Kernel-side numeric constants for Linx.Netfilter's wire codec —
message opcodes, attribute IDs, hook numbers, flag bitmasks,
named priorities.
All values come from include/uapi/linux/netfilter/nf_tables.h and
include/uapi/linux/netfilter.h. Kept in one module so the
Encoder/Decoder can import Linx.Netfilter.Wire and use them by
name without a long alias chain.
Byte order
nftables uses big-endian on the wire for its NLA_U16 /
NLA_U32 / NLA_U64 integers — opposite to rtnetlink (which uses
native byte order). The helpers u32_be/1 and u64_be/1 here
produce the right payload form; u32_be!/1 / u64_be!/1 decode.
String / binary attributes are byte-order agnostic.
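The byte-order rule above, worked through as an added example (not Linx.Netfilter.Wire's own code): integer payloads are big-endian and range-checked, while the netlink attribute header stays in native order. `WireSketch` and its functions are hypothetical names, and the attribute type numbers 2 and 5 are placeholders chosen for the sample.

```elixir
defmodule WireSketch do
  # Hypothetical module for illustration; not Linx.Netfilter.Wire itself.

  # Encoders range-check first: a binary constructor alone would silently
  # truncate an oversized integer to its low 32 bits.
  def u32_be(n) when is_integer(n) and n >= 0 and n <= 0xFFFF_FFFF,
    do: <<n::unsigned-big-32>>

  def s32_be(n) when is_integer(n) and n >= -0x8000_0000 and n <= 0x7FFF_FFFF,
    do: <<n::signed-big-32>>

  # Strict decoders: anything other than exactly 4 bytes raises.
  def u32_be!(<<n::unsigned-big-32>>), do: n
  def s32_be!(<<n::signed-big-32>>), do: n

  # Netlink attribute: u16 length and u16 type in native order, then the
  # payload, zero-padded to a 4-byte boundary (padding is not counted in len).
  def attr(type, payload) when type in 0..0xFFFF and is_binary(payload) do
    len = 4 + byte_size(payload)
    pad = rem(4 - rem(len, 4), 4)
    <<len::native-16, type::native-16, payload::binary, 0::size(pad)-unit(8)>>
  end

  # Takes one attribute off a buffer; a length below the header size or past
  # the end of the buffer is rejected instead of being trusted.
  def take_attr(<<len::native-16, type::native-16, rest::binary>> = buf)
      when len >= 4 and len <= byte_size(buf) do
    plen = len - 4
    <<payload::binary-size(plen), tail::binary>> = rest
    skip = min(rem(4 - rem(len, 4), 4), byte_size(tail))
    {:ok, {type, payload}, binary_part(tail, skip, byte_size(tail) - skip)}
  end

  def take_attr(_), do: {:error, :malformed_attr}
end

# Constructed sample: -200 is the bridge :filter priority quoted on this page,
# 1 is NF_ACCEPT; each match below fails loudly if the codec is wrong.
prio = WireSketch.s32_be(-200)
<<255, 255, 255, 56>> = prio
buf = WireSketch.attr(2, prio) <> WireSketch.attr(5, WireSketch.u32_be(1))
{:ok, {2, p}, rest} = WireSketch.take_attr(buf)
-200 = WireSketch.s32_be!(p)
{:ok, {5, <<0, 0, 0, 1>>}, <<>>} = WireSketch.take_attr(rest)
{:error, :malformed_attr} = WireSketch.take_attr(binary_part(buf, 0, 6))
<<as_le::signed-little-32>> = prio
IO.inspect(as_le, label: "same bytes misread as little-endian")
```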
Functions
@spec chain_flags_atoms(non_neg_integer()) :: [atom()]
Decodes a chain-flags integer into a list of atoms.
@spec chain_flags_int([atom()]) :: non_neg_integer()
Maps a chain-flags list to the OR'd integer for NFTA_CHAIN_FLAGS.
Inverse of chain_type_string/1.
Maps a chain type atom to the kernel's string form for
NFTA_CHAIN_TYPE.
@spec cmp_op_atom(0..5) :: atom()
@spec cmp_op_int(atom()) :: 0..5
@spec copy_mode_int(atom() | {:packet, non_neg_integer()}) :: 0..2
Maps a NFLOG copy-mode atom to the kernel's u8 value:
:none → 0, :meta → 1, :packet → 2.
@spec ct_key_atom(non_neg_integer()) :: atom() | {:unknown_ct_key, non_neg_integer()}
@spec ct_key_int(atom()) :: non_neg_integer()
@spec ct_state_bits(atom() | [atom()]) :: non_neg_integer()
Maps a CT-state atom (or list of atoms) to the kernel's bitmask.
Multiple states OR together: [:new, :related] → 12.
@spec family_atom(0..255) :: atom()
Inverse of family_num/1. Returns :unknown for unrecognised numbers.
@spec family_num(atom()) :: 0..255
NFPROTO_* — kernel address-family numbers used in nfgen_family
and in NF_INET_HOOKS indexing.
Inverse of hook_num/2. Decoded hook numbers are family-dependent.
Maps (family, hook) to the kernel's per-family hook number.
The same atom (:input) corresponds to different integers
depending on family — NF_INET_LOCAL_IN = 1 for ip/ip6/inet,
NF_ARP_IN = 0 for arp, NF_BR_LOCAL_IN = 1 for bridge.
@spec lookup_flags_int([atom()]) :: non_neg_integer()
Maps a lookup-flags list ([:inv]) to its u32 bitmask.
@spec meta_key_atom(non_neg_integer()) :: atom() | {:unknown_meta_key, non_neg_integer()}
@spec meta_key_int(atom()) :: non_neg_integer()
@spec nat_flags_atoms(non_neg_integer()) :: [atom()]
Decodes a NAT-flags u32 bitmask into a list of atoms.
@spec nat_flags_int([atom()]) :: non_neg_integer()
Maps a NAT-flags list to the u32 bitmask the kernel expects in
NFTA_NAT_FLAGS / NFTA_MASQ_FLAGS / NFTA_REDIR_FLAGS.
Accepted atoms:
- :random — randomize port selection (NF_NAT_RANGE_PROTO_RANDOM).
- :fully_random — fully randomize, including per-connection (NF_NAT_RANGE_PROTO_RANDOM_FULLY).
- :persistent — same client gets same NAT mapping (NF_NAT_RANGE_PERSISTENT).
- :netmap — preserve the host portion of the address while remapping the network portion (NF_NAT_RANGE_NETMAP, 5.0+).
Note: :map_ips and :proto_specified are usually set by the
encoder based on whether addresses / ports are provided, not by
the caller.
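A sketch of the flag-list/bitmask mapping described above, as an added example that is not the library's code. `NatFlagsSketch` is a hypothetical module; the bit values are the NF_NAT_RANGE_* constants from include/uapi/linux/netfilter/nf_nat.h. Rejecting unknown atoms and reporting unnamed bits as `{:unknown_bits, n}` are this example's choices, not documented behaviour of nat_flags_int/1 or nat_flags_atoms/1.

```elixir
defmodule NatFlagsSketch do
  # Hypothetical module for illustration; not Linx.Netfilter.Wire itself.
  import Bitwise

  # NF_NAT_RANGE_* bit values (include/uapi/linux/netfilter/nf_nat.h).
  @bits [
    map_ips: 0x01,
    proto_specified: 0x02,
    random: 0x04,
    persistent: 0x08,
    fully_random: 0x10,
    netmap: 0x40
  ]

  # Atoms -> bitmask. A misspelled flag raises instead of encoding as 0,
  # so a rule is never installed with weaker options than were asked for.
  def to_int(flags) when is_list(flags) do
    Enum.reduce(flags, 0, fn flag, acc ->
      case Keyword.fetch(@bits, flag) do
        {:ok, bit} -> acc ||| bit
        :error -> raise ArgumentError, "unknown NAT flag #{inspect(flag)}"
      end
    end)
  end

  # Bitmask -> atoms. Bits the table does not name are kept in the result,
  # so a decoded rule never looks narrower than what the kernel holds.
  def to_atoms(mask) when is_integer(mask) and mask >= 0 do
    known = for {name, bit} <- @bits, (mask &&& bit) != 0, do: name
    named = Enum.reduce(@bits, 0, fn {_name, bit}, acc -> acc ||| bit end)

    case mask &&& bnot(named) do
      0 -> known
      rest -> known ++ [{:unknown_bits, rest}]
    end
  end
end

# Constructed inputs; each match fails loudly if the mapping is wrong.
12 = NatFlagsSketch.to_int([:random, :persistent])
<<0, 0, 0, 12>> = <<NatFlagsSketch.to_int([:random, :persistent])::big-32>>
[:map_ips, :proto_specified, :fully_random] = NatFlagsSketch.to_atoms(0x13)
[:random, {:unknown_bits, 0x20}] = NatFlagsSketch.to_atoms(0x24)
```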
@spec nfulnl_cfg_flags_int([atom()]) :: non_neg_integer()
Maps a NFLOG-config-flags list to the u16 bitmask (BE on wire).
@spec payload_base_atom(0..3) :: atom()
@spec payload_base_int(atom()) :: 0..3
@spec policy_atom(0 | 1) :: atom()
Inverse of policy_int/1.
@spec policy_int(atom()) :: 0 | 1
Maps a chain policy atom to the kernel's u32 verdict integer (NF_DROP = 0, NF_ACCEPT = 1).
Resolves a chain priority — integer, named atom, or
{atom, offset} — to a signed 32-bit integer per family.
Standard nft names map to standard integer priorities. Bridge
family has its own table (with :filter = -200 vs ip's :filter
= 0); netdev / arp have effectively just :filter = 0.
@spec reject_type_atom(0..2) :: atom()
@spec reject_type_int(atom()) :: 0..2
Encodes an s32 as 4 big-endian bytes.
Decodes a 4-byte big-endian s32.
@spec set_flags_atoms(non_neg_integer()) :: [atom()]
Inverse: u32 bitmask → list of flag atoms.
@spec set_flags_int([atom()]) :: non_neg_integer()
Maps a set-flags atom list to the u32 bitmask. The encoder may
add :map / :eval automatically based on the set's
:data_type / :dynamic shape.
@spec set_type_atom(non_neg_integer(), pos_integer()) :: atom() | tuple()
Inverse: maps a libnftnl type id + length back to a key-type
atom. Returns {:unknown_type, id, len} for unrecognised pairs.
@spec set_type_info(atom()) :: {non_neg_integer(), pos_integer()}
Maps a Linx key-type atom to its (libnftnl_type_id, byte_len)
pair for NFTA_SET_KEY_TYPE / NFTA_SET_KEY_LEN.
@spec table_flags_atoms(non_neg_integer()) :: [atom()]
Decodes a table-flags integer into a list of atoms.
@spec table_flags_int([atom()]) :: non_neg_integer()
Maps a table-flags list to the OR'd integer for NFTA_TABLE_FLAGS.
@spec u32_be(non_neg_integer()) :: binary()
Encodes a u32 as 4 big-endian bytes (nftables convention).
@spec u32_be!(binary()) :: non_neg_integer()
Decodes a 4-byte big-endian u32.
@spec u64_be(non_neg_integer()) :: binary()
Encodes a u64 as 8 big-endian bytes.
@spec u64_be!(binary()) :: non_neg_integer()
Decodes an 8-byte big-endian u64.
Inverse of verdict_code/1.
Maps a %Linx.Netfilter.Verdict{} to its kernel verdict-code integer
(signed; some are negative).