Modernize terminology
zluudg committed Jan 15, 2025
1 parent 5498a14 commit 9ae9a13
Showing 18 changed files with 283 additions and 283 deletions.
20 changes: 10 additions & 10 deletions README.md
Expand Up @@ -17,9 +17,9 @@ policy-related functions.
TAPIR-POP presents a single output with all conflicts resolved,
rather than feeding the resolver multiple sources of data from
which to look for policy guidance, where sources can even be conflicting
(eg. a domainname may be flagged by one source but whitelisted by another).
(eg. a domainname may be flagged by one source but allowlisted by another).

The result is smaller, as no whitelisting information is needed for the resolver.
The result is smaller, as no allowlisting information is needed for the resolver.

## TAPIR-POP supports a local policy configuration

Expand All @@ -29,9 +29,9 @@ design a suitable threat policy TAPIR-POP uses a number of concepts:

- __lists__: there are three types of lists of domain names:

- whitelists (names that must not be blocked)
- blacklists (names that must be blocked)
- greylists (names that should perhaps be blocked)
- allowlists (names that must not be blocked)
- denylists (names that must be blocked)
- doubtlists (names that should perhaps be blocked)

- __observations__: these are attributes of a suspicious domain name. In reality
whether a particular domain name should be blocked or not is not an
Expand All @@ -50,7 +50,7 @@ design a suitable threat policy TAPIR-POP uses a number of concepts:
- __MQTT__: DNS TAPIR Core Analyser sends out rapid updates for small numbers
of names via an MQTT message bus infrastructure.
- __DAWG__: Directed Acyclic Word Graphs are extremely compact data structures.
TEM is able to mmap very large lists in DAWG format which is used for large whitelists.
TEM is able to mmap very large lists in DAWG format which is used for large allowlists.
- __CSV Files__: Text files on local disk, either with just domain names, or in
CSV format are supported.
- __HTTPS__: To bootstrap an intelligence feed that only distributes deltas
Expand All @@ -64,12 +64,12 @@ design a suitable threat policy TAPIR-POP uses a number of concepts:

The resulting policy has the following structure (in order of precedence):

- no whitelisted name is ever included.
- no allowlisted name is ever included.
- blocklisted names are always included, together with a configurable
RPZ action.
- greylisted names that have particular tags that the resolver operator
- doubtlisted names that have particular tags that the resolver operator
chooses are included, together with a configurable RPZ action.
- the same greylisted name that appear in N distinct intelligence feeds
- the same doubtlisted name that appear in N distinct intelligence feeds
is included, where N is configureable, as is the RPZ action.
- a greylisted name that has M or more tags is included, where both
- a doubtlisted name that has M or more tags is included, where both
M and the action are configurable.
52 changes: 26 additions & 26 deletions apihandler.go
Expand Up @@ -265,49 +265,49 @@ func APIbootstrap(conf *Config) func(w http.ResponseWriter, r *http.Request) {
log.Printf("API: received /bootstrap request (cmd: %s) from %s.\n", bp.Command, r.RemoteAddr)

switch bp.Command {
case "greylist-status":
case "doubtlist-status":
me := conf.PopData.MqttEngine
stats := me.Stats()
// resp.MsgCounters = stats.MsgCounters
// resp.MsgTimeStamps = stats.MsgTimeStamps
resp.TopicData = stats
// log.Printf("API: greylist-status: msgs: %d last msg: %v", stats.MsgCounters[bp.ListName], stats.MsgTimeStamps[bp.ListName])
log.Printf("API: greylist-status: %v", stats)
// log.Printf("API: doubtlist-status: msgs: %d last msg: %v", stats.MsgCounters[bp.ListName], stats.MsgTimeStamps[bp.ListName])
log.Printf("API: doubtlist-status: %v", stats)

case "export-greylist":
case "export-doubtlist":
td := conf.PopData
td.mu.RLock()
defer td.mu.RUnlock()

greylist, ok := td.Lists["greylist"][bp.ListName]
doubtlist, ok := td.Lists["doubtlist"][bp.ListName]
if !ok {
resp.Error = true
resp.ErrorMsg = fmt.Sprintf("Greylist '%s' not found", bp.ListName)
resp.ErrorMsg = fmt.Sprintf("Doubtlist '%s' not found", bp.ListName)
return
}
log.Printf("Found %s greylist containing %d names", bp.ListName, len(greylist.Names))
log.Printf("Found %s doubtlist containing %d names", bp.ListName, len(doubtlist.Names))

switch bp.Encoding {
case "gob":
w.Header().Set("Content-Type", "application/octet-stream")
w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=greylist-%s.gob", bp.ListName))
w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=doubtlist-%s.gob", bp.ListName))

encoder := gob.NewEncoder(w)
err := encoder.Encode(greylist)
err := encoder.Encode(doubtlist)
if err != nil {
log.Printf("Error encoding greylist: %v", err)
log.Printf("Error encoding doubtlist: %v", err)
resp.Error = true
resp.ErrorMsg = err.Error()
return
}

// case "protobuf":
// w.Header().Set("Content-Type", "application/octet-stream")
// w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=greylist-%s.protobuf", bp.ListName))
// w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=doubtlist-%s.protobuf", bp.ListName))
//
// data, err := proto.Marshal(greylist)
// data, err := proto.Marshal(doubtlist)
// if err != nil {
// log.Printf("Error encoding greylist to protobuf: %v", err)
// log.Printf("Error encoding doubtlist to protobuf: %v", err)
// resp.Error = true
// resp.ErrorMsg = err.Error()
// return
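Review bot: The list-type key in `td.Lists["doubtlist"]` is a bare string literal that is repeated in configupdater.go (`pd.Lists["doubtlist"]`) and, as the `"doubtlist-status"`/`"export-doubtlist"` command names, matched here and sent from bootstrap.go; a missed or misspelled rename in any one of those places still compiles and only shows up at runtime as a `not found` response. Declaring each key once, e.g. `const listTypeDoubtlist = "doubtlist"` alongside the other list-type names, and using the constant on both the lookup and the request side lets the compiler enforce the rename. Separately, the read lock taken by `td.mu.RLock()` is still held (via the deferred `RUnlock`) while `encoder.Encode(w)` streams the list to the client, so a slow reader can hold it for the whole transfer; encoding into a buffer first, or releasing the lock before writing, would bound that. The enclosing `APIbootstrap` handler starts and ends outside this hunk.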
Expand All @@ -323,31 +323,31 @@ func APIbootstrap(conf *Config) func(w http.ResponseWriter, r *http.Request) {

// case "flatbuffer":
// w.Header().Set("Content-Type", "application/octet-stream")
// w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=greylist-%s.flatbuffer", bp.ListName))
// w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=doubtlist-%s.flatbuffer", bp.ListName))

// builder := flatbuffers.NewBuilder(0)
// names := make([]flatbuffers.UOffsetT, len(greylist.Names))
// names := make([]flatbuffers.UOffsetT, len(doubtlist.Names))

// i := 0
// for name := range greylist.Names {
// for name := range doubtlist.Names {
// nameOffset := builder.CreateString(name)
// tapir.NameStart(builder)
// tapir.NameAddName(builder, nameOffset)
// names[i] = tapir.NameEnd(builder)
// i++
// }

// tapir.GreylistStartNamesVector(builder, len(names))
// tapir.DoubtlistStartNamesVector(builder, len(names))
// for j := len(names) - 1; j >= 0; j-- {
// builder.PrependUOffsetT(names[j])
// }
// namesVector := builder.EndVector(len(names))

// tapir.GreylistStart(builder)
// tapir.GreylistAddNames(builder, namesVector)
// greylistOffset := tapir.GreylistEnd(builder)
// tapir.DoubtlistStart(builder)
// tapir.DoubtlistAddNames(builder, namesVector)
// doubtlistOffset := tapir.DoubtlistEnd(builder)

// builder.Finish(greylistOffset)
// builder.Finish(doubtlistOffset)
// buf := builder.FinishedBytes()

// _, err := w.Write(buf)
Expand Down Expand Up @@ -433,7 +433,7 @@ func APIdebug(conf *Config) func(w http.ResponseWriter, r *http.Request) {
case "reaper-stats":
log.Printf("TAPIR-POP debug reaper stats")
resp.ReaperStats = make(map[string]map[time.Time][]string)
for SrcName, list := range td.Lists["greylist"] {
for SrcName, list := range td.Lists["doubtlist"] {
resp.ReaperStats[SrcName] = make(map[time.Time][]string)
for ts, names := range list.ReaperData {
for name := range names {
Expand All @@ -442,8 +442,8 @@ func APIdebug(conf *Config) func(w http.ResponseWriter, r *http.Request) {
}
}

case "colourlists":
log.Printf("TAPIR-POP debug white/black/grey lists")
case "filterlists":
log.Printf("TAPIR-POP debug allow/deny/doubt lists")
resp.Lists = map[string]map[string]*tapir.WBGlist{}
for t, l := range td.Lists {
resp.Lists[t] = map[string]*tapir.WBGlist{}
Expand All @@ -469,8 +469,8 @@ func APIdebug(conf *Config) func(w http.ResponseWriter, r *http.Request) {
resp.Error = true
resp.ErrorMsg = err.Error()
}
resp.BlacklistedNames = td.BlacklistedNames
resp.GreylistedNames = td.GreylistedNames
resp.DenylistedNames = td.DenylistedNames
resp.DoubtlistedNames = td.DoubtlistedNames
for _, rpzn := range td.Rpz.Axfr.Data {
resp.RpzOutput = append(resp.RpzOutput, *rpzn)
}
22 changes: 11 additions & 11 deletions bootstrap.go
Expand Up @@ -70,7 +70,7 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) {
td.Logger.Printf("BootstrapMqttSource: MQTT bootstrap server %s uptime: %v. It has processed %d MQTT messages", server, uptime, 17)

status, buf, err := api.RequestNG(http.MethodPost, "/bootstrap", tapir.BootstrapPost{
Command: "greylist-status",
Command: "doubtlist-status",
ListName: src.Name,
Encoding: "json", // XXX: This is our default, but we'll test other encodings later
}, true)
Expand All @@ -88,11 +88,11 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) {
var br tapir.BootstrapResponse
err = json.Unmarshal(buf, &br)
if err != nil {
td.Logger.Printf("BootstrapMqttSource: Error decoding greylist-status response from %s: %v. Giving up.\n", server, err)
td.Logger.Printf("BootstrapMqttSource: Error decoding doubtlist-status response from %s: %v. Giving up.\n", server, err)
continue
}
if br.Error {
td.Logger.Printf("BootstrapMqttSource: Bootstrap server %s responded with error: %s (instead of greylist status)", server, br.ErrorMsg)
td.Logger.Printf("BootstrapMqttSource: Bootstrap server %s responded with error: %s (instead of doubtlist status)", server, br.ErrorMsg)
}
if len(br.Msg) != 0 {
td.Logger.Printf("BootstrapMqttSource: Bootstrap server %s responded: %s", server, br.Msg)
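Review bot: When the status reply carries `br.Error`, the `if br.Error {` branch only logs and then falls through to the export request, whereas the decode failure just above it does `continue` to the next server. If a server that reports an error should be skipped, add `continue` after that `td.Logger.Printf` line; if proceeding is deliberate, a one-line comment saying so would help, since the code after this hunk still reads `br.TopicData[src.Name]` from that same reply. The enclosing `BootstrapMqttSource` starts and ends outside this hunk.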
Expand All @@ -101,7 +101,7 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) {
td.Logger.Printf("BootstrapMqttSource: MQTT bootstrap server %s uptime: %v. It has processed %d MQTT messages on the %s topic (last sub msg arrived at %s), ", server, uptime, br.TopicData[src.Name].SubMsgs, src.Name, br.TopicData[src.Name].LatestSub.Format(tapir.TimeLayout))

status, buf, err = api.RequestNG(http.MethodPost, "/bootstrap", tapir.BootstrapPost{
Command: "export-greylist",
Command: "export-doubtlist",
ListName: src.Name,
Encoding: "gob", // XXX: This is our default, but we'll test other encodings later
}, true)
Expand All @@ -116,11 +116,11 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) {
continue
}

var greylist tapir.WBGlist
var doubtlist tapir.WBGlist
decoder := gob.NewDecoder(bytes.NewReader(buf))
err = decoder.Decode(&greylist)
err = decoder.Decode(&doubtlist)
if err != nil {
// fmt.Printf("Error decoding greylist data: %v\n", err)
// fmt.Printf("Error decoding doubtlist data: %v\n", err)
// If decoding the gob failed, perhaps we received a tapir.BootstrapResponse instead?
var br tapir.BootstrapResponse
err = json.Unmarshal(buf, &br)
Expand All @@ -139,17 +139,17 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) {
}

if td.Debug {
td.Logger.Printf("%v", greylist)
td.Logger.Printf("Names present in greylist %s:", src.Name)
td.Logger.Printf("%v", doubtlist)
td.Logger.Printf("Names present in doubtlist %s:", src.Name)
out := []string{"Name|Time added|TTL|Tags"}
for _, n := range greylist.Names {
for _, n := range doubtlist.Names {
out = append(out, fmt.Sprintf("%s|%v|%v|%v", n.Name, n.TimeAdded.Format(tapir.TimeLayout), n.TTL, n.TagMask))
}
td.Logger.Printf("%s", columnize.SimpleFormat(out))
}

// Successfully received and decoded bootstrap data
return &greylist, nil
return &doubtlist, nil
}

// If no bootstrap server succeeded
10 changes: 5 additions & 5 deletions config.go
Expand Up @@ -103,19 +103,19 @@ type SourceConf struct {
type PolicyConf struct {
Logfile string
// Logger *log.Logger
Whitelist struct {
Allowlist struct {
Action string `validate:"required"`
}
Blacklist struct {
Denylist struct {
Action string `validate:"required"`
}
Greylist GreylistConf
Doubtlist DoubtlistConf
}

type ListConf struct {
}

type GreylistConf struct {
type DoubtlistConf struct {
NumSources struct {
Limit int `validate:"required"`
Action string `validate:"required"`
Expand All @@ -124,7 +124,7 @@ type GreylistConf struct {
Limit int `validate:"required"`
Action string `validate:"required"`
}
BlackTapir struct {
DenyTapir struct {
Tags []string `validate:"required"`
Action string `validate:"required"`
}
4 changes: 2 additions & 2 deletions configupdater.go
Expand Up @@ -77,8 +77,8 @@ func (pd *PopData) ProcessTapirGlobalConfig(gconfig tapir.GlobalConfig) {
bootstrapUrl := gconfig.Bootstrap.BaseUrl
bootstrapKey := gconfig.Bootstrap.ApiToken

//for _, listtype := range []string{"whitelist", "blacklist", "greylist"} {
for _, wbgl := range pd.Lists["greylist"] {
//for _, listtype := range []string{"allowlist", "denylist", "doubtlist"} {
for _, wbgl := range pd.Lists["doubtlist"] {
if wbgl.Immutable || wbgl.Datasource != "mqtt" {
continue
}
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -3,7 +3,7 @@ module tapir-pop
go 1.22.0

require (
github.com/dnstapir/tapir v0.0.0-20241112185916-6aeac4bb8fcf
github.com/dnstapir/tapir v0.0.0-20250114144620-18cc0cdb5c33
github.com/go-playground/validator/v10 v10.24.0
github.com/google/uuid v1.6.0
github.com/gorilla/mux v1.8.1
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -8,6 +8,8 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etly
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/dnstapir/tapir v0.0.0-20241112185916-6aeac4bb8fcf h1:vu4ixsu/GKB0iC4iTRXa+Qo9hsOw85Q45MU1qYwT6vE=
github.com/dnstapir/tapir v0.0.0-20241112185916-6aeac4bb8fcf/go.mod h1:HawPZkAsNV3X7oAEXdGeL9bVlb6osfqyztqCn5EZyUs=
github.com/dnstapir/tapir v0.0.0-20250114144620-18cc0cdb5c33 h1:Lf+/NSB7DtzdR6NWHz801UCijHow97wwTpSBxptjB7M=
github.com/dnstapir/tapir v0.0.0-20250114144620-18cc0cdb5c33/go.mod h1:RO6+sbbg0euAnaMm1HTN+aFoyBvXXdxuZPBie5erN24=
github.com/eclipse/paho.golang v0.21.0 h1:cxxEReu+iFbA5RrHfRGxJOh8tXZKDywuehneoeBeyn8=
github.com/eclipse/paho.golang v0.21.0/go.mod h1:GHF6vy7SvDbDHBguaUpfuBkEB5G6j0zKxMG4gbh6QRQ=
github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
