Releases: batfish/batfish
Batfish v2023.12.16
What's Changed ❄️
As usual, this release includes many performance improvements and dependency upgrades for security. It also includes support for several new and noteworthy features:
- Symbolic routing policy analysis via `bf.q.searchRoutePolicies` supports many new route attributes including next-hop changes, and it is much faster and more scalable. It also accepts input via named community-lists, supports new constraints on AS Path, and has improved output such as picking sensible default values.
- A new question `bf.q.snmpCommunityClients` checks whether an SNMP community permits specified client IPs.
- Routing policy can match on the cluster-list length or the number of communities in a BGP advertisement.
- `Track` statements can now check for routes in the BGP RIB in addition to the Main RIB.
- BGP, IBGP, confederation, and route reflection have been substantially improved for advanced use cases.
- OSPF supports vendors like FRR that can apply filtering specific to LSA type.
- OSPF area has been expanded from a signed 32-bit number to a signed 64-bit number to support areas >= 2^31.
- Administrative distance has been expanded from 8-bit (0-255) to 32-bit.
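The `bf.q.snmpCommunityClients` question above answers a question a reviewer otherwise has to work out by hand from a standard ACL: which clients can actually talk to a given community. The following is an added example and not Batfish code; it parses a constructed IOS-style snippet (the `access-list` and `snmp-server community` lines are made up for this example), applies first-match ACL semantics with an implicit deny, and treats a community with no ACL as open to any client. Treating a reference to an undefined ACL as deny-all is a simplification of this example, not documented device behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    network: ipaddress.IPv4Network


# Constructed sample config (not from any real device): two SNMP communities,
# one bound to standard ACL 10, the other with no client restriction at all.
SAMPLE_CONFIG = """\
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny 10.0.1.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
snmp-server community public RO 10
snmp-server community secret RW
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse(config: str) -> Tuple[Dict[str, List[AclEntry]], Dict[str, Optional[str]]]:
    """Extract standard ACL entries and the community -> ACL binding (None = unrestricted)."""
    acls: Dict[str, List[AclEntry]] = {}
    communities: Dict[str, Optional[str]] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 5 and parts[0] == "access-list":
            _, name, action, addr, wildcard = parts
            acls.setdefault(name, []).append(
                AclEntry(action == "permit", wildcard_to_network(addr, wildcard)))
        elif parts[:2] == ["snmp-server", "community"] and len(parts) >= 4:
            communities[parts[2]] = parts[4] if len(parts) > 4 else None
    return acls, communities


def community_permits(config: str, community: str, client_ip: str) -> bool:
    """First-match ACL semantics with implicit deny; a community with no ACL permits any client.
    Simplification of this example: a reference to an undefined ACL is treated as deny-all."""
    acls, communities = parse(config)
    acl_name = communities[community]
    if acl_name is None:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    for entry in acls.get(acl_name, []):
        if ip in entry.network:
            return entry.permit
    return False


def unrestricted_communities(config: str) -> List[str]:
    """Communities that would answer any client IP: the finding to surface first in a review."""
    _, communities = parse(config)
    return sorted(name for name, acl in communities.items() if acl is None)


if __name__ == "__main__":
    for client in ("10.0.0.5", "10.0.1.7", "10.9.9.9", "192.168.1.1"):
        print("public", client, community_permits(SAMPLE_CONFIG, "public", client))
    print("unrestricted:", unrestricted_communities(SAMPLE_CONFIG))
```

The interesting output is not the per-client verdict for `public` but the `secret` RW community, which has no ACL at all and therefore permits every client; that is the kind of exposure the question is meant to make visible across a whole snapshot.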
This release contains many bug fixes to many vendors, including:
- Arista: improved robustness to invalid configurations.
- Junos: syntax improvements, especially relating to names, apply-groups, and hierarchical configuration. Improved support for conditional filtering, and the addition of small new features such as per-BGP-neighbor preference.
- Cisco IOS: syntax for HSRP and interfaces, plus EIGRP improvements by @NobutakaNiiya.
- FRR: miscellaneous BGP improvements, especially regarding non-standard `network` statement and `route-map` behavior prior to FRR 7.1.
- Palo Alto Networks: `App-ID` support.
- SONiC: YAML better tolerates extra unused whitespace.
New Contributors
- @rynogawa made their first contribution in #8596
- @ktaegyum made their first contribution in #8613
- @NobutakaNiiya made their first contribution in #8591
- @backesj made their first contribution in #8743
- @samarthdhingra made their first contribution in #8770
- @saidvandeklundert made their first contribution in #8828
- @eterny13 made their first contribution in #8795
- @zergling-aws made their first contribution in #8839
- @pranavbj-amzn made their first contribution in #8875
We also thank many users who reported bugs on Slack, via GitHub, or anonymously but who may not have been auto-tagged by GitHub in these release notes. A best-effort list: Ryan Harden on Slack, @bcavns01, @jaswant6068, @pawelhaj, @racsoce, and @sebastianw.
Full Changelog: v2022.09.08...v2023.12.16
Batfish 2022-09-08
Release notes 🍂
In this release, we have focused on advanced BGP features such as BGP additional-paths and we have expanded support for validating incremental configuration changes before they are deployed. We have also focused on an easier user and developer experience.
We'd like to welcome new code contributor @Katsuya414, who has worked on Cisco EIGRP (#8364) and NAT support for Batfish!
New features and noteworthy improvements
- Batfish now has support for BGP additional-paths, focusing on simple configurations in Cisco IOS and Juniper. `bf.q.bgpRib` will show `Received_Path_Id` for such routes. (#8369, #8370, #8397, #8424, and many more)
- `bf.q.bgpRib` and `bf.q.evpnRib` have improved output when comparing two different snapshots (#8348, #8419)
- When Batfish ISP Modeling fails to generate an ISP or its connection into the snapshot, Batfish will now log helpful error messages about the problem(s) (#8303). ISP Modeling also works in more configuration scenarios (#8307).
- BGP: we are very early in the process of adding support for extended tunnel encapsulation attributes. As of this release, some attributes can be applied in Juniper import policies and they will be reflected in the output of `bf.q.bgpRib` (#8352, #8359)
- Cisco NX-OS: support for redistributing EIGRP into EIGRP (#8364, contributed by @Katsuya414!)
- PAN: added support for template variables (#8361)
We continue to focus on validating incremental changes to configurations:
- Arista: support deleting BGP neighbors (#8260)
- Arista: support deleting BGP peer groups (#8257)
- Arista: support deleting individual prefix-list seqs (#8259)
- Cisco NX-OS: support removing BGP `aggregate-address` (#8280)
- Cisco IOS: support for interfaces defined in incremental changes after router OSPF (#8414)
- Cisco IOS-XR: support removing BGP `aggregate-address` (#8269)
Other noteworthy enhancements include:
- universal: better warning for the use of ttl in ACLs (#8324, thanks @jhammond-git!)
- Arista: fix a crash when using an undefined ACL in dynamic source nat (#8310)
- Arista: better MLAG parsing peer-address heartbeat VRF (#8426)
- Cisco IOS: a variety of parser fixes and reference tracking improvements (#8293 and more, thanks @network-dave!)
- Cisco NX-OS: handle permitting or denying all ICMP traffic in an ACL (#8267, thanks @Katsuya414 and @leopoul!)
- FRR/SONiC: improvements to BGP parsing and inheritance (#8301, #8320)
- JunOS: fixed handling of static routes with qualified-next-hops (#8323, thanks @pawelhaj!)
- JunOS: fix a crash when using OSPF area interface all (#8325)
- JunOS: improve parser support for dotted BGP ASNs (#8227)
- JunOS: support for filtering source interfaces in firewall filters (#8282)
- JunOS: @jeffkala has continued his work on VXLAN and EVPN support (#8283, others)
- PAN: improved reference tracking for addresses used in NAT (#8367)
- This release also brings many miscellaneous performance fixes and we have upgraded dependencies to the latest secure releases.
Updates and Deprecations
Easier deployment
Batfish clients can now access all the features of Batfish using only the V2 API port (by default, `9996`). If you have new `pybatfish` (>= `2022.9.7`), then you no longer need to expose port `9997`.
For example: `docker run --name batfish -v batfish-data:/data -p 9996:9996 batfish/batfish`.
We recommend all users upgrade to newer `pybatfish`; a future release of Batfish will stop running the service on port `9997` by default.
Developers: The old V1 API can be disabled entirely by passing a coordinator argument of `-uselegacyworkmgrv1 false`.
Easier bug reports
We have added GitHub Issue Templates so that it is now easier to produce a detailed, reproducible bug report! We hope this improves the user experience and reduces the time to fix your problems.
Developers, developers, developers 🪑
In an attempt to make it easier to contribute to Batfish:
- we have begun adding developer-facing documentation in the `docs/` subtree. Check it out, send improvements!
- we have switched CI providers from Buildkite to GitHub Actions. Now you can view and edit the `.github/workflows/` easily!
- we have completed the switch from Maven to Bazel for our entire build. No more juggling two build systems! See the developer getting started instructions at `docs/building_and_running`.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` (or `batfish/batfish`) then follow the standard instructions to get started.
Batfish 2022-04-06
Release notes 🖖🏻
This release brings security improvements for Java dependencies and container-level vulnerabilities. In addition, there are minor bug fixes and feature improvements.
We'd also like to welcome @drosarius, who has contributed new support for Arista VXLAN!
New features and noteworthy improvements
- Arista: support for new vlan to vni mapping syntax (#8197, contributed by @drosarius!)
- JunOS: Add definition for junos-smtps (#8161, thanks @jhammond-git!)
- PAN: Palo Alto firewall application definitions are now translated from real device database, so they do not need to be manually curated (#8178)
- SONiC: DNS servers are now extracted from resolv.conf (#8208)
- SONiC: SNMP communities and ACL linkages are now extracted from snmp.yml (#8214)
Other noteworthy enhancements include:
- Jackson: upgrade Java dependency for CVE-2020-36518 (#8201)
- `batfish/allinone` container updated for CVE-2022-0492 and for CVE-2022-1055 (`batfish/batfish` unaffected)
- FRR: Fix spurious warnings for BGP peer groups (#8157)
- IOS: AAA server group support more syntax and reference tracking (#8215)
- IOS-XR: fix spurious undefined references for interfaces (#8194)
- JunOS: fix quotes in `annotate` tool output (#8205)
- `bf.q.searchRoutePolicies`: don't build string unnecessarily, fixing a possible crash (#8167, thanks @mxsasha!)
Updates and Deprecations
⚠️ As we continue to work on Layer-1 topology, Batfish will be increasingly strict about enforcing correct input. For example, Layer-1 edges should only be between physical interfaces; future versions of Batfish will ignore (rather than honor) Layer-1 edges where one endpoint is, say, an FRR `bond` interface or an Arista `port-channel`.
⚠️ We are also improving validation for layer-2 configurations (e.g., untagged frame delivery to subinterfaces), so mocked-up configs may experience changes as Batfish becomes more accurate.
⚠️ For developers, we now only support development with Bazel. See the updated instructions on the Batfish wiki.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2022-03-16
Release notes 🍀
This release brings major new features including initial support for:
- two new platforms: A10 load balancers and SONiC software routers
- transitive routing over EVPN (Type 5 route exchange and accompanying forwarding)
- interface, route, and reachability tracking as applied to HSRP/VRRP priority and static route activation
- plus new questions, improvements to existing questions, more secure versions of some dependencies with known issues, and hundreds more changes that improve Batfish functionality and performance.
We'd also like to welcome two new code contributors to Batfish since the last release:
- Welcome @jeffkala, who is beginning EVPN/VXLAN support for JunOS! (#8112)
- Welcome Donatas Abraitis (@ton31337), who has contributed both fixes and new features for FRR!
New features and noteworthy improvements
Batfish now has initial support for A10 load balancers! We've implemented a variety of features including BGP routing, access-lists, virtual servers, NAT, and VRRP-A. A10 VRRP configuration can be retrieved via `bf.q.vrrpProperties` and you can inspect A10 virtual service configuration via `bf.q.a10VirtualServerConfiguration`. Please try it out and let us know how it goes, here or on Slack!
Batfish now has initial support for SONiC devices, mostly mirroring the existing support for Cumulus/FRR routers but via the SONiC `config_db.json` and `frr.conf` files. To try it out, see the packaging instructions for SONiC configurations here. Please try it out and let us know how it goes, here or on Slack!
We have added support for full routing and forwarding over EVPN/VXLAN including layer-3 tunnel establishment, Type-5 route exchange, and routing and forwarding via these tunnels. (Prior versions of Batfish could only establish layer-2 broadcast domain adjacency and exchange limited EVPN routes). In this release, Batfish supports these features for Cisco NX-OS, but support for JunOS is being contributed by @jeffkala via Network To Code and Juniper Networks.
Batfish now supports interface, route, and reachability tracks, so that VRRP/HSRP priorities and static route activation can be adjusted dynamically. These features are modeled for several Cisco platforms (IOS, IOS-XR, and NX-OS) and are used internally for A10 VRRP-A.
Improvements to Batfish questions include:
- `bf.q.interfaceProperties` will now explain why an interface is down (#7939). See the 'Inactive_Reason' column, which may indicate things like an autostate VLAN with no active ports, a port-channel with no active members, and other reasons.
- `bf.q.routes`, `bf.q.bgpRib`, `bf.q.evpnRib` all have a new `NextHop` column (#7838), which explains in an unambiguous way the next hop of the route. The legacy `Next_Hop_Ip` and `Next_Hop_Interface` were confusing for discard routes, next-VRF routes, and VXLAN tunnels.
- `bf.q.routes` added the `prefixMatchType` parameter to enable users to search not just for an exact match to the input `network`, but also longer or shorter prefixes (#7714). See the linked documentation for more information.
- `bf.q.ipOwners` now supports filtering of results via the new `ips` parameter. (#7888)
- `bf.q.bgpRib` now reports the received from IP (#7781).
- `bf.q.vrrpProperties` now supports filtering by address via the `virtualAddresses` parameter. (#7889)
- Added `bf.q.hsrpProperties`, a new question to analyze HSRP configuration (#7967).
- Added `bf.q.userProvidedLayer1Topology`, a new question that returns a normalized version of user provided Layer 1 topology. Use it to validate whether `layer1_topology.json` is correctly formed.
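The `prefixMatchType` parameter of `bf.q.routes` is easy to misread (does "longer" mean a longer prefix length or a larger address range?), so here is the matching logic written out over a constructed RIB. This is an added example, not pybatfish code: the RIB entries are made up, and the match-type names (`EXACT`, `LONGER_PREFIXES`, `SHORTER_PREFIXES`, `LONGEST_PREFIX_MATCH`) follow the values the routes question documents as far as I recall them, so check the linked documentation before relying on the exact spelling.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (network, next hop)

# Constructed sample RIB (not the output of any Batfish question)
SAMPLE_RIB: List[Route] = [
    ("0.0.0.0/0", "10.0.0.1"),
    ("10.0.0.0/8", "10.0.0.1"),
    ("10.1.0.0/16", "10.1.0.1"),
    ("10.1.2.0/24", "10.1.2.1"),
    ("10.1.2.128/25", "10.1.2.129"),
    ("192.168.0.0/16", "10.0.0.2"),
]


def match_routes(rib: List[Route], network: str, prefix_match_type: str = "EXACT") -> List[Route]:
    """Filter a RIB the way the prefixMatchType parameter does.

    LONGER_PREFIXES: the input network plus every more-specific route inside it.
    SHORTER_PREFIXES: the input network plus every less-specific route covering it.
    LONGEST_PREFIX_MATCH: only the most specific covering route(s), i.e. what forwarding would use.
    """
    target = ipaddress.ip_network(network, strict=False)
    parsed = [(ipaddress.ip_network(net), (net, nh)) for net, nh in rib]
    # subnet_of() raises on mixed address families, so keep only the target's family
    same_family = [(n, r) for n, r in parsed if n.version == target.version]
    if prefix_match_type == "EXACT":
        return [r for n, r in same_family if n == target]
    if prefix_match_type == "LONGER_PREFIXES":
        return [r for n, r in same_family if n.subnet_of(target)]
    if prefix_match_type == "SHORTER_PREFIXES":
        return [r for n, r in same_family if target.subnet_of(n)]
    if prefix_match_type == "LONGEST_PREFIX_MATCH":
        covering = [(n, r) for n, r in same_family if target.subnet_of(n)]
        if not covering:
            return []
        best = max(n.prefixlen for n, _ in covering)
        return [r for n, r in covering if n.prefixlen == best]
    raise ValueError(f"unknown prefixMatchType {prefix_match_type!r}")


if __name__ == "__main__":
    for kind in ("EXACT", "LONGER_PREFIXES", "SHORTER_PREFIXES"):
        print(kind, [r[0] for r in match_routes(SAMPLE_RIB, "10.1.2.0/24", kind)])
    print("LONGEST_PREFIX_MATCH for 10.1.2.200/32:",
          match_routes(SAMPLE_RIB, "10.1.2.200/32", "LONGEST_PREFIX_MATCH"))
```

`SHORTER_PREFIXES` is the one to reach for when asking "which route would carry this address if the specific one disappeared", since it returns the whole chain of covering routes down to the default.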
Pre-change validation:
We continue to support pre-change validation via appended configuration changes. If there are changes you'd like to validate but the incremental commands are not recognized in Batfish, please let us know by filing an issue or joining Batfish Slack!
- Cisco IOS-XR: support appended changes to ipv4 access-lists (#7798)
- Cisco NX-OS: support appended changes to interfaces, routes, and bgp (various).
Other noteworthy enhancements include:
- General: The data plane and reachability engines have been updated for improved memory usage and scalability.
- General: ensure 32-bit ASNs are allowed in all configuration contexts (#8011, thanks @BouchardClaude!)
- JunOS: rewritten Lexer that speeds up reading files by up to 20x
- JunOS: improved ACL modeling including more "from" clauses (address, icmp-type-except, icmp-code-except, etc)
- Arista EOS: Fix OSPF network statement processing (#7943, thanks @jeffkala!)
- Arista EOS: Do not treat vxlan multicast-groups as VTEPs (#8085, thanks @rmcmilli!)
- Cisco IOS-XR: support IPv4 and IPv6 access-lists with the same name (#7827)
- Cisco NX-OS: improved tracking of trunk allowed vlans based on configured vlans (#7936,#7953)
- JunOS: fix a bug using mixed IPv4-IPv6 prefix-lists (#8060, thanks @rugvedapande!)
- JunOS: add support for new built-in applications (#8007, thanks @boost on Batfish Slack!)
- JunOS: handle then permit application-services (#8127, thanks @Justin H on Batfish Slack!)
- Cisco IOS: Support for portgroup in extended ACLs (#7684, thanks @urskog84!)
- SearchRoutePolicies: do not crash when analyzing Juniper AS-path regexes (#7984, thanks @djabar!)
- Cisco ASA: improve dependence tracking for named interfaces (#7810, thanks Dustin Rosarius on Batfish Slack!)
- Cisco ASA: handle next-hop interface routes (#8138, thanks @jhammond-git!)
- Cisco IOS: fix parsing dotted ASNs (#8079, thanks @adosztal!)
- Cisco IOS: Fix missing extraction case for pfs group20 (#7994, thanks @empusas!)
- Cisco IOS: implement route-map set as-path replace (#8081, thanks @kefins!)
- Arista EOS: extract 25gfull (#8106, thanks @adosztal!)
- Cisco IOS: do not model nve1 as an interface (#8107, thanks @adosztal!)
Updates and Deprecations
⚠️ Pybatfish no longer supports Python 3.6.
⚠️ As we continue to work on Layer-1 topology, Batfish will be increasingly strict about enforcing correct input. For example, Layer-1 edges should only be between physical interfaces; future versions of Batfish will ignore (rather than honor) Layer-1 edges where one endpoint is, say, an FRR `bond` interface or an Arista `port-channel`. See the new `bf.q.userProvidedLayer1Topology` question described above.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2021-12-13
This release is a pure hotfix release for CVE-2021-44228. It is exactly the same as v2021.11.04 but it includes an upgrade to the new version of log4j.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2021-11-04
Release notes 🎃
This release brings major new features including initial support for Check Point Firewalls, a new ability to trace route-map processing of routes, updated ISP modeling, and hundreds more changes. We also upgrade to more secure versions of some dependencies with known issues.
We'd also like to welcome a new contributor, @lukaskoenen, who has submitted their first two features for FRR!
New features and noteworthy improvements
We are delighted to announce initial support for Check Point Firewalls! Batfish merges configuration from gateways with configuration from the management server. Most basic features are supported, including L3 physical and trunk interfaces with static routes, the access rulebase and NAT rulebase, and management servers with multiple domains and packages. Please try it out and let us know how it goes, here or on Slack!
We have added tracing to the `bf.q.testRoutePolicies` and `bf.q.searchRoutePolicies` questions, enabling users to understand which statements in the route-maps actually match the given route advertisement. See the linked question documentation for more info, as well as the Analyzing BGP Route Policies example. Tracing support is provided for Arista EOS, Cisco IOS, Cisco NX-OS, JunOS, and FRR.
Batfish's ISP modeling functionality has been extended to support Backbone Networks (which do not connect to the Internet) and to support (multihop) BGP Peers that are not directly configured on the ISP-facing interface.
Batfish now takes Layer-1 information into account when performing failure analysis, and Layer-1 modeling (when users provide `layer1_topology.json`) is now faster, more accurate, and better documented. For example, if an Ethernet interface is down and that interface has a Layer-1 edge, then its paired physical interface will also be taken down.
We built a tool that annotates configuration files to reveal how Batfish treats each line in your device configuration files.
Other improvements include:
- `bf.q.bgpRib` and `bf.q.evpnRib` can now return `BACKUP` routes instead of or in addition to the `BEST` (including multipath-best) routes that they currently return.
- Batfish now has more responsive deletion of data when networks or snapshots are deleted (#5281 (comment))
- BGP external announcements can now be used in policies that depend on knowing the peer's identity (#7230, thanks @raveranj)!
- BGP route reflector should reflect RIB-failure routes (#7398, thanks @kefins!)
- CompareFilters: use differentialBDDSourceManager (#7014, thanks @racsoce!)
- Layer-1 edges can be used to disambiguate devices reusing VRRP in different parts of the network (#7423)
- Many upgrades to performance, especially in BGP
- Security upgrades to dependencies (#6940, #7046, #7183, #7522, #7523, #7569)
Noteworthy vendor-specific enhancements include:
- Arista: implement interface ip nat source static (#7050, thanks @rmcmilli!)
- Arista: support for more new syntax (versions 4.23, 4.24, 4.25)
- FRR: OSPF unnumbered support (#7038, thanks @raveranj!)
- FRR: support route map set as-path exclude (#7251) - Contributed by @lukaskoenen!
- FRR: add regex to as path access lists (#7250) - Contributed by @lukaskoenen!
- IOS: only generating BGP aggregates when there is a BGP contributor (#7075, thanks @brotobia!)
- IOS-XR: we have continued the rewrite we began in the last release. IOS-XR now has many new features including VRF leaking, comprehensive support for route-policy, and more.
- JunOS: fix a crash when using named ribs (#7043, thanks @xiaozheshao!)
- JunOS: handle ## SECRET-DATA after semicolon (#7226, thanks @DDinVA!)
- JunOS: implement more `then next-hop` variants (#7149, thanks @raveranj!)
- PAN: static route discard support
Updates and Deprecations
- Our examples and documentation have been updated to use Pybatfish `Session`s.
⚠️ This will be the last release of Pybatfish that supports Python 3.6, which is End-Of-Life this year.
⚠️ As we continue to work on Layer-1 topology, Batfish will be increasingly strict about enforcing correct input. For example, Layer-1 edges should only be between physical interfaces; future versions of Batfish will ignore (rather than honor) Layer-1 edges where one endpoint is, say, an FRR `bond` interface or an Arista `port-channel`.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2021-04-12
Release notes
This release brings a huge number of new features including support for Fortigate devices and IOS cross-VRF leaking, major performance improvements to parsers, and hundreds more changes. We also upgrade to more secure versions of some dependencies with known issues.
New features and noteworthy improvements
We are excited to announce basic support for Fortigate firewalls. We thank the community for sharing anonymized configurations to get us started. In this release, we focused on getting L3 interfaces up and running, with simple firewall policy and basic static or BGP routing. This FortiOS support includes support for validating changes to firewall policy out of the box -- just append your candidate change to the end of the file. Please try it out and let us know how it goes, here or on Slack!
We have also added support for cross-VRF leaking in Cisco IOS, via route-target extended communities. This new feature enables further modeling and validation of sophisticated network isolation policies.
We have also made major improvements to the accuracy and performance of the Arista and IOS-XR parsers. Parsing files is up to 30x faster for large configurations, and the Batfish grammar more precisely models the real devices.
We are continuing to expand our support for incremental changes. In addition to the existing Juniper support (`insert`, `deactivate`, `reactivate`, `delete`), Palo Alto (`move` and `delete`), and the new Fortigate support (including `rename`, `delete`, `clone`), we are continuing to flesh out incremental changes on all platforms, including in this release Arista, FRR, and IOS. If you have change syntax that is not being properly modeled, please file an issue!
In addition to the huge amount of work in the above, other improvements include:
- Security upgrades to dependencies (#6547, #6666, #6668)
- Added `bfq.bgpRib` and `bfq.evpnRib`: new questions equivalent to running `bfq.routes(rib='bgp')` but with better documentation on pybatfish.readthedocs.io (#6795)
- `bfq.testRoutePolicies`, `bfq.searchRoutePolicies` can now model changes to BGP origin type (#6855)
- We updated `bfq.ospfSessionCompatibility` to add support for sessions established e.g., over tunnels (#6561)
- `bfq.fileParseStatus` now includes the detected vendor and OS of each file, making it easier to diagnose mis-identification (typically, for small Cisco files missing Software Version information) (#6659)
- `bfq.searchRoutePolicies` now supports more operations on community sets and thus more vendors (#6750, #6751, #6784, #6812)
- Better warning when there are problems in the user-supplied Layer 1 topology (#6611)
- We have begun a rewrite of IOS-XR that is faster and more accurate (#6837, #6875, #6884, #6886, #6887 and a whole lot more). We've seen improved extraction for vlans, interface IP addresses, static routes, and more.
- OSPF: better support for OSPF Inter-Area Summary on FRR, IOS, JunOS, and NX-OS (#6665, #6667, #6717, #6724, #6805). Thanks, @brotobia @kylehoferamzn and @racsoce
- Support setting BGP properties on generated routes during activation (#6728), thanks @kmjmartin!
Noteworthy vendor-specific enhancements include:
- FRR: Added max-metric router-lsa administrative support (#6577), thanks @kylehoferamzn!
- FRR: Added support for adding interfaces to OSPF process via the `network area` command, thanks @kylehoferamzn!
- FRR: Added more route-map match and set commands (#6617, #6618, #6656, #6657), thanks @kylehoferamzn!
- FRR: new BGP parsing for IPv6 and EVPN neighbors: (#6587, #6604, #6654), thanks @jawyoonis!
- IOS: Advanced support for NAT (#6527, #6567, #6568, #6570, #6573, #6653, and a lot more)
- IOS: Support for vrf leaking (#6554, #6556, #6571, #6673, #6688, #6694, and a lot more)
- JunOS: improved parsing for no-prepend-global-as (#6711), thanks Grisha Levitin on Slack!
- JunOS: very basic support for 'from condition' (#6658, #6749)
- JunOS: implement recursive static routes and resolution policy (#6799)
- JunOS: support for then local-preference (add|subtract) (#6638), thanks @bcavns01!
- NX-OS: support for `system vlan reserve`, thanks MiniMe on Slack!
- PAN: better modeling of application-override rules (#6651, #6626)
- PAN: improved BGP support (#6558, #6563, #6578, #6601)
- PAN: extract system domain name (#6678), thanks @kmjmartin!
- PAN: loopback interfaces can have units and produce only local routes (#6622, #6677)
Bug fixes
- Batfish will now crash, rather than running forever, in certain networks where OSPF computation loops (#6823). If you encounter this, please share reports!
- Static Routes: fix a case where a static route would incorrectly resolve its own next hop (#6824)
- JunOS: allow `/` in names without quotes (#6825), thanks @racsoce!
- BGP: ensure local-pref clips when adding or subtracting (#6639), thanks @brotobia!
- BGP: ensure all existing routes are exchanged when new BGP sessions come up (#6606)
- EIGRP: improve metric computation on NX-OS, which uses higher precision (#6532)
- FRR: Guard against BGP interface neighbor on an undefined interface (#6588)
- IOS: fix interpretation of standard access-list when matching routes (#6534). Thanks @Tachashi and @sriatom!
- IOS: improve parser recovery after an unrecognized line in router ospf (#6862). Thanks, anonymous Slack user!
- IPsec: Ignore misconfigured peers instead of crashing when computing topology (#6581)
- JunOS: fix reference tracking for as-path-group as-path (#6649), thanks @bcavns01!
- JunOS: fix very high values for local preference, from-color, then-tag, from-tag, then-color (#6644, #6645), thanks @brotobia!
Breaking changes
For users:
- Cumulus: we now consider parsing NCLU files deprecated and encourage everyone to use the concatenated FRR format (#6630). NCLU simply does not model enough of the configuration on these devices to replace full show command output.
- The updated `bfq.ospfSessionCompatibility` (#6561) now requires the Batfish data plane to be computed before it can be run.
For developers:
- We have deleted the legacy `bash` adaptors for developers. Instead, we suggest developers use IntelliJ to both compile and run development versions of Batfish (#6591)
- We have also removed the unmaintained, unsupported research code from the Minesweeper project. The last working version of this code has been tagged `2021-03-16-minesweeper`. (#6741)
We thank @bcavns01, @bellresearch, @brotobia, @jawyoonis, @kmjmartin, @kylehoferamzn, @racsoce, @sriatom, @Tachashi, and our Slack user base! This release also brings the first external code contributions from Dell via @jawyoonis. Welcome!
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2020-12-23
Release notes
This release brings new features, improved performance and lower resource consumption across the board, and as always a variety of miscellaneous vendor-specific improvements.
New features and noteworthy improvements
We have revamped EIGRP support across Cisco IOS, IOS-XE, and NX-OS platforms. We would love for users to try out their networks that use EIGRP and send us any problems they find!
While this functionality has always been partially supported, we have begun focusing on correctly implementing incremental changes appended to the end of configuration files. In this release, we added new support for Palo Alto Networks `delete` and `move rule base security` commands, to go along with existing support for Juniper `deactivate`, `delete`, and `replace`. Various incremental commands are also well-supported in Cisco, Arista, and Cumulus, especially as they relate to BGP and interface configuration. Please give it a whirl and let us know how it goes.
In addition to the huge amount of work in the above, other improvements include:
- `bgpPeerConfiguration` now includes the Peer's BGP description. (#6403)
- `testFilters` and `searchFilters` now provide more human-friendly flows by default. (#6362)
- Batfish now cleans up some temporary directories created during snapshot initialization. (#6358)
- Batfish now has much better performance in networks that supply L1 topology.
- Batfish now honors minimum packet sizes for common IP protocols including TCP, UDP, and ICMP. (#6420, #6422)
- BGP redistribution: correctly set MED to IGP metric (#6425)
- PAN: support the `rule-type` clause in security rules (#6291).
- PAN: improved support for BGP configuration (#6370, among others. Thanks @skeiffer!)
- Arista: improve route-map parsing on older EOS (#6384, thanks @dannypetrov!)
- Arista: improve scalability for route-maps with thousands of terms (#6433, #6465, #6469, thanks @dannypetrov!)
- Arista and IOS/IOS-XE: implement the `set tag` route-map command (#6466)
- ASA: extract snmp source-interface and trap servers (#6456, thanks @cwaszkiewicz!)
- Cumulus/FRR: support route maps for BGP network statements (#6316, thanks @kylehoferamzn!)
- FRR: update route-map semantics when matching on a property set earlier in execution (#6412, thanks @kylehoferamzn and @raveranj!)
- IOS: bgp route-maps that are undefined deny all (#6523)
- IOS: Improved reference tracking for interface names in more places (#6345, thanks @AlexLardschneider!)
- IOS: Improved reference tracking for track commands (#6378, thanks @AlexLardschneider!)
- IOS: Improved reference tracking for service policies (#6484, thanks @AlexLardschneider!)
- IOS-XE: support for vasileft/vasiright interfaces (#6375)
- IOS/IOS-XE: improve OSPF->BGP redistribution including matching on route types (#6392)
- IOS/IOS-XR: improved policy map parsing and reference tracking (#6432, #6341 thanks @AlexLardschneider!)
- Juniper GroupWildcard: treat carat like ! in a character class (#6342, thanks @craized!)
- Juniper: Support for "all" interface in OSPF area config (#6372, thanks @kylehoferamzn!)
- Juniper: Support `vtnet` interfaces (#6476)
- NX-OS: support route-map `set weight` (#6386)
Bug fixes
- BGP: fix an issue where IBGP routes could be redistributed one extra hop (#6501, thanks @kylehoferamzn!)
- FRR: fix NPE in routemaps for non-bgp routes (#6453, thanks @raveranj!)
- CumulusNclu: be robust to bad name for an interface neighbor (#6471, thanks anonymous open source user!)
- IOS-XR: fix a crash in ExtcommunitySetRt (#6319, thanks @sflowers0!)
- Juniper interfaces: inherit more OSPF settings from parents (#6374, thanks @kylehoveramzn!)
- Juniper: fix a tricky crash in `apply-groups` (#6487, thanks @sflowers0!)
- Juniper: support apply-groups in more configuration locations (#6519, thanks @Digvijay Singh on Slack!)
- Batfish properly uses the GRE IP protocol when checking that tunnels can be established. (#6521)
- Fix a crash when using partially-configured HSRP groups (#6349, thanks @Flavio Junior on Slack!)
- Batfish: fix an issue where an L3 Vlan interface would incorrectly stay up when all ethernet interfaces providing it were shut down (#6368)
Breaking changes
None known.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2020-10-08
Release notes
This release brings security improvements, new analysis capabilities, major performance optimizations, and as always a variety of miscellaneous vendor-specific improvements.
Security
This release has important security fixes, and everyone is recommended to upgrade.
- We have fixed a potential vulnerability when ingesting (maliciously constructed) AWS data (#6094).
- We have changed the defaults in Java so that only the coordinator listens for incoming connections. This change only affects developers: when running the
batfish/batfish
orbatfish/allinone
Docker containers as recommend the other services were not exposed.
We are phasing out the old and unmaintained security-related APIs from Batfish. Users are advised to provide their own security layer, to run the service in local-only mode, or to upgrade to Batfish Enterprise. In this release, we have removed the overly-permissive Cross-Origin-Resource-Sharing (CORS) headers from the service (#6172). Note that pybatfish is unaffected.
Performance optimizations
In this release, we focused on a number of improvements to the dataplane and traceroute engines. They both use less CPU and RAM during computation.
- The traceroute engine is now able to handle much higher degrees of ECMP, while using a fraction of the memory (#6175)
- BGP neighbor computation is significantly faster for large networks (#6093).
- BGP route propagation has also been improved to handle larger networks (#6251, #6226, #6123, ...).
We've also made some general memory efficiency improvements across the stack (#6249, #6253, #6245).
New features and noteworthy improvements
- The new `bfq.searchRoutePolicies` question (#6224, #6180, #6168, ...) allows users to search for BGP route advertisements that would be permitted or denied by a given routing policy. This allows for exhaustive validation of routing policies and will find concrete violations of policy intent. We encourage you to try this feature out yourself! Follow this example notebook for a walkthrough on how to use `searchRoutePolicies`.
- FRR support, all thanks to @kylehoferamzn
- Better filter tracing of security rules in Palo-alto firewalls. More detailed results are displayed in `testFilters` for Palo-alto devices (#6213, #6208, #6141)
- NX-OS: support route-map match as-number (#6231, #6232)
- OSPF: improvements to inter-area route propagation (#6156)
- BGP: better reflect semantics, do not merge routes with unreachable next hops (#6274)
- Arista, NX-OS: improved parsing for SNMP constructs (#6227, #6220, #6219, #6205, #6204)
- Arista: support for route-map `set distance` (#6126)
- Arista: more complete support for logging servers (#6090)
Bug fixes
- FRR: fix a bug in BGP best-path selection (#6057), add support for the interface shutdown command (#6169) Thanks, @kylehoferamzn!
- Cisco IOS: parsing improvements for EIGRP (#6276, #6275, #6271, #6269) Thanks, @AlexLardschneider!
- Cisco IOS: fix redistribution of non-classful networks (#6192) Thanks, @brotobia!
- Cisco IOS: fix some interface names during parsing (#6199, #6198, #6104)
- Arista, Cisco: Fix handling of large (32-bit) local-preference values (#6089) Thanks, @brotobia!
- Arista: Fix a crash when using source nat on an interface with no IP address (#6107) and with nat pools where the broadcast IP is the only pool address (#6108) Thanks, @dannypetrov!
- AWS: handle route table entries pointing at NAT gateways (#6263)
- Juniper: process sub-interface Vlan config (#6184) Thanks, Sharon Saadon on Slack!
- Batfish: Better error message when a snapshot has no files (#6139)
Breaking changes
During our optimization work we removed an experimental feature called Prefix Tracer. It was not widely used but contributed a lot of overhead. Developers can re-enable this feature by changing the `PrefixSet` to be traced in `PrefixTracer.java`.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.
Batfish 2020-08-11
Release notes
This release brings important security improvements. Everyone is recommended to update!
- (#5740, #5718, #5792) When using the file-based storage system (the default, for Open Source Batfish), authorized users could provide arbitrary data used to generate file paths to read or write files as the Batfish process. We have completely rewritten the storage to ensure that no paths read or written contain user-provided strings.
- Several of our Java dependencies had known security issues. We have upgraded the affected dependencies (#5736, #5742, #5918). To ensure we upgrade promptly in the future, we have added nightly scans with the OWASP dependency-check scanner (#5738).
- (#6022) We have hardened the service against a potential regular-expression-based denial of service (ReDoS) by switching to the re2j regular expression library.
We continue to recommend running Batfish in a containerized environment with custom access controls, or upgrading to Batfish Enterprise.
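The storage rewrite described above removed user-provided strings from every path the service reads or writes. As an added illustration that is not Batfish's own storage code, the following shows the vulnerable join beside one hardened form that builds paths only from fixed literals and opaque ids; the storage root, the hashing scheme and the confinement check are assumptions of this example, not Batfish's implementation.

```python
"""Added example, not Batfish's own storage code: one way to build storage
paths that never contain user-provided strings, the class of issue fixed
by #5740, #5718 and #5792.  STORAGE_ROOT and the id derivation are
constructed assumptions for this illustration."""
import hashlib
import os
from pathlib import Path

STORAGE_ROOT = Path("/var/batfish/storage")  # constructed example root


def unsafe_snapshot_dir(network: str, snapshot: str) -> Path:
    """The vulnerable pattern: user-chosen names become path components,
    so '../..' or an absolute name escapes STORAGE_ROOT."""
    return STORAGE_ROOT / network / snapshot


def opaque_id(user_name: str) -> str:
    """Map a user-provided name to a fixed-alphabet identifier.  Only hex
    digits ever reach the filesystem, so separators, '..' or NUL bytes in
    the name cannot influence the path."""
    return hashlib.sha256(user_name.encode("utf-8")).hexdigest()[:32]


def safe_snapshot_dir(network: str, snapshot: str) -> Path:
    """The hardened pattern: every component is either a fixed literal or
    an opaque id derived from the user string, never the string itself."""
    return (STORAGE_ROOT / "networks" / opaque_id(network)
            / "snapshots" / opaque_id(snapshot))


def is_confined(path: Path, root: Path = STORAGE_ROOT) -> bool:
    """Defence in depth: after lexical normalisation the path must still
    lie under root.  Lexical only (no symlink resolution), so it works
    before the directories exist; resolve() belongs at open time."""
    norm = Path(os.path.normpath(str(path)))
    return norm == root or root in norm.parents


if __name__ == "__main__":
    for name in ("prod", "../../../etc", "/etc/passwd"):
        print(f"{name!r:16} unsafe={is_confined(unsafe_snapshot_dir('net', name))}"
              f" safe={is_confined(safe_snapshot_dir('net', name))}")
```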
Noteworthy new features and improvements in this release include:
- This release brings dozens of improvements to Amazon Web Services (AWS) modeling. We focused on improved support for Transit Gateways, VPC Peering, and many more features, with a special focus on asymmetric and cross-account connectivity. Try out the Batfish Enterprise trial for your AWS account today at https://www.intentionet.com/trial!
- Our collaborators at Amazon have contributed several features to this release (thanks, @kylehoferamzn and @raveranj!), including:
  - (#5698, #5839) FRR support for configuring attributes of static routes.
  - (#5857) BGP Routes now provides information about ClusterList and OriginatorId.
  - (#5800) FRR: Add support for "force"/"all" with next-hop-self.
  - (#5856) FRR: BGP Cluster-Id Support (#5856, thanks @kylehoferamzn!)
  - (#6033) FRR: Support for setting weight in a route-map.
- We have added support for directly building an entire Palo Alto Networks (PAN) deployment from the configuration dump from Panorama. To try it out, use the utilities from the pan-python library:
  - Download the entire Panorama config backup as XML: `panxapi.py -t <panorama_name> -sxr > active_config.xml`. Here, `panorama_name` comes from a device defined in `.panrc`.
  - Convert the XML file to a "set line" file: `panconf.py --config active_config.xml --set > active_config.set`
  Then you can upload `active_config.set` to Batfish and it will generate all the devices. This functionality is brand new and may still have some kinks to work out. If you do try it out, let us know (@sfraint) on Slack or GitHub!
  We have also improved NAT support for destination port translation (#5989).
- (#5827, #5828) Parts of the code that choose arbitrary flows (e.g., traceroute and reachability) will now choose more human-friendly flows. For example, a well-known application like DNS will be preferred over an arbitrary UDP port when finding flows that match certain criteria. Batfish will also prefer common TCP flag combinations such as SYN or SYN+ACK over others.
- We have continued improving the Arista-focused parser with better reference tracking, a more complete and precise grammar, and other new additions. These include:
  - (#5940) Added support for BGP peer-filters.
  - (#6058) Fix handling of `router bgp` stanzas with dotted AS numbers. Thanks, @dannypetrov!
Bug fixes:
- (#5723, #5726) F5: Fix structure tracking and BGP inheritance. Thanks, @brucedewald!
- (#5747) Traceroute now correctly includes a denied-in step when dropping a packet due to policy-based routing.
- (#5810) IOS: track ACL references in snmp-server group v3.
- (#5830) IOS: implement bgp confederations. Thanks @oneryalcin!
- (#5833) IOS: added parsing for multiple VTY lines. Thanks @rickdonato!
- (#5851) IOS: fix a crash in malformed ISAKMP profiles. Thanks @rickdonato!
- (#5837) IOS: correct support for interface encapsulation vlan. Thanks @rickdonato!
- (#5843) Dataplane: Fix a next-hop IP computation in uncommon cases for BGP dynamic (passive) sessions.
- (#5860) Juniper: improve ethernet switching parsing. Thanks @rickdonato!
- (#5956) Juniper: add support for more characters in GroupWildcard. Thanks @SivaKesava1!
- (#5887) ASA: support service-object ip. Thanks @rickdonato!
- (#6006) IOS-XR: fix a crash when using ACL udf statements. Thanks @SivaKesava1!
- (#6008) IOS-XR: fix a crash when using `as-path-set passes-through`. Thanks @SivaKesava1!
- (#6016) IOS-XR: update interface names. Thanks, @dgarros for contributing!
- (#6019) IOS-XR: added support for bundle interfaces. Thanks @dgarros!
- (#6051) JunOS: fix a crash when an interface is referenced but not defined. Thanks, Mohammed Reehan on Slack!
- (#6043) ASA: track ACLs used in crypto map matching address (#6043, thanks @dannypetrov!)
Breaking changes:
- During our security work, we deleted a number of deprecated APIs. Anyone using the latest pybatfish release should have no issues.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone` then follow the standard instructions to get started.