diff mbox series

[ovs-dev,4/4] Eliminate "whitelist" and "blacklist" terms.

Message ID 20200617225204.3687632-5-blp@ovn.org
State New
Headers show
Series Use more sensitive terminology. | expand

Commit Message

Ben Pfaff June 17, 2020, 10:52 p.m. UTC
There is one remaining use under datapath.  That change should happen
upstream in Linux first according to our usual policy.

Signed-off-by: Ben Pfaff <blp@ovn.org>
---
 Documentation/howto/ipsec.rst                 |  2 +-
 Documentation/howto/selinux.rst               |  8 +--
 Documentation/topics/datapath.rst             |  2 +-
 Documentation/topics/ovsdb-replication.rst    |  9 ++-
 Makefile.am                                   | 10 +--
 build-aux/automake.mk                         |  2 +-
 ...ab-whitelist => initial-tab-allowed-files} |  0
 ...fety-blacklist => thread-safety-forbidden} |  0
 datapath/Makefile.am                          |  2 +-
 datapath/linux/Modules.mk                     |  2 +-
 ...heck-whitelist => export-check-allow-list} |  0
 include/openvswitch/automake.mk               |  2 +-
 lib/daemon.man                                |  2 +-
 lib/daemon.xml                                |  2 +-
 lib/dpif.c                                    | 14 ++--
 lib/dpif.h                                    |  2 +-
 lib/ovsdb-idl.h                               |  4 +-
 ovsdb/ovsdb-server.c                          |  8 +--
 ovsdb/replication.c                           | 72 +++++++++----------
 ovsdb/replication.h                           | 10 +--
 tests/ofproto-macros.at                       |  4 +-
 tests/system-kmod-macros.at                   |  6 +-
 tests/system-userspace-macros.at              |  6 +-
 tests/test-classifier.c                       |  3 +-
 utilities/checkpatch.py                       |  8 +--
 vswitchd/bridge.c                             | 27 ++++---
 vswitchd/ovs-vswitchd.c                       |  2 +-
 vswitchd/vswitch.xml                          |  2 +-
 28 files changed, 105 insertions(+), 106 deletions(-)
 rename build-aux/{initial-tab-whitelist => initial-tab-allowed-files} (100%)
 rename build-aux/{thread-safety-blacklist => thread-safety-forbidden} (100%)
 rename datapath/linux/compat/build-aux/{export-check-whitelist => export-check-allow-list} (100%)
diff mbox series

Patch

diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst
index 17153ac2be68..cd93484204c8 100644
--- a/Documentation/howto/ipsec.rst
+++ b/Documentation/howto/ipsec.rst
@@ -162,7 +162,7 @@  undesirable situation.
    `ipsec_skb_mark`. By setting the ipsec_skb_mark as 0/1, OVS IPsec prevents
    all unencrypted tunnel packets leaving the host since the default skb_mark
    value for tunnel packets are 0. This affects all OVS tunnels including those
-   without IPsec being set up. You can install OpenFlow rules to whitelist
+   without IPsec being set up. You can install OpenFlow rules to enable
    those non-IPsec tunnels by setting the skb_mark of the tunnel traffic as
    non-zero value.
 
diff --git a/Documentation/howto/selinux.rst b/Documentation/howto/selinux.rst
index 55c3e39cece4..f657d5e518b9 100644
--- a/Documentation/howto/selinux.rst
+++ b/Documentation/howto/selinux.rst
@@ -67,8 +67,8 @@  differently than SELinux.
 SELinux and Open vSwitch are moving targets.  What this means is that, if you
 solely rely on your Linux distribution's SELinux policy, then this policy might
 not have correctly anticipated that a newer Open vSwitch version needs extra
-white list rules.  However, if you solely rely on SELinux policy that ships
-with Open vSwitch, then Open vSwitch developers might not have correctly
+rules to allow behavior.  However, if you solely rely on SELinux policy that
+ships with Open vSwitch, then Open vSwitch developers might not have correctly
 anticipated the feature set that your SELinux implementation supports.
 
 Installation
@@ -136,8 +136,8 @@  Then verify that this module was indeed loaded::
     openvswitch          1.1.1
 
 If you still see Permission denied errors, then take a look into
-``selinux/openvswitch.te.in`` file in the OVS source tree and try to add white
-list rules.  This is really simple, just run SELinux audit2allow tool::
+``selinux/openvswitch.te.in`` file in the OVS source tree and try to add allow
+rules.  This is really simple, just run SELinux audit2allow tool::
 
     $ grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal
 
diff --git a/Documentation/topics/datapath.rst b/Documentation/topics/datapath.rst
index 8585c79eb936..e6dcfbc199e2 100644
--- a/Documentation/topics/datapath.rst
+++ b/Documentation/topics/datapath.rst
@@ -261,5 +261,5 @@  Implement the headers and codes for compatibility with older kernel in
 function should be prefixed with ``rpl_``.  Otherwise, the function should be
 prefixed with ``ovs_``.  For special case when it is not possible to follow
 this rule (e.g., the ``pskb_expand_head()`` function), the function name must
-be added to ``linux/compat/build-aux/export-check-whitelist``, otherwise, the
+be added to ``linux/compat/build-aux/export-check-allowlist``, otherwise, the
 compilation check ``check-export-symbol`` will fail.
diff --git a/Documentation/topics/ovsdb-replication.rst b/Documentation/topics/ovsdb-replication.rst
index 950dfc9b7cde..e762f07302fa 100644
--- a/Documentation/topics/ovsdb-replication.rst
+++ b/Documentation/topics/ovsdb-replication.rst
@@ -91,7 +91,7 @@  When sending a monitor request the standby server is doing the following:
 4. For each database with the same schema in both the active and standby
    servers: construct and send a monitor request message specifying the tables
    that will be monitored (i.e all the tables on the database except the ones
-   blacklisted [*]).
+   explicitly excluded [*]).
 
 5. Set the standby database to the current state of the active database.
 
@@ -100,10 +100,9 @@  receive notifications of changes occurring to the tables specified in the
 request. The process of handling this notifications is detailed in the next
 section.
 
-[*] A set of tables that will be excluded from replication can be configure as
-a blacklist of tables via the command line option
-``--sync-exclude-tables=db:table[,db:table]...``, where db corresponds to the
-database where the table resides.
+[*] A set of tables that will be excluded from replication can be configured
+via the command line option ``--sync-exclude-tables=db:table[,db:table]...``,
+where db corresponds to the database where the table resides.
 
 Replication Process
 -------------------
diff --git a/Makefile.am b/Makefile.am
index b279303d186c..e37d3a5e61f5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -276,7 +276,7 @@  static-check:
 	fi
 .PHONY: static-check
 
-# Check that assert.h is not used outside a whitelist of files.
+# Check that assert.h is not used (outside a small set of files).
 ALL_LOCAL += check-assert-h-usage
 check-assert-h-usage:
 	@if test -e $(srcdir)/.git && (git --version) >/dev/null 2>&1 && \
@@ -323,7 +323,7 @@  check-tabs:
 	if test -e .git && (git --version) >/dev/null 2>&1 && \
 	  grep -ln "^	" \
 	    `git ls-files \
-	      | grep -v -f build-aux/initial-tab-whitelist` /dev/null \
+	      | grep -v -f build-aux/initial-tab-allowed-files` /dev/null \
 	      | $(EGREP) -v ':[ 	]*/?\*'; \
 	then \
 	  echo "See above for files that use tabs for indentation."; \
@@ -336,16 +336,16 @@  ALL_LOCAL += thread-safety-check
 thread-safety-check:
 	@cd $(srcdir); \
 	if test -e .git && (git --version) >/dev/null 2>&1 && \
-	  grep -n -f build-aux/thread-safety-blacklist \
+	  grep -n -f build-aux/thread-safety-forbidden \
 	    `git ls-files | grep '\.[ch]$$' \
 	      | $(EGREP) -v '^datapath|^lib/sflow|^third-party'` /dev/null \
 	      | $(EGREP) -v ':[ 	]*/?\*'; \
 	then \
 	  echo "See above for list of calls to functions that are"; \
-	  echo "blacklisted due to thread safety issues"; \
+	  echo "forbidden due to thread safety issues"; \
 	  exit 1; \
 	fi
-EXTRA_DIST += build-aux/thread-safety-blacklist
+EXTRA_DIST += build-aux/thread-safety-forbidden
 .PHONY: thread-safety-check
 
 # Check that "ip" is used in preference to "ifconfig", because
diff --git a/build-aux/automake.mk b/build-aux/automake.mk
index 9007ecda9c19..6267ccd7cf43 100644
--- a/build-aux/automake.mk
+++ b/build-aux/automake.mk
@@ -5,7 +5,7 @@  EXTRA_DIST += \
 	build-aux/dist-docs \
 	build-aux/dpdkstrip.py \
 	build-aux/generate-dhparams-c \
-	build-aux/initial-tab-whitelist \
+	build-aux/initial-tab-allowed-files \
 	build-aux/sodepends.py \
 	build-aux/soexpand.py \
 	build-aux/text2c \
diff --git a/build-aux/initial-tab-whitelist b/build-aux/initial-tab-allowed-files
similarity index 100%
rename from build-aux/initial-tab-whitelist
rename to build-aux/initial-tab-allowed-files
diff --git a/build-aux/thread-safety-blacklist b/build-aux/thread-safety-forbidden
similarity index 100%
rename from build-aux/thread-safety-blacklist
rename to build-aux/thread-safety-forbidden
diff --git a/datapath/Makefile.am b/datapath/Makefile.am
index f2a85bc3bc3c..e4dd0c7044d4 100644
--- a/datapath/Makefile.am
+++ b/datapath/Makefile.am
@@ -42,7 +42,7 @@  COMPAT_EXPORTS := $(shell $(COMPAT_GET_EXPORTS))
 # Checks that all EXPORT_SYMBOL_GPL() export 'rpl_' or 'ovs_' prefixed functions.
 check-export-symbol:
 	@for fun_ in $(COMPAT_FUNCTIONS); do \
-	   if ! grep -- $${fun_} $(top_srcdir)/datapath/linux/compat/build-aux/export-check-whitelist > /dev/null; then \
+	   if ! grep -- $${fun_} $(top_srcdir)/datapath/linux/compat/build-aux/export-check-allow-list > /dev/null; then \
 	      if ! echo $${fun_} | grep -q -E '^(rpl|ovs)_'; then \
 	         echo "error: $${fun_}() needs to be prefixed with 'rpl_' or 'ovs_'."; \
 	         exit 1; \
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index 63a5cbae40cc..37224398800c 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -120,4 +120,4 @@  openvswitch_headers += \
 	linux/compat/include/linux/netfilter.h \
 	linux/compat/include/linux/overflow.h \
 	linux/compat/include/linux/rbtree.h
-EXTRA_DIST += linux/compat/build-aux/export-check-whitelist
+EXTRA_DIST += linux/compat/build-aux/export-check-allow-list
diff --git a/datapath/linux/compat/build-aux/export-check-whitelist b/datapath/linux/compat/build-aux/export-check-allow-list
similarity index 100%
rename from datapath/linux/compat/build-aux/export-check-whitelist
rename to datapath/linux/compat/build-aux/export-check-allow-list
diff --git a/include/openvswitch/automake.mk b/include/openvswitch/automake.mk
index 73c346175733..1fa6d88fabbf 100644
--- a/include/openvswitch/automake.mk
+++ b/include/openvswitch/automake.mk
@@ -72,7 +72,7 @@  endif
 # header file has the proper extern declaration for use with C++.
 #
 # Some header files don't declare any external functions, so they
-# don't really need extern "C".  We only white list a couple of these
+# don't really need extern "C".  We only permit a couple of these
 # below, which are the ones that seem unlikely to ever declare
 # external functions.  For the rest, we add extern "C" anyway; it
 # doesn't hurt.
diff --git a/lib/daemon.man b/lib/daemon.man
index 68c0a312db6a..a92f8c4d5a1d 100644
--- a/lib/daemon.man
+++ b/lib/daemon.man
@@ -58,7 +58,7 @@  This option has no effect when \fB\-\-detach\fR is not specified.
 .TP
 \fB\-\-no\-self\-confinement\fR
 By default daemon will try to self-confine itself to work with
-files under well-know, at build-time whitelisted directories.  It
+files under well-known directories determined during build.  It
 is better to stick with this default behavior and not to use this
 flag unless some other Access Control is used to confine daemon.
 Note that in contrast to other access control implementations that
diff --git a/lib/daemon.xml b/lib/daemon.xml
index 1b5e8acae21a..5a421ccab385 100644
--- a/lib/daemon.xml
+++ b/lib/daemon.xml
@@ -82,7 +82,7 @@ 
   <dt><code>--no-self-confinement</code></dt>
   <dd>
     By default this daemon will try to self-confine itself to work with files
-    under well-known directories whitelisted at build time.  It is better to
+    under well-known directories determined at build time.  It is better to
     stick with this default behavior and not to use this flag unless some other
     Access Control is used to confine daemon.  Note that in contrast to other
     access control implementations that are typically enforced from
diff --git a/lib/dpif.c b/lib/dpif.c
index 9d9c716c13aa..8fd91f9e1c78 100644
--- a/lib/dpif.c
+++ b/lib/dpif.c
@@ -79,9 +79,9 @@  struct registered_dpif_class {
     int refcount;
 };
 static struct shash dpif_classes = SHASH_INITIALIZER(&dpif_classes);
-static struct sset dpif_blacklist = SSET_INITIALIZER(&dpif_blacklist);
+static struct sset dpif_disallowed = SSET_INITIALIZER(&dpif_disallowed);
 
-/* Protects 'dpif_classes', including the refcount, and 'dpif_blacklist'. */
+/* Protects 'dpif_classes', including the refcount, and 'dpif_disallowed'. */
 static struct ovs_mutex dpif_mutex = OVS_MUTEX_INITIALIZER;
 
 /* Rate limit for individual messages going to or from the datapath, output at
@@ -134,8 +134,8 @@  dp_register_provider__(const struct dpif_class *new_class)
     struct registered_dpif_class *registered_class;
     int error;
 
-    if (sset_contains(&dpif_blacklist, new_class->type)) {
-        VLOG_DBG("attempted to register blacklisted provider: %s",
+    if (sset_contains(&dpif_disallowed, new_class->type)) {
+        VLOG_DBG("attempted to register disallowed provider: %s",
                  new_class->type);
         return EINVAL;
     }
@@ -219,13 +219,13 @@  dp_unregister_provider(const char *type)
     return error;
 }
 
-/* Blacklists a provider.  Causes future calls of dp_register_provider() with
+/* Disallows a provider.  Causes future calls of dp_register_provider() with
  * a dpif_class which implements 'type' to fail. */
 void
-dp_blacklist_provider(const char *type)
+dp_disallow_provider(const char *type)
 {
     ovs_mutex_lock(&dpif_mutex);
-    sset_add(&dpif_blacklist, type);
+    sset_add(&dpif_disallowed, type);
     ovs_mutex_unlock(&dpif_mutex);
 }
 
diff --git a/lib/dpif.h b/lib/dpif.h
index 4df8f7c8b7e7..9c37228b4303 100644
--- a/lib/dpif.h
+++ b/lib/dpif.h
@@ -400,7 +400,7 @@  struct sset;
 
 int dp_register_provider(const struct dpif_class *);
 int dp_unregister_provider(const char *type);
-void dp_blacklist_provider(const char *type);
+void dp_disallow_provider(const char *type);
 void dp_enumerate_types(struct sset *types);
 const char *dpif_normalize_type(const char *);
 
diff --git a/lib/ovsdb-idl.h b/lib/ovsdb-idl.h
index c56cd19b1f74..a1a577664e8e 100644
--- a/lib/ovsdb-idl.h
+++ b/lib/ovsdb-idl.h
@@ -100,12 +100,12 @@  const struct ovsdb_idl_table_class *ovsdb_idl_table_class_from_column(
  * The client may choose any subset of the columns and tables to replicate,
  * specifying it one of two ways:
  *
- *   - As a blacklist (adding the columns or tables to replicate).  To do so,
+ *   - As a deny list (adding the columns or tables to replicate).  To do so,
  *     the client passes false as 'monitor_everything_by_default' to
  *     ovsdb_idl_create() and then calls ovsdb_idl_add_column() and
  *     ovsdb_idl_add_table() for the desired columns and, if necessary, tables.
  *
- *   - As a whitelist (replicating all columns and tables except those
+ *   - As an allow list (replicating all columns and tables except those
  *     explicitly removed).  To do so, the client passes true as
  *     'monitor_everything_by_default' to ovsdb_idl_create() and then calls
  *     ovsdb_idl_omit() to remove columns.
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index ef4e996df22e..95d5ea3299de 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -1382,7 +1382,7 @@  ovsdb_server_set_sync_exclude_tables(struct unixctl_conn *conn,
 {
     struct server_config *config = config_;
 
-    char *err = set_blacklist_tables(argv[1], true);
+    char *err = set_excluded_tables(argv[1], true);
     if (!err) {
         free(*config->sync_exclude);
         *config->sync_exclude = xstrdup(argv[1]);
@@ -1394,7 +1394,7 @@  ovsdb_server_set_sync_exclude_tables(struct unixctl_conn *conn,
                                    config->all_dbs, server_uuid,
                                    *config->replication_probe_interval);
         }
-        err = set_blacklist_tables(argv[1], false);
+        err = set_excluded_tables(argv[1], false);
     }
     unixctl_command_reply(conn, err);
     free(err);
@@ -1406,7 +1406,7 @@  ovsdb_server_get_sync_exclude_tables(struct unixctl_conn *conn,
                                      const char *argv[] OVS_UNUSED,
                                      void *arg_ OVS_UNUSED)
 {
-    char *reply = get_blacklist_tables();
+    char *reply = get_excluded_tables();
     unixctl_command_reply(conn, reply);
     free(reply);
 }
@@ -1809,7 +1809,7 @@  parse_options(int argc, char *argv[],
             break;
 
         case OPT_SYNC_EXCLUDE: {
-            char *err = set_blacklist_tables(optarg, false);
+            char *err = set_excluded_tables(optarg, false);
             if (err) {
                 ovs_fatal(0, "%s", err);
             }
diff --git a/ovsdb/replication.c b/ovsdb/replication.c
index cbbce64dfbf5..8e430f467b92 100644
--- a/ovsdb/replication.c
+++ b/ovsdb/replication.c
@@ -68,11 +68,11 @@  static struct ovsdb_error *execute_update(struct ovsdb_txn *txn,
                                           struct json *new);
 
 /* Maps from db name to sset of table names. */
-static struct shash blacklist_tables = SHASH_INITIALIZER(&blacklist_tables);
+static struct shash excluded_tables = SHASH_INITIALIZER(&excluded_tables);
 
-static void blacklist_tables_clear(void);
-static void blacklist_tables_add(const char *database, const char *table);
-static bool blacklist_tables_find(const char *database, const char* table);
+static void excluded_tables_clear(void);
+static void excluded_tables_add(const char *database, const char *table);
+static bool excluded_tables_find(const char *database, const char* table);
 
 
 /* Keep track of request IDs of all outstanding OVSDB requests. */
@@ -131,7 +131,7 @@  replication_init(const char *sync_from_, const char *exclude_tables,
     sync_from = xstrdup(sync_from_);
     /* Caller should have verified that the 'exclude_tables' is
      * parseable. An error here is unexpected. */
-    ovs_assert(!set_blacklist_tables(exclude_tables, false));
+    ovs_assert(!set_excluded_tables(exclude_tables, false));
 
     replication_dbs_destroy();
 
@@ -407,38 +407,38 @@  replication_wait(void)
     }
 }
 
-/* Parse 'blacklist' to rebuild 'blacklist_tables'.  If 'dryrun' is false, the
- * current black list tables will be wiped out, regardless of whether
- * 'blacklist' can be parsed.  If 'dryrun' is true, only parses 'blacklist' and
- * reports any errors, without modifying the blacklist.
+/* Parse 'excluded' to rebuild 'excluded_tables'.  If 'dryrun' is false, the
+ * current set of excluded tables will be wiped out, regardless of whether
+ * 'excluded' can be parsed.  If 'dryrun' is true, only parses 'excluded' and
+ * reports any errors, without modifying the list of exclusions.
  *
  * On error, returns the error string, which the caller is
  * responsible for freeing. Returns NULL otherwise. */
 char * OVS_WARN_UNUSED_RESULT
-set_blacklist_tables(const char *blacklist, bool dryrun)
+set_excluded_tables(const char *excluded, bool dryrun)
 {
     struct sset set = SSET_INITIALIZER(&set);
     char *err = NULL;
 
-    if (blacklist) {
+    if (excluded) {
         const char *longname;
 
         if (!dryrun) {
             /* Can only add to an empty shash. */
-            blacklist_tables_clear();
+            excluded_tables_clear();
         }
 
-        sset_from_delimited_string(&set, blacklist, " ,");
+        sset_from_delimited_string(&set, excluded, " ,");
         SSET_FOR_EACH (longname, &set) {
             char *database = xstrdup(longname), *table = NULL;
             strtok_r(database, ":", &table);
             if (table && !dryrun) {
-                blacklist_tables_add(database, table);
+                excluded_tables_add(database, table);
             }
 
             free(database);
             if (!table) {
-                err = xasprintf("Can't parse black list table: %s", longname);
+                err = xasprintf("Can't parse excluded table: %s", longname);
                 goto done;
             }
         }
@@ -447,19 +447,19 @@  set_blacklist_tables(const char *blacklist, bool dryrun)
 done:
     sset_destroy(&set);
     if (err && !dryrun) {
-        /* On error, destroy the partially built 'blacklist_tables'. */
-        blacklist_tables_clear();
+        /* On error, destroy the partially built 'excluded_tables'. */
+        excluded_tables_clear();
     }
     return err;
 }
 
 char * OVS_WARN_UNUSED_RESULT
-get_blacklist_tables(void)
+get_excluded_tables(void)
 {
     struct shash_node *node;
     struct sset set = SSET_INITIALIZER(&set);
 
-    SHASH_FOR_EACH (node, &blacklist_tables) {
+    SHASH_FOR_EACH (node, &excluded_tables) {
         const char *database = node->name;
         const char *table;
         struct sset *tables = node->data;
@@ -489,35 +489,35 @@  get_blacklist_tables(void)
 }
 
 static void
-blacklist_tables_clear(void)
+excluded_tables_clear(void)
 {
     struct shash_node *node;
-    SHASH_FOR_EACH (node, &blacklist_tables) {
+    SHASH_FOR_EACH (node, &excluded_tables) {
         struct sset *tables = node->data;
         sset_destroy(tables);
     }
 
-    shash_clear_free_data(&blacklist_tables);
+    shash_clear_free_data(&excluded_tables);
 }
 
 static void
-blacklist_tables_add(const char *database, const char *table)
+excluded_tables_add(const char *database, const char *table)
 {
-    struct sset *tables = shash_find_data(&blacklist_tables, database);
+    struct sset *tables = shash_find_data(&excluded_tables, database);
 
     if (!tables) {
         tables = xmalloc(sizeof *tables);
         sset_init(tables);
-        shash_add(&blacklist_tables, database, tables);
+        shash_add(&excluded_tables, database, tables);
     }
 
     sset_add(tables, table);
 }
 
 static bool
-blacklist_tables_find(const char *database, const char *table)
+excluded_tables_find(const char *database, const char *table)
 {
-    struct sset *tables = shash_find_data(&blacklist_tables, database);
+    struct sset *tables = shash_find_data(&excluded_tables, database);
     return tables && sset_contains(tables, table);
 }
 
@@ -531,8 +531,8 @@  disconnect_active_server(void)
 void
 replication_destroy(void)
 {
-    blacklist_tables_clear();
-    shash_destroy(&blacklist_tables);
+    excluded_tables_clear();
+    shash_destroy(&excluded_tables);
 
     if (sync_from) {
         free(sync_from);
@@ -558,8 +558,8 @@  reset_database(struct ovsdb *db)
     struct shash_node *table_node;
 
     SHASH_FOR_EACH (table_node, &db->tables) {
-        /* Delete all rows if the table is not blacklisted. */
-        if (!blacklist_tables_find(db->schema->name, table_node->name)) {
+        /* Delete all rows if the table is not excluded. */
+        if (!excluded_tables_find(db->schema->name, table_node->name)) {
             struct ovsdb_table *table = table_node->data;
             struct ovsdb_row *row, *next;
             HMAP_FOR_EACH_SAFE (row, next, hmap_node, &table->rows) {
@@ -572,7 +572,7 @@  reset_database(struct ovsdb *db)
 }
 
 /* Create a monitor request for 'db'. The monitor request will include
- * any tables from 'blacklisted_tables'
+ * any tables from 'excluded_tables'
  *
  * Caller is responsible for disposing 'request'.
  */
@@ -590,8 +590,8 @@  create_monitor_request(struct ovsdb_schema *schema)
     for (int j = 0; j < n; j++) {
         struct ovsdb_table_schema *table = nodes[j]->data;
 
-        /* Monitor all tables not blacklisted. */
-        if (!blacklist_tables_find(db_name, table->name)) {
+        /* Monitor all tables not excluded. */
+        if (!excluded_tables_find(db_name, table->name)) {
             add_monitored_table(table, monitor_request);
         }
     }
@@ -914,10 +914,10 @@  replication_status(void)
             }
             ds_chomp(&ds, ',');
 
-            if (!shash_is_empty(&blacklist_tables)) {
+            if (!shash_is_empty(&excluded_tables)) {
                 ds_put_char(&ds, '\n');
                 ds_put_cstr(&ds, "exclude: ");
-                ds_put_and_free_cstr(&ds, get_blacklist_tables());
+                ds_put_and_free_cstr(&ds, get_excluded_tables());
             }
             break;
         }
diff --git a/ovsdb/replication.h b/ovsdb/replication.h
index c45f33e2629f..6d1be820f3d1 100644
--- a/ovsdb/replication.h
+++ b/ovsdb/replication.h
@@ -39,9 +39,9 @@  struct ovsdb;
  *   replication_get_last_error() should be call within the main loop
  *   whenever OVSDB server runs in the backup mode.
  *
- *  - set_blacklist_tables(), get_blacklist_tables(),
- *    disconnect_active_server() and replication_usage() are support functions
- *    used mainly by uinxctl commands.
+ * - set_excluded_tables(), get_excluded_tables(), disconnect_active_server()
+ *   and replication_usage() are support functions used mainly by unixctl
+ *   commands.
  */
 
 #define REPLICATION_DEFAULT_PROBE_INTERVAL 60000
@@ -58,9 +58,9 @@  int replication_get_last_error(void);
 char *replication_status(void);
 void replication_set_probe_interval(int);
 
-char *set_blacklist_tables(const char *blacklist, bool dryrun)
+char *set_excluded_tables(const char *excluded, bool dryrun)
     OVS_WARN_UNUSED_RESULT;
-char *get_blacklist_tables(void) OVS_WARN_UNUSED_RESULT;
+char *get_excluded_tables(void) OVS_WARN_UNUSED_RESULT;
 void disconnect_active_server(void);
 
 #endif /* ovsdb/replication.h */
diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index b2b17eed335a..eb794cd755f6 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -303,11 +303,11 @@  add_pmd_of_ports () {
 
 m4_divert_pop([PREPARE_TESTS])
 
-# OVS_VSWITCHD_STOP([WHITELIST])
+# OVS_VSWITCHD_STOP([ALLOWLIST])
 #
 # Gracefully stops ovs-vswitchd and ovsdb-server, checking their log files
 # for messages with severity WARN or higher and signaling an error if any
-# is present.  The optional WHITELIST may contain shell-quoted "sed"
+# is present.  The optional ALLOWLIST may contain shell-quoted "sed"
 # commands to delete any warnings that are actually expected, e.g.:
 #
 #   OVS_VSWITCHD_STOP(["/expected error/d"])
diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
index daf66bdec827..15628a7c6f42 100644
--- a/tests/system-kmod-macros.at
+++ b/tests/system-kmod-macros.at
@@ -29,16 +29,16 @@  m4_define([OVS_TRAFFIC_VSWITCHD_START],
    AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2])
 ])
 
-# OVS_TRAFFIC_VSWITCHD_STOP([WHITELIST], [extra_cmds])
+# OVS_TRAFFIC_VSWITCHD_STOP([ALLOWLIST], [extra_cmds])
 #
 # Gracefully stops ovs-vswitchd and ovsdb-server, checking their log files
 # for messages with severity WARN or higher and signaling an error if any
-# is present.  The optional WHITELIST may contain shell-quoted "sed"
+# is present.  The optional ALLOWLIST may contain shell-quoted "sed"
 # commands to delete any warnings that are actually expected, e.g.:
 #
 #   OVS_TRAFFIC_VSWITCHD_STOP(["/expected error/d"])
 #
-# 'extra_cmds' are shell commands to be executed afte OVS_VSWITCHD_STOP() is
+# 'extra_cmds' are shell commands to be executed after OVS_VSWITCHD_STOP() is
 # invoked. They can be used to perform additional cleanups such as name space
 # removal.
 m4_define([OVS_TRAFFIC_VSWITCHD_STOP],
diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at
index 72c84b9c7c82..34f82cee3db6 100644
--- a/tests/system-userspace-macros.at
+++ b/tests/system-userspace-macros.at
@@ -21,16 +21,16 @@  m4_define([OVS_TRAFFIC_VSWITCHD_START],
    AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2])
 ])
 
-# OVS_TRAFFIC_VSWITCHD_STOP([WHITELIST], [extra_cmds])
+# OVS_TRAFFIC_VSWITCHD_STOP([ALLOWLIST], [extra_cmds])
 #
 # Gracefully stops ovs-vswitchd and ovsdb-server, checking their log files
 # for messages with severity WARN or higher and signaling an error if any
-# is present.  The optional WHITELIST may contain shell-quoted "sed"
+# is present.  The optional ALLOWLIST may contain shell-quoted "sed"
 # commands to delete any warnings that are actually expected, e.g.:
 #
 #   OVS_TRAFFIC_VSWITCHD_STOP(["/expected error/d"])
 #
-# 'extra_cmds' are shell commands to be executed afte OVS_VSWITCHD_STOP() is
+# 'extra_cmds' are shell commands to be executed after OVS_VSWITCHD_STOP() is
 # invoked. They can be used to perform additional cleanups such as name space
 # removal.
 m4_define([OVS_TRAFFIC_VSWITCHD_STOP],
diff --git a/tests/test-classifier.c b/tests/test-classifier.c
index 2d98fad485c8..cff00c8fa35e 100644
--- a/tests/test-classifier.c
+++ b/tests/test-classifier.c
@@ -14,7 +14,8 @@ 
  * limitations under the License.
  */
 
-/* "White box" tests for classifier.
+/* Tests for classifier, written with knowledge of and to advantage of the
+ * classifier's internal structure.
  *
  * With very few exceptions, these tests obtain complete coverage of every
  * basic block and every branch in the classifier implementation, e.g. a clean
diff --git a/utilities/checkpatch.py b/utilities/checkpatch.py
index fc9e20bf1b5f..9eb4084f9323 100755
--- a/utilities/checkpatch.py
+++ b/utilities/checkpatch.py
@@ -189,13 +189,13 @@  skip_signoff_check = False
 # name, as they may have legitimate reasons to have longer lines.
 #
 # Python isn't checked as flake8 performs these checks during build.
-line_length_blacklist = re.compile(
+line_length_ignore_list = re.compile(
     r'\.(am|at|etc|in|m4|mk|patch|py)$|debian/rules')
 
 # Don't enforce a requirement that leading whitespace be all spaces on
 # files that include these characters in their name, since these kinds
 # of files need lines with leading tabs.
-leading_whitespace_blacklist = re.compile(r'\.(mk|am|at)$|debian/rules')
+leading_whitespace_ignore_list = re.compile(r'\.(mk|am|at)$|debian/rules')
 
 
 def is_subtracted_line(line):
@@ -522,11 +522,11 @@  file_checks = [
 
 checks = [
     {'regex': None,
-     'match_name': lambda x: not line_length_blacklist.search(x),
+     'match_name': lambda x: not line_length_ignore_list.search(x),
      'check': lambda x: line_length_check(x)},
 
     {'regex': None,
-     'match_name': lambda x: not leading_whitespace_blacklist.search(x),
+     'match_name': lambda x: not leading_whitespace_ignore_list.search(x),
      'check': lambda x: not leading_whitespace_is_spaces(x),
      'print': lambda: print_warning("Line has non-spaces leading whitespace")},
 
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index a976c20800aa..c46daf39f5e0 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -3907,49 +3907,48 @@  bridge_configure_remotes(struct bridge *br,
             && (!strncmp(c->target, "punix:", 6)
             || !strncmp(c->target, "unix:", 5))) {
             static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
-            char *whitelist;
+            char *allowed;
 
             if (!strncmp(c->target, "unix:", 5)) {
                 /* Connect to a listening socket */
-                whitelist = xasprintf("unix:%s/", ovs_rundir());
+                allowed = xasprintf("unix:%s/", ovs_rundir());
                 if (strchr(c->target, '/') &&
-                   !equal_pathnames(c->target, whitelist,
-                     strlen(whitelist))) {
+                   !equal_pathnames(c->target, allowed, strlen(allowed))) {
                     /* Absolute path specified, but not in ovs_rundir */
                     VLOG_ERR_RL(&rl, "bridge %s: Not connecting to socket "
                                   "controller \"%s\" due to possibility for "
                                   "remote exploit.  Instead, specify socket "
-                                  "in whitelisted \"%s\" or connect to "
+                                  "in permitted directory \"%s\" or connect to "
                                   "\"unix:%s/%s.mgmt\" (which is always "
                                   "available without special configuration).",
-                                  br->name, c->target, whitelist,
+                                  br->name, c->target, allowed,
                                   ovs_rundir(), br->name);
-                    free(whitelist);
+                    free(allowed);
                     continue;
                 }
             } else {
-               whitelist = xasprintf("punix:%s/%s.",
+               allowed = xasprintf("punix:%s/%s.",
                                      ovs_rundir(), br->name);
-               if (!equal_pathnames(c->target, whitelist, strlen(whitelist))
-                   || strchr(c->target + strlen(whitelist), '/')) {
+               if (!equal_pathnames(c->target, allowed, strlen(allowed))
+                   || strchr(c->target + strlen(allowed), '/')) {
                    /* Prevent remote ovsdb-server users from accessing
                     * arbitrary Unix domain sockets and overwriting arbitrary
                     * local files. */
                    VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
                                   "controller \"%s\" due to possibility of "
                                   "overwriting local files. Instead, specify "
-                                  "path in whitelisted format \"%s*\" or "
+                                  "path in permitteded format \"%s*\" or "
                                   "connect to \"unix:%s/%s.mgmt\" (which is "
                                   "always available without special "
                                   "configuration).",
-                                  br->name, c->target, whitelist,
+                                  br->name, c->target, allowed,
                                   ovs_rundir(), br->name);
-                   free(whitelist);
+                   free(allowed);
                    continue;
                }
             }
 
-            free(whitelist);
+            free(allowed);
         }
 
         bridge_configure_local_iface_netdev(br, c);
diff --git a/vswitchd/ovs-vswitchd.c b/vswitchd/ovs-vswitchd.c
index 1e72b628b1bd..f007f9c0bc06 100644
--- a/vswitchd/ovs-vswitchd.c
+++ b/vswitchd/ovs-vswitchd.c
@@ -228,7 +228,7 @@  parse_options(int argc, char *argv[], char **unixctl_pathp)
             break;
 
         case OPT_DISABLE_SYSTEM:
-            dp_blacklist_provider("system");
+            dp_disallow_provider("system");
             break;
 
         case OPT_DISABLE_SYSTEM_ROUTE:
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index c51809602fc6..65f9cbeffb54 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -1072,7 +1072,7 @@ 
               Drop all unencrypted tunneled packets in which the
               least-significant bit of <code>skb_mark</code> is 0.  This would
               be a useful policy if no unencrypted tunneled traffic should exit
-              the system without being specially whitelisted by setting
+              the system without being specially permitted by setting
               <code>skb_mark</code> to 1.
             </dd>