Current exclusions list from --excludefile takes linear time to match
against. Using a trie structure, we can do matching in O(log n) time,
with a hard maximum of 32 comparisons for IPv4 and 128 comparisons for
IPv6. Each node of the trie represents an address prefix that all
subsequent nodes share; matching stops when one is matched exactly or
when the candidate address does not match any prefix of the addresses in
the trie.
For now, only numeric addresses without netmask are supported. We plan
to extend this to addresses with netmasks, including resolved names.
Storing IPv4 ranges and wildcards in this structure would be
prohibitively complex, so the existing linear match method will be used
for those. It is unlikely that any users are using large exclusion lists
of these types of specifications, so performance impact is small.
Potential future features could use the trie structure to implement
custom routing or scope-limiting.
This was a todo list item based on this report:
https://seclists.org/nmap-dev/2012/q4/420
I got this error compiling on OS X 10.6:
In file included from netutil.cc:132:
../nbase/nbase.h: In function 'int checked_fd_isset(int, const fd_set*)':
../nbase/nbase.h:385: error: invalid conversion from 'const fd_set*' to 'fd_set*'
../nbase/nbase.h:385: error: initializing argument 2 of 'int __darwin_fd_isset(int, fd_set*)'
netutil.cc: In function 'int send_ipv6_ip(const sockaddr_in6*, const unsigned char*, size_t)':
netutil.cc:3846: warning: unused variable 'tclass'
make[2]: *** [netutil.o] Error 1
make[1]: *** [netutil_build] Error 2
Only FD_SET and FD_CLR were available. Added a FD_ISSET equivalent.
Implemented them as static inline instead of macros for consistency.
These functions abort() if the FD number is higher than FD_SETSIZE
(except on windows where no check is performed).
for file in `grep "* including the terms and conditions of this license text as well. \*" * -r --files-with-match `; do sed "s/\* including the terms and conditions of this license text as well. \*/* including the terms and conditions of this license text as well. */g" -i $file; done
This is simple IPv6 unicast ranges. For example,
nmap -6 en.wikipedia.org/120 -sn
The other, more complicated part of this overall change is automatic
multicast scanning of large local subnets. That part isn't done yet.
The Linux-specific SO_BINDTODEVICE sockopt causes packets to be sent on
a specific interface, in cases where merely setting the source address
does not uniquely determine the interface.
If you have trouble updating after this revision you need to follow
these instructions. You have probably just seen an error like this:
svn: URL 'svn://svn.insecure.org/nping' of existing directory 'nping'
does not match expected URL 'svn://svn.insecure.org/nmap/nping'
This is caused by the replacement of SVN externals.
Here's what you need to do. First, save any local changes you might have
in the nping, nsock, nbase, ncat, and zenmap directories. (For example
by running "cd nping; svn diff > ../nping.diff".) If you don't have any
local changes you can skip this step.
Then run these commands:
rm -rf nping/ nsock/ nbase/ ncat/ zenmap/
svn update
svn cleanup
If all else fails, you can just delete your whole working directory and
check out anew:
svn co --username guest --password "" svn://svn.insecure.org/nmap
There may be further discussion in the mailing list thread at
http://seclists.org/nmap-dev/2011/q4/303.
