Feature gap: dataplane events (PolicyDeny, ScreenDrop, FilterLog) not emitted by userspace-dp

[psaab]

Gap

The eBPF dataplane emits per-event records into a ring buffer at policy-deny, screen-drop, and filter-log decision points. pkg/logging/ringbuf.go consumes the ring buffer and produces RT_FLOW_SESSION_DENY, screen-drop, and filter-log syslog messages in vSRX-compatible format. The userspace dataplane's event stream (userspace-dp/src/event_stream/) emits ONLY SessionOpen/Close/Update. Once eBPF is removed, syslog will lose per-flow deny / screen-drop / filter-log telemetry — operators rely on these for IDS visibility and audit.

eBPF implementation (source of truth)

• bpf/headers/xpf_common.h:226-231 — six event types: EVENT_TYPE_SESSION_OPEN/CLOSE/POLICY_DENY/SCREEN_DROP/ALG_REQUEST/FILTER_LOG
• bpf/xdp/xdp_screen.c / bpf/xdp/xdp_policy.c — call emit_event(meta, EVENT_TYPE_*, ...) to ringbuf at drop/deny points
• pkg/logging/ringbuf.go:466-488 — type dispatch consuming these event types
• pkg/logging/ringbuf.go:603 — RT_FLOW_SESSION_DENY ... emitted from EventTypePolicyDeny
• pkg/daemon/daemon_run.go:352-388 — daemon wires dp.NewEventSource() ring buffer into EventReader

Userspace-dp gap

• userspace-dp/src/event_stream/codec.rs:17-27 — defines MSG_SESSION_OPEN/CLOSE/UPDATE/ACK/PAUSE/RESUME/DRAIN_REQUEST/DRAIN_COMPLETE/FULL_RESYNC/KEEPALIVE; NO PolicyDeny / ScreenDrop / FilterLog frames
• grep -rn 'EVENT_TYPE_POLICY_DENY\\|EVENT_TYPE_SCREEN_DROP\\|EVENT_TYPE_FILTER_LOG' userspace-dp/src/ — zero matches
• Counter rollups are sent (pkg/dataplane/userspace/manager_ha.go:500-530) but those are aggregate, not per-event with src/dst/zone/policy_id needed for RT_FLOW_SESSION_DENY
• The userspace Manager embeds the eBPF DataPlane so NewEventSource() still works today via the legacy BPF programs (which the userspace XDP shim tail-calls into for fallback). Once those programs are removed, the ring buffer has no producer

Recommended fix

Two-part change:

1. Rust side (userspace-dp/src/event_stream/): extend EventFrame with new message types MSG_POLICY_DENY=11, MSG_SCREEN_DROP=12, MSG_FILTER_LOG=13; emit at the same decision points the legacy BPF programs did (policy denial in policy.rs, screen drop in screen.rs, filter log term in filter/engine.rs). Frame should carry src/dst/proto/zone-pair/policy-id/rule-id/timestamp.
2. Go side (pkg/dataplane/userspace/eventstream.go + pkg/logging/): add a userspace EventSource implementation that consumes these new frame types and produces the same dataplane.Event records pkg/logging/ringbuf.go already handles. Alternatively rewrite ringbuf.go to consume the userspace JSON/binary protocol directly when dp.Mode() == ModeUserspace.

Blocker for #1373

This must land before Phase 4 (BPF source removal) of #1373 (retire eBPF dataplane). Loss of per-flow deny/screen-drop/filter-log syslog is a security visibility regression that breaks operator IDS/audit workflows.

---

Refined contract (added 2026-05-17 after triple-review of #1384)

See docs/pr/1373-retire-ebpf-dataplane/plan-1379-dataplane-events.md for the full implementation contract refined through 4 rounds of Claude+Codex+Gemini Pro 3 review. New since the original issue body:

• Risks called out: event-loss accounting (drop counters per event-type when ring-buffer backpressure trips), syslog dedup (cluster failover must not duplicate events across peers, must not lose them), identity stability (PolicyDeny/ScreenDrop/FilterLog must carry the same RT_FLOW-shaped fields across both backends so syslog consumers don't regress).

[psaab]

Implementation contract

Acceptance criteria

1. userspace-dp/src/event_stream/codec.rs defines new frame types: MSG_POLICY_DENY=11, MSG_SCREEN_DROP=12, MSG_FILTER_LOG=13.
2. Each frame carries: src_ip, src_port, dst_ip, dst_port, proto, zone_from, zone_to, policy_id, rule_id, application, timestamp_ns.
3. Emission points: userspace-dp/src/policy.rs (policy deny path), userspace-dp/src/screen.rs (screen drop path), userspace-dp/src/filter/engine.rs (filter log term).
4. pkg/dataplane/userspace/eventstream.go provides an EventSource implementation that consumes these frames and produces dataplane.Event records compatible with pkg/logging/ringbuf.go.
5. pkg/logging/ringbuf.go produces identical RT_FLOW_SESSION_DENY / screen-drop / filter-log syslog messages whether the dataplane is eBPF or userspace.
6. Capability check at pkg/dataplane/userspace/snapshot.go: configs that depend on per-event syslog (security log mode event, etc.) admit cleanly under userspace mode.

Test plan

• Cargo: new test in userspace-dp/src/event_stream/codec_tests.rs for each new frame type's encode/decode roundtrip
• Cargo: integration test that deny path produces an event frame with correct fields (mock evaluate_policy returning Deny → assert frame written)
• Go: pkg/logging/ringbuf_test.go adds case for consuming userspace event source → produces RT_FLOW_SESSION_DENY in expected format
• Integration: configure policy with deny action, send matching traffic, verify syslog has matching RT_FLOW_SESSION_DENY record on userspace cluster
• Smoke: full matrix passes; no regression in existing event types (SessionOpen/Close/Update)

Dependencies

#1381 must land first — the new userspace EventSource registration on the daemon side needs the ConfigSink/ControlPlane split (or stub) to wire cleanly into pkg/daemon/daemon_run.go. Without it, the userspace EventSource competes with the embedded eBPF event source.

Size estimate

M (3-7 days). Rust-side frame additions are straightforward; Go-side consumer needs careful round-trip testing to match the existing syslog format byte-for-byte.

[psaab]

Plan-review round 1 — PLAN-NEEDS-MAJOR

Reviewer	Verdict
Codex	PLAN-NEEDS-MAJOR (10 concrete gaps)
Gemini Pro 3	PLAN-NEEDS-MAJOR (convergent: rate limiter + dispatch wiring)

Convergent findings

1. Frame field set incomplete for vSRX RT_FLOW_SESSION_DENY parity. Missing: ingress_ifindex / interface name (consumed by pkg/logging/ringbuf.go:602), policy/app name resolution path, drop reason, NAT-rewritten addresses, source-zone-instance. eBPF event struct at bpf/headers/xpf_common.h:521 is the real contract.
2. No rate limiter in the plan. Deny-event storms at Mpps will saturate the MPSC channel (userspace-dp/src/event_stream/mod.rs:32, capacity 8192) AND starve legitimate session events. Must add per-source-zone / per-event token bucket + dropped-event counter.
3. Hot-path budget unaddressed. evaluate_policy is called from the RX descriptor path for new/session-miss traffic (poll_descriptor.rs:997). Event emission must be fixed-size, no heap, non-blocking, capped around the existing 256-byte EventFrame.
4. Daemon dispatch needs new wire-up. pkg/logging/ringbuf.go (daemon_run.go:352) consumes ONE dataplane.EventSource. Userspace event stream is currently consumed by HA session sync (daemon_ha_userspace.go:480), not logging. Need new userspace logging EventSource adapter OR fan-in source.
5. No dual-source fan-in. Phase 1-3 overlap (both eBPF + userspace event sources running) needs composite source or explicit selection. Today's EventReader reads single source.
6. FilterLog trigger semantics: BPF emits only when rule->log_flag is set (xpf_helpers.h:1790), tied to then log / then syslog, NOT then count. Plan must match.
7. Feature gap: DataPlane interface contract is BPF-shaped; userspace Manager embeds eBPF Manager #1381 coupling is TIGHT. Rust evaluate_policy returns only PolicyAction (policy.rs:274) — no rule/policy ID, log flags, app ID. Without these, Feature gap: dataplane events (PolicyDeny, ScreenDrop, FilterLog) not emitted by userspace-dp #1379 ships a low-fidelity shim.
8. Backward compat: existing MSG_TYPE values 4/5/6 are ACK/PAUSE/RESUME (protocol.go:1051). Use values 11/12/13 for new types, with golden codec tests for existing frames.

Recommended plan v2

• Add a complete RT_FLOW_SESSION_DENY field-budget design with byte layout
• Specify per-zone token-bucket rate limiter + drop counter
• Define hot-path emission: pre-allocated frame, copy-by-value, try_send non-blocking, no heap
• Pick: fan-in source OR explicit eBPF→userspace migration cutover during phases
• Add policy/rule/app ID plumbing to PolicyAction enum (depends on Feature gap: DataPlane interface contract is BPF-shaped; userspace Manager embeds eBPF Manager #1381)
• Add golden codec tests for existing frames

#1379 has tight coupling to #1381 — they should land together OR #1379 needs an explicit low-fidelity shim phase.

Codex task: `task-mp8rf3ci-7nhs2g`. Gemini Pro 3 task: `task-mp8rfe1q-2h5jex`.

[psaab]

Update after #1394: keep open, but narrow to producer/runtime telemetry. Landed: event-stream frame types 11/12/13, RT_FLOW payload codec, Go decode/dispatch into logging. Remaining: non-blocking Rust emission at policy deny/screen drop/filter log points, rate limiting, per-event loss accounting, and end-to-end syslog validation.