Parse failures causing later false positives #6637

Open
bcavns01 opened this issue Feb 17, 2021 · 5 comments

@bcavns01

We're seeing parse failures for lines related to routing and firewall ACLs. When we later check for things like unusedStructures, we get results for things that are actually in use, but they are undetected because the structures using them failed to parse:

Examples of lines that failed parsing:

as-path-group
set policy-options policy-statement OVERFLOW-LOCAL-IN term import_overflow then local-preference subtract 10
set policy-options policy-statement REJECT-ROUTES term in_overflow_rib_5_3_4_0-24 from condition in-overflow-rib_5_3_4_0-24
set interfaces gr-0/1/10 unit 204 family inet address 10.255.0.9/32 destination 10.255.0.8
set firewall family inet filter NSP term SMALL filter SMALL-PACKETS
@dhalperi
Member

Hi @bcavns01 - I'm not quite sure I grok this.

E.g., I'm not sure how

set policy-options policy-statement OVERFLOW-LOCAL-IN term import_overflow then local-preference subtract 10

failing to parse (which it did!) causes a reference to be lost. That line doesn't reference anything else.

Other questions:

You can sync with us on Batfish Slack if you want a real-time interaction.

Thanks!

@bcavns01
Author

bcavns01 commented Feb 18, 2021

Hi @dhalperi,

Thanks for the quick follow-up. Sorry for the ambiguity in the OP. I think I got too excited by the free-form format for posting issues to this repo. :)

Not all the examples in the OP were related to unused structures. They were just examples of failures to parse that would seem to directly impact routing and ACLs.

For the issue of unused structures, as-path-group will probably be one of the larger sources of trouble for us, so I'll try for a clearer example of that:


Related Issue seen:

(This seems to be the only related issue)

14,,"[configs/config:[1059, 4695]]",Parse warning,This feature is not currently supported,as-path-group 15133-PATH,[popsf_as_path_group pops_from pops_common pops_term po_policy_statement s_policy_options s_common statement set_line_tail set_line flat_juniper_configuration]

Example of what was seen as unused:

63,as-path-group as-path,ap15133_13,configs/config:[7097]

What the config actually has: (ignore the XXXXXs, those are just redactions.)

        neighbor XXXXXX {
            import [ IMPORT-15133 ];

policy-statement IMPORT-15133 {
    ...
    term AS15133-IN {
        from policy 15133-AS-FILTER

policy-statement 15133-AS-FILTER {
    term EXEMPT {
        from as-path-group 15133-PATH;
        then reject;
    }
    
    
as-path-group 15133-PATH {
    ...
    as-path ap15133_13 "^15133.*(XXXXXXXXXXXXX)$";

It's possible that I'm misunderstanding something, but the ap15133_13 is definitely in use, and it looks like it's only being seen as not in use because of the failure to parse as-path-group 15133-PATH.

To answer your other question, this is being tested on a QFX5100.
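
A triage sketch for the situation described in this comment, added here as an example and not part of the thread or of Batfish: it marks an unused-structure row as suspect when a parse warning in the same file covers a line of the same structure type or naming the structure. The column positions, the function names and the second unused row are assumptions; the other two rows are copied from the comment above.

```python
import csv
import re

# Row copied from the comment above. Column meanings are assumed, since the
# post shows no header: index, node, source lines, type, details, line text,
# parser context.
ISSUES_CSV = '''14,,"[configs/config:[1059, 4695]]",Parse warning,This feature is not currently supported,as-path-group 15133-PATH,[popsf_as_path_group pops_from pops_common pops_term po_policy_statement s_policy_options s_common statement set_line_tail set_line flat_juniper_configuration]
'''
# First row copied from the comment; second row is constructed as a control.
# Assumed columns: index, structure type, structure name, source lines.
UNUSED_CSV = '''63,as-path-group as-path,ap15133_13,configs/config:[7097]
64,prefix-list,CONSTRUCTED-PL,configs/config:[8001]
'''

def source_file(cell):
    """Extract the file name from a cell such as 'configs/config:[7097]'."""
    return re.match(r"\[?([^:\[\]]+):", cell).group(1)

def load_parse_warnings(text):
    """Return (file, unparsed line text) for every parse-warning row."""
    return [(source_file(r[2]), r[5]) for r in csv.reader(text.splitlines())
            if r and r[3] == "Parse warning"]

def is_related(line, stype, name):
    """True if the unparsed line starts with a keyword of the structure type
    or mentions the structure by name."""
    tokens = line.split()
    return bool(tokens) and (tokens[0] in stype.split() or name in tokens)

def triage_unused(unused_text, warnings):
    """Split unused-structure rows into (suspect, confirmed).

    A row is suspect when a parse warning in the same file is related to it,
    because the reference that would mark it used may never have been parsed.
    """
    suspect, confirmed = [], []
    for _, stype, name, src in csv.reader(unused_text.splitlines()):
        fname = source_file(src)
        hits = [line for wfile, line in warnings
                if wfile == fname and is_related(line, stype, name)]
        (suspect if hits else confirmed).append((stype, name, hits))
    return suspect, confirmed

if __name__ == "__main__":
    suspect, confirmed = triage_unused(UNUSED_CSV, load_parse_warnings(ISSUES_CSV))
    for stype, name, hits in suspect:
        print(f"SUSPECT  {stype} {name}: unparsed {hits}")
    for stype, name, _ in confirmed:
        print(f"UNUSED   {stype} {name}")
```

Rows reported as suspect should be reviewed against the raw configuration before anything is removed on the strength of an unused-structure result.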

@dhalperi
Member

@bcavns01 -- thanks! This is very helpful.

Dumb question: is it legal to actually use the name ap15133_13 anywhere? I see you refer to as-path-group 15133-PATH in 15133-AS-FILTER term EXEMPT, but there's no way to directly refer to ap15133_13, right?

If so, the issue (with reference tracking) is that we need to call the ap15133_13 used as soon as it is defined.

@bcavns01
Author

> Dumb question: is it legal to actually use the name ap15133_13 anywhere? I see you refer to as-path-group 15133-PATH in 15133-AS-FILTER term EXEMPT, but there's no way to directly refer to ap15133_13, right?

I wouldn't expect to be able to directly refer to it, but I'm not sure I've ever needed to try, so I can't say for sure. Looks like you've already merged in a potential fix for this, though. Great!

@dhalperi
Member

dhalperi commented Dec 6, 2022

FYI as-path-group is now supported: #8613
