feat(netprobe): move p0f encoding to userspace; fix eBPF verifier (#3425) #3514

Merged

mfreeman451 merged 1 commit from feat/netprobe-p0f-userspace-ebpf-verifier into staging

2026-06-02 06:05:15 +00:00

mfreeman451 commented

2026-06-02 05:55:51 +00:00

Owner

Summary

Part of the native add-on rollout (#3425). The netprobe eBPF object could not load on the target kernel: the TCP-SYN / p0f path first exceeded the BPF verifier's 1M-instruction complexity limit (the p0f::encode option/quirk string builder), and once that was removed it hit the 512-byte BPF stack limit. This moves p0f signature encoding out of the eBPF program into userspace and restructures the eBPF datapath so every program verifies cheaply, while making p0f matching actually work.

eBPF (`rust/netprobe/ebpf/src/lib.rs`)

Drop p0f from the kernel: remove p0f::encode, emit_p0f_signature, the P0fRecord struct and the p0f_signatures ring buffer. The TC-SYN path now only parses the SYN into a raw TcpSynSignatureRecord and emits it to tcp_syn_signatures. The record gains source_endpoint + df/id+/id- IP-level quirk bits and a deterministic #[repr(C)] 104-byte layout.
Tail-call split for stack budget: the SYN parse is a tail-call target (netprobe_tc_syn_signature) so it verifies with its own fresh 512-byte stack; the entry classifiers do flow accounting then bpf_tail_call. The tail call lives in the entry program because the verifier rejects bpf_tail_call inside bpf-to-bpf subprograms.
Stack reductions: split the flow_table update out of the parse chain, de-inline the IPv4/IPv6 parse + SYN-header helpers, and compare 16-byte addresses as a single big-endian u128 instead of a byte loop. The byte loop unrolled into per-byte stack spills (~392-byte frames); the u128 compare dropped parse_ipv6_flow_key 392→64 and record_flow_pid 480→168 bytes.

Userspace

New rust/netprobe/src/p0f_encode.rs: the no_std/no-alloc p0f encoder moved from the eBPF crate, extended to render df/id+/id- quirks.
fingerprint.rs reads the raw tcp_syn_signatures records, builds the p0f signature string in userspace, and matches the bundled corpus exactly as before (P0fSignatureRuntime repointed from p0f_signatures → tcp_syn_signatures).
The df/id+ quirks make real SYNs match the bundled corpus — the old eBPF-encoded path emitted no IP-level quirks and therefore matched nothing.

Verification

Built hermetically (RBE) and validated on a kernel-6.8 box (agent-sr-test-pve04, amd64):

All eBPF programs load (no verifier grind: ~12k insns / 64ms; no stack overflow) and attach (TC ingress/egress, XDP, kprobes, tracepoints).
Flow accounting populates flow_table; p0f fingerprint events flow via the userspace path (netprobe_events_emitted_total{stream="fingerprint"} increments).
netprobe idles at ~0% CPU / ~7 MB RSS.

Unit tests updated for the raw-record format; bazel test //rust/netprobe:netprobe_test passes.

🤖 Generated with Claude Code

## Summary Part of the native add-on rollout (#3425). The netprobe eBPF object could not load on the target kernel: the TCP-SYN / p0f path first exceeded the BPF verifier's **1M-instruction complexity limit** (the `p0f::encode` option/quirk string builder), and once that was removed it hit the **512-byte BPF stack limit**. This moves p0f signature *encoding* out of the eBPF program into userspace and restructures the eBPF datapath so every program verifies cheaply, while making p0f matching actually work. ## eBPF (`rust/netprobe/ebpf/src/lib.rs`) - **Drop p0f from the kernel**: remove `p0f::encode`, `emit_p0f_signature`, the `P0fRecord` struct and the `p0f_signatures` ring buffer. The TC-SYN path now only parses the SYN into a raw `TcpSynSignatureRecord` and emits it to `tcp_syn_signatures`. The record gains `source_endpoint` + `df`/`id+`/`id-` IP-level quirk bits and a deterministic `#[repr(C)]` 104-byte layout. - **Tail-call split for stack budget**: the SYN parse is a tail-call target (`netprobe_tc_syn_signature`) so it verifies with its own fresh 512-byte stack; the entry classifiers do flow accounting then `bpf_tail_call`. The tail call lives in the entry program because the verifier rejects `bpf_tail_call` inside bpf-to-bpf subprograms. - **Stack reductions**: split the `flow_table` update out of the parse chain, de-inline the IPv4/IPv6 parse + SYN-header helpers, and compare 16-byte addresses as a single big-endian `u128` instead of a byte loop. The byte loop unrolled into per-byte stack spills (~392-byte frames); the `u128` compare dropped `parse_ipv6_flow_key` 392→64 and `record_flow_pid` 480→168 bytes. ## Userspace - New `rust/netprobe/src/p0f_encode.rs`: the `no_std`/no-alloc p0f encoder moved from the eBPF crate, extended to render `df`/`id+`/`id-` quirks. - `fingerprint.rs` reads the raw `tcp_syn_signatures` records, builds the p0f signature string in userspace, and matches the bundled corpus exactly as before (`P0fSignatureRuntime` repointed from `p0f_signatures` → `tcp_syn_signatures`). - The `df`/`id+` quirks make real SYNs match the bundled corpus — the old eBPF-encoded path emitted no IP-level quirks and therefore matched nothing. ## Verification Built hermetically (RBE) and validated on a **kernel-6.8 box** (`agent-sr-test-pve04`, amd64): - All eBPF programs **load** (no verifier grind: ~12k insns / 64ms; no stack overflow) and **attach** (TC ingress/egress, XDP, kprobes, tracepoints). - Flow accounting populates `flow_table`; p0f **fingerprint events flow** via the userspace path (`netprobe_events_emitted_total{stream="fingerprint"}` increments). - netprobe idles at **~0% CPU / ~7 MB RSS**. Unit tests updated for the raw-record format; `bazel test //rust/netprobe:netprobe_test` passes. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Rows
Columns

feat(netprobe): move p0f encoding to userspace; fix eBPF verifier (#3425) #3514

Summary

eBPF (rust/netprobe/ebpf/src/lib.rs)

Userspace

Verification

eBPF (`rust/netprobe/ebpf/src/lib.rs`)