denylist4: Rename from blacklist4

Adds denylist, deprecates "blacklist."

First half of #341.

docs/en/config-atomic.md

@@ -17,7 +17,6 @@ title: Atomic Configuration
 4. [Examples](#examples)
 	1. [SIIT](#siit)
 	2. [NAT64](#nat64)
-6. [Changes from Jool 3](#changes-from-jool-3)
 
 ## Introduction
 
@@ -100,8 +99,8 @@ Unrecognized tags will trigger errors, but any amount of `comment`s are allowed
 		}
 	],
 
-	"comment": "This comment is relevant to blacklist4 maybe.",
-	"<a href="usr-flags-blacklist4.html">blacklist4</a>": [
+	"comment": "This comment is relevant to denylist4 maybe.",
+	"<a href="usr-flags-denylist4.html">denylist4</a>": [
 		"198.51.100.0",
 		"198.51.100.2/32",
 		"198.51.100.32/27"
@@ -195,26 +194,3 @@ Also, `pool6` is mandatory and immutable (as normal). It must be set during inst
 
 Updating a NAT64 instance through atomic configuration is not the same as dropping the instance and then creating another one in its place. Aside from skipping the translatorless time window through the former, you get to keep the BIB/session database.
 
-## Changes from Jool 3
-
-1. `pool6` and the RFC 6791 IPv4 pool were moved to the `global` object. (They used to be in the root.)
-2. On NAT64, `pool6` is immutable now.
-3. Added the `instance` (the instance name) and `framework` (`netfilter` or `iptables`) tags.
-4. In object contexts,
-	1. Comment tags are now allowed.
-	2. Unknown tags are no longer allowed.
-	3. Tag redeclarations are no longer allowed. (Even if they define the same value.)
-5. Configuration of static BIB entries is now supported (but only on instance creation).
-6. The configuration is not incremental anymore. (See the following paragraphs for an explatation.)
-
-Jool 3's atomic configuration used to try to retain old values when instances were being updated. For example, if an existing instance's `logging-bib` option was set to the non-default `true`, then an atomic configuration run using a JSON file that lacked the `logging-bib` tag would result in `logging-bib` remaining `true` rather than resetting.
-
-Despite the good intentions, this turned to be inconsistent, and therefore hard to explain and error-prone. This is because of the databases.
-
-If the blacklist database has prefixes `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, then what should happen if the user runs atomic configuration with blacklist prefix `192.0.2.128/23`? Should Jool reject it because of collision? Did they meant to replace the first prefix? And if Jool treated it that way, then what would the user have to do to delete the other prefixes? Obviously, that was a dead end, so databases were always completely replaced as long as the base tag (`blacklist4` in this case) existed.
-
-So individual `global` values survived reconfigurations, but individual database entries did not.
-
-Starting from Jool 4, all tags work the same, which is to say, the JSON file is a snapshot of the ENTIRE configuration at a given time. Anything that's absent from the file will be mercilessly defaulted during updates.
-
-This also leads to simpler code.

docs/en/documentation.md

@@ -60,7 +60,7 @@ See [RFC 6586](https://tools.ietf.org/html/rfc6586) for deployment experiences u
 	4. [`file`](config-atomic.html)
 2. `jool_siit`-only modes
 	1. [`eamt`](usr-flags-eamt.html)
-	2. [`blacklist4`](usr-flags-blacklist4.html)
+	2. [`denylist4`](usr-flags-denylist4.html)
 	3. [`address`](usr-flags-address.html)
 3. `jool`-only modes
 	1. [`pool4`](usr-flags-pool4.html)

docs/en/intro-jool.md

@@ -125,11 +125,11 @@ SIIT Jool also returns the packet to the kernel when at least one of these condi
 - The packet is IPv4 and at least one of its addresses cannot be translated. An IPv4 address cannot be translated when
 	- it's subnet-scoped,
 	- belongs to one of the translator's interfaces,
-	- is [blacklist4ed](usr-flags-blacklist4.html), or
+	- is [denylist4ed](usr-flags-denylist4.html), or
 	- cannot be translated by any of the populated address translation strategies (EAMT, pool6 and rfc6791).
 - The packet is IPv6 and at least one of its addresses cannot be translated. An IPv6 address cannot be translated when
 	- it cannot be translated by any of the populated address translation strategies (EAMT, pool6 and rfc6791),
-	- its IPv4 counterpart is blacklist4ed,
+	- its IPv4 counterpart is denylist4ed,
 	- its IPv4 counterpart is subnet-scoped, or
 	- its IPv4 counterpart belongs to a local interface.
 

docs/en/usr-clients.md

@@ -64,7 +64,7 @@ All JSON tags other than `"instance"` are ignored. (The idea is to allow you to
 - [`stats`](usr-flags-stats.html)
 - [`global`](usr-flags-global.html)
 - [`eamt`](usr-flags-eamt.html) (SIIT only)
-- [`blacklist4`](usr-flags-blacklist4.html) (SIIT only)
+- [`denylist4`](usr-flags-denylist4.html) (SIIT only)
 - [`pool4`](usr-flags-pool4.html) (NAT64 only)
 - [`bib`](usr-flags-bib.html) (NAT64 only)
 - [`session`](usr-flags-session.html) (NAT64 only)

docs/en/usr-flags-blacklist4.md

@@ -1,93 +1,5 @@
 ---
-language: en
-layout: default
-category: Documentation
-title: blacklist4 Mode
+layout: redirect
+redirect_link: usr-flags-denylist4.html
 ---
 
-[Documentation](documentation.html) > [Userspace Clients](documentation.html#userspace-clients) > `blacklist4` Mode
-
-# `blacklist4` Mode
-
-## Index
-
-1. [Description](#description)
-2. [Syntax](#syntax)
-3. [Arguments](#arguments)
-	1. [Operations](#operations)
-	2. [Options](#options)
-4. [Examples](#examples)
-
-## Description
-
-Interacts with Jool's blacklisted addresses pool.
-
-The pool lists IPv4 translation addresses which are _banned_ from [pool6](usr-flags-pool6.html)-based translation. If an incoming IPv4 packet contains one of these addresses (which would be translated via pool6 and not the EAMT), Jool will silently abort translation. If an incoming IPv6 packet translates (through pool6) into an IPv4 packet that contains one of these addresses, Jool will also silently abort translation. 
-
-blacklist4 applies on most addresses. The only exception is source addresses from ICMP errors. These are translated regardless of blacklist4 for the sake of troubleshooting purposes.
-
-As an aside, there are some addresses Jool will refuse to translate, regardless of `blacklist4`. These include
-
-- The addresses that belong to Jool's node (because Jool can only be used in a forwarding fashion, currently).
-- Software addresses (0.0.0.0/8).
-- Host addresses (127.0.0.0/8).
-- Link-local addresses (169.254.0.0/16).
-- Multicast addresses (224.0.0.0/4).
-- Limited broadcast (255.255.255.255/32).
-
-The blacklist is mostly only relevant in Netfilter Jool, because iptables Jool already has matching conditionals by nature.
-
-## Syntax
-
-	jool_siit blacklist4 (
-		display [--csv]
-		| add <IPv4-prefix>
-		| remove <IPv4-prefix>
-		| flush
-	)
-
-## Arguments
-
-### Operations
-
-* `display`: The pool's addresses/prefixes are printed in standard output.
-* `add`: Uploads `<IPv4-prefix>` to the pool.
-* `remove`: Deletes `<IPv4-prefix>` from the pool.
-* `flush`: Removes all addresses/prefixes from the pool.
-
-`<IPv4-prefix>`'s prefix length defaults to 32.
-
-### Options
-
-| **Flag** | **Description** |
-| `--csv` | Print the table in [_Comma/Character-Separated Values_ format](http://en.wikipedia.org/wiki/Comma-separated_values). This is intended to be redirected into a .csv file. |
-
-## Examples
-
-These examples assume that the name of the Jool instance is "default."
-
-Add addresses:
-
-	# jool_siit blacklist4 add 192.0.2.0/28
-	# jool_siit blacklist4 add 198.51.100.0/30
-	# jool_siit blacklist4 add 203.0.113.8/32
-
-Display the current addresses:
-
-	# jool_siit blacklist4 display
-	+--------------------+
-	|        IPv4 Prefix |
-	+--------------------+
-	|       192.0.2.0/28 |
-	|    198.51.100.0/30 |
-	|     203.0.113.8/32 |
-	+--------------------+
-
-Remove an entry:
-
-	# jool_siit blacklist4 remove 198.51.100.0/30
-
-Clear the table:
-
-	# jool_siit blacklist4 flush
-

docs/en/usr-flags-denylist4.md

@@ -0,0 +1,95 @@
+---
+language: en
+layout: default
+category: Documentation
+title: denylist4 Mode
+---
+
+[Documentation](documentation.html) > [Userspace Clients](documentation.html#userspace-clients) > `denylist4` Mode
+
+# `denylist4` Mode
+
+## Index
+
+1. [Description](#description)
+2. [Syntax](#syntax)
+3. [Arguments](#arguments)
+	1. [Operations](#operations)
+	2. [Options](#options)
+4. [Examples](#examples)
+
+## Description
+
+Interacts with Jool's denylist address pool.
+
+The pool lists IPv4 translation addresses which are _banned_ from [pool6](usr-flags-pool6.html)-based translation. If an incoming IPv4 packet contains one of these addresses (which would be translated via pool6 and not the EAMT), Jool will silently abort translation. If an incoming IPv6 packet translates (through pool6) into an IPv4 packet that contains one of these addresses, Jool will also silently abort translation. 
+
+denylist4 applies on most addresses. The only exception is source addresses from ICMP errors. These are translated regardless of denylist4 for the sake of troubleshooting purposes.
+
+As an aside, there are some addresses Jool will refuse to translate, regardless of `denylist4`. These include
+
+- The addresses that belong to Jool's node (because Jool can only be used in a forwarding fashion, currently).
+- Software addresses (0.0.0.0/8).
+- Host addresses (127.0.0.0/8).
+- Link-local addresses (169.254.0.0/16).
+- Multicast addresses (224.0.0.0/4).
+- Limited broadcast (255.255.255.255/32).
+
+The denylist is mostly only relevant in Netfilter Jool, because iptables Jool already has matching conditionals by nature.
+
+> ![Note!](../images/bulb.svg) Before Jool 4.1.4, `denylist4` used to be called "`blacklist4`." The latter still works, but is considered a deprecated alias.
+
+## Syntax
+
+	jool_siit denylist4 (
+		display [--csv]
+		| add <IPv4-prefix>
+		| remove <IPv4-prefix>
+		| flush
+	)
+
+## Arguments
+
+### Operations
+
+* `display`: The pool's addresses/prefixes are printed in standard output.
+* `add`: Uploads `<IPv4-prefix>` to the pool.
+* `remove`: Deletes `<IPv4-prefix>` from the pool.
+* `flush`: Removes all addresses/prefixes from the pool.
+
+`<IPv4-prefix>`'s prefix length defaults to 32.
+
+### Options
+
+| **Flag** | **Description** |
+| `--csv` | Print the table in [_Comma/Character-Separated Values_ format](http://en.wikipedia.org/wiki/Comma-separated_values). This is intended to be redirected into a .csv file. |
+
+## Examples
+
+These examples assume that the name of the Jool instance is "default."
+
+Add addresses:
+
+	# jool_siit denylist4 add 192.0.2.0/28
+	# jool_siit denylist4 add 198.51.100.0/30
+	# jool_siit denylist4 add 203.0.113.8/32
+
+Display the current addresses:
+
+	# jool_siit denylist4 display
+	+--------------------+
+	|        IPv4 Prefix |
+	+--------------------+
+	|       192.0.2.0/28 |
+	|    198.51.100.0/30 |
+	|     203.0.113.8/32 |
+	+--------------------+
+
+Remove an entry:
+
+	# jool_siit denylist4 remove 198.51.100.0/30
+
+Clear the table:
+
+	# jool_siit denylist4 flush
+

src/mod/common/Kbuild

@@ -46,7 +46,7 @@ jool_common-objs += nl/attribute.o
 jool_common-objs += nl/nl_handler.o
 jool_common-objs += nl/nl_core.o
 jool_common-objs += nl/bib.o
-jool_common-objs += nl/blacklist4.o
+jool_common-objs += nl/denylist4.o
 jool_common-objs += nl/eam.o
 jool_common-objs += nl/global.o
 jool_common-objs += nl/instance.o
@@ -56,10 +56,9 @@ jool_common-objs += nl/pool4.o
 jool_common-objs += nl/session.o
 jool_common-objs += nl/stats.o
 
-jool_common-objs += db/blacklist4.o
+jool_common-objs += db/denylist4.o
 jool_common-objs += db/global.o
 jool_common-objs += db/eam.o
-jool_common-objs += db/pool.o
 jool_common-objs += db/rbtree.o
 jool_common-objs += db/rfc6791v4.o
 jool_common-objs += db/rfc6791v6.o

src/mod/common/address_xlat.c

@@ -2,7 +2,7 @@
 
 #include "mod/common/address.h"
 #include "mod/common/rfc6052.h"
-#include "mod/common/db/blacklist4.h"
+#include "mod/common/db/denylist4.h"
 #include "mod/common/db/eam.h"
 
 static bool is_illegal_source(struct in6_addr *src)
@@ -33,7 +33,7 @@ static struct addrxlat_result programming_error(void)
 
 struct addrxlat_result addrxlat_siit64(struct xlator *instance,
 		struct in6_addr *in, struct result_addrxlat64 *out,
-		bool enable_blacklists)
+		bool enable_denylists)
 {
 	struct addrxlat_result result;
 	int error;
@@ -56,16 +56,16 @@ struct addrxlat_result addrxlat_siit64(struct xlator *instance,
 		return result;
 	}
 
-	if (enable_blacklists && blacklist4_contains(instance->siit.blacklist4,
+	if (enable_denylists && denylist4_contains(instance->siit.denylist4,
 			&out->addr)) {
 		result.verdict = ADDRXLAT_ACCEPT;
 		/* No, that's not a typo. */
-		result.reason = "The resulting address (%pI4) is blacklist4ed";
+		result.reason = "The resulting address (%pI4) is denylist4ed";
 		return result;
 	}
 
 success:
-	if (enable_blacklists && must_not_translate(&out->addr, instance->ns)) {
+	if (enable_denylists && must_not_translate(&out->addr, instance->ns)) {
 		result.verdict = ADDRXLAT_ACCEPT;
 		result.reason = "The resulting address is subnet-scoped or belongs to a local interface";
 		return result;
@@ -78,13 +78,13 @@ struct addrxlat_result addrxlat_siit64(struct xlator *instance,
 
 struct addrxlat_result addrxlat_siit46(struct xlator *instance,
 		__be32 in, struct result_addrxlat46 *out,
-		bool enable_eam, bool enable_blacklists)
+		bool enable_eam, bool enable_denylists)
 {
 	struct in_addr tmp = { .s_addr = in };
 	struct addrxlat_result result;
 	int error;
 
-	if (enable_blacklists && must_not_translate(&tmp, instance->ns)) {
+	if (enable_denylists && must_not_translate(&tmp, instance->ns)) {
 		result.verdict = ADDRXLAT_ACCEPT;
 		result.reason = "The address is subnet-scoped or belongs to a local interface";
 		return result;
@@ -98,9 +98,9 @@ struct addrxlat_result addrxlat_siit46(struct xlator *instance,
 			return programming_error();
 	}
 
-	if (blacklist4_contains(instance->siit.blacklist4, &tmp)) {
+	if (denylist4_contains(instance->siit.denylist4, &tmp)) {
 		result.verdict = ADDRXLAT_ACCEPT;
-		result.reason = "The address lacks EAMT entry and is blacklist4ed";
+		result.reason = "The address lacks EAMT entry and is denylist4ed";
 		return result;
 	}
 

src/mod/common/address_xlat.h

@@ -34,9 +34,9 @@ struct addrxlat_result {
 
 struct addrxlat_result addrxlat_siit64(struct xlator *instance,
 		struct in6_addr *in, struct result_addrxlat64 *out,
-		bool enable_blacklists);
+		bool enable_denylists);
 struct addrxlat_result addrxlat_siit46(struct xlator *instance,
 		__be32 in, struct result_addrxlat46 *out,
-		bool enable_eam, bool enable_blacklists);
+		bool enable_eam, bool enable_denylists);
 
 #endif /* SRC_MOD_COMMON_ADDRESS_XLAT_H_ */