Switch to EnableNAT to make it much more explicit, default is now disabled

oskarszoon · oskarszoon · commit 1335ba553114 · 2025-11-18T15:24:38.000+01:00
diff --git a/client.go b/client.go
@@ -258,14 +258,17 @@ func createHost(_ context.Context, hostOpts []libp2p.Option, config Config, rela
 		),
 	)
 
-	// Only enable NAT traversal features if not disabled
-	// NAT features can cause data races in tests due to libp2p's NAT manager using non-thread-safe global state
-	if !config.DisableNAT {
+	// Enable NAT features only if explicitly enabled
+	// UPnP/NAT-PMP scans the local gateway which triggers network scanning alerts
+	if config.EnableNAT {
 		hostOpts = append(hostOpts,
 			libp2p.NATPortMap(),
 			libp2p.EnableNATService(),
 			libp2p.EnableHolePunching(),
 		)
+		log.Infof("UPnP/NAT-PMP enabled (will scan local gateway for port mapping)")
+	} else {
+		log.Infof("UPnP/NAT-PMP disabled (production safe default)")
 	}
 
 	hostOpts = append(hostOpts,
diff --git a/config.go b/config.go
@@ -98,11 +98,13 @@ type Config struct {
 	// The cleanup frequency trades off between memory usage (stale records) and CPU usage.
 	DHTCleanupInterval time.Duration
 
-	// DisableNAT disables NAT traversal features (UPnP/NAT-PMP port mapping, NAT service, hole punching).
-	// Set to true in test environments where NAT traversal is not needed and can cause data races
-	// due to libp2p's NAT manager using non-thread-safe global state.
-	// Default: false (NAT features enabled)
-	DisableNAT bool
+	// EnableNAT enables UPnP/NAT-PMP automatic port mapping features.
+	// When true, the node will scan the local gateway (e.g., 10.0.0.1) to configure port forwarding.
+	// IMPORTANT: This triggers network scanning alerts on shared hosting (Hetzner, AWS, etc.).
+	// Only enable for local development behind a home router/NAT.
+	// Default: false (NAT features disabled for production safety)
+	// Note: Hole punching (relay-based NAT traversal) remains enabled and doesn't scan local network.
+	EnableNAT bool
 
 	// EnableMDNS enables multicast DNS peer discovery on the local network.
 	// When true, the node broadcasts mDNS queries to discover peers on the same LAN.

Original file line number	Diff line number	Diff line change
`@@ -258,14 +258,17 @@ func createHost(_ context.Context, hostOpts []libp2p.Option, config Config, rela`
`258`	`258`	`),`
`259`	`259`	`)`
`260`	`260`
`261`		`- // Only enable NAT traversal features if not disabled`
`262`		`- // NAT features can cause data races in tests due to libp2p's NAT manager using non-thread-safe global state`
`263`		`- if !config.DisableNAT {`
	`261`	`+ // Enable NAT features only if explicitly enabled`
	`262`	`+ // UPnP/NAT-PMP scans the local gateway which triggers network scanning alerts`
	`263`	`+ if config.EnableNAT {`
`264`	`264`	`hostOpts = append(hostOpts,`
`265`	`265`	`libp2p.NATPortMap(),`
`266`	`266`	`libp2p.EnableNATService(),`
`267`	`267`	`libp2p.EnableHolePunching(),`
`268`	`268`	`)`
	`269`	`+ log.Infof("UPnP/NAT-PMP enabled (will scan local gateway for port mapping)")`
	`270`	`+ } else {`
	`271`	`+ log.Infof("UPnP/NAT-PMP disabled (production safe default)")`
`269`	`272`	`}`
`270`	`273`
`271`	`274`	`hostOpts = append(hostOpts,`