References

The kernel docs, man pages, source files, and external designs this subsystem encodes or learns from. Cite specific sections in the source when interpretation is non-obvious.

Kernel UAPI headers (authoritative wire format)

• include/uapi/linux/netfilter/nf_tables.h — every nftables message type (enum nf_tables_msg_types), attribute tag (`NFTA*`), expression name, set/map type, chain type, hook number, verdict code. The single most-cited file in the codec.
• include/uapi/linux/netfilter/nfnetlink.h — struct nfgenmsg, sub-subsystem ids, multicast groups (NFNLGRP_*), batch envelope types (NFNL_MSG_BATCH_BEGIN/END), batch attributes (NFNL_BATCH_GENID).
• include/uapi/linux/netfilter/nfnetlink_log.h — NFLOG message types (NFULNL_MSG_PACKET / CONFIG), per-packet attributes (NFULA_*), config commands (NFULNL_CFG_CMD_*).
• include/uapi/linux/netfilter/nfnetlink_queue.h — NFQUEUE (deferred milestone; reference for completeness).
• include/uapi/linux/netfilter/nfnetlink_conntrack.h — ctnetlink (deferred milestone).
• include/uapi/linux/netlink.h — NETLINK_NETFILTER protocol number (12), NLMSGERR_ATTR_* extended-ack attributes (NLMSGERR_ATTR_MSG, _OFFS, _COOKIE).

Kernel documentation

• Documentation/networking/netlink_spec/nftables — generated reference from the YAML netlink spec; the authoritative wire-format document for nf_tables messages. Updated per kernel release.
• Documentation/networking/nf_flowtable — flowtable fast-path architecture, hardware offload story.

Man pages

• nft(8) — userspace tool reference; the grammar ~NFT parses is the one documented here.
• libnftables(3) — official C library API; cross-reference for the JSON schema even though we don't use it.
• libnftables-json(5) — JSON schema documentation; useful as a structural cross-reference for the AST shape.

Community references (wiki.nftables.org)

• Main Page — entry point.
• Quick reference — nftables in 10 minutes — the syntax tour everyone reads first.
• Configuring tables
• Configuring chains
• Performing NAT
• Sets / Maps / Verdict Maps (vmaps) / Concatenations
• Meters / dynamic sets
• Matching conntrack metainformation
• Setting conntrack metainformation
• Conntrack helpers
• Logging traffic
• Flowtables
• Scripting — nftables.conf file conventions; reference for the ~NFT / Linx.NFT.Conf parser scope.
• List of updates since Linux kernel 3.13 — per-version feature additions; lookup table for kernel-floor decisions.
• Portal:DeveloperDocs/nftables internals — wire-format internals; the right reading list for codec implementers.

nftables source (grammar reference for ~NFT)

• src/parser_bison.y — full bison grammar, ~6,594 lines, ~471 left-hand-side non-terminals. The reference for what ~NFT parses (subset) and emits.
• src/scanner.l — flex lexer with 50+ start conditions; reference for Linx.NFT.Tokenizer's start-condition stack.
• libnftnl — readable netlink-message construction reference (we don't link it, but it's the canonical implementation of the wire format).

HEEx implementation (model for ~NFT)

• phoenix_live_view/lib/phoenix_live_view/tag_engine/tokenizer.ex (~773 LOC) — the char-by-char tokenizer pattern Linx.NFT.Tokenizer mirrors.
• phoenix_live_view/lib/phoenix_live_view/tag_engine/parser.ex (~731 LOC) — the token-stream parser pattern.
• phoenix_live_view/lib/phoenix_live_view/tag_engine/compiler.ex (~1348 LOC) — the AST-to-compiled-Elixir pattern.
• phoenix_live_view/lib/phoenix_live_view/html_formatter.ex (~657 LOC) — mix format plugin reference for the formatter.

Production-shape references

• Kubernetes blog — nftables kube-proxy mode (Feb 2025) — the canonical "scalable NAT via nftables" design: vmaps with concatenated keys for service dispatch. The shape Linx.Netfilter should make ergonomic.
• ulogd2 documentation — reference NFLOG consumer; useful for understanding per-group worker patterns and qthresh / timeout tuning.
• firewalld nftables backend (2019 post-mortem) — large-scale nftables consumer; informative on edge cases of the JSON form (which Linx avoids).
• Hairpin NAT with nftables — chromic.org — the DNAT+SNAT pattern Linx.Netfilter examples will document.

Adjacent userspace tooling

• nft (the CLI) — userspace tool; everything Linx.Netfilter does could alternatively be done via nft. We don't shell to it; the point of Linx is to be the in-Elixir equivalent.
• google/nftables (Go) — pure-Go reimplementation of libnftnl. Closest precedent for what we're building. ~15 kloc; informative for sizing the codec milestones.
• nftnl-rs / nftables-rs (Rust) — low-level netlink and JSON-shim respectively.
• nftables on hex.pm — pre-existing Elixir wrapper (libnftables JSON via a Zig port); different architecture from Linx, but useful prior art to know about.

In-repo cross-references

• Linx.Netlink — Linx.Netlink.Rtnl's codec DSL + socket plumbing; Linx.Netlink.Nfnl mirrors the family-specific parts for netfilter.
• Linx.Seccomp — the value-type-with-codec precedent (%Linx.Seccomp.Filter{} is the small-scale version of what %Linx.Netfilter.Ruleset{} is at large scale).
• Linx.Process — the checkpoint composition story; every cross-namespace verb (Mount, User, Capabilities, Seccomp, Sysctl, Netfilter) hooks in the same way.
• Linx.Sysctl — the most recent "build a subsystem from scratch" template; Netfilter's milestone shape borrows from it.