Batfish 2021-04-12

@dhalperi released this 12 Apr 23:46
6668c2e

Release notes

This release brings a huge number of new features including support for Fortigate devices and IOS cross-VRF leaking, major performance improvements to parsers, and hundreds more changes. We also upgrade to more secure versions of some dependencies with known issues.

New features and noteworthy improvements

We are excited to announce basic support for Fortigate firewalls. We thank the community for sharing anonymized configurations to get us started. In this release, we focused on getting L3 interfaces up and running, with simple firewall policy and basic static or BGP routing. This FortiOS support can validate changes to firewall policy out of the box -- just append your candidate change to the end of the file. Please try it out and let us know how it goes, here or on Slack!

We have also added support for cross-VRF leaking in Cisco IOS, via route-target extended communities. This new feature enables further modeling and validation of sophisticated network isolation policies.

We have also made major improvements to the accuracy and performance of the Arista and IOS-XR parsers. Parsing files is up to 30x faster for large configurations, and the Batfish grammar more precisely models the real devices.

We are continuing to expand our support for incremental changes. Batfish already models them for Juniper (insert, deactivate, reactivate, delete) and Palo Alto (move and delete), and the new Fortigate support includes rename, delete, and clone. We are continuing to flesh out incremental changes on all platforms, including Arista, FRR, and IOS in this release. If you have change syntax that is not being properly modeled, please file an issue!

In addition to the huge amount of work in the above, other improvements include:

  • Security upgrades to dependencies (#6547, #6666, #6668)
  • Added bfq.bgpRib and bfq.evpnRib: new questions equivalent to running bfq.routes(rib='bgp') but with better documentation on pybatfish.readthedocs.io (#6795)
  • bfq.testRoutePolicies, bfq.searchRoutePolicies can now model changes to BGP origin type (#6855)
  • We updated bfq.ospfSessionCompatibility to add support for sessions established e.g., over tunnels (#6561)
  • bfq.fileParseStatus now includes the detected vendor and OS of each file, making it easier to diagnose mis-identification (typically, for small Cisco files missing Software Version information) (#6659)
  • bfq.searchRoutePolicies now supports more operations on community sets and thus more vendors (#6750, #6751, #6784, #6812)
  • Better warning when there are problems in the user-supplied Layer 1 topology (#6611)
  • We have begun a rewrite of IOS-XR that is faster and more accurate (#6837, #6875, #6884, #6886, #6887 and a whole lot more). We've seen improved extraction for vlans, interface IP addresses, static routes, and more.
  • OSPF: better support for OSPF Inter-Area Summary on FRR, IOS, JunOS, and NX-OS (#6665, #6667, #6717, #6724, #6805). Thanks, @brotobia @kylehoferamzn and @racsoce
  • Support setting BGP properties on generated routes during activation (#6728), thanks @kmjmartin!

Noteworthy vendor-specific enhancements include:

  • FRR: Added max-metric router-lsa administrative support (#6577), thanks @kylehoferamzn!
  • FRR: Added support for adding interfaces to OSPF process via the network area command, thanks @kylehoferamzn!
  • FRR: Added more route-map match and set commands (#6617, #6618, #6656, #6657), thanks @kylehoferamzn!
  • FRR: new BGP parsing for IPv6 and EVPN neighbors: (#6587, #6604, #6654), thanks @jawyoonis!
  • IOS: Advanced support for NAT (#6527, #6567, #6568, #6570, #6573, #6653, and a lot more)
  • IOS: Support for vrf leaking (#6554, #6556, #6571, #6673, #6688, #6694, and a lot more)
  • JunOS: improved parsing for no-prepend-global-as (#6711), thanks Grisha Levitin on Slack!
  • JunOS: very basic support for 'from condition' (#6658, #6749)
  • JunOS: implement recursive static routes and resolution policy (#6799)
  • JunOS: support for then local-preference (add|subtract) (#6638), thanks @bcavns01!
  • NX-OS: support for system vlan reserve, thanks MiniMe on Slack!
  • PAN: better modeling of application-override rules (#6651, #6626)
  • PAN: improved BGP support (#6558, #6563, #6578, #6601)
  • PAN: extract system domain name (#6678), thanks @kmjmartin!
  • PAN: loopback interfaces can have units and produce only local routes (#6622, #6677)

Bug fixes

  • Batfish will now crash, rather than running forever, in certain networks where OSPF computation loops (#6823). If you encounter this, please share reports!
  • Static Routes: fix a case where a static route would incorrectly resolve its own next hop (#6824)
  • JunOS: allow / in names without quotes (#6825), thanks @racsoce!
  • BGP: ensure local-pref clips when adding or subtracting (#6639), thanks @brotobia!
  • BGP: ensure all existing routes are exchanged when new BGP sessions come up (#6606)
  • EIGRP: improve metric computation on NX-OS, which uses higher precision (#6532)
  • FRR: Guard against BGP interface neighbor on an undefined interface (#6588)
  • IOS: fix interpretation of standard access-list when matching routes (#6534). Thanks @Tachashi and @sriatom!
  • IOS: improve parser recovery after unrecognized line in router ospf (#6862). Thanks, anonymous Slack user!
  • IPsec: Ignore misconfigured peers instead of crashing when computing topology (#6581)
  • JunOS: fix reference tracking for as-path-group as-path (#6649), thanks @bcavns01!
  • JunOS: fix very high values for local preference, from-color, then-tag, from-tag, then-color (#6644, #6645), thanks @brotobia!

Breaking changes

For users:

  • Cumulus: we now consider parsing NCLU files deprecated and encourage everyone to use the concatenated FRR format (#6630). NCLU simply does not model enough of the configuration on these devices to replace full show command output.
  • The updated bfq.ospfSessionCompatibility (#6561) now requires the Batfish data plane to be computed before it can be run.

For developers:

  • We have deleted the legacy bash adaptors for developers. Instead, we suggest developers use IntelliJ to both compile and run development versions of Batfish (#6591)
  • We have also removed the unmaintained, unsupported research code from the Minesweeper project. The last working version of this code has been tagged 2021-03-16-minesweeper. (#6741)

We thank @bcavns01, @bellresearch, @brotobia, @jawyoonis, @kmjmartin, @kylehoferamzn, @racsoce, @sriatom, @Tachashi, and our Slack user base! This release also brings the first external code contributions from Dell via @jawyoonis. Welcome!

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.