Skip to main content

Source-traceable structured IR for Huawei VRP configurations (parse-time SourceRef).

Project description

vrp-ir

Tests Release License: Apache-2.0 Python 3.9+

Source-traceable structured IR for Huawei VRP configurations.

vrp-ir parses an offline Huawei VRP configuration file (display current-configuration output / saved .cfg) into a structured, typed model where every parsed value carries a SourceRef back to the exact file + line it came from.

Huawei VRP .cfg  ──►  structured IR  ──►  every field knows its source line

Status: v0.6 / alpha. Routing/switching (VLAN, VRF RD/RT, interfaces, ACL, static routes) and USG firewall (firewall zone, security-policy, nat-policy, nat server, ip address-set / ip service-set objects, hrp, and the management planeuser-interface con/vty, ssh server cipher, aaa local-users, telnet/http switches) parsed with full source provenance, plus a security acceptance audit (vrp-ir audit, 13 checks) whose findings cite the exact config line. Roadmap below.

💼 Commercialvrp-ir is the open core of AegisTwin, a Huawei security-integration acceptance workbench. Need customer-grade acceptance reports, a readiness review, or multi-vendor coverage? See Commercial / support.

Why this exists (the gap)

The network-automation ecosystem is rich, but a specific combination is missing:

  • Batfish is excellent, but its source explicitly marks Huawei VRP as UNSUPPORTED.
  • ntc-templates has ~35 Huawei display show-command templates, but no display current-configuration (config-file) parser.
  • ciscoconfparse2 is Cisco-centric and only exposes an integer .linenum per line — not field-level provenance.
  • No open-source tool exposes field → file:line provenance for parsed config facts.

vrp-ir fills exactly that gap: Huawei VRP config file → semantic model with per-field source traceability. This is what acceptance/audit work needs — when a value looks wrong, jump straight to the line, don't grep the raw config.

Install

pip install vrp-ir            # once published to PyPI
# or, from source:
pip install -e .

Quick start (CLI)

vrp-ir parse examples/sample-vrp.cfg     # routing / switching
vrp-ir parse examples/sample-usg.cfg     # USG firewall (zones / policy / nat-policy / objects / hrp)
{
  "hostname": { "value": "CORE-FW-01", "source": { "file": "...", "line": 2, "col": 8 } },
  "interfaces": [
    {
      "name": { "value": "GigabitEthernet0/0/1", "source": { "line": 9 } },
      "ipv4": [
        { "address": { "value": "10.10.10.1", "source": { "line": 11 } },
          "prefix_length": { "value": 24, "source": { "line": 11 } } }
      ]
    }
  ]
}

Quick start (Python)

from vrp_ir import parse_file

cfg = parse_file("examples/sample-vrp.cfg")
print(cfg.hostname.value)                       # CORE-FW-01
ip = cfg.interfaces[0].ipv4[0]
print(ip.address.value, ip.prefix_length.value) # 10.10.10.1 24
print(ip.address.source)                        # examples/sample-vrp.cfg:11  ← provenance

Security acceptance audit (v0.6)

Turn the source-traceable IR into a security acceptance report: each check is a small test case (intent), and every finding cites the exact config line it is based on — so a reviewer jumps straight to the offending line.

vrp-ir audit examples/sample-usg-risky.cfg            # Markdown acceptance report
vrp-ir audit examples/sample-usg.cfg --format json    # machine-readable JSON
vrp-ir audit examples/sample-usg-risky.cfg --strict   # exit 1 if any check fails (CI gate)
### ❌ `FW-DEFAULT-DENY` [CRITICAL] — Security-policy default action denies unmatched traffic
Default action is 'permit': all traffic matching no rule is allowed (permit-any).
**Evidence**:
- `examples/sample-usg-risky.cfg:14` — `default action permit`

Checks (13): policy default-deny (permit-any); permit-scope (rules not narrowed by zone/address, dereferencing address-set references so an object that resolves to 0.0.0.0/0 is still flagged); permit rules without session logging; one-interface-per-zone; address-set equal to any; HRP enabled; HRP enabled but heartbeat interface/peer incomplete; management plane — Telnet/HTTP enabled (cleartext), VTY accepting Telnet, VTY without an inbound source ACL, weak SSH ciphers (CBC/3DES/DES), and local AAA users granted the Telnet service. See a full rendered report at docs/acceptance-report-example.md.

Design principles

  • Zero runtime dependencies in the core — easy to embed.
  • Reuse, don't reinvent. vrp-ir is a thin VRP-config + provenance layer. It complements (does not replace) ntc-templates (show-command parsing), hier_config (VRP diff/remediation), napalm (live-device collection) and Batfish (multi-vendor analysis). Topology/analysis layers will integrate these rather than rebuild them.
  • Provenance first. If we can't say where a value came from, we don't surface it.

Roadmap

  • v0.1: hostname + interface basics with SourceRef. ✅
  • v0.2: VLANs (batch ranges), VRF (RD/RT), interface enhancements (link-type, trunk allow-pass ranges, Eth-Trunk, dot1q subinterfaces, secondary IPv4, VRF binding), ACLs, static routes. ✅
  • v0.3: Huawei USG firewall objects — firewall zone, security-policy (rule name with zones / addresses / services / profiles / action / logging), nat server, hrp (the global OSS gap; Batfish drops VRP entirely). ✅
  • v0.4: security acceptance audit — test-case schema (testCase ↔ intent ↔ evidenceRef) + a Markdown/JSON report generator; vrp-ir audit with seed firewall checks, each citing its source line. ✅
  • v0.5: nat-policy blocks, ip address-set / ip service-set objects, telnet/http management switches; audit at 9 checks — address-set dereference in permit-scope, address-set-equals-any, HRP consistency, cleartext management (Telnet / HTTP). ✅
  • v0.6 (now): management-plane access baseline (driven by real-world config corpus) — user-interface con/vty (protocol inbound / inbound ACL / auth mode), ssh server cipher, aaa local-users; audit grows to 13 checks (VTY-accepts-Telnet, VTY-no-ACL, weak-SSH-cipher, AAA-user-Telnet). ✅
  • v0.6.x (next): SNMP community, NTP / Syslog presence, NAT correctness, vsys; widen the test corpus.
  • Later: Huawei security-device coverage (USG / WAF / AntiDDoS / 4A).

Commercial / support

vrp-ir is free and open source (Apache-2.0). It is the open foundation of AegisTwin — a carrier/data-center security-integration acceptance workbench (HLD/LLD → traceable topology → acceptance advisor → evidence chain → sign-off report). If you need:

  • Huawei security-device acceptance (USG/WAF/AntiDDoS/4A),
  • HLD/LLD → traceable acceptance test cases,
  • customer-grade, auditable acceptance reports (incl. MLPS / carrier formats),

→ open an issue tagged commercial, or reach out about a paid workflow review / design-partner pilot.

Contributing

See CONTRIBUTING.md. Real (de-identified) VRP config snippets that we parse incorrectly make the best issues.

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vrp_ir-0.6.0.tar.gz (37.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vrp_ir-0.6.0-py3-none-any.whl (26.0 kB view details)

Uploaded Python 3

File details

Details for the file vrp_ir-0.6.0.tar.gz.

File metadata

  • Download URL: vrp_ir-0.6.0.tar.gz
  • Upload date:
  • Size: 37.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vrp_ir-0.6.0.tar.gz
Algorithm Hash digest
SHA256 f74a006440194badf3afa37375c5fca8f06bdf53a4ec88646976fc337b525967
MD5 e15b1026f8e7331e159350353009d6e4
BLAKE2b-256 a4fb92db2ff6538926c7750ec3f0f8b01507a8c91beee01fb1566bf038a002ca

See more details on using hashes here.

Provenance

The following attestation bundles were made for vrp_ir-0.6.0.tar.gz:

Publisher: publish.yml on zynovexllc/vrp-ir

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vrp_ir-0.6.0-py3-none-any.whl.

File metadata

  • Download URL: vrp_ir-0.6.0-py3-none-any.whl
  • Upload date:
  • Size: 26.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vrp_ir-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f7715ac8b5acd445d73c55e55260e322db2af7ebfe89659b12b6b55fae0cbd5c
MD5 3f50cf5092c1cd2e89fa15ba9c8040ec
BLAKE2b-256 9d7060e692a7e02b9543a496f0d576e34fb964b0b152e30e2ab2ab7118392b88

See more details on using hashes here.

Provenance

The following attestation bundles were made for vrp_ir-0.6.0-py3-none-any.whl:

Publisher: publish.yml on zynovexllc/vrp-ir

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page