"filtergen"

"filtergen" (the package formerly known as "filter") is a packet filter generator. It compiles a fairly high-level description language into iptables, ipchains or ipfilter rules (and has bits of support for Cisco IOS access-lists).

It is free software, licensed under the GNU GPL.

You can download the 0.11 release here. Older releases are 0.10, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2 and the initial 0.1 release. The changelog lives at HISTORY. Red Hat 7.x users (and possibly people using other distributions) should be able to make an RPM with "rpm -ta" on the tarball.

The README includes some examples. The package also contains a TODO and a status report called HONESTY which explains how complete and stable (or otherwise) the package is, to help you decide if it's for you or not.

It's a fairly new tool and, in the way of these things, is unfinished, but I am using it in production environments without problems. There are some missing features and some limitations which need to be removed. The HONESTY file and filter_backends man page explain most of the issues.

It's slightly related to my other package fk, which is an application proxy suite. You can discuss both packages on the fk mailing list.