mirror of
https://github.com/nmap/nmap.git
synced 2026-01-19 20:59:01 +00:00
Current exclusions list from --excludefile takes linear time to match against. Using a trie structure, we can do matching in O(log n) time, with a hard maximum of 32 comparisons for IPv4 and 128 comparisons for IPv6.

Each node of the trie represents an address prefix that all subsequent nodes share; matching stops when one is matched exactly or when the candidate address does not match any prefix of the addresses in the trie.

For now, only numeric addresses without netmask are supported. We plan to extend this to addresses with netmasks, including resolved names. Storing IPv4 ranges and wildcards in this structure would be prohibitively complex, so the existing linear match method will be used for those. It is unlikely that any users are using large exclusion lists of these types of specifications, so performance impact is small.

Potential future features could use the trie structure to implement custom routing or scope-limiting.

This was a todo list item based on this report: https://seclists.org/nmap-dev/2012/q4/420
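As an added illustration (not Nmap's own code), here is a minimal binary trie over address bits of the kind the message describes: one node per bit, a walk of at most 32 edges for IPv4 or 128 for IPv6, stopping at the first exact match or missing branch. It goes slightly beyond the commit by also accepting netmask prefixes, the extension the message says is planned; the function names, the assumption of one root per address family, and the sample addresses are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
/* One binary-trie node per address bit; `excluded` marks the end of an exclusion
 * entry (host address or netmask prefix). Keep one root per address family. */
typedef struct trie_node { struct trie_node *child[2]; int excluded; } trie_node;

/* Bit i (0 = most significant) of a network-byte-order address. */
static int addr_bit(const uint8_t *addr, int i) {
    return (addr[i / 8] >> (7 - (i % 8))) & 1;
}

/* Add addr/prefixlen (32 or 128 for a plain host). Returns 0 on allocation failure. */
int trie_insert(trie_node *root, const uint8_t *addr, int prefixlen) {
    trie_node *n = root;
    for (int i = 0; i < prefixlen; i++) {
        if (n->excluded) return 1;         /* a shorter prefix already covers it */
        int b = addr_bit(addr, i);
        if (!n->child[b] && !(n->child[b] = calloc(1, sizeof *n))) return 0;
        n = n->child[b];
    }
    n->excluded = 1;
    return 1;
}

/* 1 if addr is excluded. Walks at most `bits` edges (32 for IPv4, 128 for IPv6),
 * stopping early at the first excluded prefix or the first missing branch. */
int trie_match(const trie_node *root, const uint8_t *addr, int bits) {
    const trie_node *n = root;
    for (int i = 0; i < bits; i++) {
        if (n->excluded) return 1;
        if (!(n = n->child[addr_bit(addr, i)])) return 0;
    }
    return n->excluded;
}

void trie_free(trie_node *n) {
    if (!n) return;
    trie_free(n->child[0]); trie_free(n->child[1]); free(n);
}

/* Constructed demo: exclude 10.0.0.5/32 and 192.168.0.0/16, then probe four
 * addresses; bit k of the result is set when probe k matched. Expected: 5. */
int exclusion_demo(void) {
    static const uint8_t entry[2][4] = {{10,0,0,5}, {192,168,0,0}}, plen[2] = {32, 16};
    static const uint8_t probe[4][4] = {{10,0,0,5}, {10,0,0,6}, {192,168,77,1}, {192,169,0,1}};
    trie_node *root = calloc(1, sizeof *root);
    int result = 0;
    if (!root) return -1;
    for (int k = 0; k < 2; k++) if (!trie_insert(root, entry[k], plen[k])) result = -1;
    for (int k = 0; k < 4 && result >= 0; k++) result |= trie_match(root, probe[k], 32) << k;
    trie_free(root);
    return result;
}
```

The IPv4 ranges and wildcards the message mentions (e.g. 10.0.0.1-20) are not expressible as a single prefix and would still need the separate linear path described in the commit.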