title: Rules generation
All blackholes are configured from the same set of rules
  -Sub-blackholes may have <b>private</b> rules
   (unknown to the master blackhole)
  -Why ?
Sub-blackholes receive a subset
  -Based on the <b>horizons</b> they can reach
Rules are made using host name (and vserver name)
  -Master blackholes use the management network
  -Sub-blackholes use the production network
  -Sub-blackholes may reach a host using a different IP
/etc/hosts on sub-blackhole vservers
  -Must be assembled on the fly
  -We must know on the master blackhole which horizons are reachable
   from sub-blackholes.
  -The master can connect to all hosts and retrieve their IPs.
Utility blackhole-rulefilter