# Linx v0.1.0 - Table of Contents

> Linux kernel interface primitives for Elixir: netlink/rtnetlink/nf_tables, process & namespace lifecycle, PTY, cgroup v2, mounts, user namespaces, capabilities, seccomp, and sysctl.

## Pages

- [Linx](readme.md)
- [License](license.md)

- Netlink
  - [Overview](netlink-overview.md)
  - [Examples](netlink-examples.md)
  - [References](netlink-references.md)

- Process
  - [Overview](process-overview.md)
  - [Examples](process-examples.md)
  - [References](process-references.md)

- Tty
  - [Overview](tty-overview.md)
  - [Examples](tty-examples.md)
  - [References](tty-references.md)

- Cgroup
  - [Overview](cgroup-overview.md)
  - [Examples](cgroup-examples.md)
  - [References](cgroup-references.md)

- Mount
  - [Overview](mount-overview.md)
  - [Examples](mount-examples.md)
  - [References](mount-references.md)

- User
  - [Overview](user-overview.md)
  - [Examples](user-examples.md)
  - [References](user-references.md)

- Capabilities
  - [Overview](capabilities-overview.md)
  - [Examples](capabilities-examples.md)
  - [References](capabilities-references.md)

- Seccomp
  - [Overview](seccomp-overview.md)
  - [Examples](seccomp-examples.md)
  - [References](seccomp-references.md)

- Sysctl
  - [Overview](sysctl-overview.md)
  - [Examples](sysctl-examples.md)
  - [References](sysctl-references.md)

- Netfilter
  - [Overview](netfilter-overview.md)
  - [Examples](netfilter-examples.md)
  - [References](netfilter-references.md)

- Reconcile
  - [Overview](reconcile-overview.md)
  - [Examples](reconcile-examples.md)

## Modules

- [Linx](Linx.md): Linux kernel-interface primitives for Elixir.
- [Linx.Cgroup.Reconcile](Linx.Cgroup.Reconcile.md): Single-shot declarative reconciliation for a cgroup's **resource limits** —
observe the interface files, diff against a desired set of knobs, apply once,
and return what happened.
- [Linx.Cgroup.Reconcile.Report](Linx.Cgroup.Reconcile.Report.md): The outcome of one `Linx.Cgroup.Reconcile.reconcile/4` pass.
- [Linx.Cgroup.Reconcile.Source](Linx.Cgroup.Reconcile.Source.md): `Linx.Reconcile.Source` adapter for cgroup limits — lets the generic
`Linx.Reconcile` loop drive `Linx.Cgroup.Reconcile`.
- [Linx.Netlink.Rtnl.Diff](Linx.Netlink.Rtnl.Diff.md): Per-resource diffs for rtnetlink — the minimal set of create / update /
delete operations that converge observed kernel state onto a desired state.
- [Linx.Netlink.Rtnl.Monitor](Linx.Netlink.Rtnl.Monitor.md): A GenServer that owns a multicast rtnetlink socket, decodes each broadcast
into a `Linx.Netlink.Rtnl.Monitor.Event`, and forwards it to an owner pid —
the `ip monitor` equivalent.
- [Linx.Netlink.Rtnl.Monitor.Event](Linx.Netlink.Rtnl.Monitor.Event.md): A single rtnetlink multicast notification decoded by
`Linx.Netlink.Rtnl.Monitor`.
- [Linx.Netlink.Rtnl.Reconcile](Linx.Netlink.Rtnl.Reconcile.md): Single-shot declarative reconciliation for rtnetlink — observe the kernel,
diff against a desired state, and apply the minimal change, in one
caller-driven pass scoped to the socket's network namespace.
- [Linx.Netlink.Rtnl.Reconcile.Report](Linx.Netlink.Rtnl.Reconcile.Report.md): The outcome of one `Linx.Netlink.Rtnl.Reconcile.reconcile/4` pass.
- [Linx.Netlink.Rtnl.Reconcile.Source](Linx.Netlink.Rtnl.Reconcile.Source.md): `Linx.Reconcile.Source` adapter for rtnetlink — lets the generic
`Linx.Reconcile` loop drive `Linx.Netlink.Rtnl.Reconcile` and
`Linx.Netlink.Rtnl.Monitor`.
- [Linx.Reconcile](Linx.Reconcile.md): An opt-in, level-triggered reconcile loop over a single subsystem.
- [Linx.Reconcile.Source](Linx.Reconcile.Source.md): The plug-in contract that lets the generic `Linx.Reconcile` loop drive any
reconcilable subsystem — deliberately minimal.
- [Linx.Sysctl.Reconcile](Linx.Sysctl.Reconcile.md): Single-shot declarative reconciliation for sysctls — observe, diff, apply
once, and return what happened.
- [Linx.Sysctl.Reconcile.Report](Linx.Sysctl.Reconcile.Report.md): The outcome of one `Linx.Sysctl.Reconcile.reconcile/3` pass.
- [Linx.Sysctl.Reconcile.Source](Linx.Sysctl.Reconcile.Source.md): `Linx.Reconcile.Source` adapter for sysctls — lets the generic
`Linx.Reconcile` loop drive `Linx.Sysctl.Reconcile`.

- Public types
  - [Linx.IP](Linx.IP.md): An IPv4 or IPv6 address.
  - [Linx.IP.Subnet](Linx.IP.Subnet.md): An IPv4 or IPv6 subnet — a network address and a prefix length, parsed
from CIDR notation.
  - [Linx.MAC](Linx.MAC.md): A 48-bit MAC (link-layer) address.

- Process
  - [Linx.Process](Linx.Process.md): Linux process-lifecycle primitives — `clone(2)` with namespace flags,
`setns(2)`, `execve(2)`, signal delivery and exit-status reporting —
exposed through one GenServer per spawned child.
  - [Linx.Process.Error](Linx.Process.Error.md): A pre-exec or transport-level failure from a `Linx.Process` session.
  - [Linx.Process.Info](Linx.Process.Info.md): A snapshot of a `Linx.Process` session's state.

- Tty
  - [Linx.Tty](Linx.Tty.md): Linux terminal / PTY primitives — `/dev/tty` access, `termios(3)`
save and restore, tty `ioctl(2)` (window size), and the byte-pumping
`attach/2` that composes with `Linx.Process`'s `stdio: :pty` to give
the BEAM a `docker attach` experience.
  - [Linx.Tty.Error](Linx.Tty.Error.md): A failure from one of `Linx.Tty`'s terminal syscalls.
  - [Linx.Tty.Native](Linx.Tty.Native.md): NIF binding for `Linx.Tty`. Loads `priv/linx_tty.so` (built by the
`:linx_tty` Mix compiler) and exposes the small set of `termios(3)`
/ `ioctl(2)` syscalls the public `Linx.Tty` module wraps.
  - [Linx.Tty.Saved](Linx.Tty.Saved.md): Opaque container for a saved `termios(3)` state.
  - [Linx.Tty.WindowSize](Linx.Tty.WindowSize.md): The size of a terminal — rows, columns, and optional pixel
dimensions. The shape of `struct winsize` from `<sys/ioctl.h>`.

- Cgroup
  - [Linx.Cgroup](Linx.Cgroup.md): cgroup v2 primitives — create a cgroup, place processes into it,
set resource limits, read counters, freeze and thaw.
  - [Linx.Cgroup.Error](Linx.Cgroup.Error.md): An error returned by a `Linx.Cgroup` operation.
  - [Linx.Cgroup.Stats](Linx.Cgroup.Stats.md): A snapshot of a cgroup's resource counters.

- Mount
  - [Linx.Mount](Linx.Mount.md): Linux filesystem-mount primitives — `mount(2)`, `umount2(2)`,
`pivot_root(2)`, and the read-side `/proc/.../mountinfo` parser.
  - [Linx.Mount.Entry](Linx.Mount.Entry.md): A single parsed line from `/proc/<pid>/mountinfo` — one mount in
the namespace's mount table.
  - [Linx.Mount.Error](Linx.Mount.Error.md): An error returned by a `Linx.Mount` operation.
  - [Linx.Mount.Native](Linx.Mount.Native.md): NIF binding for `Linx.Mount`. Loads `priv/linx_mount.so` (built by
the `:linx_mount` Mix compiler) and exposes the small set of
syscalls the public `Linx.Mount` module wraps: `mount(2)`,
`umount2(2)`, and `pivot_root(2)`.

- User
  - [Linx.User](Linx.User.md): Linux user-namespace configuration primitives — `/proc/<pid>/uid_map`,
`/proc/<pid>/gid_map`, `/proc/<pid>/setgroups`.
  - [Linx.User.Error](Linx.User.Error.md): An error returned by a `Linx.User` operation.
  - [Linx.User.Map](Linx.User.Map.md): One uid/gid mapping entry from a user namespace's `uid_map` or
`gid_map`.

- Capabilities
  - [Linx.Capabilities](Linx.Capabilities.md): Linux per-process capability primitives — the kernel's five
capability sets (effective, permitted, inheritable, bounding,
ambient) and the syscalls that manipulate them.
  - [Linx.Capabilities.Error](Linx.Capabilities.Error.md): An error returned by a `Linx.Capabilities` read operation.
  - [Linx.Capabilities.State](Linx.Capabilities.State.md): A snapshot of a process's five Linux capability sets.

- Seccomp
  - [Linx.Seccomp](Linx.Seccomp.md): Linux seccomp ("SECure COMPuting") primitives — per-thread cBPF
syscall-filter facilities exposed as Elixir verbs.
  - [Linx.Seccomp.Builder](Linx.Seccomp.Builder.md): Fluent builder DSL for `%Linx.Seccomp.Filter{}`.
  - [Linx.Seccomp.Error](Linx.Seccomp.Error.md): A structured error returned by `Linx.Seccomp` operations.
  - [Linx.Seccomp.Filter](Linx.Seccomp.Filter.md): A compiled seccomp filter — what `Linx.Seccomp.allow_list/2`,
`deny_list/2`, `from_rules/1`, and `Linx.Seccomp.Builder.build/1`
produce, and what `Linx.Seccomp.install/2` consumes.

- Sysctl
  - [Linx.Sysctl](Linx.Sysctl.md): Linux kernel tunable parameters — the `/proc/sys/` surface, the same
knobs `sysctl(8)` reads and writes.
  - [Linx.Sysctl.Entry](Linx.Sysctl.Entry.md): A single sysctl read by `Linx.Sysctl.list/0` or
`Linx.Sysctl.list/1` — one key/value pair from the `/proc/sys/`
tree.
  - [Linx.Sysctl.Error](Linx.Sysctl.Error.md): An error returned by a `Linx.Sysctl` operation.
  - [Linx.Sysctl.Native](Linx.Sysctl.Native.md): NIF binding for `Linx.Sysctl`'s cross-namespace verbs. Loads
`priv/linx_sysctl.so` (built by the `:linx_sysctl` Mix compiler).

- Netfilter
  - [Linx.Netfilter](Linx.Netfilter.md): Linux netfilter primitives — modern firewall (nf_tables) via the
`NETLINK_NETFILTER` netlink protocol family, plus live ruleset
monitoring and packet-event capture (NFLOG).
  - [Linx.Netfilter.Chain](Linx.Netfilter.Chain.md): An nftables chain — a named container of rules within a table.
  - [Linx.Netfilter.Decoder](Linx.Netfilter.Decoder.md): Converts kernel-side `%Linx.Netlink.Message{}` payloads back into
`%Linx.Netfilter.*{}` value structs.
  - [Linx.Netfilter.Diff](Linx.Netfilter.Diff.md): Structural diff between two `%Linx.Netfilter.Ruleset{}` values,
producing a `%Linx.Netfilter.Patch{}` of the minimum mutations
that turn one into the other.
  - [Linx.Netfilter.Encoder](Linx.Netfilter.Encoder.md): Converts `%Linx.Netfilter.*{}` value structs into the
`%Linx.Netlink.Message{}` shapes that ride inside a
`NFNL_MSG_BATCH_BEGIN` / `NFNL_MSG_BATCH_END` envelope.
  - [Linx.Netfilter.Error](Linx.Netfilter.Error.md): An error returned by a `Linx.Netfilter` operation.
  - [Linx.Netfilter.Event](Linx.Netfilter.Event.md): A single multicast event from `NFNLGRP_NFTABLES` — a
notification the kernel broadcasts after every successful
ruleset commit.
  - [Linx.Netfilter.Expr](Linx.Netfilter.Expr.md): A single netfilter expression — one node in a rule's expression
list.
  - [Linx.Netfilter.Flowtable](Linx.Netfilter.Flowtable.md): An nftables flowtable — a connection-offload fast path that
shortcuts the netfilter hooks for established flows.
  - [Linx.Netfilter.Log](Linx.Netfilter.Log.md): NFLOG listener — receives per-packet events from the kernel's
`NFNL_SUBSYS_ULOG` (sub-subsystem 4) for rules that include
`Linx.Netfilter.Expr.log/1`.
  - [Linx.Netfilter.Log.Event](Linx.Netfilter.Log.Event.md): A decoded NFLOG packet event.
  - [Linx.Netfilter.Map](Linx.Netfilter.Map.md): An nftables map — a set with associated data per element.
  - [Linx.Netfilter.Monitor](Linx.Netfilter.Monitor.md): A GenServer that owns a multicast nfnetlink socket subscribed to
`NFNLGRP_NFTABLES`, decodes each broadcast message into a
`%Linx.Netfilter.Event{}`, and forwards it to the owner pid.
  - [Linx.Netfilter.Object](Linx.Netfilter.Object.md): An nftables named object — counters, quotas, limits, ct helpers,
ct timeouts, secmarks, synproxies.
  - [Linx.Netfilter.Patch](Linx.Netfilter.Patch.md): An ordered sequence of mutations that transforms one
`%Linx.Netfilter.Ruleset{}` into another.
  - [Linx.Netfilter.Rule](Linx.Netfilter.Rule.md): A single nftables rule — an ordered list of expressions that the
kernel evaluates against each packet visiting the rule's chain.
  - [Linx.Netfilter.Ruleset](Linx.Netfilter.Ruleset.md): The top-level netfilter value type — a netns-shaped collection of
tables (and everything inside them) as plain data.
  - [Linx.Netfilter.Set](Linx.Netfilter.Set.md): An nftables set — a named collection of elements with a uniform
key type, used for O(1) lookups in rules.
  - [Linx.Netfilter.Table](Linx.Netfilter.Table.md): An nftables table — the top-level container for chains, sets,
maps, objects, and flowtables, scoped to one family.
  - [Linx.Netfilter.Verdict](Linx.Netfilter.Verdict.md): A netfilter verdict — the terminal result of a rule's evaluation.
  - [Linx.Netfilter.Vmap](Linx.Netfilter.Vmap.md): Constructor sugar for verdict maps — a `Linx.Netfilter.Map` with
`:data_type` fixed to `:verdict`.
  - [Linx.Netfilter.Wire](Linx.Netfilter.Wire.md): Kernel-side numeric constants for `Linx.Netfilter`'s wire codec —
message opcodes, attribute IDs, hook numbers, flag bitmasks,
named priorities.

- Netfilter — ~NFT sigil
  - [Linx.NFT](Linx.NFT.md): The public entry point for the `~NFT` sigil and the file-mode
parser. Plumbs source → `Linx.NFT.Tokenizer` →
`Linx.NFT.Parser` → `Linx.NFT.Compiler` →
`%Linx.Netfilter.Ruleset{}`, plus a canonical emit going the
other way (`format/1`).
  - [Linx.NFT.Compiler](Linx.NFT.Compiler.md): AST → `%Linx.Netfilter.Ruleset{}` translation.
  - [Linx.NFT.Formatter](Linx.NFT.Formatter.md): Canonical-emit pretty-printer for `%Linx.Netfilter.Ruleset{}`.
  - [Linx.NFT.ParseError](Linx.NFT.ParseError.md): Syntax error raised by the `~NFT` sigil, by `Linx.NFT.parse/1` /
`parse_file/1`, and by the AST-walker compiler.
  - [Linx.NFT.Parser](Linx.NFT.Parser.md): Recursive-descent parser over a token stream produced by
`Linx.NFT.Tokenizer`. Builds a small internal AST that
`Linx.NFT.Compiler` later walks and translates into calls on the
`Linx.Netfilter.Ruleset` validator-setter surface (the same
surface the pipeline DSL uses — no parallel validation layer).
  - [Linx.NFT.Runtime](Linx.NFT.Runtime.md): Runtime helpers for `~NFT` sigils that contain `#{...}`
interpolations.
  - [Linx.NFT.RuntimeCompiler](Linx.NFT.RuntimeCompiler.md): AST → Elixir AST (quoted code) translation for `~NFT` sigil
bodies that contain `#{...}` interpolations.
  - [Linx.NFT.Tokenizer](Linx.NFT.Tokenizer.md): Char-by-char lexer for the `~NFT` sigil and `.nft` files.

- Netlink core
  - [Linx.Netlink](Linx.Netlink.md): Netlink for Elixir — a client for the Linux kernel's `AF_NETLINK` interface.
  - [Linx.Netlink.Attr](Linx.Netlink.Attr.md): Encoding and decoding of netlink attributes — the type-length-value (TLV)
elements that carry a message's variable-length data.
  - [Linx.Netlink.Codec](Linx.Netlink.Codec.md): A small DSL for defining netlink message codecs.
  - [Linx.Netlink.Constants](Linx.Netlink.Constants.md): Family-agnostic netlink constants — values from the core netlink ABI
(`include/uapi/linux/netlink.h`) that every protocol family shares.
  - [Linx.Netlink.Error](Linx.Netlink.Error.md): An error returned by the kernel in response to a netlink request.
  - [Linx.Netlink.Message](Linx.Netlink.Message.md): A netlink message — the `nlmsghdr` header (`include/uapi/linux/netlink.h`)
and its payload — and the framing codec for it.
  - [Linx.Netlink.Request](Linx.Netlink.Request.md): The synchronous request engine: send one netlink request and collect the
kernel's reply.
  - [Linx.Netlink.Socket](Linx.Netlink.Socket.md): An `AF_NETLINK` socket, opened in a chosen network namespace.
  - [Linx.Netlink.Socket.Native](Linx.Netlink.Socket.Native.md): The native half of `Linx.Netlink.Socket`: opens an `AF_NETLINK` socket
*inside* a given network namespace.

- nfnetlink
  - [Linx.Netlink.Nfnl](Linx.Netlink.Nfnl.md): nfnetlink (`NETLINK_NETFILTER`) — the kernel's netfilter-control
interface: nf_tables (the modern firewall), conntrack, NFLOG, NFQUEUE.
  - [Linx.Netlink.Nfnl.Codec](Linx.Netlink.Nfnl.Codec.md): Wire-format helpers for nfnetlink (`NETLINK_NETFILTER`, protocol 12).

- rtnetlink
  - [Linx.Netlink.Rtnl](Linx.Netlink.Rtnl.md): rtnetlink (`NETLINK_ROUTE`) — the kernel's networking-stack interface:
links, addresses, routes and neighbours.
  - [Linx.Netlink.Rtnl.Address](Linx.Netlink.Rtnl.Address.md): rtnetlink interface addresses — the `RTM_*ADDR` messages.
  - [Linx.Netlink.Rtnl.Link](Linx.Netlink.Rtnl.Link.md): rtnetlink network links (interfaces) — the `RTM_*LINK` messages.
  - [Linx.Netlink.Rtnl.LinkInfo](Linx.Netlink.Rtnl.LinkInfo.md): `IFLA_LINKINFO` — a link's kind and kind-specific data.
  - [Linx.Netlink.Rtnl.LinkInfo.Ipvlan](Linx.Netlink.Rtnl.LinkInfo.Ipvlan.md): `IFLA_INFO_DATA` for an `ipvlan` link — the per-kind data inside
`IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.LinkInfo.Macvlan](Linx.Netlink.Rtnl.LinkInfo.Macvlan.md): `IFLA_INFO_DATA` for a `macvlan` link — the per-kind data inside
`IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.LinkInfo.Veth](Linx.Netlink.Rtnl.LinkInfo.Veth.md): `IFLA_INFO_DATA` for a `veth` link — the per-kind data inside
`IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.LinkInfo.Vlan](Linx.Netlink.Rtnl.LinkInfo.Vlan.md): `IFLA_INFO_DATA` for a `vlan` link — the per-kind data inside
`IFLA_LINKINFO`.
  - [Linx.Netlink.Rtnl.Neighbour](Linx.Netlink.Rtnl.Neighbour.md): rtnetlink neighbours — the kernel's ARP (IPv4) and NDP (IPv6) tables.
  - [Linx.Netlink.Rtnl.Route](Linx.Netlink.Rtnl.Route.md): rtnetlink routes — the `RTM_*ROUTE` messages.
  - [Linx.Netlink.Rtnl.Rule](Linx.Netlink.Rtnl.Rule.md): rtnetlink policy-routing rules — the FIB rules that decide which routing
table to consult for a given packet, based on source address, destination,
firewall mark and so on.
  - [Linx.Netlink.Rtnl.Stats](Linx.Netlink.Rtnl.Stats.md): rtnetlink interface statistics — the `RTM_GETSTATS` reads.
  - [Linx.Netlink.Rtnl.Stats.Link64](Linx.Netlink.Rtnl.Stats.Link64.md): Per-interface counters as the kernel reports them in
`IFLA_STATS_LINK_64` — `struct rtnl_link_stats64`, a packed array of
64-bit counters defined in `include/uapi/linux/if_link.h`.

