From: Klemens Nanni
Subject: Re: unwind: support wildcard in blacklist
To: Otto Moerbeek , OpenBSD tech , florian@openbsd.org
Date: Sat, 24 Aug 2024 11:25:06 +0000

06.07.2024 18:40, Kirill A. Korinsky wrote:
> Folks,
>
> Here is a reminder about this diff.
>
> I'm using it for about two weeks and it just works.
>
> The diff changes semantics of blacklist into:
>
> type list file [log]

block|pass list file [log]

Would match known terminology and keep tags working, i.e. ":tblock" in man's pager.

> A file with domains to build the block or allow list. The block
> list allows querying all possible domains, and any matching
> domain returns a REFUSED response. The allow list allows querying
> only matching domains. With log blocked queries are logged. The
> list supports limited wildcard syntax: domains starting with .
> (dot) are treated as any subdomains on that zone.

This can almost certainly be improved, we can polish this if/when there's consensus.

>
> So, after that these two lines:
>
> google.com
> *.google.com
>
> blocks any requests to google.com and all its subdomains, or allows access
> only to google.com which depends on type of this list.

I came here to reduce the current blocklist's line count on a simple VPN box,
but the opposite approach seems sensible as well and basically comes for free.

Works nicely for me.

Florian, what do you think, overall?

> +static void
> +reverse(char* begin, char* end)

Should be `type *name' to match style(9).

> +{
> + char t;

Should use a tab to match the rest of the file.
I'd add an empty line here to separate.

> + while (begin < --end) {
> + t = *begin;
> + *begin = *end;
> + *end = t;
> + ++begin;
> + }
> +}
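
Review bot: In reverse(), the loop condition "begin < --end" decrements end before the first comparison, so a call with begin == end leaves end pointing one element before begin, which lies outside the buffer when begin is its first byte. A short comment stating that end is exclusive (one past the last character to swap), or an early "if (begin == end) return;" ahead of the loop, would make the contract explicit for callers.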