Add a new sdn controller plugin

This plugin allows to add and delete rules. A rule will be converted
into one or more openflow rules. Once converted they are applied using
ovs-vsctl command. To be able to validate the application of openflow
rules the plugins allows to dump them.

Signed-off-by: Guillaume <[email protected]>

Author: gthvn1

Diff for: README.md

@@ -338,6 +338,100 @@ Restart a service only if it is already running.
 $ xe host-call-plugin host-uuid<uuid> plugin=service.py fn=try_restart_service args:service=<service>
 ```
 
+
+### `sdn-controller`
+
+Add, delete rules and dump openflow rules.
+
+#### Add rule
+
+Expected parameters when adding a rule are:
+- *bridge* :  The name of the bridge on XAPI side
+- *mac*: The MAC address of the VIF
+- *iprange*: A range of IPs, for example `192.168.1.0/24`
+- *direction*: can be **from**, **to** or **from/to**
+  - *to*: means the parametres **port** and **iprange** are to
+          be used as destination
+  - *from*: means they will be use as source
+  - *from/to*: we create 2 openflow rules, on per direction
+- *protocol*: IP, TCP, UDP, ICMP or ARP
+- *port*: only valid for TCP/UDP protocol
+- *allow*: If set to false the packets are dropped.
+
+```
+$ xe host-call-plugin host-uuid<uuid> plugin=sdn-controller.py \
+  fn=add-rule                   \
+  args:bridge="xenbr0"          \
+  args:mac="6e:0b:9e:72:ab:c6"  \
+  args:iprange="192.168.1.0/24" \
+  args:direction="from/to"      \
+  args:protocol="tcp"           \
+  args:port="22"                \
+  args:allow="true"
+```
+
+##### Delete rule
+
+Expected the same arguments than adding rule
+
+```
+$ xe host-call-plugin host-uuid<uuid> plugin=sdn-controller.py \
+  fn=del-rule                   \
+  args:bridge="xenbr0"          \
+  args:mac="6e:0b:9e:72:ab:c6"  \
+  args:iprange="192.168.1.0/24" \
+  args:direction="from/to"      \
+  args:protocol="tcp"           \
+  args:port="22"                \
+  args:allow="true"
+```
+
+##### Dump flows
+
+- This command will return all flows entries in the bridge passed as a parameter.
+```
+$ xe host-call-plugin host-uuid=<uuid> plugin=sdn-controller.py fn=dump-flows args:bridge=xenbr0 | jq .
+{
+  "returncode": 0,
+  "command": [
+    "ovs-ofctl",
+    "dump-flows",
+    "xenbr0"
+  ],
+  "stderr": "",
+  "stdout": "NXST_FLOW reply (xid=0x4):\n cookie=0x0, duration=248977.339s, table=0, n_packets=24591786, n_bytes=3278442075, idle_age=0, hard_age=65534, priority=0 actions=NORMAL\n"
+}
+```
+
+- This error is raised when the bridge parameter is missing:
+```
+$ xe host-call-plugin host-uuid=<uuid> plugin=sdn-controller.py fn=dump-flows | jq .
+{
+  "returncode": 1,
+  "command": [
+    "ovs-ofctl",
+    "dump-flows"
+  ],
+  "stderr": "bridge parameter is missing",
+  "stdout": ""
+}
+```
+
+- If the bridge is unknown, the following error will occur:
+```
+$ xe host-call-plugin host-uuid=<uuid> plugin=sdn-controller.py args:bridge=xenbr10 fn=dump-flows | jq .
+{
+  "returncode": 1,
+  "command": [
+    "ovs-ofctl",
+    "dump-flows",
+    "xenbr10"
+  ],
+  "stderr": "ovs-ofctl: xenbr10 is not a bridge or a socket\n",
+  "stdout": ""
+}
+```
+
 ## Tests
 
 To run the plugins' unit tests you'll need to install `pytest`, `pyfakefs` and `mock`.

Diff for: SOURCES/etc/xapi.d/plugins/sdn-controller.py

@@ -0,0 +1,254 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import json
+import re
+
+import XenAPIPlugin
+
+from xcpngutils import configure_logging, error_wrapped, run_command
+
+OPENFLOW_PROTOCOL = "OpenFlow11"
+
+# All functions starting with `parse_` are helper functions compatible with the `Parser` class.
+# Each should accept `args` as input and return either (result, None) on success,
+# or (None, error_message) on failure.
+
+
+def parse_bridge(args):
+    bridge = args.get("bridge")
+    if bridge is None:
+        return None, "bridge parameter is missing"
+
+    return bridge, None
+
+
+def parse_mac(args):
+    MAC_REGEX = re.compile(r"^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$")
+    mac_addr = args.get("mac")
+
+    if mac_addr is None:
+        return None, "mac address is missing"
+
+    if not MAC_REGEX.match(mac_addr) or MAC_REGEX.match(mac_addr).group(0) != mac_addr:
+        return None, "{} is not a valid MAC".format(mac_addr)
+
+    return mac_addr, None
+
+
+def parse_iprange(args):
+    IPRANGE_REGEX = re.compile(
+        r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
+        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/\d{1,2})?$"
+    )
+    ip_range = args.get("iprange")
+
+    if ip_range is None:
+        return None, "ip range is missing"
+
+    if not IPRANGE_REGEX.match(ip_range):
+        return None, "{} is not a valid IP range".format(ip_range)
+
+    return ip_range, None
+
+
+def parse_direction(args):
+    direction = args.get("direction")
+
+    if direction is None:
+        return None, None, "direction is missing"
+
+    dir = direction.lower().split("/")
+    has_to = "to" in dir
+    has_from = "from" in dir
+
+    if not (has_to or has_from):
+        return None, None, "{} is not a valid direction".format(direction)
+
+    return (has_to, has_from), None
+
+
+def parse_protocol(args):
+    VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip", "arp"}
+    protocol = args.get("protocol")
+
+    if protocol is None:
+        return None, "protocol is missing"
+
+    if protocol.lower() not in VALID_PROTOCOLS:
+        return None, "{} is not supported".format(protocol)
+
+    return protocol, None
+
+
+def parse_port(args):
+    port = args.get("port")
+    if port is None:
+        return None, None  # Port is optional
+
+    try:
+        p = int(port)
+        if not (0 <= p <= 65536):
+            raise ValueError
+        return port, None
+    except ValueError:
+        return None, "{} is not a valid port".format(port)
+
+
+def parse_allow(args):
+    allow = args.get("allow")
+    if allow is None:
+        return None, "allow parameter is required"
+
+    if allow.lower() not in ["true", "false"]:
+        return None, "allow expects to be true or false, not {}".format(allow)
+
+    if allow.lower() == "true":
+        return True, None
+
+    return False, None
+
+
+class Parser:
+    def __init__(self, args):
+        self.args = args
+        self.values = {}
+        self.errors = []
+
+    def read(self, key, parse_fn, dests=None):
+        # parse_fn can return a single value or a tuple of values.
+        # In this case we are expecting dests to match the expected
+        # returned tuple
+        val, err = parse_fn(self.args)
+        if err:
+            self.errors.append(err)
+            return self
+
+        if dests is not None:
+            if not isinstance(val, tuple):
+                self.errors.append(
+                    "Internal error: parse {}: doesn't return a tuple while dests is set".format(
+                        key
+                    )
+                )
+                return self
+
+            if len(dests) != len(val):
+                self.errors.append(
+                    "Internal error: parse {}: dests is {} while {} was expected".format(
+                        key, len(dests), len(val)
+                    )
+                )
+                return self
+
+            for d, v in zip(dests, val):
+                self.values[d] = v
+
+            return self
+
+        self.values[key] = val
+        return self
+
+
+def json_error(name, desc):
+    return json.dumps(
+        {
+            "returncode": 1,
+            "command": name,
+            "stderr": "\n".join(desc),
+            "stdout": "",
+        }
+    )
+
+
+@error_wrapped
+def add_rule(_session, args):
+    _LOGGER.info("Calling add rule with args {}".format(args))
+
+    parser = (
+        Parser(args)
+        .read("bridge", parse_bridge)
+        .read("mac", parse_mac)
+        .read("destination", parse_direction, dests=["has_to", "has_from"])
+        .read("protocol", parse_protocol)
+        .read("iprange", parse_iprange)
+        .read("port", parse_port)
+        .read("allow", parse_allow)
+    )
+
+    if parser.errors:
+        _LOGGER.error("add_rule: Failed to get parameters: {}".format(parser.errors))
+        return json_error("add_rule", parser.errors)
+
+    rule_args = parser.values
+    _LOGGER.info("successfully parsed: {}".format(rule_args))
+
+    ofctl_cmd = ["ovs-ofctl", "-O", OPENFLOW_PROTOCOL, "add-flow", rule_args["bridge"]]
+
+    # We can now build the open flow rule
+    #  tcp,dl_dst=26:bf:26:f0:4f:50,nw_src=192.168.38.0/24,tp_src=22 actions=NORMA
+    if rule_args["has_to"]:
+        rule = rule_args["protocol"]
+        rule += ",dl_dst=" + rule_args["mac"]
+        rule += ",nw_src=" + rule_args["iprange"]
+        rule += ",tp_src=" + rule_args["port"]
+        rule += ",actions=" + ("normal" if rule_args["allow"] else "drop")
+        _LOGGER.info("generates command: {}".format(ofctl_cmd + [rule]))
+
+    # tcp,in_port=3,dl_src=26:bf:26:f0:4f:50,nw_dst=192.168.38.0/24,tp_dst=2
+    if rule_args["has_from"]:
+        rule = rule_args["protocol"]
+        rule += ",dl_src=" + rule_args["mac"]
+        rule += ",nw_dst=" + rule_args["iprange"]
+        rule += ",tp_dst=" + rule_args["port"]
+        rule += ",actions=" + ("normal" if rule_args["allow"] else "drop")
+        _LOGGER.info("generates command: {}".format(ofctl_cmd + [rule]))
+
+    return json.dumps(True)
+
+
+@error_wrapped
+def del_rule(_session, args):
+    _LOGGER.info("Calling delete rule with args {}".format(args))
+
+    parser = (
+        Parser(args)
+        .read("bridge", parse_bridge)
+        .read("mac", parse_mac)
+        .read("destination", parse_direction, dests=["has_to", "has_from"])
+        .read("protocol", parse_protocol)
+        .read("iprange", parse_iprange)
+        .read("port", parse_port)
+    )
+
+    if parser.errors:
+        _LOGGER.error("del_rule: Failed to get parameters: {}".format(parser.errors))
+        return json_error("del_rule", parser.errors)
+
+    return json.dumps(True)
+
+
+@error_wrapped
+def dump_flows(_session, args):
+    _LOGGER.info("Calling dump flows with args {}".format(args))
+
+    bridge, err = parse_bridge(args)
+
+    if err:
+        _LOGGER.error("dump flows: {}".format(err))
+        return json_error("dump_flows", [err])
+
+    ofctl_cmd = ["ovs-ofctl", "-O", OPENFLOW_PROTOCOL, "dump-flows", bridge]
+    cmd = run_command(ofctl_cmd, check=False)
+    return json.dumps(cmd)
+
+
+_LOGGER = configure_logging("sdn-controller")
+if __name__ == "__main__":
+    XenAPIPlugin.dispatch(
+        {
+            "add-rule": add_rule,
+            "del-rule": del_rule,
+            "dump-flows": dump_flows,
+        }
+    )