From ead1f4010109336bf2d13b59b81fc72a89a7ef43 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Fri, 5 Sep 2025 07:12:46 +1000
Subject: [PATCH] chore(gateway): only log skipped NAT entry if IP differs (#10285)

When we resolve a DNS resource domain name on the Gateway, we establish the mapping between proxy IPs and resolved IPs in order to correctly NAT traffic. These domains are re-resolved every time the Client sees a DNS query for it. Thus, established connections could be interrupted if the IPs returned by consecutive DNS queries are different. Many SaaS products (GitHub for example) use DNS to load balance between different IPs. In order to not interrupt those connections, we check whether we have an open NAT session for an existing mapping every time we re-resolve DNS. This log is currently printed too often though because it doesn't take into account whether the IPs actually changed. If the IP is the same, we don't need to print this because the update is a no-op.
---
 rust/connlib/tunnel/src/peer.rs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/rust/connlib/tunnel/src/peer.rs b/rust/connlib/tunnel/src/peer.rs
index 216b98794..4fa5722e4 100644
--- a/rust/connlib/tunnel/src/peer.rs
+++ b/rust/connlib/tunnel/src/peer.rs
@@ -148,13 +148,16 @@ impl ClientOnGateway {
         let ip_maps = ipv4_maps.chain(ipv6_maps);
 
         for (proxy_ip, real_ip) in ip_maps {
-            tracing::debug!(%name, %proxy_ip, %real_ip);
-
-            if self.nat_table.has_entry_for_inside(*proxy_ip) {
-                tracing::debug!(%name, %proxy_ip, %real_ip, "Skipping DNS resource NAT entry because we have open NAT sessions for it");
+            if let Some(state) = self.permanent_translations.get(proxy_ip)
+                && self.nat_table.has_entry_for_inside(*proxy_ip)
+                && state.resolved_ip != real_ip
+            {
+                tracing::debug!(%name, %proxy_ip, new_real_ip = %real_ip, current_real_ip = %state.resolved_ip, "Skipping DNS resource NAT entry because we have open NAT sessions for it");
                 continue;
             }
 
+            tracing::debug!(%name, %proxy_ip, %real_ip);
+
             self.permanent_translations
                 .insert(*proxy_ip, TranslationState::new(resource_id, real_ip));
         }
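Review bot: Adding `&& state.resolved_ip != real_ip` to the skip condition changes more than the logging: with an open NAT session and an unchanged IP, the loop now falls through to `self.permanent_translations.insert(*proxy_ip, TranslationState::new(resource_id, real_ip))` and replaces the existing `TranslationState` with a fresh one, where the old code left the entry untouched, and the same now happens when a NAT session exists but `permanent_translations` has no entry for the proxy IP. The commit message calls that update a no-op, which holds only if `TranslationState` carries nothing beyond `resolved_ip`; its definition is outside this hunk, so presumably worth confirming, since any per-mapping state it keeps would be reset on every DNS query the Client sends. To change only the log while keeping the old skip semantics, test the NAT table first and make the IP comparison gate just the `tracing::debug!` call, as sketched below. The enclosing method of `ClientOnGateway` starts before and ends after this hunk.
```rust
            if self.nat_table.has_entry_for_inside(*proxy_ip) {
                // Skip as before; only log when the re-resolved address actually differs.
                if let Some(state) = self.permanent_translations.get(proxy_ip)
                    && state.resolved_ip != real_ip
                {
                    tracing::debug!(%name, %proxy_ip, new_real_ip = %real_ip, current_real_ip = %state.resolved_ip, "Skipping DNS resource NAT entry because we have open NAT sessions for it");
                }
                continue;
            }
            // … unchanged: debug log and permanent_translations insert …
```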