Skip to main content

Source-traceable structured IR for Huawei VRP configurations (parse-time SourceRef).

Project description

vrp-ir

Tests PyPI Python License: Apache-2.0

Source-traceable structured IR for Huawei VRP configurations.

vrp-ir: parse a Huawei config with field-level provenance, then run a line-cited security audit

vrp-ir parses an offline Huawei VRP configuration file (display current-configuration output / saved .cfg) into a structured, typed model where every parsed value carries a SourceRef back to the exact file + line it came from.

Huawei VRP .cfg  ──►  structured IR  ──►  every field knows its source line

Status: v0.6 / alpha. Routing/switching (VLAN, VRF RD/RT, interfaces, ACL, static routes) and USG firewall (firewall zone, security-policy, nat-policy, nat server, ip address-set / ip service-set objects, hrp, and the management planeuser-interface con/vty, ssh server cipher, aaa local-users, telnet/http switches) parsed with full source provenance, plus a security acceptance audit (vrp-ir audit, 13 checks) whose findings cite the exact config line. Roadmap below.

💼 Commercialvrp-ir is the open core of AegisTwin, a Huawei security-integration acceptance workbench. Need customer-grade acceptance reports, a readiness review, or multi-vendor coverage? See Commercial / support.

Why this exists (the gap)

The network-automation ecosystem is rich, but a specific combination is missing:

  • Batfish is excellent, but its source explicitly marks Huawei VRP as UNSUPPORTED.
  • ntc-templates has ~35 Huawei display show-command templates, but no display current-configuration (config-file) parser.
  • ciscoconfparse2 is Cisco-centric and only exposes an integer .linenum per line — not field-level provenance.
  • No open-source tool exposes field → file:line provenance for parsed config facts.

vrp-ir fills exactly that gap: Huawei VRP config file → semantic model with per-field source traceability. This is what acceptance/audit work needs — when a value looks wrong, jump straight to the line, don't grep the raw config.

Install

pip install vrp-ir
# or, from source:
pip install -e .

Quick start (CLI)

vrp-ir parse examples/sample-vrp.cfg     # routing / switching
vrp-ir parse examples/sample-usg.cfg     # USG firewall (zones / policy / nat-policy / objects / hrp)
{
  "hostname": { "value": "CORE-FW-01", "source": { "file": "...", "line": 2, "col": 8 } },
  "interfaces": [
    {
      "name": { "value": "GigabitEthernet0/0/1", "source": { "line": 9 } },
      "ipv4": [
        { "address": { "value": "10.10.10.1", "source": { "line": 11 } },
          "prefix_length": { "value": 24, "source": { "line": 11 } } }
      ]
    }
  ]
}

Quick start (Python)

from vrp_ir import parse_file

cfg = parse_file("examples/sample-vrp.cfg")
print(cfg.hostname.value)                       # CORE-FW-01
ip = cfg.interfaces[0].ipv4[0]
print(ip.address.value, ip.prefix_length.value) # 10.10.10.1 24
print(ip.address.source)                        # examples/sample-vrp.cfg:11  ← provenance

Security acceptance audit (v0.6)

Turn the source-traceable IR into a security acceptance report: each check is a small test case (intent), and every finding cites the exact config line it is based on — so a reviewer jumps straight to the offending line.

vrp-ir audit examples/sample-usg-risky.cfg            # Markdown acceptance report
vrp-ir audit examples/sample-usg.cfg --format json    # machine-readable JSON
vrp-ir audit examples/sample-usg-risky.cfg --strict   # exit 1 if any check fails (CI gate)
### ❌ `FW-DEFAULT-DENY` [CRITICAL] — Security-policy default action denies unmatched traffic
Default action is 'permit': all traffic matching no rule is allowed (permit-any).
**Evidence**:
- `examples/sample-usg-risky.cfg:14` — `default action permit`

Checks (13): policy default-deny (permit-any); permit-scope (rules not narrowed by zone/address, dereferencing address-set references so an object that resolves to 0.0.0.0/0 is still flagged); permit rules without session logging; one-interface-per-zone; address-set equal to any; HRP enabled; HRP enabled but heartbeat interface/peer incomplete; management plane — Telnet/HTTP enabled (cleartext), VTY accepting Telnet, VTY without an inbound source ACL, weak SSH ciphers (CBC/3DES/DES), and local AAA users granted the Telnet service. See a full rendered report at docs/acceptance-report-example.md.

Design principles

  • Zero runtime dependencies in the core — easy to embed.
  • Reuse, don't reinvent. vrp-ir is a thin VRP-config + provenance layer. It complements (does not replace) ntc-templates (show-command parsing), hier_config (VRP diff/remediation), napalm (live-device collection) and Batfish (multi-vendor analysis). Topology/analysis layers will integrate these rather than rebuild them.
  • Provenance first. If we can't say where a value came from, we don't surface it.

Roadmap

  • v0.1: hostname + interface basics with SourceRef. ✅
  • v0.2: VLANs (batch ranges), VRF (RD/RT), interface enhancements (link-type, trunk allow-pass ranges, Eth-Trunk, dot1q subinterfaces, secondary IPv4, VRF binding), ACLs, static routes. ✅
  • v0.3: Huawei USG firewall objects — firewall zone, security-policy (rule name with zones / addresses / services / profiles / action / logging), nat server, hrp (the global OSS gap; Batfish drops VRP entirely). ✅
  • v0.4: security acceptance audit — test-case schema (testCase ↔ intent ↔ evidenceRef) + a Markdown/JSON report generator; vrp-ir audit with seed firewall checks, each citing its source line. ✅
  • v0.5: nat-policy blocks, ip address-set / ip service-set objects, telnet/http management switches; audit at 9 checks — address-set dereference in permit-scope, address-set-equals-any, HRP consistency, cleartext management (Telnet / HTTP). ✅
  • v0.6: management-plane access baseline (driven by real-world config corpus) — user-interface con/vty (protocol inbound / inbound ACL / auth mode), ssh server cipher, aaa local-users; audit grows to 13 checks (VTY-accepts-Telnet, VTY-no-ACL, weak-SSH-cipher, AAA-user-Telnet). ✅
  • v0.7: GB18030/GBK config support; parser coverage transparency (unparsed lines surfaced in the audit); info-center loghost; audit status semantics PASS / WARN / FAIL / NA / UNCHECKED; checks for weak SNMP community and missing NTP. ✅

What's next

The forward-looking roadmap is maintained as Now / Next / Later (no fixed dates) in ROADMAP.md. In short: Now — trust foundation (evidence policy, real de-identified corpus, richer reports, SARIF/JUnit, advisory standards anchoring incl. 等保 Level 3/4 advisory references); Next — check registry, corpus-driven parser hardening, coverage breadth; Later — a stable IR/check-id contract that defines 1.0.

See GOVERNANCE.md for how the project is run and the open-core boundary with AegisTwin.

Commercial / support

vrp-ir is free and open source (Apache-2.0), and it stays that way.

It is the open core of AegisTwin — an acceptance workbench for carrier and data-center security integration (HLD/LLD → traceable topology → acceptance advisor → evidence chain → sign-off report). If you liked vrp-ir, AegisTwin builds on top of it for teams that deliver acceptance at scale: Huawei security-device coverage (USG / WAF / AntiDDoS / 4A), HLD/LLD → traceable acceptance test cases, and customer-grade, auditable reports (incl. MLPS / carrier formats).

See the open-source vs. commercial comparison.

Talk to us about a paid workflow review or a design-partner pilot → support@zynovexllc.com.

Contributing

See CONTRIBUTING.md. Real (de-identified) VRP config snippets that we parse incorrectly make the best issues; follow the de-identification guide before sharing any snippet publicly.

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vrp_ir-0.8.0.tar.gz (49.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vrp_ir-0.8.0-py3-none-any.whl (31.1 kB view details)

Uploaded Python 3

File details

Details for the file vrp_ir-0.8.0.tar.gz.

File metadata

  • Download URL: vrp_ir-0.8.0.tar.gz
  • Upload date:
  • Size: 49.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for vrp_ir-0.8.0.tar.gz
Algorithm Hash digest
SHA256 879f742e0839dac059eb57a8dde79bee540ea64379e64caa3c72492d57343d1c
MD5 9cbfbe300aaa1943181edb54a6db4990
BLAKE2b-256 2b7d279db65477683b99a070045c6aa5afe43e6437038bffcb59615f3edc1439

See more details on using hashes here.

Provenance

The following attestation bundles were made for vrp_ir-0.8.0.tar.gz:

Publisher: publish.yml on zynovexllc/vrp-ir

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vrp_ir-0.8.0-py3-none-any.whl.

File metadata

  • Download URL: vrp_ir-0.8.0-py3-none-any.whl
  • Upload date:
  • Size: 31.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for vrp_ir-0.8.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6ea4b17a4094473fe1707bc8500e6770a7bcd7b475572e5107b1b04d175c3dff
MD5 5101c17b4eafcb7f0973735831265b17
BLAKE2b-256 3f4e0d23711e4297a19893bd4bc016d3e2da8ccebd746f67de3f5c2d300a4322

See more details on using hashes here.

Provenance

The following attestation bundles were made for vrp_ir-0.8.0-py3-none-any.whl:

Publisher: publish.yml on zynovexllc/vrp-ir

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page