
Batfish marks Huawei VRP as unsupported — so I built a source-traceable IR for it

DEV Community [Unofficial] June 17, 2026

If you do network automation, you reach for Batfish. And if you've ever pointed it at a Huawei box, you've hit the wall: Batfish's own source marks Huawei VRP as UNSUPPORTED. ntc-templates helps, but only for the output of display (show-style) commands; there's no open parser for the saved display current-configuration file. And ciscoconfparse2 is Cisco-shaped and only gives you an integer line number, not field-level provenance.

So for anyone doing Huawei acceptance / audit work, a basic capability was just missing: turn a saved config into a structured model you can reason about, where you can always trace a value back to the exact line it came from.

That's the gap vrp-ir fills.

Provenance is the whole point

vrp-ir parses a Huawei VRP/USG config into a typed model where every parsed value carries a SourceRef back to its file:line:

from vrp_ir import parse_file

cfg = parse_file("edge-fw.cfg")
ip = cfg.interfaces[0].ipv4[0]
print(ip.address.value, ip.prefix_length.value)  # 10.10.10.1 24
print(ip.address.source)                          # edge-fw.cfg:11  <- provenance

When a value looks wrong, you jump straight to the line — you don't grep the raw config. That sounds small until you're reviewing a 4,000-line firewall dump and every claim in your report needs to be defensible.

From IR to a line-cited security audit

Provenance pays off the moment you turn the IR into findings. vrp-ir audit runs 13 security acceptance checks, and every finding cites the exact config line it's based on:

$ vrp-ir audit edge-fw.cfg
### FW-DEFAULT-DENY [CRITICAL] — default action denies unmatched traffic
Default action is 'permit': all traffic matching no rule is allowed.
Evidence:
- edge-fw.cfg:14 — default action permit

The checks cover the boring-but-deadly stuff: permit-any rules, a security-policy default action set to permit instead of deny, cleartext management (Telnet/HTTP), VTY lines accepting Telnet or lacking an inbound ACL, weak SSH ciphers (CBC/3DES/DES), local AAA users with Telnet service, address sets that resolve to 0.0.0.0/0, and HRP consistency.

And because --strict exits non-zero on any failure, it drops straight into CI as an acceptance gate:

$ vrp-ir audit edge-fw.cfg --strict || echo "acceptance failed"

No more "the report says it's fine" with nothing to point at — each line of the report points at a line of the config.
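To make the provenance-then-audit idea from the two sections above concrete, here is an added example in plain Python. It is my own toy code, not vrp-ir's parser, classes or CLI (the real project's class names, field names and check IDs may differ); the config text is constructed, and the check names and severities are illustrative. It shows the three things the post argues for: every parsed value carries a file:line reference, a value that cannot be parsed cleanly (a non-contiguous mask) produces no fact at all, and each finding cites the line it was derived from.

```python
# Added example (not vrp-ir's own code): a toy provenance-carrying IR for a VRP-style config
import sys
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in `display current-configuration` style; not a real device dump.
SAMPLE_CFG = """\
#
interface GigabitEthernet0/0/1
 ip address 10.10.10.1 255.255.255.0
#
user-interface vty 0 4
 protocol inbound telnet
#
security-policy
 rule name allow-all
  action permit
 default action permit
#
"""

class Ref(NamedTuple):          # provenance: file and 1-based line number
    file: str
    line: int
    def __str__(self) -> str:
        return f"{self.file}:{self.line}"

class Val(NamedTuple):          # a parsed value never travels without its Ref
    value: object
    source: Ref

@dataclass
class Config:
    ipv4: List[Tuple[Val, Val, Val]] = field(default_factory=list)  # (interface, address, prefix_len)
    vty_inbound: List[Val] = field(default_factory=list)
    default_action: Optional[Val] = None

class Finding(NamedTuple):
    check: str
    severity: str
    message: str
    evidence: List[Ref]         # the config line(s) the finding was derived from

def mask_to_prefix(mask: str) -> Optional[int]:   # dotted mask or bare length -> int, else None
    if mask.isdigit():
        return int(mask) if int(mask) <= 32 else None
    try:
        octets = [int(o) for o in mask.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return None
    bits = "".join(f"{o:08b}" for o in octets)
    return None if "01" in bits else bits.count("1")   # "01" means non-contiguous

def parse(text: str, fname: str) -> Config:   # one pass; a bare '#' closes the current VRP block
    cfg, iface, section = Config(), None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "#":
            iface = section = None
            continue
        t, ref = line.split(), Ref(fname, n)
        if t[0] == "interface" and len(t) == 2:
            iface = Val(t[1], ref)
        elif t[0] == "user-interface":
            section = "vty"
        elif t[0] == "security-policy":
            section = "policy"
        elif iface and t[:2] == ["ip", "address"] and len(t) == 4:
            plen = mask_to_prefix(t[3])
            if plen is not None:    # unparseable mask: emit no fact rather than a wrong one
                cfg.ipv4.append((iface, Val(t[2], ref), Val(plen, ref)))
        elif section == "vty" and t[:2] == ["protocol", "inbound"] and len(t) == 3:
            cfg.vty_inbound.append(Val(t[2], ref))
        elif section == "policy" and t[:2] == ["default", "action"] and len(t) == 3:
            cfg.default_action = Val(t[2], ref)   # a rule's nested 'action permit' does not match
    return cfg

def audit(cfg: Config) -> List[Finding]:
    """Each finding carries the Ref(s) it was derived from; nothing is reported without one."""
    out: List[Finding] = []
    if cfg.default_action and cfg.default_action.value == "permit":
        out.append(Finding("FW-DEFAULT-DENY", "CRITICAL",
                           "default action is 'permit': unmatched traffic is allowed",
                           [cfg.default_action.source]))
    for p in cfg.vty_inbound:
        if p.value in ("telnet", "all"):
            out.append(Finding("VTY-CLEARTEXT", "HIGH", f"VTY accepts inbound '{p.value}'", [p.source]))
    return out

def render(findings: List[Finding]) -> str:     # same shape as the post's audit output
    lines: List[str] = []
    for f in findings:
        lines += [f"### {f.check} [{f.severity}] - {f.message}", "Evidence:"]
        lines += [f"- {r}" for r in f.evidence]
    return "\n".join(lines)

if __name__ == "__main__":
    found = audit(parse(SAMPLE_CFG, "edge-fw.cfg"))
    print(render(found))
    sys.exit(1 if found else 0)     # --strict-style gate: non-zero on any finding
```

Run it and the report cites edge-fw.cfg:11 for the permit default action and edge-fw.cfg:6 for the Telnet VTY; change the sample mask to 255.0.255.0 and the interface simply produces no address fact, which is the "provenance or nothing" rule in miniature.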

Design choices

  • Zero-dependency core, Python 3.9+, pip install vrp-ir. Easy to embed.
  • Reuse, don't reinvent. It complements ntc-templates (show-command parsing), napalm (live collection) and Batfish (multi-vendor analysis) — it doesn't try to replace them.
  • No garbage facts. If a value can't be parsed cleanly, it's skipped rather than surfaced wrong. Provenance or nothing.

Where it's going — and how to help

It's v0.6 / alpha and moving fast. Next up: SNMP communities, NTP/Syslog presence, vsys, and a wider real-world test corpus. The most useful contributions are real, de-identified configs it parses wrong; those make the best issues. There are a handful of good first issues open right now (parsing SNMP/NTP/syslog with provenance) if you want a gentle on-ramp.

vrp-ir is Apache-2.0 and stays that way. It's the open core of AegisTwin, a Huawei security-acceptance workbench I'm building — but the parser and the audit are useful on their own today.

→ Repo + 30-second demo: https://github.com/zynovexllc/vrp-ir
