OF815 · pull · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025
diff --git a/projects/batfish/src/main/antlr4/org/batfish/grammar/flatjuniper/FlatJuniperLexer.g4 b/projects/batfish/src/main/antlr4/org/batfish/grammar/flatjuniper/FlatJuniperLexer.g4
@@ -54,6 +54,8 @@ ACCEPTED_PREFIX_LIMIT: 'accepted-prefix-limit';
 
 ACCESS: 'access';
 
+ACCESS_DISABLE_EXTERNAL: 'access-disable-external';
+
 ACCESS_INTERNAL: 'access-internal';
 
 ACCESS_PROFILE: 'access-profile' -> pushMode(M_Name);
@@ -186,6 +188,8 @@ ALLOW_DUPLICATES: 'allow-duplicates';
 
 ALLOW_SNOOPED_CLIENTS: 'allow-snooped-clients';
 
+ALLOW_TCP_FORWARDING: 'allow-tcp-forwarding';
+
 ALLOW_V4MAPPED_PACKETS: 'allow-v4mapped-packets';
 
 ALWAYS_COMPARE_MED: 'always-compare-med';
@@ -601,6 +605,8 @@ DOMAIN_NAME: 'domain-name' -> pushMode(M_Name);
 
 DOMAIN_SEARCH: 'domain-search';
 DOMAIN_TYPE: 'domain-type';
+DROP: 'drop';
+DROP_AND_LOG: 'drop-and-log';
 DROP_PATH_ATTRIBUTES: 'drop-path-attributes';
 
 DROP_PROFILES: 'drop-profiles' -> pushMode(M_Name);
@@ -1087,6 +1093,7 @@ INTERFACE
    'interface' -> pushMode ( M_Interface )
 ;
 
+INTERFACE_MAC_LIMIT: 'interface-mac-limit';
 INTERFACE_MODE: 'interface-mode';
 
 INTERFACE_RANGE: 'interface-range' -> pushMode(M_Name);
@@ -1991,6 +1998,7 @@ NO_ANTI_REPLAY: 'no-anti-replay';
 
 NO_ARP: 'no-arp';
 NO_AUTO_NEGOTIATION: 'no-auto-negotiation';
+NO_CHALLENGE_RESPONSE: 'no-challenge-response';
 NO_CLIENT_REFLECT: 'no-client-reflect';
 NO_DECREMENT_TTL: 'no-decrement-ttl';
 NO_ECMP_FAST_REROUTE: 'no-ecmp-fast-reroute';
@@ -2010,6 +2018,8 @@ NO_NEXT_HEADER: 'no-next-header';
 
 NO_NEXTHOP_CHANGE: 'no-nexthop-change';
 
+NO_PASSWORD_AUTHENTICATION: 'no-password-authentication';
+
 NO_PASSWORDS: 'no-passwords';
 
 NO_PEER_LOOP_CHECK: 'no-peer-loop-check';
@@ -2022,6 +2032,8 @@ NO_PREEMPT: 'no-preempt';
 
 NO_PREPEND_GLOBAL_AS: 'no-prepend-global-as';
 
+NO_PUBLIC_KEYS: 'no-public-keys';
+
 NO_READVERTISE: 'no-readvertise';
 
 NO_REDIRECTS: 'no-redirects';
@@ -2087,6 +2099,7 @@ OVERRIDES: 'overrides';
 P2MP: 'p2mp';
 P2MP_OVER_LAN: 'p2mp-over-lan';
 P2P: 'p2p';
+PACKET_ACTION: 'packet-action';
 PACKET_LENGTH: 'packet-length' -> pushMode(M_SubRange);
 PACKET_LENGTH_EXCEPT: 'packet-length-except' -> pushMode(M_SubRange);
 
@@ -2643,7 +2656,7 @@ SHARED_IKE_ID: 'shared-ike-id';
 SHIM6_HEADER: 'shim6-header';
 
 SHORTCUTS: 'shortcuts';
-
+SHUTDOWN: 'shutdown';
 SIGNALING: 'signaling';
 
 SIMPLE: 'simple';

diff --git a/...cts/batfish/src/main/antlr4/org/batfish/grammar/flatjuniper/FlatJuniper_switch_options.g4 b/...cts/batfish/src/main/antlr4/org/batfish/grammar/flatjuniper/FlatJuniper_switch_options.g4
@@ -10,7 +10,8 @@ s_switch_options
 :
   SWITCH_OPTIONS
     (
-      so_vtep_source_interface
+      so_interface
+      | so_vtep_source_interface
       | so_route_distinguisher
       | so_vrf_target
       | so_vrf_export
@@ -42,3 +43,37 @@ so_vrf_import
 :
   VRF_IMPORT null_filler
 ;
+
+so_interface
+:
+  INTERFACE interface_id
+  (
+    soi_interface_mac_limit
+  )
+;
+
+soi_interface_mac_limit
+:
+  INTERFACE_MAC_LIMIT
+  (
+    soiiml_limit_null
+    | soiiml_packet_action_null
+  )
+;
+
+soiiml_limit_null
+:
+  uint16
+;
+
+soiiml_packet_action_null
+:
+  PACKET_ACTION
+  (
+    DROP
+    | DROP_AND_LOG
+    | LOG
+    | NONE
+    | SHUTDOWN
+  )
+;
diff --git a/projects/batfish/src/main/antlr4/org/batfish/grammar/flatjuniper/FlatJuniper_system.g4 b/projects/batfish/src/main/antlr4/org/batfish/grammar/flatjuniper/FlatJuniper_system.g4
@@ -254,29 +254,54 @@ sy_services
 :
    SERVICES
    (
-      sy_services_linetype
-      | sy_services_null
+      syserv_ftp
+      | syserv_ssh
+      | syserv_telnet
+      | syserv_null
    )
 ;
 
-sy_services_linetype
+syserv_ftp
 :
-   linetype = line_type
+   FTP
    (
       apply_groups
       | sy_authentication_order
-      | sysl_null
+      | syserv_common_null
    )?
 ;
 
-line_type
+syserv_ssh
 :
-  FTP
-  | SSH
-  | TELNET
+   SSH
+   (
+      apply_groups
+      | sy_authentication_order
+      | syserv_common_null
+      | syservs_access_disable_external_null
+      | syservs_allow_tcp_forwarding_null
+      | syservs_no_challenge_response_null
+      | syservs_no_password_authentication_null
+      | syservs_no_passwords_null
+      | syservs_no_public_keys_null
+      | syservs_no_tcp_forwarding_null
+      | syservs_root_login_null
+      | syservs_tcp_forwarding_null
+      | syservs_null
+   )?
+;
+
+syserv_telnet
+:
+   TELNET
+   (
+      apply_groups
+      | sy_authentication_order
+      | syserv_common_null
+   )?
 ;
 
-sy_services_null
+syserv_null
 :
    (
       DATABASE_REPLICATION
@@ -343,31 +368,80 @@ syr_encrypted_password
    ENCRYPTED_PASSWORD password = secret_string
 ;
 
-sysl_null
+syserv_common_null
 :
+   // Options shared by SSH, FTP, and TELNET
+   (
+      CONNECTION_LIMIT
+      | RATE_LIMIT
+   ) null_filler
+;
+
+syservs_access_disable_external_null
+:
+   ACCESS_DISABLE_EXTERNAL
+;
+
+syservs_allow_tcp_forwarding_null
+:
+   ALLOW_TCP_FORWARDING
+;
+
+syservs_no_challenge_response_null
+:
+   NO_CHALLENGE_RESPONSE
+;
+
+syservs_no_password_authentication_null
+:
+   NO_PASSWORD_AUTHENTICATION
+;
+
+syservs_no_public_keys_null
+:
+   NO_PUBLIC_KEYS
+;
+
+syservs_null
+:
+   // Other SSH-only options (not yet extracted)
    (
       AUTHORIZED_KEYS_COMMAND
       | AUTHORIZED_KEYS_COMMAND_USER
       | CIPHERS
       | CLIENT_ALIVE_COUNT_MAX
       | CLIENT_ALIVE_INTERVAL
-      | CONNECTION_LIMIT
       | FINGERPRINT_HASH
       | HOSTKEY_ALGORITHM
       | KEY_EXCHANGE
       | MACS
       | MAX_PRE_AUTHENTICATION_PACKETS
       | MAX_SESSIONS_PER_CONNECTION
-      | NO_PASSWORDS
-      | NO_TCP_FORWARDING
       | PROTOCOL_VERSION
-      | RATE_LIMIT
       | REKEY
-      | ROOT_LOGIN
-      | TCP_FORWARDING
    ) null_filler
 ;
 
+syservs_no_passwords_null
+:
+   NO_PASSWORDS
+;
+
+syservs_no_tcp_forwarding_null
+:
+   NO_TCP_FORWARDING
+;
+
+syservs_root_login_null
+:
+   ROOT_LOGIN null_filler
+;
+
+syservs_tcp_forwarding_null
+:
+   TCP_FORWARDING
+;
+
 sysp_logical_system
 :
   LOGICAL_SYSTEM name = junos_name

diff --git a/projects/batfish/src/main/java/org/batfish/grammar/flatjuniper/ConfigurationBuilder.java b/projects/batfish/src/main/java/org/batfish/grammar/flatjuniper/ConfigurationBuilder.java
@@ -458,7 +458,6 @@
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Junos_applicationContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Junos_application_setContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Junos_nameContext;
-import org.batfish.grammar.flatjuniper.FlatJuniperParser.Line_typeContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Mpls_admin_groupsContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Mpls_pathContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Mpls_rib_nameContext;
@@ -806,14 +805,16 @@
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sy_portsContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sy_porttypeContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sy_security_profileContext;
-import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sy_services_linetypeContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sy_tacplus_serverContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syn_serverContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syn_server_routing_instanceContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syn_source_addressContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syp_disableContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syr_encrypted_passwordContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sys_hostContext;
+import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syserv_ftpContext;
+import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syserv_sshContext;
+import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syserv_telnetContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sysh_routing_instanceContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Sysp_logical_systemContext;
 import org.batfish.grammar.flatjuniper.FlatJuniperParser.Syt_routing_instanceContext;
@@ -4200,9 +4201,7 @@ public void enterSy_security_profile(Sy_security_profileContext ctx) {
     _configuration.defineFlattenedStructure(SECURITY_PROFILE, toString(ctx.name), ctx, _parser);
   }
 
-  @Override
-  public void enterSy_services_linetype(Sy_services_linetypeContext ctx) {
-    String name = toString(ctx.linetype);
+  private void enterServiceLine(String name) {
     _currentLogicalSystem.getJf().getLines().computeIfAbsent(name, Line::new);
     _currentLine = _currentLogicalSystem.getJf().getLines().get(name);
 
@@ -4216,6 +4215,21 @@ public void enterSy_services_linetype(Sy_services_linetypeContext ctx) {
     }
   }
 
+  @Override
+  public void enterSyserv_ftp(Syserv_ftpContext ctx) {
+    enterServiceLine("ftp");
+  }
+
+  @Override
+  public void enterSyserv_ssh(Syserv_sshContext ctx) {
+    enterServiceLine("ssh");
+  }
+
+  @Override
+  public void enterSyserv_telnet(Syserv_telnetContext ctx) {
+    enterServiceLine("telnet");
+  }
+
   @Override
   public void enterSy_tacplus_server(Sy_tacplus_serverContext ctx) {
     String hostname = toString(ctx.tacplus_server_host());
@@ -7534,7 +7548,17 @@ public void exitSy_ports(Sy_portsContext ctx) {
   }
 
   @Override
-  public void exitSy_services_linetype(Sy_services_linetypeContext ctx) {
+  public void exitSyserv_ftp(Syserv_ftpContext ctx) {
+    _currentLine = null;
+  }
+
+  @Override
+  public void exitSyserv_ssh(Syserv_sshContext ctx) {
+    _currentLine = null;
+  }
+
+  @Override
+  public void exitSyserv_telnet(Syserv_telnetContext ctx) {
     _currentLine = null;
   }
 
@@ -8250,10 +8274,6 @@ private AsPath toAsPath(As_path_exprContext path) {
     return unquote(ctx.getText(), ctx);
   }
 
-  private static @Nonnull String toString(Line_typeContext ctx) {
-    return ctx.getText();
-  }
-
   private @Nonnull Optional<String> toString(Bgp_description_textContext ctx) {
     String description = unquote(ctx.getText(), ctx.getParent());
     // Juniper requires BGP descriptions to be between 1 and 255 characters

diff --git a/projects/batfish/src/test/java/org/batfish/grammar/flatjuniper/FlatJuniperGrammarTest.java b/projects/batfish/src/test/java/org/batfish/grammar/flatjuniper/FlatJuniperGrammarTest.java
@@ -1011,6 +1011,16 @@ public void testClassOfServiceParsing() {
     parseJuniperConfig("juniper-class-of-service");
   }
 
+  @Test
+  public void testInterfaceMacLimitParsing() {
+    parseJuniperConfig("interface-mac-limit");
+  }
+
+  @Test
+  public void testSystemServicesSshParsing() {
+    parseJuniperConfig("system-services-ssh");
+  }
+
   @Test
   public void testL2Topology() throws IOException {
     /*