diff --git a/external/bsd/blacklist/bin/blacklist.h b/external/bsd/blacklist/bin/blacklist.h index f7b05e189e1b..eb3eceec559b 100644 --- a/external/bsd/blacklist/bin/blacklist.h +++ b/external/bsd/blacklist/bin/blacklist.h @@ -1,4 +1,4 @@ -/* $NetBSD: blacklist.h,v 1.2 2015/01/19 19:02:35 christos Exp $ */ +/* $NetBSD: blacklist.h,v 1.3 2015/01/20 00:52:15 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -36,6 +36,7 @@ typedef enum { BL_INVALID, BL_ADD, + BL_DELETE } bl_type_t; typedef struct blacklist *bl_t; diff --git a/external/bsd/blacklist/bin/blacklistd.c b/external/bsd/blacklist/bin/blacklistd.c index 70714821f9e0..3bb90b0a5100 100644 --- a/external/bsd/blacklist/bin/blacklistd.c +++ b/external/bsd/blacklist/bin/blacklistd.c @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.4 2015/01/20 00:19:21 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.5 2015/01/20 00:52:15 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -29,7 +29,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__RCSID("$NetBSD: blacklistd.c,v 1.4 2015/01/20 00:19:21 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.5 2015/01/20 00:52:15 christos Exp $"); #include #include @@ -72,6 +72,7 @@ size_t nconf; static DB *state; static const char *dbfile = _PATH_BLSTATE; static sig_atomic_t rconf = 1; +static sig_atomic_t done; void (*lfun)(int, const char *, ...) = syslog; @@ -81,6 +82,11 @@ sighup(int n) rconf++; } +static void +sigdone(int n) +{ + done++; +} static __dead void usage(void) { @@ -172,6 +178,7 @@ process(bl_t bl) } if (state_get(state, &rss, &c, &dbi) == -1) goto out; + if (debug) { char b1[128], b2[128]; sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss); 
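Review bot: In blacklistd.c the new flag is declared `static sig_atomic_t done;` without `volatile`, yet it is written in the `sigdone()` handler and read by the `while (!done)` loop in `main()`; declare it `static volatile sig_atomic_t done;` so the loop is guaranteed to re-read it. The neighbouring `rconf` context line has the same declaration and would benefit from the same change. `sigdone()` leaves its parameter `n` unused, and a one-line comment such as `/* request orderly shutdown: main loop exits and closes the state db */` would document why three signals share it.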
@@ -180,13 +187,29 @@ process(bl_t bl) fmttime(b1, sizeof(b1), dbi.last), fmttime(b2, sizeof(b2), ts.tv_sec)); } - dbi.count++; - dbi.last = ts.tv_sec; - if (dbi.count >= c.c_nfail) { - int res = run_add(c.c_proto, (in_port_t)c.c_port, &rss); - if (res == -1) + + switch (bi->bi_type) { + case BL_ADD: + dbi.count++; + dbi.last = ts.tv_sec; + if (dbi.id != -1) { + (*lfun)(LOG_ERR, "rule exists %d", dbi.id); goto out; - dbi.id = res; + } + if (dbi.count >= c.c_nfail) { + int res = run_add(c.c_proto, (in_port_t)c.c_port, &rss); + if (res == -1) + goto out; + dbi.id = res; + } + break; + case BL_DELETE: + if (dbi.last == 0) + goto out; + dbi.last = 0; + break; + default: + (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } if (state_put(state, &rss, &c, &dbi) == -1) goto out; @@ -267,10 +290,13 @@ main(int argc, char *argv[]) } signal(SIGHUP, sighup); + signal(SIGINT, sigdone); + signal(SIGQUIT, sigdone); + signal(SIGTERM, sigdone); if (debug) { lfun = dlog; - tout = 1000; + tout = 5000; } else { daemon(0, 0); tout = 15000; @@ -290,7 +316,7 @@ main(int argc, char *argv[]) struct pollfd pfd; pfd.fd = bl_getfd(bl); pfd.events = POLLIN; - for (;;) { + while (!done) { if (rconf) { rconf = 0; parseconf(configfile); @@ -302,11 +328,12 @@ main(int argc, char *argv[]) (*lfun)(LOG_ERR, "poll (%m)"); return EXIT_FAILURE; case 0: - update(); break; default: process(bl); } + update(); } + state_close(state); return 0; } diff --git a/external/bsd/blacklist/bin/run.c b/external/bsd/blacklist/bin/run.c index 0276f9e2377c..0d6fa14b6e23 100644 --- a/external/bsd/blacklist/bin/run.c +++ b/external/bsd/blacklist/bin/run.c @@ -1,4 +1,4 @@ -/* $NetBSD: run.c,v 1.1 2015/01/20 00:19:21 christos Exp $ */ +/* $NetBSD: run.c,v 1.2 2015/01/20 00:52:15 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
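Review bot: In blacklistd.c `process()`, the new `default:` arm logs "unknown message" but then leaves the switch and reaches `state_put()`, so a message with an unrecognised `bi_type` still writes a record to the state database; add `goto out;` after the log call. In the `BL_ADD` arm, `dbi.count++` and `dbi.last = ts.tv_sec` run before the `dbi.id != -1` check, and that check jumps to `out` past `state_put()`, so both updates are discarded whenever a rule already exists; if that is intended, a comment saying so would help. The check also presumes that `state_get()` leaves `dbi.id` at -1 for an address with no rule, which cannot be confirmed from this hunk. `process()` starts and ends outside the hunk.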
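Review bot: In blacklistd.c `main()`, the added `state_close(state);` is reached only when the `while (!done)` loop exits normally; the poll error arm still does `return EXIT_FAILURE;` directly, so that path leaves the state database unclosed. Consider calling `state_close(state);` before that return, or recording a status and breaking out of the loop so both exits share the cleanup. The top of the loop and the `switch` on the poll result are outside this hunk, so any earlier handling in that arm is not visible here.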
@@ -29,7 +29,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__RCSID("$NetBSD: run.c,v 1.1 2015/01/20 00:19:21 christos Exp $"); +__RCSID("$NetBSD: run.c,v 1.2 2015/01/20 00:52:15 christos Exp $"); #include #include @@ -98,6 +98,7 @@ run_add(int proto, in_port_t port, const struct sockaddr_storage *ss) const char *prname; char poname[64], adname[128], *rv; int id, e; + size_t off; switch (proto) { case IPPROTO_TCP: @@ -117,7 +118,9 @@ run_add(int proto, in_port_t port, const struct sockaddr_storage *ss) rv = run("add", prname, adname, poname, NULL); if (rv == NULL) return -1; - id = (int)strtoi(rv, NULL, 0, 0, INT_MAX, &e); + rv[strcspn(rv, "\n")] = '\0'; + off = strncmp(rv, "OK ", 3) == 0 ? 3 : 0; + id = (int)strtoi(rv + off, NULL, 0, 0, INT_MAX, &e); if (e) { (*lfun)(LOG_ERR, "%s: bad number %s (%m)", __func__, rv); id = -1; diff --git a/external/bsd/blacklist/bin/state.c b/external/bsd/blacklist/bin/state.c index 681330abab37..741a25089eba 100644 --- a/external/bsd/blacklist/bin/state.c +++ b/external/bsd/blacklist/bin/state.c @@ -1,4 +1,4 @@ -/* $NetBSD: state.c,v 1.1 2015/01/20 00:19:21 christos Exp $ */ +/* $NetBSD: state.c,v 1.2 2015/01/20 00:52:15 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,13 +30,14 @@ */ #include -__RCSID("$NetBSD: state.c,v 1.1 2015/01/20 00:19:21 christos Exp $"); +__RCSID("$NetBSD: state.c,v 1.2 2015/01/20 00:52:15 christos Exp $"); #include #include #include #include #include +#include #include #include @@ -72,8 +73,11 @@ state_open(const char *dbname, int flags, mode_t perm) DB *db; db = dbopen(dbname, flags, perm, DB_HASH, &openinfo); - if (db == NULL) + if (db == NULL) { + if (errno == ENOENT && (flags & O_CREAT) == 0) + return NULL; (*lfun)(LOG_ERR, "%s: can't open `%s' (%m)", __func__, dbname); + } return db; } diff --git a/external/bsd/blacklist/include/bl.h b/external/bsd/blacklist/include/bl.h index 7846c32467f2..0981d1b4e661 100644 --- a/external/bsd/blacklist/include/bl.h 
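Review bot: In run.c `run_add()`, `off` falls back to 0 when the helper's reply does not start with `OK `, so a reply that is not a success line but still parses as a number would be stored as the rule id. If the helper is expected to print `OK <id>` on success, treat a missing prefix as a failure and take the existing `id = -1` path. Otherwise document the accepted formats next to the parse, e.g. `/* reply is "OK <id>\n" or a bare "<id>\n" */`. The function's start and the code after the error branch are outside this hunk.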
+++ b/external/bsd/blacklist/include/bl.h @@ -1,4 +1,4 @@ -/* $NetBSD: bl.h,v 1.5 2015/01/19 19:02:35 christos Exp $ */ +/* $NetBSD: bl.h,v 1.6 2015/01/20 00:52:15 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -42,7 +42,7 @@ typedef struct { char bi_msg[1024]; } bl_info_t; -#define _PATH_BLSOCK "/tmp/blsock" +#define _PATH_BLSOCK "/var/run/blsock" __BEGIN_DECLS bl_t bl_create2(bool, const char *, void (*)(int, const char *, ...)); diff --git a/external/bsd/blacklist/lib/bl.c b/external/bsd/blacklist/lib/bl.c index a1ac0b4321f7..29e4c51ed4f6 100644 --- a/external/bsd/blacklist/lib/bl.c +++ b/external/bsd/blacklist/lib/bl.c @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.6 2015/01/20 00:19:21 christos Exp $ */ +/* $NetBSD: bl.c,v 1.7 2015/01/20 00:52:15 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -29,7 +29,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__RCSID("$NetBSD: bl.c,v 1.6 2015/01/20 00:19:21 christos Exp $"); +__RCSID("$NetBSD: bl.c,v 1.7 2015/01/20 00:52:15 christos Exp $"); #include #include @@ -92,7 +92,11 @@ bl_init(bl_t b, bool srv) .sun_family = AF_LOCAL, .sun_len = sizeof(sun), }; + mode_t om; + int rv; + strlcpy(sun.sun_path, b->b_path, sizeof(sun.sun_path)); + if (srv) (void)unlink(b->b_path); @@ -109,8 +113,11 @@ bl_init(bl_t b, bool srv) if (b->b_connected) return 0; - if ((srv ? bind : connect)(b->b_fd, (const void *)&sun, - (socklen_t)sizeof(sun)) == -1) { + om = umask(0); + rv = (srv ? bind : connect)(b->b_fd, (const void *)&sun, + (socklen_t)sizeof(sun)); + (void)umask(om); + if (rv == -1) { (*b->b_fun)(LOG_ERR, "%s: %s failed (%m)", __func__, srv ? "bind" : "connect"); goto out;
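Review bot: In bl.c `bl_init()`, `umask(0)` now wraps the `bind`, so the server socket at `_PATH_BLSOCK` is created with no permission bits masked and is open to every local user. Nothing in this diff shows the daemon checking who sent a message before `process()` acts on `BL_ADD` or `BL_DELETE`. Prefer a restrictive socket mode with access granted through a dedicated group, or verify the peer's credentials on receipt. The umask change is also process-wide and runs on the client path, where it does nothing for `connect` but can loosen the mode of files created concurrently by other threads of a program linking this library; limit it to the server case with `if (srv) om = umask(0);` and a matching `if (srv) (void)umask(om);`. `bl_init()` begins and ends outside this hunk.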