初始化时间过长

CEGUI在初始化的时候，会便利一个字体中所有的Glyph，并在d_cp_map容器中初始化所有的FontGlyph对象。这个在英文字体下没有什么问题，因为一个字体中大约只有几百Glyph，但是在中文字体中这个值一般是65535个，所以初始化的时间过长。准备废除这个初始化的过程。

CEGUI使用一个bitmap，d_glyphPageLoaded作为一个codepoint有没有载入的标志，在这里废弃这个变量，直接使用d_cp_map容器中有没有对应的FontGlyph对象作为这个codepoint有没有载入的标志。

字体缓冲的贴图占用过多

CEGUI中的字体缓冲有一个算法，就是把字体中的Glyph分页，每个页是256个文字，一旦要渲染一个文字的时候，就把这个文字前后一共256个Glyph都渲染到一张贴图上。对于英文字体来说这样不是问题，一个字体最多渲染5到6张贴图就完事了，而且采用这种策略渲染好的贴图就不需要修改了。但是对于中文字体来说这不是一个好的策略，中文字体中文字个数繁多，而且不是采用使用频率在字体中排列的，你渲染的一个文字的前后255个文字说不定在整个过程中就不会使用得到，如果讨论在极端情况下，一个中文字体一共需要65535/256=256张贴图才可以完整的渲染完，这样我们可怜的显存里面就全部都是文字了，明显不可以接受。

计划使用一个简单的缓冲机制，就是一开始设定好一个字体可以使用多少张缓冲贴图，和每张贴图的尺寸（这里暂定512*512）。这样的策略实现起来比较简单，相对来说修改的代码量也不是很大，缺点是：

1. CEGUI的贴图接口中并没有锁定或修改已存在的贴图内容，需要自己实现。
2. 原始的贴图生成之后不需要修改了，现在需要经常修改，会有一定的效率损失。

print("simple test: ")
print((10000 + 123456789) - 123456789)

程序打印出来的值竟然是10003，顿时被雷到了。虽然我知道lua用的是double作为基础的lua_number，但是人家已经很耐心的教育我们double是双精度类型，不会出现什么四舍五入的问题。于是打开linux上的终端运行lua进行同样的计算，这次得到的是正确的结果：10000。

想想也知道lua不会有这种低级的错误的，要不还不立刻被人骂死，于是开始找自己的问题，首先怀疑是我们的lua嵌入包裹代码的问题，仔细review了一遍代码，觉得不会影响到这么底层的问题。接着开始做实验，发现在服务器上的同样lua代码，运行的结果是正确的。经过无尽的折腾，最后发现了这么一个事实：

在directX的sdk文档里面，D3DCREATE这个条目里面有这么一条：

D3DCREATE_FPU_PRESERVE Set the precision for Direct3D floating-point calculations to the precision used by the calling thread. If you do not specify this flag, Direct3D defaults to single-precision round-to-nearest mode for two reasons:
- Double-precision mode will reduce Direct3D performance.
- Portions of Direct3D assume floating-point unit exceptions are masked; unmasking these exceptions may result in undefined behavior

D3D默认在创建设备的时候，会把双精度改成单精度，增加渲染的效率，所以lua也被殃及了，这也算是蝴蝶效应的一个体现吧。。。。。

恶心的问题只要原因找到了解决总是相对容易的，现在有两个方案：

1. 将lua_number定义为int，缺点是lua内就不能使用小数
2. 在D3D初始化的时候添加参数，让他不要改变计算精度，缺点是不知道对性能有多大影响

1. 调用栈全部混乱，一堆问号出现在这里，你明明知道自己编译的时候有放入符号，现在却什么信息都看不到
2. 莫名其妙的调用了一个代码里面没有调用的函数
3. 重复的free或者delete某块内存，然后崩溃
4. 部分静态或者全局的数据混乱了，代码里面除了初始化就没啥地方写过他们了
5. 莫名的某个对象的数据全部混乱了

其实有经验的程序员看到我上面这堆牢骚就知道，归根结底，这些问题都是一个原因：内存混乱。可以直接操作内存是C/C++的效率之源也是一切的罪恶之源。没有个两三年的编程经验，很难深刻的理解内存、指针和引用这些看起来没啥深奥的问题。关于可能出现的内存混乱我大概的归纳一下：

• 使用没有初始化的内存
• 内存越界
• 内存泄漏

为了理解如何处理这些情况，我们先稍微总结一下程序的内存的使用会出现在什么地方：

• 静态，全局内存：静态和全局对象会在main函数之前由libc进行初始化和分配，他们因该会出现在运行的数据段上，一般来说是数据段的开头部分。问题2， 4和5可能由这种内存的混乱引起。
• 栈内存：基本上可以认为是局部变量初始化的内存了，在程序入栈的时候分配，出栈的时候丢弃。这种内存混乱可能会引起问题1, 2, 4, 5
• 堆内存：由malloc、new分配，由free、delete回收的内存。这种内存混乱的话，会引起2、3、4、5

基本上想要彻底在机制上解决内存问题，肯定是没有希望的，因为如果这是可行的，那么早就有nb的人做出来，并放到标准里面了。于是他们做出了java。。。。。所以我们现在追求的就是如何能够快速的追踪到问题的源头。

不像是其他的逻辑bug，内存混乱引起的问题，现象是千奇百怪的，而且发生问题的源头往往和现象不在同一个调用栈里面，或者是整个调用栈全部乱掉，让你无从可查。所以必须要使用一些其他手段来帮助我们。根据不同的内存使用种类，我说一下自己的思路，和目前已经有的做法：

• 堆内存：为什么先从堆开始说起，因为堆上的内存分配和删除是完全控制在我们自己手里面的，说实话，这块东西早就有很多的工具和代码进行跟踪保护和分配了。而且相关的原理基本相通。
  • 最完整的办法解决这个问题是建立自己的内存管理体系，使用内存池，托管系统的malloc、free或者是new、delete。这样不仅仅可以在犯错的时候我们有机会去监测或者记录。还可以通过内存池来增加系统的效率。
  • 如果暂时没有成体系的内存管理系统，也可以使用第三方工具，比如非侵入式的valgrin或者是编译到代码里面的efence。这些工具都可以很好的帮你监控报告这些内存的混乱。
  • 对于内存溢出这个问题，不论是自己的内存管理体系还是第三方的监测工具，基本上都是一个原理。在分配内存的时候多申请一定的字节，比如20个bytes，并将他们初始化为一些特殊的字节。然后去检查这块内存有没有变化。如果有变化就是出现了溢出。最佳的方法是用cpu或者是操作系统提供的内存保护机制，这样一旦有任何的要对这块内存的操作指令，就会立刻break出来，这时再用gdb等的debug工具就可以直接查看调用栈找到元凶。较差的方法是定期或者是析构的时候监测，不过这样效果不好，只能知道到底有没有溢出，或者是哪块内存溢出。到底是谁干的，还是要大海捞针。
• 栈内存：栈内存的混乱基本上会死的很直接，不会让问题慢慢的慢慢的变大。不过栈内存的特殊性，会导致他把案发现场的很多痕迹抹去，因为栈混乱了，所以你看到的调用栈完全是混乱的。你不知道出现的原因是什么。
  • 对于这种情况，我暂时使用了一种看起来有点简陋的方法。就是使用一个buffer来手动的存储目前的调用栈。入栈的时候通过宏把函数名加入buffer，退栈的时候通过宏把函数名移除。坏处是增加了入栈出栈的代价，同时要记录的函数需要在开始和结束的时候添加宏。
• 静态、全局内存混乱：这块是比较复杂的，特别是出现了这种内存的溢出，他会悄无声息的抹去你很多的全局，静态变量，但是系统依然可以运行，不过很多依赖于这些变量的行为都会变的无法预测，天知道这时候会做出什么变态的事情。同时这种内存的分配是在进入main之前发生的，我们完全无能为力。想要对付这种内存我建议。。。。。
  • 在开发小组中规定。。。。不要使用这种内存。

# IBUS was confilict with OOO3 under awesomedon’t know why, but add the blow  
# line, everything OK then~ cheers

OOO_FORCE_DESKTOP=gnome export OOO_FORCE_DESKTOP 

So you’ve published your Flex application that accesses local XML, but when you try to run it outside of your Flex Builder folder, you might get a Flash Player Debugger error #2148. I ran into this problem while on a tight deadline, and am reposting here to get the word out.

To fix this, you need:

1. to right/control click your Flex Project folder in the Navigator
2. Select properties
3. Choose Flex Compiler in the popup window
4. Add “-use-network=false” under Additional compiler arguments

Hopefully, this’ll save someone some time…

iptables is a command line tool which allow system administrators to configure Linux packet filtering ruleset.

Using iptables, you are able to tweak packet filtering, Network Address Translation (NAT) and packet mangling which in the end are going to allow you to secure your server, share your Internet connection and log unwanted traffic.

iptables is not really what we could call an easy to get with tool, but once you know the basis, it won’t be that scary .

This tutorial will provide a sample script you can use to share your Internet access and will give an overview on how to use iptables

1. Introduction

Most people will be freaked out when you pronounce the name iptables because it is not much of an easy to understand software, man page is huge as well as iptables capabilities.
To be able to set up a home router, you don’t actually need to spend nights and nights going through iptables man page, a grasp of the basis is enough to get your firewall up and running.

This tutorial provides a sample script you should be able to use out of the box or at most, changing 2 parameters will be able to get you running.

2. Iptables

To be able to understand what the firewall do, there is some basis you need to know. Here I’m going to go over what make iptables handle network packets.

2.1. Chain Rules

Iptables use a set of chain rules to check weather or not a packet should be accepted. By default, there is 3 chains:

• INPUT: packet is destinate to the machine running iptables
• FORWARD: packet needs to be forwarded to another machine
• OUTPUT: packet going out of the machine running iptables

So when a packet reaches the firewall, the first thing the kernel is going to do is to determine where the packet is going. According to the destination, the kernel will check the packet against the rules of the appropriate chain.

2.2. Actions (TARGET)

For each chain we define a list of rules and actions (called targets in iptables’jargon) to take when a packet match a rule. Main actions are:

• ACCEPT: accept the packet
• REJECT: discard the packet and inform the source
• DROP: discard the packet but don’t say anything to the source

As soon as a packet has matched a rule, the kernel will apply the action it is said to do and won’t go further. If the packet did not match any rules, the kernel will use the default policy defined for that chain.

This beeing said, we can now get into the script.

3. Iptables Script

OK, now that we know the really basis, let see what the script is going to look like.

In this example, I assume that eth0 is the interface connected to the Internet, eth1 is the one connected to our local network.

#!/bin/sh
#
# this script requires iptables package to be
# installed on your machine

# Where to find iptables binary
IPT="/sbin/iptables"

# The network interface you will use
# WAN is the one connected to the internet
# LAN the one connected to your local network
WAN="eth0"
LAN="eth1"
# First we need to clear up any existing firewall rules
# and chain which might have been created
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# Default policies: Drop any incoming packets
# accept the rest.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# To be able to forward traffic from your LAN
# to the Internet, we need to tell the kernel
# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Masquerading will make machines from the LAN
# look like if they were the router
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# If you want to allow traffic to specific port to be
# forwarded to a machine from your LAN
# here we forward traffic to an HTTP server to machine 192.168.0.2
#$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
#$IPT -A FORWARD -i $WAN -p tcp  --dport 80 -m state --state NEW -j ACCEPT
# For a whole range of port, use:
#$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 1200:1300 -j DNAT --to 192.168.0.2
#$IPT -A FORWARD -i $WAN -p tcp  --dport 1200:1300 -m state --state NEW -j ACCEPT

# Do not allow new or invalid connections to reach your internal network
$IPT -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP

# Accept any connections from the local machine
$IPT -A INPUT -i lo -j ACCEPT
# plus from your local network
$IPT -A INPUT -i $LAN -j ACCEPT

# Here we define a new chain which is going to handle
# packets we don't want to respond to
# limit the amount of logs to 10/min
$IPT -N Firewall
$IPT -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "
$IPT -A Firewall -j DROP

# log those packets and inform the sender that the packet was rejected
$IPT -N Rejectwall
$IPT -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "
$IPT -A Rejectwall -j REJECT
# use the following instead if you want to simulate that the host is not reachable
# for fun though
#$IPT -A Rejectwall -j REJECT  --reject-with icmp-host-unreachable

# here we create a chain to deal with unlegitimate packets
# and limit the number of alerts to 10/min
# packets will be drop without informing the sender
$IPT -N Badflags
$IPT -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "
$IPT -A Badflags -j DROP

# A list of well known combination of Bad TCP flags
# we redirect those to the Badflags chain
# which is going to handle them (log and drop)
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

# Accept certain icmp message, drop the others
# and log them through the Firewall chain
# 0 => echo reply
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo
# avoid ping flood
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j Firewall

# Accept ssh connections from the Internet
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
# or only accept from a certain ip
#$IPT -A INPUT -i $WAN -s 125.124.123.122 -p tcp --dport 22 -j ACCEPT

# Accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop netbios from the outside, no log, just drop
$IPT -A INPUT -p udp --sport 137 --dport 137 -j DROP

# Finally, anything which was not allowed yet
# is going to go through our Rejectwall rule
$IPT -A INPUT -j Rejectwall

3.1. Iptables default settings

First of all, we define where iptables binary is located and to make the script easier to attapt to other situation, we define the interface as WAN and LAN.
So, if your machine uses eth1 as the interface connected to the Internet and eth0 connected to your local network, simply change:

WAN=”eth0″
LAN=”eth1″

to

WAN=”eth1″
LAN=”eth0″

Then we clean up iptables by flushing all the chain and tables:

$IPT -F xxx

and deleting all the optional user-defined chains:

$IPT -X

Then we define the default policies:

$IPT -P xxx

Which is to DROP any packet which is destinated to the local machine if they were not accepting, ACCEPT any packet which is going out of the local machine or going to/coming from our LAN if they were not discarded yet.

3.2. To and From Local Network

Because we want to be able to forward traffic, we need to say so to the kernel. This is what is done by setting /proc/sys/net/ipv4/ip_forward to 1.

Then, we need to tell the kernel to masquerade all outgoing traffic. This is what is achieved by triggering:

$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

Masquerading has the effect of allowing all computer from your internal network to access the internet. These machines will be seen as if there were the router itself.

Now, suppose you want your apache server on machine 192.168.0.2 to be visible from the outside. You need to tell the firewall to send those packets to machine 192.168.0.2 on port 80, this is what is achieved with:

$IPT -t nat -A PREROUTING -i $WAN -p tcp –dport 80 -j DNAT –to 192.168.0.2:80

But then, you also need to accept new connection on that specific port because, as you will see later on, we by default forbid NEW and INVALID connections coming from the outside to be forwarded.
So, for that specific service, we will allow NEW connections (RELATED and ESTABLISHED being allowed by default) to be forwarded:

$IPT -A FORWARD -i $WAN -p tcp –dport 80 -m state –state NEW -j ACCEPT

And now, let discard any NEW and INVALID connections:

$IPT -A FORWARD -i $WAN -m state –state NEW,INVALID -j DROP

To be able to have your local connection to work properly, you need to accept everything on localhost. This is done with:

# Accept any connections from the local machine
$IPT -A INPUT -i lo -j ACCEPT

We do not need to use the statement $IPT -A OUTPUT -i lo -j ACCEPT because the default OUTPUT policy is set to ACCEPT
If your default policy is different, you might have to add this statement

Then, because in our example we trust our local network (not a wise thing to do though), we need to allow any incoming connections from our LAN:

# plus from your local network
$IPT -A INPUT -i $LAN -j ACCEPT

3.3. Defining custom chains

In order to get a easier to maintain iptables script, it is handy to define some custom chains, also called user-defined chains. This way, you can gather common actions into 1 chain, then, using our target switch (-j) we will be able to send packets that match specific rules to that target.
In order to create a user-defined chain, we need to use:

iptables -N chain_name

and then simply add rules to that chain using the usual:

iptables -A chain_name [rules ...] -j target

Okie, now that this is explained, we are going to create 3 user-defined chains which are going to log packet matching rules to be sent to this specific chain:

• Firewall: is going to log packets by prepending “Firewall: ” and DROP them, as you will see, this will only deal with ICMP
• Rejectwall: is going to log packets (prepending “Rejectwall: “) that were not accepted my any previous rules
• Badflags: is going to log packets which TCP flags are not properly set. Some kind of packets are usually used during attack. (prepending “Badflags: “)

The bit of code that deals with the chain creation and which append rules to it is:

# Here we define a new chain which is going to handle
# packets we don’t want to respond to
# limit the amount of logs to 10/min
$IPT -N Firewall
$IPT -A Firewall -m limit –limit 10/minute -j LOG –log-prefix “Firewall: ”
$IPT -A Firewall -j DROP

# log those packets and inform the sender that the packet was rejected
$IPT -N Rejectwall
$IPT -A Rejectwall -m limit –limit 10/minute -j LOG –log-prefix “Rejectwall: ”
$IPT -A Rejectwall -j REJECT
# use the following instead if you want to simulate that the host is not reachable
# for fun though
#$IPT -A Rejectwall -j REJECT –reject-with icmp-host-unreachable

# here we create a chain to deal with unlegitimate packets
# and limit the number of alerts to 10/min
# packets will be drop without informing the sender
$IPT -N Badflags
$IPT -A Badflags -m limit –limit 10/minute -j LOG –log-prefix “Badflags: ”
$IPT -A Badflags -j DROP

As you can see, there is a new target (action), namely LOG. LOG is a specific target that logs the packet to /var/log/messages usually. LOG is a non-terminating target, this means that the packet is going to continue to the next rule after being logged.
by using the –log-prefix you can specify what is going to be prepended to your log.

So let’s take the example of chain “Firewall”.
First we create the chain: $IPT -N Firewall
Then, we ask the kernel to log the packet and to prepend “Firewall: ” to the log string. But because we don’t want our logs to be flooded by such logs, we cap the number of logs related to the Firewall chain to 10/minute: $IPT -A Firewall -m limit –limit 10/minute -j LOG –log-prefix “Firewall: “
Finally, after we logged the packet, we are simply going to DROP it: $IPT -A Firewall -j DROP

3.4. Using those rules

Creating user-defined chain will now make it easier and faster for us to operate specific actions on packets.
Let’s go through the block of statements related to bad TCP flags:

# A list of well known combination of Bad TCP flags
# we redirect those to the Badflags chain
# which is going to handle them (log and drop)
$IPT -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ACK,URG URG -j Badflags
$IPT -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j Badflags
$IPT -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPT -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ALL ALL -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ALL NONE -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ALL FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

As you can see, for any of the packet matching a rule, we simply have to send the packet to the “Badflags” chain. If we were not using user-defined chains, the first statement would look like:

$IPT -A INPUT -p tcp –tcp-flags ACK,FIN FIN -m limit –limit 10/minute -j LOG –log-prefix “Badflags: ”
$IPT -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP

So this would be twice as much work :s. Now, imagine you want to change the target from DROP to REJECT, you simply have to edit 1 line instead of 11

Those badflags rules are well known combinations of illegitimated TCP flags settings. Normal application should not use those, this is why we can DROP those packets safely.

Now, we are going to allow only a small set of ICMP packets. In our example, we want our firewall to be able to receive information such as Timeout (type 11), Host unreachable (type 3) and we want it to reply to pings (type 8 ) and get replies to ping initiated from our firewall (type 0).
In order to do this, we ACCEPT any ICMP packets which contains one of the following code type and then pass all other ICMP packets code to our Firewall chain.

# Accept certain icmp message, drop the others
# and log them through the Firewall chain
# 0 => echo reply
$IPT -A INPUT -p icmp –icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPT -A INPUT -p icmp –icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPT -A INPUT -p icmp –icmp-type 11 -j ACCEPT
# 8 => Echo
# avoid ping flood
$IPT -A INPUT -p icmp –icmp-type 8 -m limit –limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j Firewall

Note the -m limit –limit 1/second, by doing such, our firewall is going to reply to only 1 ping per second, any other ping will be logged (up to 10/min and then DROPped) through the Firewall chain

3.5. Traffic from the Internet

After we have dealt with not well formed packets and icmp packets, we should apply some global rules to streams coming from the outside (remember that our default policy for OUTPUT packets is ACCEPT, so we don’t have to allow those).

The basic idea here is to only allow streams that are related to a previous connection (useful for FTP for instance) or already established.
But, we are going to make one exception for SSH because we want to be able to connect to our box from the outside.

We achieve this by accepting any ssh packets from the outside and then only connections in state RELATED or ESTABLISHED

# Accept ssh connections from the Internet
$IPT -A INPUT -i $WAN -p tcp –dport 22 -j ACCEPT
# or only accept from a certain ip
#$IPT -A INPUT -i $WAN -s 125.124.123.122 -p tcp –dport 22 -j ACCEPT

# Accept related and established connections
$IPT -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

Then we are going to DROP silently netbios scan from the outside:

# Drop netbios from the outside, no log, just drop
$IPT -A INPUT -p udp –sport 137 –dport 137 -j DROP

And finally, REJECT any other packet through our user-defined chain Rejectwall:

$IPT -A INPUT -j Rejectwall

4. Using iptables’script

4.1. From the command line

One way to apply the rules we define, is simply to run the script from the command line like:

sudo sh /path/to/firewall-script.sh

but this has the bad effect of not being restore on reboot :s, but still, this will be of great help while tweaking up your firewall.

4.2. Using /etc/rc.local

/etc/rc.local is a custom file where you can add scripts to be executed at the end of each multiuser runlevel.

By default, this file only contain exit 0.
In order to have your iptables firewall script executed on reboot, simply add the path to your firewall script before exit 0.

Copy your firewall script file to /etc/firewall-script.sh for instance. Then make it executable:

sudo chmod 700 /etc/firewall-script.sh

Then edit /etc/rc.local and add /etc/firewall-script.sh before exit 0

Next time you are going to reboot, this script is going to be executed and therefore, your firewall set up restored.

4.3. Using /etc/network/if-up.d/ directory

This one is a bit more tricky.
Once you are done with setting up your firewall script, you will save it to the iptables format by trigerring:

$sudo sh /path/to/firewall/script.sh
$sudo iptables-save > /etc/firewall-iptables.conf

Now, open and edit /etc/network/if-up.d/iptables and make it look like:

#!/bin/sh
iptables-restore < /etc/firewall-iptables.conf

Then make it executable:

sudo chmod +x /etc/network/if-up.d/iptables

Finally, we need a way to set up /proc/sys/net/ipv4/ip_forward to 1. This can be achieved through /etc/sysctl.conf.
Simply add the following entry if not already there:

net.ipv4.ip_forward=1

which will set /proc/sys/net/ipv4/ip_forward to 1 next time you reboot.

We could have also used /etc/firewall-script.sh instead of the iptables-restore trick, but this way, you can see another way to do it

Reboot, your firewall should be up again

4.4. Once upon a time

Debian used to have this great /etc/init.d/iptables init script which allowed you to restore iptables settings on boot up, stop your firewall …
This script is now gone… so we have got to do it by ourself now

4.5. Rescue script

A handy script to have around is a script that can erase all chains and rules in case you are getting lost with your firewall breakages. The following script will clear up all rules and reset all chain so your firewall will be inactive. I suggest you copy it and keep it somewhere close to you in case of emergency.

#!/bin/bash
IPT=’/sbin/iptables’

for a in `cat /proc/net/ip_tables_names`; do
${IPT} -F -t $a
${IPT} -X -t $a

if [ $a = nat ]; then
${IPT} -t nat -P PREROUTING ACCEPT
${IPT} -t nat -P POSTROUTING ACCEPT
${IPT} -t nat -P OUTPUT ACCEPT
elif [ $a = mangle ]; then
${IPT} -t mangle -P PREROUTING ACCEPT
${IPT} -t mangle -P INPUT ACCEPT
${IPT} -t mangle -P FORWARD ACCEPT
${IPT} -t mangle -P OUTPUT ACCEPT
${IPT} -t mangle -P POSTROUTING ACCEPT
elif [ $a = filter ]; then
${IPT} -t filter -P INPUT ACCEPT
${IPT} -t filter -P FORWARD ACCEPT
${IPT} -t filter -P OUTPUT ACCEPT
fi

done

5. Conclusion

This tutorial covered iptables in order to set up a linux firewall which will share your internet connection amongst computer from your local network.
By explaining iptables basis, you should now be able to improve your script so you can allow or disallow specific types of traffic.

This is not the most secure set up though. Best practice would be to set up a policy which disallow all traffic by default and then only allow the traffic you believe that should be permitted.

Finally we went through different ways of recovering iptables setting on reboot.

Hope this helps and will give you enough basis to customize your firewall.

firewall-simple.txt
firewall-stop.txt

You might have wondered how comes that your mp3 player is automatically mounted under a nice name like JUKEBOX for instance, while you usb stick simply get a name like USB_BAR and USB_BAR-1… for its partitions.
This is actually due to hal automatically mounting the device.
This tutorial will show you how to give a label to your partitions in order to have your removable devices mounted under an explicit location such as: /media/red-usb-disk or /media/my-big-fat-partition.

When automatically mounting a device, it happens that hal already know about this device, in which case, the device is going to be mounted under, let say for an Ipod, /media/Ipod. But if you have an external hard-drive that you connect through usb, chances are that your external hard-drive partitions are mounted under /media/usbdisk, /media/usbdisk-1 and so on.
And actually, partition one might be mounted under usbdisk-1 on day and usbdisk the day after :s.
Imagine you stock all you music on your external hardrive. Today, you hardrive get mounted under /media/usbdisk and you create a playlist. Tomorrow, when you plug you hardrive, your music partition might get mounted under /media/usbdisk-1, you start your music player, this one kept your last playlist in memory, but you simply can’t replay it because the files have moved from /media/usbdisk to /media/usbdisk-1 .
This is where labeling a partition will become handy.

Here is a menu that will let you jump directly to a specific filesystem type:

• ext2 and ext3
• reiserfs
• vfat
• XFS: not tested, need your feedback
• JFS: not tested, need your feedback

Because linux comes with a whole range of file systems, we are going to need different tools depending on which filesystem you are using.
From now on, I will suppose you know which file system your device is formated to. If you don’t know yet, simply plug you device in order to get it mounted, the run:

$ df -T

This will output something like:

…..
…..
/dev/scd0 iso9660 3011040 3011040 0 100% /media/cdrom0
/dev/sdb1 vfat 244480 20756 223724 9% /media/USBDRIVE

You can find the file system type on the second column: here iso9660 for the cdrom and vfat for the usb disk. The device name is found in the first column: here /dev/scd0 and /dev/sdb1

From now on, we are going to work on device /dev/sdaX, you will have to adjust this in accordance with the device you want to rename. Let’s get into it now .

Ext2 and ext3 file systems

back to file systems menu

In order to change the label of an ext2 or ext3 partition, you will need to use: e2fsprogs program utilities. If it is not yet install on your computer, run the following command to install it:

$ sudo apt-get install e2fsprogs

Retrieving the existing label

In order to retrieve the existing label of your partition, simply run:

$ sudo e2label /dev/sdaX
my label

Setting a new label

To set up a new label, you simply have to append the label name at the end of the command line, so it will look like:

$ sudo e2label /dev/sdaX “my new label”

ext2/3 label has to be at most 16 characters long, if longer, label will be truncated

In order to confirm that your changes where properly applied, you can retrieve the partition’s label with:

$ sudo e2label /dev/sdaX
my new label

The new label should be output on the next line.

Deleting an existing label

Label can be deleted by supplying an empty label to e2label with this command line:

$ sudo e2label /dev/sdaX “”

Reiserfs file system

back to file systems menu

First of all, you need to have reiserfsprogs package installed. If it not yet present on your machine, please run:

$ sudo apt-get install reiserfsprogs

While working on a reiserfs partition, the partition needs to be unmounted.

Now that you made sure that your partition is unmounted, let see how it works.

Retrieving the existing label

To retrieve the existing label, run:

$ sudo reiserfstune /dev/sdaX | grep LABEL
…
LABEL:

The label is going to be apended to “LABEL: “, if there is no label yet, only “LABEL: ” will appear.

Setting a new label

To set up a new label, you will need to use the -l switch like:

$ sudo reiserfstune /dev/sdaX -l “my new label”

Check for the “LABEL: ” entry in the output, this one should now print:

LABEL: my new label

Reiserfs label has to be at most 16 characters long, if longer, label will be truncated

Removing an existing label

To do so, simply supply an empty label with this command line:

$ sudo reiserfstune /dev/sdaX -l “”

VFAT file system

back to file systems menu

This one is a bit more tricky as you can’t simply use the command line, but you will need to edit a file in order to let the tool know the name of the device.

The package we are going to use here is mtools. If the package is not installed on your machine, please run:

$ sudo apt-get install mtools

Informing mtools about your device

mtools needs to be told an “windows like” device name (something like G:) to match a linux device name. To do so, create and edit file ~/.mtoolsrc and add:

drive i: file="/dev/sdaX"

Where i: is the “windows name” and /dev/sdaX is the linux file system associated to it.

Retrieving the existing label

Now, you can use mlabel, provided by mtools package to retrieve the existing label. To do so, trigger the folowin command:

$ mlabel -s i:

Depending if the device already had a label or not, mlabel will output either:

Volume has no label

or

Volume label is MY LABEL

Setting a new label

Setting a new label is done via the following command line:

$ mlabel i:”my new label”

Deleting an existing label

Deleting an existing label can be done with:

$ mlabel -c i:

Doing so, you won’t be prompt and the label will be removed.

XFS file system

back to file systems menu

The tool used here is xfs_admin provided by xfsprogs package, so in the first place you need to have it installed:

$ sudo apt-get install xfsprogs

Retrieving an existing label

To retrieve an existing label, run:

$ sudo xfs_admin -l /dev/sdaX

Setting a new label

A new label can be set with this command line:

$ sudo xfs_admin -L “my new label” /dev/sdaX

XFS file system can only hold a label of at most 12 characters, if the label supplied is longer, the label will be truncated and a warning will be printed.

Deleting an existing label

To delete a label, simply supplied an empty label with this command:

$ sudo xfs_admin -L “” /dev/sdaX

JFS file system

back to file systems menu

Here, we are going to use jfs_tune provided by the jfsutils package. Install it with:

$ sudo apt-get install jfsutils

Retrieving an existing label

An existing label can be retrieve with:

$ sudo jfs_tune -l /dev/sdaX | grep label
Volume label: ‘mylabel’

Setting a new label

A new label can be set with the following command line:

$ sudo jfs_tune -L “my new label” /dev/sdaX

JFS file system can only hold a label of at most 16 characters, if the label supplied is longer, the label will be truncated and a warning will be printed.

Deleting a label

A label should be deletable using the following command:

$ sudo jfs_tune -L “” /dev/sdaX

Conclusion

By using labels, you will be able to have your removable device mounted under persistent names as well as more user friendly names.
For instance, having to usb stick plugged in, it will be easier for you to manipulate datas on the right device, if one is mounted under /media/blue-usbstick and the other one under /media/red-usbstick instead or /dev/disk1 and /dev/disk2 (mainly when those names can be swapped depending which device you plugged in first).

A standard Linux system has an incredible amount of files installed. Looking for a file location can be a painful task to do though a file browser.

Fortunately, there is a nifty command line available by default on any Linux distribution: find.

find can virtually find anything on your computer and comes with a lot of options. This tutorial will introduce a basic use of it and show how you can search your filesystem for file names matching a name pattern.

On Debian based distros, find is part of the package findutils. find allow one to search for files on a filesystem based on different condition, creation date, modified date, file size, file type, permissions, name ….

In this tutorial, I will be focused on finding files/directories based on their name, in order to explain in more depth the syntax of find, I will also show how you can narrow down your search by adding condition on size and file modification time.

This will suit most searches, if you need more details, I would recommend looking at the find’s manpage.

1. Find basis

The default syntax of find is as such:

find [path] [expression]

where path is the path used as root for searching pattern and expression the expression we want the file to match.

2. Finding a file based on filename

Let say for instance you want to find all .avi files in users home directories. Search files can be found with the following command:

# find /home -name ‘*.avi’

If you want to search for *.mpg and *.avi files, you will use the following:

find /home -name ‘*.mpg’ -o -name ‘*.avi’

Case insensitive searches can be achieved by using the -iname switch:

find /home -iname ‘*.mpg’ -o -iname ‘*.avi’

3. Adding some more criterias

Those kind of searches might returns far too many results, making it hard to find waht you were looking for in the first place.

Fortunately, you can narrow down the search by adding criteria such as the file size and the file modification date.

Let’search for .avi files bigger than 700M. This can be done with:

find /home/ -name ‘*.avi’ -a -size +700M

Now, let’s find the same subset of files that were modified less than 15 days ago:

find /home/ -name ‘*.avi’ -a -size +700M -mtime -15

4. Adding some actions

Grand, we can now find files based on a subset of criteria. What would be even better is to apply some actions on those files. Action can be done with the use of -exec switch.
We can now find .avi file that are newer that 15 days, in this example, we are going to move those file to another location: /my/new/movies . I consider that this directory already exist on your system.
Moving .avi files bigger than 700M and younger than 15 days to /my/new/movies can be done with:

find /home/ -name ‘*.avi’ -a -size +700M -mtime -15 -exec mv ‘{}’ /my/new/movies/ \;

Mind the use of ‘{}’ and  \; (there is a space before \;).
‘{}’ matches the file that was found, while  \; terminate the exec statement.

5. Conclusion

find is a powerful tool with an extensive set of statement. This article only covered a small subset of available features. For more information on the find command I recommend checking out its man page.

I have wrote a post regarding on how to access ftp host using curl. And this time, let us look at how to mount the ftp host to a local directory on top of FUSE.

FUSE (Filesystem in userland) is a userland build on top of virtual filesystem, it allows you to implement functional filesystem in userspace application. Robson Braga Araujo wrote an app based on fuse and curl that allows you to mount a ftp host to a local directory, curlftpfs.

What is the benefit of mounting ftp host to a local directory?
The most obvious benefit is easing file management in ftp host. After mounting ftp host to a local dir, you can simply copy, move and delete files using command such as cp, mv, rm. You can easily transfer files from your localhost to ftp host and vice versa.

To mount ftp host to your local directory, first you need to create a local directory, I created a folder ‘myftp’ and mounting it like this

sudo curlftpfs -o allow_other ftp://myusername:mypassword@ftp.mydomain.com myftp

As simple as that, you are now able to access your ftp host locally.

How to unmount it?
Unmount works as usual.

sudo umount myftp

The command line is lengthy for me, can I auto mount my ftp host by putting it to /etc/fstab ?
Yes, curlftpfs support that.
Inject this line to /etc/fstab

curlftpfs#myusername:mypassword@ftp.mydomain.com /mnt/myftp fuse allow_other,rw,user,noauto 0 0

With noauto option, this mount point will not be auto mount when your system restart, you need mount it manually. But this time, you do not need to type the long command line, you now can do this:

sudo mount /mnt/myftp

You may observed that I use allow_other in the option, so that I can access /mnt/myftp without need to change myself to root.

Security Issues
Try to run the command line below:

ps aux | grep curlftpfs

OMG! my username and password of my ftp host is visible. I am very sensitive about this, I don’t want it to be so visible, what should I do?

You can create .netrc under root directory and modified the mount line in /etc/fstab.

1. Create /root/.netrc and paste these lines in it.

machine ftp.byexamples.com
login myusername
password mypassword

2. Modified the user mode of the file

sudo chmod o-rw /root/.netrc

3. Modified /etc/fstab

curlftpfs#ftp.mydomain.com /mnt/myftp fuse allow_other,rw,user,noauto 0 0

Although your /root/.netrc is in plain text, but you will need to gain root privilege in order to access the file.

Search though google, there are a tons of tutorial for accessing a remote site through ssh without a password. I found some tutorial gives too much details. Sometimes, detail’s explanation may confuse the beginners. I just want to make things done, I don’t want to know too much about the public key, private key and network authentication’s stuff. Therefore, I am here to provide the clean steps without further explanation .

Let say you want to access to a machine with IP 10.0.0.4, and make sure you have command ssh, ssh-keygen, ssh-copy-id.

First, generate the ‘key’, the key will be used to open the remote machine’s door.

ssh-keygen

You will see something like that

Enter file in which to save the key (/home/myname/.ssh/id_rsa):

Whatever it appears just press enter until it ends, press enter for passphase as well.

Okay, the ‘key’ will be generated, something looks like ~/.ssh/id_rsa.pub

Copy over the ‘key’ to remote machine, and enter your password

ssh-copy-id -i ~/.ssh/id_rsa.pub mysurface@10.0.0.4

Done. Now you can ssh 10.0.0.4 with username mysurface without password.

ssh mysurface@10.0.0.4

1. 安装FCITX包，直接使用sudo apt-get install fcitx即可，现在源中的文件版本是3.4.3
2. 安装im-switch，直接使用sudo apt-get install im-switch即可
3. 因为是英文环境，所以需要修改Xinput文件：
   sudo vi /usr/lib/gtk-2.0/2.10.0/immodule-files.d/libgtk2.0-0.immodules
   在该文件中找到
   “xim” “X Input Method” “gtk20″ “/usr/share/locale” “ko:ja:th:zh”
   替换为：
   “xim” “X Input Method” “gtk20″ “/usr/share/locale” “en:ko:ja:th:zh”
4. im-switch -s fcitx
5. 重新启动Xwindow即可

A very common operation with strings, is to tokenize it with a delimiter of your own choice. This way you can easily split the string up in smaller pieces, without fiddling with the find() methods too much. In C, you could use strtok() for character arrays, but no equal function exists for strings. This means you have to make your own. Here is a couple of suggestions, use what suits your best.

The advanced tokenizer:

void Tokenize(const string& str,
vector& tokens,
const string& delimiters = ” “)
{
// Skip delimiters at beginning.
string::size_type lastPos = str.find_first_not_of(delimiters, 0);
// Find first “non-delimiter”.
string::size_type pos = str.find_first_of(delimiters, lastPos);

while (string::npos != pos || string::npos != lastPos)
{
// Found a token, add it to the vector.
tokens.push_back(str.substr(lastPos, pos – lastPos));
// Skip delimiters. Note the “not_of”
lastPos = str.find_first_not_of(delimiters, pos);
// Find next “non-delimiter”
pos = str.find_first_of(delimiters, lastPos);
}
}

The tokenizer can be used in this way:

#include
#include
#include

using namespace std;

int main()
{
vector tokens;

string str(“Split me up! Word1 Word2 Word3.”);

Tokenize(str, tokens);

copy(tokens.begin(), tokens.end(), ostream_iterator(cout, “, “));
}

The above code will use the Tokenize function, take the first argument str and split it up. And because we didn’t supply a third parameter to the function, it will use the default delimiter ” “, that is – a whitespace. All elements will be inserted into the vector tokens we created.

In the end we copy() the whole vector to standard out, just to see the contents of the vector on the screen.

Another approach is to let stringstreams do the work. streams in C++ have the special ability, that they read until a whitespace, meaning the following code works if you only want to split on spaces:

#include
#include
#include

using namespace std;

int main()
{
string str(“Split me by whitespaces”);
string buf; // Have a buffer string
stringstream ss(str); // Insert the string into a stream

vector tokens; // Create vector to hold our words

while (ss >> buf)
tokens.push_back(buf);
}

And that’s it! The stringstream will use the output operator (>>) and put a string into buf everytime a whitespace is met, buf is then used to push_back() into the vector. And afterwards our vector tokens will contain all the words in str.

现代计算机中内存空间都是按照byte划分的，从理论上讲似乎对任何类型的变量的访问可以从任何地址开始，但实际情况是在访问特定类型变量的时候经常在特定的内存地址访问，这就需要各种类型数据按照一定的规则在空间上排列，而不是顺序的一个接一个的排放，这就是对齐。
对齐的作用和原因：各个硬件平台对存储空间的处理上有很大的不同。一些平台对某些特定类型的数据只能从某些特定地址开始存取。比如有些架构的CPU在访问一个没有进行对齐的变量的时候会发生错误,那么在这种架构下编程必须保证字节对齐.其他平台可能没有这种情况，但是最常见的是如果不按照适合其平台要求对数据存放进行对齐，会在存取效率上带来损失。比如有些平台每次读都是从偶地址开始，如果一个int型（假设为32位系统）如果存放在偶地址开始的地方，那么一个读周期就可以读出这32bit，而如果存放在奇地址开始的地方，就需要2个读周期，并对两次读出的结果的高低字节进行拼凑才能得到该32bit数据。显然在读取效率上下降很多。
二.字节对齐对程序的影响:

先让我们看几个例子吧(32bit,x86环境,gcc编译器):
设结构体如下定义：
struct A
{
int a;
char b;
short c;
};
struct B
{
char b;
int a;
short c;
};
现在已知32位机器上各种数据类型的长度如下:
char:1(有符号无符号同)
short:2(有符号无符号同)
int:4(有符号无符号同)
long:4(有符号无符号同)
float:4 double:8
那么上面两个结构大小如何呢?
结果是:
sizeof(strcut A)值为8
sizeof(struct B)的值却是12

结构体A中包含了4字节长度的int一个，1字节长度的char一个和2字节长度的short型数据一个,B也一样;按理说A,B大小应该都是7字节。
之所以出现上面的结果是因为编译器要对数据成员在空间上进行对齐。上面是按照编译器的默认设置进行对齐的结果,那么我们是不是可以改变编译器的这种默认对齐设置呢,当然可以.例如:
#pragma pack (2) /*指定按2字节对齐*/
struct C
{
char b;
int a;
short c;
};
#pragma pack () /*取消指定对齐，恢复缺省对齐*/
sizeof(struct C)值是8。
修改对齐值为1：
#pragma pack (1) /*指定按1字节对齐*/
struct D
{
char b;
int a;
short c;
};
#pragma pack () /*取消指定对齐，恢复缺省对齐*/
sizeof(struct D)值为7。
后面我们再讲解#pragma pack()的作用.
三.编译器是按照什么样的原则进行对齐的?

先让我们看四个重要的基本概念：
1.数据类型自身的对齐值：
对于char型数据，其自身对齐值为1，对于short型为2，对于int,float,double类型，其自身对齐值为4，单位字节。
2.结构体或者类的自身对齐值：其成员中自身对齐值最大的那个值。
3.指定对齐值：#pragma pack (value)时的指定对齐值value。
4.数据成员、结构体和类的有效对齐值：自身对齐值和指定对齐值中小的那个值。
有了这些值，我们就可以很方便的来讨论具体数据结构的成员和其自身的对齐方式。有效对齐值N是最终用来决定数据存放地址方式的值，最重要。有效对齐N，就是表示“对齐在N上”，也就是说该数据的”存放起始地址%N=0″.而数据结构中的数据变量都是按定义的先后顺序来排放的。第一个数据变量的起始地址就是数据结构的起始地址。结构体的成员变量要对齐排放，结构体本身也要根据自身的有效对齐值圆整(就是结构体成员变量占用总长度需要是对结构体有效对齐值的整数倍，结合下面例子理解)。这样就不能理解上面的几个例子的值了。
例子分析：
分析例子B；
struct B
{
char b;
int a;
short c;
};
假设B从地址空间0×0000开始排放。该例子中没有定义指定对齐值，在笔者环境下，该值默认为4。第一个成员变量b的自身对齐值是1，比指定或者默认指定对齐值4小，所以其有效对齐值为1，所以其存放地址0×0000符合0×0000%1=0.第二个成员变量a，其自身对齐值为4，所以有效对齐值也为4，所以只能存放在起始地址为0×0004到0×0007这四个连续的字节空间中，复核0×0004%4=0,且紧靠第一个变量。第三个变量c,自身对齐值为 2，所以有效对齐值也是2，可以存放在0×0008到0×0009这两个字节空间中，符合0×0008%2=0。所以从0×0000到0×0009存放的都是B内容。再看数据结构B的自身对齐值为其变量中最大对齐值(这里是b）所以就是4，所以结构体的有效对齐值也是4。根据结构体圆整的要求， 0×0009到0×0000=10字节，（10＋2）％4＝0。所以0×0000A到0×000B也为结构体B所占用。故B从0×0000到0×000B 共有12个字节,sizeof(struct B)=12;其实如果就这一个就来说它已将满足字节对齐了, 因为它的起始地址是0,因此肯定是对齐的,之所以在后面补充2个字节,是因为编译器为了实现结构数组的存取效率,试想如果我们定义了一个结构B的数组,那么第一个结构起始地址是0没有问题,但是第二个结构呢?按照数组的定义,数组中所有元素都是紧挨着的,如果我们不把结构的大小补充为4的整数倍,那么下一个结构的起始地址将是0×0000A,这显然不能满足结构的地址对齐了,因此我们要把结构补充成有效对齐大小的整数倍.其实诸如:对于char型数据，其自身对齐值为1，对于short型为2，对于int,float,double类型，其自身对齐值为4，这些已有类型的自身对齐值也是基于数组考虑的,只是因为这些类型的长度已知了,所以他们的自身对齐值也就已知了.
同理,分析上面例子C：
#pragma pack (2) /*指定按2字节对齐*/
struct C
{
char b;
int a;
short c;
};
#pragma pack () /*取消指定对齐，恢复缺省对齐*/
第一个变量b的自身对齐值为1，指定对齐值为2，所以，其有效对齐值为1，假设C从0×0000开始，那么b存放在0×0000，符合0×0000%1= 0;第二个变量，自身对齐值为4，指定对齐值为2，所以有效对齐值为2，所以顺序存放在0×0002、0×0003、0×0004、0×0005四个连续字节中，符合0×0002%2=0。第三个变量c的自身对齐值为2，所以有效对齐值为2，顺序存放
在0×0006、0×0007中，符合 0×0006%2=0。所以从0×0000到0×00007共八字节存放的是C的变量。又C的自身对齐值为4，所以C的有效对齐值为2。又8%2=0,C 只占用0×0000到0×0007的八个字节。所以sizeof(struct C)=8.
四.如何修改编译器的默认对齐值?

1.在VC IDE中，可以这样修改：[Project]|[Settings],c/c++选项卡Category的Code Generation选项的Struct Member Alignment中修改，默认是8字节。
2.在编码时，可以这样动态修改：#pragma pack .注意:是pragma而不是progma.
五.针对字节对齐,我们在编程中如何考虑?

如果在编程的时候要考虑节约空间的话,那么我们只需要假定结构的首地址是0,然后各个变量按照上面的原则进行排列即可,基本的原则就是把结构中的变量按照类型大小从小到大声明,尽量减少中间的填补空间.还有一种就是为了以空间换取时间的效率,我们显示的进行填补空间进行对齐,比如:有一种使用空间换时间做法是显式的插入reserved成员：
struct A{
char a;
char reserved[3];//使用空间换时间
int b;
}

reserved成员对我们的程序没有什么意义,它只是起到填补空间以达到字节对齐的目的,当然即使不加这个成员通常编译器也会给我们自动填补对齐,我们自己加上它只是起到显式的提醒作用.
六.字节对齐可能带来的隐患:

代码中关于对齐的隐患，很多是隐式的。比如在强制类型转换的时候。例如：
unsigned int i = 0×12345678;
unsigned char *p=NULL;
unsigned short *p1=NULL;

p=&i;
*p=0×00;
p1=(unsigned short *)(p+1);
*p1=0×0000;
最后两句代码，从奇数边界去访问unsignedshort型变量，显然不符合对齐的规定。
在x86上，类似的操作只会影响效率，但是在MIPS或者sparc上，可能就是一个error,因为它们要求必须字节对齐.
七.如何查找与字节对齐方面的问题:

如果出现对齐或者赋值问题首先查看
1. 编译器的big little端设置
2. 看这种体系本身是否支持非对齐访问
3. 如果支持看设置了对齐与否,如果没有则看访问时需要加某些特殊的修饰来标志其特殊访问操作。

八.相关文章:转自http://blog.csdn.net/goodluckyxl/archive/2005/10/17/506827.aspx

ARM下的对齐处理
from DUI0067D_ADS1_2_CompLib

3.13 type qulifiers

有部分摘自ARM编译器文档对齐部分

对齐的使用:
1.__align(num)
这个用于修改最高级别对象的字节边界。在汇编中使用LDRD或者STRD时
就要用到此命令__align(8)进行修饰限制。来保证数据对象是相应对齐。
这个修饰对象的命令最大是8个字节限制,可以让2字节的对象进行4字节
对齐,但是不能让4字节的对象2字节对齐。
__align是存储类修改,他只修饰最高级类型对象不能用于结构或者函数对象。

2.__packed
__packed是进行一字节对齐
1.不能对packed的对象进行对齐
2.所有对象的读写访问都进行非对齐访问
3.float及包含float的结构联合及未用__packed的对象将不能字节对齐
4.__packed对局部整形变量无影响
5.强制由unpacked对象向packed对象转化是未定义,整形指针可以合法定
义为packed。
__packed int* p; //__packed int 则没有意义
6.对齐或非对齐读写访问带来问题
__packed struct STRUCT_TEST
{
char a;
int b;
char c;
} ; //定义如下结构此时b的起始地址一定是不对齐的
//在栈中访问b可能有问题,因为栈上数据肯定是对齐访问[from CL]
//将下面变量定义成全局静态不在栈上
static char* p;
static struct STRUCT_TEST a;
void Main()
{
__packed int* q; //此时定义成__packed来修饰当前q指向为非对齐的数据地址下面的访问则可以

p = (char*)&a;
q = (int*)(p+1);

*q = 0×87654321;
/*
得到赋值的汇编指令很清楚
ldr r5,0×20001590 ; = #0×12345678
[0xe1a00005] mov r0,r5
[0xeb0000b0] bl __rt_uwrite4 //在此处调用一个写4byte的操作函数

[0xe5c10000] strb r0,[r1,#0] //函数进行4次strb操作然后返回保证了数据正确的访问
[0xe1a02420] mov r2,r0,lsr #8
[0xe5c12001] strb r2,[r1,#1]
[0xe1a02820] mov r2,r0,lsr #16
[0xe5c12002] strb r2,[r1,#2]
[0xe1a02c20] mov r2,r0,lsr #24
[0xe5c12003] strb r2,[r1,#3]
[0xe1a0f00e] mov pc,r14
*/

/*
如果q没有加__packed修饰则汇编出来指令是这样直接会导致奇地址处访问失败
[0xe59f2018] ldr r2,0×20001594 ; = #0×87654321
[0xe5812000] str r2,[r1,#0]
*/
//这样可以很清楚的看到非对齐访问是如何产生错误的
//以及如何消除非对齐访问带来问题
//也可以看到非对齐访问和对齐访问的指令差异导致效率问题
}

mysql> desc test;
+——-+————-+——+—–+———+——-+
| Field | Type | Null | Key | Default | Extra |
+——-+————-+——+—–+———+——-+
| uid | int(11) | NO | PRI | | |
| uname | varchar(20) | YES | | NULL | |
+——-+————-+——+—–+———+——-+
2 rows in set (0.00 sec)

mysql> select * from test;
+—–+——–+
| uid | uname |
+—–+——–+
| 1 | uname1 |
| 2 | uname2 |
| 3 | me |
+—–+——–+
3 rows in set (0.00 sec)

mysql> INSERT INTO test values ( 3,’insertName’ )
-> ON DUPLICATE KEY UPDATE uname=’updateName’;
Query OK, 2 rows affected (0.03 sec)

mysql> select * from test;+—–+————+
| uid | uname |
+—–+————+
| 1 | uname1 |
| 2 | uname2 |
| 3 | updateName |
+—–+————+
3 rows in set (0.00 sec)

mysql> create index i_test_uname on test(uname);
Query OK, 3 rows affected (0.20 sec)
Records: 3 Duplicates: 0 Warnings: 0

mysql> INSERT INTO test VALUES ( 1 , ‘uname2′) -> ON DUPLICATE KEY UPDATE uname=’update2records’;Query OK, 2 rows affected (0.00 sec)

mysql> select * from test;+—–+—————-+
| uid | uname |
+—–+—————-+
| 2 | uname2 |
| 1 | update2records |
| 3 | updateName |
+—–+—————-+
3 rows in set (0.00 sec)

插入时会与两条记录发生冲突，分别由主键和唯一索引引起。但最终只UPDATE了其中一条。这在手册中也说明了，有多个唯一索引（或者有键也有唯一索引）的情况下，不建议使用该语句。

but you can’t just cast a member function to a pointer, because the member function need context.

But there is a way to make it real:

Define the function pointer:

typedef int (CGameObject::*TClassCmdFunc)(DWORD param1);


this line define a function pointer for the CGameObject class member function

class CGameObject
{
int OneFunction(DWORD param1);
};


when you use it, you need save the pointer to the class object instance and this function pointer:

CGameObject* pObject = &SomeGameObject;
TClassCmdFunc func = (TClassCmdFunc)&CGameObject::OneFunction;


and when U use it, do this:

(pObject->*func)(param1);


当游戏服务器群达到一定规模后，让用户只从一个入口连入会给这个入口带来很大的压力。这样，我们就需要让服务器群中的多台机器都允许用户直接连接。

当服务器开放给用户直接登陆后，必须面临的一个问题就是用户身份认证的问题。

大多数提供网络服务的公司都做了一套统一的用户认证系统，比如微软的 passport ，网易的通行证，等等。为了避免重复验证用户身份而给用户认证系统带来过大的负担，云风在这里给出一个参考解决方案。

登陆服务器可以只有一台，专门用于用户第一次登陆的身份认证。它认证完用户的身份后，则发放一个游戏系统内部用的临时通行证给用户，用户可以拿着这个临时通行证到指定的地点玩游戏。

我们需要讨论的是，以上流程中的安全问题，以及如何加强安全性。

用户认证过程自然不能传送用户密码的全部信息，这跟密码是否加密无关。简单的安全措施是先由登陆服务器发送一个随机串给用户，用户把这个字符串同自己的密码连接起来，并 md5 以后传回服务器做验证。（这里用 md5 指代一种特定的不可逆 hash 算法）

临时通行证的生成可以是这样：登陆服务器从数据库中取得用户所属的服务器 id （通常是他最后一次登陆的位置，或者游戏逻辑认为他所在位置）、用户的游戏 id （往往不同于他的用户名）、一个约定字符串、一个顺序版本号、一些随机字节、把它们连在作一次 des 加密（这里用 des 指代一种特定的可逆密匙加密算法）。每生成一次临时通行证，版本号递增。加密临时通行证的密码由登陆服务器与每个可以接受用户直接连接的服务器约定，永远不传送给用户。

用户拿到这个临时通行证后，可以用之一次性登陆指定服务器。直到从服务器正常登出，若需切入新服务器，可由老服务器生成下一份临时通行证。临时通行证由于被服务器加密，所以对用户来说是一串无意义字符串，所以无法伪造。

临时通行证传送给用户时，可用用户自己的密码之 md5 值（或者连接一个约定串增加安全性）做密匙加密。这样不知道密匙的人截获数据包也不能获得临时身份证。而临时身份证总是一次有效，且只针对特定服务器（服务器会检查临时通行证中包含的版本号、服务器 id ），企图用临时身份证多次登陆也会失败。

以前用VC6和VS2003的话, 如果缺少库文件，是会提示缺少“**.dll”，但是用VS2005却没有这样的提示。

自己实验了一下，感觉以下几种解决办法是可行的：
方法一：
在类似C:\Program Files\Microsoft Visual Studio 8\VC\redi
st\Debug_NonRedist\x86\Microsoft.VC80.DebugCRT 下找到了下列文件：

msvcm80d.dll
msvcp80d.dll
msvcr80d.dll
Microsoft.VC80.DebugCRT.manifest

把这几个文件拷贝到目标机器上，与运行程序同一文件夹或放到system32下，就可以正确运行了。

其他release版、MFC程序什么的都是拷redist下相应文件夹下的文件就可以了,文件夹后都有标识!

方法二：
修改编译选项，将/MD或/MDd 改为 /MT或/MTd，这样就实现了对VC运行时库的静态链接，在运行时就不再需要VC的dll了。

方法三:

工程－》属性－》配置属性－》常规－》MFC的使用，选择“在静态库中使用mfc”
这样生成的exe文件应该就可以在其他机器上跑了。

方法四:

你的vc8安装盘上找到再分发包vcredist_xxx.exe和你的程序捆绑安装

`make’ uses the last modification time on the files to
figure out what to build. For example, if the modification
time of a.c is later than the modification time of a.out,
then a.c needs to me recomplied to create a new a.out.

Sometimes the last modified time on the files is wrong:
because it is greater than the time of day clock. `make’
then issues the above message.

Given a standard make system, the quickest fix is:

cd directory
# Remove output files
make clean
# Put timestamps on all files equal to current time
find . -exec touch {} \;
# Rebuild all output files
make

You usually see these sort of problems in programming
enviroments that use NFS to share files but don’t sync
clocks using NTP.

Similarly, if you wind the clock back you will see these
messages. For that reason, when you wind back the clock
a moderate amount most UNIXen slow the clock ticks rather
than turn back time.

许多Visual C++的使用者都碰到过LNK2005:symbol already defined和LNK1169:one or more multiply defined symbols found这样的链接错误，而且通常是在使用第三方库时遇到的。对于这个问题，有的朋友可能不知其然，而有的朋友可能知其然却不知其所以然，那么本文就试图为大家彻底解开关于它的种种疑惑。

大家都知道，从C/C++源程序到可执行文件要经历两个阶段:(1)编译器将源文件编译成汇编代码，然后由汇编器(assembler)翻译成机器指令 (再加上其它相关信息)后输出到一个个目标文件(object file,VC的编译器编译出的目标文件默认的后缀名是.obj)中；(2)链接器(linker)将一个个的目标文件(或许还会有若干程序库)链接在一起生成一个完整的可执行文件。

编译器编译源文件时会把源文件的全局符号(global symbol)分成强(strong)和弱(weak)两类传给汇编器，而随后汇编器则将强弱信息编码并保存在目标文件的符号表中。那么何谓强弱呢？编译器认为函数与初始化了的全局变量都是强符号，而未初始化的全局变量则成了弱符号。比如有这么个源文件:

extern int errorno;
int buf[2] = {1,2};
int *p;

int main()
{
return 0;
}

其中main、buf是强符号，p是弱符号，而errorno则非强非弱，因为它只是个外部变量的使用声明。

有了强弱符号的概念，链接器(Unix平台)就会按如下规则(参考[1]，p549~p550)处理与选择被多次定义的全局符号:

规则1: 不允许强符号被多次定义(即不同的目标文件中不能有同名的强符号)；

规则2: 如果一个符号在某个目标文件中是强符号，在其它文件中都是弱符号，那么选择强符号；

规则3: 如果一个符号在所有目标文件中都是弱符号，那么选择其中任意一个；

虽然上述3条针对的是Unix平台的链接器，但据作者试验，至少VC6.0的linker也遵守这些规则。由此可知多个目标文件不能重复定义同名的函数与初始化了的全局变量，否则必然导致LNK2005和LNK1169两种链接错误。可是，有的时候我们并没有在自己的程序中发现这样的重定义现象，却也遇到了此种链接错误，这又是何解？嗯，问题稍微有点儿复杂，容我慢慢道来。

众所周知，ANSI C/C++ 定义了相当多的标准函数，而它们又分布在许多不同的目标文件中，如果直接以目标文件的形式提供给程序员使用的话，就需要他们确切地知道哪个函数存在于哪个目标文件中，并且在链接时显式地指定目标文件名才能成功地生成可执行文件，显然这是一个巨大的负担。所以C语言提供了一种将多个目标文件打包成一个文件的机制，这就是静态程序库(static library)。开发者在链接时只需指定程序库的文件名，链接器就会自动到程序库中寻找那些应用程序确实用到的目标模块，并把(且只把)它们从库中拷贝出来参与构建可执行文件。几乎所有的C/C++开发系统都会把标准函数打包成标准库提供给开发者使用(有不这么做的吗？)。

程序库为开发者带来了方便，但同时也是某些混乱的根源。我们来看看链接器(Unix平台)是如何解析(resolve)对程序库的引用的(参考[1]，p556)。

在符号解析(symbol resolution)阶段，链接器按照所有目标文件和库文件出现在命令行中的顺序从左至右依次扫描它们，在此期间它要维护若干个集合:(1)集合E是将被合并到一起组成可执行文件的所有目标文件集合；(2)集合D是所有之前已被加入E的目标文件定义的符号集合；(3)集合U是未解析符号 (unresolved symbols，即那些被E中目标文件引用过但在D中还不存在的符号)的集合。一开始，E、D、U都是空的。

(1): 对命令行中的每一个输入文件f，链接器确定它是目标文件还是库文件，如果它是目标文件，就把f加入到E，并把f中未解析的符号和已定义的符号分别加入到U、D集合中，然后处理下一个输入文件。

(2): 如果f是一个库文件，链接器会尝试把U中的所有未解析符号与f中各目标模块定义的符号进行匹配。如果某个目标模块m定义了一个U中的未解析符号，那么就把 m加入到E中，并把m中未解析的符号和已定义的符号分别加入到U、D集合中。不断地对f中的所有目标模块重复这个过程直至到达一个不动点(fixed point)，此时U和D不再变化。而那些未加入到E中的f里的目标模块就被简单地丢弃，链接器继续处理下一输入文件。

(3): 当扫描完所有输入文件时如果U非空或者有同名的符号被多次加入D，链接器报告错误信息并退出。否则，它把E中的所有目标文件合并在一起生成可执行文件。

上述规则针对的是Unix平台链接器，而VC(至少VC6.0)linker则有相当的不同: 它首先依次处理命令行中出现的所有目标文件，然后依照顺序不停地扫描所有的库文件，直至U为空或者某遍(从头到尾依次把所有的库文件扫描完称为一遍)扫描过程中U、D无任何变化时结束扫描，此刻再根据U是否为空以及是否有同名符号重复加入D来决定是出错退出还是生成可执行文件。很明显Unix链接器对输入文件在命令行中出现的顺序十分敏感，而VC的算法则可最大限度地减少文件顺序对链接的影响。作者不清楚Unix下新的开发工具是否已经改进了相应的做法，欢迎有实践经验的朋友补充这方面的信息(补充于2005年10月10日: 经试验，使用gcc 3.2.3的MinGW 3.1.0的链接器表现与参考[1]描述的一致)。

VC带的编译器是cl.exe，它有这么几个与标准程序库有关的选项: /ML、/MLd、/MT、/MTd、/MD、/MDd。这些选项告诉编译器应用程序想使用什么版本的C标准程序库。/ML(缺省选项)对应单线程静态版的标准程序库(libc.lib)；/MT对应多线程静态版标准库(libcmt.lib)，此时编译器会自动定义_MT宏；/MD对应多线程DLL版 (导入库msvcrt.lib，DLL是msvcrt.dll)，编译器自动定义_MT和_DLL两个宏。后面加d的选项都会让编译器自动多定义一个 _DEBUG宏，表示要使用对应标准库的调试版，因此/MLd对应调试版单线程静态标准库(libcd.lib)，/MTd对应调试版多线程静态标准库 (libcmtd.lib)，/MDd对应调试版多线程DLL标准库(导入库msvcrtd.lib，DLL是msvcrtd.dll)。虽然我们的确在编译时明白无误地告诉了编译器应用程序希望使用什么版本的标准库，可是当编译器干完了活，轮到链接器开工时它又如何得知一个个目标文件到底在思念谁？为了传递相思，我们的编译器就干了点秘密的勾当。在cl编译出的目标文件中会有一个专门的区域(关心这个区域到底在文件中什么地方的朋友可以参考COFF和 PE文件格式)存放一些指导链接器如何工作的信息，其中有一项就叫缺省库(default library)，它指定了若干个库文件名，当链接器扫描该目标文件时将按照它们在目标模块中出现的顺序处理这些库名: 如果该库在当前输入文件列表中还不存在，那么便把它加入到输入文件列表末尾，否则略过。说到这里，我们先来做个小实验。写个顶顶简单的程序，然后保存为 main.c :

/* main.c */
int main() { return 0; }

用下面这个命令编译main.c(什么？你从不用命令行来编译程序？这个……) :

cl /c main.c

/c 是告诉cl只编译源文件，不用链接。因为/ML是缺省选项，所以上述命令也相当于: cl /c /ML main.c 。如果没什么问题的话(要出了问题才是活见鬼！当然除非你的环境变量没有设置好，这时你应该去VC的bin目录下找到vcvars32.bat文件然后运行它。)，当前目录下会出现一个main.obj文件，这就是我们可爱的目标文件。随便用一个文本编辑器打开它(是的，文本编辑器，大胆地去做别害怕)，搜索”defaultlib”字符串，通常你就会看到这样的东西: “-defaultlib:LIBC -defaultlib:OLDNAMES”。啊哈，没错，这就
是保存在目标文件中的缺省库信息。我们的目标文件显然指定了两个缺省库，一个是单线程静态版标准库libc.lib(这与/ML选项相符)；一个是oldnames.lib(它是为了兼容微软以前的C/C++开发系统，基本不用了，为了简化讨论可以忽略它)。另外，如果在源程序中用了

/* xxxx代表实际的库文件名 */
#pragma comment(lib,”xxxx”)

编译指示命令(compiler directive)指定要链接的库，那么这个信息也会被保存到目标文件的缺省库信息项中，且位于缺省标准库之前。如果有多个这样的命令，那么对应库名在目标文件中出现的顺序与它们在源程序中出现的顺序完全一致(且都在缺省标准库之前)。

VC的链接器是link.exe，因为main.obj保存了缺省库信息，所以可以用

link main.obj libc.lib

或者

link main.obj

来生成可执行文件main.exe，这两个命令是等价的。但是如果你用

link main.obj libcd.lib

的话，链接器会给出一个警告: “warning LNK4098: defaultlib “LIBC” conflicts with use of other libs; use /NODEFAULTLIB:library”，因为你显式指定的标准库版本与目标文件的缺省值不一致。通常来说，应该保证链接器合并的所有目标文件指定的缺省标准库版本一致，否则编译器一定会给出上面的警告，而LNK2005和LNK1169链接错误则有时会出现有时不会。那么这个有时到底是什么时候？呵呵，别着急，下面的一切正是为喜欢追根究底的你准备的。

建一个源文件，就叫mylib.c，内容如下:

/* mylib.c */
#include

void foo(void)
{
printf(“%s”,”I am from mylib!\n”);
}

用

cl /c /MLd mylib.c

命令编译，注意/MLd选项是指定libcd.lib为默认标准库。lib.exe是VC自带的用于将目标文件打包成程序库的命令，所以我们可以用

lib /OUT:my.lib mylib.obj

将mylib.obj打包成库，输出的库文件名是my.lib。接下来把main.c改成:

/* main.c */
void foo(void);

int main()
{
foo();
return 0;
}

用

cl /c main.c

编译，然后用

link main.obj my.lib

进行链接。这个命令能够成功地生成main.exe而不会产生LNK2005和LNK1169链接错误，你仅仅是得到了一条警告信息:”warning LNK4098: defaultlib “LIBCD” conflicts with use of other libs; use /NODEFAULTLIB:library”。我们根据前文所述的扫描规则来分析一下链接器此时做了些啥(加一个/VERBOSE选项就可以看到详尽的链接过程，但要注意，几乎所有的C编译器都会在符号前加一个下划线后再输出，所以在目标文件和链接输出信息中看到的符号名都比在源程序中见到的多出一个 ‘_’，此点不可不察。)。

一开始E、U、D都是空集。链接器首先扫描main.obj，把它的默认标准库libc.lib加入到输入文件列表末尾，它自己加入E集合，同时未解析的 foo加入U，main加入D。接着扫描my.lib，因为这是个库，所以会拿当前U中的所有符号(当然现在就一个foo)与my.lib中的所有目标模块(当然也只有一个mylib.obj)依次匹配，看是否有模块定义了U中的符号。结果mylib.obj确实定义了foo，于是它加入到E，foo从U 转移到D，未解析的printf加入到U，指定的默认标准库libcd.lib也加到输入文件列表末尾(在libc.lib之后)。不断地在my.lib 库的各模块上进行迭代以匹配U中的符号，直到U、D都不再变化。很明显，现在就已经到达了这么一个不动点，所以接着扫描下一个输入文件，就是 libc.lib。链接器发现libc.lib里的printf.obj里定义有printf，于是printf从U移到D，printf.obj加入到 E，它定义的所有符号加入到D，它里头的未解析符号加入到U。如果链接时没有指定/ENTRY(程序入口点选项)，那么链接器默认的入口点就是函数 mainCRTStartup(GUI程序的默认入口点则是WinMainCRTStartup)，它在crt0.obj中被定义，所以crt0.obj 及它直接或间接引用的模块(比如malloc.obj、free.obj等)都被加入到E中，这些目标模块指定的默认库(只crt0init.obj指定了kernel32.lib)加到输入文件列表末尾，同时更新U和D。不断匹配libc.lib中各模块直至到达不动点，然后处理libcd.lib，但是它里面的所有目标模块都没有定义U中的任何一个符号，所以链接器略过它进入到最后一个输入文件kernel32.lib。事实上，U中已有和将要加入的未解析符号都可以在其中找到定义，那么当处理完kernel32.lib时，U必然为空，于是链接器合并E中的所有模块生成可执行文件。

上文描述了虽然各目标模块指定了不同版本的缺省标准库但仍然链接成功的例子，接下来你将目睹因为这种不严谨而导致的悲惨失败。

修改mylib.c成这个样子:

#include

void foo(void)
{
// just a test , don’t care memory leak
_malloc_dbg( 1, _NORMAL_BLOCK, __FILE__, __LINE__ );
}

其中_malloc_dbg不是ANSI C的标准库函数，它是VC标准库提供的malloc的调试版，与相关函数配套能帮助开发者抓各种内存错误。使用它一定要定义_DEBUG宏，否则预处理器会把它自动转为malloc。继续用

cl /c /MLd mylib.c
lib /OUT:my.lib mylib.obj

编译打包。当再次用

link main.obj my.lib

进行链接时，我们看到了什么？天哪，一堆的LNK2005加上个贵为”fatal error”的LNK1169垫底，当然还少不了那个LNK4098。链接器是不是疯了？不，你冤枉可怜的链接器了，我拍胸脯保证它可是一直在尽心尽责地照章办事。

一开始E、U、D为空，链接器扫描main.obj，把libc.lib加到输入文件列表末尾，把main.obj加进E，把foo加进U，把main加进D。接着扫描my.lib，于是mylib.obj加入E，libcd.lib加到输入文件列表末尾，foo从U转移到D，_malloc_dbg加进 U。然后扫描libc.lib，这时会发现libc.lib里任何一个目标模块都没有定义_malloc_dbg(它只在调试版的标准库中存在)，所以不会有任何一个模块因为_malloc_dbg而加入E。但因为libc.lib中的crt0.obj定义了默认入口点函数mainCRTStartup，所以crt0.obj及它直接或间接引用的模块(比如malloc.obj、free.obj等)都被加入到E中，这些目标模块指定的默认库(只 crt0init.obj指定了kernel32.lib)加到输入文件列表末尾，同时更新U和D。不断匹配libc.lib中各模块直至到达不动点后再处理libcd.lib，发现dbgheap.obj定义了_malloc_dbg，于是dbgheap.obj加入到E，它的未解析符号加入U，它定义的所有其它符号加入D，这时灾难便来了。之前malloc等符号已经在D中(随着libc.lib里的malloc.obj加入E而加入的)，而 dbgheap.obj及因它而引入的其它模块又定义了包括malloc在内的许多同名符号，导致了重定义冲突。所以链接器在处理完所有输入文件(是的，即使中途有重定义冲突它也会处理所有的文件以便生成一个完整的冲突列表)后只好报告: 这活儿没法儿干。

现在我们该知道，链接器完全没有责任，责任在我们自己的身上。是我们粗心地把缺省标准库版本不一致的目标文件(main.obj)与程序库 (my.lib)链接起来，引发了大灾难。解决办法很简单，要么用/MLd选项来重编译main.c；要么用/ML选项重编译mylib.c；再或者干脆在链接时用/NODEFAULTLIB:XXX选项忽略默认库XXX，但这种方法非常不保险(想想为什么？)，所以不推荐。

在上述例子中，我们拥有库my.lib的源代码(mylib.c)，所以可以用不同的选项重新编译这些源代码并再次打包。可如果使用的是第三方的库，它并没有提供源代码，那么我们就只有改变自己程序的编译选项来适应这些库了。但是如何知道库中目标模块指定的默认库呢？其实VC提供的一个小工具便可以完成任务，这就是dumpbin.exe。运行下面这个命令

dumpbin /DIRECTIVES my.lib

然后在输出中找那些”Linker Directives”引导的信息，你一定会发现每一处这样的信息都会包含若干个类似”-defaultlib:XXXX”这样的字符串，其中XXXX便代表目标模块指定的缺省库名(注意，如果在编译时指定了/Zl选项，那么目标模块中将不会有defaultlib信息)。

知道了第三方库指定的默认标准库，再用合适的选项编译我们的应用程序，就可以避免LNK2005和LNK1169链接错误。喜欢IDE的朋友，你一样可以到 “Project属性” -> “C/C++” -> “代码生成(code generation)” -> “运行时库(run-time library)” 项下设置应用程序的默认标准库版本，这与命令行选项的效果是一样的。

参考资料:

[1] 《Computer Systems: A Programmer’s Perspective》
著: Randal E. Bryant, David R. O’Hallaron
电子工业出版社，2004