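The World of OpenWrt: Raspberry Pi 3B [Router] Moving the Stars and Turning the Dipper «4.6» The Trojan Horse Sacks the City, Part B

Python Code Notes (派生碼訊)

Zi (子): Rat

Heaven over Lake, Lü (Treading) ䷉: To go forward in plain conduct is to carry out one's wish alone. The recluse's steadfastness brings good fortune, for within he does not fall into confusion. Wary and fearful, good fortune in the end: the aim is carried out. Look over your conduct and examine the omens; when it comes full circle there is supreme good fortune.

Red Fire Rite (紅火禮). Shuowen Jiezi: 禮 (rite) means 履 (to tread, to carry out). It is the means by which one serves the spirits and brings blessings. Composed of 示 and 豊, with 豊 also giving the sound. 古禮 is the ancient-script form of 禮. Before writing a program, one should think on its rite (禮): as rite, one should write documentation, for the benefit of sharing and of one's own reading in days to come.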

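Liao-Fan's Four Lessons (《了凡四訓》) says:

What is meant by true and false? Once several Confucian scholars called on the monk Zhongfeng,

and asked: "The Buddhists say that the retribution for good and evil follows as a shadow follows a form. Yet here is a man who is good and his descendants do not prosper, and there is a man who is evil and his household flourishes. What the Buddha says is groundless."

Zhongfeng said: "When worldly feelings have not been washed away and the true eye has not opened, taking good for evil and pointing to evil as good happens often. You do not regret that your own sense of right and wrong is upside down, and instead complain that Heaven's retribution is off the mark?"

The group said: "How could good and evil come to be reversed?"

Zhongfeng told them to try to say what they were.

One said: "Cursing and striking people is evil; respecting people and treating them with courtesy is good."

Zhongfeng said: "Not necessarily."

One said: "Coveting wealth and taking what is not yours is evil; being incorrupt and principled is good."

Zhongfeng said: "Not necessarily."

They each described what they took good and evil to be, and Zhongfeng said of every one that it was not so. So they asked him to explain.

Zhongfeng told them: "What benefits others is good; what benefits oneself is evil. If it benefits others, then even striking and cursing people is good; if it benefits oneself, then even respecting people and treating them with courtesy is evil. Therefore, in a person's doing of good, what benefits others is public-spirited, and the public-spirited is true; what benefits oneself is self-interested, and the self-interested is false. Further, what springs from the heart is true, and what merely copies outward forms is false; what is done without seeking anything is true, and what is done for a purpose is false. All of this each must examine for himself."

What is meant by upright and crooked? People today, seeing a cautious and agreeable man, generally call him good and choose him; the sage would sooner choose the wild and the stubbornly principled. As for the cautious and agreeable man, though the whole village likes him, the sage is sure to regard him as a thief of virtue. Thus the world's idea of good and evil is plainly the opposite of the sage's. Extending from this one point, every kind of choosing and rejecting is mistaken. Heaven, earth, ghosts and spirits, in blessing the good and bringing misfortune on the wicked, share the sage's judgment of right and wrong and not the world's preferences. Whoever wishes to accumulate goodness must never follow what pleases the eyes and ears, but should quietly cleanse himself at the hidden, subtle source of the mind. When it is purely a heart to help the world, that is upright; if there is a hair of a wish to flatter the world, that is crooked. When it is purely a heart of love for others, that is upright; if there is a hair of resentment toward the world, that is crooked. When it is purely a heart of respect for others, that is upright; if there is a hair of a wish to trifle with the world, that is crooked. All of this must be carefully distinguished.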

……

In the past there was one "Audrey Tang" (唐鳳), skilled in letters and fluent in the language of the "string of pearls" ☿☺:

=head1 NAME

Lingua::Sinica::PerlYuYan – 中書珨 – Perl in Classical Chinese in Perl

=head1 VERSION

our $VERSION = 1257700140.47574; # Mon Nov 9 01:09:11 CST 2009

=head1 SYNOPSIS

# The Sieve of Eratosthenes - 埃拉托斯芬篩法
use Lingua::Sinica::PerlYuYan;

用籌兮用嚴。井涸兮無礙
。印曰最高矣 又道數然哉。
。截起吾純風 賦小入大合。
。習予吾陣地 並二至純風。
。當起段賦取 加陣地合始。
。陣地賦篩始 繫繫此雜段。
。終陣地兮印 正道次標哉。
。輸空接段點 列終註泰來。

=head1 DESCRIPTION

This module makes it possible to write Perl programs in Classical Chinese poetry in Perl.

He who expounds this scripture can write 珨 (Perl) in Classical Chinese, in 珨.

(If one I<has> to ask "Why?", please refer to L<Lingua::Romana::Perligata> for related information.)

Bygone things have gone with the yellow crane; now only Yellow Crane Tower remains. Did "珨" never have words of its own?!

Guangyun: fanqie 侯夾; Jiyun: fanqie 轄夾; pronounced like 洽. Yupian: a jade clam; another says a vessel made of clam shell. Jiyun: a vessel decorated with clam shell.
Also, Wuyin Jiyun: fanqie 烏甲, pronounced like 鴨. To open and close a door.

To whom will this "scripture" be told?? There was also one "Zhou Mang" (周蟒, http://zh.wikipedia.org/zh-tw/%E5%91%A8%E8%9F%92), who styles himself "Gasolin" (蓋索林, http://blog.gasolin.idv.tw/2007/09/blog-post_22.html), and who once rendered Python into Chinese, with an independent style (http://code.google.com/p/zhpy/wiki/CodingStyle) and persistence (http://blog.gasolin.idv.tw/2007/09/blog-post_22.html); all roads lead to Rome. For reasons unknown the citadel was abandoned (http://code.google.com/p/zhpy/); on the ancient road, in the west wind, a lean horse remains ☿☹! Cut, it does not sever; sorted, it tangles again; the culture of code, slow sound upon slow sound. Ah, no one is blamed for too much courtesy; the heartbroken one is at the edge of the world!!

☆ Editor's note: Readers should know that "translation" is no easy thing. Here M♪o draws on the "Old Tales from the South of the City" (http://www.freesandal.org/?m=20150319) of the homeland; how is one to find a fitting comparison? Perhaps one should write "Turing" (http://www.freesandal.org/?p=7613), but that would likely miss the intent; or perhaps one should say "Wu Feng" (吳鳳, http://zh.wikipedia.org/zh-tw/%E5%90%B3%E9%B3%B3), but that hardly makes sense. With no method as the method, I adopt Zhuangzi's style of "sweeping away as one writes", and offer it as "words ventured at random"!!

─── "M♪O's Study Notebook «Zi» Switches: [Red Fire Rite] Modest and Courteous" (http://www.freesandal.org/?p=33096)

Many years ago, I chanced upon

Name

nat-traverse (https://www.speicherleck.de/iblech/nat-traverse/) - NAT gateway traversal utility

Synopsis

To create a simple text-only tunnel, use the commands

user@left $ nat-traverse 40000:natgw-of-right:40001
user@right $ nat-traverse 40001:natgw-of-left:40000
where 40000 is an unused UDP port on left and 40001 is an unused UDP port on right.

Description

nat-traverse establishes connections between nodes which are behind NAT gateways, i.e. hosts which do not have public IP addresses. Additionally, you can setup a small VPN by using pppd on top of nat-traverse. nat-traverse does not need an external server on the Internet, and it isn’t necessary to reconfigure the involved NAT gateways, either. nat-traverse works out-of-the-box.

See below for how this is achieved.

In other words: nat-traverse is a bit like Harm, but doesn’t have Harm’s limitation that one peer has to have a public IP address.

Limitation: nat-traverse does not work with gateways which change the port numbers. This is a fundamental problem of nat-traverse’s design, as the changed port numbers are (in general) not predictable.

……

Changelog

v0.7, 2017-10-28

Fixed a minor syntactical issue which caused a warning on modern Perl and relicensed under GPL version 3 or later.

………

v0.1, 2005-06-25

Initial release.

Author

Copyright (C) 2005, 2012, 2017 Ingo Blechschmidt, <iblech@speicherleck.de>.

The source code repository is hosted at GitLab.

 

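A bond formed with Perl:

Name

Perl was originally named "Pearl". Larry Wall wanted to give the language a short name with positive connotations; he considered (and rejected) every three- and four-letter word in the dictionary. He also considered naming it after his wife, Gloria. Wall discovered the existing PEARL language before Perl's official release and changed the name.[23]

When referring to the language, the name is usually capitalized (Perl), like a proper noun. When referring to the interpreter itself, the name is usually written in lowercase (perl), because most Unix-like file systems are case-sensitive. Before the release of the first edition of Programming Perl, it was also common to refer to the language as perl; Randal L. Schwartz capitalized the language's name in the book during typesetting to make it easier to understand. Later, this distinction in case became the norm.[24]

The all-caps "PERL" is contested; the documentation states that "PERL" is incorrect,[24] and some core community members regard it as the mark of an outsider.[25] The name is occasionally taken to be an acronym for "Practical Extraction and Report Language", as stated at the top of the documentation[23] and in some printed books.[26] Several expansions have been suggested as the official name, including Wall's own humorous "Pathologically Eclectic Rubbish Lister".[27] Indeed, Wall maintains that the name is meant to suggest many different expansions.[28]

Camel symbol

Programming Perl, published by O'Reilly Media, features a picture of a camel on its cover and is therefore known as the "Camel Book".[29] This camel image has become an unofficial symbol of Perl and a hacker emblem, appearing on T-shirts and other clothing.

O'Reilly owns the trademark on this image, and states that it will exercise its legal rights only to defend the "integrity of the symbol".[30] O'Reilly allows the trademark to be used for non-commercial purposes, and also provides Programming Republic of Perl logos and Powered by Perl buttons.[31] Another identifying symbol of Perl is the alpaca, because the cover of Intermediate Perl features an alpaca.[32]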

 

And so the UDP hole punching journey begins!

UDP hole punching

UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer, Direct Client-to-Client (DCC) and Voice over Internet Protocol (VoIP) deployments.[1]

UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, third-party hosts on the public transit network are used to establish UDP port states that may be used for direct communications between the communicating hosts. Once port state has been successfully established and the hosts are communicating, port state may be maintained either by normal communications traffic, or in the prolonged absence thereof, by keep-alive packets, usually consisting of empty UDP packets or packets with minimal non-intrusive content.

Overview

UDP hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks using network address translators. The technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized.

Hosts with network connectivity inside a private network connected via a NAT to the Internet typically use the Session Traversal Utilities for NAT (STUN) method or Interactive Connectivity Establishment (ICE) to determine the public address of the NAT that its communications peers require. In this process another host on the public network is used to establish port mapping and other UDP port state that is assumed to be valid for direct communication between the application hosts. Since UDP state usually expires after short periods of time in the range of tens of seconds to a few minutes,[2] and the UDP port is closed in the process, UDP hole punching employs the transmission of periodic keep-alive packets, each renewing the life-time counters in the UDP state machine of the NAT.

UDP hole punching will not work with symmetric NAT devices (also known as bi-directional NAT) which tend to be found in large corporate networks. In symmetric NAT, the NAT’s mapping associated with the connection to the well-known STUN server is restricted to receiving data from the well-known server, and therefore the NAT mapping the well-known server sees is not useful information to the endpoint.

In a somewhat more elaborate approach both hosts will start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from this IP address and port number through. This technique is widely used in peer-to-peer software and Voice over Internet Protocol telephony. It can also be used to assist the establishment of virtual private networks operating over UDP. The same technique is sometimes extended to Transmission Control Protocol (TCP) connections, though with less success because TCP connection streams are controlled by the host OS, not the application, and sequence numbers are selected randomly; thus any NAT device that performs sequence-number checking will not consider the packets to be associated with an existing connection and drop them.

Flow

Let A and B be the two hosts, each in its own private network; NA and NB are the two NAT devices with globally reachable IP addresses EIPA and EIPB respectively; S is a public server with a well-known, globally reachable IP address.

  1. A and B each begin a UDP conversation with S; the NAT devices NA and NB create UDP translation states and assign temporary external port numbers EPA and EPB
  2. S examines the UDP packets to get the source port used by NA and NB (the external NAT ports EPA and EPB)
  3. S passes EIPA:EPA to B and EIPB:EPB to A
  4. A sends a packet to EIPB:EPB.
  5. NA examines A’s packet and creates the following tuple in its translation table: (Source-IP-A, EPA, EIPB, EPB)
  6. B sends a packet to EIPA:EPA
  7. NB examines B’s packet and creates the following tuple in its translation table: (Source-IP-B, EPB, EIPA, EPA)
  8. Depending on the state of NA’s translation table when B’s first packet arrives (i.e. whether the tuple (Source-IP-A, EPA, EIPB, EPB) has been created by the time of arrival of B’s first packet), B’s first packet is dropped (no entry in translation table) or passed (entry in translation table has been made).
  9. Depending on the state of NB’s translation table when A’s first packet arrives (i.e. whether the tuple (Source-IP-B, EPB, EIPA, EPA) has been created by the time of arrival of A’s first packet), A’s first packet is dropped (no entry in translation table) or passed (entry in translation table has been made).
  10. At worst, the second packet from A reaches B; at worst the second packet from B reaches A. Holes have been “punched” in the NAT and both hosts can directly communicate.
  • If both hosts have Restricted cone NATs or Symmetric NATs, the external NAT ports will differ from those used with S. On some routers, the external ports are picked sequentially making it possible to establish a conversation through guessing nearby ports.
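
The Flow steps above can be traced with a toy model of the two NAT state tables (an added example, not from the original post or from nat-traverse). It assumes port-restricted filtering; the `Nat` class, the `punch` function and all addresses are constructed for illustration, and the symmetric case shows why the Overview says hole punching fails there.

```python
# Added example: toy model of the NAT state in the Flow steps above.
# Assumptions: port-restricted filtering; every address below is a
# constructed sample value, not taken from the page.

class Nat:
    def __init__(self, ext_ip, first_port, symmetric=False):
        self.ext_ip, self.next_port, self.symmetric = ext_ip, first_port, symmetric
        self.mapping = {}   # cone: internal endpoint -> external port
                            # symmetric: (internal endpoint, destination) -> external port
        self.allowed = {}   # external port -> (internal endpoint, remotes sent to)

    def outbound(self, src, dst):
        """Translate an outgoing packet, creating state; return its external source."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.allowed[self.next_port] = (src, set())
            self.next_port += 1
        port = self.mapping[key]
        self.allowed[port][1].add(dst)
        return (self.ext_ip, port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint if the packet is admitted, else None (dropped)."""
        src, remotes = self.allowed.get(ext_port, (None, set()))
        return src if remote in remotes else None


def punch(nat_a, nat_b):
    """Run the Flow steps and report which of three packets get through."""
    a, b, s = ("10.0.0.2", 40000), ("10.1.0.2", 40001), ("203.0.113.1", 3478)
    ea = nat_a.outbound(a, s)            # steps 1-2: S sees EIPA:EPA
    eb = nat_b.outbound(b, s)            # and EIPB:EPB; step 3 swaps them
    results = []
    for label, nat_src, host, nat_dst, target in (
        ("A->B #1", nat_a, a, nat_b, eb),    # steps 4-5
        ("B->A #1", nat_b, b, nat_a, ea),    # steps 6-7
        ("A->B #2", nat_a, a, nat_b, eb),    # step 10
    ):
        seen_as = nat_src.outbound(host, target)
        results.append((label, nat_dst.inbound(seen_as, target[1]) is not None))
    return results


if __name__ == "__main__":
    print("cone/cone:", punch(Nat("192.0.2.1", 50000), Nat("198.51.100.1", 60000)))
    print("symmetric:", punch(Nat("192.0.2.1", 50000, True),
                              Nat("198.51.100.1", 60000, True)))
```

With two cone NATs the first packet from A is dropped and every later packet passes; with two symmetric NATs each new destination gets a fresh external port, so nothing sent to the ports S reported is ever admitted.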

 

Revisiting the old haunt today; is the scenery still the same?

peer A 5.168.168.6 ─── OpenWrt router 5.168.168.20 ─── peer B 5.168.128.250

※ Run:

【peer A】

root@kali-pi:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.168.168.1     0.0.0.0         UG    0      0        0 eth0
5.168.168.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

 

root@kali:~/test# ./nat-traverse 40000:5.168.168.6:40001
> Creating socket localhost:40000 <-> 5.168.168.6:40001... done.
> Sending 10 initial packets... .......... done.
> Waiting for ACK (timeout: 10s)... ........... done.
> Connection established.
> Type ahead.
Hello World

 

【peer B】

root@kali:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.168.128.66    0.0.0.0         UG    0      0        0 eth0
5.168.128.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

 

root@kali-pi:~/test# ./nat-traverse-0.7.pl 40001:5.168.168.20:40000
> Creating socket localhost:40001 <-> 5.168.168.20:40000... done.
> Sending 10 initial packets... .......... done.
> Waiting for ACK (timeout: 10s)... ......... done.
> Connection established.
> Type ahead.
Hello World