From f9721a1da68fc79df91d537c1a704e2e74f045fa Mon Sep 17 00:00:00 2001
From: Thomas Eizinger <thomas@eizinger.io>
Date: Thu, 24 Jul 2025 22:37:47 +1000
Subject: [PATCH] fix(snownet): only idle when we are fully connected (#9987)

Now that we are capable of migrating a connection to another relay with
#9979, our test suite exposed an edge-case: If we are in the middle of
migrating a connection, it could be that the idle timer triggers because
we have not seen any application traffic in the last 20s.

Moving to idle mode drastically reduces the number of STUN bindings we
send and if this happens whilst we are still checking candidates, the
nomination doesn't happen in time for our boringtun handshake to
succeed.

Thus, we add a condition to our idle timer to not trigger unless ICE has
completed and reports us as `connected`.
---
 rust/connlib/snownet/src/node.rs                   | 12 ++++++++++--
 rust/connlib/tunnel/proptest-regressions/tests.txt |  1 +
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/rust/connlib/snownet/src/node.rs b/rust/connlib/snownet/src/node.rs
index e21a2c545..d46affc49 100644
--- a/rust/connlib/snownet/src/node.rs
+++ b/rust/connlib/snownet/src/node.rs
@@ -1660,7 +1660,11 @@ enum ConnectionState {
 }
 
 impl ConnectionState {
-    fn poll_timeout(&self) -> Option<(Instant, &'static str)> {
+    fn poll_timeout(&self, agent: &IceAgent) -> Option<(Instant, &'static str)> {
+        if agent.state() != IceConnectionState::Connected {
+            return None;
+        }
+
         match self {
             ConnectionState::Connected {
                 last_incoming,
@@ -1690,6 +1694,10 @@ impl ConnectionState {
             return;
         }
 
+        if agent.state() != IceConnectionState::Connected {
+            return;
+        }
+
         let peer_socket = *peer_socket;
 
         self.transition_to_idle(cid, peer_socket, agent);
@@ -1886,7 +1894,7 @@ where
                 self.disconnect_timeout()
                     .map(|instant| (instant, "disconnect timeout")),
             )
-            .chain(self.state.poll_timeout())
+            .chain(self.state.poll_timeout(&self.agent))
             .min_by_key(|(instant, _)| *instant)
     }
 
diff --git a/rust/connlib/tunnel/proptest-regressions/tests.txt b/rust/connlib/tunnel/proptest-regressions/tests.txt
index 45559acf1..1f49096b7 100644
--- a/rust/connlib/tunnel/proptest-regressions/tests.txt
+++ b/rust/connlib/tunnel/proptest-regressions/tests.txt
@@ -188,3 +188,4 @@ cc d10aa7e820d45043912bf5bf48405d5487a3d9e4a1476d21e4189f964ba8e968
 cc a18f8702ecec7ce39aea445251697b7884cd2d38734a07d1e5400bb45f90f03b
 cc 4a61f62e36ecaa6fdb937a7ba599c6f6a83c364db009b4ba5912bbab1f75f8ff
 cc 1e1bbfd953f0662e602c94082c63ba50bec19aab95711a9de262ab3e4b146ef1
+cc 000ae850850a75c30a36de2216c8f7ddec2c281f8beaf4f2797822b59895ecd1