maf

Oh, I don't dislike them. I love them actually. I just wish that vulkan drivers loved them as much as I do :P

I think of demoscene, game jams, desktop pets and other sorts of small home-brew software written by & for small groups of people. There is nothing embarrassing about one-off programs. I understand that what you said is just a figure of speech and you don't really think so (and thank you for a well thought comment) but it still makes me kind of sad to see this kind of shaming. It's discouraging people from being creative.

I'd say my bar is already low. A toy GUI program that draws a triangle and plays a sound should work on my friend's machine (with a different set of system libraries) and it shouldn't randomly break when OS update bumps some library version. AFAIK something like that would require a static binary (INTERP is a no-go) and an ability to dlopen stuff at runtime.

Writing software that "just works" shouldn't be as hard as it is.

I'll also add that I'm aware of glibc's stance on dynamic linking from static binaries. I don't buy the whole NSS argument. It's easily solvable by a basic request/response protocol through some local socket. IMO that argument is just a cheap excuse to justify status quo.

You can try the "Advanced Search" below the predefined search presets now. It requires some understanding of JavaScript but should be fairly flexible. Unfortunately I didn't figure out any JavaScript-free interface :/

Unfortunately not. Somebody also asked me about finding the best fighters elsewhere. Like you say, it would be cool to be able to search for any trait combination. I think that would be more general and also easier to understand. Also requesting specific pals or using some custom scoring functions would be nice.

I'm still thinking how to do this. Maybe the user could write a snippet of JavaScript and the C++ side could call it to score the Pals... It would be pretty flexible but also rather difficult to use... I'm traveling so I can only theorize now. If you have any ideas, let me know. I'll probably have some time to code tomorrow.

Update: it was a bit of work but should be working now :) Drag the Level.sav file from %LOCALAPPDATA%\Pal\Saved\SaveGames\ onto the page and it should load all of your Pals automatically. Thanks for the tip!

I just looked at https://github.com/cheahjs/palworld-save-tools and I guess it should be possible :) Palworld uses a format called gvas (part of Unreal Engine) which seems to be a zlib-compressed sequence of key/value pairs. When get some time to play again I'll probably look into this. Entering this data through a website is pretty annoying! 😅

This restriction is meant to protect high definition content from being ripped by pirates. Open systems don't offer the same DRM guarantees as the locked ones.

Oh, yeah that would make sense. I think that would solve the whole security aspect :)

Yeah. LetsEncrypt usually verifies whether the client asking for a certificate owns the domain by sending a HTTP-based challenge. Gatekeeper could pass it by intercepting traffic on port 80. But any LAN device could also pass it by asking for port 80 to be temporarily forwarded. This means that LetsEncrypt TLS certificates are not worth much in LAN environment. Malicious IoT device could convince other LAN hosts that it owns the router IP be sending spoofed ARP announcements. Whenever any LAN device would try to visit Gatekeeper web UI, it would actually visit a fake web UI hosted by the malicious IoT device. The IoT device could then sniff the administrator password and perform privileged actions in the real web UI.

Thank you for the feedback! I have to admit I wasn't aware of how important port forwarding is. Stepping back I guess I'll need a better way of gauging how important specific features are to people. I'll have to think about this a little bit more...

Your question about security is something that I think about a lot. I don't think of LAN & internet as significantly different in terms of security. I also worry about potentially malicious LAN devices attempting to exploit local DNS, DHCP or web UI. I've profesionally worked on anti-malware and I've seen malware preloaded on new phones by factory workers & resellers, suspiciously exploitable flaws in stock firmware (which I guess was a backdoor with plausible deniability), fake monetization SDKs that are actually botnets (so application developers have been unknowingly attaching bots to their apps). There is also the problem of somebody gaining the physical access to your LAN network (for example by connecting a prepared device to an ethernet port for a couple of seconds). While those things may seem far fetched and commercial routers ignore them, I'd like to do something better here.

In terms of preventing C++ footguns, I'm relying on compilation arguments (-fstack-protector, -D_FORTIFY_SOURCE=2), safe abstractions (for example std::unique_ptr, std::span, std::array...), readability (single-threaded, avoiding advanced primitives or external libraries) & patience (I think that time pressure is the biggest source of bugs).

In terms of protocol level security, so far I've been able to secure the update path (so that MITM attackers can't inject malicious code). The web UI is a big problem for me because to do any privileged operations I'll have to authenticate the user first. Firstly I'm not exactly sure how to even do that. Password seems like the best option but I'm still trying to think of something better. There is this new WebAuthn thing which I'll have to look into. Second issue with web UI is that I need to protect the authentication channel. This means that local web UI will need TLS. And this in turn means that I'll have to somehow obtain a TLS cert somehow. Self-signed certs produce nasty security warnings. Obtaining one from LetsEncrypt seems easy - assuming the router has public IP (which may not always be the case). But even if I obtain a LetsEncrypt cert, any LAN device can do the same thing, so the whole TLS can still be MITM-ed. It would be really great if web browsers could "just establish encrypted channel" and not show any security warnings along the way...

So you’re not remapping the source ports to be unique? There’s no mechanism to avoid collisions when multiple clients use the same source port?

Regarding port collisions. In Gatekeeper there are both - a Symmetric NAT & Full Cone NAT. Both are used in tandem. I didn't mention the former before. Symmetric NAT takes precedence over Full Cone NAT when a connection has already been established (we observed the remote host and have a record of which LAN IP they're talking to). You're 100% correct that without Symmetric NAT there would be port collisions and computers in LAN would fight over ports. I actually started out with just the Full Cone NAT only (where collisions can happen) and used it on my network for a couple of weeks. It seemed to work in my home environment but I was a little worried about potential flakiness so I've implemented a backup mechanism eventually.

Full Cone NAT implies that you have to remember the mapping (potentially indefinitely—if you ever reassign a given external IP:port combination to a different internal IP or port after it’s been used you’re not implementing Full Cone NAT) (...)

Ah, I also recalled something like that! What you're saying about NAT assignments being permanent & requiring multiple IPs to avoid collisions. I think there was a course at my university or some Cisco course that taught that... I haven't been able to find any online sources that would confirm those definitions today but I also remember something along the lines of what you're describing. I have no idea what happened with those terms. Maybe the "permanent assignments" don't make much sense in wireless networks WiFi devices can appear and disappear at any time?

Edit: I found it - the proper term for this was "Static NAT" (as opposed to "Dynamic NAT" where the redirections expire).

(...) but not that the internal and external ports need to be identical.

Right. Port preservation is not a strictly necessary part of Full Cone NAT. It's a nice feature though. I guess the technical classification would be "Full Cone NAT with port preservation".

(If you do have sufficient external IPs the Linux kernel can do Full Cone NAT by translating only the IP addresses and not the ports, via SNAT/DNAT prefix mapping. The part it lacks, for very practical reasons, is support for attempting to create permanent unique mappings from a larger number of unconstrained internal IP:port combinations to a smaller number of external ones.)

This is very cool indeed. I didn't knew that. Thanks!