From a9cc428b32ce2e9a2dfdc58e39c276b51c038ace Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Mon, 10 Mar 2025 17:13:51 +1100
Subject: [PATCH] fix(connlib): clear NAT state when disabling DNS resource (#8398)
Proptests found this one. It can't happen in practice because we don't expose disabling arbitrary resources to the Client's UI, only the Internet Resource can be enabled / disabled.
---
 rust/connlib/tunnel/proptest-regressions/tests.txt | 1 +
 rust/connlib/tunnel/src/client.rs | 10 ++++++++++
 rust/connlib/tunnel/src/unique_packet_buffer.rs | 4 +++-
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/rust/connlib/tunnel/proptest-regressions/tests.txt b/rust/connlib/tunnel/proptest-regressions/tests.txt
index 2a4035025..cb2ed7104 100644
--- a/rust/connlib/tunnel/proptest-regressions/tests.txt
+++ b/rust/connlib/tunnel/proptest-regressions/tests.txt
@@ -162,3 +162,4 @@ cc 16a8e929be616a64b36204ff393a1cf376db5559d051627ef4eff1055f9604a5
 cc b5dc48d89cc4f0c61ed3b7c58338f8f9f06654a5948bad62869ea4bbecf270d8
 cc 4b8aab1f09422751b66d7e46a968bb29fb9b11c8fff9bceb67cd5c8ddeab0a3d
 cc c48e5d18ae2cc7533bbe1d0cd155a1ec7bcaf00e8d029b0345c241ec3371dcca
+cc f2de44e6762e9a681d624467fd19ac9fc00f000dfc1c2a3bda05c905b01674c2
diff --git a/rust/connlib/tunnel/src/client.rs b/rust/connlib/tunnel/src/client.rs
index 899ea9617..d34048228 100644
--- a/rust/connlib/tunnel/src/client.rs
+++ b/rust/connlib/tunnel/src/client.rs
@@ -1758,6 +1758,16 @@ impl ClientState {
 peer.allowed_ips.retain(|_, r| !r.is_empty());
 self.resources_gateways.remove(&id);
+
+ // Clear DNS resource NAT state for all domains resolved for this DNS resource.
+ for domain in self
+ .stub_resolver
+ .resolved_resources()
+ .filter_map(|(domain, candidate, _)| (candidate == &id).then_some(domain))
+ {
+ self.dns_resource_nat_by_gateway
+ .retain(|(_, candidate), _| candidate != domain);
+ }
 }
 fn update_dns_mapping(&mut self) {
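Review bot: The two closures in the added loop both bind a tuple field as `candidate`, but in `filter_map` it is compared with `&id` (a resource id) while in `retain` it is compared with `domain`, so one name stands for two different things a few lines apart. Naming each for what it holds makes this cleanup easier to audit: `.filter_map(|(domain, resource, _)| (resource == &id).then_some(domain))` and `.retain(|(_, nat_domain), _| nat_domain != domain);`. The loop also runs a full `retain` pass over `dns_resource_nat_by_gateway` once per matching domain, and it only reaches domains that `resolved_resources()` still reports for this id at the time of the call; whether that always holds is not visible here, so the comment above the loop should state it. The enclosing function starts above the hunk.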
diff --git a/rust/connlib/tunnel/src/unique_packet_buffer.rs b/rust/connlib/tunnel/src/unique_packet_buffer.rs
index 60f6d8b21..9119fd63d 100644
--- a/rust/connlib/tunnel/src/unique_packet_buffer.rs
+++ b/rust/connlib/tunnel/src/unique_packet_buffer.rs
@@ -29,7 +29,9 @@ impl UniquePacketBuffer {
 return;
 }
- tracing::debug!(num_buffered = %self.len(), packet = ?new, "Buffering packet");
+ let num_buffered = self.len() + 1;
+
+ tracing::debug!(%num_buffered, packet = ?new, "Buffering packet");
 self.buffer.push(new);
 }
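Review bot: `num_buffered` is computed as `self.len() + 1` ahead of `self.buffer.push(new)`, which equals the post-push count only if every push grows the buffer by exactly one. The type of `buffer` is not visible in this hunk; if it is bounded and evicts an old entry on push, the logged value would overshoot by one once the buffer is full, which matters when the debug log is used to judge how many packets are being held. A short comment would record the intent, for example `// +1 counts the packet pushed below; computed up front because the log line runs before the push.` The function body starts above the hunk.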