URL Filter List - Maximum Length

itsming

Occasional Visitor
Hi guys,

I am just curious about why the maximum length of the URL filter list is 64 in asuswrt-merlin (version 386). Also, does anyone know how to increase the limit?

Thanks,
Ming
 
The router has a very limited amount of space to store its configuration. Therefore lists like this have to be restricted to a certain size to prevent problems.
 
Given the URL filter only works w/ http (i.e., unencrypted packets), and VERY little traffic these days is unencrypted, the URL filter isn't all that useful anymore anyway. Way back in the early part of the 2000's, the story was different. I'm surprised it's still maintained in the GUI.

Interestingly, Merlin extended the life of URL filtering a bit by adding logic to search DNS queries (udp port 53) for the same string, then dropping the request on a match.

Code:
admin@lab-merlin1:/tmp/home/root# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
…
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "|0378797a03636f6d|" ALGO name bm TO 65535 ICASE
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url xyz.com  reject-with tcp-reset
…

The rule for tcp is the normal URL filtering rule. The one for udp was added for DNS queries. Technically, the latter is NOT URL filtering. But as I said, he gave the feature some added life w/ that change. But if that's what you need, then you can simply block those same domain names directly in DNSMasq and NOT be limited to 64 entries.

Code:
address=/xyz.com/0.0.0.0

There are users blocking tens of thousands of domain names this way, typically through configuration of ad blockers.
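
The hex string in the udp rule above is the DNS wire encoding of xyz.com, with a length byte in front of each label. As an added example (not part of the original post and not the firmware's code), this Python code derives that pattern, models the case-insensitive substring match against constructed DNS queries, and emits the equivalent dnsmasq lines; all function names and sample names are hypothetical.

```python
import struct

def dns_wire_name(domain: str) -> bytes:
    """Encode a name as length-prefixed DNS labels (no terminating root byte)."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label in {domain!r}")
        out += bytes([len(raw)]) + raw
    return out

def string_match_pattern(domain: str) -> str:
    """Hex pattern as iptables prints it for the STRING match on udp dpt:53."""
    return "|" + dns_wire_name(domain.lower()).hex() + "|"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A/IN query: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(name) + b"\x00" + struct.pack(">HH", 1, 1)

def rule_would_match(domain: str, payload: bytes) -> bool:
    """Model of the rule: case-insensitive (ICASE) substring search of the payload."""
    return dns_wire_name(domain.lower()) in payload.lower()

def dnsmasq_lines(domains) -> list:
    """Deduplicated address= lines in the form shown in the post."""
    seen, lines = set(), []
    for entry in domains:
        name = entry.strip().strip(".").lower()
        if not name or name.startswith("#") or name in seen:
            continue
        dns_wire_name(name)  # raises ValueError on a malformed name
        seen.add(name)
        lines.append(f"address=/{name}/0.0.0.0")
    return lines

if __name__ == "__main__":
    print(string_match_pattern("xyz.com"))
    # Constructed sample names, not taken from the thread.
    for name in ("www.XYZ.com", "abcxyz.com", "xyz.com.example.org"):
        print(name, rule_would_match("xyz.com", build_query(name)))
    print("\n".join(dnsmasq_lines(["xyz.com", "XYZ.com.", "# comment", "example.net"])))
```

The length byte before xyz is why abcxyz.com does not match the packet rule while www.xyz.com does. Because the pattern has no terminating root byte, it also matches xyz.com.example.org, which the dnsmasq entry would not cover.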
 
Interestingly, Merlin extended the life of URL filtering a bit by adding logic to search DNS queries (udp port 53) for the same string, then dropping the request on a match.
Wasn't from me, must be Asus if it really does that.
 
Given the URL filter only works w/ http (i.e., unencrypted packets), and VERY little traffic these days is unencrypted, the URL filter isn't all that useful anymore anyway. Way back in the early part of the 2000's, the story was different. I'm surprised it's still maintained in the GUI.

Interestingly, Merlin extended the life of URL filtering a bit by adding logic to search DNS queries (udp port 53) for the same string, then dropping the request on a match.

Code:
admin@lab-merlin1:/tmp/home/root# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
…
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "|0378797a03636f6d|" ALGO name bm TO 65535 ICASE
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url xyz.com  reject-with tcp-reset
…

The rule for tcp is the normal URL filtering rule. The one for udp was added for DNS queries. Technically, the latter is NOT URL filtering. But as I said, he gave the feature some added life w/ that change. But if that's what you need, then you can simply block those same domain names directly in DNSMasq and NOT be limited to 64 entries.

Code:
address=/xyz.com/0.0.0.0

There are users blocking tens of thousands of domain names this way, typically through configuration of ad blockers.
URL filter actually works for https. But it will not work when VPN is used in the client, which makes sense because the packets are not encrypted by the router.

Yeah, I will try DNSMasq. Thanks for the solution.
 
