ConfigFile change to allowlist and blocklist (#1375)

* ConfigFile change to allowlist and blocklist * revised names and warnings * consistent file naming in kebab case, and generic use of blocklist and allowlist in cmoments for clarity * update ci files Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2020-06-26 22:18:30 +01:00 · 2020-06-26 22:18:30 +01:00 · b089d49d25
parent 19c0c3f7db
commit b089d49d25
10 changed files with 104 additions and 56 deletions
--- a/.ci/allowed-names.txt
+++ b/.ci/allowed-names.txt
--- a/.ci/ip-blacklist.txt
+++ b/.ci/ip-blacklist.txt
--- a/.ci/blocked-names.txt
+++ b/.ci/blocked-names.txt
@ -1,5 +1,5 @@
 ##################
-# Test blacklist #
+# Test blocklist #
 ##################

 ad.*
--- a/.ci/ci-test.sh
+++ b/.ci/ci-test.sh
@ -20,7 +20,7 @@ section() {
    true
 }

-rm -f blocked.log ip-blocked.log query.log nx.log whitelisted.log
+rm -f blocked-names.log blocked-ips.log query.log nx.log allowed-names.log

 t || (
    cd ../dnscrypt-proxy
@ -94,14 +94,14 @@ kill $(cat /tmp/dnscrypt-proxy.pidfile)
 sleep 5

 section
-t || grep -Fq 'telemetry.example' blocked.log || fail
-t || grep -Fq 'telemetry.*' blocked.log || fail
-t || grep -Fq 'tracker.xdebian.org' blocked.log || fail
-t || grep -Fq 'tracker.*' blocked.log || fail
+t || grep -Fq 'telemetry.example' blocked-names.log || fail
+t || grep -Fq 'telemetry.*' blocked-names.log || fail
+t || grep -Fq 'tracker.xdebian.org' blocked-names.log || fail
+t || grep -Fq 'tracker.*' blocked-names.log || fail

 section
-t || grep -Fq 'dns.google' ip-blocked.log || fail
-t || grep -Fq '8.8.8.8' ip-blocked.log || fail
+t || grep -Fq 'dns.google' blocked-ips.log || fail
+t || grep -Fq '8.8.8.8' blocked-ips.log || fail

 section
 t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
@ -127,8 +127,8 @@ t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail
 t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail

 section
-t || grep -Fq 'tracker.debian.org' whitelisted.log || fail
-t || grep -Fq '*.tracker.debian' whitelisted.log || fail
+t || grep -Fq 'tracker.debian.org' allowed-names.log || fail
+t || grep -Fq '*.tracker.debian' allowed-names.log || fail

 if [ -s error.log ]; then
    cat *.log
--- a/.ci/test2-dnscrypt-proxy.toml
+++ b/.ci/test2-dnscrypt-proxy.toml
@ -23,17 +23,17 @@ file = 'query.log'
 [nx_log]
 file = 'nx.log'

-[blacklist]
-blacklist_file = 'blacklist.txt'
-log_file = 'blocked.log'
+[blocked_names]
+blocked_names_file = 'blocked-names.txt'
+log_file = 'blocked-names.log'

-[ip_blacklist]
-blacklist_file = 'ip-blacklist.txt'
-log_file = 'ip-blocked.log'
+[blocked_ips]
+blocked_ips_file = 'blocked-ips.txt'
+log_file = 'blocked-ips.log'

-[whitelist]
-whitelist_file = 'whitelist.txt'
-log_file = 'whitelisted.log'
+[allowed_names]
+allowed_names_file = 'allowed-names.txt'
+log_file = 'allowed-names.log'

 [schedules]

--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@ -61,9 +61,12 @@ type Config struct {
 	CloakTTL                 uint32                      `toml:"cloak_ttl"`
 	QueryLog                 QueryLogConfig              `toml:"query_log"`
 	NxLog                    NxLogConfig                 `toml:"nx_log"`
-	BlockName                BlockNameConfig             `toml:"blacklist"`
-	WhitelistName            WhitelistNameConfig         `toml:"whitelist"`
-	BlockIP                  BlockIPConfig               `toml:"ip_blacklist"`
+	BlockName                BlockNameConfig             `toml:"blocked_names"`
+	BlockNameLegacy          BlockNameConfigLegacy       `toml:"blacklist"`
+	WhitelistNameLegacy      WhitelistNameConfigLegacy   `toml:"whitelist"`
+	AllowedName              AllowedNameConfig           `toml:"allowed_names"`
+	BlockIP                  BlockIPConfig               `toml:"blocked_ips"`
+	BlockIPLegacy            BlockIPConfigLegacy         `toml:"ip_blacklist"`
 	ForwardFile              string                      `toml:"forwarding_rules"`
 	CloakFile                string                      `toml:"cloaking_rules"`
 	StaticsConfig            map[string]StaticConfig     `toml:"static"`
@ -174,18 +177,36 @@ type NxLogConfig struct {
 }

 type BlockNameConfig struct {
+	File    string `toml:"blocked_names_file"`
+	LogFile string `toml:"log_file"`
+	Format  string `toml:"log_format"`
+}
+
+type BlockNameConfigLegacy struct {
 	File    string `toml:"blacklist_file"`
 	LogFile string `toml:"log_file"`
 	Format  string `toml:"log_format"`
 }

-type WhitelistNameConfig struct {
+type WhitelistNameConfigLegacy struct {
 	File    string `toml:"whitelist_file"`
 	LogFile string `toml:"log_file"`
 	Format  string `toml:"log_format"`
 }

+type AllowedNameConfig struct {
+	File    string `toml:"allowed_names_file"`
+	LogFile string `toml:"log_file"`
+	Format  string `toml:"log_format"`
+}
+
 type BlockIPConfig struct {
+	File    string `toml:"blocked_ips_file"`
+	LogFile string `toml:"log_file"`
+	Format  string `toml:"log_format"`
+}
+
+type BlockIPConfigLegacy struct {
 	File    string `toml:"blacklist_file"`
 	LogFile string `toml:"log_file"`
 	Format  string `toml:"log_format"`
@ -457,6 +478,15 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 	proxy.nxLogFile = config.NxLog.File
 	proxy.nxLogFormat = config.NxLog.Format

+	if len(config.BlockName.File) > 0 && len(config.BlockNameLegacy.File) > 0 {
+		dlog.Fatal("Don't specify both [blocked_names] and [blacklist] sections - Update your config file.")
+	}
+	if len(config.BlockNameLegacy.File) > 0 {
+		dlog.Notice("Use of [blacklist] is deprecated - Update your config file.")
+		config.BlockName.File = config.BlockNameLegacy.File
+		config.BlockName.Format = config.BlockNameLegacy.Format
+		config.BlockName.LogFile = config.BlockNameLegacy.LogFile
+	}
 	if len(config.BlockName.Format) == 0 {
 		config.BlockName.Format = "tsv"
 	} else {
@ -469,18 +499,36 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 	proxy.blockNameFormat = config.BlockName.Format
 	proxy.blockNameLogFile = config.BlockName.LogFile

-	if len(config.WhitelistName.Format) == 0 {
-		config.WhitelistName.Format = "tsv"
+	if len(config.AllowedName.File) > 0 && len(config.WhitelistNameLegacy.File) > 0 {
+		dlog.Fatal("Don't specify both [whitelist] and [allowed_names] sections - Update your config file.")
+	}
+	if len(config.WhitelistNameLegacy.File) > 0 {
+		dlog.Notice("Use of [whitelist] is deprecated - Update your config file.")
+		config.AllowedName.File = config.WhitelistNameLegacy.File
+		config.AllowedName.Format = config.WhitelistNameLegacy.Format
+		config.AllowedName.LogFile = config.WhitelistNameLegacy.LogFile
+	}
+	if len(config.AllowedName.Format) == 0 {
+		config.AllowedName.Format = "tsv"
 	} else {
-		config.WhitelistName.Format = strings.ToLower(config.WhitelistName.Format)
+		config.AllowedName.Format = strings.ToLower(config.AllowedName.Format)
 	}
-	if config.WhitelistName.Format != "tsv" && config.WhitelistName.Format != "ltsv" {
-		return errors.New("Unsupported whitelist log format")
+	if config.AllowedName.Format != "tsv" && config.AllowedName.Format != "ltsv" {
+		return errors.New("Unsupported allowed_names log format")
 	}
-	proxy.whitelistNameFile = config.WhitelistName.File
-	proxy.whitelistNameFormat = config.WhitelistName.Format
-	proxy.whitelistNameLogFile = config.WhitelistName.LogFile
+	proxy.whitelistNameFile = config.AllowedName.File
+	proxy.whitelistNameFormat = config.AllowedName.Format
+	proxy.whitelistNameLogFile = config.AllowedName.LogFile

+	if len(config.BlockIP.File) > 0 && len(config.BlockIPLegacy.File) > 0 {
+		dlog.Fatal("Don't specify both [blocked_ips] and [ip_blacklist] sections - Update your config file.")
+	}
+	if len(config.BlockIPLegacy.File) > 0 {
+		dlog.Notice("Use of [ip_blacklist] is deprecated - Update your config file.")
+		config.BlockIP.File = config.BlockIPLegacy.File
+		config.BlockIP.Format = config.BlockIPLegacy.Format
+		config.BlockIP.LogFile = config.BlockIPLegacy.LogFile
+	}
 	if len(config.BlockIP.Format) == 0 {
 		config.BlockIP.Format = "tsv"
 	} else {
--- a/dnscrypt-proxy/example-allowed-names.txt
+++ b/dnscrypt-proxy/example-allowed-names.txt
--- a/dnscrypt-proxy/example-ip-blacklist.txt
+++ b/dnscrypt-proxy/example-ip-blacklist.txt
--- a/dnscrypt-proxy/example-blocked-names.txt
+++ b/dnscrypt-proxy/example-blocked-names.txt
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@ -75,7 +75,7 @@ require_dnssec = false
 # Server must not log user queries (declarative)
 require_nolog = true

-# Server must not enforce its own blacklist (for parental control, ads blocking...)
+# Server must not enforce its own blocklist (for parental control, ads blocking...)
 require_nofilter = true

 # Server names to avoid even if they match all criteria
@ -275,7 +275,7 @@ log_files_max_backups = 1

 ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
 ## configure dnscrypt-proxy to do any kind of filtering (including the filters
-## below and blacklists).
+## below and blocklists).
 ## You can still choose resolvers that do DNSSEC validation.


@ -298,7 +298,7 @@ block_undelegated = true


 ## TTL for synthetic responses sent when a request has been blocked (due to
-## IPv6 or blacklists).
+## IPv6 or blocklists).

 reject_ttl = 600

@ -444,10 +444,10 @@ cache_neg_max_ttl = 600


 ######################################################
-#        Pattern-based blocking (blacklists)        #
+#        Pattern-based blocking (blocklists)        #
 ######################################################

-## Blacklists are made of one pattern per line. Example of valid patterns:
+## Blocklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   example.com
 ##   =example.com
@ -456,20 +456,20 @@ cache_neg_max_ttl = 600
 ##   ads*.example.*
 ##   ads*.example[0-9]*.com
 ##
-## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-## A script to build blacklists from public feeds can be found in the
+## Example blocklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blocklists from public feeds can be found in the
 ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.

-[blacklist]
+[blocked_names]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

-  # blacklist_file = 'blacklist.txt'
+  # blocked_names_file = 'blocked-names.txt'


  ## Optional path to a file logging blocked queries

-  # log_file = 'blocked.log'
+  # log_file = 'blocked-names.log'


  ## Optional log format: tsv or ltsv (default: tsv)
@ -479,25 +479,25 @@ cache_neg_max_ttl = 600


 ###########################################################
-#        Pattern-based IP blocking (IP blacklists)        #
+#        Pattern-based IP blocking (IP blocklists)        #
 ###########################################################

-## IP blacklists are made of one pattern per line. Example of valid patterns:
+## IP blocklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   127.*
 ##   fe80:abcd:*
 ##   192.168.1.4

-[ip_blacklist]
+[blocked_ips]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

-  # blacklist_file = 'ip-blacklist.txt'
+  # blocked_ips_file = 'blocked-ips.txt'


  ## Optional path to a file logging blocked queries

-  # log_file = 'ip-blocked.log'
+  # log_file = 'blocked-ips.log'


  ## Optional log format: tsv or ltsv (default: tsv)
@ -507,25 +507,25 @@ cache_neg_max_ttl = 600


 ######################################################
-#   Pattern-based whitelisting (blacklists bypass)   #
+#   Pattern-based allowlisting (blocklists bypass)   #
 ######################################################

-## Whitelists support the same patterns as blacklists
-## If a name matches a whitelist entry, the corresponding session
+## Allowlists support the same patterns as blocklists
+## If a name matches a allowlist entry, the corresponding session
 ## will bypass names and IP filters.
 ##
 ## Time-based rules are also supported to make some websites only accessible at specific times of the day.

-[whitelist]
+[allowed_names]

-  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
+  ## Path to the file of allowlisting rules (absolute, or relative to the same directory as the config file)

-  # whitelist_file = 'whitelist.txt'
+  # allowed_names_file = 'allowed-names.txt'


-  ## Optional path to a file logging whitelisted queries
+  ## Optional path to a file logging allowlisted queries

-  # log_file = 'whitelisted.log'
+  # log_file = 'allowed-names.log'


  ## Optional log format: tsv or ltsv (default: tsv)
@ -539,10 +539,10 @@ cache_neg_max_ttl = 600
 ##########################################

 ## One or more weekly schedules can be defined here.
-## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
 ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
 ##
-## For example, the following rule in a blacklist file:
+## For example, the following rule in a blocklist file:
 ## *.youtube.* @time-to-sleep
 ## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
 ##