userspace: add port mirror snapshot foundation

[psaab]

Summary

• add userspace mirror snapshot DTO with ingress ifindex, output ifindex, and rate
• build mirror snapshots from forwarding-options port-mirroring while rejecting duplicate ingress ifindexes and skipping unresolved outputs
• keep userspace capability admission fail-closed until runtime cross-binding clone/inject delivery is wired

References #1376.

Tests

• go test ./pkg/dataplane/userspace -run 'TestConfigSnapshotMirrorConfigsRoundTrip|TestDeriveUserspaceCapabilitiesKeepsPortMirroringFailClosed|TestBuildMirrorConfigSnapshots'
• git diff --check

Remaining gaps

• runtime mirror clone/inject path and mirror drop counters are not implemented in this foundation
• no TUN-based mirror sink is added; cross-binding inject remains the required runtime path

[Copilot]

Pull request overview

Adds the initial Go-side “port mirroring” snapshot representation for the userspace dataplane, deriving per-ingress mirror mappings from forwarding-options port-mirroring while keeping capability admission fail-closed until runtime clone/inject support exists.

Changes:

• Extend the userspace control-plane snapshot protocol with mirror_configs entries (ingress ifindex, output ifindex, sampling rate).
• Build mirror config snapshots from config + resolved interface ifindexes, rejecting duplicate ingress ifindexes and skipping unresolved outputs.
• Add Go tests for JSON wire stability and mirror snapshot building; keep the userspace capability gate rejecting port mirroring.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
pkg/dataplane/userspace/snapshot.go	Adds mirror snapshot derivation and wires it into buildSnapshot().
pkg/dataplane/userspace/protocol.go	Adds MirrorConfigs to ConfigSnapshot and defines MirrorConfigSnapshot.
pkg/dataplane/userspace/protocol_test.go	Adds JSON round-trip / wire-key pin test for mirror_configs.
pkg/dataplane/userspace/manager_test.go	Adds tests for fail-closed capability gating and mirror snapshot builder behavior.

[psaab]

Claude round-1 review on ac0a04e0

Verdict: MERGE-READY (foundation only — Go-side scaffolding for #1376)

Snapshot + admission plumbing only. No Rust dataplane impl. The userspace capability gate for port mirroring remains closed.

What's in scope

4 files +236/-0:

• pkg/dataplane/userspace/protocol.go — wire-format additions for port-mirror snapshot
• pkg/dataplane/userspace/snapshot.go — Go-side builder
• pkg/dataplane/userspace/protocol_test.go + manager_test.go — round-trip tests

Hostile checks

• Backward compat: new fields in protocol.go should be additive (omitempty) so older xpfd builds tolerate them — analogous to the CoS: make no-rate scheduler-map queues residual-only #1372/Userspace address-persistent SNAT pools #1385 audit lessons. Codex will verify.
• Missing reference handling: if a mirror config references a non-existent interface, does buildPortMirrorSnapshots fail closed (skip rule + warn) like Userspace address-persistent SNAT pools #1385's pool fix?
• Capability gate stays closed: deriveUserspaceCapabilities() should still reject port-mirror configs until Rust impl lands. Per Feature gap: port mirroring implemented in eBPF, missing from userspace-dp #1376 contract: "admit-only-after-wired."

Recommendation

Block on: nothing structural for the foundation slice.

Strongly consider: verify missing-instance/interface fail-closed pattern (Codex will).

Defer to follow-up PRs: Rust mirror egress path, buffer-doubling UMEM accounting, backpressure handling, failover semantics (no clone-state sync).

Awaiting Codex (task-mp9559w2-zumig4).

[psaab]

Round-1 review consolidated on ac0a04e0

Reviewer	Verdict
Claude	MERGE-READY (foundation)
Codex	MERGE-NEEDS-MINOR
Copilot	(no review yet on this HEAD)

Codex MINOR — Test coverage thinner than scope

"protocol_test.go:63 only proves Go self round-trip for mirror_configs. Current Rust ConfigSnapshot has no mirror_configs field and no deny_unknown_fields, so older/current xpfd should ignore the added JSON field, but this is not pinned by a Rust compatibility test."

And:

"manager_test.go:1903 tests buildMirrorConfigSnapshots directly, not the real buildSnapshot integration point."

Same "production publish path coverage" gap pattern as #1396. The mirror_configs field is built by the helper but not necessarily wired into the publishing path. A regression that stops wiring MirrorConfigs into the published snapshot wouldn't be caught.

What Codex verified clean

• Capability gate stays closed: manager.go:775 rejects port-mirroring configs ✓
• Missing-reference fail-closed: missing output/input ifindexes produce warn + skip, duplicate ingress errors. ✓
• Diff scope: exactly 4 files, +236/-0. ✓

Recommendation

Block on: nothing structural.

Strongly consider: add a Rust-side decode test confirming mirror_configs is tolerated by current ConfigSnapshot (forward-compat), and an integration test through buildSnapshot (not just buildMirrorConfigSnapshots helper).

Defer to follow-up PRs: Rust mirror egress path, UMEM buffer-doubling accounting, backpressure semantics, failover (no clone-state sync), capability gate removal.

Codex task: task-mp9559w2-zumig4. Not merging — author's decision.

[psaab]

Round-2 update pushed in ec4e9cb. Closed the review coverage gap with:

• Rust snapshot DTO + round-trip coverage for mirror_configs in userspace-dp/src/protocol.rs and userspace-dp/src/main_tests.rs
• Real Go buildSnapshot integration coverage that resolves loopback ifindex and verifies MirrorConfigs is emitted from the full snapshot path

Validation:

• go test ./pkg/dataplane/userspace -run 'TestConfigSnapshotMirrorConfigsRoundTrip|TestDeriveUserspaceCapabilitiesKeepsPortMirroringFailClosed|TestBuildMirrorConfigSnapshots|TestBuildSnapshotIncludesMirrorConfigsFromRealInterfaceSnapshot'
• cargo test --manifest-path userspace-dp/Cargo.toml config_snapshot_mirror_configs_roundtrip -- --nocapture
• git diff --check

[psaab]

Claude round-2 review on ec4e9cbd

Verdict: MERGE-READY (foundation slice, test coverage gap closed)

Round-1 MINOR addressed. 3 files, +90/-0:

• pkg/dataplane/userspace/manager_test.go (+33): real buildSnapshot integration test, not just helper
• userspace-dp/src/main_tests.rs (+45): Rust round-trip / forward-compat test for mirror_configs field
• userspace-dp/src/protocol.rs (+12): minor field plumbing for the test

The two specific gaps Codex flagged:

1. ✓ Rust compat test added (forward-compat — current ConfigSnapshot tolerates mirror_configs)
2. ✓ Go integration test exercises real buildSnapshot, not just the helper

Capability gate at manager.go:775 should still reject port-mirroring configs per #1376 contract — let Codex verify it's unchanged.

Awaiting Codex (task-mp96mlkx-0s1hx5).

[psaab]

Round-2 review consolidated on ec4e9cbd

Reviewer	Verdict
Claude	MERGE-READY
Codex	MERGE-READY

Round-1 MINOR (test coverage gap) closed cleanly. 3 files, +90/-0:

• Rust round-trip + forward-compat test for mirror_configs ✓
• Real buildSnapshot integration test ✓
• Capability gate unchanged at manager.go:775 ✓

Codex finding: no new MAJORs.

Recommendation: MERGE-READY. Defer to follow-up PRs: Rust mirror egress path, UMEM buffer-doubling accounting, backpressure semantics, failover, capability gate removal.

Codex task: task-mp96mlkx-0s1hx5. Not merging — author's decision.

[psaab]

Rebased after #1395 merge

Rebased the port-mirror snapshot PR onto current master after the three-color policer snapshot merge.

What changed in the conflict resolution:

• Kept both snapshot surfaces in the Go DTO/build path:
  • three_color_policers
  • mirror_configs
• Kept both Rust DTO wire fields and split the Rust round-trip coverage into independent tests.
• Preserved the existing Go port-mirror snapshot tests and the merged three-color policer snapshot test.

Validation run on 4586233e:

• go test ./pkg/dataplane/userspace
• cargo test --manifest-path userspace-dp/Cargo.toml config_snapshot

Both passed. Cargo still emits the existing warning set.

[psaab]

@copilot review\n\nPlease re-review current HEAD after the latest fix-forward/rebase push.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.