,7 @@ func (e *connectionedEndpoint) BidirectionalConnect(ctx context.Context, ce Conn
 	if ce.Listening() {
 		e.Unlock()
 		ce.Unlock()
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	// Check bound state.
@@ -384,7 +384,7 @@ func (e *connectionedEndpoint) Listen(backlog int) *syserr.Error {
 		// Adjust the size of the channel iff we can fix existing
 		// pending connections into the new one.
 		if len(e.acceptedChan) > backlog {
-			return syserr.ErrInvalidEndpointState
+			return tcpip.SyserrInvalidEndpointState
 		}
 		origChan := e.acceptedChan
 		e.acceptedChan = make(chan *connectionedEndpoint, backlog)
@@ -395,7 +395,7 @@ func (e *connectionedEndpoint) Listen(backlog int) *syserr.Error {
 		return nil
 	}
 	if !e.isBound() {
-		return syserr.ErrInvalidEndpointState
+		return tcpip.SyserrInvalidEndpointState
 	}
 
 	// Normal case.
@@ -409,7 +409,7 @@ func (e *connectionedEndpoint) Accept(peerAddr *tcpip.FullAddress) (Endpoint, *s
 
 	if !e.Listening() {
 		e.Unlock()
-		return nil, syserr.ErrInvalidEndpointState
+		return nil, tcpip.SyserrInvalidEndpointState
 	}
 
 	select {
@@ -422,7 +422,7 @@ func (e *connectionedEndpoint) Accept(peerAddr *tcpip.FullAddress) (Endpoint, *s
 			if c != nil {
 				addr, err := c.GetLocalAddress()
 				if err != nil {
-					return nil, syserr.TranslateNetstackError(err)
+					return nil, tcpip.TranslateNetstackError(err)
 				}
 				*peerAddr = addr
 			}
@@ -448,11 +448,11 @@ func (e *connectionedEndpoint) Bind(addr tcpip.FullAddress, commit func() *syser
 	e.Lock()
 	defer e.Unlock()
 	if e.isBound() || e.Listening() {
-		return syserr.ErrAlreadyBound
+		return tcpip.SyserrAlreadyBound
 	}
 	if addr.Addr == "" {
 		// The empty string is not permitted.
-		return syserr.ErrBadLocalAddress
+		return tcpip.SyserrBadLocalAddress
 	}
 	if commit != nil {
 		if err := commit(); err != nil {
@@ -471,7 +471,7 @@ func (e *connectionedEndpoint) SendMsg(ctx context.Context, data [][]byte, c Con
 	// Stream sockets do not support specifying the endpoint. Seqpacket
 	// sockets ignore the passed endpoint.
 	if e.stype == linux.SOCK_STREAM && to != nil {
-		return 0, syserr.ErrNotSupported
+		return 0, tcpip.SyserrNotSupported
 	}
 	return e.baseEndpoint.SendMsg(ctx, data, c, to)
 }
diff --git a/pkg/sentry/socket/unix/transport/connectionless.go b/pkg/sentry/socket/unix/transport/connectionless.go
index 61311718e..6f4d4feb8 100644
--- a/pkg/sentry/socket/unix/transport/connectionless.go
+++ b/pkg/sentry/socket/unix/transport/connectionless.go
@@ -109,7 +109,7 @@ func (e *connectionlessEndpoint) SendMsg(ctx context.Context, data [][]byte, c C
 
 	connected, err := to.UnidirectionalConnect(ctx)
 	if err != nil {
-		return 0, syserr.ErrInvalidEndpointState
+		return 0, tcpip.SyserrInvalidEndpointState
 	}
 	defer connected.Release(ctx)
 
@@ -148,12 +148,12 @@ func (e *connectionlessEndpoint) Connect(ctx context.Context, server BoundEndpoi
 
 // Listen starts listening on the connection.
 func (*connectionlessEndpoint) Listen(int) *syserr.Error {
-	return syserr.ErrNotSupported
+	return tcpip.SyserrNotSupported
 }
 
 // Accept accepts a new connection.
 func (*connectionlessEndpoint) Accept(*tcpip.FullAddress) (Endpoint, *syserr.Error) {
-	return nil, syserr.ErrNotSupported
+	return nil, tcpip.SyserrNotSupported
 }
 
 // Bind binds the connection.
@@ -168,11 +168,11 @@ func (e *connectionlessEndpoint) Bind(addr tcpip.FullAddress, commit func() *sys
 	e.Lock()
 	defer e.Unlock()
 	if e.isBound() {
-		return syserr.ErrAlreadyBound
+		return tcpip.SyserrAlreadyBound
 	}
 	if addr.Addr == "" {
 		// The empty string is not permitted.
-		return syserr.ErrBadLocalAddress
+		return tcpip.SyserrBadLocalAddress
 	}
 	if commit != nil {
 		if err := commit(); err != nil {
diff --git a/pkg/sentry/socket/unix/transport/queue.go b/pkg/sentry/socket/unix/transport/queue.go
index 188ad3bd9..3a57ed0ef 100644
--- a/pkg/sentry/socket/unix/transport/queue.go
+++ b/pkg/sentry/socket/unix/transport/queue.go
@@ -120,7 +120,7 @@ func (q *queue) Enqueue(ctx context.Context, data [][]byte, c ControlMessages, f
 
 	if q.closed {
 		q.mu.Unlock()
-		return 0, false, syserr.ErrClosedForSend
+		return 0, false, tcpip.SyserrClosedForSend
 	}
 
 	for _, d := range data {
@@ -188,7 +188,7 @@ func (q *queue) Dequeue() (e *message, notify bool, err *syserr.Error) {
 	if q.dataList.Front() == nil {
 		err := syserr.ErrWouldBlock
 		if q.closed {
-			err = syserr.ErrClosedForReceive
+			err = tcpip.SyserrClosedForReceive
 			if q.unread {
 				err = syserr.ErrConnectionReset
 			}
@@ -219,7 +219,7 @@ func (q *queue) Peek() (*message, *syserr.Error) {
 	if q.dataList.Front() == nil {
 		err := syserr.ErrWouldBlock
 		if q.closed {
-			if err = syserr.ErrClosedForReceive; q.unread {
+			if err = tcpip.SyserrClosedForReceive; q.unread {
 				err = syserr.ErrConnectionReset
 			}
 		}
diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go
index e9e482017..032678032 100644
--- a/pkg/sentry/socket/unix/unix.go
+++ b/pkg/sentry/socket/unix/unix.go
@@ -167,7 +167,7 @@ func extractPath(sockaddr []byte) (string, *syserr.Error) {
 func (s *socketOpsCommon) GetPeerName(t *kernel.Task) (linux.SockAddr, uint32, *syserr.Error) {
 	addr, err := s.ep.GetRemoteAddress()
 	if err != nil {
-		return nil, 0, syserr.TranslateNetstackError(err)
+		return nil, 0, tcpip.TranslateNetstackError(err)
 	}
 
 	a, l := socket.ConvertAddress(linux.AF_UNIX, addr)
@@ -179,7 +179,7 @@ func (s *socketOpsCommon) GetPeerName(t *kernel.Task) (linux.SockAddr, uint32, *
 func (s *socketOpsCommon) GetSockName(t *kernel.Task) (linux.SockAddr, uint32, *syserr.Error) {
 	addr, err := s.ep.GetLocalAddress()
 	if err != nil {
-		return nil, 0, syserr.TranslateNetstackError(err)
+		return nil, 0, tcpip.TranslateNetstackError(err)
 	}
 
 	a, l := socket.ConvertAddress(linux.AF_UNIX, addr)
@@ -288,13 +288,13 @@ func (s *SocketOperations) Bind(t *kernel.Task, sockaddr []byte) *syserr.Error {
 		// Is it abstract?
 		if p[0] == 0 {
 			if t.IsNetworkNamespaced() {
-				return syserr.ErrInvalidEndpointState
+				return tcpip.SyserrInvalidEndpointState
 			}
 			asn := t.AbstractSockets()
 			name := p[1:]
 			if err := asn.Bind(t, name, bep, s); err != nil {
-				// syserr.ErrPortInUse corresponds to EADDRINUSE.
-				return syserr.ErrPortInUse
+				// tcpip.SyserrPortInUse corresponds to EADDRINUSE.
+				return tcpip.SyserrPortInUse
 			}
 			s.abstractName = name
 			s.abstractNamespace = asn
@@ -326,7 +326,7 @@ func (s *SocketOperations) Bind(t *kernel.Task, sockaddr []byte) *syserr.Error {
 				d, err = t.MountNamespace().FindInode(t, root, cwd, subPath, &remainingTraversals)
 				if err != nil {
 					// No path available.
-					return syserr.ErrNoSuchFile
+					return tcpip.SyserrNoSuchFile
 				}
 				defer d.DecRef(t)
 				name = p[lastSlash+1:]
@@ -340,7 +340,7 @@ func (s *SocketOperations) Bind(t *kernel.Task, sockaddr []byte) *syserr.Error {
 			// unresolved until VFS2 replaces this code.
 			childDir, err := d.Bind(t, t.FSContext().RootDirectory(), name, bep, fs.FilePermissions{User: fs.PermMask{Read: true}})
 			if err != nil {
-				return syserr.ErrPortInUse
+				return tcpip.SyserrPortInUse
 			}
 			childDir.DecRef(t)
 		}
@@ -477,7 +477,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b
 			if s.State() == linux.SS_CONNECTED {
 				return 0, syserr.ErrAlreadyConnected
 			}
-			return 0, syserr.ErrNotSupported
+			return 0, tcpip.SyserrNotSupported
 		default:
 			ep, err := extractEndpoint(t, to)
 			if err != nil {
diff --git a/pkg/sentry/socket/unix/unix_vfs2.go b/pkg/sentry/socket/unix/unix_vfs2.go
index 8c5075a1c..b05233dfe 100644
--- a/pkg/sentry/socket/unix/unix_vfs2.go
+++ b/pkg/sentry/socket/unix/unix_vfs2.go
@@ -202,13 +202,13 @@ func (s *SocketVFS2) Bind(t *kernel.Task, sockaddr []byte) *syserr.Error {
 		// Is it abstract?
 		if p[0] == 0 {
 			if t.IsNetworkNamespaced() {
-				return syserr.ErrInvalidEndpointState
+				return tcpip.SyserrInvalidEndpointState
 			}
 			asn := t.AbstractSockets()
 			name := p[1:]
 			if err := asn.Bind(t, name, bep, s); err != nil {
-				// syserr.ErrPortInUse corresponds to EADDRINUSE.
-				return syserr.ErrPortInUse
+				// tcpip.SyserrPortInUse corresponds to EADDRINUSE.
+				return tcpip.SyserrPortInUse
 			}
 			s.abstractName = name
 			s.abstractNamespace = asn
diff --git a/pkg/syserr/netstack.go b/pkg/syserr/netstack.go
deleted file mode 100644
index eb44f1254..000000000
--- a/pkg/syserr/netstack.go
+++ /dev/null
@@ -1,146 +0,0 @@
-// Copyright 2018 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package syserr
-
-import (
-	"fmt"
-
-	"gvisor.dev/gvisor/pkg/abi/linux/errno"
-	"gvisor.dev/gvisor/pkg/tcpip"
-)
-
-// LINT.IfChange
-
-// Mapping for tcpip.Error types.
-var (
-	ErrUnknownProtocol       = New((&tcpip.ErrUnknownProtocol{}).String(), errno.EINVAL)
-	ErrUnknownNICID          = New((&tcpip.ErrUnknownNICID{}).String(), errno.ENODEV)
-	ErrUnknownDevice         = New((&tcpip.ErrUnknownDevice{}).String(), errno.ENODEV)
-	ErrUnknownProtocolOption = New((&tcpip.ErrUnknownProtocolOption{}).String(), errno.ENOPROTOOPT)
-	ErrDuplicateNICID        = New((&tcpip.ErrDuplicateNICID{}).String(), errno.EEXIST)
-	ErrDuplicateAddress      = New((&tcpip.ErrDuplicateAddress{}).String(), errno.EEXIST)
-	ErrAlreadyBound          = New((&tcpip.ErrAlreadyBound{}).String(), errno.EINVAL)
-	ErrInvalidEndpointState  = New((&tcpip.ErrInvalidEndpointState{}).String(), errno.EINVAL)
-	ErrAlreadyConnecting     = New((&tcpip.ErrAlreadyConnecting{}).String(), errno.EALREADY)
-	ErrNoPortAvailable       = New((&tcpip.ErrNoPortAvailable{}).String(), errno.EAGAIN)
-	ErrPortInUse             = New((&tcpip.ErrPortInUse{}).String(), errno.EADDRINUSE)
-	ErrBadLocalAddress       = New((&tcpip.ErrBadLocalAddress{}).String(), errno.EADDRNOTAVAIL)
-	ErrClosedForSend         = New((&tcpip.ErrClosedForSend{}).String(), errno.EPIPE)
-	ErrClosedForReceive      = New((&tcpip.ErrClosedForReceive{}).String(), errno.NOERRNO)
-	ErrTimeout               = New((&tcpip.ErrTimeout{}).String(), errno.ETIMEDOUT)
-	ErrAborted               = New((&tcpip.ErrAborted{}).String(), errno.EPIPE)
-	ErrConnectStarted        = New((&tcpip.ErrConnectStarted{}).String(), errno.EINPROGRESS)
-	ErrDestinationRequired   = New((&tcpip.ErrDestinationRequired{}).String(), errno.EDESTADDRREQ)
-	ErrNotSupported          = New((&tcpip.ErrNotSupported{}).String(), errno.EOPNOTSUPP)
-	ErrQueueSizeNotSupported = New((&tcpip.ErrQueueSizeNotSupported{}).String(), errno.ENOTTY)
-	ErrNoSuchFile            = New((&tcpip.ErrNoSuchFile{}).String(), errno.ENOENT)
-	ErrInvalidOptionValue    = New((&tcpip.ErrInvalidOptionValue{}).String(), errno.EINVAL)
-	ErrBroadcastDisabled     = New((&tcpip.ErrBroadcastDisabled{}).String(), errno.EACCES)
-	ErrNotPermittedNet       = New((&tcpip.ErrNotPermitted{}).String(), errno.EPERM)
-	ErrBadBuffer             = New((&tcpip.ErrBadBuffer{}).String(), errno.EFAULT)
-	ErrMalformedHeader       = New((&tcpip.ErrMalformedHeader{}).String(), errno.EINVAL)
-	ErrInvalidPortRange      = New((&tcpip.ErrInvalidPortRange{}).String(), errno.EINVAL)
-)
-
-// TranslateNetstackError converts an error from the tcpip package to a sentry
-// internal error.
-func TranslateNetstackError(err tcpip.Error) *Error {
-	switch err.(type) {
-	case nil:
-		return nil
-	case *tcpip.ErrUnknownProtocol:
-		return ErrUnknownProtocol
-	case *tcpip.ErrUnknownNICID:
-		return ErrUnknownNICID
-	case *tcpip.ErrUnknownDevice:
-		return ErrUnknownDevice
-	case *tcpip.ErrUnknownProtocolOption:
-		return ErrUnknownProtocolOption
-	case *tcpip.ErrDuplicateNICID:
-		return ErrDuplicateNICID
-	case *tcpip.ErrDuplicateAddress:
-		return ErrDuplicateAddress
-	case *tcpip.ErrNoRoute:
-		return ErrNoRoute
-	case *tcpip.ErrAlreadyBound:
-		return ErrAlreadyBound
-	case *tcpip.ErrInvalidEndpointState:
-		return ErrInvalidEndpointState
-	case *tcpip.ErrAlreadyConnecting:
-		return ErrAlreadyConnecting
-	case *tcpip.ErrAlreadyConnected:
-		return ErrAlreadyConnected
-	case *tcpip.ErrNoPortAvailable:
-		return ErrNoPortAvailable
-	case *tcpip.ErrPortInUse:
-		return ErrPortInUse
-	case *tcpip.ErrBadLocalAddress:
-		return ErrBadLocalAddress
-	case *tcpip.ErrClosedForSend:
-		return ErrClosedForSend
-	case *tcpip.ErrClosedForReceive:
-		return ErrClosedForReceive
-	case *tcpip.ErrWouldBlock:
-		return ErrWouldBlock
-	case *tcpip.ErrConnectionRefused:
-		return ErrConnectionRefused
-	case *tcpip.ErrTimeout:
-		return ErrTimeout
-	case *tcpip.ErrAborted:
-		return ErrAborted
-	case *tcpip.ErrConnectStarted:
-		return ErrConnectStarted
-	case *tcpip.ErrDestinationRequired:
-		return ErrDestinationRequired
-	case *tcpip.ErrNotSupported:
-		return ErrNotSupported
-	case *tcpip.ErrQueueSizeNotSupported:
-		return ErrQueueSizeNotSupported
-	case *tcpip.ErrNotConnected:
-		return ErrNotConnected
-	case *tcpip.ErrConnectionReset:
-		return ErrConnectionReset
-	case *tcpip.ErrConnectionAborted:
-		return ErrConnectionAborted
-	case *tcpip.ErrNoSuchFile:
-		return ErrNoSuchFile
-	case *tcpip.ErrInvalidOptionValue:
-		return ErrInvalidOptionValue
-	case *tcpip.ErrBadAddress:
-		return ErrBadAddress
-	case *tcpip.ErrNetworkUnreachable:
-		return ErrNetworkUnreachable
-	case *tcpip.ErrMessageTooLong:
-		return ErrMessageTooLong
-	case *tcpip.ErrNoBufferSpace:
-		return ErrNoBufferSpace
-	case *tcpip.ErrBroadcastDisabled:
-		return ErrBroadcastDisabled
-	case *tcpip.ErrNotPermitted:
-		return ErrNotPermittedNet
-	case *tcpip.ErrAddressFamilyNotSupported:
-		return ErrAddressFamilyNotSupported
-	case *tcpip.ErrBadBuffer:
-		return ErrBadBuffer
-	case *tcpip.ErrMalformedHeader:
-		return ErrMalformedHeader
-	case *tcpip.ErrInvalidPortRange:
-		return ErrInvalidPortRange
-	default:
-		panic(fmt.Sprintf("unknown error %T", err))
-	}
-}
-
-// LINT.ThenChange(../tcpip/errors.go)
diff --git a/pkg/tcpip/syserr.go b/pkg/tcpip/syserr.go
new file mode 100644
index 000000000..c73a0fb79
--- /dev/null
+++ b/pkg/tcpip/syserr.go
@@ -0,0 +1,146 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tcpip
+
+import (
+	"fmt"
+
+	"gvisor.dev/gvisor/pkg/abi/linux/errno"
+	"gvisor.dev/gvisor/pkg/syserr"
+)
+
+// LINT.IfChange
+
+// Mapping for tcpip.Error types.
+var (
+	SyserrUnknownProtocol       = syserr.New((&ErrUnknownProtocol{}).String(), errno.EINVAL)
+	SyserrUnknownNICID          = syserr.New((&ErrUnknownNICID{}).String(), errno.ENODEV)
+	SyserrUnknownDevice         = syserr.New((&ErrUnknownDevice{}).String(), errno.ENODEV)
+	SyserrUnknownProtocolOption = syserr.New((&ErrUnknownProtocolOption{}).String(), errno.ENOPROTOOPT)
+	SyserrDuplicateNICID        = syserr.New((&ErrDuplicateNICID{}).String(), errno.EEXIST)
+	SyserrDuplicateAddress      = syserr.New((&ErrDuplicateAddress{}).String(), errno.EEXIST)
+	SyserrAlreadyBound          = syserr.New((&ErrAlreadyBound{}).String(), errno.EINVAL)
+	SyserrInvalidEndpointState  = syserr.New((&ErrInvalidEndpointState{}).String(), errno.EINVAL)
+	SyserrAlreadyConnecting     = syserr.New((&ErrAlreadyConnecting{}).String(), errno.EALREADY)
+	SyserrNoPortAvailable       = syserr.New((&ErrNoPortAvailable{}).String(), errno.EAGAIN)
+	SyserrPortInUse             = syserr.New((&ErrPortInUse{}).String(), errno.EADDRINUSE)
+	SyserrBadLocalAddress       = syserr.New((&ErrBadLocalAddress{}).String(), errno.EADDRNOTAVAIL)
+	SyserrClosedForSend         = syserr.New((&ErrClosedForSend{}).String(), errno.EPIPE)
+	SyserrClosedForReceive      = syserr.New((&ErrClosedForReceive{}).String(), errno.NOERRNO)
+	SyserrTimeout               = syserr.New((&ErrTimeout{}).String(), errno.ETIMEDOUT)
+	SyserrAborted               = syserr.New((&ErrAborted{}).String(), errno.EPIPE)
+	SyserrConnectStarted        = syserr.New((&ErrConnectStarted{}).String(), errno.EINPROGRESS)
+	SyserrDestinationRequired   = syserr.New((&ErrDestinationRequired{}).String(), errno.EDESTADDRREQ)
+	SyserrNotSupported          = syserr.New((&ErrNotSupported{}).String(), errno.EOPNOTSUPP)
+	SyserrQueueSizeNotSupported = syserr.New((&ErrQueueSizeNotSupported{}).String(), errno.ENOTTY)
+	SyserrNoSuchFile            = syserr.New((&ErrNoSuchFile{}).String(), errno.ENOENT)
+	SyserrInvalidOptionValue    = syserr.New((&ErrInvalidOptionValue{}).String(), errno.EINVAL)
+	SyserrBroadcastDisabled     = syserr.New((&ErrBroadcastDisabled{}).String(), errno.EACCES)
+	SyserrNotPermittedNet       = syserr.New((&ErrNotPermitted{}).String(), errno.EPERM)
+	SyserrBadBuffer             = syserr.New((&ErrBadBuffer{}).String(), errno.EFAULT)
+	SyserrMalformedHeader       = syserr.New((&ErrMalformedHeader{}).String(), errno.EINVAL)
+	SyserrInvalidPortRange      = syserr.New((&ErrInvalidPortRange{}).String(), errno.EINVAL)
+)
+
+// TranslateNetstackError converts an error from the tcpip package to a sentry
+// internal error.
+func TranslateNetstackError(err Error) *syserr.Error {
+	switch err.(type) {
+	case nil:
+		return nil
+	case *ErrUnknownProtocol:
+		return SyserrUnknownProtocol
+	case *ErrUnknownNICID:
+		return SyserrUnknownNICID
+	case *ErrUnknownDevice:
+		return SyserrUnknownDevice
+	case *ErrUnknownProtocolOption:
+		return SyserrUnknownProtocolOption
+	case *ErrDuplicateNICID:
+		return SyserrDuplicateNICID
+	case *ErrDuplicateAddress:
+		return SyserrDuplicateAddress
+	case *ErrNoRoute:
+		return syserr.ErrNoRoute
+	case *ErrAlreadyBound:
+		return SyserrAlreadyBound
+	case *ErrInvalidEndpointState:
+		return SyserrInvalidEndpointState
+	case *ErrAlreadyConnecting:
+		return SyserrAlreadyConnecting
+	case *ErrAlreadyConnected:
+		return syserr.ErrAlreadyConnected
+	case *ErrNoPortAvailable:
+		return SyserrNoPortAvailable
+	case *ErrPortInUse:
+		return SyserrPortInUse
+	case *ErrBadLocalAddress:
+		return SyserrBadLocalAddress
+	case *ErrClosedForSend:
+		return SyserrClosedForSend
+	case *ErrClosedForReceive:
+		return SyserrClosedForReceive
+	case *ErrWouldBlock:
+		return syserr.ErrWouldBlock
+	case *ErrConnectionRefused:
+		return syserr.ErrConnectionRefused
+	case *ErrTimeout:
+		return SyserrTimeout
+	case *ErrAborted:
+		return SyserrAborted
+	case *ErrConnectStarted:
+		return SyserrConnectStarted
+	case *ErrDestinationRequired:
+		return SyserrDestinationRequired
+	case *ErrNotSupported:
+		return SyserrNotSupported
+	case *ErrQueueSizeNotSupported:
+		return SyserrQueueSizeNotSupported
+	case *ErrNotConnected:
+		return syserr.ErrNotConnected
+	case *ErrConnectionReset:
+		return syserr.ErrConnectionReset
+	case *ErrConnectionAborted:
+		return syserr.ErrConnectionAborted
+	case *ErrNoSuchFile:
+		return SyserrNoSuchFile
+	case *ErrInvalidOptionValue:
+		return SyserrInvalidOptionValue
+	case *ErrBadAddress:
+		return syserr.ErrBadAddress
+	case *ErrNetworkUnreachable:
+		return syserr.ErrNetworkUnreachable
+	case *ErrMessageTooLong:
+		return syserr.ErrMessageTooLong
+	case *ErrNoBufferSpace:
+		return syserr.ErrNoBufferSpace
+	case *ErrBroadcastDisabled:
+		return SyserrBroadcastDisabled
+	case *ErrNotPermitted:
+		return SyserrNotPermittedNet
+	case *ErrAddressFamilyNotSupported:
+		return syserr.ErrAddressFamilyNotSupported
+	case *ErrBadBuffer:
+		return SyserrBadBuffer
+	case *ErrMalformedHeader:
+		return SyserrMalformedHeader
+	case *ErrInvalidPortRange:
+		return SyserrInvalidPortRange
+	default:
+		panic(fmt.Sprintf("unknown error %T", err))
+	}
+}
+
+// LINT.ThenChange(../tcpip/errors.go)