http://stackoverflow.com/questions/17330160/python-how-does-decorator-property-work
http://martyalchin.com/2007/nov/23/python-descriptors-part-1-of-2/
http://users.rcn.com/python/download/Descriptor.htm
http://www.ibm.com/developerworks/library/os-pythondescriptors/
Friday, August 30, 2013
Monday, August 26, 2013
vi line-editing mode
Selecting columns with visual block mode
#22
ctrl-v
In most text editing environments, if you want to replace some text, you can just start typing and the replacement will overwrite the selection. But Vim’s visual modes are similar to normal mode, in that each key will execute a command. Here are some of the commands covered in this episode:
command | action |
---|---|
c | change selection (delete and switch to insert mode) |
I | insert in front of cursor |
A | append after cursor |
r | replace every character in selection |
d | delete selection |
o | toggle cursor to opposite corner |
Thursday, August 1, 2013
The screen command
The Linux screen command explained - [linux]
2008-10-22 15:05
Function:
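When logging in to Linux remotely over telnet or SSH, if the connection is interrupted abnormally, the system opens a new session on reconnect and the original session cannot be recovered. The screen command solves this problem. Screen is a terminal multiplexer, which in essence means you can run multiple terminal applications from a single terminal window.

Syntax: screen [-AmRvx -ls -wipe][-d <session name>][-h <lines>][-r <session name>][-s ][-S <session name>]

Additional notes: screen is a multi-window manager. A "window" here means a full-screen text-mode display. Usually screen is only needed when logging in to a host over telnet or when using an old-style terminal.

Options:
-A  Resize all windows to the size of the current terminal.
-d <session name>  Detach the specified screen session.
-h <lines>  Set the number of lines in the window's buffer.
-m  Force creation of a new screen session even when already inside a screen session.
-r <session name>  Resume a detached screen session.
-R  Try to resume a detached session first; if no detached session is found, create a new screen session.
-s  Specify the shell to run when creating a new window.
-S <session name>  Specify the name of the screen session.
-v  Show version information.
-x  Resume a previously detached screen session.
-ls or --list  Show all current screen sessions.
-wipe  Check all current screen sessions and remove those that can no longer be used.

Common screen options:
screen -S yourname -> create a new session named yourname
screen -ls -> list all current sessions
screen -r yourname -> return to the session yourname
screen -d yourname -> remotely detach a session
screen -d -r yourname -> end the current session and return to the session yourname

In every screen session, all commands start with ctrl+a (C-a).
C-a ? -> Help, show a brief description
C-a c -> Create, open a new window
C-a n -> Next, switch to the next window
C-a p -> Previous, the previous window
C-a 0..9 -> switch to window 0..9
Ctrl+a [Space] -> cycle in order from window 0 to window 9
C-a C-a -> switch between the two most recently used windows
C-a x -> lock the current window; the user's password is needed to unlock it
C-a d -> detach, leave the current session temporarily: the current screen session (which may contain several windows) is put in the background and you return to the state before entering screen. The processes running in each window of the screen session (foreground or background) keep running, and even a logout does not affect them.
C-a z -> put the current session in the background; the shell's fg command brings it back
C-a w -> Windows, list the windows that are open
C-a t -> Time, show the current time and the system load
C-a K -> kill window, forcibly close the current window
C-a [ -> enter copy mode; in copy mode you can scroll back, search and copy just as in vi
    C-b  Backward, PageUp
    C-f  Forward, PageDown
    H (uppercase)  High, move the cursor to the top-left corner
    L  Low, move the cursor to the bottom-left corner
    0  move to the start of the line
    $  end of the line
    w  forward one word, move forward by one word
    b  backward one word, move backward by one word
    Space  the first press marks the start of the region, the second press marks the end
    Esc  end copy mode
C-a ] -> Paste, paste the content just selected in copy mode
--End--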
About NAT emulation
As we talked yesterday, I think you have to set up the environment yourself, because the virtual machine image is too large.
First I will give an introduction on how to emulate the NAT behavior. Then I’ll give you the steps on how to set it up.
I have not fully tested them for lack of machines (I use a VM on a laptop, and the memory is only 4G); maybe you can help test them and report any problems, and we can review it together.
To better understand the different NAT behaviors, there is RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP. If you don’t have time, you don’t have to read it now; refer to it later when necessary. However, I strongly suggest that you take a look at the FlexNES paper “Improving NAT/Software compatibility through Flexible NAT Emulation Software”. It introduces the NAT behaviors that FlexNES can emulate, and those behaviors are more related to ICE connection setup.
Pre-requirements: You have to set up a VM with two network interfaces, say eth0 and eth1: eth0 connected to the public network (in the office, such as 10.224.173.97; you can use DHCP to get the IP address or set it as a static IP), and eth1 connected to the private network as the gateway (192.168.1.1). Then you have to turn on IP forwarding.
Then you can set up the test client to use it as the gateway, and set the client's IP to an internal IP.
As written in the previous mail, there are two possible solutions (with some updates here):
1. Use iptables NAT. iptables NAT is port restricted + symmetric; the NAT behavior changes case by case.
a. With the --random param, it’s symmetric; else:
b. When there is one client behind the NAT, it’s port restricted.
c. If more than one client is behind the NAT, it MAY be symmetric.
d. P2P connection by STUN is impossible even when both peers are behind iptables NAT. The reason is that in this case (during the hole punching process) one NAT behaves like a symmetric NAT.
Other characteristics of iptables NAT, which can’t be changed:
a. Mapping refresh (30 seconds)
b. iptables NAT will reserve ports and will resolve conflicts.
Reference links:
UDP traversal under iptables: the basics
UDP traversal under iptables: in practice (iptables and natcheck)
Correctly classifying iptables NAT behaviour
The commands are simple:
iptables -F # flush all rules in the filter table (the default table), so traffic is not filtered by any rule
iptables -t nat -F # flush the nat table; a plain "iptables -F" does not touch it
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # add a rule that replaces the source IP with the external IP
2. Use FlexNES (I recommend this one). FlexNES emulates the main NAT behaviors relating to UDP connectivity:
a. Address and Port mapping.
b. Port Assignment.
c. Port Parity.
d. Mapping Refresh.
e. Filtering behavior.
f. Hairpinning.
And as I stated before:
- Full Cone: Endpoint-Independent mapping + Endpoint-Independent filtering
- Restricted Cone: Endpoint-Independent mapping + Address-Dependent filtering
- Port Restricted Cone: Endpoint-Independent mapping + Address and Port-Dependent filtering
- Symmetric: Address and Port-Dependent Mapping + Address and Port-Dependent filtering
To compile FlexNES, you have to compile it on Linux kernel 2.6 (I use CentOS 5.4) and install the dependencies:
1. boost-dev. (yum install boost-devel)
2. Libnet. (http://packetfactory.openwall.net/projects/libnet/)
3. Netfilter dev (I have downloaded the CentOS 5.4 RPMs, and they are under the directory “/root/flexNES-1.0/src” on 10.224.195.53, username: “root”, password: “pass”; you can copy them using scp, port 22):
- iptables-1.3.5-5.6.1.el5.i386.rpm
- iptables-devel-1.3.5-5.6.1.el5.i386.rpm
- libnetfilter_queue-1.0.0-1.el5.i386.rpm
- libnetfilter_queue-devel-1.0.0-1.el5.i386.rpm
- libnfnetlink-1.0.1-1.el5.i386.rpm
- libnfnetlink-devel-1.0.1-1.el5.i386.rpm
You can use rpm -ivh [rpmpkg] to install them.
4. Some source files need to be modified to make the compiler happy; you can also copy the source files from there.
5. “make depend;make” will generate the binary file.
Testing: use natcheck. The source files can be downloaded from http://midcom-p2p.cvs.sourceforge.net/viewvc/midcom-p2p/web/ and you need at least three servers for the test (or you can use one server with 3 IPs):
./natserver 1
./natserver 2
./natserver 3
Besides, you have to change the hardcoded value in natcheck.c, or you can work around this by setting them in “/etc/resolv.conf” to the IP addresses of the servers.
Possibly two approaches now:
1. Using iptables
2. Using 3rd-party tools built directly on netfilter.
Still in progress, and not tested yet. Will update with clearer guides later when the solutions have been tested.
The following is for those interested in the details.
Solution 1
----------------------
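Firewalling with netfilter/iptables: covers configuring iptables as a firewall, mainly the use of the filter and nat tables.
Advanced Features of netfilter/iptables: covers some advanced iptables features, such as load balancing, traffic control, time-based access control and limiting the number of connections.
NAT - Network Address Translation: explains in detail the principles and configuration of NAT on Linux.
NAT-HOWTO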
NAT can be divided into the following types:
• Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
• Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
• Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
• Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
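There are really two aspects here: one is how the (ip, port) of outgoing connections is allocated (mapping), and the other is which packets from outside are allowed in (filter).
We can use iptables to emulate NAT, but which type of NAT is it exactly? And how can the different types of NAT be emulated? Opinions on the web differ widely on these questions; below is a relatively authoritative answer.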
“As I wrote at netfilter-devel around May this year,
- According to the terminology of RFC 3489, netfilter implements port restricted cone NAT. If the --random flag is specified to the SNAT/MASQUERADE/… targets, it's better described as a symmetric NAT.
- According to the terminology of RFC 4787 and RFC 5382, netfilter implements
  - endpoint-independent mapping. If the --random flag is specified to the SNAT/MASQUERADE/… targets, it's an address and port-dependent mapping.
  - address and port-dependent filtering.
”
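The link is here: Correctly classifying iptables NAT behaviour
Below is some of my own understanding:
To emulate the different NAT types is really to emulate mapping and filtering.
For the cone types, the mapping policy is the same for all three; only the filtering policy differs. The mapping policy is that the same internal (ip, port) is assigned the same external (ip, port). If we use the SNAT or MASQUERADE target, only the IP is replaced and the port stays unchanged, which emulates the mapping. The filtering policy is handled by the filter table in iptables. Address Restricted Cone and Port Restricted Cone need to record state: whether the internal (ip, port) has previously sent data to the corresponding dst_ip or (dst_ip, dst_port). When creating filter rules, a state can be specified (see Firewalling with netfilter/iptables for details): for Address Restricted Cone the state should be RELATED, and for Port Restricted Cone the state is ESTABLISHED. The default in iptables is ESTABLISHED, i.e. Port Restricted.
For Symmetric, the mapping policy is different: if SNAT or MASQUERADE is given the --random parameter, it is the Symmetric type. Filtering is by default the same as for Port Restricted Cone.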
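The mapping/filtering split described above, as a toy model added here (it is not FlexNES, netfilter or natcheck code). The class and function names, addresses and ports are constructed for illustration; the probes follow the RFC 3489 definitions quoted earlier.

```python
# Added example: hypothetical toy model of NAT mapping + filtering policies.
import itertools

class Nat:
    """mapping: 'EI' (endpoint-independent) or 'APD' (address and port-dependent).
    filtering: 'EI', 'AD' (address-dependent) or 'APD'."""
    def __init__(self, mapping, filtering, ext_ip="203.0.113.1"):
        self.mapping, self.filtering, self.ext_ip = mapping, filtering, ext_ip
        self.ports = itertools.count(40000)   # constructed external port pool
        self.table = {}                       # mapping key -> external port
        self.sent = {}                        # external port -> (internal, remotes seen)

    def outbound(self, internal, remote):
        """Translate a packet internal -> remote; return the external (ip, port)."""
        key = internal if self.mapping == "EI" else (internal, remote)
        if key not in self.table:
            self.table[key] = next(self.ports)
            self.sent[self.table[key]] = (internal, set())
        port = self.table[key]
        self.sent[port][1].add(remote)
        return (self.ext_ip, port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint the packet is forwarded to, or None if dropped."""
        if ext_port not in self.sent:
            return None
        internal, remotes = self.sent[ext_port]
        if self.filtering == "EI":
            ok = True                                      # anyone may reply
        elif self.filtering == "AD":
            ok = any(r[0] == remote[0] for r in remotes)   # same IP, any port
        else:
            ok = remote in remotes                         # exact (ip, port) only
        return internal if ok else None

def classify(nat):
    """Probe the NAT from one internal socket towards several servers."""
    client = ("192.168.1.10", 5000)
    s1, s2 = ("198.51.100.1", 3478), ("198.51.100.2", 3478)
    m1, m2 = nat.outbound(client, s1), nat.outbound(client, s2)
    if m1 != m2:                                     # mapping depends on destination
        return "Symmetric"
    if nat.inbound(("198.51.100.3", 3478), m1[1]):   # host never contacted
        return "Full Cone"
    if nat.inbound((s1[0], 3479), m1[1]):            # known host, different port
        return "Restricted Cone"
    return "Port Restricted Cone"
```

For instance, `classify(Nat("EI", "APD"))` models the default behaviour attributed to netfilter above, and `Nat("APD", "APD")` models the `--random` case.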
Solution 2
----------------------