Hi everyone,

I want to be able to tell if the endpoint of a UDP or TCP connection is actually on the same machine. Using the Linux Security Module, I'm able to check the destination IP of all outgoing traffic, but I'm not sure how to get a machine's IP from inside the kernel (to compare with the destination IP) . Does anyone know how to do this?

I'm not sure exactly what you mean, but if the connection is to the destination computer, it is a 'loopback' (assuming the same interface on the same system) and the destination IP will show up as an IP starting with '127'. To get the IP addresses of the network interfaces on your machine, type 'ifconfig'. If you have more than one interface and only want to see the IP address of one of your interfaces type 'ifconfig eth0' where 'eth0' is the name of the card. Could also be 'eth1' or 'wlan0' and so on and so forth depending upon your distro and hardware. Hope that helps!

Thanks for your input, but I think I was unclear with what I'm trying to do.

I'm trying to write a kernel module that blocks certain kinds of IPC's between processes. One of those IPC's I wish to block are TCP/UDP connections that are actually local (the source and destination addresses actually refer to the EXACT same machine). I could check for an IP starting with 127, but I also want to be able to catch the case where the client fills in my machine's ACTUAL IP address (ie: it sets the address field to 123.123.123.123 instead of 127.0.0.1). This is the reason I want to be able to find the IP address(es) of a machine. And I need to be able to do this from a kernel module . Any ideas?

Or, alternatively, does anyone know HOW ifconfig does its job? I tried using strace on it but I'm too much of a newbie to see what structures and key functions the system calls access to get the information.

Does the machine have more than one NIC. You can disable loopback without writing a module IIRC. I'm not sure that it will block requests to the real IP from the same machine, you could always block incoming connections from 'localhost' on your firewall.

the output of netstat should tell you this.

This sounds like the sort of thing you'd use iptables for; I just don't know if iptables rules can be applied to loopback traffic as well.

yeah it can be seen through netstat.

The problem is I can't use netstat to get this information IN the kernel itself. I'm coding inside the linux kernel. I really don't want to call a fork and execve to get netstat running to get the information I want :S.

Netstat must have some way of asking the kernel for the information...I want to know how it's doing this :S. I've tried using strace and looking through the system calls it does but I can't pinpoint exactly where the local IP address(es) are found . I need to know where in the kernel code the lookup of a machine's IP address is done (and what data structures it uses). Does anyone know where INSIDE the linux kernel code this is done?

And yes, the machine does have more than one NIC . Actually, blocking requests to the real IP from the same machine is EXACTLY my problem. I need to know given this destination address, is it mine?

First of all I would suggest you report this thread for closure (see the "Report" button) and after it's closed open a thread in either the kernel or Programming forum for this topic (and link back to it). Not only are those more appropriate fora but creating a new thread "the right way" should rid you of any userland-related answers and focus on in-kernel work.

Asserting a packet came in from the wire first (socket buffer), and Linux being efficient, it'll cache info where it can. So I think you're looking for the (RIB/FIB) route caches (of which stuff is exported to /proc for userland reading). How SKBs work says that in sk_buff you have dst_entry (packet route). So searching LXR for "struct dst_entry" could be a start else maybe the "protocol independent destination cache definitions" from include/net/dst.h. Stuff related to route caches should probably have something like "rt_cache", "rt_dst" or alike anyway, or else terms like "cache lookup" or "routing table" (yielding anything in include/net/) could be interesting (to you that is ;-p).