@@ -162,7 +162,7 @@ undesirable situation.
`ipsec_skb_mark`. By setting the ipsec_skb_mark as 0/1, OVS IPsec prevents
all unencrypted tunnel packets leaving the host since the default skb_mark
value for tunnel packets are 0. This affects all OVS tunnels including those
- without IPsec being set up. You can install OpenFlow rules to whitelist
+ without IPsec being set up. You can install OpenFlow rules to enable
those non-IPsec tunnels by setting the skb_mark of the tunnel traffic as
non-zero value.
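Review bot: "enable those non-IPsec tunnels" on the `+` line reads as if the OpenFlow rules switch the tunnels on; what they actually do is exempt that tunnel traffic from the skb_mark 0/1 drop policy by marking it non-zero, so "allow" or "exempt" is the closer replacement for "whitelist". While this paragraph is being edited, the context line "the default skb_mark value for tunnel packets are 0" should read "is 0" (the subject is "value").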
@@ -67,8 +67,8 @@ differently than SELinux.
SELinux and Open vSwitch are moving targets. What this means is that, if you
solely rely on your Linux distribution's SELinux policy, then this policy might
not have correctly anticipated that a newer Open vSwitch version needs extra
-white list rules. However, if you solely rely on SELinux policy that ships
-with Open vSwitch, then Open vSwitch developers might not have correctly
+rules to allow behavior. However, if you solely rely on SELinux policy that
+ships with Open vSwitch, then Open vSwitch developers might not have correctly
anticipated the feature set that your SELinux implementation supports.
Installation
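Review bot: "rules to allow behavior" is vaguer than the text it replaces and drifts from the wording the later selinux.rst hunk adopts ("allow rules", which is also SELinux's own term for its `allow` statements). Suggest "needs extra allow rules" here so the document uses a single term for the same thing.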
@@ -136,8 +136,8 @@ Then verify that this module was indeed loaded::
openvswitch 1.1.1
If you still see Permission denied errors, then take a look into
-``selinux/openvswitch.te.in`` file in the OVS source tree and try to add white
-list rules. This is really simple, just run SELinux audit2allow tool::
+``selinux/openvswitch.te.in`` file in the OVS source tree and try to add allow
+rules. This is really simple, just run SELinux audit2allow tool::
$ grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal
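Review bot: the instruction this hunk rewrites turns every denial for openvswitch_t found in audit.log into an allow rule, including denials that a stricter local policy produced on purpose, and "This is really simple" encourages loading the result unread. Since the sentence is being edited anyway, add a line telling the reader to inspect the generated ovslocal.te and keep only the rules that correspond to the failing operation before loading the module.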
@@ -261,5 +261,5 @@ Implement the headers and codes for compatibility with older kernel in
function should be prefixed with ``rpl_``. Otherwise, the function should be
prefixed with ``ovs_``. For special case when it is not possible to follow
this rule (e.g., the ``pskb_expand_head()`` function), the function name must
-be added to ``linux/compat/build-aux/export-check-whitelist``, otherwise, the
+be added to ``linux/compat/build-aux/export-check-allowlist``, otherwise, the
compilation check ``check-export-symbol`` will fail.
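Review bot: the new file name in this documentation hunk does not match the rename. The `+` line says ``linux/compat/build-aux/export-check-allowlist``, but the rename header and the datapath Makefile.am and Modules.mk hunks use `export-check-allow-list` (with a hyphen). A reader following this text will add the function name to a file that does not exist and `check-export-symbol` will still fail. Use `export-check-allow-list` here as well.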
@@ -91,7 +91,7 @@ When sending a monitor request the standby server is doing the following:
4. For each database with the same schema in both the active and standby
servers: construct and send a monitor request message specifying the tables
that will be monitored (i.e all the tables on the database except the ones
- blacklisted [*]).
+ explicitly excluded [*]).
5. Set the standby database to the current state of the active database.
@@ -100,10 +100,9 @@ receive notifications of changes occurring to the tables specified in the
request. The process of handling this notifications is detailed in the next
section.
-[*] A set of tables that will be excluded from replication can be configure as
-a blacklist of tables via the command line option
-``--sync-exclude-tables=db:table[,db:table]...``, where db corresponds to the
-database where the table resides.
+[*] A set of tables that will be excluded from replication can be configured
+via the command line option ``--sync-exclude-tables=db:table[,db:table]...``,
+where db corresponds to the database where the table resides.
Replication Process
-------------------
@@ -276,7 +276,7 @@ static-check:
fi
.PHONY: static-check
-# Check that assert.h is not used outside a whitelist of files.
+# Check that assert.h is not used (outside a small set of files).
ALL_LOCAL += check-assert-h-usage
check-assert-h-usage:
@if test -e $(srcdir)/.git && (git --version) >/dev/null 2>&1 && \
@@ -323,7 +323,7 @@ check-tabs:
if test -e .git && (git --version) >/dev/null 2>&1 && \
grep -ln "^ " \
`git ls-files \
- | grep -v -f build-aux/initial-tab-whitelist` /dev/null \
+ | grep -v -f build-aux/initial-tab-allowed-files` /dev/null \
| $(EGREP) -v ':[ ]*/?\*'; \
then \
echo "See above for files that use tabs for indentation."; \
@@ -336,16 +336,16 @@ ALL_LOCAL += thread-safety-check
thread-safety-check:
@cd $(srcdir); \
if test -e .git && (git --version) >/dev/null 2>&1 && \
- grep -n -f build-aux/thread-safety-blacklist \
+ grep -n -f build-aux/thread-safety-forbidden \
`git ls-files | grep '\.[ch]$$' \
| $(EGREP) -v '^datapath|^lib/sflow|^third-party'` /dev/null \
| $(EGREP) -v ':[ ]*/?\*'; \
then \
echo "See above for list of calls to functions that are"; \
- echo "blacklisted due to thread safety issues"; \
+ echo "forbidden due to thread safety issues"; \
exit 1; \
fi
-EXTRA_DIST += build-aux/thread-safety-blacklist
+EXTRA_DIST += build-aux/thread-safety-forbidden
.PHONY: thread-safety-check
# Check that "ip" is used in preference to "ifconfig", because
@@ -5,7 +5,7 @@ EXTRA_DIST += \
build-aux/dist-docs \
build-aux/dpdkstrip.py \
build-aux/generate-dhparams-c \
- build-aux/initial-tab-whitelist \
+ build-aux/initial-tab-allowed-files \
build-aux/sodepends.py \
build-aux/soexpand.py \
build-aux/text2c \
similarity index 100%
rename from build-aux/initial-tab-whitelist
rename to build-aux/initial-tab-allowed-files
similarity index 100%
rename from build-aux/thread-safety-blacklist
rename to build-aux/thread-safety-forbidden
@@ -42,7 +42,7 @@ COMPAT_EXPORTS := $(shell $(COMPAT_GET_EXPORTS))
# Checks that all EXPORT_SYMBOL_GPL() export 'rpl_' or 'ovs_' prefixed functions.
check-export-symbol:
@for fun_ in $(COMPAT_FUNCTIONS); do \
- if ! grep -- $${fun_} $(top_srcdir)/datapath/linux/compat/build-aux/export-check-whitelist > /dev/null; then \
+ if ! grep -- $${fun_} $(top_srcdir)/datapath/linux/compat/build-aux/export-check-allow-list > /dev/null; then \
if ! echo $${fun_} | grep -q -E '^(rpl|ovs)_'; then \
echo "error: $${fun_}() needs to be prefixed with 'rpl_' or 'ovs_'."; \
exit 1; \
@@ -120,4 +120,4 @@ openvswitch_headers += \
linux/compat/include/linux/netfilter.h \
linux/compat/include/linux/overflow.h \
linux/compat/include/linux/rbtree.h
-EXTRA_DIST += linux/compat/build-aux/export-check-whitelist
+EXTRA_DIST += linux/compat/build-aux/export-check-allow-list
similarity index 100%
rename from datapath/linux/compat/build-aux/export-check-whitelist
rename to datapath/linux/compat/build-aux/export-check-allow-list
@@ -72,7 +72,7 @@ endif
# header file has the proper extern declaration for use with C++.
#
# Some header files don't declare any external functions, so they
-# don't really need extern "C". We only white list a couple of these
+# don't really need extern "C". We only permit a couple of these
# below, which are the ones that seem unlikely to ever declare
# external functions. For the rest, we add extern "C" anyway; it
# doesn't hurt.
@@ -58,7 +58,7 @@ This option has no effect when \fB\-\-detach\fR is not specified.
.TP
\fB\-\-no\-self\-confinement\fR
By default daemon will try to self-confine itself to work with
-files under well-know, at build-time whitelisted directories. It
+files under well-known directories determined during build. It
is better to stick with this default behavior and not to use this
flag unless some other Access Control is used to confine daemon.
Note that in contrast to other access control implementations that
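Review bot: "well-known directories determined during build" loses the security meaning of the original sentence: the daemon confines itself to a fixed, approved set of directories chosen at build time and refuses to work with files outside that set. "determined during build" can be read as merely describing where those directories live. Suggest "files under a fixed set of well-known directories chosen at build time"; the same applies to the lib/daemon.xml hunk that follows.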
@@ -82,7 +82,7 @@
<dt><code>--no-self-confinement</code></dt>
<dd>
By default this daemon will try to self-confine itself to work with files
- under well-known directories whitelisted at build time. It is better to
+ under well-known directories determined at build time. It is better to
stick with this default behavior and not to use this flag unless some other
Access Control is used to confine daemon. Note that in contrast to other
access control implementations that are typically enforced from
@@ -79,9 +79,9 @@ struct registered_dpif_class {
int refcount;
};
static struct shash dpif_classes = SHASH_INITIALIZER(&dpif_classes);
-static struct sset dpif_blacklist = SSET_INITIALIZER(&dpif_blacklist);
+static struct sset dpif_disallowed = SSET_INITIALIZER(&dpif_disallowed);
-/* Protects 'dpif_classes', including the refcount, and 'dpif_blacklist'. */
+/* Protects 'dpif_classes', including the refcount, and 'dpif_disallowed'. */
static struct ovs_mutex dpif_mutex = OVS_MUTEX_INITIALIZER;
/* Rate limit for individual messages going to or from the datapath, output at
@@ -134,8 +134,8 @@ dp_register_provider__(const struct dpif_class *new_class)
struct registered_dpif_class *registered_class;
int error;
- if (sset_contains(&dpif_blacklist, new_class->type)) {
- VLOG_DBG("attempted to register blacklisted provider: %s",
+ if (sset_contains(&dpif_disallowed, new_class->type)) {
+ VLOG_DBG("attempted to register disallowed provider: %s",
new_class->type);
return EINVAL;
}
@@ -219,13 +219,13 @@ dp_unregister_provider(const char *type)
return error;
}
-/* Blacklists a provider. Causes future calls of dp_register_provider() with
+/* Disallows a provider. Causes future calls of dp_register_provider() with
* a dpif_class which implements 'type' to fail. */
void
-dp_blacklist_provider(const char *type)
+dp_disallow_provider(const char *type)
{
ovs_mutex_lock(&dpif_mutex);
- sset_add(&dpif_blacklist, type);
+ sset_add(&dpif_disallowed, type);
ovs_mutex_unlock(&dpif_mutex);
}
@@ -400,7 +400,7 @@ struct sset;
int dp_register_provider(const struct dpif_class *);
int dp_unregister_provider(const char *type);
-void dp_blacklist_provider(const char *type);
+void dp_disallow_provider(const char *type);
void dp_enumerate_types(struct sset *types);
const char *dpif_normalize_type(const char *);
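Review bot: `dp_blacklist_provider()` is declared in lib/dpif.h, so renaming it to `dp_disallow_provider()` is a header-level API change, and the series updates only the one caller in vswitchd/ovs-vswitchd.c (`dp_disallow_provider("system")`). Confirm that a full build and the test suite find no other callers, and consider a NEWS entry, since any out-of-tree code built against the OVS tree that calls the old name will stop compiling.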
@@ -100,12 +100,12 @@ const struct ovsdb_idl_table_class *ovsdb_idl_table_class_from_column(
* The client may choose any subset of the columns and tables to replicate,
* specifying it one of two ways:
*
- * - As a blacklist (adding the columns or tables to replicate). To do so,
+ * - As a deny list (adding the columns or tables to replicate). To do so,
* the client passes false as 'monitor_everything_by_default' to
* ovsdb_idl_create() and then calls ovsdb_idl_add_column() and
* ovsdb_idl_add_table() for the desired columns and, if necessary, tables.
*
- * - As a whitelist (replicating all columns and tables except those
+ * - As an allow list (replicating all columns and tables except those
* explicitly removed). To do so, the client passes true as
* 'monitor_everything_by_default' to ovsdb_idl_create() and then calls
* ovsdb_idl_omit() to remove columns.
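Review bot: the two labels in this comment are swapped, and the rename carries the error forward. The first bullet (pass false as 'monitor_everything_by_default', then call ovsdb_idl_add_column()/ovsdb_idl_add_table() for what you want) is an allow list: nothing is replicated unless explicitly added. The second bullet (pass true, then ovsdb_idl_omit() to remove columns) is the deny list. Swap "deny list" and "allow list" between the two bullets; as written, the comment now documents the API backwards.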
@@ -1382,7 +1382,7 @@ ovsdb_server_set_sync_exclude_tables(struct unixctl_conn *conn,
{
struct server_config *config = config_;
- char *err = set_blacklist_tables(argv[1], true);
+ char *err = set_excluded_tables(argv[1], true);
if (!err) {
free(*config->sync_exclude);
*config->sync_exclude = xstrdup(argv[1]);
@@ -1394,7 +1394,7 @@ ovsdb_server_set_sync_exclude_tables(struct unixctl_conn *conn,
config->all_dbs, server_uuid,
*config->replication_probe_interval);
}
- err = set_blacklist_tables(argv[1], false);
+ err = set_excluded_tables(argv[1], false);
}
unixctl_command_reply(conn, err);
free(err);
@@ -1406,7 +1406,7 @@ ovsdb_server_get_sync_exclude_tables(struct unixctl_conn *conn,
const char *argv[] OVS_UNUSED,
void *arg_ OVS_UNUSED)
{
- char *reply = get_blacklist_tables();
+ char *reply = get_excluded_tables();
unixctl_command_reply(conn, reply);
free(reply);
}
@@ -1809,7 +1809,7 @@ parse_options(int argc, char *argv[],
break;
case OPT_SYNC_EXCLUDE: {
- char *err = set_blacklist_tables(optarg, false);
+ char *err = set_excluded_tables(optarg, false);
if (err) {
ovs_fatal(0, "%s", err);
}
@@ -68,11 +68,11 @@ static struct ovsdb_error *execute_update(struct ovsdb_txn *txn,
struct json *new);
/* Maps from db name to sset of table names. */
-static struct shash blacklist_tables = SHASH_INITIALIZER(&blacklist_tables);
+static struct shash excluded_tables = SHASH_INITIALIZER(&excluded_tables);
-static void blacklist_tables_clear(void);
-static void blacklist_tables_add(const char *database, const char *table);
-static bool blacklist_tables_find(const char *database, const char* table);
+static void excluded_tables_clear(void);
+static void excluded_tables_add(const char *database, const char *table);
+static bool excluded_tables_find(const char *database, const char* table);
/* Keep track of request IDs of all outstanding OVSDB requests. */
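Review bot: style: the rewritten prototype `static bool excluded_tables_find(const char *database, const char* table);` keeps the `char* table` star placement from the old line, while the other two declarations in this hunk and the definition later in the file use `const char *table`. Since the line is being replaced anyway, make it `const char *table`.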
@@ -131,7 +131,7 @@ replication_init(const char *sync_from_, const char *exclude_tables,
sync_from = xstrdup(sync_from_);
/* Caller should have verified that the 'exclude_tables' is
* parseable. An error here is unexpected. */
- ovs_assert(!set_blacklist_tables(exclude_tables, false));
+ ovs_assert(!set_excluded_tables(exclude_tables, false));
replication_dbs_destroy();
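Review bot: `ovs_assert(!set_excluded_tables(exclude_tables, false));` places a call with side effects (with dryrun false it clears and rebuilds excluded_tables) inside an assertion. This is correct only because ovs_assert() is always compiled in, unlike assert(); a reader who does not know that will take it for a check that may disappear. Since the line is rewritten, `char *err = set_excluded_tables(exclude_tables, false); ovs_assert(!err);` keeps the mutation visible.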
@@ -407,38 +407,38 @@ replication_wait(void)
}
}
-/* Parse 'blacklist' to rebuild 'blacklist_tables'. If 'dryrun' is false, the
- * current black list tables will be wiped out, regardless of whether
- * 'blacklist' can be parsed. If 'dryrun' is true, only parses 'blacklist' and
- * reports any errors, without modifying the blacklist.
+/* Parse 'excluded' to rebuild 'excluded_tables'. If 'dryrun' is false, the
+ * current set of excluded tables will be wiped out, regardless of whether
+ * 'excluded' can be parsed. If 'dryrun' is true, only parses 'excluded' and
+ * reports any errors, without modifying the list of exclusions.
*
* On error, returns the error string, which the caller is
* responsible for freeing. Returns NULL otherwise. */
char * OVS_WARN_UNUSED_RESULT
-set_blacklist_tables(const char *blacklist, bool dryrun)
+set_excluded_tables(const char *excluded, bool dryrun)
{
struct sset set = SSET_INITIALIZER(&set);
char *err = NULL;
- if (blacklist) {
+ if (excluded) {
const char *longname;
if (!dryrun) {
/* Can only add to an empty shash. */
- blacklist_tables_clear();
+ excluded_tables_clear();
}
- sset_from_delimited_string(&set, blacklist, " ,");
+ sset_from_delimited_string(&set, excluded, " ,");
SSET_FOR_EACH (longname, &set) {
char *database = xstrdup(longname), *table = NULL;
strtok_r(database, ":", &table);
if (table && !dryrun) {
- blacklist_tables_add(database, table);
+ excluded_tables_add(database, table);
}
free(database);
if (!table) {
- err = xasprintf("Can't parse black list table: %s", longname);
+ err = xasprintf("Can't parse excluded table: %s", longname);
goto done;
}
}
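Review bot: pre-existing, but worth fixing while the function is rewritten: the error check `if (!table)` after `strtok_r(database, ":", &table);` depends on what strtok_r() stores in its saveptr argument when 'longname' contains no ':'. POSIX does not specify that value. As far as I can tell from glibc's implementation it leaves the pointer at the string's terminating NUL rather than NULL, so on that libc an entry like `db` gives table == "" instead of NULL, the "Can't parse excluded table" path is skipped and an empty table name is added (please verify on the target libc). A trailing colon (`db:`) passes the check on every libc and likewise adds an empty name. Splitting on `strchr(database, ':')` and rejecting both a missing separator and an empty table name makes the validation explicit and portable.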
@@ -447,19 +447,19 @@ set_blacklist_tables(const char *blacklist, bool dryrun)
done:
sset_destroy(&set);
if (err && !dryrun) {
- /* On error, destroy the partially built 'blacklist_tables'. */
- blacklist_tables_clear();
+ /* On error, destroy the partially built 'excluded_tables'. */
+ excluded_tables_clear();
}
return err;
}
char * OVS_WARN_UNUSED_RESULT
-get_blacklist_tables(void)
+get_excluded_tables(void)
{
struct shash_node *node;
struct sset set = SSET_INITIALIZER(&set);
- SHASH_FOR_EACH (node, &blacklist_tables) {
+ SHASH_FOR_EACH (node, &excluded_tables) {
const char *database = node->name;
const char *table;
struct sset *tables = node->data;
@@ -489,35 +489,35 @@ get_blacklist_tables(void)
}
static void
-blacklist_tables_clear(void)
+excluded_tables_clear(void)
{
struct shash_node *node;
- SHASH_FOR_EACH (node, &blacklist_tables) {
+ SHASH_FOR_EACH (node, &excluded_tables) {
struct sset *tables = node->data;
sset_destroy(tables);
}
- shash_clear_free_data(&blacklist_tables);
+ shash_clear_free_data(&excluded_tables);
}
static void
-blacklist_tables_add(const char *database, const char *table)
+excluded_tables_add(const char *database, const char *table)
{
- struct sset *tables = shash_find_data(&blacklist_tables, database);
+ struct sset *tables = shash_find_data(&excluded_tables, database);
if (!tables) {
tables = xmalloc(sizeof *tables);
sset_init(tables);
- shash_add(&blacklist_tables, database, tables);
+ shash_add(&excluded_tables, database, tables);
}
sset_add(tables, table);
}
static bool
-blacklist_tables_find(const char *database, const char *table)
+excluded_tables_find(const char *database, const char *table)
{
- struct sset *tables = shash_find_data(&blacklist_tables, database);
+ struct sset *tables = shash_find_data(&excluded_tables, database);
return tables && sset_contains(tables, table);
}
@@ -531,8 +531,8 @@ disconnect_active_server(void)
void
replication_destroy(void)
{
- blacklist_tables_clear();
- shash_destroy(&blacklist_tables);
+ excluded_tables_clear();
+ shash_destroy(&excluded_tables);
if (sync_from) {
free(sync_from);
@@ -558,8 +558,8 @@ reset_database(struct ovsdb *db)
struct shash_node *table_node;
SHASH_FOR_EACH (table_node, &db->tables) {
- /* Delete all rows if the table is not blacklisted. */
- if (!blacklist_tables_find(db->schema->name, table_node->name)) {
+ /* Delete all rows if the table is not excluded. */
+ if (!excluded_tables_find(db->schema->name, table_node->name)) {
struct ovsdb_table *table = table_node->data;
struct ovsdb_row *row, *next;
HMAP_FOR_EACH_SAFE (row, next, hmap_node, &table->rows) {
@@ -572,7 +572,7 @@ reset_database(struct ovsdb *db)
}
/* Create a monitor request for 'db'. The monitor request will include
- * any tables from 'blacklisted_tables'
+ * any tables from 'excluded_tables'
*
* Caller is responsible for disposing 'request'.
*/
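Review bot: the rewritten comment still states the opposite of what create_monitor_request() does. It says the monitor request "will include any tables from 'excluded_tables'", while the loop in the following hunk reads "Monitor all tables not excluded" and skips every table for which excluded_tables_find() returns true. Make it "will omit any tables listed in 'excluded_tables'". The old text also referred to a non-existent 'blacklisted_tables', so this is the moment to fix the sense, not just the name.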
@@ -590,8 +590,8 @@ create_monitor_request(struct ovsdb_schema *schema)
for (int j = 0; j < n; j++) {
struct ovsdb_table_schema *table = nodes[j]->data;
- /* Monitor all tables not blacklisted. */
- if (!blacklist_tables_find(db_name, table->name)) {
+ /* Monitor all tables not excluded. */
+ if (!excluded_tables_find(db_name, table->name)) {
add_monitored_table(table, monitor_request);
}
}
@@ -914,10 +914,10 @@ replication_status(void)
}
ds_chomp(&ds, ',');
- if (!shash_is_empty(&blacklist_tables)) {
+ if (!shash_is_empty(&excluded_tables)) {
ds_put_char(&ds, '\n');
ds_put_cstr(&ds, "exclude: ");
- ds_put_and_free_cstr(&ds, get_blacklist_tables());
+ ds_put_and_free_cstr(&ds, get_excluded_tables());
}
break;
}
@@ -39,9 +39,9 @@ struct ovsdb;
* replication_get_last_error() should be call within the main loop
* whenever OVSDB server runs in the backup mode.
*
- * - set_blacklist_tables(), get_blacklist_tables(),
- * disconnect_active_server() and replication_usage() are support functions
- * used mainly by uinxctl commands.
+ * - set_excluded_tables(), get_excluded_tables(), disconnect_active_server()
+ * and replication_usage() are support functions used mainly by unixctl
+ * commands.
*/
#define REPLICATION_DEFAULT_PROBE_INTERVAL 60000
@@ -58,9 +58,9 @@ int replication_get_last_error(void);
char *replication_status(void);
void replication_set_probe_interval(int);
-char *set_blacklist_tables(const char *blacklist, bool dryrun)
+char *set_excluded_tables(const char *excluded, bool dryrun)
OVS_WARN_UNUSED_RESULT;
-char *get_blacklist_tables(void) OVS_WARN_UNUSED_RESULT;
+char *get_excluded_tables(void) OVS_WARN_UNUSED_RESULT;
void disconnect_active_server(void);
#endif /* ovsdb/replication.h */
@@ -303,11 +303,11 @@ add_pmd_of_ports () {
m4_divert_pop([PREPARE_TESTS])
-# OVS_VSWITCHD_STOP([WHITELIST])
+# OVS_VSWITCHD_STOP([ALLOWLIST])
#
# Gracefully stops ovs-vswitchd and ovsdb-server, checking their log files
# for messages with severity WARN or higher and signaling an error if any
-# is present. The optional WHITELIST may contain shell-quoted "sed"
+# is present. The optional ALLOWLIST may contain shell-quoted "sed"
# commands to delete any warnings that are actually expected, e.g.:
#
# OVS_VSWITCHD_STOP(["/expected error/d"])
@@ -29,16 +29,16 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START],
AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2])
])
-# OVS_TRAFFIC_VSWITCHD_STOP([WHITELIST], [extra_cmds])
+# OVS_TRAFFIC_VSWITCHD_STOP([ALLOWLIST], [extra_cmds])
#
# Gracefully stops ovs-vswitchd and ovsdb-server, checking their log files
# for messages with severity WARN or higher and signaling an error if any
-# is present. The optional WHITELIST may contain shell-quoted "sed"
+# is present. The optional ALLOWLIST may contain shell-quoted "sed"
# commands to delete any warnings that are actually expected, e.g.:
#
# OVS_TRAFFIC_VSWITCHD_STOP(["/expected error/d"])
#
-# 'extra_cmds' are shell commands to be executed afte OVS_VSWITCHD_STOP() is
+# 'extra_cmds' are shell commands to be executed after OVS_VSWITCHD_STOP() is
# invoked. They can be used to perform additional cleanups such as name space
# removal.
m4_define([OVS_TRAFFIC_VSWITCHD_STOP],
@@ -21,16 +21,16 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START],
AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2])
])
-# OVS_TRAFFIC_VSWITCHD_STOP([WHITELIST], [extra_cmds])
+# OVS_TRAFFIC_VSWITCHD_STOP([ALLOWLIST], [extra_cmds])
#
# Gracefully stops ovs-vswitchd and ovsdb-server, checking their log files
# for messages with severity WARN or higher and signaling an error if any
-# is present. The optional WHITELIST may contain shell-quoted "sed"
+# is present. The optional ALLOWLIST may contain shell-quoted "sed"
# commands to delete any warnings that are actually expected, e.g.:
#
# OVS_TRAFFIC_VSWITCHD_STOP(["/expected error/d"])
#
-# 'extra_cmds' are shell commands to be executed afte OVS_VSWITCHD_STOP() is
+# 'extra_cmds' are shell commands to be executed after OVS_VSWITCHD_STOP() is
# invoked. They can be used to perform additional cleanups such as name space
# removal.
m4_define([OVS_TRAFFIC_VSWITCHD_STOP],
@@ -14,7 +14,8 @@
* limitations under the License.
*/
-/* "White box" tests for classifier.
+/* Tests for classifier, written with knowledge of and to advantage of the
+ * classifier's internal structure.
*
* With very few exceptions, these tests obtain complete coverage of every
* basic block and every branch in the classifier implementation, e.g. a clean
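Review bot: "white box" here is the standard testing term (tests written with knowledge of the implementation's internals) and is not part of the allow/deny-list vocabulary this series is retiring. The replacement is longer, and the added line "written with knowledge of and to advantage of the classifier's internal structure" is ungrammatical ("to take advantage of"). Suggest keeping "White-box tests for classifier" and dropping this file from the series.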
@@ -189,13 +189,13 @@ skip_signoff_check = False
# name, as they may have legitimate reasons to have longer lines.
#
# Python isn't checked as flake8 performs these checks during build.
-line_length_blacklist = re.compile(
+line_length_ignore_list = re.compile(
r'\.(am|at|etc|in|m4|mk|patch|py)$|debian/rules')
# Don't enforce a requirement that leading whitespace be all spaces on
# files that include these characters in their name, since these kinds
# of files need lines with leading tabs.
-leading_whitespace_blacklist = re.compile(r'\.(mk|am|at)$|debian/rules')
+leading_whitespace_ignore_list = re.compile(r'\.(mk|am|at)$|debian/rules')
def is_subtracted_line(line):
@@ -522,11 +522,11 @@ file_checks = [
checks = [
{'regex': None,
- 'match_name': lambda x: not line_length_blacklist.search(x),
+ 'match_name': lambda x: not line_length_ignore_list.search(x),
'check': lambda x: line_length_check(x)},
{'regex': None,
- 'match_name': lambda x: not leading_whitespace_blacklist.search(x),
+ 'match_name': lambda x: not leading_whitespace_ignore_list.search(x),
'check': lambda x: not leading_whitespace_is_spaces(x),
'print': lambda: print_warning("Line has non-spaces leading whitespace")},
@@ -3909,49 +3909,48 @@ bridge_configure_remotes(struct bridge *br,
&& (!strncmp(c->target, "punix:", 6)
|| !strncmp(c->target, "unix:", 5))) {
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
- char *whitelist;
+ char *allowed;
if (!strncmp(c->target, "unix:", 5)) {
/* Connect to a listening socket */
- whitelist = xasprintf("unix:%s/", ovs_rundir());
+ allowed = xasprintf("unix:%s/", ovs_rundir());
if (strchr(c->target, '/') &&
- !equal_pathnames(c->target, whitelist,
- strlen(whitelist))) {
+ !equal_pathnames(c->target, allowed, strlen(allowed))) {
/* Absolute path specified, but not in ovs_rundir */
VLOG_ERR_RL(&rl, "bridge %s: Not connecting to socket "
"controller \"%s\" due to possibility for "
"remote exploit. Instead, specify socket "
- "in whitelisted \"%s\" or connect to "
+ "in permitted directory \"%s\" or connect to "
"\"unix:%s/%s.mgmt\" (which is always "
"available without special configuration).",
- br->name, c->target, whitelist,
+ br->name, c->target, allowed,
ovs_rundir(), br->name);
- free(whitelist);
+ free(allowed);
continue;
}
} else {
- whitelist = xasprintf("punix:%s/%s.",
+ allowed = xasprintf("punix:%s/%s.",
ovs_rundir(), br->name);
- if (!equal_pathnames(c->target, whitelist, strlen(whitelist))
- || strchr(c->target + strlen(whitelist), '/')) {
+ if (!equal_pathnames(c->target, allowed, strlen(allowed))
+ || strchr(c->target + strlen(allowed), '/')) {
/* Prevent remote ovsdb-server users from accessing
* arbitrary Unix domain sockets and overwriting arbitrary
* local files. */
VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
"controller \"%s\" due to possibility of "
"overwriting local files. Instead, specify "
- "path in whitelisted format \"%s*\" or "
+ "path in permitteded format \"%s*\" or "
"connect to \"unix:%s/%s.mgmt\" (which is "
"always available without special "
"configuration).",
- br->name, c->target, whitelist,
+ br->name, c->target, allowed,
ovs_rundir(), br->name);
- free(whitelist);
+ free(allowed);
continue;
}
}
- free(whitelist);
+ free(allowed);
}
bridge_configure_local_iface_netdev(br, c);
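Review bot: typo on the `+` line of the second error message: `"path in permitteded format \"%s*\" or "` should say "permitted". This string reaches operators through VLOG_ERR_RL and gets copied into tickets, so it is worth catching before merge. For symmetry with the first message ("in permitted directory \"%s\""), "in the permitted format" also reads more naturally.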
@@ -228,7 +228,7 @@ parse_options(int argc, char *argv[], char **unixctl_pathp)
break;
case OPT_DISABLE_SYSTEM:
- dp_blacklist_provider("system");
+ dp_disallow_provider("system");
break;
case OPT_DISABLE_SYSTEM_ROUTE:
@@ -1072,7 +1072,7 @@
Drop all unencrypted tunneled packets in which the
least-significant bit of <code>skb_mark</code> is 0. This would
be a useful policy if no unencrypted tunneled traffic should exit
- the system without being specially whitelisted by setting
+ the system without being specially permitted by setting
<code>skb_mark</code> to 1.
</dd>
There is one remaining use under datapath. That change should happen upstream in Linux first according to our usual policy.

Signed-off-by: Ben Pfaff <blp@ovn.org>
---
 Documentation/howto/ipsec.rst              |  2 +-
 Documentation/howto/selinux.rst            |  8 +--
 Documentation/topics/datapath.rst          |  2 +-
 Documentation/topics/ovsdb-replication.rst |  9 ++-
 Makefile.am                                | 10 +--
 build-aux/automake.mk                      |  2 +-
 ...ab-whitelist => initial-tab-allowed-files} |  0
 ...fety-blacklist => thread-safety-forbidden} |  0
 datapath/Makefile.am                       |  2 +-
 datapath/linux/Modules.mk                  |  2 +-
 ...heck-whitelist => export-check-allow-list} |  0
 include/openvswitch/automake.mk            |  2 +-
 lib/daemon.man                             |  2 +-
 lib/daemon.xml                             |  2 +-
 lib/dpif.c                                 | 14 ++--
 lib/dpif.h                                 |  2 +-
 lib/ovsdb-idl.h                            |  4 +-
 ovsdb/ovsdb-server.c                       |  8 +--
 ovsdb/replication.c                        | 72 +++++++++----------
 ovsdb/replication.h                        | 10 +--
 tests/ofproto-macros.at                    |  4 +-
 tests/system-kmod-macros.at                |  6 +-
 tests/system-userspace-macros.at           |  6 +-
 tests/test-classifier.c                    |  3 +-
 utilities/checkpatch.py                    |  8 +--
 vswitchd/bridge.c                          | 27 ++++---
 vswitchd/ovs-vswitchd.c                    |  2 +-
 vswitchd/vswitch.xml                       |  2 +-
 28 files changed, 105 insertions(+), 106 deletions(-)
 rename build-aux/{initial-tab-whitelist => initial-tab-allowed-files} (100%)
 rename build-aux/{thread-safety-blacklist => thread-safety-forbidden} (100%)
 rename datapath/linux/compat/build-aux/{export-check-whitelist => export-check-allow-list} (100%)