From 9ae9a132c701e8b5808d9302482ce53a02a1fd6b Mon Sep 17 00:00:00 2001 From: Leon Fernandez Date: Wed, 15 Jan 2025 14:17:46 +0100 Subject: [PATCH] Modernize terminology --- README.md | 20 ++++---- apihandler.go | 52 ++++++++++---------- bootstrap.go | 22 ++++----- config.go | 10 ++-- configupdater.go | 4 +- go.mod | 2 +- go.sum | 2 + lists.go | 40 ++++++++-------- mqtt.go | 2 +- policy.go | 76 +++++++++++++++--------------- pop-outputs.sample.yaml | 4 +- pop-policy.sample.yaml | 12 ++--- pop-sources.sample.yaml | 46 +++++++++--------- reaper.go | 2 +- refreshengine.go | 54 ++++++++++----------- rpz.go | 100 +++++++++++++++++++-------------------- sources.go | 102 ++++++++++++++++++++-------------------- structs.go | 16 +++---- 18 files changed, 283 insertions(+), 283 deletions(-) diff --git a/README.md b/README.md index dc24de4..5f6367b 100644 --- a/README.md +++ b/README.md @@ -17,9 +17,9 @@ policy-related functions. TAPIR-POP presents a single output with all conflicts resolved, rather than feeding the resolver multiple sources of data from which to look for policy guidance, where sources can even be conflicting -(eg. a domainname may be flagged by one source but whitelisted by another). +(eg. a domainname may be flagged by one source but allowlisted by another). -The result is smaller, as no whitelisting information is needed for the resolver. +The result is smaller, as no allowlisting information is needed for the resolver. ## TAPIR-POP supports a local policy configuration @@ -29,9 +29,9 @@ design a suitable threat policy TAPIR-POP uses a number of concepts: - __lists__: there are three types of lists of domain names: - - whitelists (names that must not be blocked) - - blacklists (names that must be blocked) - - greylists (names that should perhaps be blocked) + - allowlists (names that must not be blocked) + - denylists (names that must be blocked) + - doubtlists (names that should perhaps be blocked) - __observations__: these are attributes of a suspicious domain name. In reality whether a particular domain name should be blocked or not is not an @@ -50,7 +50,7 @@ design a suitable threat policy TAPIR-POP uses a number of concepts: - __MQTT__: DNS TAPIR Core Analyser sends out rapid updates for small numbers of names via an MQTT message bus infrastructure. - __DAWG__: Directed Acyclic Word Graphs are extremely compact data structures. - TEM is able to mmap very large lists in DAWG format which is used for large whitelists. + TEM is able to mmap very large lists in DAWG format which is used for large allowlists. - __CSV Files__: Text files on local disk, either with just domain names, or in CSV format are supported. - __HTTPS__: To bootstrap an intelligence feed that only distributes deltas @@ -64,12 +64,12 @@ design a suitable threat policy TAPIR-POP uses a number of concepts: The resulting policy has the following structure (in order of precedence): -- no whitelisted name is ever included. +- no allowlisted name is ever included. - blocklisted names are always included, together with a configurable RPZ action. -- greylisted names that have particular tags that the resolver operator +- doubtlisted names that have particular tags that the resolver operator chooses are included, together with a configurable RPZ action. -- the same greylisted name that appear in N distinct intelligence feeds +- the same doubtlisted name that appear in N distinct intelligence feeds is included, where N is configureable, as is the RPZ action. -- a greylisted name that has M or more tags is included, where both +- a doubtlisted name that has M or more tags is included, where both M and the action are configurable. diff --git a/apihandler.go b/apihandler.go index 8db90ae..12fe754 100644 --- a/apihandler.go +++ b/apihandler.go @@ -265,37 +265,37 @@ func APIbootstrap(conf *Config) func(w http.ResponseWriter, r *http.Request) { log.Printf("API: received /bootstrap request (cmd: %s) from %s.\n", bp.Command, r.RemoteAddr) switch bp.Command { - case "greylist-status": + case "doubtlist-status": me := conf.PopData.MqttEngine stats := me.Stats() // resp.MsgCounters = stats.MsgCounters // resp.MsgTimeStamps = stats.MsgTimeStamps resp.TopicData = stats - // log.Printf("API: greylist-status: msgs: %d last msg: %v", stats.MsgCounters[bp.ListName], stats.MsgTimeStamps[bp.ListName]) - log.Printf("API: greylist-status: %v", stats) + // log.Printf("API: doubtlist-status: msgs: %d last msg: %v", stats.MsgCounters[bp.ListName], stats.MsgTimeStamps[bp.ListName]) + log.Printf("API: doubtlist-status: %v", stats) - case "export-greylist": + case "export-doubtlist": td := conf.PopData td.mu.RLock() defer td.mu.RUnlock() - greylist, ok := td.Lists["greylist"][bp.ListName] + doubtlist, ok := td.Lists["doubtlist"][bp.ListName] if !ok { resp.Error = true - resp.ErrorMsg = fmt.Sprintf("Greylist '%s' not found", bp.ListName) + resp.ErrorMsg = fmt.Sprintf("Doubtlist '%s' not found", bp.ListName) return } - log.Printf("Found %s greylist containing %d names", bp.ListName, len(greylist.Names)) + log.Printf("Found %s doubtlist containing %d names", bp.ListName, len(doubtlist.Names)) switch bp.Encoding { case "gob": w.Header().Set("Content-Type", "application/octet-stream") - w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=greylist-%s.gob", bp.ListName)) + w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=doubtlist-%s.gob", bp.ListName)) encoder := gob.NewEncoder(w) - err := encoder.Encode(greylist) + err := encoder.Encode(doubtlist) if err != nil { - log.Printf("Error encoding greylist: %v", err) + log.Printf("Error encoding doubtlist: %v", err) resp.Error = true resp.ErrorMsg = err.Error() return @@ -303,11 +303,11 @@ func APIbootstrap(conf *Config) func(w http.ResponseWriter, r *http.Request) { // case "protobuf": // w.Header().Set("Content-Type", "application/octet-stream") - // w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=greylist-%s.protobuf", bp.ListName)) + // w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=doubtlist-%s.protobuf", bp.ListName)) // - // data, err := proto.Marshal(greylist) + // data, err := proto.Marshal(doubtlist) // if err != nil { - // log.Printf("Error encoding greylist to protobuf: %v", err) + // log.Printf("Error encoding doubtlist to protobuf: %v", err) // resp.Error = true // resp.ErrorMsg = err.Error() // return @@ -323,13 +323,13 @@ func APIbootstrap(conf *Config) func(w http.ResponseWriter, r *http.Request) { // case "flatbuffer": // w.Header().Set("Content-Type", "application/octet-stream") - // w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=greylist-%s.flatbuffer", bp.ListName)) + // w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=doubtlist-%s.flatbuffer", bp.ListName)) // builder := flatbuffers.NewBuilder(0) - // names := make([]flatbuffers.UOffsetT, len(greylist.Names)) + // names := make([]flatbuffers.UOffsetT, len(doubtlist.Names)) // i := 0 - // for name := range greylist.Names { + // for name := range doubtlist.Names { // nameOffset := builder.CreateString(name) // tapir.NameStart(builder) // tapir.NameAddName(builder, nameOffset) @@ -337,17 +337,17 @@ func APIbootstrap(conf *Config) func(w http.ResponseWriter, r *http.Request) { // i++ // } - // tapir.GreylistStartNamesVector(builder, len(names)) + // tapir.DoubtlistStartNamesVector(builder, len(names)) // for j := len(names) - 1; j >= 0; j-- { // builder.PrependUOffsetT(names[j]) // } // namesVector := builder.EndVector(len(names)) - // tapir.GreylistStart(builder) - // tapir.GreylistAddNames(builder, namesVector) - // greylistOffset := tapir.GreylistEnd(builder) + // tapir.DoubtlistStart(builder) + // tapir.DoubtlistAddNames(builder, namesVector) + // doubtlistOffset := tapir.DoubtlistEnd(builder) - // builder.Finish(greylistOffset) + // builder.Finish(doubtlistOffset) // buf := builder.FinishedBytes() // _, err := w.Write(buf) @@ -433,7 +433,7 @@ func APIdebug(conf *Config) func(w http.ResponseWriter, r *http.Request) { case "reaper-stats": log.Printf("TAPIR-POP debug reaper stats") resp.ReaperStats = make(map[string]map[time.Time][]string) - for SrcName, list := range td.Lists["greylist"] { + for SrcName, list := range td.Lists["doubtlist"] { resp.ReaperStats[SrcName] = make(map[time.Time][]string) for ts, names := range list.ReaperData { for name := range names { @@ -442,8 +442,8 @@ func APIdebug(conf *Config) func(w http.ResponseWriter, r *http.Request) { } } - case "colourlists": - log.Printf("TAPIR-POP debug white/black/grey lists") + case "filterlists": + log.Printf("TAPIR-POP debug allow/deny/doubt lists") resp.Lists = map[string]map[string]*tapir.WBGlist{} for t, l := range td.Lists { resp.Lists[t] = map[string]*tapir.WBGlist{} @@ -469,8 +469,8 @@ func APIdebug(conf *Config) func(w http.ResponseWriter, r *http.Request) { resp.Error = true resp.ErrorMsg = err.Error() } - resp.BlacklistedNames = td.BlacklistedNames - resp.GreylistedNames = td.GreylistedNames + resp.DenylistedNames = td.DenylistedNames + resp.DoubtlistedNames = td.DoubtlistedNames for _, rpzn := range td.Rpz.Axfr.Data { resp.RpzOutput = append(resp.RpzOutput, *rpzn) } diff --git a/bootstrap.go b/bootstrap.go index 87d3247..ad71e93 100644 --- a/bootstrap.go +++ b/bootstrap.go @@ -70,7 +70,7 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) { td.Logger.Printf("BootstrapMqttSource: MQTT bootstrap server %s uptime: %v. It has processed %d MQTT messages", server, uptime, 17) status, buf, err := api.RequestNG(http.MethodPost, "/bootstrap", tapir.BootstrapPost{ - Command: "greylist-status", + Command: "doubtlist-status", ListName: src.Name, Encoding: "json", // XXX: This is our default, but we'll test other encodings later }, true) @@ -88,11 +88,11 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) { var br tapir.BootstrapResponse err = json.Unmarshal(buf, &br) if err != nil { - td.Logger.Printf("BootstrapMqttSource: Error decoding greylist-status response from %s: %v. Giving up.\n", server, err) + td.Logger.Printf("BootstrapMqttSource: Error decoding doubtlist-status response from %s: %v. Giving up.\n", server, err) continue } if br.Error { - td.Logger.Printf("BootstrapMqttSource: Bootstrap server %s responded with error: %s (instead of greylist status)", server, br.ErrorMsg) + td.Logger.Printf("BootstrapMqttSource: Bootstrap server %s responded with error: %s (instead of doubtlist status)", server, br.ErrorMsg) } if len(br.Msg) != 0 { td.Logger.Printf("BootstrapMqttSource: Bootstrap server %s responded: %s", server, br.Msg) @@ -101,7 +101,7 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) { td.Logger.Printf("BootstrapMqttSource: MQTT bootstrap server %s uptime: %v. It has processed %d MQTT messages on the %s topic (last sub msg arrived at %s), ", server, uptime, br.TopicData[src.Name].SubMsgs, src.Name, br.TopicData[src.Name].LatestSub.Format(tapir.TimeLayout)) status, buf, err = api.RequestNG(http.MethodPost, "/bootstrap", tapir.BootstrapPost{ - Command: "export-greylist", + Command: "export-doubtlist", ListName: src.Name, Encoding: "gob", // XXX: This is our default, but we'll test other encodings later }, true) @@ -116,11 +116,11 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) { continue } - var greylist tapir.WBGlist + var doubtlist tapir.WBGlist decoder := gob.NewDecoder(bytes.NewReader(buf)) - err = decoder.Decode(&greylist) + err = decoder.Decode(&doubtlist) if err != nil { - // fmt.Printf("Error decoding greylist data: %v\n", err) + // fmt.Printf("Error decoding doubtlist data: %v\n", err) // If decoding the gob failed, perhaps we received a tapir.BootstrapResponse instead? var br tapir.BootstrapResponse err = json.Unmarshal(buf, &br) @@ -139,17 +139,17 @@ func (td *PopData) BootstrapMqttSource(src SourceConf) (*tapir.WBGlist, error) { } if td.Debug { - td.Logger.Printf("%v", greylist) - td.Logger.Printf("Names present in greylist %s:", src.Name) + td.Logger.Printf("%v", doubtlist) + td.Logger.Printf("Names present in doubtlist %s:", src.Name) out := []string{"Name|Time added|TTL|Tags"} - for _, n := range greylist.Names { + for _, n := range doubtlist.Names { out = append(out, fmt.Sprintf("%s|%v|%v|%v", n.Name, n.TimeAdded.Format(tapir.TimeLayout), n.TTL, n.TagMask)) } td.Logger.Printf("%s", columnize.SimpleFormat(out)) } // Successfully received and decoded bootstrap data - return &greylist, nil + return &doubtlist, nil } // If no bootstrap server succeeded diff --git a/config.go b/config.go index ee1eaaf..5891ea5 100644 --- a/config.go +++ b/config.go @@ -103,19 +103,19 @@ type SourceConf struct { type PolicyConf struct { Logfile string // Logger *log.Logger - Whitelist struct { + Allowlist struct { Action string `validate:"required"` } - Blacklist struct { + Denylist struct { Action string `validate:"required"` } - Greylist GreylistConf + Doubtlist DoubtlistConf } type ListConf struct { } -type GreylistConf struct { +type DoubtlistConf struct { NumSources struct { Limit int `validate:"required"` Action string `validate:"required"` @@ -124,7 +124,7 @@ type GreylistConf struct { Limit int `validate:"required"` Action string `validate:"required"` } - BlackTapir struct { + DenyTapir struct { Tags []string `validate:"required"` Action string `validate:"required"` } diff --git a/configupdater.go b/configupdater.go index f41dad2..d871c37 100644 --- a/configupdater.go +++ b/configupdater.go @@ -77,8 +77,8 @@ func (pd *PopData) ProcessTapirGlobalConfig(gconfig tapir.GlobalConfig) { bootstrapUrl := gconfig.Bootstrap.BaseUrl bootstrapKey := gconfig.Bootstrap.ApiToken - //for _, listtype := range []string{"whitelist", "blacklist", "greylist"} { - for _, wbgl := range pd.Lists["greylist"] { + //for _, listtype := range []string{"allowlist", "denylist", "doubtlist"} { + for _, wbgl := range pd.Lists["doubtlist"] { if wbgl.Immutable || wbgl.Datasource != "mqtt" { continue } diff --git a/go.mod b/go.mod index 82784d2..ad2eaf4 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module tapir-pop go 1.22.0 require ( - github.com/dnstapir/tapir v0.0.0-20241112185916-6aeac4bb8fcf + github.com/dnstapir/tapir v0.0.0-20250114144620-18cc0cdb5c33 github.com/go-playground/validator/v10 v10.24.0 github.com/google/uuid v1.6.0 github.com/gorilla/mux v1.8.1 diff --git a/go.sum b/go.sum index 5971d2a..e0c647a 100644 --- a/go.sum +++ b/go.sum @@ -8,6 +8,8 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etly github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/dnstapir/tapir v0.0.0-20241112185916-6aeac4bb8fcf h1:vu4ixsu/GKB0iC4iTRXa+Qo9hsOw85Q45MU1qYwT6vE= github.com/dnstapir/tapir v0.0.0-20241112185916-6aeac4bb8fcf/go.mod h1:HawPZkAsNV3X7oAEXdGeL9bVlb6osfqyztqCn5EZyUs= +github.com/dnstapir/tapir v0.0.0-20250114144620-18cc0cdb5c33 h1:Lf+/NSB7DtzdR6NWHz801UCijHow97wwTpSBxptjB7M= +github.com/dnstapir/tapir v0.0.0-20250114144620-18cc0cdb5c33/go.mod h1:RO6+sbbg0euAnaMm1HTN+aFoyBvXXdxuZPBie5erN24= github.com/eclipse/paho.golang v0.21.0 h1:cxxEReu+iFbA5RrHfRGxJOh8tXZKDywuehneoeBeyn8= github.com/eclipse/paho.golang v0.21.0/go.mod h1:GHF6vy7SvDbDHBguaUpfuBkEB5G6j0zKxMG4gbh6QRQ= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= diff --git a/lists.go b/lists.go index 8c0b42c..c8f696b 100644 --- a/lists.go +++ b/lists.go @@ -12,19 +12,19 @@ import ( "github.com/dnstapir/tapir" ) -func (pd *PopData) Whitelisted(name string) bool { - for _, list := range pd.Lists["whitelist"] { +func (pd *PopData) Allowlisted(name string) bool { + for _, list := range pd.Lists["allowlist"] { switch list.Format { case "dawg": if tapir.GlobalCF.Debug { - pd.Logger.Printf("Whitelisted: DAWG: checking %s in whitelist %s", name, list.Name) + pd.Logger.Printf("Allowlisted: DAWG: checking %s in allowlist %s", name, list.Name) } if list.Dawgf.IndexOf(name) != -1 { return true } case "map": if tapir.GlobalCF.Debug { - pd.Logger.Printf("Whitelisted: MAP: checking %s in whitelist %s", name, list.Name) + pd.Logger.Printf("Allowlisted: MAP: checking %s in allowlist %s", name, list.Name) } if _, exists := list.Names[name]; exists { return true @@ -34,10 +34,10 @@ func (pd *PopData) Whitelisted(name string) bool { return false } -func (pd *PopData) Blacklisted(name string) bool { - for _, list := range pd.Lists["blacklist"] { +func (pd *PopData) Denylisted(name string) bool { + for _, list := range pd.Lists["denylist"] { if tapir.GlobalCF.Debug { - pd.Logger.Printf("Blacklisted: checking %s in blacklist %s", name, list.Name) + pd.Logger.Printf("Denylisted: checking %s in Denylist %s", name, list.Name) } switch list.Format { case "dawg": @@ -53,10 +53,10 @@ func (pd *PopData) Blacklisted(name string) bool { return false } -func (pd *PopData) Greylisted(name string) bool { - for _, list := range pd.Lists["greylist"] { +func (pd *PopData) Doubtlisted(name string) bool { + for _, list := range pd.Lists["doubtlist"] { if tapir.GlobalCF.Debug { - pd.Logger.Printf("Greylisted: checking %s in greylist %s", name, list.Name) + pd.Logger.Printf("Doubtlisted: checking %s in doubtlist %s", name, list.Name) } switch list.Format { case "map": @@ -66,29 +66,29 @@ func (pd *PopData) Greylisted(name string) bool { // case "trie": // return list.Trie.Search(name) != nil default: - log.Fatalf("Unknown greylist format %s", list.Format) + log.Fatalf("Unknown doubtlist format %s", list.Format) } } return false } -func (pd *PopData) GreylistingReport(name string) (bool, string) { +func (pd *PopData) DoubtlistingReport(name string) (bool, string) { var report string - // if len(pd.Greylists) == 0 { - if len(pd.Lists["greylist"]) == 0 { - return false, fmt.Sprintf("Domain name \"%s\" is not greylisted (there are no active greylists).\n", name) + // if len(pd.Doubtlists) == 0 { + if len(pd.Lists["doubtlist"]) == 0 { + return false, fmt.Sprintf("Domain name \"%s\" is not doubtlisted (there are no active doubtlists).\n", name) } - // for _, list := range pd.Greylists { - for _, list := range pd.Lists["greylist"] { - pd.Logger.Printf("Greylisted: checking %s in greylist %s", name, list.Name) - report += fmt.Sprintf("Domain name \"%s\" could be present in greylist %s\n", name, list.Name) + // for _, list := range pd.Doubtlists { + for _, list := range pd.Lists["doubtlist"] { + pd.Logger.Printf("Doubtlisted: checking %s in doubtlist %s", name, list.Name) + report += fmt.Sprintf("Domain name \"%s\" could be present in doubtlist %s\n", name, list.Name) } return false, report } -func (pd *PopData) GreylistAdd(name, policy, source string) (string, error) { +func (pd *PopData) DoubtlistAdd(name, policy, source string) (string, error) { msg := fmt.Sprintf("Domain name \"%s\" added to RPZ source %s with policy %s", name, source, policy) return msg, nil } diff --git a/mqtt.go b/mqtt.go index 8010d32..5c067ae 100644 --- a/mqtt.go +++ b/mqtt.go @@ -74,7 +74,7 @@ func (pd *PopData) ProcessTapirUpdate(tm tapir.TapirMsg) (bool, error) { pd.Logger.Printf("ProcessTapirUpdate: looking up list [%s][%s]", tm.ListType, tm.SrcName) switch tm.ListType { - case "whitelist", "greylist", "blacklist": + case "allowlist", "doubtlist", "denylist": wbgl, exists = pd.Lists[tm.ListType][tm.SrcName] default: pd.Logger.Printf("TapirUpdate for unknown listtype from source \"%s\" rejected.", tm.SrcName) diff --git a/policy.go b/policy.go index e1ab7a2..241e74b 100644 --- a/policy.go +++ b/policy.go @@ -21,7 +21,7 @@ type PopOutput struct { Active bool Name string Description string - Type string // listtype, usually "greylist" + Type string // listtype, usually "doubtlist" Format string // i.e. rpz, etc Downstream string } @@ -103,54 +103,54 @@ func (pd *PopData) ParseOutputs() error { return nil } -// Note: we onlygethere when we know that this name is only greylisted -// so no need tocheckfor white- or blacklisting -func (pd *PopData) ComputeRpzGreylistAction(name string) tapir.Action { +// Note: we onlygethere when we know that this name is only doubtlisted +// so no need tocheckfor allow- or denylisting +func (pd *PopData) ComputeRpzDoubtlistAction(name string) tapir.Action { - var greyHits = map[string]*tapir.TapirName{} - for listname, list := range pd.Lists["greylist"] { + var doubtHits = map[string]*tapir.TapirName{} + for listname, list := range pd.Lists["doubtlist"] { switch list.Format { case "map": if v, exists := list.Names[name]; exists { - // pd.Logger.Printf("ComputeRpzGreylistAction: found %s in greylist %s (%d names)", + // pd.Logger.Printf("ComputeRpzDoubtlistAction: found %s in doubtlist %s (%d names)", // name, listname, len(list.Names)) - greyHits[listname] = &v + doubtHits[listname] = &v } // case "trie": // if list.Trie.Search(name) != nil { - // greyHits = append(greyHits, v) + // doubtHits = append(doubtHits, v) // } default: - POPExiter("Unknown greylist format %s", list.Format) + POPExiter("Unknown doubtlist format %s", list.Format) } } - if len(greyHits) >= pd.Policy.Greylist.NumSources { - pd.Policy.Logger.Printf("ComputeRpzGreylistAction: name %s is in %d or more sources, action is %s", - name, pd.Policy.Greylist.NumSources, tapir.ActionToString[pd.Policy.Greylist.NumSourcesAction]) - return pd.Policy.Greylist.NumSourcesAction + if len(doubtHits) >= pd.Policy.Doubtlist.NumSources { + pd.Policy.Logger.Printf("ComputeRpzDoubtlistAction: name %s is in %d or more sources, action is %s", + name, pd.Policy.Doubtlist.NumSources, tapir.ActionToString[pd.Policy.Doubtlist.NumSourcesAction]) + return pd.Policy.Doubtlist.NumSourcesAction } - pd.Policy.Logger.Printf("ComputeRpzGreylistAction: name %s is in %d sources, not enough for action", name, len(greyHits)) - - if _, exists := greyHits["dns-tapir"]; exists { - numtapirtags := greyHits["dns-tapir"].TagMask.NumTags() - if numtapirtags >= pd.Policy.Greylist.NumTapirTags { - pd.Policy.Logger.Printf("ComputeRpzGreylistAction: name %s has more than %d tapir tags, action is %s", - name, pd.Policy.Greylist.NumTapirTags, tapir.ActionToString[pd.Policy.Greylist.NumTapirTagsAction]) - return pd.Policy.Greylist.NumTapirTagsAction + pd.Policy.Logger.Printf("ComputeRpzDoubtlistAction: name %s is in %d sources, not enough for action", name, len(doubtHits)) + + if _, exists := doubtHits["dns-tapir"]; exists { + numtapirtags := doubtHits["dns-tapir"].TagMask.NumTags() + if numtapirtags >= pd.Policy.Doubtlist.NumTapirTags { + pd.Policy.Logger.Printf("ComputeRpzDoubtlistAction: name %s has more than %d tapir tags, action is %s", + name, pd.Policy.Doubtlist.NumTapirTags, tapir.ActionToString[pd.Policy.Doubtlist.NumTapirTagsAction]) + return pd.Policy.Doubtlist.NumTapirTagsAction } - pd.Policy.Logger.Printf("ComputeRpzGreylistAction: name %s has %d tapir tags, not enough for action", name, numtapirtags) + pd.Policy.Logger.Printf("ComputeRpzDoubtlistAction: name %s has %d tapir tags, not enough for action", name, numtapirtags) } - pd.Policy.Logger.Printf("ComputeRpzGreylistAction: name %s is present in %d greylists, but does not trigger any action", - name, len(greyHits)) - return pd.Policy.WhitelistAction + pd.Policy.Logger.Printf("ComputeRpzDoubtlistAction: name %s is present in %d doubtlists, but does not trigger any action", + name, len(doubtHits)) + return pd.Policy.AllowlistAction } -// Decision to block a greylisted name: +// Decision to block a doubtlisted name: // 1. More than N tags present // 2. Name is present in more than M sources // 3. Name -func ApplyGreyPolicy(name string, v *tapir.TapirName) string { +func ApplyDoubtPolicy(name string, v *tapir.TapirName) string { var rpzaction string if v.HasAction(tapir.NXDOMAIN) { rpzaction = "." @@ -167,21 +167,21 @@ func ApplyGreyPolicy(name string, v *tapir.TapirName) string { } func (pd *PopData) ComputeRpzAction(name string) tapir.Action { - if pd.Whitelisted(name) { + if pd.Allowlisted(name) { if pd.Debug { - pd.Policy.Logger.Printf("ComputeRpzAction: name %s is whitelisted, action is %s", name, tapir.ActionToString[pd.Policy.WhitelistAction]) + pd.Policy.Logger.Printf("ComputeRpzAction: name %s is doubtlisted, action is %s", name, tapir.ActionToString[pd.Policy.AllowlistAction]) } - return pd.Policy.WhitelistAction - } else if pd.Blacklisted(name) { + return pd.Policy.AllowlistAction + } else if pd.Denylisted(name) { if pd.Debug { - pd.Policy.Logger.Printf("ComputeRpzAction: name %s is blacklisted, action is %s", name, tapir.ActionToString[pd.Policy.BlacklistAction]) + pd.Policy.Logger.Printf("ComputeRpzAction: name %s is denylisted, action is %s", name, tapir.ActionToString[pd.Policy.DenylistAction]) } - return pd.Policy.BlacklistAction - } else if pd.Greylisted(name) { + return pd.Policy.DenylistAction + } else if pd.Doubtlisted(name) { if pd.Debug { - pd.Policy.Logger.Printf("ComputeRpzAction: name %s is greylisted, needs further evaluation to determine action", name) + pd.Policy.Logger.Printf("ComputeRpzAction: name %s is doubtlisted, needs further evaluation to determine action", name) } - return pd.ComputeRpzGreylistAction(name) // This is not complete, only a placeholder for now. + return pd.ComputeRpzDoubtlistAction(name) // This is not complete, only a placeholder for now. } - return tapir.WHITELIST + return tapir.ALLOWLIST } diff --git a/pop-outputs.sample.yaml b/pop-outputs.sample.yaml index d5aea63..34a0f76 100644 --- a/pop-outputs.sample.yaml +++ b/pop-outputs.sample.yaml @@ -9,7 +9,7 @@ outputs: active: false name: dns-tapir-out description: "local mqtt reflector" - type: greylist + type: doubtlist source: mqtt format: tapir-mqtt-1 @@ -17,7 +17,7 @@ outputs: active: false name: dns-tapir-bootstrapper description: "Updated bootstrap feed for the DNS TAPIR MQTT stream" - type: greylist + type: doubtlist source: http url: http://127.0.0.1:5678/tapir/v1/bootstrap diff --git a/pop-policy.sample.yaml b/pop-policy.sample.yaml index 3e57d42..1d55843 100644 --- a/pop-policy.sample.yaml +++ b/pop-policy.sample.yaml @@ -1,20 +1,20 @@ # manually maintained -# policies ONLY affect GREYLISTED sources. whitelisted and blacklisted +# policies ONLY affect DOUBTLISTED sources. allowlisted and denylisted # sources go stright into (or not) the resulting RPZ # known actions: passthru, drop, nxdomain, nodata, tapir, police policy: - whitelist: + allowlist: action: PASSTHRU - blacklist: - action: NODATA # present in any blacklist->action - greylist: + denylist: + action: NODATA # present in any denylist->action + doubtlist: numsources: # present in more than limit sources->action limit: 3 action: NXDOMAIN numtapirtags: # more than limit tags->action limit: 4 action: DROP - blacktapir: # any of these->action + denytapir: # any of these->action tags: [ likelymalware, badip ] action: REDIRECT diff --git a/pop-sources.sample.yaml b/pop-sources.sample.yaml index 749135a..dfa7ee5 100644 --- a/pop-sources.sample.yaml +++ b/pop-sources.sample.yaml @@ -1,11 +1,11 @@ # manually maintained sources: - active: [ tapir, rpz2, black_as_sin, white_and_shiny, localwhitelist ] + active: [ tapir, rpz2, sinful, shiny, localallowlist ] tapir: name: dns-tapir # must have EXACTLY this name! description: DNS TAPIR main intelligence feed - type: greylist + type: doubtlist source: mqtt bootstrap: [ 77.72.231.135:5454, 77.72.230.61 ] # www.axfr.net+nsb bootstrapurl: https://%s/api/v1 @@ -13,7 +13,7 @@ sources: rpztfc: name: rpz.threat-feed.com description: Commercial RPZ feed from threat-feed.com - type: greylist + type: doubtlist source: xfr zone: rpz.threat-feed.com upstream: nsa.johani.org:53 @@ -21,54 +21,52 @@ sources: rpz2: name: rpz.axfr.net description: Test RPZ feed from axfr.net - type: greylist + type: doubtlist source: xfr zone: rpz.axfr.net upstream: nsa.johani.org:53 format: rpz - black_as_sin: + sinful: name: bas - description: "Locally maintained blacklisted domain names" - type: blacklist + description: "Locally maintained denylisted domain names" + type: denylist source: file # format: dawg -# filename: /var/tmp/dnstapir/black-as-sin.dawg +# filename: /var/tmp/dnstapir/sinful.dawg format: domains - filename: /var/tmp/dnstapir/black-as-sin.txt - white_and_shiny: + filename: /var/tmp/dnstapir/sinful.txt + shiny: name: was - description: "Locally maintained whitelisted domain names" - type: whitelist + description: "Locally maintained allowlisted domain names" + type: allowlist source: file -# format: dawg -# filename: /var/tmp/dnstapir/black-as-sin.dawg format: domains - filename: /var/tmp/dnstapir/white-and-shiny.txt - localwhitelist: - name: local-whitelist - description: "Locally maintained whitelisted domain names" - type: whitelist + filename: /var/tmp/dnstapir/shiny.txt + localallowlist: + name: local-allowlist + description: "Locally maintained allowlisted domain names" + type: allowlist source: file format: dawg # domains | dawg filename: /var/tmp/dnstapir/well-known-domains.dawg wellknowndomains: name: wkdlist - description: "External list of 10M whitelisted domain names" - type: whitelist + description: "External list of 10M allowlisted domain names" + type: allowlist source: http format: csv # domains | dawg | csv url: https://www.domcop.com/files/top outfile: /var/tmp/dnstapir/well-known-domains.new.dawg inactive_source: name: - type: greylist + type: doubtlist format: rpz zone: rpz.zone source: xfr upstream: 10.1.2.3:53 tsig: ... - black_1: - type: blacklist + deny_1: + type: denylist format: rpz zone: rpz.zone source: xfr diff --git a/reaper.go b/reaper.go index 5597fd0..197f7f8 100644 --- a/reaper.go +++ b/reaper.go @@ -21,7 +21,7 @@ func (pd *PopData) Reaper(full bool) error { // tpkg := tapir.MqttPkgIn{} tm := tapir.TapirMsg{} pd.Logger.Printf("Reaper: working on time slot %s across all lists", timekey.Format(tapir.TimeLayout)) - for _, listtype := range []string{"whitelist", "greylist", "blacklist"} { + for _, listtype := range []string{"allowlist", "doubtlist", "denylist"} { for listname, wbgl := range pd.Lists[listtype] { // This loop is here to ensure that we don't have any old data in the ReaperData bucket // that has already passed its time slot. diff --git a/refreshengine.go b/refreshengine.go index dc15d16..8d4752e 100644 --- a/refreshengine.go +++ b/refreshengine.go @@ -345,31 +345,31 @@ func (pd *PopData) RefreshEngine(conf *Config, stopch chan struct{}) { case "RPZ-ADD": log.Printf("RefreshEngine: recieved an RPZ ADD command: %s (policy %s)", cmd.Domain, cmd.Policy) - if pd.Whitelisted(cmd.Domain) { + if pd.Allowlisted(cmd.Domain) { resp.Error = true - resp.ErrorMsg = fmt.Sprintf("Domain name \"%s\" is whitelisted. No change.", + resp.ErrorMsg = fmt.Sprintf("Domain name \"%s\" is allowlisted. No change.", cmd.Domain) cmd.Result <- resp continue } - if pd.Blacklisted(cmd.Domain) { + if pd.Denylisted(cmd.Domain) { resp.Error = true - resp.ErrorMsg = fmt.Sprintf("Domain name \"%s\" is already blacklisted. No change.", + resp.ErrorMsg = fmt.Sprintf("Domain name \"%s\" is already denylisted. No change.", cmd.Domain) cmd.Result <- resp continue } - // if the name isn't either whitelisted or blacklisted - if cmd.ListType == "greylist" { - _, err := pd.GreylistAdd(cmd.Domain, cmd.Policy, cmd.RpzSource) + // if the name isn't either allowlisted or denylisted + if cmd.ListType == "doubtlist" { + _, err := pd.DoubtlistAdd(cmd.Domain, cmd.Policy, cmd.RpzSource) if err != nil { resp.Error = true - resp.ErrorMsg = fmt.Sprintf("Error adding domain name \"%s\" to greylisting DB: %v", cmd.Domain, err) + resp.ErrorMsg = fmt.Sprintf("Error adding domain name \"%s\" to doubtlisting DB: %v", cmd.Domain, err) } else { - resp.Msg = fmt.Sprintf("Domain name \"%s\" (policy %s) added to greylisting DB.", + resp.Msg = fmt.Sprintf("Domain name \"%s\" (policy %s) added to doubtlisting DB.", cmd.Domain, cmd.Policy) } cmd.Result <- resp @@ -385,48 +385,48 @@ func (pd *PopData) RefreshEngine(conf *Config, stopch chan struct{}) { case "RPZ-LOOKUP": log.Printf("RefreshEngine: recieved an RPZ LOOKUP command: %s", cmd.Domain) var msg string - if pd.Whitelisted(cmd.Domain) { - resp.Msg = fmt.Sprintf("Domain name \"%s\" is whitelisted.", cmd.Domain) + if pd.Allowlisted(cmd.Domain) { + resp.Msg = fmt.Sprintf("Domain name \"%s\" is allowlisted.", cmd.Domain) cmd.Result <- resp continue } - msg += fmt.Sprintf("Domain name \"%s\" is not whitelisted.\n", cmd.Domain) + msg += fmt.Sprintf("Domain name \"%s\" is not allowlisted.\n", cmd.Domain) - if pd.Blacklisted(cmd.Domain) { - resp.Msg = fmt.Sprintf("Domain name \"%s\" is blacklisted.", cmd.Domain) + if pd.Denylisted(cmd.Domain) { + resp.Msg = fmt.Sprintf("Domain name \"%s\" is denylisted.", cmd.Domain) cmd.Result <- resp continue } - msg += fmt.Sprintf("Domain name \"%s\" is not blacklisted.\n", cmd.Domain) + msg += fmt.Sprintf("Domain name \"%s\" is not denylisted.\n", cmd.Domain) - // if the name isn't either whitelisted or blacklisted: go though all greylists - _, greymsg := pd.GreylistingReport(cmd.Domain) - resp.Msg = msg + greymsg + // if the name isn't either allowlisted or denylisted: go though all doubtlists + _, doubtmsg := pd.DoubtlistingReport(cmd.Domain) + resp.Msg = msg + doubtmsg cmd.Result <- resp continue case "RPZ-LIST-SOURCES": log.Printf("RefreshEngine: recieved an RPZ LIST-SOURCES command") list := []string{} - // for _, wl := range pd.Whitelists { - for _, wl := range pd.Lists["whitelist"] { + // for _, wl := range pd.Allowlists { + for _, wl := range pd.Lists["allowlist"] { list = append(list, wl.Name) } - resp.Msg += fmt.Sprintf("Whitelist srcs: %s\n", strings.Join(list, ", ")) + resp.Msg += fmt.Sprintf("Allowlist srcs: %s\n", strings.Join(list, ", ")) list = []string{} - // for _, bl := range pd.Blacklists { - for _, bl := range pd.Lists["blacklist"] { + // for _, bl := range pd.Denylists { + for _, bl := range pd.Lists["denylist"] { list = append(list, bl.Name) } - resp.Msg += fmt.Sprintf("Blacklist srcs: %s\n", strings.Join(list, ", ")) + resp.Msg += fmt.Sprintf("denylist srcs: %s\n", strings.Join(list, ", ")) list = []string{} - // for _, gl := range pd.Greylists { - for _, gl := range pd.Lists["greylist"] { + // for _, gl := range pd.Doubtlists { + for _, gl := range pd.Lists["doubtlist"] { list = append(list, gl.Name) } - resp.Msg += fmt.Sprintf("Greylist srcs: %s\n", strings.Join(list, ", ")) + resp.Msg += fmt.Sprintf("Doubtlist srcs: %s\n", strings.Join(list, ", ")) cmd.Result <- resp default: diff --git a/rpz.go b/rpz.go index f3f507e..b159b98 100644 --- a/rpz.go +++ b/rpz.go @@ -14,87 +14,87 @@ import ( // Generate the RPZ output based on the currently loaded sources. // The output is a tapir.ZoneData, but with only the RRs (i.e. a []dns.RR) populated. // Output should consist of: -// 1. Walk all blacklists: -// a) remove any whitelisted names +// 1. Walk all denylists: +// a) remove any allowlisted names // b) rest goes straight into output -// 2. Walk all greylists: -// a) remove any already blacklisted name -// b) remove any whitelisted name -// c) collect complete grey data on each name -// d) evalutate the grey data to make a decision on inclusion or not +// 2. Walk all doubtlists: +// a) remove any already denylisted name +// b) remove any allowlisted name +// c) collect complete doubt data on each name +// d) evalutate the doubt data to make a decision on inclusion or not // 3. When all names that should be in the output have been collected: // a) iterate through the list generating dns.RR and put them in a []dns.RR // b) add a header SOA+NS func (pd *PopData) GenerateRpzAxfr() error { - var black = make(map[string]bool, 10000) - var grey = make(map[string]*tapir.TapirName, 10000) + var deny = make(map[string]bool, 10000) + var doubt = make(map[string]*tapir.TapirName, 10000) - for bname, blist := range pd.Lists["blacklist"] { - pd.Logger.Printf("---> GenerateRpzAxfr: working on blacklist %s (%d names)", + for bname, blist := range pd.Lists["denylist"] { + pd.Logger.Printf("---> GenerateRpzAxfr: working on denylist %s (%d names)", bname, len(blist.Names)) switch blist.Format { case "dawg": - pd.Logger.Printf("Cannot list DAWG lists. Ignoring blacklist %s.", bname) + pd.Logger.Printf("Cannot list DAWG lists. Ignoring denylist %s.", bname) case "map": for k := range blist.Names { // if tapir.GlobalCF.Debug { - // pd.Logger.Printf("Adding name %s from blacklist %s to tentative output.", + // pd.Logger.Printf("Adding name %s from denylist %s to tentative output.", // k, bname) // } - // if pd.Whitelisted(k) { - // pd.Logger.Printf("Blacklisted name %s is also whitelisted. Dropped from output.", k) + // if pd.Allowlisted(k) { + // pd.Logger.Printf("Denylisted name %s is also allowlisted. Dropped from output.", k) // } else { - // pd.Logger.Printf("Blacklisted name %s is not whitelisted. Added to output.", k) - black[k] = true + // pd.Logger.Printf("Denylisted name %s is not allowlisted. Added to output.", k) + deny[k] = true // } } } } - pd.BlacklistedNames = black - pd.Logger.Printf("GenRpzAxfr: There are a total of %d blacklisted names in the sources", len(black)) + pd.DenylistedNames = deny + pd.Logger.Printf("GenRpzAxfr: There are a total of %d Denylisted names in the sources", len(deny)) - for gname, glist := range pd.Lists["greylist"] { - pd.Logger.Printf("---> GenRpzAxfr: working on greylist %s (%d names)", + for gname, glist := range pd.Lists["doubtlist"] { + pd.Logger.Printf("---> GenRpzAxfr: working on doubtlist %s (%d names)", gname, len(glist.Names)) switch glist.Format { case "map": for k, v := range glist.Names { - // pd.Logger.Printf("Adding name %s from greylist %s to tentative output.", k, gname) - if _, exists := pd.BlacklistedNames[k]; exists { - // pd.Logger.Printf("Greylisted name %s is also blacklisted. No need to add twice.", k) - } else if pd.Whitelisted(k) { - // pd.Logger.Printf("Greylisted name %s is also whitelisted. Dropped from output.", k) + // pd.Logger.Printf("Adding name %s from doubtlist %s to tentative output.", k, gname) + if _, exists := pd.DenylistedNames[k]; exists { + // pd.Logger.Printf("Doubtlisted name %s is also denylisted. No need to add twice.", k) + } else if pd.Allowlisted(k) { + // pd.Logger.Printf("Doubtlisted name %s is also allowlisted. Dropped from output.", k) } else { - // pd.Logger.Printf("Greylisted name %s is not whitelisted. Evalutate inclusion in output.", k) + // pd.Logger.Printf("Doubtlisted name %s is not allowlisted. Evalutate inclusion in output.", k) action := pd.ComputeRpzAction(k) - if action == tapir.WHITELIST { - // pd.Logger.Printf("Greylisted name %s is not included in output.", k) + if action == tapir.ALLOWLIST { + // pd.Logger.Printf("Doubtlisted name %s is not included in output.", k) } else { - // pd.Logger.Printf("Greylisted name %s is included in output.", k) + // pd.Logger.Printf("Doubtlisted name %s is included in output.", k) - if _, exists := grey[k]; exists { - // pd.Logger.Printf("Grey name %s already in output. Combining tags and actions.", k) - tmp := grey[k] - tmp.TagMask = grey[k].TagMask | v.TagMask + if _, exists := doubt[k]; exists { + // pd.Logger.Printf("Doubt name %s already in output. Combining tags and actions.", k) + tmp := doubt[k] + tmp.TagMask = doubt[k].TagMask | v.TagMask tmp.Action = tmp.Action | v.Action - grey[k] = tmp + doubt[k] = tmp } else { - grey[k] = &v + doubt[k] = &v } } } } default: - pd.Logger.Printf("*** Error: Greylist %s has unknown format \"%s\".", gname, glist.Format) + pd.Logger.Printf("*** Error: Doubtlist %s has unknown format \"%s\".", gname, glist.Format) } } - pd.GreylistedNames = grey - pd.Logger.Printf("GenRpzAxfr: There are a total of %d greylisted names in the sources", len(grey)) + pd.DoubtlistedNames = doubt + pd.Logger.Printf("GenRpzAxfr: There are a total of %d doubtlisted names in the sources", len(doubt)) // newaxfrdata := []*tapir.RpzName{} // pd.Rpz.RpzMap = map[string]*tapir.RpzName{} - for name := range pd.BlacklistedNames { + for name := range pd.DenylistedNames { cname := new(dns.CNAME) cname.Hdr = dns.RR_Header{ Name: name + pd.Rpz.ZoneName, @@ -102,13 +102,13 @@ func (pd *PopData) GenerateRpzAxfr() error { Class: dns.ClassINET, Ttl: 3600, } - cname.Target = tapir.ActionToCNAMETarget[pd.Policy.BlacklistAction] + cname.Target = tapir.ActionToCNAMETarget[pd.Policy.DenylistAction] rr := dns.RR(cname) rpzn := tapir.RpzName{ Name: name, RR: &rr, - Action: pd.Policy.BlacklistAction, + Action: pd.Policy.DenylistAction, } // newaxfrdata = append(newaxfrdata, &rpzn) // pd.Rpz.RpzMap[nname+pd.Rpz.ZoneName] = &rpzn @@ -117,8 +117,8 @@ func (pd *PopData) GenerateRpzAxfr() error { pd.mu.Unlock() } - for name, v := range pd.GreylistedNames { - rpzaction := ApplyGreyPolicy(name, v) + for name, v := range pd.DoubtlistedNames { + rpzaction := ApplyDoubtPolicy(name, v) if rpzaction != "" { cname := new(dns.CNAME) @@ -135,7 +135,7 @@ func (pd *PopData) GenerateRpzAxfr() error { rpzn := tapir.RpzName{ Name: name, RR: &rr, - Action: pd.Policy.BlacklistAction, // XXX: naa + Action: pd.Policy.DenylistAction, // XXX: naa } // newaxfrdata = append(newaxfrdata, &rpzn) // pd.Rpz.RpzMap[name+pd.Rpz.ZoneName] = &rpzn @@ -197,7 +197,7 @@ func (pd *PopData) GenerateRpzIxfr(data *tapir.TapirMsg) (RpzIxfr, error) { } removeData = append(removeData, cur) - if newAction != tapir.WHITELIST { + if newAction != tapir.ALLOWLIST { cname := new(dns.CNAME) cname.Hdr = dns.RR_Header{ Name: tn.Name + pd.Rpz.ZoneName, @@ -234,10 +234,10 @@ func (pd *PopData) GenerateRpzIxfr(data *tapir.TapirMsg) (RpzIxfr, error) { addtorpz = false newAction := pd.ComputeRpzAction(tn.Name) if cur, exist := pd.Rpz.Axfr.Data[tn.Name]; exist { - if newAction == tapir.WHITELIST { + if newAction == tapir.ALLOWLIST { // delete from rpz if pd.Debug { - pd.Policy.Logger.Printf("GenRpzIxfr[ADD]: name %s already exists in rpz, new action is WHITELIST: -->DELETE", tn.Name) + pd.Policy.Logger.Printf("GenRpzIxfr[ADD]: name %s already exists in rpz, new action is ALLOWLIST: -->DELETE", tn.Name) } removeData = append(removeData, cur) } else { @@ -254,10 +254,10 @@ func (pd *PopData) GenerateRpzIxfr(data *tapir.TapirMsg) (RpzIxfr, error) { } } else { // name doesn't exist in current rpz, what is the action? - if newAction != tapir.WHITELIST { + if newAction != tapir.ALLOWLIST { // add it if pd.Debug { - pd.Policy.Logger.Printf("GenRpzIxfr[ADD]: name %s NOT present in rpz, newaction(%s) != WHITELIST: -->ADD", + pd.Policy.Logger.Printf("GenRpzIxfr[ADD]: name %s NOT present in rpz, newaction(%s) != ALLOWLIST: -->ADD", tn.Name, tapir.ActionToString[newAction]) } addtorpz = true diff --git a/sources.go b/sources.go index e3ac56f..432465a 100644 --- a/sources.go +++ b/sources.go @@ -48,9 +48,9 @@ func NewPopData(conf *Config, lg *log.Logger) (*PopData, error) { Debug: viper.GetBool("log.debug"), } - pd.Lists["whitelist"] = make(map[string]*tapir.WBGlist, 3) - pd.Lists["greylist"] = make(map[string]*tapir.WBGlist, 3) - pd.Lists["blacklist"] = make(map[string]*tapir.WBGlist, 3) + pd.Lists["allowlist"] = make(map[string]*tapir.WBGlist, 3) + pd.Lists["doubtlist"] = make(map[string]*tapir.WBGlist, 3) + pd.Lists["denylist"] = make(map[string]*tapir.WBGlist, 3) pd.Downstreams = map[string]RpzDownstream{} pd.DownstreamSerials = map[string]uint32{} @@ -68,42 +68,42 @@ func NewPopData(conf *Config, lg *log.Logger) (*PopData, error) { } pd.Policy.Logger = conf.Loggers.Policy - pd.Policy.WhitelistAction, err = tapir.StringToAction(viper.GetString("policy.whitelist.action")) + pd.Policy.AllowlistAction, err = tapir.StringToAction(viper.GetString("policy.allowlist.action")) if err != nil { - POPExiter("Error parsing whitelist policy: %v", err) + POPExiter("Error parsing allowlist policy: %v", err) } - pd.Policy.BlacklistAction, err = tapir.StringToAction(viper.GetString("policy.blacklist.action")) + pd.Policy.DenylistAction, err = tapir.StringToAction(viper.GetString("policy.denylist.action")) if err != nil { - POPExiter("Error parsing blacklist policy: %v", err) + POPExiter("Error parsing denylist policy: %v", err) } - pd.Policy.Greylist.NumSources = viper.GetInt("policy.greylist.numsources.limit") - if pd.Policy.Greylist.NumSources == 0 { + pd.Policy.Doubtlist.NumSources = viper.GetInt("policy.doubtlist.numsources.limit") + if pd.Policy.Doubtlist.NumSources == 0 { //nolint:typecheck - POPExiter("Error parsing policy: greylist.numsources.limit cannot be 0") + POPExiter("Error parsing policy: doubtlist.numsources.limit cannot be 0") } - pd.Policy.Greylist.NumSourcesAction, err = - tapir.StringToAction(viper.GetString("policy.greylist.numsources.action")) + pd.Policy.Doubtlist.NumSourcesAction, err = + tapir.StringToAction(viper.GetString("policy.doubtlist.numsources.action")) if err != nil { POPExiter("Error parsing policy: %v", err) } - pd.Policy.Greylist.NumTapirTags = viper.GetInt("policy.greylist.numtapirtags.limit") - if pd.Policy.Greylist.NumTapirTags == 0 { - POPExiter("Error parsing policy: greylist.numtapirtags.limit cannot be 0") + pd.Policy.Doubtlist.NumTapirTags = viper.GetInt("policy.doubtlist.numtapirtags.limit") + if pd.Policy.Doubtlist.NumTapirTags == 0 { + POPExiter("Error parsing policy: doubtlist.numtapirtags.limit cannot be 0") } - pd.Policy.Greylist.NumTapirTagsAction, err = - tapir.StringToAction(viper.GetString("policy.greylist.numtapirtags.action")) + pd.Policy.Doubtlist.NumTapirTagsAction, err = + tapir.StringToAction(viper.GetString("policy.doubtlist.numtapirtags.action")) if err != nil { POPExiter("Error parsing policy: %v", err) } - tmp := viper.GetStringSlice("policy.greylist.blacktapir.tags") - pd.Policy.Greylist.BlackTapirTags, err = tapir.StringsToTagMask(tmp) + tmp := viper.GetStringSlice("policy.doubtlist.denytapir.tags") + pd.Policy.Doubtlist.DenyTapirTags, err = tapir.StringsToTagMask(tmp) if err != nil { POPExiter("Error parsing policy: %v", err) } - pd.Policy.Greylist.BlackTapirAction, err = - tapir.StringToAction(viper.GetString("policy.greylist.blacktapir.action")) + pd.Policy.Doubtlist.DenyTapirAction, err = + tapir.StringToAction(viper.GetString("policy.doubtlist.denytapir.action")) if err != nil { POPExiter("Error parsing policy: %v", err) } @@ -131,22 +131,22 @@ func (pd *PopData) ParseSourcesNG() error { // } pd.mu.Lock() - pd.Lists["whitelist"]["white_catchall"] = + pd.Lists["allowlist"]["allow_catchall"] = &tapir.WBGlist{ - Name: "white_catchall", - Description: "Whitelist consisting of white names found in black- or greylist sources", - Type: "whitelist", + Name: "allow_catchall", + Description: "Allowlist consisting of allow names found in deny- or doubtlist sources", + Type: "allowlist", SrcFormat: "none", Format: "map", Datasource: "Data misplaced in other sources", Names: map[string]tapir.TapirName{}, ReaperData: map[time.Time]map[string]bool{}, } - pd.Lists["greylist"]["grey_catchall"] = + pd.Lists["doubtlist"]["doubt_catchall"] = &tapir.WBGlist{ - Name: "grey_catchall", - Description: "Greylist consisting of grey names found in whitelist sources", - Type: "greylist", + Name: "doubt_catchall", + Description: "Doubtlist consisting of doubt names found in allowlist sources", + Type: "doubtlist", SrcFormat: "none", Format: "map", Datasource: "Data misplaced in other sources", @@ -232,8 +232,8 @@ func (pd *PopData) ParseSourcesNG() error { } } pd.mu.Lock() - pd.Lists["greylist"][newsource.Name] = &newsource - pd.Logger.Printf("Created list [greylist][%s]", newsource.Name) + pd.Lists["doubtlist"][newsource.Name] = &newsource + pd.Logger.Printf("Created list [doubtlist][%s]", newsource.Name) pd.mu.Unlock() pd.Logger.Printf("*** MQTT sources are only managed via RefreshEngine.") rptchan <- name @@ -315,8 +315,8 @@ func (pd *PopData) ParseLocalFile(sourceid string, s *tapir.WBGlist, rpt chan st } case "dawg": - if s.Type != "whitelist" { - POPExiter("Error: source %s (file %s): DAWG is only defined for whitelists.", + if s.Type != "allowlist" { + POPExiter("Error: source %s (file %s): DAWG is only defined for allowlists.", sourceid, s.Filename) } pd.Logger.Printf("ParseLocalFile: loading DAWG: %s", s.Filename) @@ -381,11 +381,11 @@ func (pd *PopData) ParseRpzFeed(sourceid string, s *tapir.WBGlist, rpt chan stri // Parse the CNAME (in the shape of a dns.RR) that is found in the RPZ and sort the data into the // appropriate list in PopData. Note that there are two special cases: -// 1. If a "whitelist" RPZ source has a rule with an action other than "rpz-passthru." then that rule doesn't -// really belong in a "whitelist" source. So we take that rule an put it in the grey_catchall bucket instead. -// 2. If a "{grey|black}list" RPZ source has a rule with an "rpz-passthru." (i.e. whitelist) action then that -// rule doesn't really belong in a "{grey|black}list" source. So we take that rule an put it in the -// white_catchall bucket instead. +// 1. If a "allowlist" RPZ source has a rule with an action other than "rpz-passthru." then that rule doesn't +// really belong in a "allowlist" source. So we take that rule an put it in the doubt_catchall bucket instead. +// 2. If a "{doubt|deny}list" RPZ source has a rule with an "rpz-passthru." (i.e. allowlist) action then that +// rule doesn't really belong in a "{doubt|deny}list" source. So we take that rule an put it in the +// allow_catchall bucket instead. func (pd *PopData) RpzParseFuncFactory(s *tapir.WBGlist) func(*dns.RR, *tapir.ZoneData) bool { return func(rr *dns.RR, zd *tapir.ZoneData) bool { var action tapir.Action @@ -406,7 +406,7 @@ func (pd *PopData) RpzParseFuncFactory(s *tapir.WBGlist) func(*dns.RR, *tapir.Zo case "rpz-drop.": action = tapir.DROP case "rpz-passthru.": - action = tapir.WHITELIST + action = tapir.ALLOWLIST default: pd.Logger.Printf("UNKNOWN RPZ action: \"%s\" (src: %s)", (*rr).(*dns.CNAME).Target, s.Name) action = tapir.UnknownAction @@ -416,38 +416,38 @@ func (pd *PopData) RpzParseFuncFactory(s *tapir.WBGlist) func(*dns.RR, *tapir.Zo name, action) } switch s.Type { - case "whitelist": - if action == tapir.WHITELIST { + case "allowlist": + if action == tapir.ALLOWLIST { s.Names[name] = tapir.TapirName{Name: name} // drop all other actions } else { - pd.Logger.Printf("Warning: whitelist RPZ source %s has blacklisted name: %s", + pd.Logger.Printf("Warning: allowlist RPZ source %s has denylisted name: %s", s.RpzZoneName, name) pd.mu.Lock() - pd.Lists["greylist"]["grey_catchall"].Names[name] = + pd.Lists["doubtlist"]["doubt_catchall"].Names[name] = tapir.TapirName{ Name: name, Action: action, } // drop all other actions pd.mu.Unlock() } - case "blacklist": - if action != tapir.WHITELIST { + case "denylist": + if action != tapir.ALLOWLIST { s.Names[name] = tapir.TapirName{Name: name, Action: action} } else { - pd.Logger.Printf("Warning: blacklist RPZ source %s has whitelisted name: %s", + pd.Logger.Printf("Warning: denylist RPZ source %s has allowlisted name: %s", s.RpzZoneName, name) pd.mu.Lock() - pd.Lists["whitelist"]["white_catchall"].Names[name] = tapir.TapirName{Name: name} + pd.Lists["allowlist"]["allow_catchall"].Names[name] = tapir.TapirName{Name: name} pd.mu.Unlock() } - case "greylist": - if action != tapir.WHITELIST { + case "doubtlist": + if action != tapir.ALLOWLIST { s.Names[name] = tapir.TapirName{Name: name, Action: action} } else { - pd.Logger.Printf("Warning: greylist RPZ source %s has whitelisted name: %s", + pd.Logger.Printf("Warning: doubtlist RPZ source %s has allowlisted name: %s", s.RpzZoneName, name) pd.mu.Lock() - pd.Lists["whitelist"]["white_catchall"].Names[name] = tapir.TapirName{Name: name} + pd.Lists["allowlist"]["allow_catchall"].Names[name] = tapir.TapirName{Name: name} pd.mu.Unlock() } } diff --git a/structs.go b/structs.go index 5656dcf..391b1b2 100644 --- a/structs.go +++ b/structs.go @@ -25,8 +25,8 @@ type PopData struct { ComponentStatusCh chan tapir.ComponentStatusUpdate Logger *log.Logger MqttLogger *log.Logger - BlacklistedNames map[string]bool - GreylistedNames map[string]*tapir.TapirName + DenylistedNames map[string]bool + DoubtlistedNames map[string]*tapir.TapirName Policy PopPolicy Rpz RpzData RpzSources map[string]*tapir.ZoneData @@ -71,18 +71,18 @@ type RpzAxfr struct { type PopPolicy struct { Logger *log.Logger - WhitelistAction tapir.Action - BlacklistAction tapir.Action - Greylist GreylistPolicy + AllowlistAction tapir.Action + DenylistAction tapir.Action + Doubtlist DoubtlistPolicy } -type GreylistPolicy struct { +type DoubtlistPolicy struct { NumSources int NumSourcesAction tapir.Action NumTapirTags int NumTapirTagsAction tapir.Action - BlackTapirTags tapir.TagMask - BlackTapirAction tapir.Action + DenyTapirTags tapir.TagMask + DenyTapirAction tapir.Action } // type WBGC map[string]*tapir.WBGlist