diff --git a/client/FwmarkClient.cpp b/client/FwmarkClient.cpp
index 03cd5fb..db2009f 100644
--- a/client/FwmarkClient.cpp
+++ b/client/FwmarkClient.cpp
@@ -43,7 +43,7 @@
 int FwmarkClient::send(void* data, size_t len, int fd) {
     mChannel = socket(AF_UNIX, SOCK_STREAM, 0);
     if (mChannel == -1) {
-        return errno;
+        return -errno;
     }
 
     if (TEMP_FAILURE_RETRY(connect(mChannel, reinterpret_cast<const sockaddr*>(&FWMARK_SERVER_PATH),
@@ -78,13 +78,13 @@
     memcpy(CMSG_DATA(cmsgh), &fd, sizeof(fd));
 
     if (TEMP_FAILURE_RETRY(sendmsg(mChannel, &message, 0)) == -1) {
-        return errno;
+        return -errno;
     }
 
     int error = 0;
 
     if (TEMP_FAILURE_RETRY(recv(mChannel, &error, sizeof(error), 0)) == -1) {
-        return errno;
+        return -errno;
     }
 
     return error;
diff --git a/client/FwmarkClient.h b/client/FwmarkClient.h
index 37f89bc..620275e 100644
--- a/client/FwmarkClient.h
+++ b/client/FwmarkClient.h
@@ -29,7 +29,7 @@
     ~FwmarkClient();
 
     // Sends |data| to the fwmark server, along with |fd| as ancillary data using cmsg(3).
-    // Returns 0 on success or an errno value on failure.
+    // Returns 0 on success or a negative errno value on failure.
     int send(void* data, size_t len, int fd);
 
 private:
diff --git a/client/NetdClient.cpp b/client/NetdClient.cpp
index 7380224..f499f2a 100644
--- a/client/NetdClient.cpp
+++ b/client/NetdClient.cpp
@@ -43,7 +43,7 @@
 
 int closeFdAndSetErrno(int fd, int error) {
     close(fd);
-    errno = error;
+    errno = -error;
     return -1;
 }
 
@@ -58,7 +58,7 @@
     } else {
         socklen_t familyLen = sizeof(family);
         if (getsockopt(acceptedSocket, SOL_SOCKET, SO_DOMAIN, &family, &familyLen) == -1) {
-            return closeFdAndSetErrno(acceptedSocket, errno);
+            return closeFdAndSetErrno(acceptedSocket, -errno);
         }
     }
     if (FwmarkClient::shouldSetFwmark(family)) {
@@ -76,7 +76,7 @@
         FwmarkCommand command = {FwmarkCommand::ON_CONNECT, 0};
         int error = FwmarkClient().send(&command, sizeof(command), sockfd);
         if (error) {
-            errno = error;
+            errno = -error;
             return -1;
         }
     }
@@ -124,7 +124,7 @@
         socketFd = socket(AF_INET6, SOCK_DGRAM, 0);
     }
     if (socketFd < 0) {
-        return errno;
+        return -errno;
     }
     int error = setNetworkForSocket(netId, socketFd);
     if (!error) {
@@ -166,12 +166,12 @@
 
 extern "C" int getNetworkForSocket(unsigned* netId, int socketFd) {
     if (!netId || socketFd < 0) {
-        return EBADF;
+        return -EBADF;
     }
     Fwmark fwmark;
     socklen_t fwmarkLen = sizeof(fwmark.intValue);
     if (getsockopt(socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
-        return errno;
+        return -errno;
     }
     *netId = fwmark.netId;
     return 0;
@@ -183,7 +183,7 @@
 
 extern "C" int setNetworkForSocket(unsigned netId, int socketFd) {
     if (socketFd < 0) {
-        return EBADF;
+        return -EBADF;
     }
     FwmarkCommand command = {FwmarkCommand::SELECT_NETWORK, netId};
     return FwmarkClient().send(&command, sizeof(command), socketFd);
@@ -199,7 +199,7 @@
 
 extern "C" int protectFromVpn(int socketFd) {
     if (socketFd < 0) {
-        return EBADF;
+        return -EBADF;
     }
     FwmarkCommand command = {FwmarkCommand::PROTECT_FROM_VPN, 0};
     return FwmarkClient().send(&command, sizeof(command), socketFd);
diff --git a/include/NetdClient.h b/include/NetdClient.h
index 1a2f8be..742902f 100644
--- a/include/NetdClient.h
+++ b/include/NetdClient.h
@@ -22,7 +22,7 @@
 
 __BEGIN_DECLS
 
-// All functions below that return an int return 0 on success or an errno value on failure.
+// All functions below that return an int return 0 on success or a negative errno value on failure.
 
 int getNetworkForSocket(unsigned* netId, int socketFd);
 int setNetworkForSocket(unsigned netId, int socketFd);
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 605e724..b5a5872 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -34,8 +34,7 @@
 
 bool FwmarkServer::onDataAvailable(SocketClient* client) {
     int fd = -1;
-    processClient(client, &fd);
-    int error = errno;
+    int error = processClient(client, &fd);
     if (fd >= 0) {
         close(fd);
     }
@@ -50,7 +49,7 @@
     return false;
 }
 
-void FwmarkServer::processClient(SocketClient* client, int* fd) {
+int FwmarkServer::processClient(SocketClient* client, int* fd) {
     FwmarkCommand command;
 
     iovec iov;
@@ -73,12 +72,11 @@
 
     int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
     if (messageLength <= 0) {
-        return;
+        return -errno;
     }
 
     if (messageLength != sizeof(command)) {
-        errno = EINVAL;
-        return;
+        return -EBADMSG;
     }
 
     cmsghdr* const cmsgh = CMSG_FIRSTHDR(&message);
@@ -88,14 +86,13 @@
     }
 
     if (*fd < 0) {
-        errno = EBADF;
-        return;
+        return -EBADF;
     }
 
     Fwmark fwmark;
     socklen_t fwmarkLen = sizeof(fwmark.intValue);
     if (getsockopt(*fd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
-        return;
+        return -errno;
     }
 
     fwmark.permission = mPermissionsController->getPermissionForUser(client->getUid());
@@ -105,8 +102,7 @@
             // Called after a socket accept(). The kernel would've marked the netId into the socket
             // already, so we just need to check permissions here.
             if (!mPermissionsController->isUserPermittedOnNetwork(client->getUid(), fwmark.netId)) {
-                errno = EPERM;
-                return;
+                return -EPERM;
             }
             break;
         }
@@ -132,13 +128,11 @@
                     fwmark.protectedFromVpn = true;
                 }
                 if (!mNetworkController->isValidNetwork(command.netId)) {
-                    errno = ENONET;
-                    return;
+                    return -ENONET;
                 }
                 if (!mPermissionsController->isUserPermittedOnNetwork(client->getUid(),
                                                                       command.netId)) {
-                    errno = EPERM;
-                    return;
+                    return -EPERM;
                 }
             }
             break;
@@ -152,14 +146,13 @@
 
         default: {
             // unknown command
-            errno = EINVAL;
-            return;
+            return -EPROTO;
         }
     }
 
     if (setsockopt(*fd, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)) == -1) {
-        return;
+        return -errno;
     }
 
-    errno = 0;
+    return 0;
 }
diff --git a/server/FwmarkServer.h b/server/FwmarkServer.h
index 5629bf9..04fb280 100644
--- a/server/FwmarkServer.h
+++ b/server/FwmarkServer.h
@@ -31,8 +31,8 @@
     // Overridden from SocketListener:
     bool onDataAvailable(SocketClient* client);
 
-    // Returns success / failure implicitly via errno.
-    void processClient(SocketClient* client, int* fd);
+    // Returns 0 on success or a negative errno value on failure.
+    int processClient(SocketClient* client, int* fd);
 
     NetworkController* const mNetworkController;
     PermissionsController* const mPermissionsController;