# Linx v0.2.0 - Table of Contents

> Linux kernel interface primitives for Elixir: netlink/rtnetlink/nf_tables, process & namespace lifecycle, PTY, cgroup v2, mounts, user namespaces, capabilities, seccomp, and sysctl.

## Pages

- [Linx](readme.md)
- [Changelog](changelog.md)
- [License](license.md)
- Netlink
  - [Overview](netlink-overview.md)
  - [Examples](netlink-examples.md)
  - [References](netlink-references.md)
- Process
  - [Overview](process-overview.md)
  - [Examples](process-examples.md)
  - [References](process-references.md)
- Tty
  - [Overview](tty-overview.md)
  - [Examples](tty-examples.md)
  - [References](tty-references.md)
- Cgroup
  - [Overview](cgroup-overview.md)
  - [Examples](cgroup-examples.md)
  - [References](cgroup-references.md)
- Mount
  - [Overview](mount-overview.md)
  - [Examples](mount-examples.md)
  - [References](mount-references.md)
- User
  - [Overview](user-overview.md)
  - [Examples](user-examples.md)
  - [References](user-references.md)
- Capabilities
  - [Overview](capabilities-overview.md)
  - [Examples](capabilities-examples.md)
  - [References](capabilities-references.md)
- Seccomp
  - [Overview](seccomp-overview.md)
  - [Examples](seccomp-examples.md)
  - [References](seccomp-references.md)
- Sysctl
  - [Overview](sysctl-overview.md)
  - [Examples](sysctl-examples.md)
  - [References](sysctl-references.md)
- Netfilter
  - [Overview](netfilter-overview.md)
  - [Examples](netfilter-examples.md)
  - [References](netfilter-references.md)
- Reconcile
  - [Overview](reconcile-overview.md)
  - [Examples](reconcile-examples.md)

## Modules

- [Linx](Linx.md): Linux kernel-interface primitives for Elixir.
- [Linx.Cgroup.Reconcile](Linx.Cgroup.Reconcile.md): Single-shot declarative reconciliation for a cgroup's **resource limits** — observe the interface files, diff against a desired set of knobs, apply once, and return what happened.
- [Linx.Cgroup.Reconcile.Report](Linx.Cgroup.Reconcile.Report.md): The outcome of one `Linx.Cgroup.Reconcile.reconcile/4` pass.
- [Linx.Cgroup.Reconcile.Source](Linx.Cgroup.Reconcile.Source.md): `Linx.Reconcile.Source` adapter for cgroup limits — lets the generic `Linx.Reconcile` loop drive `Linx.Cgroup.Reconcile`.
- [Linx.Netlink.Rtnl.Diff](Linx.Netlink.Rtnl.Diff.md): Per-resource diffs for rtnetlink — the minimal set of create / update / delete operations that converge observed kernel state onto a desired state.
- [Linx.Netlink.Rtnl.Monitor](Linx.Netlink.Rtnl.Monitor.md): A GenServer that owns a multicast rtnetlink socket, decodes each broadcast into a `Linx.Netlink.Rtnl.Monitor.Event`, and forwards it to an owner pid — the `ip monitor` equivalent.
- [Linx.Netlink.Rtnl.Monitor.Event](Linx.Netlink.Rtnl.Monitor.Event.md): A single rtnetlink multicast notification decoded by `Linx.Netlink.Rtnl.Monitor`.
- [Linx.Netlink.Rtnl.Reconcile](Linx.Netlink.Rtnl.Reconcile.md): Single-shot declarative reconciliation for rtnetlink — observe the kernel, diff against a desired state, and apply the minimal change, in one caller-driven pass scoped to the socket's network namespace.
- [Linx.Netlink.Rtnl.Reconcile.Report](Linx.Netlink.Rtnl.Reconcile.Report.md): The outcome of one `Linx.Netlink.Rtnl.Reconcile.reconcile/4` pass.
- [Linx.Netlink.Rtnl.Reconcile.Source](Linx.Netlink.Rtnl.Reconcile.Source.md): `Linx.Reconcile.Source` adapter for rtnetlink — lets the generic `Linx.Reconcile` loop drive `Linx.Netlink.Rtnl.Reconcile` and `Linx.Netlink.Rtnl.Monitor`.
- [Linx.Reconcile](Linx.Reconcile.md): An opt-in, level-triggered reconcile loop over a single subsystem.
- [Linx.Reconcile.Source](Linx.Reconcile.Source.md): The plug-in contract that lets the generic `Linx.Reconcile` loop drive any reconcilable subsystem — deliberately minimal.
- [Linx.Sysctl.Reconcile](Linx.Sysctl.Reconcile.md): Single-shot declarative reconciliation for sysctls — observe, diff, apply once, and return what happened.
- [Linx.Sysctl.Reconcile.Report](Linx.Sysctl.Reconcile.Report.md): The outcome of one `Linx.Sysctl.Reconcile.reconcile/3` pass.
- [Linx.Sysctl.Reconcile.Source](Linx.Sysctl.Reconcile.Source.md): `Linx.Reconcile.Source` adapter for sysctls — lets the generic `Linx.Reconcile` loop drive `Linx.Sysctl.Reconcile`.
- Public types
  - [Linx.IP](Linx.IP.md): An IPv4 or IPv6 address.
  - [Linx.IP.Subnet](Linx.IP.Subnet.md): An IPv4 or IPv6 subnet — a network address and a prefix length, parsed from CIDR notation.
  - [Linx.MAC](Linx.MAC.md): A 48-bit MAC (link-layer) address.
- Process
  - [Linx.Process](Linx.Process.md): Linux process-lifecycle primitives — `clone(2)` with namespace flags, `setns(2)`, `execve(2)`, signal delivery and exit-status reporting — exposed through one GenServer per spawned child.
  - [Linx.Process.Error](Linx.Process.Error.md): A pre-exec or transport-level failure from a `Linx.Process` session.
  - [Linx.Process.Info](Linx.Process.Info.md): A snapshot of a `Linx.Process` session's state.
- Tty
  - [Linx.Tty](Linx.Tty.md): Linux terminal / PTY primitives — `/dev/tty` access, `termios(3)` save and restore, tty `ioctl(2)` (window size), and the byte-pumping `attach/2` that composes with `Linx.Process`'s `stdio: :pty` to give the BEAM a `docker attach` experience.
  - [Linx.Tty.Error](Linx.Tty.Error.md): A failure from one of `Linx.Tty`'s terminal syscalls.
  - [Linx.Tty.Native](Linx.Tty.Native.md): NIF binding for `Linx.Tty`. Loads `priv/linx_tty.so` (built by the `:linx_tty` Mix compiler) and exposes the small set of `termios(3)` / `ioctl(2)` syscalls the public `Linx.Tty` module wraps.
  - [Linx.Tty.Saved](Linx.Tty.Saved.md): Opaque container for a saved `termios(3)` state.
  - [Linx.Tty.WindowSize](Linx.Tty.WindowSize.md): The size of a terminal — rows, columns, and optional pixel dimensions. The shape of `struct winsize` from ``.
- Cgroup
  - [Linx.Cgroup](Linx.Cgroup.md): cgroup v2 primitives — create a cgroup, place processes into it, set resource limits, read counters, freeze and thaw.
  - [Linx.Cgroup.Error](Linx.Cgroup.Error.md): An error returned by a `Linx.Cgroup` operation.
  - [Linx.Cgroup.Stats](Linx.Cgroup.Stats.md): A snapshot of a cgroup's resource counters.
- Mount
  - [Linx.Mount](Linx.Mount.md): Linux filesystem-mount primitives — `mount(2)`, `umount2(2)`, `pivot_root(2)`, and the read-side `/proc/.../mountinfo` parser.
  - [Linx.Mount.Entry](Linx.Mount.Entry.md): A single parsed line from `/proc//mountinfo` — one mount in the namespace's mount table.
  - [Linx.Mount.Error](Linx.Mount.Error.md): An error returned by a `Linx.Mount` operation.
  - [Linx.Mount.Native](Linx.Mount.Native.md): NIF binding for `Linx.Mount`. Loads `priv/linx_mount.so` (built by the `:linx_mount` Mix compiler) and exposes the small set of syscalls the public `Linx.Mount` module wraps: `mount(2)`, `umount2(2)`, and `pivot_root(2)`.
- User
  - [Linx.User](Linx.User.md): Linux user-namespace configuration primitives — `/proc//uid_map`, `/proc//gid_map`, `/proc//setgroups`.
  - [Linx.User.Error](Linx.User.Error.md): An error returned by a `Linx.User` operation.
  - [Linx.User.Map](Linx.User.Map.md): One uid/gid mapping entry from a user namespace's `uid_map` or `gid_map`.
- Capabilities
  - [Linx.Capabilities](Linx.Capabilities.md): Linux per-process capability primitives — the kernel's five capability sets (effective, permitted, inheritable, bounding, ambient) and the syscalls that manipulate them.
  - [Linx.Capabilities.Error](Linx.Capabilities.Error.md): An error returned by a `Linx.Capabilities` read operation.
  - [Linx.Capabilities.State](Linx.Capabilities.State.md): A snapshot of a process's five Linux capability sets.
- Seccomp
  - [Linx.Seccomp](Linx.Seccomp.md): Linux seccomp ("SECure COMPuting") primitives — per-thread cBPF syscall-filter facilities exposed as Elixir verbs.
  - [Linx.Seccomp.Builder](Linx.Seccomp.Builder.md): Fluent builder DSL for `%Linx.Seccomp.Filter{}`.
  - [Linx.Seccomp.Error](Linx.Seccomp.Error.md): A structured error returned by `Linx.Seccomp` operations.
  - [Linx.Seccomp.Filter](Linx.Seccomp.Filter.md): A compiled seccomp filter — what `Linx.Seccomp.allow_list/2`, `deny_list/2`, `from_rules/1`, and `Linx.Seccomp.Builder.build/1` produce, and what `Linx.Seccomp.install/2` consumes.
- Sysctl
  - [Linx.Sysctl](Linx.Sysctl.md): Linux kernel tunable parameters — the `/proc/sys/` surface, the same knobs `sysctl(8)` reads and writes.
  - [Linx.Sysctl.Entry](Linx.Sysctl.Entry.md): A single sysctl read by `Linx.Sysctl.list/0` or `Linx.Sysctl.list/1` — one key/value pair from the `/proc/sys/` tree.
  - [Linx.Sysctl.Error](Linx.Sysctl.Error.md): An error returned by a `Linx.Sysctl` operation.
  - [Linx.Sysctl.Native](Linx.Sysctl.Native.md): NIF binding for `Linx.Sysctl`'s cross-namespace verbs. Loads `priv/linx_sysctl.so` (built by the `:linx_sysctl` Mix compiler).
- Netfilter
  - [Linx.Netfilter](Linx.Netfilter.md): Linux netfilter primitives — modern firewall (nf_tables) via the `NETLINK_NETFILTER` netlink protocol family, plus live ruleset monitoring and packet-event capture (NFLOG).
  - [Linx.Netfilter.Chain](Linx.Netfilter.Chain.md): An nftables chain — a named container of rules within a table.
  - [Linx.Netfilter.Decoder](Linx.Netfilter.Decoder.md): Converts kernel-side `%Linx.Netlink.Message{}` payloads back into `%Linx.Netfilter.*{}` value structs.
  - [Linx.Netfilter.Diff](Linx.Netfilter.Diff.md): Structural diff between two `%Linx.Netfilter.Ruleset{}` values, producing a `%Linx.Netfilter.Patch{}` of the minimum mutations that turn one into the other.
  - [Linx.Netfilter.Encoder](Linx.Netfilter.Encoder.md): Converts `%Linx.Netfilter.*{}` value structs into the `%Linx.Netlink.Message{}` shapes that ride inside a `NFNL_MSG_BATCH_BEGIN` / `NFNL_MSG_BATCH_END` envelope.
  - [Linx.Netfilter.Error](Linx.Netfilter.Error.md): An error returned by a `Linx.Netfilter` operation.
  - [Linx.Netfilter.Event](Linx.Netfilter.Event.md): A single multicast event from `NFNLGRP_NFTABLES` — a notification the kernel broadcasts after every successful ruleset commit.
  - [Linx.Netfilter.Expr](Linx.Netfilter.Expr.md): A single netfilter expression — one node in a rule's expression list.
  - [Linx.Netfilter.Flowtable](Linx.Netfilter.Flowtable.md): An nftables flowtable — a connection-offload fast path that shortcuts the netfilter hooks for established flows.
  - [Linx.Netfilter.Log](Linx.Netfilter.Log.md): NFLOG listener — receives per-packet events from the kernel's `NFNL_SUBSYS_ULOG` (sub-subsystem 4) for rules that include `Linx.Netfilter.Expr.log/1`.
  - [Linx.Netfilter.Log.Event](Linx.Netfilter.Log.Event.md): A decoded NFLOG packet event.
  - [Linx.Netfilter.Map](Linx.Netfilter.Map.md): An nftables map — a set with associated data per element.
  - [Linx.Netfilter.Monitor](Linx.Netfilter.Monitor.md): A GenServer that owns a multicast nfnetlink socket subscribed to `NFNLGRP_NFTABLES`, decodes each broadcast message into a `%Linx.Netfilter.Event{}`, and forwards it to the owner pid.
  - [Linx.Netfilter.Object](Linx.Netfilter.Object.md): An nftables named object — counters, quotas, limits, ct helpers, ct timeouts, secmarks, synproxies.
  - [Linx.Netfilter.Patch](Linx.Netfilter.Patch.md): An ordered sequence of mutations that transforms one `%Linx.Netfilter.Ruleset{}` into another.
  - [Linx.Netfilter.Rule](Linx.Netfilter.Rule.md): A single nftables rule — an ordered list of expressions that the kernel evaluates against each packet visiting the rule's chain.
  - [Linx.Netfilter.Ruleset](Linx.Netfilter.Ruleset.md): The top-level netfilter value type — a netns-shaped collection of tables (and everything inside them) as plain data.
  - [Linx.Netfilter.Set](Linx.Netfilter.Set.md): An nftables set — a named collection of elements with a uniform key type, used for O(1) lookups in rules.
  - [Linx.Netfilter.Table](Linx.Netfilter.Table.md): An nftables table — the top-level container for chains, sets, maps, objects, and flowtables, scoped to one family.
  - [Linx.Netfilter.Verdict](Linx.Netfilter.Verdict.md): A netfilter verdict — the terminal result of a rule's evaluation.
  - [Linx.Netfilter.Vmap](Linx.Netfilter.Vmap.md): Constructor sugar for verdict maps — a `Linx.Netfilter.Map` with `:data_type` fixed to `:verdict`.
  - [Linx.Netfilter.Wire](Linx.Netfilter.Wire.md): Kernel-side numeric constants for `Linx.Netfilter`'s wire codec — message opcodes, attribute IDs, hook numbers, flag bitmasks, named priorities.
- Netfilter — ~NFT sigil
  - [Linx.NFT](Linx.NFT.md): The public entry point for the `~NFT` sigil and the file-mode parser. Plumbs source → `Linx.NFT.Tokenizer` → `Linx.NFT.Parser` → `Linx.NFT.Compiler` → `%Linx.Netfilter.Ruleset{}`, plus a canonical emit going the other way (`format/1`).
  - [Linx.NFT.Compiler](Linx.NFT.Compiler.md): AST → `%Linx.Netfilter.Ruleset{}` translation.
  - [Linx.NFT.Formatter](Linx.NFT.Formatter.md): Canonical-emit pretty-printer for `%Linx.Netfilter.Ruleset{}`.
  - [Linx.NFT.ParseError](Linx.NFT.ParseError.md): Syntax error raised by the `~NFT` sigil, by `Linx.NFT.parse/1` / `parse_file/1`, and by the AST-walker compiler.
  - [Linx.NFT.Parser](Linx.NFT.Parser.md): Recursive-descent parser over a token stream produced by `Linx.NFT.Tokenizer`. Builds a small internal AST that `Linx.NFT.Compiler` later walks and translates into calls on the `Linx.Netfilter.Ruleset` validator-setter surface (the same surface the pipeline DSL uses — no parallel validation layer).
  - [Linx.NFT.Runtime](Linx.NFT.Runtime.md): Runtime helpers for `~NFT` sigils that contain `#{...}` interpolations.
  - [Linx.NFT.RuntimeCompiler](Linx.NFT.RuntimeCompiler.md): AST → Elixir AST (quoted code) translation for `~NFT` sigil bodies that contain `#{...}` interpolations.
  - [Linx.NFT.Tokenizer](Linx.NFT.Tokenizer.md): Char-by-char lexer for the `~NFT` sigil and `.nft` files.
- Netlink core
  - [Linx.Netlink](Linx.Netlink.md): Netlink for Elixir — a client for the Linux kernel's `AF_NETLINK` interface.
  - [Linx.Netlink.Attr](Linx.Netlink.Attr.md): Encoding and decoding of netlink attributes — the type-length-value (TLV) elements that carry a message's variable-length data.
  - [Linx.Netlink.Codec](Linx.Netlink.Codec.md): A small DSL for defining netlink message codecs.
  - [Linx.Netlink.Constants](Linx.Netlink.Constants.md): Family-agnostic netlink constants — values from the core netlink ABI (`include/uapi/linux/netlink.h`) that every protocol family shares.
  - [Linx.Netlink.Error](Linx.Netlink.Error.md): An error returned by the kernel in response to a netlink request.
  - [Linx.Netlink.Message](Linx.Netlink.Message.md): A netlink message — the `nlmsghdr` header (`include/uapi/linux/netlink.h`) and its payload — and the framing codec for it.
  - [Linx.Netlink.Request](Linx.Netlink.Request.md): The synchronous request engine: send one netlink request and collect the kernel's reply.
  - [Linx.Netlink.Socket](Linx.Netlink.Socket.md): An `AF_NETLINK` socket, opened in a chosen network namespace.
  - [Linx.Netlink.Socket.Native](Linx.Netlink.Socket.Native.md): The native half of `Linx.Netlink.Socket`: opens an `AF_NETLINK` socket *inside* a given network namespace.
- nfnetlink
  - [Linx.Netlink.Nfnl](Linx.Netlink.Nfnl.md): nfnetlink (`NETLINK_NETFILTER`) — the kernel's netfilter-control interface: nf_tables (the modern firewall), conntrack, NFLOG, NFQUEUE.
  - [Linx.Netlink.Nfnl.Codec](Linx.Netlink.Nfnl.Codec.md): Wire-format helpers for nfnetlink (`NETLINK_NETFILTER`, protocol 12).
- rtnetlink
  - [Linx.Netlink.Rtnl](Linx.Netlink.Rtnl.md): rtnetlink (`NETLINK_ROUTE`) — the kernel's networking-stack interface: links, addresses, routes and neighbours.
  - [Linx.Netlink.Rtnl.Address](Linx.Netlink.Rtnl.Address.md): rtnetlink interface addresses — the `RTM_*ADDR` messages.
  - [Linx.Netlink.Rtnl.Link](Linx.Netlink.Rtnl.Link.md): rtnetlink network links (interfaces) — the `RTM_*LINK` messages.
  - [Linx.Netlink.Rtnl.LinkInfo](Linx.Netlink.Rtnl.LinkInfo.md): `IFLA_LINKINFO` — a link's kind and kind-specific data.
  - [Linx.Netlink.Rtnl.LinkInfo.Ipvlan](Linx.Netlink.Rtnl.LinkInfo.Ipvlan.md): `IFLA_INFO_DATA` for an `ipvlan` link — the per-kind data inside `IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.LinkInfo.Macvlan](Linx.Netlink.Rtnl.LinkInfo.Macvlan.md): `IFLA_INFO_DATA` for a `macvlan` link — the per-kind data inside `IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.LinkInfo.Veth](Linx.Netlink.Rtnl.LinkInfo.Veth.md): `IFLA_INFO_DATA` for a `veth` link — the per-kind data inside `IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.LinkInfo.Vlan](Linx.Netlink.Rtnl.LinkInfo.Vlan.md): `IFLA_INFO_DATA` for a `vlan` link — the per-kind data inside `IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.Neighbour](Linx.Netlink.Rtnl.Neighbour.md): rtnetlink neighbours — the kernel's ARP (IPv4) and NDP (IPv6) tables.
  - [Linx.Netlink.Rtnl.Route](Linx.Netlink.Rtnl.Route.md): rtnetlink routes — the `RTM_*ROUTE` messages.
  - [Linx.Netlink.Rtnl.Rule](Linx.Netlink.Rtnl.Rule.md): rtnetlink policy-routing rules — the FIB rules that decide which routing table to consult for a given packet, based on source address, destination, firewall mark and so on.
  - [Linx.Netlink.Rtnl.Stats](Linx.Netlink.Rtnl.Stats.md): rtnetlink interface statistics — the `RTM_GETSTATS` reads.
  - [Linx.Netlink.Rtnl.Stats.Link64](Linx.Netlink.Rtnl.Stats.Link64.md): Per-interface counters as the kernel reports them in `IFLA_STATS_LINK_64` — `struct rtnl_link_stats64`, a packed array of 64-bit counters defined in `include/uapi/linux/if_link.h`.