A single nftables rule — an ordered list of expressions that the kernel evaluates against each packet visiting the rule's chain.

Fields

• :expressions — ordered list of %Linx.Netfilter.Expr{}. The terminator is typically a verdict-bearing immediate expression; if absent, falls through to the next rule.

• :chain — name (string) of the chain this rule belongs to. nil for free-standing rules; populated when the rule is inserted into a chain (and when pulled from the kernel).

• :handle — the kernel-assigned rule handle (positive integer). nil for authoring-time rules; populated on the first successful push/2 and round-tripped on pull/1..2. Required for in-place :replace / :delete of rules without a tag.

• :tag — Linx-side stable identity (atom). The basis of :reconcile mode's diffing: a Rule keeps its identity across pushes regardless of position or handle, as long as the tag matches. nil is allowed; untagged rules fall back to positional identity (and forfeit :reconcile diffability).

• :comment — a user-supplied comment string, round-tripped via the kernel's NFTNL_RULE_USERDATA opaque slot.

Construction

Use build/1 or build/2 with an expression list. The list may include verdict sugar — atoms (:accept), tuples ({:jump, name}), or %Linx.Netfilter.Verdict{} values — which are normalised to Expr.immediate/1 calls so the resulting Rule is uniform.

iex> Rule.build([Expr.immediate(:accept)])
{:ok, #Linx.Netfilter.Rule<[immediate accept]>}

iex> Rule.build([:drop], tag: :default_deny, comment: "block-all")
{:ok, #Linx.Netfilter.Rule<:default_deny [immediate drop]>}

iex> Rule.build([{:jump, "input_extras"}])
{:ok, #Linx.Netfilter.Rule<[immediate jump "input_extras"]>}

Bang variant build!/2 raises ArgumentError on validation failure. The non-bang form returns {:error, {:bad_rule, reason}}.

Inspect

Compact: tag (if set) then bracketed expressions. Comment + handle are omitted from the brief rendering; pattern-match on the struct fields if you need the full detail.