is can happen either because the rule has been removed manually, or
 because there were more attempts in flight while the rule block was being
 added.
 This condition is normal; in that case
-.Xr blacklistd 8
+.Xr blocklistd 8
 will first attempt to remove the existing rule, and then it will re-add
 it to make sure that there is only one rule active.
 .Sh HISTORY
diff --git a/contrib/blocklist/bin/blacklistctl.c b/contrib/blocklist/bin/blocklistctl.c
similarity index 94%
rename from contrib/blocklist/bin/blacklistctl.c
rename to contrib/blocklist/bin/blocklistctl.c
index 89b72921caf5..8c75e0430c61 100644
--- a/contrib/blocklist/bin/blacklistctl.c
+++ b/contrib/blocklist/bin/blocklistctl.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $	*/
+/*	$NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,8 +32,10 @@
 #include "config.h"
 #endif
 
+#ifdef HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $");
+#endif
+__RCSID("$NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $");
 
 #include <stdio.h>
 #include <time.h>
@@ -63,7 +65,8 @@ usage(int c)
 		warnx("Missing/unknown command");
 	else if (c != '?')
 		warnx("Unknown option `%c'", (char)c);
-	fprintf(stderr, "Usage: %s dump [-abdnrw]\n", getprogname());
+	fprintf(stderr,
+	    "Usage: %s dump [-abdnrw] [-D dbname]\n", getprogname());
 	exit(EXIT_FAILURE);
 }
 
diff --git a/contrib/blocklist/bin/blacklistd.8 b/contrib/blocklist/bin/blocklistd.8
similarity index 85%
rename from contrib/blocklist/bin/blacklistd.8
rename to contrib/blocklist/bin/blocklistd.8
index 82e1f15f61c9..e0b9fb482cbd 100644
--- a/contrib/blocklist/bin/blacklistd.8
+++ b/contrib/blocklist/bin/blocklistd.8
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $
+.\" $NetBSD: blocklistd.8,v 1.8 2025/02/25 22:13:34 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,11 +27,11 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 21, 2020
-.Dt BLACKLISTD 8
+.Dd February 25, 2025
+.Dt BLOCKLISTD 8
 .Os
 .Sh NAME
-.Nm blacklistd
+.Nm blocklistd
 .Nd block and release ports on demand to avoid DoS abuse
 .Sh SYNOPSIS
 .Nm
@@ -53,22 +53,35 @@ for notifications from other daemons about successful or failed connection
 attempts.
 If no such file is specified, then it only listens to the socket path
 specified by
-.Ar sockspath
+.Ar sockpath
 or if that is not specified to
-.Pa /var/run/blacklistd.sock .
+.Pa /var/run/blocklistd.sock .
 Each notification contains an (action, port, protocol, address, owner) tuple
 that identifies the remote connection and the action.
-This tuple is consulted against entries in
-.Ar configfile
-with syntax specified in
-.Xr blacklistd.conf 5 .
+This tuple is consulted against entries from the
+.Ar configfile ,
+with the syntax specified in
+.Xr blocklistd.conf 5 .
 If an entry is matched, a state entry is created for that tuple.
 Each entry contains a number of tries limit and a duration.
 .Pp
+If
+.Ar configfile
+is a directory, or a directory exists with the same name as
+.Ar configfile
+with
+.Qq .d
+appended to it, each file in the directory will be read as configuration file.
+If
+.Ar configfile
+exists as a file it will be processed before the contents of the
+.Ar configfile Ns .d
+directory if that also exists.
+.Pp
 The way
 .Nm
 does configuration entry matching is by having the client side pass the
-file descriptor associated with the connection the client wants to blacklist
+file descriptor associated with the connection the client wants to blocklist
 as well as passing socket credentials.
 .Pp
 The file descriptor is used to retrieve information (address and port)
@@ -116,7 +129,7 @@ specified by the arguments.
 The
 .Ar rulename
 argument can be set from the command line (default
-.Dv blacklistd ) .
+.Dv blocklistd ) .
 The script could print a numerical id to stdout as a handle for
 the rule that can be used later to remove that connection, but
 that is not required as all information to remove the rule is
@@ -152,8 +165,8 @@ The following options are available:
 .It Fl C Ar controlprog
 Use
 .Ar controlprog
-to communicate with the packet filter, usually
-.Pa /usr/libexec/blacklistd-helper .
+to communicate with the packet filter, instead of the default, which is
+.Pa /usr/libexec/blocklistd-helper .
 The following arguments are passed to the control program:
 .Bl -tag -width protocol
 .It action
@@ -161,7 +174,7 @@ The action to perform:
 .Dv add ,
 .Dv rem ,
 or
-.Dv flush
+.Dv flush ;
 to add, remove or flush a firewall rule.
 .It name
 The rule name.
@@ -183,13 +196,17 @@ identifier of the rule to be removed.
 The add command is expected to return the rule identifier string to stdout.
 .El
 .It Fl c Ar configuration
-The name of the configuration file to read, usually
-.Pa /etc/blacklistd.conf .
+The name of the configuration file to read.
+The default when
+.Fl c
+is not given is
+.Pa /etc/blocklistd.conf .
 .It Fl D Ar dbfile
 The Berkeley DB file where
 .Nm
-stores its state, usually
-.Pa /var/db/blacklistd.db .
+stores its state.
+It defaults to
+.Pa /var/db/blocklistd.db .
 .It Fl d
 Normally,
 .Nm
@@ -203,14 +220,14 @@ are deleted by invoking the control script as:
 .Bd -literal -offset indent
 control flush <rulename>
 .Ed
-.It Fl P Ar sockspathsfile
+.It Fl P Ar sockpathsfile
 A file containing a list of pathnames, one per line that
 .Nm
 will create sockets to listen to.
 This is useful for chrooted environments.
 .It Fl R Ar rulename
 Specify the default rule name for the packet filter rules, usually
-.Dv blacklistd .
+.Dv blocklistd .
 .It Fl r
 Re-read the firewall rules from the internal database, then
 remove and re-add them.
@@ -256,19 +273,21 @@ This signal tells
 to decrease the internal debugging level by 1.
 .El
 .Sh FILES
-.Bl -tag -width /usr/libexec/blacklistd-helper -compact
-.It Pa /usr/libexec/blacklistd-helper
+.Bl -tag -width /usr/libexec/blocklistd-helper -compact
+.It Pa /usr/libexec/blocklistd-helper
 Shell script invoked to interface with the packet filter.
-.It Pa /etc/blacklistd.conf
+.It Pa /etc/blocklistd.conf
 Configuration file.
-.It Pa /var/db/blacklistd.db
+.It Pa /var/db/blocklistd.db
 Database of current connection entries.
-.It Pa /var/run/blacklistd.sock
+.It Pa /var/run/blocklistd.sock
 Socket to receive connection notifications.
 .El
 .Sh SEE ALSO
-.Xr blacklistd.conf 5 ,
-.Xr blacklistctl 8 ,
+.Xr blocklistd.conf 5 ,
+.Xr blocklistctl 8 ,
+.Xr ipf 8 ,
+.Xr ipfw 8 ,
 .Xr pfctl 8 ,
 .Xr syslogd 8
 .Sh HISTORY
diff --git a/contrib/blocklist/bin/blacklistd.c b/contrib/blocklist/bin/blocklistd.c
similarity index 91%
rename from contrib/blocklist/bin/blacklistd.c
rename to contrib/blocklist/bin/blocklistd.c
index 714abcbcaf0e..4846b507c8d1 100644
--- a/contrib/blocklist/bin/blacklistd.c
+++ b/contrib/blocklist/bin/blocklistd.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $	*/
+/*	$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -31,8 +31,11 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
+
+#ifdef HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
+#endif
+__RCSID("$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -175,6 +178,8 @@ process(bl_t bl)
 	struct dbinfo dbi;
 	struct timespec ts;
 
+	memset(&dbi, 0, sizeof(dbi));
+	memset(&c, 0, sizeof(c));
 	if (clock_gettime(CLOCK_REALTIME, &ts) == -1) {
 		(*lfun)(LOG_ERR, "clock_gettime failed (%m)");
 		return;
@@ -188,10 +193,11 @@ process(bl_t bl)
 	if (getremoteaddress(bi, &rss, &rsl) == -1)
 		goto out;
 
-	if (debug) {
+	if (debug || bi->bi_msg[0]) {
 		sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss);
-		(*lfun)(LOG_DEBUG, "processing type=%d fd=%d remote=%s msg=%s"
-		    " uid=%lu gid=%lu", bi->bi_type, bi->bi_fd, rbuf,
+		(*lfun)(bi->bi_msg[0] ? LOG_INFO : LOG_DEBUG,
+		    "processing type=%d fd=%d remote=%s msg=%s uid=%lu gid=%lu",
+		    bi->bi_type, bi->bi_fd, rbuf,
 		    bi->bi_msg, (unsigned long)bi->bi_uid,
 		    (unsigned long)bi->bi_gid);
 	}
@@ -216,16 +222,19 @@ process(bl_t bl)
 	switch (bi->bi_type) {
 	case BL_ABUSE:
 		/*
-		 * If the application has signaled abusive behavior,
-		 * set the number of fails to be one less than the
-		 * configured limit.  Fallthrough to the normal BL_ADD
-		 * processing, which will increment the failure count
-		 * to the threshhold, and block the abusive address.
+		 * If the application has signaled abusive behavior, set the
+		 * number of fails to be two less than the configured limit.
+		 * Fall through to the normal BL_ADD and BL_BADUSER processing,
+		 * which will increment the failure count to the threshhold, and
+		 * block the abusive address.
 		 */
 		if (c.c_nfail != -1)
-			dbi.count = c.c_nfail - 1;
+			dbi.count = c.c_nfail - 2;
 		/*FALLTHROUGH*/
 	case BL_ADD:
+		dbi.count++;		/* will become += 2 */
+		/*FALLTHROUGH*/
+	case BL_BADUSER:
 		dbi.count++;
 		dbi.last = ts.tv_sec;
 		if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
@@ -254,9 +263,6 @@ process(bl_t bl)
 		dbi.count = 0;
 		dbi.last = 0;
 		break;
-	case BL_BADUSER:
-		/* ignore for now */
-		break;
 	default:
 		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
 	}
@@ -334,7 +340,7 @@ static void
 addfd(struct pollfd **pfdp, bl_t **blp, size_t *nfd, size_t *maxfd,
     const char *path)
 {
-	bl_t bl = bl_create(true, path, vflag ? vdlog : vsyslog);
+	bl_t bl = bl_create(true, path, vflag ? vdlog : vsyslog_r);
 	if (bl == NULL || !bl_isconnected(bl))
 		exit(EXIT_FAILURE);
 	if (*nfd >= *maxfd) {
@@ -395,15 +401,25 @@ rules_flush(void)
 static void
 rules_restore(void)
 {
+	DB *db;
 	struct conf c;
 	struct dbinfo dbi;
 	unsigned int f;
 
-	for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) {
+	db = state_open(dbfile, O_RDONLY, 0);
+	if (db == NULL) {
+		(*lfun)(LOG_ERR, "Can't open `%s' to restore state (%m)",
+			dbfile);
+		return;
+	}
+	for (f = 1; state_iterate(db, &c, &dbi, f) == 1; f = 0) {
 		if (dbi.id[0] == '\0')
 			continue;
 		(void)run_change("add", &c, dbi.id, sizeof(dbi.id));
+		state_put(state, &c, &dbi);
 	}
+	state_close(db);
+	state_sync(state);
 }
 
 int
diff --git a/contrib/blocklist/bin/blacklistd.conf.5 b/contrib/blocklist/bin/blocklistd.conf.5
similarity index 83%
rename from contrib/blocklist/bin/blacklistd.conf.5
rename to contrib/blocklist/bin/blocklistd.conf.5
index 70036441eb4b..3a7dbfc07f58 100644
--- a/contrib/blocklist/bin/blacklistd.conf.5
+++ b/contrib/blocklist/bin/blocklistd.conf.5
@@ -1,6 +1,6 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $
+.\" $NetBSD: blocklistd.conf.5,v 1.7 2025/02/11 17:47:05 christos Exp $
 .\"
-.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2015, 2025 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This code is derived from software contributed to The NetBSD Foundation
@@ -27,17 +27,17 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 18, 2020
-.Dt BLACKLISTD.CONF 5
+.Dd February 5, 2025
+.Dt BLOCKLISTD.CONF 5
 .Os
 .Sh NAME
-.Nm blacklistd.conf
-.Nd configuration file format for blacklistd
+.Nm blocklistd.conf
+.Nd configuration file format for blocklistd
 .Sh DESCRIPTION
 The
 .Nm
 file contains configuration entries for
-.Xr blacklistd 8
+.Xr blocklistd 8
 in a fashion similar to
 .Xr inetd.conf 5 .
 Only one entry per line is permitted.
@@ -48,34 +48,34 @@ Comments are denoted by a
 at the beginning of a line.
 .Pp
 There are two kinds of configuration lines,
-.Va local
+.Va [local]
 and
-.Va remote .
+.Va [remote] .
 By default, configuration lines are
-.Va local ,
+.Va [local] ,
 i.e. the address specified refers to the addresses on the local machine.
 To switch to between
-.Va local
+.Va [local]
 and
-.Va remote
+.Va [remote]
 configuration lines you can specify the stanzas:
 .Dq [local]
 and
 .Dq [remote] .
 .Pp
 On
-.Va local
+.Va [local]
 and
-.Va remote
+.Va [remote]
 lines
 .Dq *
 means use the default, or wildcard match.
 In addition, for
-.Va remote
+.Va [remote]
 lines
 .Dq =
 means use the values from the matched
-.Va local
+.Va [local]
 configuration line.
 .Pp
 The first four fields,
@@ -85,9 +85,9 @@ The first four fields,
 and
 .Va owner
 are used to match the
-.Va local
+.Va [local]
 or
-.Va remote
+.Va [remote]
 addresses, whereas the last 3 fields
 .Va name ,
 .Va nfail ,
@@ -110,8 +110,8 @@ The
 can be an IPv4 address in numeric format, an IPv6 address
 in numeric format and enclosed by square brackets, or an interface name.
 Mask modifiers are not allowed on interfaces because interfaces
-can have multiple addresses in different protocols where the mask has a different
-size.
+can have multiple addresses in different protocols where the mask has a
+different size.
 .Pp
 The
 .Dv mask
@@ -143,8 +143,8 @@ The
 field, is the name of the packet filter rule to be used.
 If the
 .Va name
-starts with a
-.Dq - ,
+starts with a hyphen
+.Pq Dq - ,
 then the default rulename is prepended to the given name.
 If the
 .Dv name
@@ -160,13 +160,13 @@ field contains the number of failed attempts before access is blocked,
 defaulting to
 .Dq *
 meaning never, and the last field
-.Va disable
+.Va duration
 specifies the amount of time since the last access that the blocking
 rule should be active, defaulting to
 .Dq *
 meaning forever.
 The default unit for
-.Va disable
+.Va duration
 is seconds, but one can specify suffixes for different units, such as
 .Dq m
 for minutes
@@ -176,28 +176,34 @@ for hours and
 for days.
 .Pp
 Matching is done first by checking the
-.Va local
+.Va [local]
 rules individually, in the order of the most specific to the least specific.
-If a match is found, then the
-.Va remote
+If a match is found, then the matching
+.Va [remote]
 rules are applied.
 The
 .Va name ,
 .Va nfail ,
 and
-.Va disable
+.Va duration
 fields can be altered by the
-.Va remote
+.Va [remote]
 rule that matched.
 .Pp
 The
-.Va remote
+.Va [remote]
 rules can be used for allowing specific addresses, changing the mask
-size, the rule that the packet filter uses, the number of failed attempts,
-or the block duration.
+size (via
+.Va name ) ,
+the rule that the packet filter uses (also via
+.Va name ) ,
+the number of failed attempts (via
+.Va nfail ) ,
+or the duration to block (via
+.Va duration ) .
 .Sh FILES
-.Bl -tag -width /etc/blacklistd.conf -compact
-.It Pa /etc/blacklistd.conf
+.Bl -tag -width /etc/blocklistd.conf -compact
+.It Pa /etc/blocklistd.conf
 Configuration file.
 .El
 .Sh EXAMPLES
@@ -209,13 +215,15 @@ bnx0:ssh	*	*	*	*	3	6h
 [remote]
 # Never block 1.2.3.4
 1.2.3.4:ssh	*	*	*	*	*	*
-# For addresses coming from 8.8.0.0/16 block whole /24 networks instead of
+# Never block the example IPv6 subnet either
+[2001:db8::]/32:ssh	*	*	*	*	*	*
+# For addresses coming from 8.8.0.0/16 block whole /24 networks instead
 # individual hosts, but keep the rest of the blocking parameters the same.
 8.8.0.0/16:ssh	*	*	*	/24	=	=
 .Ed
 .Sh SEE ALSO
-.Xr blacklistctl 8 ,
-.Xr blacklistd 8
+.Xr blocklistctl 8 ,
+.Xr blocklistd 8
 .Sh HISTORY
*** 2792 LINES SKIPPED ***