sdn-controller: add optional cookie argument support

semarie · semarie · commit 062681961d9e · 2026-02-12T08:49:59.000+01:00
if used, set cookie on OF rule to help deleting group of rules

Behaviour notes:
- add-rule : if the same rule is added twice but with a different cookie, the cookie information is updated (OpenvSwitch behaviour)
- del-rule : if cookie is used, others parameters are ignored and only the cookie information is used to delete rules

Signed-off-by: Sebastien Marie &lt;semarie@kapouay.eu.org&gt;
diff --git a/SOURCES/etc/xapi.d/plugins/sdncontroller.py b/SOURCES/etc/xapi.d/plugins/sdncontroller.py
@@ -19,6 +19,7 @@
 E_PARAMS = 2
 E_OVSCALL = 3
 E_PORTS = 4
+E_COOKIEINUSE = 5
 
 # rules names per direction
 TO = 0
@@ -161,6 +162,23 @@ def parse_priority(self):
                 E_PARSER, "'{}' is not a valid priority".format(priority)
             )
 
+    def parse_cookie(self):
+        COOKIE_REGEX = re.compile(
+            r"^0x[0-9a-fA-F]{1,16}$"
+        )
+
+        cookie = self.args.get("cookie")
+        if cookie is None:
+            return "0x0"
+
+        if not COOKIE_REGEX.match(cookie):
+            log_and_raise_error(
+                E_PARSER, "'{}' is not a valid cookie".format(cookie)
+            )
+
+        # normalize output (0x01Ff2 => 0x1ff2)
+        return hex(int(cookie, 16))
+
     def read(self, key, parse_fn, dests=None):
         # parse_fn can return a single value or a tuple of values.
         # In this case we are expecting dests to match the expected
@@ -303,6 +321,7 @@ def build_rule_string(direction, ofport, args, uplink=False):
     rule_parts = {
         "priority": ("priority", "priority"),
         "protocol": (None, None),
+        "cookie": ("cookie", "cookie"),
         "ofport": ("in_port", "in_port"),
         "mac": ("dl_src", "dl_dst"),
         "iprange": ("nw_dst", "nw_src"),
@@ -318,6 +337,8 @@ def build_rule_string(direction, ofport, args, uplink=False):
     if args.get("priority"):
         rule += "priority={}".format(args["priority"]) + ","
     rule += args["protocol"]
+    if args.get("cookie"):
+        rule += ",cookie={}".format(args["cookie"])
     if uplink:
         rule += ",dl_vlan={}".format(vlanid)
     if ofport:
@@ -342,6 +363,7 @@ def run_ofctl_cmd(cmd, bridge, rule):
             % (format(ofctl_cmd), cmd["stderr"]),
         )
     _LOGGER.info("Applied rule: {}".format(ofctl_cmd))
+    return cmd["stdout"]
 
 
 @error_wrapped
@@ -358,6 +380,7 @@ def add_rule(_session, args):
         parser.read("port", parser.parse_port)
         parser.read("allow", parser.parse_allow)
         parser.read("priority", parser.parse_priority)
+        parser.read("cookie", parser.parse_cookie)
     except XenAPIPlugin.Failure as e:
         log_and_raise_error(
             E_PARSER, "add_rule: Failed to get parameters: {}".format(e.params[1])
@@ -383,6 +406,18 @@ def add_rule(_session, args):
             E_PORTS, "No ports found for bridge: {}".format(rule_args["bridge"])
         )
 
+    # validate cookie isn't already used
+    if rule_args["cookie"] != "0x0":
+        out = run_ofctl_cmd(
+            "dump-flows",
+            rule_args["parent-bridge"],
+            "cookie={}/-1".format(rule_args["cookie"]),
+        )
+        if len(out.split('\n')) != 2:
+            log_and_raise_error(
+                E_COOKIEINUSE, "add_rule: this cookie is already used"
+            )
+
     # We can now build the open flow rule
     rules = build_rules_strings(rule_args)
     _LOGGER.info("Built rules: {}".format(rules))
@@ -408,6 +443,7 @@ def del_rule(_session, args):
         parser.read("protocol", parser.parse_protocol)
         parser.read("iprange", parser.parse_iprange)
         parser.read("port", parser.parse_port)
+        parser.read("cookie", parser.parse_cookie)
     except XenAPIPlugin.Failure as e:
         log_and_raise_error(
             E_PARSER, "del_rule: Failed to get parameters: {}".format(e.params[1])
@@ -427,12 +463,22 @@ def del_rule(_session, args):
             E_PARAMS, "del_rule: No port provided, tcp and udp requires one"
         )
 
+    # to match on a cookie, need to specify a mask
+    rule_args["cookie"] = "{}/-1".format(rule_args["cookie"])
+
     update_args_from_ovs(rule_args)
 
-    # We can now build the open flow rule
-    rules = build_rules_strings(rule_args)
-    _LOGGER.info("Built rules: {}".format(rules))
+    if rule_args["cookie"] == "0x0/-1":
+        # if no cookie, build the open flow rule
+        rules = build_rules_strings(rule_args)
 
+    else:
+        # if cookie value is meanful, use it to remove all related rules
+        rules = [
+            "cookie={}".format(rule_args["cookie"]),
+        ]
+
+    _LOGGER.info("Built rules: {}".format(rules))
     for rule in rules:
         run_ofctl_cmd("del-flows", rule_args["parent-bridge"], rule)
 
diff --git a/tests/sdncontroller_test_cases/functions.py b/tests/sdncontroller_test_cases/functions.py
@@ -192,7 +192,7 @@
             },  # list-interfaces
         ],
         "calls": [
-            call("add-flow", "xenbr0", "ip,in_port=5,nw_dst=1.1.1.1,actions=drop"),
+            call("add-flow", "xenbr0", "ip,cookie=0x0,in_port=5,nw_dst=1.1.1.1,actions=drop"),
         ],
     },
     {  # subnet tcp 4242 allow
@@ -221,7 +221,7 @@
             call(
                 "add-flow",
                 "xenbr0",
-                "tcp,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242,actions=normal",
+                "tcp,cookie=0x0,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242,actions=normal",
             )
         ],
     },
@@ -252,7 +252,7 @@
             call(
                 "add-flow",
                 "xenbr0",
-                "udp,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121,actions=drop",
+                "udp,cookie=0x0,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121,actions=drop",
             ),
         ],
     },
@@ -283,7 +283,7 @@
             "type": XenAPIPlugin.Failure,
             "code": "3",
             "text": "Error running ovs-ofctl command: ['ovs-ofctl', '-O', 'OpenFlow11', 'add-flow', 'xenbr0', "
-            "'ip,in_port=5,nw_dst=1.1.1.1/24,actions=drop']: fake error",
+            "'ip,cookie=0x0,in_port=5,nw_dst=1.1.1.1/24,actions=drop']: fake error",
         },
         "cmd": [
             {"returncode": 0, "stdout": "xenbr0", "stderr": ""},  # br-to-parent
@@ -341,7 +341,7 @@
             },  # list-interfaces
         ],
         "calls": [
-            call("del-flows", "xenbr0", "ip,in_port=5,nw_dst=1.1.1.1"),
+            call("del-flows", "xenbr0", "ip,cookie=0x0/-1,in_port=5,nw_dst=1.1.1.1"),
         ],
     },
     {  # subnet tcp 4242 allow
@@ -370,7 +370,7 @@
             call(
                 "del-flows",
                 "xenbr0",
-                "tcp,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242",
+                "tcp,cookie=0x0/-1,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242",
             )
         ],
     },
@@ -401,7 +401,7 @@
             call(
                 "del-flows",
                 "xenbr0",
-                "udp,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121",
+                "udp,cookie=0x0/-1,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121",
             ),
         ],
     },
@@ -432,7 +432,7 @@
             "type": XenAPIPlugin.Failure,
             "code": "3",
             "text": "Error running ovs-ofctl command: ['ovs-ofctl', '-O', 'OpenFlow11', 'del-flows', 'xenbr0', "
-            "'ip,in_port=5,nw_dst=1.1.1.1/24']: fake error",
+            "'ip,cookie=0x0/-1,in_port=5,nw_dst=1.1.1.1/24']: fake error",
         },
         "cmd": [
             {"returncode": 0, "stdout": "xenbr0", "stderr": ""},  # br-to-parent
diff --git a/tests/sdncontroller_test_cases/parser.py b/tests/sdncontroller_test_cases/parser.py
@@ -370,3 +370,47 @@
     },
 ]
 PRIORITY_IDS = ["100", "0", "65535", "65536", "aoeui", "empty string", "no parameters"]
+
+
+COOKIE_PARAMS = [
+    {"input": {"cookie": "0x0"}, "result": "0x0", "exception": None},
+    {"input": {"cookie": "0x01234"}, "result": "0x1234", "exception": None},
+    {"input": {"cookie": "0xFFFFffffFFFFffff"}, "result": "0xffffffffffffffff", "exception": None},
+    {"input": {}, "result": "0x0", "exception": None},
+    {
+        "input": {"cookie": "0x"},
+        "result": None,
+        "exception": {
+            "type": XenAPIPlugin.Failure,
+            "code": "1",
+            "text": "'0x' is not a valid cookie",
+        },
+    },
+    {
+        "input": {"cookie": "1234"},
+        "result": None,
+        "exception": {
+            "type": XenAPIPlugin.Failure,
+            "code": "1",
+            "text": "'1234' is not a valid cookie",
+        },
+    },
+    {
+        "input": {"cookie": "0xAZ"},
+        "result": None,
+        "exception": {
+            "type": XenAPIPlugin.Failure,
+            "code": "1",
+            "text": "'0xAZ' is not a valid cookie",
+        },
+    },
+]
+COOKIE_IDS = [
+    "0x0",
+    "0x01234",
+    "0xFFFFffffFFFFffff",
+    "no parameter",
+    "0x",
+    "1234",
+    "0xAZ",
+]
diff --git a/tests/test_sdn-controller.py b/tests/test_sdn-controller.py
@@ -21,6 +21,8 @@
     ALLOW_IDS,
     PRIORITY_PARAMS,
     PRIORITY_IDS,
+    COOKIE_PARAMS,
+    COOKIE_IDS,
 )
 
 from sdncontroller_test_cases.functions import (
@@ -112,6 +114,13 @@ def test_parse_priority(self, priority):
         p = Parser(priority["input"])
         parser_test(p.parse_priority, priority)
 
+    @pytest.fixture(params=COOKIE_PARAMS, ids=COOKIE_IDS)
+    def cookie(self, request):
+        return request.param
+
+    def test_parse_cookie(self, cookie):
+        p = Parser(cookie["input"])
+        parser_test(p.parse_cookie, cookie)
 
 @mock.patch("sdncontroller.run_command", autospec=True)
 class TestSdnControllerFunctions:
