Remove problematic terminology: whitelist and blacklist.

- Replace 'x whitelists y' with 'x approves y'.
- Replace 'the whitelist' with 'the allow-list'.
- Replace 'whitelisted' with 'approved' or 'allowed' as appropriate.
- Replace most uses of 'blacklist' with 'blocklist'.

confd/pkg/backends/calico/routes.go

@@ -240,9 +240,9 @@ func (rg *routeGenerator) getAllRoutesForService(svc *v1.Service) []string {
 
 	if svc.Spec.ExternalIPs != nil {
 		for _, externalIP := range svc.Spec.ExternalIPs {
-			// Only advertise whitelisted external IPs
+			// Only advertise allowed external IPs
 			if !rg.isAllowedExternalIP(externalIP) {
-				log.WithFields(log.Fields{"ip": externalIP, "svc": svcID}).Info("Cannot advertise External IP - not whitelisted")
+				log.WithFields(log.Fields{"ip": externalIP, "svc": svcID}).Info("Cannot advertise External IP - not in allow list")
 				continue
 			}
 			routes = append(routes, externalIP)
@@ -252,9 +252,9 @@ func (rg *routeGenerator) getAllRoutesForService(svc *v1.Service) []string {
 	if svc.Status.LoadBalancer.Ingress != nil {
 		for _, lbIngress := range svc.Status.LoadBalancer.Ingress {
 			if len(lbIngress.IP) > 0 {
-				// Only advertise whitelisted LB IPs
+				// Only advertise allowed LB IPs
 				if !rg.isAllowedLoadBalancerIP(lbIngress.IP) {
-					log.WithFields(log.Fields{"ip": lbIngress.IP, "svc": svcID}).Info("Cannot advertise LoadBalancer IP - not whitelisted")
+					log.WithFields(log.Fields{"ip": lbIngress.IP, "svc": svcID}).Info("Cannot advertise LoadBalancer IP - not not in allow list")
 					continue
 				}
 				routes = append(routes, lbIngress.IP)
@@ -307,7 +307,7 @@ func (rg *routeGenerator) setRoutesForKey(key string, routes []string) {
 }
 
 // isAllowedExternalIP determines if the given IP is in the list of
-// whitelisted External IP CIDRs given in the default bgpconfiguration.
+// allowed External IP CIDRs given in the default bgpconfiguration.
 func (rg *routeGenerator) isAllowedExternalIP(externalIP string) bool {
 	ip := net.ParseIP(externalIP)
 	if ip == nil {
@@ -326,7 +326,7 @@ func (rg *routeGenerator) isAllowedExternalIP(externalIP string) bool {
 }
 
 // isAllowedLoadBalancerIP determines if the given IP is in the list of
-// whitelisted LoadBalancer CIDRs given in the default bgpconfiguration.
+// allowed LoadBalancer CIDRs given in the default bgpconfiguration.
 func (rg *routeGenerator) isAllowedLoadBalancerIP(loadBalancerIP string) bool {
 	ip := net.ParseIP(loadBalancerIP)
 	if ip == nil {
@@ -345,7 +345,7 @@ func (rg *routeGenerator) isAllowedLoadBalancerIP(loadBalancerIP string) bool {
 }
 
 // isSingleLoadBalancerIP determines if the given IP is in the list of
-// whitelisted LoadBalancer CIDRs given in the default bgpconfiguration
+// allowed LoadBalancer CIDRs given in the default bgpconfiguration
 // and is a single IP entry (/32 for IPV4 or /128 for IPV6)
 func (rg *routeGenerator) isSingleLoadBalancerIP(loadBalancerIP string) bool {
 

confd/pkg/backends/calico/routes_test.go

@@ -317,7 +317,7 @@ var _ = Describe("RouteGenerator", func() {
 		})
 
 		Context("onSvc[Add|Delete]", func() {
-			It("should add the service's cluster IP and whitelisted external IPs into the svcRouteMap", func() {
+			It("should add the service's cluster IP and approved external IPs into the svcRouteMap", func() {
 				// add
 				initRevision := rg.client.cacheRevision
 				rg.onSvcAdd(svc)
@@ -397,7 +397,7 @@ var _ = Describe("RouteGenerator", func() {
 		})
 
 		Context("onSvcUpdate", func() {
-			It("should add the service's cluster IP and whitelisted external IPs into the svcRouteMap and then remove them for unsupported service type", func() {
+			It("should add the service's cluster IP and approved external IPs into the svcRouteMap and then remove them for unsupported service type", func() {
 				initRevision := rg.client.cacheRevision
 				rg.onSvcUpdate(nil, svc)
 				Expect(rg.client.cacheRevision).To(Equal(initRevision + 2))
@@ -421,7 +421,7 @@ var _ = Describe("RouteGenerator", func() {
 		})
 
 		Context("onEp[Add|Delete]", func() {
-			It("should add the service's cluster IP and whitelisted external IPs into the svcRouteMap", func() {
+			It("should add the service's cluster IP and approved external IPs into the svcRouteMap", func() {
 				// add
 				initRevision := rg.client.cacheRevision
 				rg.onEPAdd(ep)
@@ -444,7 +444,7 @@ var _ = Describe("RouteGenerator", func() {
 		})
 
 		Context("onEpDelete", func() {
-			It("should add the service's cluster IP and whitelisted external IPs into the svcRouteMap and then remove it for unsupported service type", func() {
+			It("should add the service's cluster IP and approved external IPs into the svcRouteMap and then remove it for unsupported service type", func() {
 				initRevision := rg.client.cacheRevision
 				rg.onEPUpdate(nil, ep)
 				Expect(rg.client.cacheRevision).To(Equal(initRevision + 2))

felix/bpf-apache/filter.c

@@ -89,13 +89,13 @@ enum xdp_action prefilter(struct xdp_md* xdp)
 
 	ip4val_to_lpm(&sip, 32, ihdr->saddr);
 
-	// Drop the packet if source IP matches a blacklist entry.
+	// Drop the packet if source IP matches a blocklist entry.
 	if (NULL != bpf_map_lookup_elem(&calico_prefilter_v4, &sip)) {
-		// In blacklist - "thou shall not XDP_PASS!"
+		// In blocklist - "thou shall not XDP_PASS!"
 		return XDP_DROP;
 	}
 
-	// Not in blacklist - pass.
+	// Not in blocklist - pass.
 	return XDP_PASS;
 }
 

felix/bpf-gpl/conntrack.h

@@ -89,18 +89,18 @@ static CALI_BPF_INLINE int calico_ct_v4_create_tracking(struct cali_tc_ctx *ctx,
 			ct_value->a_to_b.seqno = seq;
 			ct_value->a_to_b.syn_seen = syn;
 			if (CALI_F_TO_HOST) {
-				ct_value->a_to_b.whitelisted = 1;
+				ct_value->a_to_b.approved = 1;
 			} else {
-				ct_value->b_to_a.whitelisted = 1;
+				ct_value->b_to_a.approved = 1;
 			}
 		} else  {
 			CALI_VERB("CT-ALL update src_to_dst B->A\n");
 			ct_value->b_to_a.seqno = seq;
 			ct_value->b_to_a.syn_seen = syn;
 			if (CALI_F_TO_HOST) {
-				ct_value->b_to_a.whitelisted = 1;
+				ct_value->b_to_a.approved = 1;
 			} else {
-				ct_value->a_to_b.whitelisted = 1;
+				ct_value->a_to_b.approved = 1;
 			}
 		}
 
@@ -180,36 +180,36 @@ static CALI_BPF_INLINE int calico_ct_v4_create_tracking(struct cali_tc_ctx *ctx,
 	dst_to_src->ifindex = CT_INVALID_IFINDEX;
 
 	if (CALI_F_FROM_WEP) {
-		/* src is the from the WEP, policy whitelisted this side */
-		src_to_dst->whitelisted = 1;
-		CALI_DEBUG("CT-ALL Whitelisted source side - from WEP\n");
+		/* src is the from the WEP, policy approved this side */
+		src_to_dst->approved = 1;
+		CALI_DEBUG("CT-ALL approved source side - from WEP\n");
 	} else if (CALI_F_FROM_HEP) {
-		/* src is the from the HEP, policy whitelisted this side */
-		src_to_dst->whitelisted = 1;
+		/* src is the from the HEP, policy approved this side */
+		src_to_dst->approved = 1;
 
 		if (ct_ctx->allow_return) {
 			/* When we do NAT and forward through the tunnel, we go through
 			 * a single policy, what we forward we also accept back,
-			 * whitelist both sides.
+			 * approve both sides.
 			 */
-			dst_to_src->whitelisted = 1;
+			dst_to_src->approved = 1;
 		}
-		CALI_DEBUG("CT-ALL Whitelisted source side - from HEP tun allow_return=%d\n",
+		CALI_DEBUG("CT-ALL approved source side - from HEP tun allow_return=%d\n",
 				ct_ctx->allow_return);
 	} else if (CALI_F_TO_HEP && !skb_seen(ct_ctx->skb) && (ct_ctx->type == CALI_CT_TYPE_NAT_REV)) {
-		src_to_dst->whitelisted = 1;
-		dst_to_src->whitelisted = 1;
-		CALI_DEBUG("CT-ALL Whitelisted both due to host source port conflict resolution.\n");
+		src_to_dst->approved = 1;
+		dst_to_src->approved = 1;
+		CALI_DEBUG("CT-ALL approved both due to host source port conflict resolution.\n");
 	} else if (CALI_F_FROM_HOST) {
 		if (ctx->state->flags & CALI_ST_CT_NP_LOOP) {
 			/* we do not run policy and it should behave like TO_HOST */
-			src_to_dst->whitelisted = 1;
-			CALI_DEBUG("CT-ALL Whitelisted source side - from HEP tun allow_return=%d\n",
+			src_to_dst->approved = 1;
+			CALI_DEBUG("CT-ALL approved source side - from HEP tun allow_return=%d\n",
 					ct_ctx->allow_return);
 		} else {
-			/* dst is to the EP, policy whitelisted this side */
-			dst_to_src->whitelisted = 1;
-			CALI_DEBUG("CT-ALL Whitelisted dest side - to EP\n");
+			/* dst is to the EP, policy approved this side */
+			dst_to_src->approved = 1;
+			CALI_DEBUG("CT-ALL approved dest side - to EP\n");
 		}
 	}
 
@@ -667,7 +667,7 @@ static CALI_BPF_INLINE struct calico_ct_result calico_ct_v4_lookup(struct cali_t
 			ct_result_set_flag(result.rc, CT_RES_TUN_SRC_CHANGED);
 		}
 
-		if (tracking_v->a_to_b.whitelisted && tracking_v->b_to_a.whitelisted) {
+		if (tracking_v->a_to_b.approved && tracking_v->b_to_a.approved) {
 			ct_result_set_flag(result.rc, CT_RES_CONFIRMED);
 		}
 
@@ -732,7 +732,7 @@ static CALI_BPF_INLINE struct calico_ct_result calico_ct_v4_lookup(struct cali_t
 			result.rc =	CALI_CT_ESTABLISHED;
 		}
 
-		if (v->a_to_b.whitelisted && v->b_to_a.whitelisted) {
+		if (v->a_to_b.approved && v->b_to_a.approved) {
 			ct_result_set_flag(result.rc, CT_RES_CONFIRMED);
 		}
 
@@ -754,17 +754,17 @@ static CALI_BPF_INLINE struct calico_ct_result calico_ct_v4_lookup(struct cali_t
 			CALI_CT_VERB("A-to-B: fin_seen %d.\n", v->a_to_b.fin_seen);
 			CALI_CT_VERB("A-to-B: rst_seen %d.\n", v->a_to_b.rst_seen);
 		}
-		CALI_CT_VERB("A: whitelisted %d.\n", v->a_to_b.whitelisted);
+		CALI_CT_VERB("A: approved %d.\n", v->a_to_b.approved);
 		if (tcp_header) {
 			CALI_CT_VERB("B-to-A: seqno %u.\n", bpf_ntohl(v->b_to_a.seqno));
 			CALI_CT_VERB("B-to-A: syn_seen %d.\n", v->b_to_a.syn_seen);
 			CALI_CT_VERB("B-to-A: ack_seen %d.\n", v->b_to_a.ack_seen);
 			CALI_CT_VERB("B-to-A: fin_seen %d.\n", v->b_to_a.fin_seen);
 			CALI_CT_VERB("B-to-A: rst_seen %d.\n", v->b_to_a.rst_seen);
 		}
-		CALI_CT_VERB("B: whitelisted %d.\n", v->b_to_a.whitelisted);
+		CALI_CT_VERB("B: approved %d.\n", v->b_to_a.approved);
 
-		if (v->a_to_b.whitelisted && v->b_to_a.whitelisted) {
+		if (v->a_to_b.approved && v->b_to_a.approved) {
 			result.rc = CALI_CT_ESTABLISHED_BYPASS;
 			ct_result_set_flag(result.rc, CT_RES_CONFIRMED);
 		} else {
@@ -788,7 +788,7 @@ static CALI_BPF_INLINE struct calico_ct_result calico_ct_v4_lookup(struct cali_t
 	int ret_from_tun = CALI_F_FROM_HEP &&
 				tc_ctx->state->tun_ip &&
 				ct_result_rc(result.rc) == CALI_CT_ESTABLISHED_DNAT &&
-				src_to_dst->whitelisted &&
+				src_to_dst->approved &&
 				result.flags & CALI_CT_FLAG_NP_FWD;
 
 	if (related) {
@@ -807,30 +807,30 @@ static CALI_BPF_INLINE struct calico_ct_result calico_ct_v4_lookup(struct cali_t
 	if (ret_from_tun) {
 		CALI_DEBUG("Packet returned from tunnel %x\n", bpf_ntohl(tc_ctx->state->tun_ip));
 	} else if (CALI_F_TO_HOST || (skb_from_host(tc_ctx->skb) && result.flags & CALI_CT_FLAG_HOST_PSNAT)) {
-		/* Source of the packet is the endpoint, so check the src whitelist. */
-		if (src_to_dst->whitelisted) {
-			CALI_CT_VERB("Packet whitelisted by this workload's policy.\n");
+		/* Source of the packet is the endpoint, so check the src approval flag. */
+		if (src_to_dst->approved) {
+			CALI_CT_VERB("Packet approved by this workload's policy.\n");
 		} else {
-			/* Only whitelisted by the other side (so far)?  Unlike
+			/* Only approved by the other side (so far)?  Unlike
 			 * TCP we have no way to distinguish packets that open a
 			 * new connection so we have to return NEW here in order
 			 * to invoke policy.
 			 */
-			CALI_CT_DEBUG("Packet not allowed by ingress/egress whitelist flags (TH).\n");
+			CALI_CT_DEBUG("Packet not allowed by ingress/egress approval flags (TH).\n");
 			result.rc = tcp_header ? CALI_CT_INVALID : CALI_CT_NEW;
 		}
 	} else if (CALI_F_FROM_HOST) {
-		/* Dest of the packet is the endpoint, so check the dest whitelist. */
-		if (dst_to_src->whitelisted) {
-			// Packet was whitelisted by the policy attached to this endpoint.
-			CALI_CT_VERB("Packet whitelisted by this workload's policy.\n");
+		/* Dest of the packet is the endpoint, so check the dest approval flag. */
+		if (dst_to_src->approved) {
+			// Packet was approved by the policy attached to this endpoint.
+			CALI_CT_VERB("Packet approved by this workload's policy.\n");
 		} else {
-			/* Only whitelisted by the other side (so far)?  Unlike
+			/* Only approved by the other side (so far)?  Unlike
 			 * TCP we have no way to distinguish packets that open a
 			 * new connection so we have to return NEW here in order
 			 * to invoke policy.
 			 */
-			CALI_CT_DEBUG("Packet not allowed by ingress/egress whitelist flags (FH).\n");
+			CALI_CT_DEBUG("Packet not allowed by ingress/egress approval flags (FH).\n");
 			result.rc = (tcp_header && !syn) ? CALI_CT_INVALID : CALI_CT_NEW;
 		}
 	}

felix/bpf-gpl/conntrack_types.h

@@ -47,7 +47,7 @@ struct calico_ct_leg {
 	__u32 fin_seen:1;
 	__u32 rst_seen:1;
 
-	__u32 whitelisted:1;
+	__u32 approved:1;
 
 	__u32 opener:1;
 

felix/bpf/bpf.go

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 // Package bpf provides primitives to manage Calico-specific XDP programs
-// attached to network interfaces, along with the blacklist LPM map and the
+// attached to network interfaces, along with the blocklist LPM map and the
 // failsafe map.
 //
 // It does not call the bpf() syscall itself but executes external programs

felix/bpf/bpf_test.go

@@ -749,7 +749,7 @@ func TestIPv6NotSupported(t *testing.T) {
 	t.Log("Creating an IPv6 CIDR map should fail for now")
 	_, err := bpfDP.NewCIDRMap("myiface2", IPFamilyV6)
 	if err == nil {
-		t.Fatalf("creating an IPv6 blacklist should have failed")
+		t.Fatalf("creating an IPv6 blocklist should have failed")
 	}
 }
 

felix/bpf/cmd/felix-xdp.go

@@ -75,7 +75,7 @@ func dump() {
 		fmt.Printf("  %s: %d\n", proto, entry.Port)
 	}
 
-	fmt.Printf("Interfaces with blacklist:\n")
+	fmt.Printf("Interfaces with blocklist:\n")
 	ifaces, err := bpfLib.GetXDPIfaces()
 	if err != nil {
 		log.Fatalf("%v", err)

felix/bpf/conntrack/conntrack_test.go

@@ -45,16 +45,16 @@ var (
 	timeouts = conntrack.DefaultTimeouts()
 
 	genericJustCreated    = makeValue(now-1, now-1, conntrack.Leg{}, conntrack.Leg{})
-	genericAlmostTimedOut = makeValue(now-(20*time.Minute), now-(599*time.Second), conntrack.Leg{Whitelisted: true}, conntrack.Leg{})
-	genericTimedOut       = makeValue(now-(20*time.Minute), now-(601*time.Second), conntrack.Leg{Whitelisted: true}, conntrack.Leg{})
+	genericAlmostTimedOut = makeValue(now-(20*time.Minute), now-(599*time.Second), conntrack.Leg{Approved: true}, conntrack.Leg{})
+	genericTimedOut       = makeValue(now-(20*time.Minute), now-(601*time.Second), conntrack.Leg{Approved: true}, conntrack.Leg{})
 
 	udpJustCreated    = makeValue(now-1, now-1, conntrack.Leg{}, conntrack.Leg{})
-	udpAlmostTimedOut = makeValue(now-(2*time.Minute), now-(59*time.Second), conntrack.Leg{Whitelisted: true}, conntrack.Leg{})
-	udpTimedOut       = makeValue(now-(2*time.Minute), now-(61*time.Second), conntrack.Leg{Whitelisted: true}, conntrack.Leg{})
+	udpAlmostTimedOut = makeValue(now-(2*time.Minute), now-(59*time.Second), conntrack.Leg{Approved: true}, conntrack.Leg{})
+	udpTimedOut       = makeValue(now-(2*time.Minute), now-(61*time.Second), conntrack.Leg{Approved: true}, conntrack.Leg{})
 
 	icmpJustCreated    = makeValue(now-1, now-1, conntrack.Leg{}, conntrack.Leg{})
-	icmpAlmostTimedOut = makeValue(now-(2*time.Minute), now-(4*time.Second), conntrack.Leg{Whitelisted: true}, conntrack.Leg{})
-	icmpTimedOut       = makeValue(now-(2*time.Minute), now-(6*time.Second), conntrack.Leg{Whitelisted: true}, conntrack.Leg{})
+	icmpAlmostTimedOut = makeValue(now-(2*time.Minute), now-(4*time.Second), conntrack.Leg{Approved: true}, conntrack.Leg{})
+	icmpTimedOut       = makeValue(now-(2*time.Minute), now-(6*time.Second), conntrack.Leg{Approved: true}, conntrack.Leg{})
 
 	tcpJustCreated        = makeValue(now-1, now-1, conntrack.Leg{SynSeen: true}, conntrack.Leg{})
 	tcpHandshakeTimeout   = makeValue(now-22*time.Second, now-21*time.Second, conntrack.Leg{SynSeen: true}, conntrack.Leg{})

felix/bpf/conntrack/v2/map.go

@@ -282,14 +282,14 @@ func NewValueNATReverseSNAT(created, lastSeen time.Duration, flags uint16, legA,
 }
 
 type Leg struct {
-	Seqno       uint32
-	SynSeen     bool
-	AckSeen     bool
-	FinSeen     bool
-	RstSeen     bool
-	Whitelisted bool
-	Opener      bool
-	Ifindex     uint32
+	Seqno    uint32
+	SynSeen  bool
+	AckSeen  bool
+	FinSeen  bool
+	RstSeen  bool
+	Approved bool
+	Opener   bool
+	Ifindex  uint32
 }
 
 const legSize int = 12
@@ -312,7 +312,7 @@ func (leg Leg) AsBytes() []byte {
 	setBit(&bits, 1, leg.AckSeen)
 	setBit(&bits, 2, leg.FinSeen)
 	setBit(&bits, 3, leg.RstSeen)
-	setBit(&bits, 4, leg.Whitelisted)
+	setBit(&bits, 4, leg.Approved)
 	setBit(&bits, 5, leg.Opener)
 
 	binary.LittleEndian.PutUint32(bytes[legExtra+0:legExtra+4], leg.Seqno)
@@ -336,7 +336,7 @@ func (leg Leg) Flags() uint32 {
 	if leg.RstSeen {
 		flags |= 1 << 3
 	}
-	if leg.Whitelisted {
+	if leg.Approved {
 		flags |= 1 << 4
 	}
 	if leg.Opener {
@@ -352,14 +352,14 @@ func bitSet(bits uint32, bit uint8) bool {
 func readConntrackLeg(b []byte) Leg {
 	bits := binary.LittleEndian.Uint32(b[legExtra+4 : legExtra+8])
 	return Leg{
-		Seqno:       binary.BigEndian.Uint32(b[legExtra+0 : legExtra+4]),
-		SynSeen:     bitSet(bits, 0),
-		AckSeen:     bitSet(bits, 1),
-		FinSeen:     bitSet(bits, 2),
-		RstSeen:     bitSet(bits, 3),
-		Whitelisted: bitSet(bits, 4),
-		Opener:      bitSet(bits, 5),
-		Ifindex:     binary.LittleEndian.Uint32(b[legExtra+8 : legExtra+12]),
+		Seqno:    binary.BigEndian.Uint32(b[legExtra+0 : legExtra+4]),
+		SynSeen:  bitSet(bits, 0),
+		AckSeen:  bitSet(bits, 1),
+		FinSeen:  bitSet(bits, 2),
+		RstSeen:  bitSet(bits, 3),
+		Approved: bitSet(bits, 4),
+		Opener:   bitSet(bits, 5),
+		Ifindex:  binary.LittleEndian.Uint32(b[legExtra+8 : legExtra+12]),
 	}
 }