Juniper: warn on filter-based-forwarding with next-ip (#3816)

batfish · May 8, 2019 · d316d2b · d316d2b
1 parent b5a9dde
commit d316d2b
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 12 deletions.
diff --git a/projects/batfish/src/main/java/org/batfish/grammar/flatjuniper/ConfigurationBuilder.java b/projects/batfish/src/main/java/org/batfish/grammar/flatjuniper/ConfigurationBuilder.java
@@ -4009,6 +4009,7 @@ public void exitFftt_next_ip(Fftt_next_ipContext ctx) {
     _currentFwTerm.getThens().add(then);
     _currentFwTerm.getThens().add(FwThenAccept.INSTANCE);
     _currentFilter.setUsedForFBF(true);
+    todo(ctx, "Filter-based forwarding with next-hop-ip is not currently supported");
   }
 
   @Override

diff --git a/tests/parsing-tests/networks/unit-tests/configs/juniper_firewall b/tests/parsing-tests/networks/unit-tests/configs/juniper_firewall
@@ -32,6 +32,8 @@ set firewall family inet filter blah term blorp from icmp-code 2
 #
 set firewall family inet filter blah term t2 then routing-instance OTHER_INSTANCE
 #
+set firewall family inet filter blah term t3 then next-ip 1.2.3.4/5
+#
 set firewall family inet6 filter blah6 term blorp6 from icmp-type packet-too-big
 set firewall family inet6 filter blah6 term blorp6 from icmp-type neighbor-advertisement
 set firewall family inet6 filter blah6 term blorp6 from icmp-type neighbor-solicit

diff --git a/tests/parsing-tests/unit-tests-unused.ref b/tests/parsing-tests/unit-tests-unused.ref
@@ -2625,7 +2625,7 @@
         "Source_Lines" : {
           "filename" : "configs/juniper_firewall",
           "lines" : [
-            40
+            42
           ]
         }
       },
@@ -2660,7 +2660,8 @@
             27,
             30,
             31,
-            33
+            33,
+            35
           ]
         }
       },
@@ -2670,9 +2671,9 @@
         "Source_Lines" : {
           "filename" : "configs/juniper_firewall",
           "lines" : [
-            35,
-            36,
-            37
+            37,
+            38,
+            39
           ]
         }
       },

diff --git a/tests/parsing-tests/unit-tests-vimodel.ref b/tests/parsing-tests/unit-tests-vimodel.ref
@@ -21684,6 +21684,16 @@
                   }
                 },
                 "name" : "blorp"
+              },
+              {
+                "action" : "PERMIT",
+                "matchCondition" : {
+                  "class" : "org.batfish.datamodel.acl.MatchHeaderSpace",
+                  "headerSpace" : {
+                    "negate" : false
+                  }
+                },
+                "name" : "t3"
               }
             ],
             "sourceName" : "blah",
@@ -21804,6 +21814,28 @@
                     }
                   }
                 }
+              },
+              {
+                "class" : "org.batfish.datamodel.packet_policy.If",
+                "actions" : [
+                  {
+                    "class" : "org.batfish.datamodel.packet_policy.Return",
+                    "action" : {
+                      "class" : "org.batfish.datamodel.packet_policy.FibLookup",
+                      "vrfName" : "default"
+                    }
+                  }
+                ],
+                "trueStatements" : {
+                  "class" : "org.batfish.datamodel.packet_policy.PacketMatchExpr",
+                  "expression" : {
+                    "class" : "org.batfish.datamodel.acl.MatchHeaderSpace",
+                    "description" : "Firewall filter term t3",
+                    "headerSpace" : {
+                      "negate" : false
+                    }
+                  }
+                }
               }
             ]
           }

diff --git a/tests/parsing-tests/unit-tests-warnings.ref b/tests/parsing-tests/unit-tests-warnings.ref
@@ -2205,6 +2205,13 @@
         "Parser_Context" : "[s_ip_default_gateway stanza cisco_configuration]",
         "Comment" : "This feature is not currently supported"
       },
+      {
+        "Filename" : "configs/juniper_firewall",
+        "Line" : 35,
+        "Text" : "next-ip 1.2.3.4/5",
+        "Parser_Context" : "[fftt_next_ip fft_then ff_term f_filter f_common f_family s_firewall s_common statement set_line_tail set_line flat_juniper_configuration]",
+        "Comment" : "Filter-based forwarding with next-hop-ip is not currently supported"
+      },
       {
         "Filename" : "configs/juniper_interfaces",
         "Line" : 19,
@@ -2333,10 +2340,10 @@
       }
     ],
     "summary" : {
-      "notes" : "Found 327 results",
+      "notes" : "Found 328 results",
       "numFailed" : 0,
       "numPassed" : 0,
-      "numResults" : 327
+      "numResults" : 328
     }
   }
 ]
diff --git a/tests/parsing-tests/unit-tests.ref b/tests/parsing-tests/unit-tests.ref
@@ -58765,6 +58765,31 @@
             "            FIREWALL:'firewall'",
             "            (f_family",
             "              FAMILY:'family'",
+            "              INET:'inet'",
+            "              (f_common",
+            "                (f_filter",
+            "                  FILTER:'filter'",
+            "                  name = (variable",
+            "                    text = VARIABLE:'blah')",
+            "                  (ff_term",
+            "                    TERM:'term'",
+            "                    name = (variable",
+            "                      text = VARIABLE:'t3')",
+            "                    (fft_then",
+            "                      THEN:'then'",
+            "                      (fftt_next_ip",
+            "                        NEXT_IP:'next-ip'",
+            "                        prefix = IP_PREFIX:'1.2.3.4/5'))))))))))",
+            "    NEWLINE:'\\n')",
+            "  (set_line",
+            "    SET:'set'",
+            "    (set_line_tail",
+            "      (statement",
+            "        (s_common",
+            "          (s_firewall",
+            "            FIREWALL:'firewall'",
+            "            (f_family",
+            "              FAMILY:'family'",
             "              INET6:'inet6'",
             "              (f_common",
             "                (f_filter",
@@ -74727,6 +74752,14 @@
           ]
         },
         "configs/juniper_firewall" : {
+          "Parse warnings" : [
+            {
+              "Comment" : "Filter-based forwarding with next-hop-ip is not currently supported",
+              "Line" : 35,
+              "Parser_Context" : "[fftt_next_ip fft_then ff_term f_filter f_common f_family s_firewall s_common statement set_line_tail set_line flat_juniper_configuration]",
+              "Text" : "next-ip 1.2.3.4/5"
+            }
+          ],
           "Red flags" : [
             {
               "tag" : "MISCELLANEOUS",
@@ -80297,7 +80330,7 @@
           "firewall filter" : {
             "ISP-INBOUND-L2" : {
               "definitionLines" : [
-                40
+                42
               ],
               "numReferrers" : 0
             },
@@ -80328,15 +80361,16 @@
                 27,
                 30,
                 31,
-                33
+                33,
+                35
               ],
               "numReferrers" : 0
             },
             "blah6" : {
               "definitionLines" : [
-                35,
-                36,
-                37
+                37,
+                38,
+                39
               ],
               "numReferrers" : 0
             },