# `Linx.Netfilter.Wire` [🔗](https://github.com/oshlabs/linx/blob/v0.2.0/lib/linx/netfilter/wire.ex#L1) Kernel-side numeric constants for `Linx.Netfilter`'s wire codec — message opcodes, attribute IDs, hook numbers, flag bitmasks, named priorities. All values come from `include/uapi/linux/netfilter/nf_tables.h` and `include/uapi/linux/netfilter.h`. Kept in one module so the Encoder/Decoder can `import Linx.Netfilter.Wire` and use them by name without a long alias chain. ## Byte order nftables uses **big-endian** on the wire for its `NLA_U16` / `NLA_U32` / `NLA_U64` integers — opposite to rtnetlink (which uses native byte order). The helpers `u32_be/1` and `u64_be/1` here produce the right payload form; `u32_be!/1` / `u64_be!/1` decode. String / binary attributes are byte-order agnostic. ## References * [`include/uapi/linux/netfilter/nf_tables.h`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/netfilter/nf_tables.h) * [`include/uapi/linux/netfilter.h`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/netfilter.h) # `chain_flags_atoms` ```elixir @spec chain_flags_atoms(non_neg_integer()) :: [atom()] ``` Decodes a chain-flags integer into a list of atoms. # `chain_flags_int` ```elixir @spec chain_flags_int([atom()]) :: non_neg_integer() ``` Maps a chain-flags list to the OR'd integer for `NFTA_CHAIN_FLAGS`. # `chain_type_atom` ```elixir @spec chain_type_atom(binary()) :: atom() ``` Inverse of `chain_type_string/1`. # `chain_type_string` ```elixir @spec chain_type_string(atom()) :: String.t() ``` Maps a chain type atom to the kernel's string form for `NFTA_CHAIN_TYPE`. # `cmp_op_atom` ```elixir @spec cmp_op_atom(0..5) :: atom() ``` # `cmp_op_int` ```elixir @spec cmp_op_int(atom()) :: 0..5 ``` # `copy_mode_int` ```elixir @spec copy_mode_int(atom() | {:packet, non_neg_integer()}) :: 0..2 ``` Maps a NFLOG copy-mode atom to the kernel's u8 value: `:none` → 0, `:meta` → 1, `:packet` → 2. # `ct_key_atom` ```elixir @spec ct_key_atom(non_neg_integer()) :: atom() | {:unknown_ct_key, non_neg_integer()} ``` # `ct_key_int` ```elixir @spec ct_key_int(atom()) :: non_neg_integer() ``` # `ct_state_bits` ```elixir @spec ct_state_bits(atom() | [atom()]) :: non_neg_integer() ``` Maps a CT-state atom (or list of atoms) to the kernel's bitmask. Multiple states OR together: `[:new, :related]` → 12. # `family_atom` ```elixir @spec family_atom(0..255) :: atom() ``` Inverse of `family_num/1`. Returns `:unknown` for unrecognised numbers. # `family_num` ```elixir @spec family_num(atom()) :: 0..255 ``` NFPROTO_* — kernel address-family numbers used in `nfgen_family` and in `NF_INET_HOOKS` indexing. # `hook_atom` ```elixir @spec hook_atom(atom(), 0..255) :: atom() ``` Inverse of `hook_num/2`. Decoded hook numbers are family-dependent. # `hook_num` ```elixir @spec hook_num(atom(), atom()) :: 0..255 ``` Maps `(family, hook)` to the kernel's per-family hook number. The same atom (`:input`) corresponds to different integers depending on family — `NF_INET_LOCAL_IN = 1` for ip/ip6/inet, `NF_ARP_IN = 0` for arp, `NF_BR_LOCAL_IN = 1` for bridge. # `lookup_flags_int` ```elixir @spec lookup_flags_int([atom()]) :: non_neg_integer() ``` Maps a lookup-flags list (`[:inv]`) to its u32 bitmask. # `meta_key_atom` ```elixir @spec meta_key_atom(non_neg_integer()) :: atom() | {:unknown_meta_key, non_neg_integer()} ``` # `meta_key_int` ```elixir @spec meta_key_int(atom()) :: non_neg_integer() ``` # `nat_flags_atoms` ```elixir @spec nat_flags_atoms(non_neg_integer()) :: [atom()] ``` Decodes a NAT-flags u32 bitmask into a list of atoms. # `nat_flags_int` ```elixir @spec nat_flags_int([atom()]) :: non_neg_integer() ``` Maps a NAT-flags list to the u32 bitmask the kernel expects in `NFTA_NAT_FLAGS` / `NFTA_MASQ_FLAGS` / `NFTA_REDIR_FLAGS`. Accepted atoms: * `:random` — randomize port selection (`NF_NAT_RANGE_PROTO_RANDOM`). * `:fully_random` — fully randomize, including per-connection (`NF_NAT_RANGE_PROTO_RANDOM_FULLY`). * `:persistent` — same client gets same NAT mapping (`NF_NAT_RANGE_PERSISTENT`). * `:netmap` — preserve the host portion of the address while remapping the network portion (`NF_NAT_RANGE_NETMAP`, 5.0+). Note: `:map_ips` and `:proto_specified` are usually set by the encoder based on whether addresses / ports are provided, not by the caller. # `nf_accept` *macro* # `nf_ct_state_established_bit` *macro* # `nf_ct_state_invalid_bit` *macro* # `nf_ct_state_new_bit` *macro* # `nf_ct_state_related_bit` *macro* # `nf_ct_state_untracked_bit` *macro* # `nf_drop` *macro* # `nf_nat_range_map_ips` *macro* # `nf_nat_range_netmap` *macro* # `nf_nat_range_persistent` *macro* # `nf_nat_range_proto_offset` *macro* # `nf_nat_range_proto_random` *macro* # `nf_nat_range_proto_random_fully` *macro* # `nf_nat_range_proto_specified` *macro* # `nf_queue` *macro* # `nf_stop` *macro* # `nft_break` *macro* # `nft_chain_f_base` *macro* # `nft_chain_f_binding` *macro* # `nft_chain_f_hw_offload` *macro* # `nft_continue` *macro* # `nft_goto` *macro* # `nft_jump` *macro* # `nft_lookup_f_inv` *macro* # `nft_msg_delchain` *macro* # `nft_msg_delflowtable` *macro* # `nft_msg_delobj` *macro* # `nft_msg_delrule` *macro* # `nft_msg_delset` *macro* # `nft_msg_delsetelem` *macro* # `nft_msg_deltable` *macro* # `nft_msg_destroychain` *macro* # `nft_msg_destroyflowtable` *macro* # `nft_msg_destroyobj` *macro* # `nft_msg_destroyrule` *macro* # `nft_msg_destroyset` *macro* # `nft_msg_destroysetelem` *macro* # `nft_msg_destroytable` *macro* # `nft_msg_getchain` *macro* # `nft_msg_getflowtable` *macro* # `nft_msg_getgen` *macro* # `nft_msg_getobj` *macro* # `nft_msg_getobj_reset` *macro* # `nft_msg_getrule` *macro* # `nft_msg_getrule_reset` *macro* # `nft_msg_getset` *macro* # `nft_msg_getsetelem` *macro* # `nft_msg_gettable` *macro* # `nft_msg_newchain` *macro* # `nft_msg_newflowtable` *macro* # `nft_msg_newgen` *macro* # `nft_msg_newobj` *macro* # `nft_msg_newrule` *macro* # `nft_msg_newset` *macro* # `nft_msg_newsetelem` *macro* # `nft_msg_newtable` *macro* # `nft_msg_trace` *macro* # `nft_nat_dnat` *macro* # `nft_nat_snat` *macro* # `nft_reg32_00` *macro* # `nft_reg_1` *macro* # `nft_reg_2` *macro* # `nft_reg_3` *macro* # `nft_reg_4` *macro* # `nft_reg_verdict` *macro* # `nft_return` *macro* # `nft_set_anonymous` *macro* # `nft_set_concat` *macro* # `nft_set_constant` *macro* # `nft_set_elem_catchall` *macro* # `nft_set_elem_interval_end` *macro* # `nft_set_eval` *macro* # `nft_set_expr_flag` *macro* # `nft_set_interval` *macro* # `nft_set_map` *macro* # `nft_set_object_flag` *macro* # `nft_set_timeout_flag` *macro* # `nft_table_f_dormant` *macro* # `nft_table_f_owner` *macro* # `nft_table_f_persist` *macro* # `nfta_bitwise_data` *macro* # `nfta_bitwise_dreg` *macro* # `nfta_bitwise_len` *macro* # `nfta_bitwise_mask` *macro* # `nfta_bitwise_op` *macro* # `nfta_bitwise_sreg` *macro* # `nfta_bitwise_xor` *macro* # `nfta_chain_counters` *macro* # `nfta_chain_flags` *macro* # `nfta_chain_handle` *macro* # `nfta_chain_hook` *macro* # `nfta_chain_id` *macro* # `nfta_chain_name` *macro* # `nfta_chain_pad` *macro* # `nfta_chain_policy` *macro* # `nfta_chain_table` *macro* # `nfta_chain_type` *macro* # `nfta_chain_use` *macro* # `nfta_chain_userdata` *macro* # `nfta_cmp_data` *macro* # `nfta_cmp_op` *macro* # `nfta_cmp_sreg` *macro* # `nfta_counter_bytes` *macro* # `nfta_counter_packets` *macro* # `nfta_counter_pad` *macro* # `nfta_ct_direction` *macro* # `nfta_ct_dreg` *macro* # `nfta_ct_key` *macro* # `nfta_ct_sreg` *macro* # `nfta_data_value` *macro* # `nfta_data_verdict` *macro* # `nfta_expr_data` *macro* # `nfta_expr_name` *macro* # `nfta_hook_dev` *macro* # `nfta_hook_devs` *macro* # `nfta_hook_hooknum` *macro* # `nfta_hook_priority` *macro* # `nfta_immediate_data` *macro* # `nfta_immediate_dreg` *macro* # `nfta_list_elem` *macro* # `nfta_log_flags` *macro* # `nfta_log_group` *macro* # `nfta_log_level` *macro* # `nfta_log_prefix` *macro* # `nfta_log_qthreshold` *macro* # `nfta_log_snaplen` *macro* # `nfta_lookup_dreg` *macro* # `nfta_lookup_flags` *macro* # `nfta_lookup_set` *macro* # `nfta_lookup_set_id` *macro* # `nfta_lookup_sreg` *macro* # `nfta_masq_flags` *macro* # `nfta_masq_reg_proto_max` *macro* # `nfta_masq_reg_proto_min` *macro* # `nfta_meta_dreg` *macro* # `nfta_meta_key` *macro* # `nfta_meta_sreg` *macro* # `nfta_nat_family` *macro* # `nfta_nat_flags` *macro* # `nfta_nat_reg_addr_max` *macro* # `nfta_nat_reg_addr_min` *macro* # `nfta_nat_reg_proto_max` *macro* # `nfta_nat_reg_proto_min` *macro* # `nfta_nat_type` *macro* # `nfta_payload_base` *macro* # `nfta_payload_csum_flags` *macro* # `nfta_payload_csum_offset` *macro* # `nfta_payload_csum_type` *macro* # `nfta_payload_dreg` *macro* # `nfta_payload_len` *macro* # `nfta_payload_offset` *macro* # `nfta_payload_sreg` *macro* # `nfta_redir_flags` *macro* # `nfta_redir_reg_proto_max` *macro* # `nfta_redir_reg_proto_min` *macro* # `nfta_reject_icmp_code` *macro* # `nfta_reject_type` *macro* # `nfta_rule_chain` *macro* # `nfta_rule_chain_id` *macro* # `nfta_rule_compat` *macro* # `nfta_rule_expressions` *macro* # `nfta_rule_handle` *macro* # `nfta_rule_id` *macro* # `nfta_rule_pad` *macro* # `nfta_rule_position` *macro* # `nfta_rule_position_id` *macro* # `nfta_rule_table` *macro* # `nfta_rule_userdata` *macro* # `nfta_set_data_len` *macro* # `nfta_set_data_type` *macro* # `nfta_set_desc` *macro* # `nfta_set_desc_concat` *macro* # `nfta_set_desc_size` *macro* # `nfta_set_elem_data` *macro* # `nfta_set_elem_expiration` *macro* # `nfta_set_elem_expr` *macro* # `nfta_set_elem_expressions` *macro* # `nfta_set_elem_flags` *macro* # `nfta_set_elem_key` *macro* # `nfta_set_elem_key_end` *macro* # `nfta_set_elem_list_elements` *macro* # `nfta_set_elem_list_set` *macro* # `nfta_set_elem_list_set_id` *macro* # `nfta_set_elem_list_table` *macro* # `nfta_set_elem_objref` *macro* # `nfta_set_elem_pad` *macro* # `nfta_set_elem_timeout` *macro* # `nfta_set_elem_userdata` *macro* # `nfta_set_expr` *macro* # `nfta_set_expressions` *macro* # `nfta_set_flags` *macro* # `nfta_set_gc_interval` *macro* # `nfta_set_handle` *macro* # `nfta_set_id` *macro* # `nfta_set_key_len` *macro* # `nfta_set_key_type` *macro* # `nfta_set_name` *macro* # `nfta_set_obj_type` *macro* # `nfta_set_pad` *macro* # `nfta_set_policy` *macro* # `nfta_set_table` *macro* # `nfta_set_timeout` *macro* # `nfta_set_userdata` *macro* # `nfta_table_flags` *macro* # `nfta_table_handle` *macro* # `nfta_table_name` *macro* # `nfta_table_owner` *macro* # `nfta_table_pad` *macro* # `nfta_table_use` *macro* # `nfta_table_userdata` *macro* # `nfta_verdict_chain` *macro* # `nfta_verdict_chain_id` *macro* # `nfta_verdict_code` *macro* # `nftnl_type_bitmask` *macro* # `nftnl_type_etheraddr` *macro* # `nftnl_type_ethertype` *macro* # `nftnl_type_ifname` *macro* # `nftnl_type_inet_protocol` *macro* # `nftnl_type_inet_service` *macro* # `nftnl_type_integer` *macro* # `nftnl_type_invalid` *macro* # `nftnl_type_ip6addr` *macro* # `nftnl_type_ipaddr` *macro* # `nftnl_type_lladdr` *macro* # `nftnl_type_mark` *macro* # `nftnl_type_nf_proto` *macro* # `nftnl_type_string` *macro* # `nftnl_type_verdict` *macro* # `nfula_cfg_cmd` *macro* # `nfula_cfg_flags` *macro* # `nfula_cfg_mode` *macro* # `nfula_cfg_nlbufsiz` *macro* # `nfula_cfg_qthresh` *macro* # `nfula_cfg_timeout` *macro* # `nfula_ct` *macro* # `nfula_ct_info` *macro* # `nfula_gid` *macro* # `nfula_hwaddr` *macro* # `nfula_hwheader` *macro* # `nfula_hwlen` *macro* # `nfula_hwtype` *macro* # `nfula_ifindex_indev` *macro* # `nfula_ifindex_outdev` *macro* # `nfula_ifindex_physindev` *macro* # `nfula_ifindex_physoutdev` *macro* # `nfula_l2hdr` *macro* # `nfula_mark` *macro* # `nfula_packet_hdr` *macro* # `nfula_payload` *macro* # `nfula_prefix` *macro* # `nfula_seq` *macro* # `nfula_seq_global` *macro* # `nfula_timestamp` *macro* # `nfula_uid` *macro* # `nfula_vlan` *macro* # `nfulnl_cfg_cmd_bind` *macro* # `nfulnl_cfg_cmd_none` *macro* # `nfulnl_cfg_cmd_pf_bind` *macro* # `nfulnl_cfg_cmd_pf_unbind` *macro* # `nfulnl_cfg_cmd_unbind` *macro* # `nfulnl_cfg_f_conntrack` *macro* # `nfulnl_cfg_f_seq` *macro* # `nfulnl_cfg_f_seq_global` *macro* # `nfulnl_cfg_flags_int` ```elixir @spec nfulnl_cfg_flags_int([atom()]) :: non_neg_integer() ``` Maps a NFLOG-config-flags list to the u16 bitmask (BE on wire). # `nfulnl_copy_meta` *macro* # `nfulnl_copy_none` *macro* # `nfulnl_copy_packet` *macro* # `nfulnl_msg_config` *macro* # `nfulnl_msg_packet` *macro* # `payload_base_atom` ```elixir @spec payload_base_atom(0..3) :: atom() ``` # `payload_base_int` ```elixir @spec payload_base_int(atom()) :: 0..3 ``` # `policy_atom` ```elixir @spec policy_atom(0 | 1) :: atom() ``` Inverse of `policy_int/1`. # `policy_int` ```elixir @spec policy_int(atom()) :: 0 | 1 ``` Maps a chain policy atom to the kernel's u32 verdict integer (NF_DROP = 0, NF_ACCEPT = 1). # `priority_int` ```elixir @spec priority_int(atom(), integer() | atom() | {atom(), integer()}) :: integer() ``` Resolves a chain priority — integer, named atom, or `{atom, offset}` — to a signed 32-bit integer per `family`. Standard nft names map to standard integer priorities. Bridge family has its own table (with `:filter` = -200 vs ip's `:filter` = 0); netdev / arp have effectively just `:filter` = 0. # `reject_type_atom` ```elixir @spec reject_type_atom(0..2) :: atom() ``` # `reject_type_int` ```elixir @spec reject_type_int(atom()) :: 0..2 ``` # `s32_be` ```elixir @spec s32_be(integer()) :: binary() ``` Encodes an s32 as 4 big-endian bytes. # `s32_be!` ```elixir @spec s32_be!(binary()) :: integer() ``` Decodes a 4-byte big-endian s32. # `set_flags_atoms` ```elixir @spec set_flags_atoms(non_neg_integer()) :: [atom()] ``` Inverse: u32 bitmask → list of flag atoms. # `set_flags_int` ```elixir @spec set_flags_int([atom()]) :: non_neg_integer() ``` Maps a set-flags atom list to the u32 bitmask. The encoder may add `:map` / `:eval` automatically based on the set's `:data_type` / `:dynamic` shape. # `set_type_atom` ```elixir @spec set_type_atom(non_neg_integer(), pos_integer()) :: atom() | tuple() ``` Inverse: maps a libnftnl type id + length back to a key-type atom. Returns `{:unknown_type, id, len}` for unrecognised pairs. # `set_type_info` ```elixir @spec set_type_info(atom()) :: {non_neg_integer(), pos_integer()} ``` Maps a Linx key-type atom to its `(libnftnl_type_id, byte_len)` pair for `NFTA_SET_KEY_TYPE` / `NFTA_SET_KEY_LEN`. # `table_flags_atoms` ```elixir @spec table_flags_atoms(non_neg_integer()) :: [atom()] ``` Decodes a table-flags integer into a list of atoms. # `table_flags_int` ```elixir @spec table_flags_int([atom()]) :: non_neg_integer() ``` Maps a table-flags list to the OR'd integer for `NFTA_TABLE_FLAGS`. # `u32_be` ```elixir @spec u32_be(non_neg_integer()) :: binary() ``` Encodes a u32 as 4 big-endian bytes (nftables convention). # `u32_be!` ```elixir @spec u32_be!(binary()) :: non_neg_integer() ``` Decodes a 4-byte big-endian u32. # `u64_be` ```elixir @spec u64_be(non_neg_integer()) :: binary() ``` Encodes a u64 as 8 big-endian bytes. # `u64_be!` ```elixir @spec u64_be!(binary()) :: non_neg_integer() ``` Decodes an 8-byte big-endian u64. # `verdict_atom` ```elixir @spec verdict_atom(integer()) :: atom() ``` Inverse of `verdict_code/1`. # `verdict_code` ```elixir @spec verdict_code(atom()) :: integer() ``` Maps a `%Linx.Netfilter.Verdict{}` to its kernel verdict-code integer (signed; some are negative). --- *Consult [api-reference.md](api-reference.md) for complete listing*