annet 3.15.0__py3-none-any.whl → 3.16.0__py3-none-any.whl

annet/rulebook/h3c/vlandb.py

@@ -0,0 +1,118 @@
+from annet.annlib.lib import huawei_collapse_vlandb as collapse_vlandb
+from annet.annlib.lib import huawei_expand_vlandb as expand_vlandb
+from annet.annlib.types import Op
+
+from annet.rulebook import common
+from annet.rulebook.common import DiffItem
+
+
+# =====
+def single(rule, key, diff, **_):
+    yield from _process_vlandb(rule, key, diff, False, False, None)
+
+
+def multi(rule, key, diff, **_):
+    yield from _process_vlandb(rule, key, diff, True, False, 10)
+
+
+def multi_all(rule, key, diff, **_):
+    yield from _process_vlandb(rule, key, diff, True, True, 10)
+
+
+def vlan_diff(old, new, diff_pre, _pops):
+    batch_new = set()  # vlan batch ... vlan ids
+    for row in new:
+        prefix, vlans = _parse_vlancfg(row)
+        if prefix == "vlan batch":
+            batch_new.update(vlans)
+    ret = []
+    for item in common.default_diff(old, new, diff_pre, _pops):
+        prefix, vlan_ids = _parse_vlancfg(item.row)
+        # If a VLAN was declared globally and still remains in the batch,
+        # the command "undo vlan ..." will attempt to completely remove it from the device
+        # as well as from the batch. However, using "undo vlan ... ; vlan batch ..." is not a solution,
+        # since to delete it, the CLI requires removing all VLAN interfaces and related elements first.
+
+        if prefix == "vlan" and item.op == Op.REMOVED and batch_new.intersection(vlan_ids):
+            result_item = DiffItem(Op.AFFECTED, item.row, item.children, item.diff_pre)
+        # If a VLAN is declared both globally and in the batch,
+        # and the global declaration block has no additional options,
+        # we don’t include it — it would just hang there unnecessarily.
+        # This way, we preserve symmetry with the previous logic,
+        # and both invariants will produce an empty patch.
+
+        elif prefix == "vlan" and batch_new.intersection(vlan_ids) and not item.children:
+            result_item = None
+        # We don’t touch "vlan batch" or anything else.
+        else:
+            result_item = item
+        if result_item:
+            ret.append(result_item)
+    return ret
+
+
+# =====
+def _process_vlandb(rule, key, diff, multi, multi_all, multi_chunk):  # pylint: disable=unused-argument,redefined-outer-name
+    assert len(diff[Op.AFFECTED]) == 0, "WTF? Affected signle: %r" % (diff[Op.AFFECTED])
+    if not multi:
+        for op in (Op.ADDED, Op.REMOVED):
+            assert 0 <= len(diff[op]) <= 1, "Too many actions: %r" % (diff)
+
+    if diff[Op.REMOVED] and not diff[Op.ADDED]:  # Removed
+        if multi and multi_all:
+            yield (False, rule["reverse"].format(*key) + " all", None)
+            return
+        elif not multi and not multi_all:
+            yield (False, rule["reverse"].format(*key), None)
+            return
+
+    (prefix_add, new) = _parse_vlancfg_actions(diff[Op.ADDED])
+    (prefix_del, old) = _parse_vlancfg_actions(diff[Op.REMOVED])
+    removed = old.difference(new)
+    added = new.difference(old)
+
+    if removed:
+        collapsed = collapse_vlandb(removed)
+        for chunk in (_chunked(collapsed, multi_chunk) if multi else [collapsed]):
+            yield (False, "undo %s %s" % (prefix_del, " ".join(chunk)), None)
+
+    if added:
+        collapsed = collapse_vlandb(added)
+        for chunk in (_chunked(collapsed, multi_chunk) if multi else [collapsed]):
+            yield (True, "%s %s" % (prefix_add, " ".join(chunk)), None)
+
+
+def _chunked(items, size):
+    for offset in range(0, len(items), size):
+        yield items[offset:offset + size]
+
+
+def _parse_vlancfg_actions(actions):
+    prefix = None
+    vlandb = set()
+    for action in actions:
+        (prefix, part) = _parse_vlancfg(action["row"])
+        vlandb.update(part)
+    return (prefix, vlandb)
+
+
+def _parse_vlancfg(row):
+    parts = row.split()
+    assert len(parts) > 0, row
+    index = None
+    for (index, item) in reversed(list(enumerate(parts))):
+        if not (item.isdigit() or item == "to"):
+            break
+    prefix = " ".join(parts[:index + 1])
+    vlandb = expand_vlandb(" ".join(parts[index + 1:]))
+    return (prefix, vlandb)
+
+
+def _find_new_vlans(root_pre):
+    ret = set()
+    for (rule, pre) in root_pre.items():
+        if not rule.startswith("vlan batch"):
+            continue
+        new = _parse_vlancfg_actions(pre["items"][tuple()][Op.ADDED])[1]
+        ret.update(new)
+    return ret

annet/rulebook/texts/h3c.deploy

@@ -0,0 +1,196 @@
+# Рулбук деплоя на устройства
+#
+# Операторы:
+#   *  Один аргумент
+#   ~  Несколько аргументов (минимум один)
+#
+# Параметры:
+#   %timeout=...  Таймаут выполнения команды (в секундах, по умолчанию 30)
+#
+# Ответы на вопросы
+#
+# <команда>
+#   dialog: <вопрос> ::: <ответ> <параметры>
+#
+# Если <вопрос> заключён в слеши (//), то воспринимается как регулярка, иначе - точное совпадение.
+# Параметы:
+#   %send_nl=...  Посылать ли перевод строки после ответа (bool, по умолчанию true)
+# -----
+
+undo bgp
+    dialog: Warning: The BGP process will be deleted. Continue? [Y/N]: ::: Y
+undo peer *
+    dialog: Warning: All the configurations related to the BGP peer will be deleted. Continue? [Y/N]: ::: Y
+    dialog: Warning: This operation will reset the peer session. Continue? [Y/N]: ::: Y
+peer * enable
+    dialog: Warning: This operation will reset the peer session. Continue? [Y/N]: ::: Y
+peer * timer
+    dialog: Warning: Changing the parameter in this command resets the peer session. Continue? [Y/N]: ::: Y
+undo route-distinguisher *
+    dialog: Warning: RTs of VPN instance and IPv6 related configurations under BGP will be deleted. Continue? [Y/N]: ::: Y
+    dialog: Warning: All the VPN targets in the VPN instance IPv6 address family will be deleted. Continue? [Y/N]: ::: Y
+    dialog: Warning: All VPN targets of this EVPN instance and all EVPN address family-related configurations under BGP will be deleted. Continue? [Y/N]: ::: Y
+
+save
+    dialog: /Warning: The current configuration will be written to the device. Continue\? \[Y/N\]:?/ ::: Y
+    dialog: Warning: The current configuration will be written to the device. Are you sure to continue? [Y/N]: ::: Y
+    dialog: Are you sure to continue?[Y/N] ::: Y
+    dialog: Are you sure to continue? [Y/N] ::: Y
+    dialog: Please input the file name(*.cfg, *.zip, *.dat): ::: vrpcfg.zip
+undo rsa peer-public-key
+    dialog: /Do you want to remove the public key named .*\? \[Y/N\]:/ ::: Y
+undo stelnet server enable
+    dialog: Warning: The operation will stop the STelnet server. Do you want to continue? [Y/N]: ::: Y
+undo telnet * server enable
+    dialog: Warning: The operation will stop the .*Telnet server. Continue? [Y/N]: ::: Y
+undo stelnet * server enable
+    dialog: Warning: The operation will stop the STelnet server. Do you want to continue? [Y/N]: ::: Y
+telnet ipv6 server-source all-interface
+    dialog: Warning: Telnet server source configuration will take effect in the next login. Do you want to continue? [Y/N]: ::: Y
+telnet server-source all-interface
+    dialog: Warning: Telnet server source configuration will take effect in the next login. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: Telnet server source configuration will take effect in the next login. Continue? [Y/N]: ::: Y
+telnet ipv6 server-source all-interface
+    dialog: Warning: The IPv6 Telnet server source configuration will take effect in the next login. Continue? [Y/N]: ::: Y
+undo telnet server-source ~
+    dialog: Warning: The operation will delete the Telnet server source configuration and may cause the service to be unavailable. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: The operation will delete the Telnet server source configuration and may cause the service to be unavailable. Continue? [Y/N]: ::: Y
+undo telnet ipv6 server-source ~
+    dialog: Warning: The operation will delete the Telnet server source configuration and may cause the service to be unavailable. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: The operation will delete the Telnet server source configuration and may cause the service to be unavailable. Continue? [Y/N]: ::: Y
+telnet ipv6 server disable
+    dialog: Warning: The operation will stop the IPv6 Telnet server. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: The operation will stop the IPv6 Telnet server. Continue? [Y/N]: ::: Y
+telnet server disable
+    dialog: Warning: The operation will stop the Telnet server. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: The operation will stop the Telnet server. Continue? [Y/N]: ::: Y
+ssh ipv6 server-source all-interface
+    dialog: Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: SSH server source configuration will take effect in the next login. Continue? [Y/N]: ::: Y
+ssh server-source all-interface
+    dialog: Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: SSH server source configuration will take effect in the next login. Continue? [Y/N]: ::: Y
+undo ssh server-source ~
+    dialog: Warning: The operation will delete the SSH server source configuration and may cause the service to be unavailable. Do you want to continue? [Y/N]: ::: Y
+undo protocol inbound ssh port *
+    dialog: Warning: The operation will stop the ssh port 830 service. Do you want to continue? [Y/N]: ::: Y
+undo sftp server enable
+    dialog: Warning: The operation will stop the SFTP server. Do you want to continue? [Y/N]: ::: Y
+(ftp|FTP) *
+    dialog: Warning: FTP server source configuration will take effect in the next login. Do you want to continue? [Y/N]: ::: Y
+undo (ftp|FTP) server enable
+    dialog: Warning: The operation will stop the FTP server. Do you want to continue? [Y/N]: ::: Y
+undo (ftp|FTP) ipv6 server enable
+    dialog: Warning: The operation will stop the FTP server. Do you want to continue? [Y/N]: ::: Y
+undo (ftp|FTP) (server source|server-source)
+    dialog: Warning: The operation will delete the FTP server source configuration and may cause the service to be unavailable. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: To make the server source configuration take effect, the FTP server will be restarted. Continue? [Y/N]: ::: Y
+undo (ftp|FTP) ipv6 (server source|server-source)
+    dialog: Warning: The operation will delete the FTP server source configuration and may cause the service to be unavailable. Do you want to continue? [Y/N]: ::: Y
+    dialog: Warning: To make the server source configuration take effect, the FTP server will be restarted. Continue? [Y/N]: ::: Y
+undo http server enable
+    dialog: Warning: The operation will stop HTTP service. Continue? [Y/N]: ::: Y
+undo sftp * server enable
+    dialog: Warning: The operation will stop the SFTP server. Do you want to continue? [Y/N]: ::: Y
+undo scp server enable
+    dialog: Warning: The operation will stop the SCP server. Continue? [Y/N]: ::: Y
+undo scp * server enable
+    dialog: Warning: The operation will stop the SCP server. Continue? [Y/N]: ::: Y
+undo dhcp enable
+    dialog: Warning: All DHCP functions will be disabled. Continue? [Y/N] ::: Y
+undo dhcpv6 enable
+    dialog: Warning: All DHCPv6 functions will be disabled. Continue? [Y/N]: ::: Y
+system tcam acl
+    dialog: Warning: Enabling the TCAM ACL will cause ACL resources to be replanned. Incorrectly using these commands will cause some services to be unavailable. Therefore, use these commands with the guidance of Huawei engineers. Continue? [Y/N] ::: Y
+local-user * privilege level
+    dialog: Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N] ::: Y
+    dialog: Warning: This operation may affect online users and will change the user privilege level, Continue? [Y/N]: ::: Y
+local-user * password
+    dialog: Warning: The user using this account will be logged out, and needs to log in again. Do you want to continue? [Y/N] ::: Y
+
+stp *
+    dialog: Warning: The global STP state will be changed. Continue? [Y/N] ::: Y
+
+ntp server disable
+    dialog: /.*Continue\?/ ::: Y
+ntp * server disable
+    dialog: /.*Continue\?/ ::: Y
+
+ntp-service server disable
+    dialog: /.*Continue\?/ ::: Y
+ntp-service * server disable
+    dialog: /.*Continue\?/ ::: Y
+
+undo telnet server-source all-interface
+    dialog: /.*continue\?/ ::: Y
+undo telnet ipv6 server-source all-interface
+    dialog: /.*continue\?/ ::: Y
+telnet server disable
+    dialog: /.*continue\?/ ::: Y
+telnet ipv6 server disable
+    dialog: /.*continue\?/ ::: Y
+
+undo vlan
+    dialog: Warning: The configurations of the VLAN will be deleted. Continue? [Y/N]: ::: Y
+
+port link-type *
+    dialog: Warning: This command will delete VLANs on this port. Continue?[Y/N]: ::: Y
+
+port mode 200GE  ~
+    dialog: /Warning: This operation will delete current ports.*/ ::: Y
+
+port mode *
+    dialog: /Warning: The interfaces.* will be converted to .* mode/ ::: Y
+undo port mode *
+    dialog: /Warning: The interfaces.* will be converted to .* mode/ ::: Y
+
+mpls lsr-id *
+    dialog: Warning: All MPLS services will be deleted and services related to LSR-ID will fail. Continue? [Y/N]: ::: Y
+
+undo router-id
+    dialog: Warning: Changing the parameter in this command resets the peer session. Continue? [Y/N]: ::: Y
+
+router-id
+    dialog: Warning: Changing the parameter in this command resets the peer session. Continue? [Y/N]: ::: Y
+
+undo bfd
+    dialog: Warning: The BFD process will be deleted. Continue? [Y/N]: ::: Y
+
+undo dcn
+    dialog: Warning: This operation will disable DCN function. Continue? [Y/N]: ::: Y
+
+undo ospf *
+    dialog: Warning: The OSPF process will be deleted. Continue? [Y/N]: ::: Y
+
+undo mpls ldp transport-address
+    dialog: Warning: All the related sessions will be deleted if the operation is performed! Continue? [Y/N]: ::: Y
+
+ldp-sync enable
+    dialog: Warning: This will cause all the interfaces enabled the ISIS process to enter ldp-sync state. Continue? [Y/N]: ::: Y
+    dialog: Warning: This will cause all the interfaces enabled the OSPF process to enter ldp-sync state. Continue? [Y/N]: ::: Y
+
+association-type enable
+    dialog: Warning: The PCE sessions will be restarted. Continue? [Y/N]: ::: Y
+
+info-center max-logfile-number *
+    dialog: Warning: The operation will probably delete the redundant logs. Continue? [Y/N]: ::: Y
+
+rsa peer-public-key * 
+    dialog: Do you really want to replace it? [Y/N]: ::: Y
+
+ip binding vpn-instance
+    dialog: Warning: This operation will modify the router ID to 0.0.0.0, which may affect the establishment of BGP peer relationships. Continue? [Y/N]: ::: Y
+
+force transceiver *
+    dialog: /.*Continue\?/ ::: Y
+
+undo force transceiver *
+    dialog: /.*Continue\?/ ::: Y
+
+undo local-aaa-user change-password verify
+    dialog: Warning: This command will disable the function of verifying the old password when administrators changes their own passwords. Continue?[Y/N] ::: Y
+
+undo local-user ~
+    dialog: Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N] ::: Y
+
+# vim: set syntax=annrulebook:

annet/rulebook/texts/h3c.order

@@ -0,0 +1,390 @@
+# vim: set syntax=annrulebook:
+# В этом файле определяется порядок команд, в котором их следует подавать на устройство.
+# - Если порядок команды не важен - ее можно не писать сюда совсем.
+# - Если команда начинается с undo и прописан параметр %order_reverse - команда считается
+#   обратной, но занимает место между прямыми там, где указано (т.е. undo vlan batch
+#   будет стоять после блоков interface).
+
+sysname
+
+m-lag
+
+# переключаем режим BFD с софта на аппаратный
+undo hardware-resource firmware-mode *
+hardware-resource firmware-mode *   %order_reverse
+
+#clock
+#info-center
+
+# на vpn-instance OOB/MLAG есть много ссылок отовсюду, так что создадим как можно раньше
+ip vpn-instance */[OoMm][OoLl][BbAa].*/
+
+#ntp
+#dns
+
+#mac-address timer aging
+
+#rsa
+#ecc
+
+# из-за того, что h3c не позволяет иметь в одном prefix-list 2 одинаковых правила,
+# нужно сначала удалить все несовпадающие, а затем заполнить их заново
+# в таком случае нужно расскомментить эту строчку, но она не позволяет снести plist целиком
+# сначала мы добавляем stub-правило в рулсет чтобы оно не позволяло prefix-list'у "пропасть"
+# индекс референсится в логике патчинга префикс-листа h3c.misc.prefix_list
+*/(ip|ipv6)/ prefix-list * index 99999999
+undo */(ip|ipv6)/ prefix-list * index *   %order_reverse
+*/(ip|ipv6)/ prefix-list
+
+# common block для фабрики
+bfd peer-ip
+ip unreachables
+ip ttl-expires
+lldp global 
+vxlan vlan-based
+stp global
+l2vpn enable
+vxlan tunnel mac-learning
+vxlan tunnel arp-learning
+hardware-resource vxlan
+vxlan ip-forwarding
+
+
+line vty
+    ~
+ssh server 
+netconf ssh server
+sftp server
+scp server
+
+# далее если у нас МЛАГ надо это указать vvtep
+evpn m-lag group 10.203.78.1
+
+# дальше идут тенанты vsi
+vsi
+
+ip vpn-instance
+    route-distinguisher
+    address-family evpn
+        ~
+    address-family ipv4
+        ~
+    address-family ipv6
+        ~
+    ~
+
+# это должно идти после vpn-instance
+ntp
+
+#stp mode
+#stp bpdu-protection
+#stp enable
+#stp region-configuration
+
+acl port-pool
+acl ip-pool
+acl ipv6-pool
+acl ~
+    undo rule * description %order_reverse
+    undo rule ~ %order_reverse
+    rule * */deny|permit/
+    rule * description
+
+system tcam
+
+undo system tcam acl template * all %order_reverse
+undo system tcam acl template * %order_reverse
+undo system tcam acl$ %order_reverse
+
+traffic classifier
+traffic behavior
+traffic policy
+qos group
+qos schedule-profile
+port-wred
+
+dhcp
+
+vlan all
+vlan 
+
+hwtacacs-server
+hwtacacs server
+radius-server
+
+local-user ~
+    password hash *  %logic=h3c.aaa.user
+    service-type ~   
+    ~ %global
+
+ssh user
+
+user-interface
+drop-profile
+
+interface */(?i)(M-GigabitEthernet[^.]*)[^.]\d*$/
+FTP client
+ftp client
+sflow
+
+# SR глобально -> MPLS -> IS-IS -> IS-IS и SID на интерфейсах
+segment-routing
+    sr-te policy *
+        candidate-path * *
+            undo segment-list * %order_reverse
+    undo segment-list *  %order_reverse
+
+# Сначала глобально mpls включаем, потом на интерфейсы
+mpls
+    mpls te cspf
+    mpls te cspf preferred-igp
+
+mpls ldp
+mpls ldp remote-peer *
+
+explicit-path
+
+vsi *
+    mtu 
+    vxlan
+    evpn encapsulation vxlan
+        route-distinguisher
+        vpn-target
+
+interface */Vsi\d+/
+interface */Bridge-Aggregation\d+/
+interface */LoopBack\d+/
+
+interface *
+    port link-mode * %order_reverse
+    undo ip address * * sub  %order_reverse
+    undo ip address * *  %order_reverse
+    description
+    port link-mode * %order_reverse
+    ip binding
+    ipv6 enable
+    ipv6 nd ra prefix
+    ipv6
+    ip address * *
+    ip address * * sub
+    dhcpv6
+    isis enable
+    isis
+    undo isis *
+    undo isis enable  %order_reverse
+    mpls
+    mpls ldp
+    mpls ldp transport-address interface
+    mpls rsvp-te
+    mpls rsvp-te bfd
+    port link-type
+    port trunk pvid
+    port trunk permit
+    undo port trunk permit vlan all
+    undo port trunk permit vlan 1 %order_reverse
+    port hybrid
+    undo port hybrid vlan
+    port hybrid tagged
+    port hybrid untagged
+    port hybrid vlan
+    port hybrid pvid
+    voice-vlan */\d+/
+    voice-vlan
+    undo port link-aggregation
+    port link-aggregation
+    mode
+    qos (wfq|drr)
+    qos queue
+    vrrp6 vrid [11|12] virtual-ip FE80*
+    vrrp6 vrid [11|12] virtual-ip
+    vrrp6 vrid [11|12]
+    vrrp vrid [11|12] virtual-ip
+    vrrp vrid [11|12]
+    ~
+    poe
+
+# Нужно чтобы subif'ы портов шли после конфигурации самих портов, иначе свитч ругнется на то что порт l2
+interface */\S+\.\d+/
+
+# Некоторые команды требуют сначала определить конфигурацию на L2 интерфейсах, а потом уже на vlanif
+interface */Vlan-interface\d+/
+
+# Должны быть после interface потому что в нем ссылается traffic-policy
+# И именно в данном порядке
+# policy ссылаются на behavior и classifier, они на acl'и
+undo qos group          %order_reverse
+undo qos schedule-profile	%order_reverse
+undo traffic policy     %order_reverse
+undo traffic behavior   %order_reverse
+undo traffic classifier %order_reverse
+
+# Должен быть после interface потому что в нем ссылается на diffserv domain
+undo diffserv domain * 	%order_reverse
+
+# маршруты идут после интерфейсов
+ip route-static
+ipv6 route-static
+
+route-policy
+
+ospf
+    opaque-capability enable
+    area
+
+bgp
+    router-id
+    graceful-restart
+    timer keepalive
+    # [NOCDEV-1182] у load-balancing есть несколько взаимоисключающих флейверов
+    undo undo maximum load-balancing %order_reverse
+    maximum load-balancing
+    # [NOCDEV-2043] Тут только декларируем пиров и группы
+    # поскольку на них есть ссылки из family блоков
+    group
+    peer * as-number *
+    peer * local-as *
+    address-family ipv[46]|l2vpn evpn
+        balance
+        pic
+        additional-paths
+        import-route
+        group
+        peer * as-number *
+        peer * enable
+        peer * ~
+    l2vpn-ad-family
+        peer * enable
+        peer * ~
+    # [NOCDEV-2043] Остальное в глобальном блоке делаем тут
+    undo peer * description %order_reverse
+    undo peer * * * %order_reverse
+    undo peer * * %order_reverse
+    undo peer * %order_reverse
+    undo group * %order_reverse
+    peer * ~
+
+
+# Вырубаем bfd после bgp, но до vpn
+undo bfd * %order_reverse
+undo bfd %order_reverse
+
+undo ip vpn-instance %order_reverse
+undo route-policy %order_reverse
+undo route-policy */VRF_.*/ %order_reverse
+undo ip community-filter %order_reverse
+undo ip extcommunity-filter %order_reverse
+undo ip as-path-filter %order_reverse
+
+# Вырубаем bfd после bgp
+undo bfd * %order_reverse
+undo bfd %order_reverse
+
+info-center
+
+# Should be after acl definition
+snmp-agent sys-info
+snmp-agent mib-view
+snmp-agent community complexity-check
+snmp-agent community
+snmp-agent target-host
+snmp-agent trap source
+snmp-agent
+#ifindex constant
+
+cpu-defend policy
+cpu-defend-policy
+slot *
+    cpu-defend-policy %order_reverse
+undo cpu-defend policy  %order_reverse
+
+ssh server rsa-key min-length
+rsa peer-public-key
+ssh user
+ssh user * assign
+ssh user * authentication-type
+ssh user * service-type
+
+local-user * password
+local-user * service-type
+local-user * level
+local-user * ftp-directory
+
+stelnet server
+stelnet ipv4 server
+stelnet ipv6 server
+
+telnet server acl
+ssh server acl
+*/(ftp|FTP)/ server acl
+*/(ftp|FTP)/ acl
+telnet ipv6 server acl
+ssh ipv6 server acl
+*/(ftp|FTP)/ ipv6 server acl
+*/(ftp|FTP)/ ipv6 acl
+
+ssh server-source all-interface
+ssh ipv6 server-source all-interface
+telnet server-source all-interface
+telnet ipv6 server-source all-interface
+
+#lldp
+
+#stelnet
+#ssh
+
+#header
+
+#command-privilege
+#user-interface maximum-vty
+#user-interface
+
+domain
+default-domain
+telemetry
+    sensor-group *
+    destination-group *
+    subscription *
+
+diffserv domain *
+    ip-dscp-inbound ~
+
+#Удаляем acl в самом конце
+undo acl                %order_reverse
+
+# Удаляем iface совсем в конце
+# сначала subif
+undo interface */.*[.]\d+/ %order_reverse
+# vlanif
+undo interface */Vlanif\d+/ %order_reverse
+undo interface */Vbdif\d+/ %order_reverse
+
+# удалять eth-trunk можно только после того, как вычистим member interfaces
+undo interface */Eth-Trunk\d+/  %order_reverse
+undo interface             %order_reverse
+
+# interface Tunnel* ссылается на 'explicit-path'
+undo interface */Tunnel.*/ %order_reverse
+undo explicit-path %order_reverse
+
+# drop-profile можно удалять только после удаления референсов на него в интерфейсах
+undo drop-profile %order_reverse
+
+# vlan'ы удаляем после vlanif/subif
+undo vlan %order_reverse
+undo vlan batch %order_reverse
+undo observe-port %order_reverse
+
+#sflow может висеть а subif/eth-trunk
+undo sflow %order_reverse
+
+# Данное стаб-правило должно удаляться в самую посленюю очередь
+# поскольку если префикс-лист должен уходить из конфигурации полностью
+# перед этим должны быть удалены все его референсы в конфиге
+# индекс референсится в логике патчинга префикс-листа h3c.misc.prefix_list
+undo */(ip|ipv6)/ prefix-list * index 99999999  %order_reverse
+
+#remove template only after all references will be cleared
+undo radius-server template %order_reverse
+undo hwtacacs-server template %order_reverse
+
+~