
aerleon's Introduction


Aerleon

Generate firewall configs for multiple firewall platforms from a single platform-agnostic configuration language through a command line tool and Python API.

Aerleon is a fork of Capirca with the following major additions:

Install

Aerleon requires Python 3.8 or higher.

pip install aerleon

To install via brew:

brew install aerleon

Overview

Aerleon provides a command line tool and a Python API that will generate configs for multiple firewall platforms from a single platform-agnostic configuration language. It can generate configs for Cisco, Juniper, Palo Alto Networks and many other firewall vendors.

A getting started guide walking through the basics of using Aerleon is available on the docs website.

Documentation

Documentation can be found at https://aerleon.readthedocs.io/en/latest/.

Contributing

Contributions are welcome. Please review the contributing guidelines and code of conduct for this project.

Contact

The official channel for reporting issues is GitHub Issues.

General discussion takes place in GitHub Discussions or in our Slack server.

Contact Maintainers

You can always reach out to us on Slack. You may also reach out to us via e-mail.

Rob Ankeny ([email protected])

Jason Benterou ([email protected])

Resources

Contributors ✨

Thanks go to these wonderful people (emoji key):

  • Ken Celenza 📖
  • Axel F 📖
  • Brandon Bennett 💻
  • Bastian Triller 💻
  • Arzhel Younsi 💻

This project follows the all-contributors specification. Contributions of any kind welcome!

Credit

Files and code included in this project from Capirca are copyright Google and are included under the terms of the Apache License, Version 2.0. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Contributors who wish to modify files bearing a copyright notice are obligated by the terms of the Apache License, Version 2.0 to include at the top of the file a prominent notice stating as much. Copyright notices must not be removed from files in this repository.

This README file and other documentation files may contain phrases and sections that are copyright Google. This file and other documentation files are modified from the original by the Aerleon Project Team.

aerleon's Issues

Bug: Non-determinism in Arista TP output

Aclgen will render the policy file sample_arista_tp.pol differently on each run. The order of counter terms is not consistent.

E   -    counter ipsec-esp ssh ospf ipsec-ike tacacs-requests icmp-loopback ntp-replies tacacs-replies default-discard reject-imap-requests ssh-replies dns-replies bgp-replies bgp-requests radius-replies vrrp ntp-request wonky-prots-loopback large-dns-counter
E   +    counter large-dns-counter tacacs-replies tacacs-requests bgp-requests vrrp ssh dns-replies ipsec-esp radius-replies ntp-request icmp-loopback reject-imap-requests ntp-replies ipsec-ike default-discard wonky-prots-loopback bgp-replies ospf ssh-replies

Steps to reproduce

Run aclgen.py which will process all sample policy files. You may wish to temporarily remove all policy files besides sample_arista_tp.pol to speed things up. Run multiple times and notice that on each run the contents of the output file sample_arista_tp.atp will vary.
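A reproducibility check of the kind the report above calls for, added here as an example and not code from the aerleon project: it builds an Arista-style counter line from a constructed term list two ways, once from a set (whose iteration order follows the per-process string hash seed, the usual cause of this symptom) and once from an insertion-ordered dict, then renders each variant in fresh interpreters under different PYTHONHASHSEED values and compares SHA-256 digests. The child script, the term names and the function names are constructed for this example.

```python
"""Reproducibility check for generated ACL text (constructed example).

Emitting the members of a set is the classic source of run-to-run
differences: Python randomises str hashes per process, so set iteration
order changes between runs. The check below renders a 'counter' line in
separate interpreters under different PYTHONHASHSEED values and compares
digests, which a CI job can use to catch unstable output before it is
diffed against a deployed ACL.
"""
import hashlib
import json
import os
import subprocess
import sys

# Constructed term names (a subset of the counters in the issue, plus one
# duplicate so that de-duplication is exercised as well).
COUNTER_NAMES = [
    "ipsec-esp", "ssh", "ospf", "ipsec-ike", "tacacs-requests",
    "icmp-loopback", "ntp-replies", "ssh", "default-discard",
]


def counter_line_from_set(names):
    """Unstable: set iteration order depends on the process hash seed."""
    return "counter " + " ".join(set(names))


def counter_line_ordered(names):
    """Stable: dict.fromkeys de-duplicates while keeping first-seen order."""
    return "counter " + " ".join(dict.fromkeys(names))


# Child script run in a separate interpreter so each run gets its own seed.
_CHILD = r"""
import json, sys
names = json.loads(sys.argv[2])
if sys.argv[1] == "set":
    print("counter " + " ".join(set(names)))
else:
    print("counter " + " ".join(dict.fromkeys(names)))
"""


def render_under_seeds(mode, names, seeds=(1, 2, 3, 4)):
    """Render `names` once per hash seed; return {seed: sha256 hex digest}."""
    digests = {}
    for seed in seeds:
        env = dict(os.environ, PYTHONHASHSEED=str(seed))
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, mode, json.dumps(names)],
            env=env, capture_output=True, text=True, check=True,
        )
        digests[seed] = hashlib.sha256(proc.stdout.encode()).hexdigest()
    return digests


def is_reproducible(digests):
    """True when every seed produced byte-identical output."""
    return len(set(digests.values())) == 1


if __name__ == "__main__":
    for mode in ("set", "ordered"):
        result = render_under_seeds(mode, COUNTER_NAMES)
        print(f"{mode:8s} reproducible={is_reproducible(result)}")
```

The same harness can wrap a full aclgen run: render the policy under several seeds, hash each output file, and fail the job when the digests disagree, so ordering bugs surface in CI rather than as spurious diffs at deployment time.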

Perf: slow trace on sample policies

Processing the sample policy files takes about 5 minutes. A review of a perf trace showed that a single call to RenderFile runs for the majority of those 5 minutes. Some significant time is spent in _TranslatePolicy for the paloalto generator.

Fortinet Support

Fortinet has been a requested generator by the community for a long time. Multiple people have asked for it over the NTC slack. Batfish has asked for progress and would likely wish to use it for their own customers.

Hoist "expiration" impl into core

Currently the implementation of the 'expiration' property is handled through a block of copy-paste code in every generator. Should a generator author forget to paste in this code, expiration won't work.

The core application should handle the expiration implementation and not even pass it through to the generator.

Deprecate bookkeeping fields on Term data model

The Term data model has some fields that must not be set by users and are for internal use only. These fields are listed here with a brief summary and a suggestion for how to migrate the workload that relies on them.

  • term.translated: Used internally to indicate processing was already performed on this Term. Ignored by all generators. I will remove this as part of the parser / model builder cleanup currently underway.
  • term.inactive: Set by Juniper generators when the option 'inactive' is present in term.options. Ignored by all non-Juniper generators. It does not serve any real purpose besides unnecessarily memoizing the expression if 'inactive' in term.option. It can be removed from the core data model with no loss of function as it is not an error for Juniper generators to set garbage attributes on the object.
  • term.flattened
  • term.flattened_addr
  • term.flattened_saddr
  • term.flattened_daddr: Used internally to memoize the result of address flattening, which is somewhat expensive. Some generators actually read these values directly. The model cleanup change currently underway will move these out of the model and into the view model (PolicyView / TermView).

Add metadata for logging for integrity checking

When ACLs are deployed it is desired to make sure that the firewall continues to have the desired set of ACLs present. This can be complex given firewalls may be updated on a cadence that does not match updates to the files output by aerleon. We also would want to allow an analyst to be able to recreate the inputs.

We are discussing solutions to this and have come up with a couple:

  1. Logging information that allows an analyst to understand how an ACL was created
  2. Provide the ability to check some amount of the integrity of the ACL with hashing

This can be complicated by the fact that our ACLs will likely be consumed by other tools and we have no guarantees that they will not be mangled. We also know of platforms where the comments in which this metadata would live are not preserved.
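One way to implement both points above, added here as an example and not aerleon's own format: a provenance header is written into the rendered ACL as comment lines, and an integrity digest is taken over a canonical body (comment lines dropped, whitespace collapsed) so that a downstream tool which strips comments or reflows whitespace does not invalidate it. The digest can be checked from the embedded header or, when the header did not survive, from a value recorded out of band. The `! aerleon-meta` marker, the metadata keys and the sample Cisco-style ACL are all constructed for this example.

```python
"""Provenance header and integrity digest for a rendered ACL (constructed
example, not aerleon's own format).

Two problems are handled: (1) an analyst needs enough metadata to recreate
the inputs, and (2) the digest must survive tools that reflow whitespace or
drop comments. The digest therefore covers only the canonical body, and
verification accepts an out-of-band digest for platforms that keep no comments.
"""
import hashlib

# Lines treated as comments and excluded from the digest (Cisco-style).
COMMENT_PREFIXES = ("!", "#", "remark ")
HEADER_PREFIX = "! aerleon-meta "  # hypothetical marker for this example

# Constructed Cisco-style ACL body.
SAMPLE_ACL = """\
! $Id:$
! Rendered for demo-edge
ip access-list extended edge-in
 remark permit ssh from management
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp any host 10.0.0.53 eq 53
 deny ip any any log
"""


def canonical_body(text):
    """Drop comment and blank lines, collapse runs of whitespace."""
    lines = []
    for line in text.splitlines():
        stripped = " ".join(line.split())
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue
        lines.append(stripped)
    return "\n".join(lines) + "\n"


def acl_digest(text):
    """SHA-256 over the canonical body, hex encoded."""
    return hashlib.sha256(canonical_body(text).encode("utf-8")).hexdigest()


def stamp(acl_text, metadata):
    """Prepend provenance metadata plus the body digest as comment lines."""
    meta = dict(metadata)
    meta["sha256"] = acl_digest(acl_text)
    header = "".join(f"{HEADER_PREFIX}{key}={value}\n" for key, value in meta.items())
    return header + acl_text


def read_metadata(text):
    """Recover key=value pairs from header lines, if any survived deployment."""
    meta = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(HEADER_PREFIX):
            key, _, value = line[len(HEADER_PREFIX):].partition("=")
            meta[key.strip()] = value.strip()
    return meta


def verify(deployed_text, expected_digest=None):
    """Return (ok, reason). Uses the embedded digest unless one is supplied."""
    expected = expected_digest or read_metadata(deployed_text).get("sha256")
    if not expected:
        return False, "no digest embedded and none supplied out of band"
    actual = acl_digest(deployed_text)
    if actual != expected:
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "body matches recorded digest"


if __name__ == "__main__":
    stamped = stamp(SAMPLE_ACL, {"policy": "edge-in.pol", "generator": "cisco"})
    print(stamped)
    print(verify(stamped))
```

Recording the digest in the rendering log as well as in the header is what makes the out-of-band path work: an analyst can then confirm a retrieved ACL against the log even when the platform discarded every comment line.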

Remove six package

six was made to help ease the transition between python 2 to python 3. We will never support python 2 so we should remove these where present.

Experiment with fstrings and templating for faster policy rendering

fstrings are new in python 3.0 and offer a lot of improvements to string manipulation. There are also templating frameworks that offer some advanced functionality. A lot of what we are doing could be assisted by templating. We should profile the current generators and compare that to implementations using those newer features. Comparing usability/readability to performance gains/losses will indicate if this is a path to go down for all generators.

Investigate IPAM exporting functionality

We want to make it easy for people to import IPs and other information into the address book. Investigating IPAM solutions and their export functionality will let us know what is available (JSON, CSV, YAML, etc.).

Docs for generator developer internals

Developers creating new generators will use a few internal interfaces that are not intended for end users. The goal here is to create some light documentation of these interfaces for the audience of generator developers.

Suggested interfaces include:

  • policy.Policy
  • policy.Term
  • aclgenerator.ACLGenerator
  • aclgenerator.Term
  • nacaddr.IP

Explore optimizers for policy

Will add more soon but this is to cover our talks about ways to optimize policy. Policy can be optimized for # of rules, TCAM space, etc.

[LEGACY ISSUE 292] Support for Juniper Wildcard Zones

@jtwb Capirca does not want to change this

We'd prefer to not modify the parser to handle * as a legal character.

Their solution is to add a special string to signify the * character being used as a wildcard for juniper srx zone names. I was not even aware of this feature myself.

Evaluate STATELESS_REPLY

stateless_reply is a field on the Term data model. Its addition was motivated by the desire to have stateful firewalls ignore terms that contain the reverse rules needed by stateless firewalls.[1] It allows a single policy to be shared by both stateful and stateless firewalls.

The question of what to do with stateless_reply arises from some gaps in the existing implementation:

  1. stateless_reply cannot actually be set in Policy files. The file parser has no support for this field. Similarly it cannot be set by Python users creating a Policy data model from a string representation of a Policy file.
  2. stateless_reply cannot be set by Python users constructing a Policy data model through the AddObject / AddFilter methods. Users can set fields on Policy data models directly but in doing so bypass code in the model that performs validation, sanity checking, address collapsing, and address book assembly.
  3. stateless_reply is implemented as a boolean value but Policy files have no canonical value expression that represents a boolean.
  4. It is implemented for each firewall at the discretion of each firewall generator. I haven't done a full pass over the code, but it feels like there could be one or more stateful firewalls that don't support this field.

A couple suggestions have been made from early discussion. The field is only partially user-facing. Dropping the option completely would certainly break Google's use-case. Rolling the option out as-is to all users by adding support in Policy files is possible. In any case this is a good opportunity for a thoughtful proposal on how reverse routes might best be represented in Aerleon.

To start the conversation I would ask whether return path rules should be expressed as Terms in the conventional sense or whether they make more sense in the context of another Term. They cannot stand alone and wouldn't need to use the full range of options available to a normal rule. I wonder whether it might be possible to invert the procedure and produce them automatically from a Term when some field is set.

For example, maybe there is some key value like 'stateless_reply: auto' which you can set on a Term to have Aerleon automatically generate return. Other values on the right hand side could potentially select from different modes of return path generation. In YAML we can even have sub-flags should the user need to provide configuration options.

I would also suggest that the knowledge of whether a firewall is stateless / stateful should be known to Aerleon's core. If it were we could use an approach similar to what we are doing with address books where the core system pre-processes the Policy before handing it off to a Generator. In this case we would generate or eliminate return path rules before the Generator sees them (depending on which approach we choose, whether return routes should be generated from other Terms or if we continue to have one Term per return route but use the 'stateless_reply' field to flag them).

Footnotes

  1. https://github.com/google/capirca/commit/525ec58cab3b2039d8755b8b8bf825beda2a8755
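A sketch of the core pre-processing pass proposed in this issue and in "Hoist 'expiration' impl into core" above, added here as an example and not aerleon's data model or code: the core knows whether the target is stateful, drops expired terms once instead of in every generator, and either derives return-path terms from a `stateless_reply: auto` flag (stateless target) or strips hand-written reply terms (stateful target) before any generator sees the policy. The `Term` and `Target` fields, the `auto`/`manual` mode names and the `tcp-established` option are assumptions made for this example.

```python
"""Core pre-processing pass for a policy (constructed example).

Implements two proposals from the issues: handle 'expiration' once in core,
and generate or drop return-path terms according to whether the target
firewall is stateful. Field names are assumptions for this example, not
aerleon's data model.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class Term:
    name: str
    protocol: str
    source: str
    destination: str
    destination_port: Optional[int] = None
    source_port: Optional[int] = None
    action: str = "accept"
    expiration: Optional[date] = None
    stateless_reply: Optional[str] = None  # None, "auto" or "manual" (assumed modes)
    options: Tuple[str, ...] = ()


@dataclass
class Target:
    platform: str
    stateful: bool


def reply_term(term):
    """Derive the return-path term: swap endpoints and ports; for TCP only
    accept packets that belong to an established flow."""
    opts = term.options + (("tcp-established",) if term.protocol == "tcp" else ())
    return Term(name=f"{term.name}-reply", protocol=term.protocol,
                source=term.destination, destination=term.source,
                destination_port=term.source_port, source_port=term.destination_port,
                action=term.action, expiration=term.expiration,
                stateless_reply="generated", options=opts)


def apply_expiration(terms, today, warn_days=30):
    """Drop expired terms and warn about those expiring within warn_days."""
    kept, warnings = [], []
    for t in terms:
        if t.expiration is not None and t.expiration < today:
            warnings.append(f"{t.name}: expired {t.expiration.isoformat()}, dropped")
            continue
        if t.expiration is not None and t.expiration - today <= timedelta(days=warn_days):
            warnings.append(f"{t.name}: expires {t.expiration.isoformat()}")
        kept.append(t)
    return kept, warnings


def apply_reply_policy(terms, target):
    """Stateful target: drop hand-written reply terms, generate none.
    Stateless target: keep them and synthesise replies for 'auto' terms."""
    out = []
    for t in terms:
        if t.stateless_reply == "manual":
            if not target.stateful:
                out.append(t)
            continue
        out.append(t)
        if t.stateless_reply == "auto" and not target.stateful:
            out.append(reply_term(t))
    return out


def preprocess(terms, target, today, warn_days=30):
    """Full pass: expiration first, then return-path handling."""
    live, warnings = apply_expiration(terms, today, warn_days)
    return apply_reply_policy(live, target), warnings


# Constructed sample policy.
SAMPLE_TERMS = [
    Term("allow-ssh", "tcp", "10.0.0.0/24", "10.1.0.10", destination_port=22, stateless_reply="auto"),
    Term("allow-dns", "udp", "10.0.0.0/24", "10.1.0.53", destination_port=53, stateless_reply="auto"),
    Term("legacy-reply", "tcp", "10.1.0.20", "10.0.0.0/24", source_port=443, stateless_reply="manual"),
    Term("old-rule", "tcp", "10.0.0.0/24", "10.1.0.30", destination_port=8080, expiration=date(2023, 12, 31)),
    Term("soon-rule", "tcp", "10.0.0.0/24", "10.1.0.40", destination_port=8443, expiration=date(2024, 2, 1)),
]
```

Because both transformations run before the generator is chosen, a generator author no longer has to remember the expiration block, and a stateful platform never sees reply terms it would otherwise have to special-case.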
