# policygen v0.1.0 - Network Policy Compiler

Natural language to vendor-specific ACLs and firewall rules. Transform plain-English policy descriptions into production-ready firewall configurations for Cisco IOS, JunOS, Arista EOS, and iptables.
## Architecture

```text
                    +------------------+
                    |  Natural Lang    |
                    |  Policy Intent   |
                    |                  |
                    | "block SSH from  |
                    |  10.0.0.0/8 to   |
                    |  DMZ servers"    |
                    +--------+---------+
                             |
                             v
               +-------------+-------------+
               |      Intent Parser        |
               |                           |
               | - Action extraction       |
               | - Protocol detection      |
               | - Network resolution      |
               | - Port mapping            |
               | - Service name lookup     |
               +-------------+-------------+
                             |
                             v
                    +--------+--------+
                    |   PolicyRule    |
                    |   (canonical)   |
                    +-+------+------+-+
                      |      |      |
          +-----------+      |      +-----------+
          |                  |                  |
          v                  v                  v
+---------+------+ +---------+------+ +---------+-------+
|   Validator    | |    Compiler    | |   Diff Engine   |
|                | |                | |                 |
| - Conflicts    | | - Cisco IOS    | | - Added rules   |
| - Shadows      | | - JunOS        | | - Removed rules |
| - Permit-any   | | - Arista EOS   | | - Modified rules|
| - Lockout      | | - iptables     | |                 |
| - Deny-all     | |                | |                 |
+----------------+ +---------+------+ +-----------------+
                             |
                             v
                +------------+------------+
                |  Vendor-Specific ACL    |
                |                         |
                |  ip access-list ext ... |
                |  10 deny tcp ...        |
                +-------------------------+
```
## Features

- **Intent Parser** -- Parse natural language policy descriptions into structured rules. Recognizes actions, protocols, well-known services (SSH, HTTPS, DNS, etc.), CIDR notation, and port ranges.
- **Multi-Vendor Compiler** -- Generate ACLs for:
  - Cisco IOS (extended ACLs with remarks)
  - JunOS (firewall filters with terms)
  - Arista EOS (ip access-lists)
  - iptables (chain rules with logging)
- **Policy Validation** -- Detect conflicts, shadowed rules, missing deny-all, overly broad permits, and management lockout scenarios.
- **Safety Checks** -- Guardrails that warn on permit-any, flag broad rules, and detect potential lockout before deployment.
- **Policy Diff** -- Compare two policy sets side-by-side. See added, removed, and modified rules at a glance.
- **Batch Mode** -- Process multiple policy intents from a YAML file for repeatable, auditable policy generation.
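To make the intent -> PolicyRule -> compiler/validator pipeline above concrete, here is an added, self-contained sketch of those three stages; it is illustrative code, not policygen's own implementation. The service table, the `PolicyRule` fields, the warning strings and the Cisco-only output are assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed subset of a service table; policygen's real lookup covers many more names.
SERVICES = {"ssh": ("tcp", 22), "https": ("tcp", 443), "dns": ("udp", 53),
            "telnet": ("tcp", 23), "ip": ("ip", None)}
ACTIONS = {"allow": "permit", "permit": "permit", "block": "deny", "deny": "deny"}
INTENT = re.compile(r"^(allow|permit|block|deny)\s+(?:(\w+)\s+)?from\s+(\S+)\s+to\s+(\S+)$", re.I)

@dataclass(frozen=True)
class PolicyRule:  # hypothetical canonical form shared by the compiler and the validator
    action: str
    proto: str
    port: int | None
    src: IPv4Network
    dst: IPv4Network

def _net(s: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if s.lower() == "any" else ip_network(s)

ANY_ANY = PolicyRule("deny", "ip", None, _net("any"), _net("any"))

def parse_intent(text: str) -> PolicyRule:
    # A missing service name ("deny from any to any") means all IP traffic.
    if not (m := INTENT.match(text.strip())) or (svc := (m.group(2) or "ip").lower()) not in SERVICES:
        raise ValueError(f"unrecognised intent: {text!r}")
    action, _, src, dst = m.groups()
    return PolicyRule(ACTIONS[action.lower()], *SERVICES[svc], _net(src), _net(dst))

def _wild(n: IPv4Network) -> str:  # Cisco wildcard-mask notation
    return "any" if n.prefixlen == 0 else f"{n.network_address} {n.hostmask}"

def compile_cisco(rules: list[PolicyRule], name: str = "dmz-acl") -> str:
    lines = [f"ip access-list extended {name}"]
    for seq, r in enumerate(rules, 1):
        port = f" eq {r.port}" if r.port else ""
        lines.append(f" {seq * 10} {r.action} {r.proto} {_wild(r.src)} {_wild(r.dst)}{port}")
    return "\n".join(lines)

def _covers(a: PolicyRule, b: PolicyRule) -> bool:  # every packet matching b also matches a
    return (a.proto in ("ip", b.proto) and a.port in (None, b.port)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def validate(rules: list[PolicyRule]) -> list[str]:
    warnings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and _covers(r, ANY_ANY):
            warnings.append(f"rule {i + 1}: permit-any")
        for j in range(i):  # earlier rules match first, so a broader one shadows r
            if _covers(rules[j], r):
                warnings.append(f"rule {i + 1}: shadowed by rule {j + 1}")
    if not rules or rules[-1].action != "deny" or not _covers(rules[-1], ANY_ANY):
        warnings.append("no explicit deny-all at the end")
    return warnings
```

Running `validate` over the three intents from the `policygen validate` example below flags rule 3 as permit-any and the set as lacking a trailing deny-all, which is exactly the pair of findings the real validator is meant to surface before deployment.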
## Installation

```bash
pip install .
```

Or with Docker:

```bash
docker compose build
```

## Usage

### Generate an ACL

```bash
# Cisco IOS (default)
policygen generate "block SSH from 10.0.0.0/8 to 192.168.1.0/24"

# JunOS
policygen generate -t junos "allow HTTPS from any to 10.1.0.0/16"

# iptables
policygen generate -t iptables "deny telnet from any to any"

# All vendors at once
policygen generate -a "permit DNS from 10.0.0.0/8 to 8.8.8.0/24"
```

### Validate a policy set

```bash
policygen validate \
  "allow HTTPS from any to 10.0.0.0/8" \
  "deny SSH from any to 10.0.0.0/8" \
  "permit ip from any to any"
```

### Diff two policy sets

```bash
policygen diff \
  "allow SSH from 10.0.0.0/8 to 192.168.1.0/24" \
  --new "allow SSH from 172.16.0.0/12 to 192.168.1.0/24" \
  --new "allow HTTPS from any to 192.168.1.0/24"
```

### Batch mode

```yaml
# policies.yml
name: dmz-acl
vendor: cisco_ios
intents:
  - "allow HTTPS from any to 10.1.0.0/24"
  - "allow SSH from 10.0.0.0/8 to 10.1.0.0/24"
  - "block telnet from any to any"
  - "deny from any to any"
```

```bash
policygen batch policies.yml
policygen batch policies.yml --vendor junos
```

### Docker

```bash
# Build
docker compose build

# Generate
docker compose run policy-engine generate "block SSH from any to 10.0.0.0/8"

# Validate
docker compose run validator
```

## Supported services

SSH, HTTP, HTTPS, DNS, FTP, SMTP, POP3, IMAP, Telnet, SNMP, RDP, MySQL, PostgreSQL, NTP, Syslog, TFTP, BGP, LDAP, LDAPS, RADIUS, SIP, and more.

## Development

```bash
# Install in development mode
pip install -e .

# Run tests
pytest -v

# Lint
ruff check src/ tests/
```

## License

MIT License -- Copyright (c) 2026 Corey Wade