{"id":25340129,"url":"https://github.com/ag4ve/nf-save","last_synced_at":"2025-06-21T10:08:02.077Z","repository":{"id":14123439,"uuid":"16828533","full_name":"ag4ve/NF-Save","owner":"ag4ve","description":"Take in a data structure and output nf/iptables and ipset save data","archived":false,"fork":false,"pushed_at":"2017-11-06T00:46:17.000Z","size":275,"stargazers_count":3,"open_issues_count":2,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-21T10:07:44.416Z","etag":null,"topics":["firewall","firewall-configuration","firewall-framework","firewall-management","firewall-rules","firewall-template","internal-data","ipset","ipset-data","iptables","netfilter","perl"],"latest_commit_sha":null,"homepage":null,"language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ag4ve.png","metadata":{"files":{"readme":"README.md","changelog":"Changes","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-02-14T05:55:43.000Z","updated_at":"2023-05-12T16:40:13.000Z","dependencies_parsed_at":"2022-09-21T04:10:37.579Z","dependency_job_id":null,"html_url":"https://github.com/ag4ve/NF-Save","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ag4ve/NF-Save","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ag4ve%2FNF-Save","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ag4ve%2FNF-Save/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ag4ve%2FNF-Save/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ag4ve%2FNF-Save/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/ag4ve","download_url":"https://codeload.github.com/ag4ve/NF-Save/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ag4ve%2FNF-Save/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261103451,"owners_count":23109932,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","firewall-configuration","firewall-framework","firewall-management","firewall-rules","firewall-template","internal-data","ipset","ipset-data","iptables","netfilter","perl"],"created_at":"2025-02-14T07:52:37.015Z","updated_at":"2025-06-21T10:07:57.065Z","avatar_url":"https://github.com/ag4ve.png","language":"Perl","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NAME\n\nNF::Save - Module for storing, parsing, and restoring iptables and \nipset data.\n\n# SYNOPSIS\n\n    use NF::Save;\n\n    my $oIPT = NF::Save-\u003enew(\n      {\n        'Policy'  =\u003e\n        {\n          'filter'    =\u003e\n          {\n            'INPUT'       =\u003e 'DROP',\n            'OUTPUT'      =\u003e 'DROP',\n            'FORWARD'     =\u003e 'DROP',\n          },\n        }\n      }\n    );\n\n    my $paStruct = \n    [\n      {\n        'in' =\u003e \"eth0\",\n        'udp' =\u003e \n        {\n          'sport' =\u003e \"1024:65535\",\n          'dport' =\u003e \"53\",\n        }, \n        'dst' =\u003e \"192.168.15.1\",\n        'comment' =\u003e [qw/nameserver/],\n        'jump' =\u003e \"ACCEPT\",\n      },\n      {\n        # more rules\n      },\n    ];\n\n    # Add rules to the OUTPUT chain.\n    
foreach my $phRule (@$paStruct)\n    {\n      $oIPT-\u003erule('OUTPUT', $phRule);\n    }\n\n    # Get a set of rules that could be used with: \n    # $ ./firewall.pl | iptables-restore\n\n    # And to get the ipset set\n    print \"$_\\n\" for ($oIPT-\u003esave());\n\n# DESCRIPTION\n\nNF-Save is intended to let perl import/export firewall rules and ipsets\nin the exact syntax used by iptables-save / iptables-restore and ipset\nsave / ipset restore: same order of arguments, same way of expanding\ntokens, same defaults when things weren't explicitly specified, etc.\n\nThat way, existing policies can be imported easily and completely, and\npolicies composed in perl code can be written out in a way that is 100%\ndiff-compatible with iptables-save output.\n\nLess commonly used methods are documented in [NF::Save::Misc](https://metacpan.org/pod/NF::Save::Misc). If you wish \nto create new modules, see [NF::Save::ModuleDoc](https://metacpan.org/pod/NF::Save::ModuleDoc).\n\n# Common methods\n\n## new(%Options)\n\n%Options:\n\n- `%UIDs` contains a hash of {'username' =\u003e #id}\n- `@IPTLookup` contains replacement data to be used to handle the data \nstructure (an index with an undefined value will not affect the \noriginal array).\n- `@Flags` contains a hash of flags to be used when --syn/mss/etc would \nhave been used - (arbitrary names can be defined).\n- `$UseIPSET` boolean - whether or not to default lists as ipset.\n- `%Policy` default policy to use.\n- `$Trace` boolean - whether or not to print a stack trace with warnings.\n- `$PreCheck` boolean - whether or not to pre-check the structure passed \nto rule().\n- `@Modules` list of NF::Save modules to use. If this is a string, all \nmodules in this namespace will be loaded.\n\n## get($sChain, $sTable)\n\nReturn the internal data structure used to store iptables information.\n\n## useipset($sBool)\n\nReturn whether ipset is used by default and optionally change whether\nor not ipset is used by default. 
So:\n`$ipt-\u003euseipset(1);`\nis the same as:\n`$ipt-\u003enew({UseIPSET =\u003e 1});`\n\n## rule($sChain, $sRule, $sTable, $sFunc)\n\nAn interface designed to look fairly similar to the iptables CLI.\n\nThe tcp '--syn' and '! --syn' options add masks from individual from\nthe $rhFlags hashref.\n\nThe big difference is that the chain is separate from the action.\n\n- This:\n`iptables -I INPUT 5 -j ACCEPT`\n- Turns into this:\n`$ipt-\u003erule('INPUT', {jump =\u003e 'ACCEPT'}, undef, 'I 5');`\n- The default is to APPEND to the filter table, which means the pattern is:\n`$ipt-\u003erule('INPUT', {jump =\u003e 'ACCEPT'});`\n- Delete and replace have been implemented for completeness - for replace:\n`$ipt-\u003erule('OUTPUT', {jump =\u003e 'ACCEPT'}, 'filter', 'R 5');`\n\n## get\\_ipset\\_data($sName)\n\nReturn internal data for an ipset or all sets if no name was given.\n\n## save()\n\nReturn an array that can be passed to iptables-restore. This data \nshould duplicate iptables-save so that data generated with this and \nrestored into iptables would show no difference when compared to the\noutput of:\n\niptables-save\n\n## assemble(%$phParams, $sChain, $check)\n\nCreate an iptables rule for a data structure definition.\nThe chain name and whether to check the ruleset are optional.\n\n# DOCUMENTATION SYNTAX\n\nWhen defining the values in a hash, perl data types are used to \ndescribe the value type and variable names that are used to define \nthe key name. Documentation may define an alternative data type not\nself documented in this syntax. 
A hash that looks like:\n\n{\n  array   =\u003e \\[qw/1 2 3/\\],\n  hash    =\u003e {\"a\" =\u003e \"1\", \"b\" =\u003e \"2\"},\n  string  =\u003e \"foo\",\n}\n\nWould be defined as:\n\n- `@array` description\n- `%hash` description\n- `$string` description\n\n# TODO\n\n- Need more tests (branch coverage is ~40%) and use cases\n    - Need to handle more modules\n- Integration with libiptc using FFI or similar instead of using IPC\n- Make NF::RuleParser to make a NF::Save structure from iptables\n- IPT allows deletion on exact rule match - not supported here\n\n# AUTHOR\n\nShawn Wilson \u003cag4ve.us@gmail.com\u003e\n\n# THANKS\n\nA special thanks to Korelogic for giving inspiration and funding for most\nof this work and allowing it to be open sourced.\n\n# COPYRIGHT\n\nCopyright 2017 - Shawn Wilson\n\n# LICENSE\n\nThe GNU Lesser General Public License, version 3.0 (LGPL-3.0)\nhttp://opensource.org/licenses/LGPL-3.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fag4ve%2Fnf-save","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fag4ve%2Fnf-save","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fag4ve%2Fnf-save/lists"}