suhoan/EasyTier
1
0
Fork 0
mirror of https://mirror.suhoan.cn/https://github.com/EasyTier/EasyTier.git synced 2025-12-14 13:47:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

disable nat4 hole punch (#1277)

Browse Source
This commit is contained in:
Sijie.Sun
2025-08-22 23:33:21 +08:00
committed by GitHub
parent 08a92a53c3
commit 5b7384fddd
13 changed files with 62 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.lock generated
View File

@@ -9244,7 +9244,7 @@ checksum = "877c5b330756d856ffcc4553ab34a5684481ade925ecc54bcd1bf02b1d0d4d52"
dependencies = [ dependencies = [
"async-stream", "async-stream",
"async-trait", "async-trait",
"axum", "axum 0.7.7",
"base64 0.22.1", "base64 0.22.1",
"bytes", "bytes",
"h2", "h2",

1
easytier-web/frontend-lib/src/components/Config.vue
View File

@@ -165,6 +165,7 @@ const bool_flags: BoolFlag[] = [
{ field: 'proxy_forward_by_system', help: 'proxy_forward_by_system_help' }, { field: 'proxy_forward_by_system', help: 'proxy_forward_by_system_help' },
{ field: 'disable_encryption', help: 'disable_encryption_help' }, { field: 'disable_encryption', help: 'disable_encryption_help' },
{ field: 'disable_udp_hole_punching', help: 'disable_udp_hole_punching_help' }, { field: 'disable_udp_hole_punching', help: 'disable_udp_hole_punching_help' },
{ field: 'disable_sym_hole_punching', help: 'disable_sym_hole_punching_help' },
{ field: 'enable_magic_dns', help: 'enable_magic_dns_help' }, { field: 'enable_magic_dns', help: 'enable_magic_dns_help' },
{ field: 'enable_private_mode', help: 'enable_private_mode_help' }, { field: 'enable_private_mode', help: 'enable_private_mode_help' },
] ]

3
easytier-web/frontend-lib/src/locales/cn.yaml
View File

@@ -127,6 +127,9 @@ disable_encryption_help: 禁用对等节点通信的加密默认为false
disable_udp_hole_punching: 禁用UDP打洞 disable_udp_hole_punching: 禁用UDP打洞
disable_udp_hole_punching_help: 禁用UDP打洞功能 disable_udp_hole_punching_help: 禁用UDP打洞功能
disable_sym_hole_punching: 禁用对称NAT打洞
disable_sym_hole_punching_help: 禁用对称NAT的打洞生日攻击将对称NAT视为锥形NAT处理
enable_magic_dns: 启用魔法DNS enable_magic_dns: 启用魔法DNS
enable_magic_dns_help: | enable_magic_dns_help: |
启用魔法DNS允许通过EasyTier的DNS服务器访问其他节点的虚拟IPv4地址 如 node1.et.net。 启用魔法DNS允许通过EasyTier的DNS服务器访问其他节点的虚拟IPv4地址 如 node1.et.net。

3
easytier-web/frontend-lib/src/locales/en.yaml
View File

@@ -126,6 +126,9 @@ disable_encryption_help: Disable encryption for peers communication, default is
disable_udp_hole_punching: Disable UDP Hole Punching disable_udp_hole_punching: Disable UDP Hole Punching
disable_udp_hole_punching_help: Disable udp hole punching disable_udp_hole_punching_help: Disable udp hole punching
disable_sym_hole_punching: Disable Symmetric NAT Hole Punching
disable_sym_hole_punching_help: Disable special hole punching handling for symmetric NAT (based on birthday attack), treat symmetric NAT as cone NAT
enable_magic_dns: Enable Magic DNS enable_magic_dns: Enable Magic DNS
enable_magic_dns_help: | enable_magic_dns_help: |
Enable magic dns, all nodes in the network can access each other by domain name, e.g.: node1.et.net. Enable magic dns, all nodes in the network can access each other by domain name, e.g.: node1.et.net.

2
easytier-web/frontend-lib/src/types/network.ts
View File

@@ -51,6 +51,7 @@ export interface NetworkConfig {
proxy_forward_by_system?: boolean proxy_forward_by_system?: boolean
disable_encryption?: boolean disable_encryption?: boolean
disable_udp_hole_punching?: boolean disable_udp_hole_punching?: boolean
disable_sym_hole_punching?: boolean
enable_relay_network_whitelist?: boolean enable_relay_network_whitelist?: boolean
relay_network_whitelist: string[] relay_network_whitelist: string[]
@@ -122,6 +123,7 @@ export function DEFAULT_NETWORK_CONFIG(): NetworkConfig {
proxy_forward_by_system: false, proxy_forward_by_system: false,
disable_encryption: false, disable_encryption: false,
disable_udp_hole_punching: false, disable_udp_hole_punching: false,
disable_sym_hole_punching: false,
enable_relay_network_whitelist: false, enable_relay_network_whitelist: false,
relay_network_whitelist: [], relay_network_whitelist: [],
enable_manual_routes: false, enable_manual_routes: false,

3
easytier/locales/app.yml
View File

@@ -151,6 +151,9 @@ core_clap:
disable_udp_hole_punching: disable_udp_hole_punching:
en: "disable udp hole punching" en: "disable udp hole punching"
zh-CN: "禁用UDP打洞功能" zh-CN: "禁用UDP打洞功能"
disable_sym_hole_punching:
en: "if true, disable udp nat hole punching for symmetric nat (NAT4), which is based on birthday attack and may be blocked by ISP."
zh-CN: "如果为true则禁用基于生日攻击的对称NAT (NAT4) UDP 打洞功能,该打洞方式可能会被运营商封锁"
relay_all_peer_rpc: relay_all_peer_rpc:
en: "relay all peer rpc packets, even if the peer is not in the relay network whitelist. this can help peers not in relay network whitelist to establish p2p connection." en: "relay all peer rpc packets, even if the peer is not in the relay network whitelist. this can help peers not in relay network whitelist to establish p2p connection."
zh-CN: "转发所有对等节点的RPC数据包即使对等节点不在转发网络白名单中。这可以帮助白名单外网络中的对等节点建立P2P连接。" zh-CN: "转发所有对等节点的RPC数据包即使对等节点不在转发网络白名单中。这可以帮助白名单外网络中的对等节点建立P2P连接。"

1
easytier/src/common/config.rs
View File

@@ -49,6 +49,7 @@ pub fn gen_default_flags() -> Flags {
foreign_relay_bps_limit: u64::MAX, foreign_relay_bps_limit: u64::MAX,
multi_thread_count: 2, multi_thread_count: 2,
encryption_algorithm: "aes-gcm".to_string(), encryption_algorithm: "aes-gcm".to_string(),
disable_sym_hole_punching: false,
} }
} }

22
easytier/src/connector/udp_hole_punch/common.rs
View File

@@ -111,7 +111,24 @@ impl UdpNatType {
} }
} }
pub(crate) fn get_punch_hole_method(&self, other: Self) -> UdpPunchClientMethod { pub(crate) fn get_punch_hole_method(
&self,
other: Self,
global_ctx: ArcGlobalCtx,
) -> UdpPunchClientMethod {
// Check if symmetric NAT hole punching is disabled
let disable_sym_hole_punching = global_ctx.get_flags().disable_sym_hole_punching;
// If symmetric NAT hole punching is disabled, treat symmetric as cone
if disable_sym_hole_punching && self.is_sym() {
// Convert symmetric to cone type for hole punching logic
if other.is_sym() {
return UdpPunchClientMethod::None;
} else {
return UdpPunchClientMethod::ConeToCone;
}
}
if other.is_unknown() { if other.is_unknown() {
if self.is_sym() { if self.is_sym() {
return UdpPunchClientMethod::SymToCone; return UdpPunchClientMethod::SymToCone;
@@ -163,8 +180,9 @@ impl UdpNatType {
other: Self, other: Self,
my_peer_id: PeerId, my_peer_id: PeerId,
dst_peer_id: PeerId, dst_peer_id: PeerId,
global_ctx: ArcGlobalCtx,
) -> bool { ) -> bool {
match self.get_punch_hole_method(other) { match self.get_punch_hole_method(other, global_ctx) {
UdpPunchClientMethod::None => false, UdpPunchClientMethod::None => false,
UdpPunchClientMethod::ConeToCone | UdpPunchClientMethod::SymToCone => true, UdpPunchClientMethod::ConeToCone | UdpPunchClientMethod::SymToCone => true,
UdpPunchClientMethod::EasySymToEasySym => my_peer_id < dst_peer_id, UdpPunchClientMethod::EasySymToEasySym => my_peer_id < dst_peer_id,

9
easytier/src/connector/udp_hole_punch/mod.rs
View File

@@ -466,7 +466,9 @@ impl PeerTaskLauncher for UdpHolePunchPeerTaskLauncher {
continue; continue;
} }
if !my_nat_type.can_punch_hole_as_client(peer_nat_type, my_peer_id, peer_id) { let global_ctx = data.peer_mgr.get_global_ctx();
if !my_nat_type.can_punch_hole_as_client(peer_nat_type, my_peer_id, peer_id, global_ctx)
{
continue; continue;
} }
@@ -493,7 +495,10 @@ impl PeerTaskLauncher for UdpHolePunchPeerTaskLauncher {
item: Self::CollectPeerItem, item: Self::CollectPeerItem,
) -> JoinHandle<Result<Self::TaskRet, Error>> { ) -> JoinHandle<Result<Self::TaskRet, Error>> {
let data = data.clone(); let data = data.clone();
let punch_method = item.my_nat_type.get_punch_hole_method(item.dst_nat_type); let global_ctx = data.peer_mgr.get_global_ctx();
let punch_method = item
.my_nat_type
.get_punch_hole_method(item.dst_nat_type, global_ctx);
match punch_method { match punch_method {
UdpPunchClientMethod::ConeToCone => tokio::spawn(data.cone_to_cone(item)), UdpPunchClientMethod::ConeToCone => tokio::spawn(data.cone_to_cone(item)),
UdpPunchClientMethod::SymToCone => tokio::spawn(data.sym_to_cone(item)), UdpPunchClientMethod::SymToCone => tokio::spawn(data.sym_to_cone(item)),

11
easytier/src/easytier-core.rs
View File

@@ -288,7 +288,6 @@ struct NetworkOptions {
long, long,
env = "ET_ENCRYPTION_ALGORITHM", env = "ET_ENCRYPTION_ALGORITHM",
help = t!("core_clap.encryption_algorithm").to_string(), help = t!("core_clap.encryption_algorithm").to_string(),
default_value = "aes-gcm",
value_parser = get_avaliable_encrypt_methods() value_parser = get_avaliable_encrypt_methods()
)] )]
encryption_algorithm: Option<String>, encryption_algorithm: Option<String>,
@@ -425,6 +424,15 @@ struct NetworkOptions {
)] )]
disable_udp_hole_punching: Option<bool>, disable_udp_hole_punching: Option<bool>,
#[arg(
long,
env = "ET_DISABLE_SYM_HOLE_PUNCHING",
help = t!("core_clap.disable_sym_hole_punching").to_string(),
num_args = 0..=1,
default_missing_value = "true"
)]
disable_sym_hole_punching: Option<bool>,
#[arg( #[arg(
long, long,
env = "ET_RELAY_ALL_PEER_RPC", env = "ET_RELAY_ALL_PEER_RPC",
@@ -919,6 +927,7 @@ impl NetworkOptions {
f.enable_relay_foreign_network_kcp = self f.enable_relay_foreign_network_kcp = self
.enable_relay_foreign_network_kcp .enable_relay_foreign_network_kcp
.unwrap_or(f.enable_relay_foreign_network_kcp); .unwrap_or(f.enable_relay_foreign_network_kcp);
f.disable_sym_hole_punching = self.disable_sym_hole_punching.unwrap_or(false);
cfg.set_flags(f); cfg.set_flags(f);
if !self.exit_nodes.is_empty() { if !self.exit_nodes.is_empty() {

4
easytier/src/launcher.rs
View File

@@ -771,6 +771,10 @@ impl NetworkConfig {
flags.disable_udp_hole_punching = disable_udp_hole_punching; flags.disable_udp_hole_punching = disable_udp_hole_punching;
} }
if let Some(disable_sym_hole_punching) = self.disable_sym_hole_punching {
flags.disable_sym_hole_punching = disable_sym_hole_punching;
}
if let Some(enable_magic_dns) = self.enable_magic_dns { if let Some(enable_magic_dns) = self.enable_magic_dns {
flags.accept_dns = enable_magic_dns; flags.accept_dns = enable_magic_dns;
} }

3
easytier/src/proto/common.proto
View File

@@ -52,6 +52,9 @@ message FlagsInConfig {
// encryption algorithm to use, empty string means default (aes-gcm) // encryption algorithm to use, empty string means default (aes-gcm)
string encryption_algorithm = 29; string encryption_algorithm = 29;
// disable symmetric nat hole punching, treat symmetric as cone when enabled
bool disable_sym_hole_punching = 30;
} }
message RpcDescriptor { message RpcDescriptor {

2
easytier/src/proto/web.proto
View File

@@ -73,6 +73,8 @@ message NetworkConfig {
optional bool enable_quic_proxy = 45; optional bool enable_quic_proxy = 45;
optional bool disable_quic_input = 46; optional bool disable_quic_input = 46;
repeated PortForwardConfig port_forwards = 48; repeated PortForwardConfig port_forwards = 48;
optional bool disable_sym_hole_punching = 49;
} }
message PortForwardConfig { message PortForwardConfig {