diff --git a/go/protect_server/protect_server_linux.go b/go/protect_server/protect_server_linux.go
index 737a7ed..37a63ab 100644
--- a/go/protect_server/protect_server_linux.go
+++ b/go/protect_server/protect_server_linux.go
@@ -72,6 +72,7 @@ func ServeProtect(path string, fwmark int) {
 					log.Println("getOneFd:", err)
 					return
 				}
+				defer syscall.Close(fd)
 
 				if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, fwmark); err != nil {
 					log.Println("syscall.SetsockoptInt:", err)
diff --git a/go/toolbox_linux.go b/go/toolbox_linux.go
index 8ce44b9..82e1e47 100644
--- a/go/toolbox_linux.go
+++ b/go/toolbox_linux.go
@@ -2,9 +2,13 @@ package main
 
 import (
 	"flag"
+	"io"
 	"log"
 	"nekoray_core/protect_server"
+	"net"
+	"net/http"
 	"os"
+	"syscall"
 
 	"github.com/jsimonetti/rtnetlink"
 	linuxcap "kernel.org/pub/linux/libs/security/libcap/cap"
@@ -63,5 +67,27 @@ func ToolBox() {
 			log.Println(protectListenPath, protectFwMark)
 			protect_server.ServeProtect(protectListenPath, protectFwMark)
 		}
+	case "btd": // Test the permission
+		{
+			d := &net.Dialer{
+				Control: func(network, address string, c syscall.RawConn) (err error) {
+					c.Control(func(fd uintptr) {
+						err = syscall.BindToDevice(int(fd), os.Args[3])
+					})
+					return
+				},
+			}
+			c := http.Client{
+				Transport: &http.Transport{
+					DialContext: d.DialContext,
+				},
+			}
+			resp, err := c.Get(os.Args[4])
+			if err != nil {
+				log.Fatalln(err)
+			}
+			io.Copy(os.Stdout, resp.Body)
+			resp.Body.Close()
+		}
 	}
 }