06-13-2011
help implementing an IP filter in linux/net/socket.c (kernel programming)
hi there
So, I was given an assignment: implement a Linux system call that blocks all packets that are sent to a given IP (I have to do it without using iptables).
I'm really new to kernel programming btw (and I'm enjoying it a lot).
So, my syscall is called ip_block() and receives a regular IP string as its only argument, e.g. ip_block("200.225.123.34").
So what I did was: I implemented the ip_block syscall in "net/socket.c", and this syscall pretty much stores the IP passed as argument (the one I want to block packets I send to) for later use.
Then, I modified the already implemented syscall sendto(), as we know, the syscall that's called every time a packet is sent.
This syscall receives as an argument a sockaddr struct, which stores the packet's socket address; its fields are sa_family (a flag so we know which kind of address it stores) and an array of chars called sa_data, which is the address itself.
So, what I did was: every time sendto() was called, I would check the packet's address, and if it matched the IP I had passed to my own syscall, it would just ignore the packet.
But what I have noticed is that all packets sent from my computer are neither IPv4 nor IPv6 packets. As I "debugged" the syscall sendto() and made it print on the screen the sa_family field of every sent packet, I realized that all the packets' "sa_family" flags, instead of AF_INET or AF_INET6 (IPv4 and IPv6), were actually from family AF_NETLINK or AF_PACKET, which I can't extract the IP from, meaning I can't block them since I don't know if they're the ones I want to block!
I have done the same modification in syscall connect(), and it worked: most of the connections made through connect() were given a sockaddr struct as argument and its sa_family flag was either AF_INET or AF_INET6, which I could easily extract the IP from and compare with the one I had in my own structure, the one I wanted to block.
So, do you have any ideas of what I should do? As I've done some research, I realized AF_NETLINK and AF_PACKET mean the packets are only exchanging data between userspace and kernelspace, but clearly TCP/IP packets are being sent from my machine as well. Where can I get their IP addresses?
Since it's an assignment, I can't just implement a syscall that goes like:
syscall ip_block(){ system("iptables etc. DROP"); }
since I was asked to filter these IPs using kernel programming...
Any thoughts or ideas?
Thanks in advance, and sorry if there are any language mistakes above. English is not my native language (Brazilian here).
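As an added example (userspace C, not the poster's kernel code and not anything from the Linux tree), here is the comparison logic a sendto()/connect() hook would need: given the sockaddr the caller passed and the IPv4 string stored by ip_block(), decide whether the destination matches. It assumes Linux headers; the check_dest() helper and the sample addresses are constructed for demonstration.

```c
/* Added example, userspace C (not the poster's kernel code): the decision a
 * sendto()/connect() hook needs, given the caller's sockaddr and the IPv4
 * string stored by ip_block(). Only AF_INET/AF_INET6 carry an IP; other
 * families (AF_NETLINK, AF_PACKET, ...) are passed through. Assumes Linux. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#ifndef AF_NETLINK
#define AF_NETLINK 16  /* Linux value; guard only for non-Linux hosts */
#endif

/* 1 if the destination in sa equals blocked_ip (dotted quad), else 0. */
int should_block(const struct sockaddr *sa, socklen_t len, const char *blocked_ip)
{
    struct in_addr blocked;
    if (!sa || inet_pton(AF_INET, blocked_ip, &blocked) != 1)
        return 0;
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        if (len < sizeof *in4) return 0;
        return in4->sin_addr.s_addr == blocked.s_addr;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (len < sizeof *in6) return 0;
        /* an IPv4 peer on an AF_INET6 socket appears as ::ffff:a.b.c.d */
        if (!IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr)) return 0;
        return memcmp(&in6->sin6_addr.s6_addr[12], &blocked, 4) == 0;
    }
    return 0;  /* AF_NETLINK, AF_PACKET, AF_UNIX, ...: no IP to compare */
}

/* Constructed helper for exercising should_block(): builds a sockaddr of
 * `family` for dst_ip (ignored unless AF_INET/AF_INET6). -1 = bad input. */
int check_dest(int family, const char *dst_ip, const char *blocked_ip)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = family;
    if (family == AF_INET) {
        struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
        if (inet_pton(AF_INET, dst_ip, &in4->sin_addr) != 1) return -1;
        len = sizeof *in4;
    } else if (family == AF_INET6) {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
        if (inet_pton(AF_INET6, dst_ip, &in6->sin6_addr) != 1) return -1;
        len = sizeof *in6;
    }
    return should_block((struct sockaddr *)&ss, len, blocked_ip);
}
```

Note that a sockaddr of family AF_NETLINK or AF_PACKET simply has no IP in it, which is why the check falls through to "not blocked" for those families.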