Modules
Linux kernel-interface primitives for Elixir.
Linux per-process capability primitives — the kernel's five capability sets (effective, permitted, inheritable, bounding, ambient) and the syscalls that manipulate them.
An error returned by a Linx.Capabilities read operation.
A snapshot of a process's five Linux capability sets.
cgroup v2 primitives — create a cgroup, place processes into it, set resource limits, read counters, freeze and thaw.
An error returned by a Linx.Cgroup operation.
Single-shot declarative reconciliation for a cgroup's resource limits — observe the interface files, diff against a desired set of knobs, apply once, and return what happened.
The outcome of one Linx.Cgroup.Reconcile.reconcile/4 pass.
Linx.Reconcile.Source adapter for cgroup limits — lets the generic Linx.Reconcile loop drive Linx.Cgroup.Reconcile.
A snapshot of a cgroup's resource counters.
An IPv4 or IPv6 address.
An IPv4 or IPv6 subnet — a network address and a prefix length, parsed from CIDR notation.
A 48-bit MAC (link-layer) address.
Linux filesystem-mount primitives — mount(2), umount2(2), pivot_root(2), and the read-side /proc/.../mountinfo parser.
A single parsed line from /proc/<pid>/mountinfo — one mount in the namespace's mount table.
An error returned by a Linx.Mount operation.
NIF binding for Linx.Mount. Loads priv/linx_mount.so (built by the :linx_mount Mix compiler) and exposes the small set of syscalls the public Linx.Mount module wraps: mount(2), umount2(2), and pivot_root(2).
The public entry point for the ~NFT sigil and the file-mode parser. Plumbs source → Linx.NFT.Tokenizer → Linx.NFT.Parser → Linx.NFT.Compiler → %Linx.Netfilter.Ruleset{}, plus a canonical emit going the other way (format/1).
AST → %Linx.Netfilter.Ruleset{} translation.
Canonical-emit pretty-printer for %Linx.Netfilter.Ruleset{}.
Syntax error raised by the ~NFT sigil, by Linx.NFT.parse/1 / parse_file/1, and by the AST-walker compiler.
Recursive-descent parser over a token stream produced by Linx.NFT.Tokenizer. Builds a small internal AST that Linx.NFT.Compiler later walks and translates into calls on the Linx.Netfilter.Ruleset validator-setter surface (the same surface the pipeline DSL uses — no parallel validation layer).
Runtime helpers for ~NFT sigils that contain #{...} interpolations.
AST → Elixir AST (quoted code) translation for ~NFT sigil bodies that contain #{...} interpolations.
Char-by-char lexer for the ~NFT sigil and .nft files.
Linux netfilter primitives — modern firewall (nf_tables) via the NETLINK_NETFILTER netlink protocol family, plus live ruleset monitoring and packet-event capture (NFLOG).
An nftables chain — a named container of rules within a table.
Converts kernel-side %Linx.Netlink.Message{} payloads back into %Linx.Netfilter.*{} value structs.
Structural diff between two %Linx.Netfilter.Ruleset{} values, producing a %Linx.Netfilter.Patch{} of the minimum mutations that turn one into the other.
Converts %Linx.Netfilter.*{} value structs into the %Linx.Netlink.Message{} shapes that ride inside a NFNL_MSG_BATCH_BEGIN / NFNL_MSG_BATCH_END envelope.
An error returned by a Linx.Netfilter operation.
A single multicast event from NFNLGRP_NFTABLES — a notification the kernel broadcasts after every successful ruleset commit.
A single netfilter expression — one node in a rule's expression list.
An nftables flowtable — a connection-offload fast path that shortcuts the netfilter hooks for established flows.
NFLOG listener — receives per-packet events from the kernel's NFNL_SUBSYS_ULOG (sub-subsystem 4) for rules that include Linx.Netfilter.Expr.log/1.
A decoded NFLOG packet event.
An nftables map — a set with associated data per element.
A GenServer that owns a multicast nfnetlink socket subscribed to NFNLGRP_NFTABLES, decodes each broadcast message into a %Linx.Netfilter.Event{}, and forwards it to the owner pid.
An nftables named object — counters, quotas, limits, ct helpers, ct timeouts, secmarks, synproxies.
An ordered sequence of mutations that transforms one %Linx.Netfilter.Ruleset{} into another.
A single nftables rule — an ordered list of expressions that the kernel evaluates against each packet visiting the rule's chain.
The top-level netfilter value type — a netns-shaped collection of tables (and everything inside them) as plain data.
An nftables set — a named collection of elements with a uniform key type, used for O(1) lookups in rules.
An nftables table — the top-level container for chains, sets, maps, objects, and flowtables, scoped to one family.
A netfilter verdict — the terminal result of a rule's evaluation.
Constructor sugar for verdict maps — a Linx.Netfilter.Map with :data_type fixed to :verdict.
Kernel-side numeric constants for Linx.Netfilter's wire codec — message opcodes, attribute IDs, hook numbers, flag bitmasks, named priorities.
Netlink for Elixir — a client for the Linux kernel's AF_NETLINK interface.
Encoding and decoding of netlink attributes — the type-length-value (TLV) elements that carry a message's variable-length data.
A small DSL for defining netlink message codecs.
Family-agnostic netlink constants — values from the core netlink ABI (include/uapi/linux/netlink.h) that every protocol family shares.
An error returned by the kernel in response to a netlink request.
A netlink message — the nlmsghdr header (include/uapi/linux/netlink.h) and its payload — and the framing codec for it.
nfnetlink (NETLINK_NETFILTER) — the kernel's netfilter-control interface: nf_tables (the modern firewall), conntrack, NFLOG, NFQUEUE.
Wire-format helpers for nfnetlink (NETLINK_NETFILTER, protocol 12).
The synchronous request engine: send one netlink request and collect the kernel's reply.
rtnetlink (NETLINK_ROUTE) — the kernel's networking-stack interface: links, addresses, routes and neighbours.
rtnetlink interface addresses — the RTM_*ADDR messages.
Per-resource diffs for rtnetlink — the minimal set of create / update / delete operations that converge observed kernel state onto a desired state.
rtnetlink network links (interfaces) — the RTM_*LINK messages.
IFLA_LINKINFO — a link's kind and kind-specific data.
IFLA_INFO_DATA for an ipvlan link — the per-kind data inside IFLA_LINKINFO.
IFLA_INFO_DATA for a macvlan link — the per-kind data inside IFLA_LINKINFO.
IFLA_INFO_DATA for a veth link — the per-kind data inside IFLA_LINKINFO.
IFLA_INFO_DATA for a vlan link — the per-kind data inside IFLA_LINKINFO.
A GenServer that owns a multicast rtnetlink socket, decodes each broadcast into a Linx.Netlink.Rtnl.Monitor.Event, and forwards it to an owner pid — the ip monitor equivalent.
A single rtnetlink multicast notification decoded by Linx.Netlink.Rtnl.Monitor.
rtnetlink neighbours — the kernel's ARP (IPv4) and NDP (IPv6) tables.
Single-shot declarative reconciliation for rtnetlink — observe the kernel, diff against a desired state, and apply the minimal change, in one caller-driven pass scoped to the socket's network namespace.
The outcome of one Linx.Netlink.Rtnl.Reconcile.reconcile/4 pass.
Linx.Reconcile.Source adapter for rtnetlink — lets the generic Linx.Reconcile loop drive Linx.Netlink.Rtnl.Reconcile and Linx.Netlink.Rtnl.Monitor.
rtnetlink routes — the RTM_*ROUTE messages.
rtnetlink policy-routing rules — the FIB rules that decide which routing table to consult for a given packet, based on source address, destination, firewall mark and so on.
rtnetlink interface statistics — the RTM_GETSTATS reads.
Per-interface counters as the kernel reports them in IFLA_STATS_LINK_64 — struct rtnl_link_stats64, a packed array of 64-bit counters defined in include/uapi/linux/if_link.h.
An AF_NETLINK socket, opened in a chosen network namespace.
The native half of Linx.Netlink.Socket: opens an AF_NETLINK socket inside a given network namespace.
Linux process-lifecycle primitives — clone(2) with namespace flags, setns(2), execve(2), signal delivery and exit-status reporting — exposed through one GenServer per spawned child.
A pre-exec or transport-level failure from a Linx.Process session.
A snapshot of a Linx.Process session's state.
An opt-in, level-triggered reconcile loop over a single subsystem.
The plug-in contract that lets the generic Linx.Reconcile loop drive any reconcilable subsystem — deliberately minimal.
Linux seccomp ("SECure COMPuting") primitives — per-thread cBPF syscall-filter facilities exposed as Elixir verbs.
Fluent builder DSL for %Linx.Seccomp.Filter{}.
A structured error returned by Linx.Seccomp operations.
A compiled seccomp filter — what Linx.Seccomp.allow_list/2, deny_list/2, from_rules/1, and Linx.Seccomp.Builder.build/1 produce, and what Linx.Seccomp.install/2 consumes.
Linux kernel tunable parameters — the /proc/sys/ surface, the same knobs sysctl(8) reads and writes.
A single sysctl read by Linx.Sysctl.list/0 or Linx.Sysctl.list/1 — one key/value pair from the /proc/sys/ tree.
An error returned by a Linx.Sysctl operation.
NIF binding for Linx.Sysctl's cross-namespace verbs. Loads priv/linx_sysctl.so (built by the :linx_sysctl Mix compiler).
Single-shot declarative reconciliation for sysctls — observe, diff, apply once, and return what happened.
The outcome of one Linx.Sysctl.Reconcile.reconcile/3 pass.
Linx.Reconcile.Source adapter for sysctls — lets the generic Linx.Reconcile loop drive Linx.Sysctl.Reconcile.
Linux terminal / PTY primitives — /dev/tty access, termios(3) save and restore, tty ioctl(2) (window size), and the byte-pumping attach/2 that composes with Linx.Process's stdio: :pty to give the BEAM a docker attach experience.
A failure from one of Linx.Tty's terminal syscalls.
Opaque container for a saved termios(3) state.
The size of a terminal — rows, columns, and optional pixel dimensions. The shape of struct winsize from <sys/ioctl.h>.
Linux user-namespace configuration primitives — /proc/<pid>/uid_map, /proc/<pid>/gid_map, /proc/<pid>/setgroups.
An error returned by a Linx.User operation.
One uid/gid mapping entry from a user namespace's uid_map or gid_map.