fix(connlib): clear NAT state when disabling DNS resource (#8398)

Proptests found this one. It can't happen in practice because we don't expose disabling arbitrary resources to the Client's UI, only the Internet Resource can be enabled / disabled.
2026-01-27 18:18:55 +00:00 · 2025-03-10 17:13:51 +11:00
parent c51488bda4
commit a9cc428b32
3 changed files with 14 additions and 1 deletions
--- a/rust/connlib/tunnel/proptest-regressions/tests.txt
+++ b/rust/connlib/tunnel/proptest-regressions/tests.txt
@@ -162,3 +162,4 @@ cc 16a8e929be616a64b36204ff393a1cf376db5559d051627ef4eff1055f9604a5
 cc b5dc48d89cc4f0c61ed3b7c58338f8f9f06654a5948bad62869ea4bbecf270d8
 cc 4b8aab1f09422751b66d7e46a968bb29fb9b11c8fff9bceb67cd5c8ddeab0a3d
 cc c48e5d18ae2cc7533bbe1d0cd155a1ec7bcaf00e8d029b0345c241ec3371dcca
+cc f2de44e6762e9a681d624467fd19ac9fc00f000dfc1c2a3bda05c905b01674c2
--- a/rust/connlib/tunnel/src/client.rs
+++ b/rust/connlib/tunnel/src/client.rs
@@ -1758,6 +1758,16 @@ impl ClientState {
        peer.allowed_ips.retain(|_, r| !r.is_empty());

        self.resources_gateways.remove(&id);
+
+        // Clear DNS resource NAT state for all domains resolved for this DNS resource.
+        for domain in self
+            .stub_resolver
+            .resolved_resources()
+            .filter_map(|(domain, candidate, _)| (candidate == &id).then_some(domain))
+        {
+            self.dns_resource_nat_by_gateway
+                .retain(|(_, candidate), _| candidate != domain);
+        }
    }

    fn update_dns_mapping(&mut self) {
--- a/rust/connlib/tunnel/src/unique_packet_buffer.rs
+++ b/rust/connlib/tunnel/src/unique_packet_buffer.rs
@@ -29,7 +29,9 @@ impl UniquePacketBuffer {
            return;
        }

-        tracing::debug!(num_buffered = %self.len(), packet = ?new, "Buffering packet");
+        let num_buffered = self.len() + 1;
+
+        tracing::debug!(%num_buffered, packet = ?new, "Buffering packet");

        self.buffer.push(new);
    }