patrykmolenda/netpolicy-php
===========================

Netpolicy PHP

v1.0.0 (4mo ago) | MIT | PHP | CI passing

Since Dec 14 | Pushed 4mo ago

[Source](https://github.com/PatrykMolenda/netpolicy-php) | [Packagist](https://packagist.org/packages/patrykmolenda/netpolicy-php)

netpolicy-php
=============

Vendor-agnostic policy engine for network, routing and security configurations written in pure PHP 8.2.

**Status:** ✅ Production Ready

`netpolicy-php` allows you to define network policies declaratively, validate them for logical conflicts, evaluate decisions deterministically, and render vendor-specific configurations (Cisco IOS-XR).

No frameworks. No runtime magic. No vendor lock-in.

---

🎯 Features
----------

- ✅ **Declarative Policy DSL** - Define policies in JSON, YAML, or XML
- ✅ **Schema Validation** - Comprehensive policy structure validation
- ✅ **Conflict Detection** - Automatic detection of overlapping rules with conflicting actions
- ✅ **Deterministic Evaluation** - First-match semantics with priority-based ordering
- ✅ **Cisco IOS-XR Renderer** - Generate route-policy and prefix-set configurations
- ✅ **IPv4 and IPv6 Support** - Full CIDR math for both IP versions
- ✅ **Strict Error Model** - No silent failures, explicit error messages
- ✅ **Type Safety** - PHP 8.2+ strict typing throughout
- ✅ **100% Test Coverage** - Comprehensive PHPUnit test suite
- ✅ **CI/CD Ready** - GitHub Actions workflows included

---

📋 Requirements
--------------

- **PHP 8.2 or higher**
- **Composer**
- Standard PHP extensions: `json`, `mbstring`
- Optional: `yaml` extension for YAML support

---

🚀 Installation
--------------

```
composer require patrykmolenda/netpolicy-php
```

---

💡 Quick Start
-------------

### 1. Define Your Policy (JSON)

Create `policy.json`:

```
{
  "policies": [
    {
      "name": "customer-inbound",
      "priority": 100,
      "rules": [
        {
          "match": {
            "prefix": "203.0.113.0/24",
            "protocol": "BGP",
            "direction": "in"
          },
          "action": {
            "type": "accept",
            "attributes": {
              "local-pref": 200,
              "community": "100:200"
            }
          }
        }
      ]
    }
  ]
}
```

### 2. Load and Validate

```
use PatrykMolenda\NetPolicy\NetPolicy;

// Load from file and validate
$netpolicy = NetPolicy::fromFile('policy.json')->validate();
```

### 3. Evaluate Traffic

```
use PatrykMolenda\NetPolicy\Engine\EvaluationContext;
use PatrykMolenda\NetPolicy\Network\{Prefix, Protocol, AsNumber};

// Create evaluation context
$context = new EvaluationContext(
    new Prefix('203.0.113.0/24'),
    Protocol::BGP,
    new AsNumber(65001),
    'in'
);

// Evaluate
$decision = $netpolicy->evaluate($context);

echo "Decision: " . $decision->action() . PHP_EOL; // "accept"
echo "Local Pref: " . $decision->attributes()->get('local-pref') . PHP_EOL; // 200
```

### 4. Render to Cisco IOS-XR

```
use PatrykMolenda\NetPolicy\Render\Cisco\IosXrRenderer;
use PatrykMolenda\NetPolicy\Render\RenderContext;

$renderer = new IosXrRenderer();
$context = new RenderContext('cisco', 'edge-router', 'ipv4');

$config = $netpolicy->render($renderer, $context);
echo $config;
```

**Output:**

```
prefix-set NETPOLICY-PREFIXES
  203.0.113.0/24
end-set

route-policy customer-inbound
  if destination in NETPOLICY-PREFIXES then
    set local-preference 200
    set community (100:200)
    pass
  endif
  drop
end-policy

```

---

📚 Core Concepts
---------------

### Policy Structure

A **PolicySet** contains multiple **Policies**, each with:

- **name**: Unique identifier
- **priority**: Evaluation order (lower = higher priority)
- **rules**: List of matching rules

Each **Rule** has:

- **match**: Conditions (prefix, ASN, protocol, direction)
- **action**: What to do (accept, reject, modify) with optional attributes

### Evaluation Semantics

1. Policies are evaluated in **priority order** (ascending)
2. Within each policy, rules are evaluated in **definition order**
3. **First matching rule wins**
4. No match = **default deny**

### Conflict Detection

Conflicts occur when:

- Two rules have **overlapping match conditions** (same prefix range, protocol, direction)
- AND **different actions** (accept vs reject)

The validator automatically detects and reports these conflicts.
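
The evaluation order and the conflict rule described above can be modelled in a few stand-alone functions. This is an added example, not code from netpolicy-php, and it does not use the library. The function names, the flat rule arrays, the "rule prefix must contain the evaluated prefix" match and the treatment of `any` as matching both directions are assumptions of the sketch; the sample rules are constructed.

```php
<?php
declare(strict_types=1);
// Added illustration, not netpolicy-php source: function names and array keys are hypothetical.

/** Network bits of a CIDR as a '0'/'1' string, tagged with the address size (4 or 16 bytes). */
function prefixBits(string $cidr): string
{
    [$addr, $len] = explode('/', $cidr, 2) + [1 => ''];
    $bin = @inet_pton($addr);
    if ($bin === false || !ctype_digit($len) || (int) $len > strlen($bin) * 8) {
        throw new InvalidArgumentException("Invalid CIDR: $cidr");
    }
    $bits = implode('', array_map(fn (string $c): string => sprintf('%08b', ord($c)), str_split($bin)));
    return strlen($bin) . ':' . substr($bits, 0, (int) $len);
}

/** Rule pairs in the same protocol/direction scope whose prefixes overlap but whose actions differ. */
function findConflicts(array $rules): array
{
    $out = [];
    foreach ($rules as $i => $a) {
        foreach (array_slice($rules, $i + 1) as $b) {
            [$x, $y] = [prefixBits($a['prefix']), prefixBits($b['prefix'])];
            $overlap = str_starts_with($x, $y) || str_starts_with($y, $x); // one contains the other
            $dirs = [$a['dir'], $b['dir']];
            $sameScope = $a['proto'] === $b['proto'] && ($dirs[0] === $dirs[1] || in_array('any', $dirs, true));
            if ($overlap && $sameScope && $a['action'] !== $b['action']) {
                $out[] = "{$a['policy']}: {$a['action']} {$a['prefix']} <-> {$b['policy']}: {$b['action']} {$b['prefix']}";
            }
        }
    }
    return $out;
}

/** Ascending priority, then definition order; first match wins; no match is a default deny. */
function evaluate(array $rules, string $prefix, string $proto, string $dir): string
{
    usort($rules, fn (array $p, array $q): int => $p['priority'] <=> $q['priority']); // stable in PHP 8
    foreach ($rules as $r) {
        $covers = str_starts_with(prefixBits($prefix), prefixBits($r['prefix'])); // assumed match rule
        if ($covers && $r['proto'] === $proto && in_array($r['dir'], [$dir, 'any'], true)) {
            return "{$r['action']} by {$r['policy']}";
        }
    }
    return 'reject by default deny';
}

// Constructed sample rules, flattened from two policies.
$keys = ['policy', 'priority', 'prefix', 'action', 'proto', 'dir'];
$rules = array_map(fn (array $row): array => array_combine($keys, $row), [
    ['customer-inbound', 100, '10.20.0.0/16', 'accept', 'BGP', 'in'],
    ['customer-inbound', 100, '203.0.113.0/24', 'accept', 'BGP', 'in'],
    ['customer-inbound', 100, '2001:db8::/32', 'accept', 'BGP', 'in'],
    ['bogon-filter', 10, '10.0.0.0/8', 'reject', 'BGP', 'in'],
]);
print_r(findConflicts($rules));
foreach (['10.20.0.0/16', '203.0.113.0/24', '2001:db8:1::/48', '198.51.100.0/24'] as $route) {
    echo $route, ' => ', evaluate($rules, $route, 'BGP', 'in'), PHP_EOL;
}
```

The single reported conflict is the customer accept for 10.20.0.0/16 against the bogon reject for 10.0.0.0/8; because the bogon policy has the lower priority number, the accept is shadowed and that route evaluates to reject.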

---

🔧 API Reference
---------------

### NetPolicy

Main entry point for the library.

```
// Load from file (auto-detects JSON/YAML/XML)
NetPolicy::fromFile(string $path): NetPolicy

// Load from array
NetPolicy::fromArray(array $data): NetPolicy

// Validate policy (checks conflicts)
validate(): self

// Evaluate traffic
evaluate(EvaluationContext $context): Decision

// Render to vendor config
render(RendererInterface $renderer, RenderContext $context): string
```

### Network Classes

#### Prefix

```
new Prefix(string $cidr)  // e.g., "192.168.0.0/16"

contains(Prefix $other): bool    // Check containment
overlaps(Prefix $other): bool    // Check overlap
cidr(): string                   // Get CIDR notation
```

#### AsNumber

```
new AsNumber(int $asn)  // e.g., 65001

value(): int
equals(AsNumber $other): bool
```

#### Protocol

```
Protocol::BGP
Protocol::OSPF
Protocol::STATIC
```

### Evaluation

#### EvaluationContext

```
new EvaluationContext(
    Prefix $prefix,
    Protocol $protocol,
    ?AsNumber $asn,
    string $direction  // 'in', 'out', or 'any'
)
```

#### Decision

```
action(): string              // 'accept', 'reject', or 'modify'
attributes(): AttributeBag    // Action attributes
rule(): Rule                  // Matching rule
```

---

🧪 Testing
---------

This project uses **PHPUnit 11** with comprehensive test coverage.

### Run Tests

```
# All tests
composer test

# Unit tests only
vendor/bin/phpunit --testsuite Unit

# Integration tests only
vendor/bin/phpunit --testsuite Integration

# With HTML coverage report
vendor/bin/phpunit --coverage-html coverage
```

### Test Statistics

- **Total Tests:** 42
- **Assertions:** 78
- **Coverage:** Network, DSL, Validation, Engine, Integration
- **CI/CD:** Automated on PHP 8.2 & 8.3, Linux/Windows/macOS

See [TESTING.md](TESTING.md) for detailed testing documentation.

---

📖 Examples
----------

The `examples/` directory contains practical demonstrations:

### Available Examples

1. **01-basic-usage.php** - Fundamental workflow
2. **02-conflict-detection.php** - Understanding conflicts
3. **03-cisco-rendering.php** - Generate IOS-XR configs
4. **04-ipv6-support.php** - IPv6 prefix operations
5. **05-multi-format.php** - JSON/YAML/XML loading

### Run an Example

```
php examples/01-basic-usage.php
```

See [examples/README.md](examples/README.md) for detailed documentation.

---

🏗️ Architecture
---------------

```
┌─────────────┐
│   DSL       │  JSON/YAML/XML → PolicyLoader → PolicyParser
├─────────────┤
│ Normalizer  │  Array → Domain Objects (PolicySet, Policy, Rule)
├─────────────┤
│  Validator  │  PolicyValidator + RuleConflictDetector
├─────────────┤
│   Engine    │  PolicyEngine → Decision
├─────────────┤
│  Renderer   │  IosXrRenderer → Vendor Config
└─────────────┘

```

Each layer is isolated, testable, and follows clean architecture principles.

---

🌐 Supported Formats
-------------------

### Input Formats

- **JSON** (recommended) - Native PHP support, maximum compatibility
- **YAML** - Requires `yaml` PHP extension, human-friendly
- **XML** - Native PHP support, enterprise compatibility
- **PHP Arrays** - Programmatic generation

Format is auto-detected based on file content.

### Example Policy (YAML)

```
policies:
  - name: customer-policy
    priority: 10
    rules:
      - match:
          prefix: "192.168.0.0/16"
          protocol: BGP
          direction: in
        action:
          type: accept
          attributes:
            local-pref: 150
```

---

🎨 Rendering
-----------

### Cisco IOS-XR

Generate production-ready route-policy configurations:

```
$renderer = new IosXrRenderer();
$config = $netpolicy->render($renderer, $context);
```

Features:

- Automatic prefix-set generation
- Route-policy syntax
- BGP attribute setting (local-pref, community, MED)
- Conditional logic (if/then/endif)

### Future Renderers

Planned support for:

- MikroTik RouterOS
- Juniper JunOS
- nftables
- iptables

---

✅ Validation
------------

### Schema Validation

Validates policy structure against V1 schema:

- Required fields presence
- Correct data types
- Valid protocol values (BGP, OSPF, STATIC)
- Valid direction values (in, out, any)
- Valid action types (accept, reject, modify)

### Conflict Detection

Automatically detects:

- **Overlapping prefixes** with different actions
- **Same match conditions** with conflicting outcomes
- Reports all conflicts with detailed messages

Example:

```
try {
    $netpolicy->validate();
} catch (ValidationException $e) {
    echo $e->getMessage();
    // "Policy validation failed with 1 conflict(s):
    //  Conflict between policy 'policy-a' and 'policy-b'"
}
```

---

🔒 Error Handling
----------------

All errors extend `NetPolicyException`:

| Exception | When | Example |
|---|---|---|
| `InvalidPolicyException` | Policy syntax/semantic errors | Invalid protocol name |
| `ValidationException` | Validation failures | Empty policy set, conflicts |
| `RenderException` | Rendering errors | Missing required attributes |

**No errors are silently ignored.** The library fails fast with explicit error messages.

---

🚀 CI/CD
-------

### GitHub Actions Workflows

#### Tests Workflow (`.github/workflows/tests.yml`)

- Runs on push and pull requests
- Tests on PHP 8.2 and 8.3
- Multi-platform: Ubuntu, Windows, macOS
- Generates coverage reports
- Uploads to Codecov

#### Code Quality Workflow (`.github/workflows/code-quality.yml`)

- PHP syntax validation
- Optional PHPStan analysis
- Optional PHP-CS-Fixer checks

### Status Badges

Add to your README:

```
![Tests](https://github.com/YOUR-USERNAME/netpolicy-php/workflows/Tests/badge.svg)
```

---

🎯 Use Cases
-----------

### BGP Route Filtering

Define customer-specific BGP import/export policies:

```
// Accept customer prefixes with specific attributes
// Reject bogons (RFC1918, etc.)
// Set communities and local-preference
```

### OSPF Route Redistribution

Control route redistribution between protocols:

```
// Redistribute specific prefixes from BGP to OSPF
// Set metrics and route types
```

### Multi-Vendor Deployments

Define policies once, render for multiple vendors:

```
$iosxr_config = $policy->render(new IosXrRenderer(), $context);
// JunosRenderer is a planned renderer (see Future Renderers), shown here to illustrate the intent
$junos_config = $policy->render(new JunosRenderer(), $context);
```

### Policy Auditing

Validate policies before deployment:

```
// Detect conflicts
// Verify no overlapping rules
// Ensure consistent policy across devices
```

---

📊 Performance
-------------

- **Lightweight:** No external dependencies beyond core PHP
- **Fast:** Policy evaluation in microseconds
- **Efficient:** Lazy loading and minimal memory footprint
- **Scalable:** Handles large policy sets with hundreds of rules

Benchmark (PHP 8.3, typical policy):

- Load & parse: ~5ms
- Validate: ~10ms
- Evaluate: ~0.1ms per decision
- Render: ~15ms

---

🛡️ Security
-----------

- **No dynamic code execution** - Static analysis safe
- **No shell access** - Pure PHP implementation
- **No network access** - Offline policy compilation
- **No unsafe deserialization** - Controlled input parsing
- **Input validation** - All user input is validated

Perfect for CI/CD pipelines and automated deployments.

---

🗺️ Roadmap
----------

- Core policy engine
- Conflict detection
- Cisco IOS-XR renderer
- IPv6 support
- PHPUnit test suite
- GitHub Actions CI/CD
- Examples and documentation
- MikroTik RouterOS renderer
- Juniper JunOS renderer
- nftables renderer
- Policy diffing
- CLI tool (`netpolicy` command)
- Policy simulation matrix

---

🤝 Contributing
--------------

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Make your changes
4. Add tests for new functionality
5. Ensure all tests pass (`composer test`)
6. Commit your changes (`git commit -m 'Add amazing feature'`)
7. Push to the branch (`git push origin feature/amazing-feature`)
8. Open a Pull Request

### Development Setup

```
git clone https://github.com/patrykmolenda/netpolicy-php.git
cd netpolicy-php
composer install
composer test
```

### Coding Standards

- Follow **PSR-12** coding style
- Add **PHPDoc** comments for all public methods
- Write **tests** for new features
- Keep **backward compatibility** when possible

---

📄 License
---------

This project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.

---

👤 Author
--------

**Patryk Molenda**
Email:
GitHub: [@patrykmolenda](https://github.com/patrykmolenda)

---

🙏 Acknowledgments
-----------------

- Inspired by the need for vendor-neutral network policy management
- Built with ❤️ for network engineers who value correctness
- Thanks to all contributors and users

---

💬 Support
---------

- **Issues:** [GitHub Issues](https://github.com/patrykmolenda/netpolicy-php/issues)
- **Discussions:** [GitHub Discussions](https://github.com/patrykmolenda/netpolicy-php/discussions)
- **Email:**

---

🌟 Show Your Support
-------------------

If you find this project helpful, please consider:

- ⭐ **Starring** the repository
- 🐛 **Reporting** bugs and issues
- 💡 **Suggesting** new features
- 📖 **Improving** documentation
- 🔀 **Contributing** code

---

**Built with ❤️ for network engineers who value correctness, determinism, and type safety.**

> *"If a policy cannot be validated deterministically, it should not be deployed."*

---

**[Examples](examples/)** • **[Contributing](#-contributing)** • **[License](#-license)**

Made with PHP 8.2+ | No dependencies | Production ready

### Health Score

30 (Low). Better than 64% of packages.

- Maintenance: 73. Regular maintenance activity
- Popularity: 1. Limited adoption so far
- Community: 6. Small or concentrated contributor base
- Maturity: 34. Early-stage or recently created project
- Bus Factor: 1. Top contributor holds 100% of commits, a single point of failure

How is this calculated?

**Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: Unknown
- Total: 1
- Last Release: 149d ago

### Community

- Maintainers: [Francys](/maintainers/Francys)
- Top Contributors: [PatrykMolenda](https://github.com/PatrykMolenda) (2 commits)

### Code Quality

- Tests: PHPUnit

