fix(connlib): only update the interface when setting dns if the effective dns changed

[conectado]

Supersedes #4320, closes #4318

Updates the interface if effective dns have changed.

Fixes a bug where we could set upstream_dns to have sentinel dns

Adds corresponding unit tests.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
firezone	⬜️ Ignored (Inspect)	Visit Preview		Mar 27, 2024 4:42pm

[github-actions]

Terraform Cloud Plan Output

Plan: 9 to add, 8 to change, 26 to destroy.

Terraform Cloud Plan

[github-actions]

Performance Test Results

TCP

Test Name	Received/s	Sent/s	Retransmits
direct-tcp-client2server	224.0 MiB (+0%)	226.2 MiB (+0%)	122 (-36%)
direct-tcp-server2client	224.3 MiB (-0%)	225.9 MiB (-0%)	310 (-4%)
relayed-tcp-client2server	148.6 MiB (+4%)	149.3 MiB (+4%)	167 (+25%)
relayed-tcp-server2client	153.3 MiB (-2%)	153.7 MiB (-2%)	164 (-32%)

UDP

Test Name	Total/s	Jitter	Lost
direct-udp-client2server	50.0 MiB (+0%)	0.04ms (-87%)	0.00% (NaN%)
direct-udp-server2client	50.0 MiB (-0%)	0.02ms (+160%)	0.00% (NaN%)
relayed-udp-client2server	50.0 MiB (-0%)	0.09ms (-12%)	0.00% (-100%)
relayed-udp-server2client	50.0 MiB (+0%)	0.06ms (+13%)	0.00% (NaN%)

[ReactorScram]

If the unit tests can prove that it does everything we need (Ignores sentinels, doesn't update if the upstream resolvers are set and stay the same, correctly updates when the upstream is enabled and disabled, etc.) then it's fine.

But for some reason I find it really hard to follow this part of the code, so I asked a lot of questions to make sure I'm understanding it.

[ReactorScram]

I don't know this code well so I'll just write what I think is happening, like I did for the macOS network PR

So this function has changed to always set the DNS, the logic is moving up from RoleState to whatever this struct is. (ClientTunnel?)

[conectado]

well, the function called just below this, which is still in role_state checks for changes.

[ReactorScram]

The change check moved over to this function, so far so good..

[ReactorScram]

These are the current new effective DNS servers

This function is called after the DNS servers are updated in role_state? So the role state is out of sync until its owner calls this?

And this is where the filtering happens, in effective_dns_servers, and that also means we won't spuriously update anything if the system DNS changes while an upstream DNS is set.

[conectado]

well, the system's resolvers are right before this in role_state but we haven't updated the dns mappings considering the newest one.

And this is where the filtering happens, in effective_dns_servers, and that also means we won't spuriously update anything if the system DNS changes while an upstream DNS is set.

yup!

[conectado]

@ReactorScram fixed a bug where the effective dns would contain sentinels if they were in the upstream and added the unit tests.

I think those should cover everything