An nftables named object — counters, quotas, limits, ct helpers, ct timeouts, secmarks, synproxies.

Named objects are stateful primitives that rules reference. A counter accumulates packet/byte counts across all rules that reference it; a quota fires when its threshold is hit; a ct helper enables an ALG (FTP, SIP, …) on specific traffic. The value lives in the table; rules carry references.

Fields

• :name — object name (unique within the table for its kind).
• :table — owning table's name.
• :kind — object kind atom. The canonical kinds are accepted; per-kind data shapes are not yet validated.
• :data — kind-specific value (map / keyword / struct). Opaque to the validator; per-kind shape validation is not yet implemented.
• :handle — kernel-assigned handle; nil until pushed.
• :comment — round-trips via object userdata.

Object kinds

• :counter — packet/byte counter. Data: %{packets: int, bytes: int}.
• :quota — quota object. Data: %{bytes: int, used: int, flags: [:inv]}.
• :limit — rate limit. Data: %{rate: int, unit: atom, ...}.
• :ct_helper — connection-tracking helper (ALG). Data: %{type: "ftp", protocol: :tcp, l3proto: :inet}.
• :ct_timeout — per-flow timeout policy.
• :ct_expectation — explicit expected connection.
• :secmark — SELinux/SMACK label.
• :synproxy — SYN proxy parameters.

Construction

iex> Object.new(:counter, "ssh_attempts", %{packets: 0, bytes: 0})
{:ok, %Linx.Netfilter.Object{kind: :counter, name: "ssh_attempts", ...}}

iex> Object.new(:ct_helper, "ftp_helper",
...>             %{type: "ftp", protocol: :tcp, l3proto: :inet})
{:ok, %Linx.Netfilter.Object{kind: :ct_helper, ...}}

Errors: {:error, {:bad_object, reason}}.