The README.md mentioned:
This stateful firewall is implemented 100% in the dataplane using a simple bloom filter. Thus there is some probability of hash collisions that would let unwanted flows pass through.
With Bloom filters, a hash collision can always happen. So my question is, how to implement a reliable firewall? How to block all unwanted flows? Thanks.
The short answer is that if you want exact answers, you need some kind of table or P4 register in the data plane that is capable of holding one entry per rule/IP-address/MAC-address/5-tuple-flow-id/whatever, not a Bloom filter. Designed appropriately, such tables (or perhaps a sequence of multiple table lookups is advantageous for the task at hand) can guarantee that you match exactly the set of packets that you wish.
Thanks. Are there any built-in data structures to hold these mappings in P4?
Yes, as he said, tables or registers … but preferably tables
Hmm, but is there a way to create new table entries in P4? In this FW case, we need to create an entry to store the 5-tuple on an outgoing TCP SYN packet so it can be later used to match the return traffic.
So far I can only see examples of applying pre-defined tables to trigger corresponding actions.
Not without controller interaction (at least not in any real P4 architecture that I am aware of; of course there are proposals, but they are not really available). Depending on your network speed and number of new flows, you could report the first packet of any new flow to the control plane, which sets up the appropriate entry. The only problem is a possible overload of the controller, but with only the first packet you should be fine.
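The two designs this thread contrasts, a Bloom filter checked purely in the data plane versus an exact-match table whose entries a controller installs when it sees the first outbound SYN of a flow, as an added Python model that is not part of this thread or of any P4 project. All addresses, ports, the 64-bit filter size and the use of SHA-256 as a stand-in for the hardware hash are constructed assumptions; the model drives both designs with the same constructed traffic and shows that the filter admits an unsolicited inbound flow the exact table rejects, while only the first packet of each new flow is punted to the (simulated) controller.

```python
"""Added example, not from the forum thread or any P4 project: a model of a
Bloom-filter stateful firewall beside an exact-match flow table populated by a
controller on the first SYN. Flow ids, addresses and sizes are constructed."""
import hashlib

# A flow id is a constructed 5-tuple: (src_ip, dst_ip, proto, sport, dport).
def reverse(flow):
    """Return the 5-tuple of the reply direction."""
    src, dst, proto, sport, dport = flow
    return (dst, src, proto, dport, sport)

def bloom_indexes(flow, m, k):
    """k deterministic bit positions in an m-bit array (SHA-256 stands in for the hardware hash)."""
    data = repr(flow).encode()
    return [int.from_bytes(hashlib.sha256(bytes([i]) + data).digest()[:8], "big") % m
            for i in range(k)]

class BloomFirewall:
    """Data-plane-only design: outbound SYNs set bits, an inbound packet is admitted
    when every bit of its reverse 5-tuple is set. Collisions admit unrelated flows."""
    def __init__(self, m=64, k=2):
        self.m, self.k = m, k
        self.bits = [0] * m

    def allow(self, flow, syn, outbound):
        if outbound:
            if syn:
                for i in bloom_indexes(flow, self.m, self.k):
                    self.bits[i] = 1
            return True                      # inside hosts may always initiate
        return all(self.bits[i] for i in bloom_indexes(reverse(flow), self.m, self.k))

class TableFirewall:
    """Exact-match table populated by a simulated controller on the first SYN of a flow."""
    def __init__(self):
        self.table = set()
        self.punted = 0                      # packets reported to the control plane

    def controller_add(self, flow):
        self.table.add(flow)                 # control plane installs one exact entry

    def allow(self, flow, syn, outbound):
        if outbound:
            if syn and flow not in self.table:
                self.punted += 1             # only the first packet of a new flow is punted
                self.controller_add(flow)
            return True
        return reverse(flow) in self.table  # exact match: no false positives

def simulate(num_flows=20):
    """Drive both designs with the same constructed traffic and return a summary."""
    bloom, table = BloomFirewall(), TableFirewall()
    outbound = [("10.0.0.5", "198.51.100.%d" % n, 6, 40000 + n, 443) for n in range(num_flows)]
    for f in outbound:
        bloom.allow(f, syn=True, outbound=True)
        table.allow(f, syn=True, outbound=True)
        bloom.allow(f, syn=False, outbound=True)   # later packets set nothing new
        table.allow(f, syn=False, outbound=True)   # ...and are not punted again
    legit_reply = reverse(outbound[0])
    # Probe unsolicited inbound SYNs until the Bloom filter admits one the table rejects.
    false_positive = None
    for port in range(1024, 65536):
        probe = ("203.0.113.9", "10.0.0.5", 6, port, 22)
        if bloom.allow(probe, syn=True, outbound=False) and not table.allow(probe, syn=True, outbound=False):
            false_positive = probe
            break
    return {
        "reply_allowed_bloom": bloom.allow(legit_reply, syn=False, outbound=False),
        "reply_allowed_table": table.allow(legit_reply, syn=False, outbound=False),
        "punted": table.punted,
        "false_positive": false_positive,
    }

if __name__ == "__main__":
    print(simulate())
```

With a 64-bit filter and 20 established flows roughly a quarter of unrelated reverse 5-tuples collide, so the probe loop finds an admitted unsolicited flow almost immediately; a larger filter lowers the rate but never reaches zero, which is the thread's point, whereas the table design stays exact and costs one punt per new flow.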
I see. So it looks like an area that isn’t standardized in P4 yet. Thanks for your replies!
P4 tends to standardize lower-level mechanisms, like tables, counters, meters, registers, etc., rather than implementations of particular features.
This is analogous to programming languages like C++, Java, Python, etc. that standardize variables, types, functions, standard libraries, etc., but do not standardize what kinds of program features you can implement using them.