From 480ede535a27caf2bbc82cecfdfbc25cc6d61e39 Mon Sep 17 00:00:00 2001
From: Hang Yang
Date: Fri, 11 Dec 2020 12:16:05 -0600
Subject: [PATCH] Fix OVS conjunctive IP flows cleanup
Currently when deleting a remote-group's member IPs, the deleted IPs' conjunctive flows are not cleaned up in OF tables. This is because the conjunctive flows' cookies don't match with the OVSBridge default cookie used by the delete flow method. This patch fixed the issue by using an ANY cookie that can always match with the cookies of the conjunctive flows.
Conflicts: neutron/agent/linux/openvswitch_firewall/firewall.py
Change-Id: I74916acf8311989dca267f23261ec4cf449a6abf
Closes-Bug: 1907491
(cherry picked from commit f4b64e519cdb9fd9c5046f21bc9f325341fd367f)
(cherry picked from commit 03f0a832a82f35286417e56d6071cfefe823a65c)
---
neutron/agent/linux/openvswitch_firewall/firewall.py | 5 +++++
.../agent/linux/openvswitch_firewall/test_firewall.py | 10 ++++++++++
2 files changed, 15 insertions(+)
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 1b00c5e2d2d..e4b418fef4d 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -1494,4 +1494,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 # the actions field is bogus anyway.
 del flow['actions']
 del flow['priority']
+ # NOTE(hangyang) If cookie is not set then _delete_flows will
+ # use the OVSBridge._default_cookie to filter the flows but that
+ # will not match with the ip flow's cookie so OVS won't actually
+ # delete the flow
+ flow['cookie'] = ovs_lib.COOKIE_ANY
 self._delete_flows(deferred=False, **flow)
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
index d2e343c349d..53d5f5fbbb7 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
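Review bot: In the firewall.py hunk, `flow['cookie'] = ovs_lib.COOKIE_ANY` removes the last ownership filter on this delete. `priority` was dropped from the match two lines earlier, so `_delete_flows` now removes every flow that matches the remaining fields, whichever cookie it carries. The NOTE explains why the default cookie fails, but not why a cookie-agnostic match cannot reach flows installed for another port or by another component on the same bridge; the rest of delete_flow_for_ip lies outside the hunk, so that cannot be confirmed from here. If the remaining match fields are specific to the firewall's conjunctive IP flows, say so in the comment, e.g. `# COOKIE_ANY is safe here: the remaining match fields only select this driver's conjunctive IP flows`; otherwise pass the cookie the flows were installed with.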
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -1001,6 +1001,16 @@ class TestOVSFirewallDriver(base.BaseTestCase):
 addr_to_conj = {'addr1': {8, 16, 24}}
 self._test_delete_flows_for_flow_state(addr_to_conj, False)
 
+ def test_delete_flow_for_ip_using_cookie_any(self):
+ with mock.patch.object(self.firewall, '_delete_flows') as \
+ mock_delete_flows:
+ self.firewall.delete_flow_for_ip('10.1.2.3',
+ constants.INGRESS_DIRECTION,
+ constants.IPv4, 100, [0])
+ _, kwargs = mock_delete_flows.call_args
+ self.assertIn('cookie', kwargs)
+ self.assertIs(ovs_lib.COOKIE_ANY, kwargs['cookie'])
+
 
 class TestCookieContext(base.BaseTestCase):
 def setUp(self):
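Review bot: `_, kwargs = mock_delete_flows.call_args` inspects only the last call to `_delete_flows`, so if delete_flow_for_ip issues more than one delete (the code that would do so is not visible in this patch), the earlier calls go unchecked. Checking every call closes that gap: `mock_delete_flows.assert_called()`, then `for _, kwargs in mock_delete_flows.call_args_list:` with `self.assertIs(ovs_lib.COOKIE_ANY, kwargs['cookie'])` as the loop body. Because `_delete_flows` is mocked out, the test pins the argument but not the behaviour in the bug report, that the stale conjunctive flows are actually removed. A one-line docstring stating that limit would help, e.g. `"""delete_flow_for_ip must pass COOKIE_ANY so flows with non-default cookies match."""`.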