Safely bypass the flow-filter

[Fredi-raspall]

• Augments pipeline with some PipelineData so that all NFs that are part of the pipeline can have access to it on their creation.
• Currently the pipeline data only includes the generation Id. We use this so that NFs can easily know the generation id of the currently applied config, with minimal changes.
• Augment flows to have a generation Id. The generation id of a flow is the config generation when the flow was created (or subsequently validated).
• Augment NAT NFs so that they create flows with generation ids
• Implement bypass of flow-filter so that:
  • packets that refer to flows can bypass the filter if the configuration has not changed.
  • on config changes, if a packet refers to a flow set up with a previous config, the packet does not bypass the filter.
    If the packet survives, the flow is upgraded and subsequent packets bypass, because the flow conforms to the new config.
    If the packet is not allowed, that means that the flow should not be allowed and it gets invalidated.

These changes not only expedite packet processing but also simplify the flow-filter implementation.
E.g. with these, the extra checks in PR #1341 should no longer be needed.

This fixes #1312

[qmonnet]

This is a great addition, but I've got a concern about concurrency. Could it be that we bump the config while the packet is being processed, for example after we've agreed to bypass flow-filter or after we've looked at the NAT context, and that we pick the genid for a new config that no longer allows it when creating the sessions? Should we attach the genid to the packet in the flow-filter instead, and pass it along to be sure that it doesn't change while we process the packet?

[Fredi-raspall]

This is a great addition, but I've got a concern about concurrency. Could it be that we bump the config while the packet is being processed, for example after we've agreed to bypass flow-filter or after we've looked at the NAT context, and that we pick the genid for a new config that no longer allows it when creating the sessions? Should we attach the genid to the packet in the flow-filter instead, and pass it along to be sure that it doesn't change while we process the packet?

I did a first implementation with that idea, but later thought that this was cleaner. (I can re-add the marking of packets with the genid). In the case you mentioned, yes, we'd allowing a packet that should not longer be allowed. But is that a problem? I mean, if the config was applied 1ns later, tons of packets would be allowed. Sure, NFs may not find the right state to process it, but all are (should otherwise) be prepared for that, right?

[qmonnet]

In the case you mentioned, yes, we'd allowing a packet that should not longer be allowed.

I agree, that part is a non-issue.

But is that a problem?

I'm not sure we're talking of the same thing. My issue is the following: let's consider a change of config from gen X to X+1, and a packet valid for gen X but invalid for gen X+1.

1. Packet goes through flow-filter, config X is applied, there's no flow established: packet is supposed to be port-forwarded, gets sent to port-forwarding stage
2. Packet goes through port-forwarding stage, we retrieve the rule based on packet flow info and port-forwarding context; flow table entry has not been created yet.
3. Change of config happens, we're now at gen X+1, for which the packet is invalid.
4. We retrieve the genid and create new session for the flow (forward and reverse), labelling the flow with gen X+1.
5. Packet gets translated and goes through.
6. Follow-up packets match the existing flow table entry, tagged for gen X+1, they bypass the flow-filter and go through.

The issue is not at step 5, it's fine that this packet goes through. The issue is at step 4 (then 6): if we retrieve the genid after we've switched to X+1 but before we create the flow table entry, we might tag the packet for the wrong generation and allow subsequent packets to go through.

Looking again at the code I think you're right that we don't need to pass the genid to the packet, and it's fine if we have a mismatch between the genid found in flow-filter and in NAT; but I believe that inside of the NAT stages we should move the call to self.pipeline_data.genid() to the beginning of the processing function (with a comment advising caution if moving it) to avoid retrieving it after we've been through the NAT context lookup logic?

[Fredi-raspall]

In the case you mentioned, yes, we'd allowing a packet that should not longer be allowed.

I agree, that part is a non-issue.

But is that a problem?

I'm not sure we're talking of the same thing. My issue is the following: let's consider a change of config from gen X to X+1, and a packet valid for gen X but invalid for gen X+1.

1. Packet goes through flow-filter, config X is applied, there's no flow established: packet is supposed to be port-forwarded, gets sent to port-forwarding stage
2. Packet goes through port-forwarding stage, we retrieve the rule based on packet flow info and port-forwarding context; flow table entry has not been created yet.
3. Change of config happens, we're now at gen X+1, for which the packet is invalid.
4. We retrieve the genid and create new session for the flow (forward and reverse), labelling the flow with gen X+1.
5. Packet gets translated and goes through.
6. Follow-up packets match the existing flow table entry, tagged for gen X+1, they bypass the flow-filter and go through.

The issue is not at step 5, it's fine that this packet goes through. The issue is at step 4 (then 6): if we retrieve the genid after we've switched to X+1 but before we create the flow table entry, we might tag the packet for the wrong generation and allow subsequent packets to go through.

Looking again at the code I think you're right that we don't need to pass the genid to the packet, and it's fine if we have a mismatch between the genid found in flow-filter and in NAT; but I believe that inside of the NAT stages we should move the call to self.pipeline_data.genid() to the beginning of the processing function (with a comment advising caution if moving it) to avoid retrieving it after we've been through the NAT context lookup logic?

That's the exact example I was thinking about. I have to think of a solution to that.

[Fredi-raspall]

In the case you mentioned, yes, we'd allowing a packet that should not longer be allowed.

I agree, that part is a non-issue.

But is that a problem?

I'm not sure we're talking of the same thing. My issue is the following: let's consider a change of config from gen X to X+1, and a packet valid for gen X but invalid for gen X+1.

1. Packet goes through flow-filter, config X is applied, there's no flow established: packet is supposed to be port-forwarded, gets sent to port-forwarding stage
2. Packet goes through port-forwarding stage, we retrieve the rule based on packet flow info and port-forwarding context; flow table entry has not been created yet.
3. Change of config happens, we're now at gen X+1, for which the packet is invalid.
4. We retrieve the genid and create new session for the flow (forward and reverse), labelling the flow with gen X+1.
5. Packet gets translated and goes through.
6. Follow-up packets match the existing flow table entry, tagged for gen X+1, they bypass the flow-filter and go through.

The issue is not at step 5, it's fine that this packet goes through. The issue is at step 4 (then 6): if we retrieve the genid after we've switched to X+1 but before we create the flow table entry, we might tag the packet for the wrong generation and allow subsequent packets to go through.
Looking again at the code I think you're right that we don't need to pass the genid to the packet, and it's fine if we have a mismatch between the genid found in flow-filter and in NAT; but I believe that inside of the NAT stages we should move the call to self.pipeline_data.genid() to the beginning of the processing function (with a comment advising caution if moving it) to avoid retrieving it after we've been through the NAT context lookup logic?

That's the exact example I was thinking about. I have to think of a solution to that.

Ok. I've had the time now to think about this. Yes, this needs to be addressed, good catch.
Marking packets with the generation Id when they entered (or were evaluated by the filter) does not help. The problem is if NAT (for example) learns a generation Id larger than (before) the flow-filter, for a given packet. I think the window where that could happen is tiny (it would need to be for a packet establishing a new flow before a new config was applied but after it was learnt and NAT should learn that config is X+1 while the flow filter didn't). That being said, it has to be addressed.

With that in mind, the problem is that the condition to bypass (flow.genid = current.genid) is insufficient to tell that the flow is okay for the new genid, because by the time the flow was created, we skipped the validation in the case of the race.
So, the NAT module assumes that the packet was validated with the configuration that it sees (X+1), but in reality the packet may have been validated with X. Given that:

• this is only an issue when transitioning from allowed -> disallowed
• this only happens if a flow is created between X and X+1
• we can't go back in time to re-evaluate the packet (forget recirculation)
• labeling packets would not help (we could label a packet as "validated by X" but then if NAT saw X+1 what would it do?)

... a simple solution involves augmenting the flow with a new field that says that it was actually validated under the current genid.
Sample workflow:

* config transitions X -> X+1, but, for a packet, flow-filter sees X and NAT sees X+1
* NAT creates flow with X+1, "not-validated"
* flow-filter eventually sees that generation is X+1. When it gets packet, 
it sees flow is X+1 but "not-validated". So, it does NOT bypass the flow-filter.
If config X+1 would allow packet, the flow is marked as validated. Else, it is invalidated as before.

[qmonnet]

... a simple solution involves [...]

I need to think more about it, too, but I think your proposal should work

[Fredi-raspall]

... a simple solution involves [...]

I need to think more about it, too, but I think your proposal should work

Ok!. There's actually a simpler one that involves the same variables, repurposed.
Instead of letting NAT set the generation Id, let the flow-filter do so:

• nat would create flow, without generation id or maybe zero.
• when seeing zero (or anything < current genid), flow filter would validate and then set the "valid_for(genid)" annotation. This way a single atomic is needed as before.

[qmonnet]

There's actually a simpler [solution] [...]

Yes, I think it looks correct. The flows are tagged with the right genid, it means we can only bypass starting from the 3rd packet (1st creates the flow, 2nd gets validated and sets the genid) but it's still better than no bypass or a flawed bypass.

Please make sure to address, or reply to/resolve all comments from the first review.

[qmonnet]

Looks good to me, thank you!