Feature gap: time-based policy schedulers (Junos schedulers { ... }) not propagated to userspace-dp

[psaab]

Gap

Junos schedulers define time-of-day / weekday windows; policies reference them via then scheduler-name foo. The eBPF dataplane has a daemon goroutine that evaluates scheduler windows and toggles each policy rule's Active byte in the BPF policy_rules map. The userspace dataplane has no scheduler plumbing whatsoever — the snapshot DTO doesn't carry SchedulerName, the Rust PolicyRule has no active field, and the daemon's UpdatePolicyScheduleState only writes to BPF maps. Scheduled policies will not activate/deactivate when running on the userspace dataplane.

eBPF implementation (source of truth)

• pkg/dataplane/dataplane.go:134 — UpdatePolicyScheduleState(cfg, activeState) interface method
• pkg/dataplane/maps.go:1495-1537 — implementation: iterates cfg.Security.Policies, looks up each rule by policySetID*MaxRulesPerPolicy+i, toggles rule.Active, writes back to BPF map
• pkg/daemon/daemon_run.go:589 — d.dp.UpdatePolicyScheduleState(activeCfg, activeState) ticks per scheduler window change
• pkg/config/compiler.go:471 — config validation: policy %q: scheduler %q not defined
• bpf/xdp/xdp_policy.c reads the Active byte; inactive rules are skipped

Userspace-dp gap

• pkg/dataplane/userspace/protocol.go:351-360 PolicyRuleSnapshot has no SchedulerName and no Active field
• userspace-dp/src/policy.rs:47-83 PolicyRule has no active: bool or scheduler reference; evaluate_policy does not gate on time-of-day
• The userspace Manager embeds the eBPF DataPlane so UpdatePolicyScheduleState calls land in pkg/dataplane/maps.go:1497 and silently no-op (policy_rules BPF map is loaded but not actually consulted by the userspace XDP shim)

Recommended fix

1. Add SchedulerName string to PolicyRuleSnapshot (Go) and matching Rust field
2. Add Active: bool (or Inactive: bool to keep zero-valued default behavior) to the snapshot; emit current active state on every commit + on scheduler tick
3. In userspace-dp/src/policy.rs::evaluate_policy, skip rules with active == false
4. Daemon-side: re-publish a snapshot delta when scheduler windows change, OR add a fast-path update_policy_active(rule_idx, active) control socket call
5. Add capability check: bare-minimum verification that scheduler-referenced policies are admitted under userspace mode

Blocker for #1373

This must land before Phase 4 (BPF source removal) of #1373. The userspace path silently ignores scheduler state today; once eBPF is removed there's no fallback to mask the loss of scheduled access control.

---

Refined contract (added 2026-05-17 after triple-review of #1384)

See docs/pr/1373-retire-ebpf-dataplane/plan-1378-policy-schedulers.md for the full implementation contract refined through 4 rounds of Claude+Codex+Gemini Pro 3 review. New since the original issue body:

• Risks called out: time-source drift (monotonic clock for window evaluation, NTP rollback must not flap policies), apply-cycle race (scheduler window transition during config apply must produce either fully-old or fully-new policy decisions, not split), userspace/Go propagation latency (window changes must propagate within one snapshot cycle or operators see stale matches).

[psaab]

Implementation contract

Priority: silent correctness regression in production today. Time-based access control (Junos `schedulers { ... }`) referenced by policies does NOT activate or deactivate on the userspace cluster. Scheduled deny rules stay permanently active; scheduled permit rules stay permanently inactive.

Acceptance criteria

1. `PolicyRuleSnapshot` in `pkg/dataplane/userspace/protocol.go` gains `SchedulerName string` and `Inactive bool` fields.
2. Matching Rust fields in `userspace-dp/src/policy.rs::PolicyRule`.
3. `userspace-dp/src/policy.rs::evaluate_policy` skips rules where `inactive == true` and falls through to next rule.
4. `pkg/daemon/daemon_run.go::UpdatePolicyScheduleState` (currently writes to BPF map) gains a userspace branch: re-publish a snapshot delta with updated `Inactive` flags on scheduler tick, OR add a fast-path `update_policy_active(rule_idx, active)` control socket call.
5. Capability gate at `pkg/dataplane/userspace/snapshot.go` no longer rejects (or no longer silently degrades) configs that reference schedulers.
6. Active-state changes observable within ≤1 scheduler-tick window (default 30s) of the configured time boundary.

Test plan

• Cargo: `userspace-dp/src/policy.rs::evaluate_policy_skips_inactive_rules` — construct policy with rule[0].inactive=true, rule[1].inactive=false; assert evaluate returns rule[1].
• Go: `pkg/daemon/daemon_run_test.go` adds case for `UpdatePolicyScheduleState` on userspace mode → re-publishes snapshot with updated inactive bits.
• Go: `pkg/dataplane/userspace/snapshot_test.go` verifies `SchedulerName` + `Inactive` round-trip.
• Integration: configure scheduler with 30-second active window + policy referencing it + iperf to a denied dst; verify traffic passes during active window, blocked outside.

Dependencies

#1381 must land first — `UpdatePolicyScheduleState` is currently a method on the embedded `DataPlane` interface; the userspace branch needs the split or stub from #1381 to dispatch correctly.

Size estimate

M (2-4 days). Protocol field + Rust evaluate gate + daemon dispatch + 3 tests + integration.

[psaab]

Plan-review round 1 — PLAN-NEEDS-MAJOR

Reviewer	Verdict
Codex	PLAN-NEEDS-MAJOR (10 concrete gaps + indexing bug in existing eBPF)
Gemini Pro 3	PLAN-KILL (3 valid concerns; KILL framing overreaches — see below)

Convergent findings

1. Scheduler granularity is 60s (pkg/scheduler/scheduler.go:35), not 1s. Callback fires only on state change. Full userspace snapshot is JSON over control socket plus build_forwarding_state(). At 60s, snapshot republish is acceptable. Gemini's "high-churn CPU spike" concern doesn't apply at this granularity.
2. Junos semantics: inactive scheduled policy blocks new lookups; existing sessions only flush with policy-rematch. Userspace policy is evaluated on miss/new-flow only (poll_descriptor.rs:997); flow-cache hits bypass. "Block new, preserve existing" is correct AND matches Junos default — Gemini's "infinite forwarding" KILL claim is contradicted by Junos docs.
3. Hit counter survival — both reviewers caught this. Currently policy_counters is preserved across BPF Active flips. Userspace PolicyRule.hit_count lives inside rebuilt PolicyState and resets on full snapshot rebuild (policy.rs:62). Real correctness gap; needs stable rule-id keyed counter storage outside rebuilt rules.
4. Multi-scheduler-per-rule is invalid per Junos docs. Junos allows multiple policies per scheduler but NOT multiple schedulers per policy. Current xpf config has single SchedulerName (types.go:1189). Plan v2 keeps single-scheduler.
5. 30s test in contract is invalid against 60s evaluator. Use deterministic isWithinWindow(now, sched) unit tests + clock injection. Integration windows span multiple 60s ticks.
6. Atomic transaction semantics required. Same-instant activate/deactivate for different rules must be one ArcSwap publish, not individual update_policy_active fast-path calls. First-match policy ordering demands batch atomicity.
7. Missing scheduler must fail closed, not warn-and-default-active (pkg/config/compiler.go:465 only warns today; pkg/dataplane/maps.go:1511 defaults missing to active). Commit-error or capability-unsupported.
8. Existing indexing bug in UpdatePolicyScheduleState — increments policySetID inside the per-policy loop for unscheduled policies (maps.go:1503), can target wrong rule index. Userspace design needs stable rule identity. Do NOT copy this indexing.

Gemini's KILL — overreach on 2 of 3

• "Existing sessions stay forever" — false; Junos default is "block new, preserve existing", which is what the plan does. policy-rematch is an opt-in additional feature.
• "Hot-path branch cost" — one branch per rule on the miss path is acceptable; this isn't the bottleneck.
• Valid concern: hit-counter-zero-on-snapshot. Gemini caught this; Codex also caught it; converged.

Recommended plan v2

• ArcSwap-published inactive: bool (immutable on the published Arc) — checked before app/address matching on miss path
• Stable rule identity by config-driven UUID or (policy_set_id, name) — used for counter migration across snapshots
• Counter storage keyed by stable id, persists across rebuilds
• Single-scheduler-per-rule (matches Junos)
• Missing-scheduler = commit-error
• Snapshot delta on scheduler tick (not individual rule updates); ArcSwap atomicity
• 60s granularity acknowledged; deterministic clock-injection tests

Size: M (4-6 days) — Rust evaluate gate + counter-migration plumbing + scheduler-tick dispatch + commit-error capability + 4 tests.

This is the 2nd-priority production correctness regression after #1377.

Codex task: `task-mp8rfu0d-bh77qs`. Gemini Pro 3 task: `task-mp8rg46w-zhbaix`.

[psaab]

Update after #1396: keep open, but narrow to the remaining scheduler contract gaps. Landed: scheduler_name/inactive/rule_id snapshot fields, Rust inactive-rule skip, daemon scheduler republish path. Remaining: hit-counter survival across scheduler snapshot rebuilds, wire strict missing-scheduler commit errors, and integration/failover validation.