diff --git a/lib/Makefile b/lib/Makefile index 23c620c3b9ce..a1b31f19283f 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.286 2020/10/29 20:11:17 nia Exp $ +# $NetBSD: Makefile,v 1.287 2021/03/07 15:09:12 christos Exp $ # from: @(#)Makefile 5.25.1.1 (Berkeley) 5/7/91 .include @@ -27,7 +27,7 @@ SUBDIR+= libarch \ libossaudio libpci libposix libprop libpthread \ libpuffs libresolv librmt librpcsvc librt \ libtelnet libterminfo \ - libusbhid libutil libwrap liby libz + libusbhid libutil liby libz .if !defined(BSD_MK_COMPAT_FILE) SUBDIR+= libkern @@ -178,6 +178,8 @@ SUBDIR+= ../external/mit/libuv/lib #==================== 2nd library dependency barrier ==================== SUBDIR+= .WAIT +SUBDIR+= libwrap + .if (${MKGCC} != "no" && ${MKCXX} != "no" && ${MKLIBSTDCXX} != "no") .for sanitizer in asan lsan ubsan .if exists(../external/gpl3/${EXTERNAL_GCC_SUBDIR}/lib/lib${sanitizer}) diff --git a/lib/libwrap/Makefile b/lib/libwrap/Makefile index 35c2732b33b9..bd0189939cd6 100644 --- a/lib/libwrap/Makefile +++ b/lib/libwrap/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.11 2019/01/11 20:37:30 christos Exp $ +# $NetBSD: Makefile,v 1.12 2021/03/07 15:09:12 christos Exp $ USE_FORT?= yes # network server @@ -14,6 +14,9 @@ MLINKS+=hosts_access.3 hosts_ctl.3 MLINKS+=hosts_access.3 request_init.3 MLINKS+=hosts_access.3 request_set.3 +#LDADD+=-lblocklist +PADD+=${LIBBLOCKLIST} + INCS= tcpd.h INCSDIR=/usr/include diff --git a/lib/libwrap/hosts_access.c b/lib/libwrap/hosts_access.c index 80f551b4f2ed..ed05c3e20f59 100644 --- a/lib/libwrap/hosts_access.c +++ b/lib/libwrap/hosts_access.c @@ -1,4 +1,4 @@ -/* $NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $ */ +/* $NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $ */ /* * This module implements a simple access control language that is based on 
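Review bot: In lib/libwrap/Makefile the added `PADD+=${LIBBLOCKLIST}` looks like a typo for `DPADD+=${LIBBLOCKLIST}`. As written it assigns a variable that nothing on this page reads, so libwrap gets no rebuild dependency on libblocklist. With `#LDADD+=-lblocklist` left commented out, libwrap also records no link dependency of its own, which is why every consumer in this commit adds `-lblocklist` by hand; a consumer the commit does not touch would presumably fail to link. A short comment above the two lines saying why the link dependency is disabled would help the next reader.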
@@ -24,7 +24,7 @@ #if 0 static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22"; #else -__RCSID("$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $"); +__RCSID("$NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $"); #endif #endif @@ -37,6 +37,7 @@ __RCSID("$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $"); #endif #include #include +#include #include #include #include @@ -103,6 +104,24 @@ static int masked_match6(char *, char *, char *); #define BUFLEN 2048 +static void +pfilter_notify(struct request_info *request, int b) +{ + static struct blocklist *blstate; + + if (blstate == NULL) { + blstate = blocklist_open(); + } + if (request->client->sin != NULL) { + blocklist_sa_r(blstate, b, request->fd != -1 ? request->fd : 3, + request->client->sin, request->client->sin->sa_len, + request->daemon ? request->daemon : getprogname()); + } else { + blocklist_r(blstate, b, (request->fd != -1) ? request->fd : 3, + request->daemon ? request->daemon : getprogname()); + } +} + /* hosts_access - host access control facility */ int @@ -128,12 +147,21 @@ hosts_access(struct request_info *request) if (resident <= 0) resident++; verdict = setjmp(tcpd_buf); - if (verdict != 0) + if (verdict != 0) { + if (verdict != AC_PERMIT) + pfilter_notify(request, BLOCKLIST_AUTH_FAIL); + /* XXX pfilter_notify(0)??? */ return (verdict == AC_PERMIT); - if (table_match(hosts_allow_table, request)) + } + if (table_match(hosts_allow_table, request)) { + /* XXX pfilter_notify(0)??? */ return (YES); - if (table_match(hosts_deny_table, request)) + } + if (table_match(hosts_deny_table, request)) { + pfilter_notify(request, BLOCKLIST_AUTH_FAIL); return (NO); + } + /* XXX pfilter_notify(0)??? */ return (YES); } diff --git a/tests/fs/nfs/nfsservice/Makefile b/tests/fs/nfs/nfsservice/Makefile index 0a2630c93e85..97a8eb91b0bc 100644 --- a/tests/fs/nfs/nfsservice/Makefile +++ b/tests/fs/nfs/nfsservice/Makefile 
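Review bot: pfilter_notify() substitutes descriptor 3 whenever `request->fd` is -1, and it uses the result of blocklist_open() without checking it for NULL. Descriptor 3 is whatever the calling daemon happens to have open in that slot, so a report can be tied to an unrelated socket or to no socket at all, and blocklistd presumably derives the service from that descriptor. Consider skipping the report when the descriptor is unknown, `if (request->fd == -1) return;`, and returning early when `blstate` is still NULL after the open attempt. If 3 is intentional, give it a named constant and a comment explaining the choice. The function also lacks a header comment saying what `b` carries and that `blstate` is opened lazily and kept for the life of the process.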
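Review bot: In the setjmp branch of hosts_access(), `if (verdict != AC_PERMIT)` reports every non-permit longjmp as BLOCKLIST_AUTH_FAIL. That appears to include the error verdict libwrap raises for a problem in the rules files (AC_ERROR in tcpd.h, to be confirmed), so a server-side configuration mistake would count against the connecting client. `if (verdict == AC_DENY)` would limit the report to actual denials. The three `/* XXX pfilter_notify(0)??? */` markers leave open whether permits should be reported too; settle that, or replace them with one comment stating that permits are deliberately not reported. The function's opening lines are outside this hunk.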
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.15 2020/03/01 18:08:14 christos Exp $ +# $NetBSD: Makefile,v 1.16 2021/03/07 15:09:12 christos Exp $ # NOMAN= 1 @@ -45,8 +45,8 @@ CPPFLAGS+= -I${LIBRPCDIR} -DPORTMAP -DLIBWRAP -DRPCBIND_RUMP # CPPFLAGS+= -DRPCBIND_DEBUG # CPPFLAGS+= -DSVC_RUN_DEBUG -LDADD+= -lwrap -lutil -DPADD+= ${LIBWRAP} ${LIBUTIL} +LDADD+= -lwrap -lblocklist -lutil +DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL} SANITIZER_RENAME_SYMBOL+= __getmntinfo13 diff --git a/usr.sbin/inetd/Makefile b/usr.sbin/inetd/Makefile index 99c84b282554..3c9110f21328 100644 --- a/usr.sbin/inetd/Makefile +++ b/usr.sbin/inetd/Makefile @@ -1,5 +1,5 @@ # from: @(#)Makefile 8.1 (Berkeley) 6/6/93 -# $NetBSD: Makefile,v 1.23 2009/10/22 22:50:35 tsarna Exp $ +# $NetBSD: Makefile,v 1.24 2021/03/07 15:09:12 christos Exp $ .include @@ -13,8 +13,8 @@ MLINKS= inetd.8 inetd.conf.5 CPPFLAGS+=-DLIBWRAP # Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services. #CPPFLAGS+=-DLIBWRAP_INTERNAL -LDADD+= -lwrap -lutil -DPADD+= ${LIBWRAP} ${LIBUTIL} +LDADD+= -lwrap -lblocklist -lutil +DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL} .if (${USE_INET6} != "no") CPPFLAGS+=-DINET6 diff --git a/usr.sbin/lpr/lpd/Makefile b/usr.sbin/lpr/lpd/Makefile index b965a8bf1b03..4cee57b15753 100644 --- a/usr.sbin/lpr/lpd/Makefile +++ b/usr.sbin/lpr/lpd/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.18 2005/01/10 02:58:59 lukem Exp $ +# $NetBSD: Makefile,v 1.19 2021/03/07 15:09:12 christos Exp $ # @(#)Makefile 8.1 (Berkeley) 6/6/93 .include @@ -8,8 +8,8 @@ MAN= lpd.8 SRCS= lpd.c printjob.c recvjob.c lpdchar.c key.c modes.c ttcompat.c rcmd.c CPPFLAGS+=-DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} +LDADD+= -lwrap -lblocklist +DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} .if (${USE_INET6} != "no") CPPFLAGS.rcmd.c= -DINET6 diff --git a/usr.sbin/syslogd/Makefile b/usr.sbin/syslogd/Makefile index ee54a844cf45..6a584dbdb9cf 100644 --- a/usr.sbin/syslogd/Makefile +++ b/usr.sbin/syslogd/Makefile 
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.30 2019/10/13 07:28:22 mrg Exp $ +# $NetBSD: Makefile,v 1.31 2021/03/07 15:09:12 christos Exp $ # from: @(#)Makefile 8.1 (Berkeley) 6/6/93 .include @@ -25,8 +25,8 @@ CPPFLAGS+=-DLIBWRAP .if ${HAVE_OPENSSL} < 11 CPPFLAGS+=-DOPENSSL_API_COMPAT=0x10100000L .endif -LDADD+= -lwrap -DPADD+= ${LIBWRAP} +LDADD+= -lwrap -lblocklist +DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} LDADD+= -lssl -lcrypto diff --git a/usr.sbin/tcpdchk/Makefile b/usr.sbin/tcpdchk/Makefile index 507c0aa3e3d3..57c24072dd77 100644 --- a/usr.sbin/tcpdchk/Makefile +++ b/usr.sbin/tcpdchk/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.13 2009/04/22 15:23:08 lukem Exp $ +# $NetBSD: Makefile,v 1.14 2021/03/07 15:09:12 christos Exp $ WARNS?= 1 # XXX: many issues in lib/libwrap to address first @@ -7,8 +7,8 @@ WARNS?= 1 # XXX: many issues in lib/libwrap to address first PROG= tcpdchk SRCS= tcpdchk.c fakelog.c inetcf.c scaffold.c percent_m.c MAN= tcpdchk.8 -LDADD= -lwrap -DPADD= ${LIBWRAP} +LDADD= -lwrap -lblocklist +DPADD= ${LIBWRAP} ${LIBBLOCKLIST} CPPFLAGS+= -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED diff --git a/usr.sbin/tcpdmatch/Makefile b/usr.sbin/tcpdmatch/Makefile index 8dc7d8d6f07c..a06d4ef87e72 100644 --- a/usr.sbin/tcpdmatch/Makefile +++ b/usr.sbin/tcpdmatch/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.12 2009/04/22 15:23:09 lukem Exp $ +# $NetBSD: Makefile,v 1.13 2021/03/07 15:09:13 christos Exp $ # WARNS?= 1 # XXX: many issues in lib/libwrap to address first @@ -11,8 +11,8 @@ MAN= tcpdmatch.8 TCPDCHK=${NETBSDSRCDIR}/usr.sbin/tcpdchk .PATH: ${TCPDCHK} CPPFLAGS+= -I${TCPDCHK} -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED -LDADD= -lwrap -DPADD= ${LIBWRAP} +LDADD= -lwrap -lblocklist +DPADD= ${LIBWRAP} ${LIBBLOCKLIST} .include "${NETBSDSRCDIR}/lib/libwrap/Makefile.cflags" diff --git a/usr.sbin/ypserv/ypserv/Makefile b/usr.sbin/ypserv/ypserv/Makefile index 3c53f97d546d..449983d67b72 100644 --- a/usr.sbin/ypserv/ypserv/Makefile 
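Review bot: In usr.sbin/tcpdmatch/Makefile, `LDADD= -lwrap -lblocklist` puts the rule tester on the same hosts_access() path that now calls pfilter_notify(). If tcpdmatch evaluates its hypothetical client through hosts_access(), as its purpose suggests, a test query that matches a deny rule would be reported to blocklistd as a real failure for that address. Nothing in this hunk or in the hosts_access.c change suppresses the report for test runs. Consider guarding the call in hosts_access.c, for example on libwrap's `dry_run` flag if tcpdmatch sets it, and record the reason in a comment next to the new `LDADD` line.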
+++ b/usr.sbin/ypserv/ypserv/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.20 2019/10/13 07:28:22 mrg Exp $ +# $NetBSD: Makefile,v 1.21 2021/03/07 15:09:13 christos Exp $ .include @@ -12,8 +12,8 @@ LIBCDIR=${NETBSDSRCDIR}/lib/libc CPPFLAGS+=-DOPTIMIZE_DB -DLIBWRAP -I. -I${LIBCDIR}/include YHEADER=1 -LDADD+= -lwrap -lutil -DPADD+= ${LIBWRAP} ${LIBUTIL} +LDADD+= -lwrap -lblocklist -lutil +DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL} CPPFLAGS.gethnamaddr.c= -UYP -D_LIBC CPPFLAGS.getnetnamadr.c=-UYP -D_LIBC diff --git a/usr.sbin/ypserv/ypserv/ypserv.c b/usr.sbin/ypserv/ypserv/ypserv.c index e1461f27e19f..e01140dc5fd7 100644 --- a/usr.sbin/ypserv/ypserv/ypserv.c +++ b/usr.sbin/ypserv/ypserv/ypserv.c @@ -1,4 +1,4 @@ -/* $NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $ */ +/* $NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $ */ /* * Copyright (c) 1994 Mats O Jansson @@ -28,7 +28,7 @@ #include #ifndef lint -__RCSID("$NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $"); +__RCSID("$NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $"); #endif #include @@ -141,7 +141,7 @@ ypprog_2(struct svc_req *rqstp, SVCXPRT *transp) #ifdef LIBWRAP caller = svc_getrpccaller(transp)->buf; (void)request_init(&req, RQ_DAEMON, getprogname(), RQ_CLIENT_SIN, - caller, NULL); + caller, RQ_FILE, transp->xp_fd, NULL); sock_methods(&req); /*