sdn-controller: add optional cookie argument support

semarie · semarie · commit 10e95c10fe0c · 2026-03-16T11:29:25.000+01:00
if used, set cookie on OF rule to help deleting group of rules

Behaviour notes:
- add-rule : if the same rule is added twice but with a different cookie, the cookie information is updated (OpenvSwitch behaviour)
- del-rule : if cookie is used, others parameters are ignored and only the cookie information is used to delete rules

Signed-off-by: Sebastien Marie &lt;semarie@kapouay.eu.org&gt;
diff --git a/README.md b/README.md
@@ -347,6 +347,7 @@ Add, delete rules and dump openflow rules.
 
 Parameters for adding a rule:
 - *bridge* :  The name of the bridge to add rule to.
+- *cookie* (optional) : Hexdecimal number used to track the rule (in form `0x1234`). Sets to `0x0` by default.
 - *priority* (optional): A number between 0 and 65535 for the rule priority.
 - *mac* (optional): The MAC address of the VIF to create the rule for, if not
   specified, a network-wide rule will be created.
@@ -363,6 +364,7 @@ Parameters for adding a rule:
 $ xe host-call-plugin host-uuid<uuid> plugin=sdncontroller.py \
   fn=add-rule                   \
   args:bridge="xenbr0"          \
+  args:cookie="0x1234"          \
   args:priority="100"           \
   args:mac="6e:0b:9e:72:ab:c6"  \
   args:ipRange="192.168.1.0/24" \
@@ -372,10 +374,14 @@ $ xe host-call-plugin host-uuid<uuid> plugin=sdncontroller.py \
   args:allow="false"
 ```
 
+Please note that if the same rule is added twice but with a different `cookie`,
+the cookie information on th first rule is updated (it follows the OpenvSwitch behaviour).
+
 ##### Delete rule
 
 Parameters for removing a rule:
-- *bridge* :  The name of the bridge to delete the rule from.
+- *bridge* : The name of the bridge to delete the rule from.
+- *cookie* (optional) : if used, the others parameters are ignored and only the cookie information is used to delete the rule.
 - *mac* (optional): The MAC address of the VIF to delete the rule for.
 - *ipRange*: An IP or range of IPs in CIDR notation, for example `192.168.1.0/24`.
 - *direction*: can be **from**, **to** or **from/to**
@@ -389,6 +395,7 @@ Parameters for removing a rule:
 $ xe host-call-plugin host-uuid<uuid> plugin=sdncontroller.py \
   fn=del-rule                   \
   args:bridge="xenbr0"          \
+  args:cookie="0x1234"          \
   args:mac="6e:0b:9e:72:ab:c6"  \
   args:ipRange="192.168.1.0/24" \
   args:direction="from/to"      \
diff --git a/SOURCES/etc/xapi.d/plugins/sdncontroller.py b/SOURCES/etc/xapi.d/plugins/sdncontroller.py
@@ -161,6 +161,24 @@ def parse_priority(self):
                 E_PARSER, "'{}' is not a valid priority".format(priority)
             )
 
+    def parse_cookie(self):
+        COOKIE_REGEX = re.compile(
+            r"^0x0*([0-9a-fA-F]{1,16})$"
+        )
+
+        cookie = self.args.get("cookie")
+        if cookie is None:
+            return "0x0"
+
+        m = COOKIE_REGEX.match(cookie)
+        if m is None:
+            log_and_raise_error(
+                E_PARSER, "'{}' is not a valid cookie".format(cookie)
+            )
+
+        # normalize output (0x01Ff2 => 0x1ff2)
+        return "0x{}".format(m.group(1).lower())
+
     def read(self, key, parse_fn, dests=None):
         # parse_fn can return a single value or a tuple of values.
         # In this case we are expecting dests to match the expected
@@ -303,6 +321,7 @@ def build_rule_string(direction, ofport, args, uplink=False):
     rule_parts = {
         "priority": ("priority", "priority"),
         "protocol": (None, None),
+        "cookie": ("cookie", "cookie"),
         "ofport": ("in_port", "in_port"),
         "mac": ("dl_src", "dl_dst"),
         "iprange": ("nw_dst", "nw_src"),
@@ -318,6 +337,7 @@ def build_rule_string(direction, ofport, args, uplink=False):
     if args.get("priority"):
         rule += "priority={}".format(args["priority"]) + ","
     rule += args["protocol"]
+    rule += ",cookie={}".format(args["cookie"])
     if uplink:
         rule += ",dl_vlan={}".format(vlanid)
     if ofport:
@@ -342,6 +362,7 @@ def run_ofctl_cmd(cmd, bridge, rule):
             % (format(ofctl_cmd), cmd["stderr"]),
         )
     _LOGGER.info("Applied rule: {}".format(ofctl_cmd))
+    return cmd["stdout"]
 
 
 @error_wrapped
@@ -358,6 +379,7 @@ def add_rule(_session, args):
         parser.read("port", parser.parse_port)
         parser.read("allow", parser.parse_allow)
         parser.read("priority", parser.parse_priority)
+        parser.read("cookie", parser.parse_cookie)
     except XenAPIPlugin.Failure as e:
         log_and_raise_error(
             E_PARSER, "add_rule: Failed to get parameters: {}".format(e.params[1])
@@ -383,6 +405,14 @@ def add_rule(_session, args):
             E_PORTS, "No ports found for bridge: {}".format(rule_args["bridge"])
         )
 
+    # cleanup the cookie (if already used) to 'upgrade' the rule
+    if rule_args["cookie"] != "0x0":
+        run_ofctl_cmd(
+            "del-flows",
+            rule_args["parent-bridge"],
+            "cookie={}/-1".format(rule_args["cookie"]),
+        )
+
     # We can now build the open flow rule
     rules = build_rules_strings(rule_args)
     _LOGGER.info("Built rules: {}".format(rules))
@@ -408,6 +438,7 @@ def del_rule(_session, args):
         parser.read("protocol", parser.parse_protocol)
         parser.read("iprange", parser.parse_iprange)
         parser.read("port", parser.parse_port)
+        parser.read("cookie", parser.parse_cookie)
     except XenAPIPlugin.Failure as e:
         log_and_raise_error(
             E_PARSER, "del_rule: Failed to get parameters: {}".format(e.params[1])
@@ -427,12 +458,22 @@ def del_rule(_session, args):
             E_PARAMS, "del_rule: No port provided, tcp and udp requires one"
         )
 
+    # to match on a cookie, need to specify a mask
+    rule_args["cookie"] = "{}/-1".format(rule_args["cookie"])
+
     update_args_from_ovs(rule_args)
 
-    # We can now build the open flow rule
-    rules = build_rules_strings(rule_args)
-    _LOGGER.info("Built rules: {}".format(rules))
+    if rule_args["cookie"] == "0x0/-1":
+        # if no cookie, build the open flow rule
+        rules = build_rules_strings(rule_args)
 
+    else:
+        # if cookie value is meaningful, use it to remove all related rules
+        rules = [
+            "cookie={}".format(rule_args["cookie"]),
+        ]
+
+    _LOGGER.info("Built rules: {}".format(rules))
     for rule in rules:
         run_ofctl_cmd("del-flows", rule_args["parent-bridge"], rule)
 
diff --git a/tests/sdncontroller_test_cases/functions.py b/tests/sdncontroller_test_cases/functions.py
@@ -192,7 +192,7 @@
             },  # list-interfaces
         ],
         "calls": [
-            call("add-flow", "xenbr0", "ip,in_port=5,nw_dst=1.1.1.1,actions=drop"),
+            call("add-flow", "xenbr0", "ip,cookie=0x0,in_port=5,nw_dst=1.1.1.1,actions=drop"),
         ],
     },
     {  # subnet tcp 4242 allow
@@ -221,7 +221,7 @@
             call(
                 "add-flow",
                 "xenbr0",
-                "tcp,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242,actions=normal",
+                "tcp,cookie=0x0,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242,actions=normal",
             )
         ],
     },
@@ -252,7 +252,7 @@
             call(
                 "add-flow",
                 "xenbr0",
-                "udp,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121,actions=drop",
+                "udp,cookie=0x0,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121,actions=drop",
             ),
         ],
     },
@@ -283,7 +283,7 @@
             "type": XenAPIPlugin.Failure,
             "code": "3",
             "text": "Error running ovs-ofctl command: ['ovs-ofctl', '-O', 'OpenFlow11', 'add-flow', 'xenbr0', "
-            "'ip,in_port=5,nw_dst=1.1.1.1/24,actions=drop']: fake error",
+            "'ip,cookie=0x0,in_port=5,nw_dst=1.1.1.1/24,actions=drop']: fake error",
         },
         "cmd": [
             {"returncode": 0, "stdout": "xenbr0", "stderr": ""},  # br-to-parent
@@ -341,7 +341,7 @@
             },  # list-interfaces
         ],
         "calls": [
-            call("del-flows", "xenbr0", "ip,in_port=5,nw_dst=1.1.1.1"),
+            call("del-flows", "xenbr0", "ip,cookie=0x0/-1,in_port=5,nw_dst=1.1.1.1"),
         ],
     },
     {  # subnet tcp 4242 allow
@@ -370,7 +370,7 @@
             call(
                 "del-flows",
                 "xenbr0",
-                "tcp,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242",
+                "tcp,cookie=0x0/-1,in_port=5,nw_dst=1.1.1.1/24,tp_dst=4242",
             )
         ],
     },
@@ -401,7 +401,7 @@
             call(
                 "del-flows",
                 "xenbr0",
-                "udp,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121",
+                "udp,cookie=0x0/-1,dl_dst=DE:AD:BE:EF:CA:FE,nw_src=4.4.4.4,tp_src=2121",
             ),
         ],
     },
@@ -432,7 +432,7 @@
             "type": XenAPIPlugin.Failure,
             "code": "3",
             "text": "Error running ovs-ofctl command: ['ovs-ofctl', '-O', 'OpenFlow11', 'del-flows', 'xenbr0', "
-            "'ip,in_port=5,nw_dst=1.1.1.1/24']: fake error",
+            "'ip,cookie=0x0/-1,in_port=5,nw_dst=1.1.1.1/24']: fake error",
         },
         "cmd": [
             {"returncode": 0, "stdout": "xenbr0", "stderr": ""},  # br-to-parent
diff --git a/tests/sdncontroller_test_cases/parser.py b/tests/sdncontroller_test_cases/parser.py
@@ -370,3 +370,49 @@
     },
 ]
 PRIORITY_IDS = ["100", "0", "65535", "65536", "aoeui", "empty string", "no parameters"]
+
+
+COOKIE_PARAMS = [
+    {"input": {"cookie": "0x0"}, "result": "0x0", "exception": None},
+    {"input": {"cookie": "0x01234"}, "result": "0x1234", "exception": None},
+    {"input": {"cookie": "0xe4e59f746a3ce3db"}, "result": "0xe4e59f746a3ce3db", "exception": None},
+    {"input": {"cookie": "0xFFFFffffFFFFffff"}, "result": "0xffffffffffffffff", "exception": None},
+    {"input": {}, "result": "0x0", "exception": None},
+    {
+        "input": {"cookie": "0x"},
+        "result": None,
+        "exception": {
+            "type": XenAPIPlugin.Failure,
+            "code": "1",
+            "text": "'0x' is not a valid cookie",
+        },
+    },
+    {
+        "input": {"cookie": "1234"},
+        "result": None,
+        "exception": {
+            "type": XenAPIPlugin.Failure,
+            "code": "1",
+            "text": "'1234' is not a valid cookie",
+        },
+    },
+    {
+        "input": {"cookie": "0xAZ"},
+        "result": None,
+        "exception": {
+            "type": XenAPIPlugin.Failure,
+            "code": "1",
+            "text": "'0xAZ' is not a valid cookie",
+        },
+    },
+]
+COOKIE_IDS = [
+    "0x0",
+    "0x01234",
+    "0xe4e59f746a3ce3db",
+    "0xFFFFffffFFFFffff",
+    "no parameter",
+    "0x",
+    "1234",
+    "0xAZ",
+]
diff --git a/tests/test_sdn-controller.py b/tests/test_sdn-controller.py
@@ -21,6 +21,8 @@
     ALLOW_IDS,
     PRIORITY_PARAMS,
     PRIORITY_IDS,
+    COOKIE_PARAMS,
+    COOKIE_IDS,
 )
 
 from sdncontroller_test_cases.functions import (
@@ -112,6 +114,13 @@ def test_parse_priority(self, priority):
         p = Parser(priority["input"])
         parser_test(p.parse_priority, priority)
 
+    @pytest.fixture(params=COOKIE_PARAMS, ids=COOKIE_IDS)
+    def cookie(self, request):
+        return request.param
+
+    def test_parse_cookie(self, cookie):
+        p = Parser(cookie["input"])
+        parser_test(p.parse_cookie, cookie)
 
 @mock.patch("sdncontroller.run_command", autospec=True)
 class TestSdnControllerFunctions:
