An nftables table — the top-level container for chains, sets, maps, objects, and flowtables, scoped to one family.
Fields
- :family — :ip | :ip6 | :inet | :arp | :bridge | :netdev.
- :name — table name (unique within the family in the netns).
- :flags — list of flags. :owner enables NFT_TABLE_F_OWNER: the table is bound to the netlink socket that created it and auto-destroys when that socket closes, so a crashed daemon leaves no stale policy behind (and no firewall either). :persist sets NFT_TABLE_F_PERSIST: the table is kept when the owning socket closes, the owner's opt-out from auto-destroy (kernel 6.9+). :dormant sets NFT_TABLE_F_DORMANT: the table is loaded but inactive, its base-chain hooks are not registered.
- :use_count — kernel-reported reference count; only set on pulled tables, nil for authoring-time tables.
- :handle — kernel handle; nil until pushed.
- :chains — %{chain_name => %Linx.Netfilter.Chain{}}.
- :sets — %{set_name => %Linx.Netfilter.Set{}}.
- :maps — %{map_name => %Linx.Netfilter.Map{}}.
- :objects — %{{kind, name} => %Linx.Netfilter.Object{}}. Objects are keyed by {kind, name} since kinds don't share a namespace (a :counter and a :quota of the same name coexist).
- :flowtables — %{ft_name => %Linx.Netfilter.Flowtable{}}.
Construction
iex> Table.new(:inet, "myapp")
{:ok, %Linx.Netfilter.Table{family: :inet, name: "myapp", flags: [], ...}}
iex> Table.new(:inet, "myapp", flags: [:owner])
{:ok, %Linx.Netfilter.Table{flags: [:owner], ...}}

Errors: {:error, {:bad_table, reason}}.
Container mutations (add_chain/2, add_set/2, …) come with
uniqueness checks and route the entity through its family's
validation. They return the updated table or
{:error, {:bad_table, …}} (for uniqueness collisions) /
{:error, {:bad_chain, …}} (for entity-shape failures).
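A worked authoring flow, added here as an example; it is not code from the Linx project. It exercises only the Table functions documented on this page. The constructors Chain.new/1, Set.new/1, Linx.Netfilter.Map.new/1 and Object.new/3 (keyword options, returning {:ok, struct}), their option names, and Chain.add_rule/2 returning {:ok, chain} are assumptions, as is the opaque rule value passed to append_rule/3.

```elixir
# Added example, not code from the Linx project. Assumed (not on this page):
# Chain.new/1, Set.new/1, Linx.Netfilter.Map.new/1 and Object.new/3 take
# keyword options and return {:ok, struct}; Chain.add_rule/2 returns
# {:ok, chain}. The Linx.Netfilter.Table calls follow the specs on this page.
alias Linx.Netfilter.{Table, Chain, Set, Object}

defmodule MyApp.Ruleset do
  @doc """
  Authors an owned inet table. With :owner the kernel destroys the table when
  the netlink socket that pushed it closes, so a crash of this process leaves
  no stale policy behind (and no firewall either; add :persist to keep it).
  """
  def build do
    with {:ok, table} <- Table.new(:inet, "myapp", flags: [:owner]),
         {:ok, input} <- Chain.new(name: "input", type: :filter, hook: :input, priority: 0, policy: :drop),
         {:ok, table} <- Table.add_chain(table, input),
         {:ok, allow} <- Set.new(name: "allow_v4", type: :ipv4_addr),
         {:ok, table} <- Table.add_set(table, allow),
         # Objects are keyed by {kind, name}: a :counter and a :quota may both be "ssh".
         {:ok, hits} <- Object.new(:counter, "ssh", []),
         {:ok, table} <- Table.add_object(table, hits),
         {:ok, cap} <- Object.new(:quota, "ssh", bytes: 10_000_000),
         {:ok, table} <- Table.add_object(table, cap) do
      {:ok, table}
    end
  end

  @doc """
  Appends a rule to a chain that is already in the table. Chains are values,
  so the mutated chain has to be written back with put_chain/2; a missing
  chain surfaces as {:error, :no_such_chain} from fetch_chain/2.
  """
  def append_rule(table, chain_name, rule) do
    with {:ok, chain} <- Table.fetch_chain(table, chain_name),
         {:ok, chain} <- Chain.add_rule(chain, rule),
         {:ok, table} <- Table.put_chain(table, chain) do
      {:ok, table}
    end
  end

  @doc """
  Checks the uniqueness rules on a table built by build/0: sets and maps share
  one namespace, so a map named like the existing set is rejected with
  {:error, {:bad_table, _}}; a second chain named "input" is rejected the same
  way. Returns a map of booleans, all expected to be true.
  """
  def collisions(table) do
    {:ok, dup_map} = Linx.Netfilter.Map.new(name: "allow_v4", type: :ipv4_addr, value: :verdict)
    {:ok, dup_chain} = Chain.new(name: "input", type: :filter, hook: :input, priority: 0)

    %{
      map_vs_set: match?({:error, {:bad_table, _}}, Table.add_map(table, dup_map)),
      chain_twice: match?({:error, {:bad_table, _}}, Table.add_chain(table, dup_chain)),
      missing_chain: Table.fetch_chain(table, "forward") == {:error, :no_such_chain}
    }
  end
end
```

All of this is authoring-time validation: :handle stays nil until the table is pushed and :use_count is only populated on tables pulled from the kernel, so the kernel's own checks on push are a separate failure point from the {:bad_table, _} / {:bad_chain, _} errors above.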
Summary
Functions
- add_chain/2: Adds a chain to the table. Validates the chain against the table's family and that the chain name is unique within the table.
- add_flowtable/2: Adds a flowtable to the table. Validates name uniqueness.
- add_map/2: Adds a map (or vmap) to the table. Validates map name uniqueness within the table (sets and maps share a namespace at the kernel level; a set and a map of the same name collide).
- add_object/2: Adds an object to the table. Uniqueness is by (kind, name); objects of different kinds may share a name.
- add_set/2: Adds a set to the table. Validates set name uniqueness within the table.
- fetch_chain/2: Looks up a chain by name. Returns {:ok, chain} or {:error, :no_such_chain}.
- new/2, new/3: Builds a table.
- new!/2, new!/3: Bang variant.
- put_chain/2: Replaces a chain in the table. The chain must already exist by name (intended for use after mutating one with Chain.add_rule/2 or similar).
Types
@type family() :: :ip | :ip6 | :inet | :arp | :bridge | :netdev
@type flag() :: :owner | :persist | :dormant
@type t() :: %Linx.Netfilter.Table{
        chains: %{optional(String.t()) => Linx.Netfilter.Chain.t()},
        family: family(),
        flags: [flag()],
        flowtables: %{optional(String.t()) => Linx.Netfilter.Flowtable.t()},
        handle: pos_integer() | nil,
        maps: %{optional(String.t()) => Linx.Netfilter.Map.t()},
        name: String.t(),
        objects: %{optional({Linx.Netfilter.Object.kind(), String.t()}) => Linx.Netfilter.Object.t()},
        sets: %{optional(String.t()) => Linx.Netfilter.Set.t()},
        use_count: non_neg_integer() | nil
      }
Functions
@spec add_chain(t(), Linx.Netfilter.Chain.t()) :: {:ok, t()} | {:error, {:bad_table | :bad_chain, term()}}
Adds a chain to the table. Validates the chain against the table's family and that the chain name is unique within the table.
Sets the chain's :table field to this table's name (so
free-standing chains pick up their context when inserted).
@spec add_flowtable(t(), Linx.Netfilter.Flowtable.t()) :: {:ok, t()} | {:error, {:bad_table, term()}}
Adds a flowtable to the table. Validates name uniqueness.
@spec add_map(t(), Linx.Netfilter.Map.t()) :: {:ok, t()} | {:error, {:bad_table, term()}}
Adds a map (or vmap) to the table. Validates map name uniqueness within the table (sets and maps share a namespace at the kernel level — a set and a map of the same name collide).
@spec add_object(t(), Linx.Netfilter.Object.t()) :: {:ok, t()} | {:error, {:bad_table, term()}}
Adds an object to the table. Uniqueness is by (kind, name) —
objects of different kinds may share a name.
@spec add_set(t(), Linx.Netfilter.Set.t()) :: {:ok, t()} | {:error, {:bad_table, term()}}
Adds a set to the table. Validates set name uniqueness within the table.
@spec fetch_chain(t(), String.t()) :: {:ok, Linx.Netfilter.Chain.t()} | {:error, :no_such_chain}
Looks up a chain by name. Returns {:ok, chain} or
{:error, :no_such_chain}.
new(family, name, opts \\ [])
Builds a table. opts accepts :flags (a list of flag(), see Fields). Returns {:ok, table} or {:error, {:bad_table, reason}}.
new!(family, name, opts \\ [])
Bang variant: returns the table or raises.
@spec put_chain(t(), Linx.Netfilter.Chain.t()) :: {:ok, t()} | {:error, {:bad_table, term()}}
Replaces a chain in the table. The chain must already exist by
name (intended for use after mutating one with Chain.add_rule/2
or similar).