hi there

So, I was given an assignment: implement a syscall that blocks all packets sent to a given IP (without using iptables).

I'm really new to kernel programming, btw (and I'm enjoying it a lot).

So, my syscall is called ip_block() and receives a regular IP string as its only argument, e.g. ip_block("200.225.123.34").

So what I did was: I implemented this syscall in "net/socket.c", and it pretty much stores the IP passed as the argument in a structure I implemented as well.

Then, I modified the already implemented syscall sendto(), which, as we know, is the syscall that's called every time a packet is sent.

This syscall receives as an argument a sockaddr struct, which stores the packet's socket address; its fields are sa_family (a flag so we know which kind of address it stores) and an array of chars called sa_data, which is the address itself.

So, what I did was: every time sendto() was called, I would check the packet's address, and if it matched the IP I had passed to my own syscall, it would just ignore the packet.

But what I have noticed is that all packets sent from my computer are neither IPv4 nor IPv6 packets: as I "debugged" the syscall sendto() and made it print on the screen the sa_family field of every sent packet, I realized that all the packets' sa_family flags were, instead of AF_INET or AF_INET6 (IPv4 and IPv6), actually from the family AF_NETLINK or AF_PACKET, from which I can't extract the IP, meaning I can't block them, since I don't know if they're the ones I want to block!

I have done the same modification in the syscall connect(), and it worked: most of the connections made through connect() were given a sockaddr struct as an argument, and its sa_family flag was either AF_INET or AF_INET6, from which I could easily extract the IP and compare it with the one I had in my own structure, the one I wanted to block.

So, do you have any ideas about what I should do? As I've done some research, I realized AF_NETLINK and AF_PACKET mean the packets are only exchanging data between userspace and kernelspace, but clearly TCP/IP packets are being sent from my machine as well; where can I get their IP addresses?

Since it's an assignment, I can't just implement a syscall that goes like:

syscall ip_block(){ system("iptables etc. DROP"); }

since I was asked to filter these IPs using kernel programming...

Any thoughts or ideas?

Thanks in advance, and sorry if there are any language mistakes above; English is not my native language (Brazilian here).
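As an added example (not part of the post above, and not the asker's code), here is a userspace C model of the sa_family dispatch the asker applied in connect(): ip_block() stores the blocked address in binary form and should_block() decides, per sockaddr, whether the destination matches. make_v4() and make_v6() are hypothetical helpers that build the sockaddr a sendto() or connect() call would hand to the kernel. The example also handles the case an AF_INET-only check misses: an AF_INET6 socket can reach the same IPv4 host through the mapped address ::ffff:200.225.123.34, which would slip past a filter that only inspects sockaddr_in.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Userspace model of the check described in the post (added example, not
 * the asker's code): the blocked IPv4 address is kept in binary form, and
 * every destination sockaddr is dispatched on sa_family before comparing,
 * as a hooked connect()/sendto() would do with the sockaddr it copied in. */
static struct in_addr blocked_v4;
static bool have_blocked = false;

/* ip_block("200.225.123.34"): parse and store the address to block.
 * Returns false (and changes nothing) if the string is not a dotted quad. */
bool ip_block(const char *ip)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return false;
    blocked_v4 = a;
    have_blocked = true;
    return true;
}

/* Does this destination match the blocked address?
 *  AF_INET  : compare sin_addr.
 *  AF_INET6 : an IPv6 socket reaches an IPv4 host via ::ffff:a.b.c.d, so
 *             compare the low 4 bytes too; AF_INET-only filters miss this.
 *  anything else (AF_NETLINK, AF_PACKET, AF_UNIX, ...): not an IP
 *             destination, so there is no address in sa_data to compare. */
bool should_block(const struct sockaddr *sa, socklen_t len)
{
    if (!have_blocked || sa == NULL || len < sizeof(sa->sa_family))
        return false;

    switch (sa->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
        if (len < sizeof *sin)
            return false;
        return sin->sin_addr.s_addr == blocked_v4.s_addr;
    }
    case AF_INET6: {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
        struct in_addr v4;
        if (len < sizeof *sin6 || !IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
            return false;
        memcpy(&v4, &sin6->sin6_addr.s6_addr[12], sizeof v4);
        return v4.s_addr == blocked_v4.s_addr;
    }
    default:
        return false;
    }
}

/* Hypothetical helpers: build the sockaddr a sendto()/connect() call would
 * pass to the kernel, returning the length that goes with it. */
socklen_t make_v4(struct sockaddr_storage *ss, const char *ip, uint16_t port)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;
    memset(ss, 0, sizeof *ss);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    inet_pton(AF_INET, ip, &sin->sin_addr);
    return sizeof *sin;
}

socklen_t make_v6(struct sockaddr_storage *ss, const char *ip, uint16_t port)
{
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(port);
    inet_pton(AF_INET6, ip, &sin6->sin6_addr);
    return sizeof *sin6;
}

int main(void)
{
    struct sockaddr_storage ss;
    socklen_t len;
    ip_block("200.225.123.34");

    len = make_v4(&ss, "200.225.123.34", 80);
    printf("AF_INET  200.225.123.34        -> %s\n",
           should_block((struct sockaddr *)&ss, len) ? "DROP" : "pass");
    len = make_v6(&ss, "::ffff:200.225.123.34", 443);
    printf("AF_INET6 ::ffff:200.225.123.34 -> %s\n",
           should_block((struct sockaddr *)&ss, len) ? "DROP" : "pass");
    len = make_v6(&ss, "2001:db8::1", 443);
    printf("AF_INET6 2001:db8::1           -> %s\n",
           should_block((struct sockaddr *)&ss, len) ? "DROP" : "pass");

    /* A non-IP family, like the AF_NETLINK/AF_PACKET the post saw:
       sa_data carries no IP, so there is nothing to match. */
    memset(&ss, 0, sizeof ss);
    ss.ss_family = AF_UNIX;
    printf("AF_UNIX                        -> %s\n",
           should_block((struct sockaddr *)&ss, sizeof ss) ? "DROP" : "pass");
    return 0;
}
```

The same dispatch is what a hook inside connect() or sendto() would run on the sockaddr it copies in from user space. Two limits of hooking at the syscall layer are worth knowing: sendto() on a connected socket is called with a NULL address, and send()/write() never carry a sockaddr at all, so the destination is simply not visible there. The point where the kernel sees every outgoing packet together with its IPv4/IPv6 header, whatever syscall produced it, is the netfilter local-out hook (registered with nf_register_net_hook() at NF_INET_LOCAL_OUT), which is the layer iptables itself is built on.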