ljb
just joined
Topic Author
Posts: 17
Joined: Mon Feb 28, 2022 9:39 pm

Partial match on address lists - exist? or feature request?

Thu Jun 29, 2023 7:50 pm

I have numerous address lists that overlap. I wish I could partial match them... In example below:

/ip/firewall/address-list
add name=range-blacklist-permanent address=1.0.0.0/8
add name=range-blacklist-temporary address=2.0.0.0/8 timeout="00:10:00"

/ip/firewall/filter
add chain=input src-address-list="range-blacklist-*" action=drop
add chain=forward src-address-list="range-blacklist-*" action=drop

Is it possible to have a partial match?

ljb
 
chechito
Forum Guru
Posts: 3150
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Partial match on address lists - exist? or feature request?

Thu Jun 29, 2023 8:07 pm

here is a useful collection of scripts

hope that helps

Rextended Fragments of Snippets
viewtopic.php?t=177551
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Partial match on address lists - exist? or feature request?

Thu Jun 29, 2023 9:09 pm

That would be possible if address lists could be grouped. Mikrotik did not add that to ROS so it is not possible.

But looking at your example, use one name for both entries. The second one with a timeout will stop existing in the listing when the counter reaches zero.

Strange that you did not test that yourself.
 
ljb
just joined
Topic Author
Posts: 17
Joined: Mon Feb 28, 2022 9:39 pm

Re: Partial match on address lists - exist? or feature request?

Fri Jun 30, 2023 10:05 am

The firewall filter rule that reads the name of the address list does not honour an asterisk (*), underscore (_) or question mark (?) as a wildcard; instead it reads it as a textual character. Is there any sequence of special characters that represents a wildcard for the src-address-list and dst-address-list fields in the Filter, NAT and Mangle rules list?

@chechito, thanks. That's a handy resource of information.

@msatter I am sorry to say that manipulating an address list with more than 50 000 entries with scripting is time consuming and creates room for error.

I reiterate my initial question in the headline: do wildcard characters exist, or should I go ahead with a feature request?
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Partial match on address lists - exist? or feature request?

Fri Jun 30, 2023 12:35 pm

No, it does not exist and it also does not exist in the underlying Linux mechanism that is used by RouterOS.
What DOES exist in Linux is the possibility of a "list of lists". There you can define a new address-list that has other address-lists as members.
So you could make a "range-blacklist" that has members "range-blacklist-permanent" and "range-blacklist-temporary", and you can specify "range-blacklist" in a firewall rule. It will then match entries from both member lists.
You can put THAT as a feature request item, but... it has been requested before.

The issue is that for this to work, address-lists would have to be defined/configured before adding the first item.
That is not done now in RouterOS, an address-list is implicitly created by adding the first item to it.
That precludes having configuration items at the top level, which in Linux would be required for this to work.
Having it would also allow the possibility of other types of address-list and of other optional items, like a match counter for every member.

Unfortunately such a move would always introduce some compatibility issues and complaints from people: "my script no longer works!".
So it is a tradeoff, and apparently MikroTik decided not to do it yet.
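The Linux "list of lists" pe1chl describes, written out as an added example (this is not code from the thread, from MikroTik, or from any RouterOS release): a POSIX shell script that generates an `ipset restore` file creating the two member sets from ljb's first post, nesting them in a `list:set`, and the two `iptables` rules that match the aggregate set. The set names and the 1.0.0.0/8 and 2.0.0.0/8 prefixes are taken from the first post; the 600-second timeout is assumed to mirror its "00:10:00" entry, and the helper function names are my own. The functions only emit text, so the script can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the forum thread or from MikroTik.
# Builds an `ipset restore` script demonstrating a list:set ("list of lists")
# whose members are two hash:net sets, one of them with a timeout, and the
# iptables rules that reference the aggregate. Nothing is applied here.

# hash_net_set NAME [TIMEOUT_SECONDS]
# Emit the "create" line for a hash:net set; a default timeout is optional.
hash_net_set() {
    if [ -n "$2" ]; then
        echo "create $1 hash:net family inet timeout $2"
    else
        echo "create $1 hash:net family inet"
    fi
}

# add_net SET PREFIX [TIMEOUT_SECONDS]
# Emit an "add" line; a per-entry timeout overrides the set default.
add_net() {
    if [ -n "$3" ]; then
        echo "add $1 $2 timeout $3"
    else
        echo "add $1 $2"
    fi
}

# list_of_sets AGGREGATE MEMBER...
# Emit a list:set and add each member set to it. In ipset the member sets
# must already exist, so this is called after the hash:net sets are created.
list_of_sets() {
    agg=$1
    shift
    echo "create $agg list:set"
    for m in "$@"; do
        echo "add $agg $m"
    done
}

# drop_rules SETNAME CHAIN...
# Emit one iptables DROP rule per chain, matching the source address
# against the (aggregate) set. The kernel walks the member sets for you.
drop_rules() {
    s=$1
    shift
    for c in "$@"; do
        echo "iptables -A $c -m set --match-set $s src -j DROP"
    done
}

# Assemble the restore script for ljb's two lists (names and prefixes from
# the first post; 600 s is assumed to correspond to timeout="00:10:00").
gen_ipset_restore() {
    hash_net_set range-blacklist-permanent
    add_net range-blacklist-permanent 1.0.0.0/8
    hash_net_set range-blacklist-temporary 600
    add_net range-blacklist-temporary 2.0.0.0/8 600
    list_of_sets range-blacklist range-blacklist-permanent range-blacklist-temporary
}

# Count how many member sets the aggregate holds in the generated script.
count_list_members() {
    gen_ipset_restore | grep -c '^add range-blacklist '
}

# Top-level: print the restore script and the firewall rules for review.
gen_ipset_restore
drop_rules range-blacklist INPUT FORWARD
```

On a Linux host with root privileges the generated text is applied with `ipset restore -! < file` followed by the printed `iptables` commands (or `ipset restore` inside an `iptables-restore` pre-up hook). Entries in `range-blacklist-temporary` expire after 600 s, but the firewall rules never need to change because they reference only the aggregate `range-blacklist`, which is exactly the grouping behaviour RouterOS address lists lack.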
 
ljb
just joined
Topic Author
Posts: 17
Joined: Mon Feb 28, 2022 9:39 pm

Re: Partial match on address lists - exist? or feature request?

Fri Jun 30, 2023 2:41 pm

@pe1chl

Thanks for the elaborate response. It is really insightful.

A "list of lists" is likely a better approach to overlapping lists rather than a wildcard / 'LIKE' implementation.

The unfortunate truth is that "My script no longer works!" will always be around.

Perhaps a child list specification could allow you to attach specific blocks to multiple lists rather than having them listed five and 10 times?

ljb
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Partial match on address lists - exist? or feature request?

Fri Jun 30, 2023 9:05 pm

The early philosophy of RouterOS always was to bother users as little as possible with creation of container items and do that all in the background.
So you can create firewall chains, packet marks, connection marks, address-lists etc. simply by adding a first item. In Linux, you would first have to create it before you can add items.

More recently, RouterOS has changed that. E.g. "interface lists" (a later addition) first have to be created before you can add interfaces to them.
And "routing tables" now (since v7) also have to be defined before you can add routes, instead of auto-creating them by adding a route with a routing mark or a routing protocol that manages a routing table.
That change caused quite some bugs early in the v7 cycle. Routing table creation commands were automatically added to the config whenever routes were present in the v6 config being converted, but at first they ended up in the wrong place, and on every upgrade new tables were auto-added causing duplicates and matching problems.

So they probably have learned now. But it is not out of the question that at some point there will be a "lists" button under the IP->Firewall->address lists menu where you first have to create your lists before you can add an item to them.
That can still be auto-converted from existing config that already had hard address-list members, but it will fail for scripts that attempt to add entries to an address-list that does not yet exist. The user first needs to create it.

This change would open the possibility for lots of advanced address-list features and also a little better efficiency. At the moment, RouterOS can do no better than create a list of "hashed subnets" with the "timeout" option, but there are lots of other address-list possibilities in Linux.
(they are named "ipset" there, google for "Linux ipset" to see documentation)
