rbbcc 0.10.0 → 0.11.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6550ee287fe7fb0e1e51112ed55345e2f7b314e9d581b8f28a166eec6f4542aa
-  data.tar.gz: 9c826257aa21ad3ba3862eb7324683db36f9081d02b45b61a5c189ecb24f8836
+  metadata.gz: 1c5cbecb6f86bc56c109433915be6daea255c5578145372e7fef05e643c74f22
+  data.tar.gz: 73b4dcb08ed7882ffd905f44b3662e1f26fbc7075b9e832c29f44701304b1826
 SHA512:
-  metadata.gz: 50cb035a4d0db91343599437ef2183b9a60eb138ee156ee406f2dd505e9725f8289f7ebdc6c6e04a07264d3eb6095a7a1c8b09a6b509840e6af03b767c38179d
-  data.tar.gz: bc64019b6a2aa9d3be9c255e9f49c15f6313984e504b910306eff4ad7c410d478b5b106d24dd6ae489848c23e7ae274537d8b38fd59773e0a2f14518e601610f
+  metadata.gz: ce916936932a3a0bb00bf28b3bd67d55b2d2068e0d4d05308296d472306db0ffae3dd495a441189fdcfe0db0c29705a389f31781f0e3971f1ef349b1d0eb4a1f
+  data.tar.gz: 15da5d9cd65ec31dd5a3fd1b3b87ce76edf4c40805f2cb800bbb5178300ec003975aea1bff084e740a1a8820a8137701692c861188bd9b85cbd31a971caf5535

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.10.0)
+    rbbcc (0.11.0.pre)
       fiddle
 
 GEM
@@ -23,6 +23,7 @@ GEM
 PLATFORMS
   aarch64-linux
   arm64-darwin-21
+  arm64-darwin-24
   arm64-darwin-25
 
 DEPENDENCIES

data/examples/dns_blocker.rb

@@ -0,0 +1,133 @@
+#!/usr/bin/env ruby
+#
+# dns_blocker.rb  Block DNS queries for a specified domain using TC/eBPF.
+#
+# Uses TC clsact qdisc and attaches a SCHED_CLS BPF program to the
+# egress path.  Because pyroute2 is unavailable in Ruby, the BPF
+# program is pinned to /sys/fs/bpf and attached via the `tc` shell
+# command.
+#
+# Usage (must be run as root):
+#   ruby dns_blocker.rb -i eth0 -d ruby-lang.org
+#
+
+require 'rbbcc'
+require 'optparse'
+
+include RbBCC
+
+def domain_to_payload_check_code(domain)
+  # Convert a domain name to DNS wire format (length-prefixed labels)
+  # For example, "example.com" becomes "\\x07example\\x03com\\x00"
+  dns_expression = domain.split('.').map { |label| "#{label.length.chr}#{label}" }.join + "\x00"
+  c_check_code = dns_expression.chars.map.with_index { |c, i| "payload[offset+#{i}] == #{c.ord}" }.join(" &&\n  ")
+  c_check_code
+end
+
+BPF_TEXT = ->(domain) {
+  <<~CLANG
+  // Some Hack :(
+  #define BPF_LOAD_ACQ -1
+  #define BPF_STORE_REL -2
+
+  #include <uapi/linux/bpf.h>
+  #include <uapi/linux/pkt_cls.h>
+  #include <linux/if_ether.h>
+  #include <linux/ip.h>
+  #include <linux/udp.h>
+
+  int block_dns(struct __sk_buff *skb) {
+      void *data     = (void *)(long)skb->data;
+      void *data_end = (void *)(long)skb->data_end;
+
+      // Ethernet header check
+      struct ethhdr *eth = data;
+      if ((void *)(eth + 1) > data_end) return TC_ACT_OK;
+      if (eth->h_proto != bpf_htons(ETH_P_IP)) return TC_ACT_OK;
+
+      // IP header check
+      struct iphdr *ip = (void *)(eth + 1);
+      if ((void *)(ip + 1) > data_end) return TC_ACT_OK;
+      if (ip->protocol != IPPROTO_UDP) return TC_ACT_OK;
+
+      // UDP header check
+      struct udphdr *udp = (void *)ip + (ip->ihl * 4);
+      if ((void *)(udp + 1) > data_end) return TC_ACT_OK;
+
+      // Only care about port 53 (DNS) egress queries
+      if (udp->dest != bpf_htons(53)) return TC_ACT_OK;
+
+      // DNS payload boundary check: DNS header (12 bytes) + "example.com" wire format (13 bytes)
+      unsigned char *payload = (unsigned char *)(udp + 1);
+      if ((void *)(payload + 12 + 13) > data_end) return TC_ACT_OK;
+
+      // "example.com" in DNS wire format: \\x07example\\x03com\\x00
+      int offset = 12;
+      if (#{domain_to_payload_check_code(domain)}) {
+          bpf_trace_printk("Blocked DNS query for #{domain}\\n");
+          return TC_ACT_SHOT;
+      }
+
+      return TC_ACT_OK;
+  }
+  CLANG
+  }
+
+PIN_PATH = "/sys/fs/bpf/dns_blocker_prog"
+
+def setup_tc(interface)
+  # Run idempotently
+  system("sudo tc qdisc add dev #{interface} clsact 2>/dev/null")
+end
+
+def attach_tc(interface)
+  system(
+    "sudo `tc filter add dev #{interface} egress" +
+    " bpf pinned #{PIN_PATH} da",
+    exception: true
+  )
+end
+
+def cleanup_tc(interface)
+  system("sudo tc qdisc del dev #{interface} clsact", exception: true)
+  File.unlink(PIN_PATH) if File.exist?(PIN_PATH)
+end
+
+options = {domain: "example.com"}
+OptionParser.new { |opts|
+  opts.banner = "Usage: #{$0} -i INTERFACE"
+  opts.on("-i", "--interface IFACE", "Network interface to monitor (e.g. eth0)") do |v|
+    options[:interface] = v
+  end
+  opts.on("-d", "--domain DOMAIN", "Domain to block (default: example.com)") do |v|
+    options[:domain] = v
+  end
+}.parse!
+
+iface = options[:interface] || abort("Error: Interface name is required")
+
+# Clean up any leftover state from a previous run
+cleanup_tc(iface)
+
+puts "[*] Compiling BPF program..."
+b = BCC.new(text: BPF_TEXT.call(options[:domain]))
+fn = b.load_func("block_dns", BPF::SCHED_CLS)
+
+# Pin the loaded BPF program so that `tc` can reference it by path
+puts "[*] Pinning BPF program to #{PIN_PATH} ..."
+BCC.pin!(fn, PIN_PATH)
+
+# Set up clsact qdisc and attach the pinned program to egress
+puts "[*] Attaching TC filter to #{iface} (egress) ..."
+setup_tc(iface)
+attach_tc(iface)
+
+puts "[*] Blocking DNS queries for #{options[:domain]} on #{iface}. Press Ctrl+C to stop."
+begin
+  b.trace_print
+rescue Interrupt
+  puts "\n[*] Shutting down..."
+ensure
+  cleanup_tc(iface)
+  puts "[*] Cleanup done."
+end

data/lib/rbbcc/bcc.rb

@@ -180,7 +180,7 @@ module RbBCC
         end
         orig_name = c.inspect
         c.define_singleton_method :inspect do
-          orig_name.sub /(?=>$)/, " original_desc=#{desc.inspect}" rescue super
+          orig_name.sub(/(?=>$)/, " original_desc=#{desc.inspect}") rescue super
         end
         c
       end
@@ -218,6 +218,23 @@ module RbBCC
         fn[:sock] = sock
         fn
       end
+
+      #: (Integer | Hash[Symbol, untyped] fd, String path) -> String
+      def pin!(fd, path)
+        fd = fd[:fd] if fd.is_a?(Hash)
+        unless fd.is_a?(Integer) && fd >= 0
+          raise ArgumentError, "fd must exist and be a non-negative Integer"
+        end
+        unless path.is_a?(String) && !path.empty?
+          raise ArgumentError, "path must be a non-empty String"
+        end
+
+        res = Clib.bpf_obj_pin(fd, path)
+        if res < 0
+          raise SystemCallError.new("Failed to pin BPF object to %s" % path, Fiddle.last_error)
+        end
+        path
+      end
     end
 
     def initialize(text: "", src_file: nil, hdr_file: nil, debug: 0, cflags: [], usdt_contexts: [], allow_rlimit: 0, dev_name: nil)
@@ -279,7 +296,6 @@ module RbBCC
 
     def gen_args_from_usdt
       ptr = Clib.bcc_usdt_genargs(@usdt_contexts.map(&:context).pack('J*'), @usdt_contexts.size)
-      code = ""
       if !ptr || ptr.null?
         return nil
       end

data/lib/rbbcc/clib.rb

@@ -192,6 +192,7 @@ module RbBCC
 
     extern 'int bpf_open_raw_sock(const char *name)'
     extern 'int bpf_attach_socket(int sockfd, int progfd)'
+    extern 'int bpf_obj_pin(int fd, const char *pathname)'
   end
 end
 

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.10.0"
+  VERSION = "0.11.0.pre"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0.pre
 platform: ruby
 authors:
 - Uchio Kondo
@@ -84,6 +84,7 @@ files:
 - examples/collectsyscall.rb
 - examples/dddos.rb
 - examples/disksnoop.rb
+- examples/dns_blocker.rb
 - examples/example.gif
 - examples/extract_arg.rb
 - examples/hello_fields.rb
@@ -141,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 3.6.9
 specification_version: 4
 summary: BCC port for MRI
 test_files: []