test(connlib): filter disabled resources before longest match (#6340)

In `connlib`, when a CIDR resource gets disabled, we remove it from the
`IpNetworkTable` that does the routing for the packets. This ensures
that when we check for the `longest_match` of a packet, disabled
resources are not considered.

In
https://github.com/firezone/firezone/actions/runs/10449400486/job/28931681264?pr=6339,
CI found a bug where the reference implementation in the tests diverged
from this behaviour because it implements this behaviour slightly
differently. To ensure we don't match against a disabled resource, we
match all resources, filter out the disabled ones and then pick the one
with the highest netmask, which should be the most specific one.
This commit is contained in:
Thomas Eizinger
2024-08-19 23:55:58 +01:00
committed by GitHub
parent da90c55c98
commit df01372f05
2 changed files with 6 additions and 2 deletions


@@ -84,3 +84,4 @@ cc 28c9fbe9572e61da2342347e3e5c159f3d4a62e90f3d85d6b7911fd015845656
cc ec2f348067458f6a7d3f2fbd1ab708a53fc27708440a3fcb6ed8557adc6db7d3
cc 2984b737f902f82c96ffec888a624afd7117078c125822b85de908c05f8e0b4c
cc 51ad9fe7ef585d42bd1a6369da810a5adb6d756e71aa393362e542f1560d0273
cc b926f32ea3b2a04753bddd37be4804fd38fe35646e08507e68565883bd9fe2ed


@@ -566,10 +566,13 @@ impl RefClient {
}
pub(crate) fn cidr_resource_by_ip(&self, ip: IpAddr) -> Option<ResourceId> {
// Manually implement `longest_match` because we need to filter disabled resources _before_ we match.
self.cidr_resources
.longest_match(ip)
.matches(ip)
.filter(|(_, r)| !self.disabled_resources.contains(&r.id))
.sorted_by(|(n1, _), (n2, _)| n1.netmask().cmp(&n2.netmask()).reverse()) // Highest netmask is most specific.
.next()
.map(|(_, r)| r.id)
.filter(|id| !self.disabled_resources.contains(id))
}
pub(crate) fn resolved_ip4_for_non_resources(
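Review bot: The `.sorted_by(...)` / `.next()` pair in `cidr_resource_by_ip` sorts every matching network only to take the first one, which std's `Iterator::max_by_key` does in a single pass without the itertools collect-and-sort: `.max_by_key(|(n, _)| n.netmask()) // Highest netmask is most specific.` replaces both lines and drops the `.reverse()`. Assuming `matches(ip)` yields one entry per distinct network, two different networks with the same prefix length cannot both contain `ip`, so there are no ties and `max_by_key` selects the same resource as the first element of the reverse-sorted list. Since this is the test reference implementation, the cost of the sort does not matter, but the simpler form reads as exactly the "most specific enabled match" contract the leading comment describes. The enclosing `impl RefClient` block starts outside the hunk.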