Kernel Korner - Network Programming in the Kernel

Take a tour of the kernel's networking functionality by writing a network client that runs in kernel space.
FTP Commands

Here is a list of a few the FTP commands we used. Because our program provides only a basic implementation of the protocol, we discuss only the relevant commands:

  • The client sends a USER <username>\r\n command to the server to begin the authentication process.

  • To send the password, the client uses PASS password\r\n'.

  • In some cases, the client sends a PORT command to inform the server of its preferred port for data transfer. In such cases, the client sends PORT <a1,a2,a3,a4,p1,p2>\r\n. The RFC for FTP requires that the a1–a4 constitute the 32-bit IP address of the client, and p1–p2 constitute the 16-bit port number. For example, if the client's IP address is and it chooses port 12001 for data transfer, the client sends PORT 10,10,1,2,46,225.

  • Some FTP clients request, by default, that data be transferred in binary format, while others explicitly ask the server to enable data transfer in binary mode. Such clients send a TYPE I\r\n command to the server to request this.

Figure 2 is a diagram that shows a few FTP commands and their responses from the server.

Figure 2. The client issues FTP commands over the control connection to set up the file transfer.

Socket Programming in the Kernel

Writing programs in the kernel is different from doing the same in user space.

We explain a few issues concerned with writing a network application in the kernel. Refer to Greg Kroah-Hartman's article “Things You Never Should Do in the Kernel” (see the on-line Resources). First, let's examine how a system call in user space completes its task. For example, look at the socket() system call:

sockfd = socket(AF_INET,SOCK_STREAM,0);

When a program executes a system call, it traps into the kernel via an interrupt and hands over control to the kernel. Among other things, the kernel performs various tasks, such as saving contents of registers, making changes to address space boundaries and checking for errors with system call parameters. Eventually, the sys_socket() function in the kernel is responsible for creating the socket of specified address and family type, finding an unused file descriptor and returning this number back to user space. Browsing through the kernel's code we can trace the path followed by this function (Figure 3).

Figure 3. Behind the scenes of a system call: when user space executes socket(), the kernel does necessary housekeeping and then returns a new file descriptor.

Design of an FTP Client

We now explain the design and implementation of a kernel FTP client. Please follow through the code available at the Linux Journal FTP site (see Resources) as you read through the article. The main functionality of this client is written in the form of a kernel module that adds a system call dynamically that user-space programs can invoke to start the FTP client process. The module allows only the root user to read a file using FTP. The user-space program that calls the system call in this module should be used with extreme caution. For example, it is easy to imagine the catastrophic results when root runs:

./a.out foo_file /dev/hda1/*

and overwrites /dev/hda1 with a downloaded file from

Exporting sys_call_table

We first need to configure the Linux kernel to allow us to add new system calls via a kernel module dynamically. Starting with version 2.6, the symbol sys_call_table is no longer exported by the kernel. For our module to be able to add a system call dynamically, we need to add the following lines to arch/i386/kernel/i386_ksyms.c in the kernel source (assuming you are using a Pentium-class machine):

extern void *sys_call_table;

After recompiling the kernel and booting the machine into it, we are all set to run the FTP client. Refer to the Kernel Rebuild HOWTO (see Resources) for details on compiling a kernel.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Fail to create dynamic system call

Kunsheng's picture

Hi everyone,

Has anyone tried this code themselves? I failed to insert that system call dynamically (but succeeded to compile and insmod the module).

I am wondering if anyone know what's going on there.

PS: I am using Linux 2.6.29 in Ubuntu.

Thanks in advance,


kernel raw sockets

Anonymous's picture

I am new to linux kernel development. so if any mistakes you find, pls
frgive it and correct me.

I wanted to send raw packets through ethernet, from kernel level.
So i use PF_PACKET family. & SOCK_RAW.And i used sock_create()
function to create socket.
But I found that when i create socket with
sock_create(PF_PACKET,SOCK_RAW,.....) the program always fails in
bind. (when i do sock->ops->bind(.....))
why is it so ? but when I use PF_INET & SOCK_PACKET to create socket.
bind happens successfully.
Can any one help me to come out of this issue?? OR direct me to create
raw packets and send from kernel??

thanks in advance

create_address doesn't exist

Derek's picture

The function create_address doesn't exist in my kernel header (2.6.17). Where should I get the definition?


It's true.Create_address is

Prafulla's picture

It's true.Create_address is not in Kernel Header.
Has anyone found how to get it?
Please reply

insmod 'ing the module

Nathan's picture

In your example you don't actually use insmod after building the module, does that mean its not necessary? If not then how does the userland program see the system call. If so then do you know why it insmod'ing it would freeze my system? Cause it does. I did fiddle with the code a bit, mostly stripped it down to just connect, send a message, and close.


Problem was redefining the

Nathan's picture

Problem was redefining the system call. Seems linux doesn't appreciate it none too much and freezes. I've read its not really done anymore anyway.