<div dir="ltr">There are some awesome data structures for simultaneously matching against huge numbers of patterns (as opposed to literal fixed strings). dnsmasq would get a lot more complicated if it tried to implement them, and complication in an internet-facing daemon is a "BAD thing" because it increases the chance that there's an exploitable bug. Since the feature you're using is designed for something completely different from request blocking, perhaps there should be a pluggable interface just for filtering requests (e.g. open a pipe to an external process, just like it does for lease script, and writes nul-separated hostnames getting back a boolean response whether to allow or block each request). Then the external process could be compiled for speed using antlr or bison or any other parser generator that knows how to build the fancy state machine tables. And buffer overflows or anything else that went seriously wrong in the request filter couldn't impact dnsmasq -- it would just cause a broken pipe. Because the request filter wouldn't need root access like the leasefile script, it could respawn on SIGUSR.<div><br></div><div>Just my two cents, I'm not volunteering to write the code.</div><div><br></div><div>Ben</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 5, 2015 at 9:35 AM, <a href="mailto:wkitty42@gmail.com">wkitty42@gmail.com</a> <span dir="ltr"><<a href="mailto:wkitty42@gmail.com" target="_blank">wkitty42@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 10/03/2015 06:37 PM, Simon Kelley wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
address=/abcd/<a href="http://0.0.0.0/" rel="noreferrer" target="_blank">0.0.0.0/</a> does NOT use the cache code. There's an implied<br>
wildcard in the domain name, it matches *.abcd. The matching for this<br>
is a relatively slow, linear, search. It is certainly not suitable for<br>
250000 names!<br>
<br>
If you don't need the wildcard matching, then using<br>
<br>
host-record=abcd,0.0.0.0<br>
<br>
instead will make real cache entries, which are efficently searched.<br>
That will be much, much faster.<br>
</blockquote>
<br></span>
what does one do if they do need wildcard matching?<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
NOTE: No off-list assistance is given without prior approval.<br>
*Please keep mailing list traffic on the list* unless<br>
private contact is specifically requested and granted.</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" rel="noreferrer" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
</div></div></blockquote></div><br></div>