disable nat4 hole punch (#1277)

easytier/src/common/config.rs

@@ -49,6 +49,7 @@ pub fn gen_default_flags() -> Flags {
         foreign_relay_bps_limit: u64::MAX,
         multi_thread_count: 2,
         encryption_algorithm: "aes-gcm".to_string(),
+        disable_sym_hole_punching: false,
     }
 }
 

easytier/src/connector/udp_hole_punch/common.rs

@@ -111,7 +111,24 @@ impl UdpNatType {
         }
     }
 
-    pub(crate) fn get_punch_hole_method(&self, other: Self) -> UdpPunchClientMethod {
+    pub(crate) fn get_punch_hole_method(
+        &self,
+        other: Self,
+        global_ctx: ArcGlobalCtx,
+    ) -> UdpPunchClientMethod {
+        // Check if symmetric NAT hole punching is disabled
+        let disable_sym_hole_punching = global_ctx.get_flags().disable_sym_hole_punching;
+
+        // If symmetric NAT hole punching is disabled, treat symmetric as cone
+        if disable_sym_hole_punching && self.is_sym() {
+            // Convert symmetric to cone type for hole punching logic
+            if other.is_sym() {
+                return UdpPunchClientMethod::None;
+            } else {
+                return UdpPunchClientMethod::ConeToCone;
+            }
+        }
+
         if other.is_unknown() {
             if self.is_sym() {
                 return UdpPunchClientMethod::SymToCone;
@@ -163,8 +180,9 @@ impl UdpNatType {
         other: Self,
         my_peer_id: PeerId,
         dst_peer_id: PeerId,
+        global_ctx: ArcGlobalCtx,
     ) -> bool {
-        match self.get_punch_hole_method(other) {
+        match self.get_punch_hole_method(other, global_ctx) {
             UdpPunchClientMethod::None => false,
             UdpPunchClientMethod::ConeToCone | UdpPunchClientMethod::SymToCone => true,
             UdpPunchClientMethod::EasySymToEasySym => my_peer_id < dst_peer_id,

easytier/src/connector/udp_hole_punch/mod.rs

@@ -466,7 +466,9 @@ impl PeerTaskLauncher for UdpHolePunchPeerTaskLauncher {
                 continue;
             }
 
-            if !my_nat_type.can_punch_hole_as_client(peer_nat_type, my_peer_id, peer_id) {
+            let global_ctx = data.peer_mgr.get_global_ctx();
+            if !my_nat_type.can_punch_hole_as_client(peer_nat_type, my_peer_id, peer_id, global_ctx)
+            {
                 continue;
             }
 
@@ -493,7 +495,10 @@ impl PeerTaskLauncher for UdpHolePunchPeerTaskLauncher {
         item: Self::CollectPeerItem,
     ) -> JoinHandle<Result<Self::TaskRet, Error>> {
         let data = data.clone();
-        let punch_method = item.my_nat_type.get_punch_hole_method(item.dst_nat_type);
+        let global_ctx = data.peer_mgr.get_global_ctx();
+        let punch_method = item
+            .my_nat_type
+            .get_punch_hole_method(item.dst_nat_type, global_ctx);
         match punch_method {
             UdpPunchClientMethod::ConeToCone => tokio::spawn(data.cone_to_cone(item)),
             UdpPunchClientMethod::SymToCone => tokio::spawn(data.sym_to_cone(item)),

easytier/src/easytier-core.rs

@@ -288,7 +288,6 @@ struct NetworkOptions {
         long,
         env = "ET_ENCRYPTION_ALGORITHM",
         help = t!("core_clap.encryption_algorithm").to_string(),
-        default_value = "aes-gcm",
         value_parser = get_avaliable_encrypt_methods()
     )]
     encryption_algorithm: Option<String>,
@@ -425,6 +424,15 @@ struct NetworkOptions {
     )]
     disable_udp_hole_punching: Option<bool>,
 
+    #[arg(
+        long,
+        env = "ET_DISABLE_SYM_HOLE_PUNCHING",
+        help = t!("core_clap.disable_sym_hole_punching").to_string(),
+        num_args = 0..=1,
+        default_missing_value = "true"
+    )]
+    disable_sym_hole_punching: Option<bool>,
+
     #[arg(
         long,
         env = "ET_RELAY_ALL_PEER_RPC",
@@ -919,6 +927,7 @@ impl NetworkOptions {
         f.enable_relay_foreign_network_kcp = self
             .enable_relay_foreign_network_kcp
             .unwrap_or(f.enable_relay_foreign_network_kcp);
+        f.disable_sym_hole_punching = self.disable_sym_hole_punching.unwrap_or(false);
         cfg.set_flags(f);
 
         if !self.exit_nodes.is_empty() {

easytier/src/launcher.rs

@@ -771,6 +771,10 @@ impl NetworkConfig {
             flags.disable_udp_hole_punching = disable_udp_hole_punching;
         }
 
+        if let Some(disable_sym_hole_punching) = self.disable_sym_hole_punching {
+            flags.disable_sym_hole_punching = disable_sym_hole_punching;
+        }
+
         if let Some(enable_magic_dns) = self.enable_magic_dns {
             flags.accept_dns = enable_magic_dns;
         }

easytier/src/proto/common.proto

@@ -52,6 +52,9 @@ message FlagsInConfig {
   
     // encryption algorithm to use, empty string means default (aes-gcm)
   string encryption_algorithm = 29;
+  
+  // disable symmetric nat hole punching, treat symmetric as cone when enabled
+  bool disable_sym_hole_punching = 30;
 }
 
 message RpcDescriptor {

easytier/src/proto/web.proto

@@ -73,6 +73,8 @@ message NetworkConfig {
     optional bool enable_quic_proxy = 45;
     optional bool disable_quic_input = 46;
     repeated PortForwardConfig port_forwards = 48;
+
+    optional bool disable_sym_hole_punching = 49;
 }
 
 message PortForwardConfig {