Friday, July 3, 2020

My Animal Crossing speed-development log

No spoilers; a reference for players who want to develop their island as fast as possible.

Day 0 (Jun 11, 2020)

Enter your nickname and birthday, create your character
Place 3 tents (choose the sites carefully; relocating is expensive)
Enter the island name (cannot be changed later)

Day 1 (Jun 11)

Do the dailies (check in, greet villagers, shake trees)
Earn 5000 Nook Miles and pay off the loan
Donate 5 kinds of bugs or fish to Tom Nook (the prompt "Huh? This is..." means it is a new species)
Build the museum
Store the species you want to donate tomorrow

Day 2 (Jun 12)

Do the dailies (check in, greet villagers, shake trees, message bottle)
Unlock online play and mystery islands
Unlock the vaulting pole and shovel
Donate 10 kinds of bugs, fish and fossils to Blathers
Store the species you want to donate in three days
Hit rocks, dig up Bells
Collect the 5 kinds of fruit other than your native fruit, plus bamboo
Adopt 3 villagers on mystery islands (otherwise they are assigned randomly)
Collect wood ×30, softwood ×30, hardwood ×30, iron nuggets ×30
Build the shop

Day 3 (Jun 13)

Do the dailies (check in, greet villagers, shake trees, hit rocks, dig up Bells, message bottle)
Buy turnips (on Sundays, starting this week)
Store the species you want to donate tomorrow
Build the bridge
Build 3 houses, unlock the ladder
Craft 18 pieces of furniture

Day 4 (Jun 14)

Welcome the 3rd villager
Do the dailies (check in, greet villagers, shake trees, hit rocks, dig up Bells, trade turnips, message bottle)
Unlock Harv's Island
Unlock the seasonal event (Wedding Season in June)
Unlock furniture customization
Donate the species collected over the previous two days
Buy 5000 Bells' worth of clothing from Mabel

Day 5 (Jun 15)

Welcome the 4th villager
Do the dailies and the seasonal event
The museum starts accepting art

Day 6 (Jun 16)

Welcome the 5th villager
The fruit trees you planted start bearing fruit
Do the dailies and the seasonal event
Buy art from Redd and donate it to the museum
Withdraw money; the ATM will be unavailable tomorrow
Celeste appears in the evening; unlock wishing on shooting stars

Day 7 (Jun 17)

Resident Services and the museum are expanded

Day 8 (Jun 18)

Welcome Isabelle
The background music changes
Unlock building bridges and inclines, and moving buildings
Unlock the island tune and island flag
Unlock redeeming the fourth row of pocket space
Redd's boat shop can now be entered
New main quest: invite K.K.
Build the campsite

Day 9 (Jun 19)

Rugs, wallpaper and flooring can now be bought from Saharah
Sixth day of the seasonal event: wedding party
Unlock Harv's Island posters

Day 10 (Jun 20)

Mabel visits the island again
A camper arrives at the campsite; you must take them in
Build a new house
Unlock selling land plots

Day 11 (Jun 21)

Welcome the 6th villager
Unlock the island rating system
Unlock amiibo
Build the clothing shop

Day 12 (Jun 22)

Welcome the 7th villager

Day 13 (Jun 23)

Welcome the 8th villager
The clothing shop opens
Island rating reaches three stars; K.K. successfully invited
Celeste appears; meteor shower

Day 14 (Jun 24)

Welcome the 9th villager
K.K. comes to the island for a concert
Unlock Island Designer

Main story complete.


Day 15 (Jun 25)

Welcome the 10th villager

Day 17 (Jun 27)

Flick visits the island
First Bug-Off

Day 19 (Jun 29)

C.J. visits the island
Celeste appears; meteor shower
Worked out the weather seed (714058723)

Day 20 (Jun 30)

Kicks visits the island
The seasonal event ends
A visitor at the campsite

Day 22 (Jul 2)

Flick visits the island

Day 23 (Jul 3)

Game updated to v1.3.0; diving unlocked
Leif visits the island

Day 28 (Jul 8)

绵儿 visits the island

Day 29 (Jul 9)

"My House" expansion complete

Wednesday, March 25, 2020

Reply UDP with correct source address on a multihomed Linux server

This article has a Chinese version: https://blog.swineson.me/________ (not yet published)

Multihoming means connecting a machine to multiple computer networks. A multihomed server has multiple IP addresses, on either a single network interface or several.
One particular problem on Linux is that a UDP server bound to the wildcard address replies from the primary IP address (the preferred source address of the outgoing route), even when the request was sent to a secondary IP address. The client then receives a reply from an address it never contacted, and many clients discard such replies.

Fix at userland, if possible

First, check whether your application supports multihoming. For example, OpenVPN has a --multihome switch that enables multihome support.
Alternatively, you can often bind the server to a specific IP address and run one instance per IP address.
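What a daemon does when it handles this itself, as an added example written for this page (it is not OpenVPN's code): it enables IP_PKTINFO so every received datagram carries the local address it was sent to, and attaches IP_PKTINFO to the reply so the reply leaves from that same address. It is Linux-specific; it uses 127.0.0.2 on loopback as a stand-in for a secondary address, since Linux answers all of 127.0.0.0/8 on lo, and the fallback value 8 for IP_PKTINFO is the Linux constant for Python builds that do not export it.

```python
import socket
import struct
import threading

# Linux value of IP_PKTINFO (linux/in.h), used if this Python build does not export it.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
IN_PKTINFO = struct.Struct("=i4s4s")


def recv_with_dst(sock, bufsize=4096):
    """Receive one datagram; return (data, peer, local address the datagram was sent to)."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(IN_PKTINFO.size))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = IN_PKTINFO.unpack(cdata[:IN_PKTINFO.size])
            dst = socket.inet_ntoa(addr)  # ipi_addr: the destination address of the datagram
    return data, peer, dst


def send_from(sock, data, peer, src):
    """Send `data` to `peer`, forcing the source address `src` via IP_PKTINFO."""
    # ipi_spec_dst selects the source address; ifindex 0 leaves the route choice to the kernel.
    pktinfo = IN_PKTINFO.pack(0, socket.inet_aton(src), bytes(4))
    return sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def serve_one(sock, fixed):
    """Answer one request. fixed=False replies with plain sendto, i.e. the default behaviour."""
    data, peer, dst = recv_with_dst(sock)
    if fixed:
        send_from(sock, b"echo:" + data, peer, dst)
    else:
        sock.sendto(b"echo:" + data, peer)
    return dst


def demo(fixed, request_to="127.0.0.2"):
    """Bind a wildcard UDP server, send one request to `request_to` over loopback,
    and return (reply payload, source IP the reply came from)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask the kernel for destination info
    server.bind(("0.0.0.0", 0))                          # wildcard bind, like a multihomed daemon
    port = server.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(server, fixed))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    try:
        client.sendto(b"hello", (request_to, port))
        reply, (reply_ip, _port) = client.recvfrom(4096)
    finally:
        worker.join(5)
        client.close()
        server.close()
    return reply, reply_ip


if __name__ == "__main__":
    print("default reply source:   ", demo(fixed=False)[1])  # 127.0.0.1, not where the request went
    print("IP_PKTINFO reply source:", demo(fixed=True)[1])   # 127.0.0.2
```

Run it as root-free user code; no routing or firewall changes are needed for the loopback demonstration. The same recv/send pair works unchanged on a real multihomed host, where the kernel's default choice would be the primary address of the outgoing route.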

Otherwise, fix at kernel side

A: If all IP addresses are assigned to the same network interface

For example:
eth0:
    inet 192.0.2.2/24 brd 192.0.2.255 scope global eth0
        valid_lft forever preferred_lft forever
    inet 192.0.2.3/24 brd 192.0.2.255 scope global eth0
        valid_lft forever preferred_lft forever
The main routing table:
default via 192.0.2.1 dev eth0 onlink
We use iptables to DNAT incoming UDP packets addressed to any local address to the primary IP address (REDIRECT is a DNAT to the incoming interface's primary address), and then flush existing conntrack entries so the new rule applies to all flows:
sudo iptables -t nat -A PREROUTING -i eth0 -m addrtype --dst-type LOCAL -p udp -j REDIRECT
sudo conntrack -F
If you prefer the newer nftables to the older iptables, here are the equivalent nft commands:
sudo nft add table nat
sudo nft add chain nat prerouting { type nat hook prerouting priority dstnat \; }
sudo nft add rule ip nat prerouting iifname "eth0" meta l4proto udp fib daddr type local counter redirect
sudo conntrack -F
That's it, we're done.

B: If IP addresses are assigned to different network interfaces

For example:
eth0:
    inet 192.0.2.2/24 brd 192.0.2.255 scope global eth0
        valid_lft forever preferred_lft forever
eth1:
    inet 198.51.100.2/24 brd 198.51.100.255 scope global eth1
        valid_lft forever preferred_lft forever
The main routing table:
default via 192.0.2.1 dev eth0 onlink
First, we disable reverse path filter on eth1:
sudo sysctl net.ipv4.conf.eth1.rp_filter=0
You may want to write the sysctl setting to /etc/sysctl.d so it is applied automatically on boot. Disabling rp_filter turns off the kernel's check that a packet's source address is routable back through the interface it arrived on; if that worries you, you can compensate with additional firewall rules.
Next, we set up routing policies:
sudo ip rule add fwmark 0x42 pref 42 table 42
sudo ip route add default table 42 via 198.51.100.1 dev eth1
Then we set up connection tracking and DNAT for the UDP packets:
sudo iptables -t mangle -A INPUT -i eth1 -j MARK --set-mark 0x42
sudo iptables -t mangle -A INPUT -i eth1 -j CONNMARK --save-mark
sudo iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
sudo iptables -t nat -A PREROUTING -i eth1 -m addrtype --dst-type LOCAL -p udp -j DNAT --to-destination 192.0.2.2
sudo conntrack -F
The nftables equivalents are:
sudo nft add table mangle
sudo nft add table nat

sudo nft add chain ip mangle input { type filter hook input priority mangle \; }
sudo nft add chain ip mangle output { type route hook output priority mangle \; }
sudo nft add chain nat prerouting { type nat hook prerouting priority dstnat \; }

sudo nft add rule ip mangle input iifname "eth1" counter meta mark set 0x42
sudo nft add rule ip mangle input counter ct mark set mark
sudo nft add rule ip mangle output counter meta mark set ct mark
sudo nft add rule ip nat prerouting iifname "eth1" meta l4proto udp fib daddr type local counter dnat 192.0.2.2

sudo conntrack -F

Why SNAT may not work

You might have attempted to use an SNAT on outgoing packets and failed. That is because SNAT causes the request packet and the response packet to be considered separate connections by conntrack.
For example, your server listens on 0.0.0.0:53, and a request is sent from 203.0.113.1:1024 to 198.51.100.2:53. Conntrack tracks a connection from 203.0.113.1:1024 to 198.51.100.2:53.
The server accepts the request but replies from 192.0.2.2:53. This time, conntrack adds another connection from 192.0.2.2:53 to 203.0.113.1:1024 instead of merging it with the previous one.
When the packet travels through the firewall, SNAT only applies to the second connection. To make things worse, the outgoing port number may be changed, because the kernel thinks port 53 is already occupied!

If we use the DNAT method, conntrack will instead track a connection from 203.0.113.1:1024 to 192.0.2.2:53, even though the packet is actually sent to 198.51.100.2:53.
Then, when the server replies with 192.0.2.2:53, the reply packet directly matches the conntrack record, causing the source address to be restored to 198.51.100.2:53.
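The two cases above as an added worked example: a simplified model of conntrack's tuple lookup written for this page, not kernel code. Each entry stores the request as it arrived (before NAT) and the reply conntrack expects (the request after NAT, reversed); a packet is attributed to an entry only when it equals one of those two tuples, and NAT must keep the expected reply tuple unique. The addresses are the ones in the text; the port-collision handling just bumps the port, whereas the kernel picks one from a range.

```python
from dataclasses import dataclass, field

# A packet is ((src_ip, src_port), (dst_ip, dst_port)); addresses taken from the text above.
CLIENT = ("203.0.113.1", 1024)
SECONDARY = ("198.51.100.2", 53)   # the address the request was really sent to
PRIMARY = ("192.0.2.2", 53)        # the address the wildcard-bound server replies from


def reverse(pkt):
    src, dst = pkt
    return (dst, src)


@dataclass
class Entry:
    orig: tuple    # the request as it arrived, before any NAT
    reply: tuple   # the reply conntrack expects: the request after NAT, reversed


@dataclass
class Conntrack:
    entries: list = field(default_factory=list)

    def lookup(self, pkt):
        """Find the entry a packet belongs to and the direction it travels in."""
        for e in self.entries:
            if pkt == e.orig:
                return e, "ORIGINAL"
            if pkt == e.reply:
                return e, "REPLY"
        return None, "NEW"

    def in_use(self, tup):
        return any(tup in (e.orig, e.reply) for e in self.entries)

    def handle(self, pkt, dnat_to=None, snat_to=None):
        """Pass one packet through conntrack and NAT; return (packet as sent, direction)."""
        entry, direction = self.lookup(pkt)
        if direction == "REPLY":
            return reverse(entry.orig), direction    # undo the NAT mapping on the way back
        if direction == "ORIGINAL":
            return reverse(entry.reply), direction   # re-apply the mapping of the entry
        src, dst = pkt
        if dnat_to:
            dst = (dnat_to, dst[1])
        if snat_to:
            src = (snat_to, src[1])
        # The expected reply tuple must be unique. If it collides with an existing entry
        # the kernel rewrites the port; this model simply bumps it (simplification).
        while self.in_use(reverse((src, dst))):
            src = (src[0], src[1] + 1)
        self.entries.append(Entry(orig=pkt, reply=reverse((src, dst))))
        return (src, dst), direction


def snat_scenario():
    """Request left untouched; SNAT attempted on the reply. Returns (sent packet, direction, entries)."""
    ct = Conntrack()
    ct.handle((CLIENT, SECONDARY))
    sent, direction = ct.handle((PRIMARY, CLIENT), snat_to=SECONDARY[0])
    return sent, direction, len(ct.entries)


def dnat_scenario():
    """Request DNATed to the primary address; the reply then matches the same entry."""
    ct = Conntrack()
    ct.handle((CLIENT, SECONDARY), dnat_to=PRIMARY[0])
    sent, direction = ct.handle((PRIMARY, CLIENT))
    return sent, direction, len(ct.entries)


if __name__ == "__main__":
    print("SNAT:", snat_scenario())   # second entry, reply leaves from 198.51.100.2 with a changed port
    print("DNAT:", dnat_scenario())   # one entry, reply leaves from 198.51.100.2:53
```

In the SNAT run the reply starts a second entry whose expected reply tuple collides with the first entry, so the source port gets rewritten; in the DNAT run the reply hits the first entry's reply tuple and conntrack restores 198.51.100.2:53 as the source.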

How to match and filter NATed packets

Since the filter chain comes after the mangle and nat chains, the destination address has already been rewritten by the time filter rules see the packet, so the iptables -d switch cannot match the intended (pre-NAT) destination address.
Instead, use -m conntrack --ctorigdst, which matches the original destination recorded by conntrack. You can also use -m conntrack --ctstatus DNAT to determine whether the packet was DNATed.
For nftables users, ct original daddr and ct status serve the same purpose.