nftables-napi 0.0.1

package/src/netlink/nl_socket.cpp

@@ -0,0 +1,117 @@
+#include "nl_socket.h"
+
+extern "C" {
+#include <linux/netfilter/nfnetlink.h>
+}
+
+#include <cerrno>
+#include <cstring>
+#include <sys/socket.h>
+
+static constexpr size_t RECV_BUF_SIZE = 16384;
+
+// Custom NLMSG_ERROR handler for mnl_cb_run2.
+// Returns MNL_CB_OK for success ACKs and ignored ENOENT errors,
+// allowing mnl_cb_run2 to continue processing all messages in buffer.
+// Returns MNL_CB_ERROR for real errors.
+struct BatchRecvCtx {
+    bool ignore_enoent;
+    bool has_error;
+    int error_code;
+};
+
+static int batch_error_cb(const struct nlmsghdr* nlh, void* data) {
+    auto* ctx = static_cast<BatchRecvCtx*>(data);
+
+    if (nlh->nlmsg_len < mnl_nlmsg_size(sizeof(struct nlmsgerr))) {
+        ctx->has_error = true;
+        ctx->error_code = EBADMSG;
+        errno = EBADMSG;
+        return MNL_CB_ERROR;
+    }
+
+    auto* err = static_cast<struct nlmsgerr*>(mnl_nlmsg_get_payload(nlh));
+
+    if (err->error == 0)
+        return MNL_CB_OK; // success ACK — continue
+
+    if (ctx->ignore_enoent && err->error == -ENOENT)
+        return MNL_CB_OK; // ignored error — continue
+
+    ctx->has_error = true;
+    ctx->error_code = -err->error;
+    errno = -err->error;
+    return MNL_CB_ERROR;
+}
+
+NlSocket::NlSocket() : nl_(nullptr), portid_(0) {
+    nl_ = mnl_socket_open(NETLINK_NETFILTER);
+    if (!nl_)
+        return;
+
+    if (mnl_socket_bind(nl_, 0, MNL_SOCKET_AUTOPID) < 0) {
+        mnl_socket_close(nl_);
+        nl_ = nullptr;
+        return;
+    }
+
+    // Tune socket buffers for bulk batch operations.
+    // Failures are non-fatal; the kernel may cap at rmem_max/wmem_max.
+    static constexpr int SOCK_BUF_SIZE = 256 * 1024;
+    int fd = mnl_socket_get_fd(nl_);
+    // Non-fatal: kernel may reject buffer size increase
+    (void)setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &SOCK_BUF_SIZE, sizeof(SOCK_BUF_SIZE));
+    (void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &SOCK_BUF_SIZE, sizeof(SOCK_BUF_SIZE));
+
+    portid_ = mnl_socket_get_portid(nl_);
+}
+
+NlSocket::~NlSocket() {
+    if (nl_)
+        mnl_socket_close(nl_);
+}
+
+bool NlSocket::is_valid() const {
+    return nl_ != nullptr;
+}
+
+NlResult NlSocket::send_batch(struct mnl_nlmsg_batch* batch, bool ignore_enoent) {
+    ssize_t sent = mnl_socket_sendto(nl_,
+                                     mnl_nlmsg_batch_head(batch),
+                                     mnl_nlmsg_batch_size(batch));
+    if (sent < 0)
+        return {false, std::string("mnl_socket_sendto: ") + strerror(errno)};
+
+    BatchRecvCtx ctx{ignore_enoent, false, 0};
+
+    // Custom control callback array: override only NLMSG_ERROR (index 2).
+    // Array size = NLMSG_ERROR + 1 = 3, so NLMSG_DONE (3) and others
+    // fall through to default mnl handling.
+    mnl_cb_t cb_ctl[NLMSG_ERROR + 1] = {};
+    cb_ctl[NLMSG_ERROR] = batch_error_cb;
+
+    int fd = mnl_socket_get_fd(nl_);
+    char recv_buf[RECV_BUF_SIZE];
+
+    // First read: blocking (kernel response should arrive promptly)
+    ssize_t ret = mnl_socket_recvfrom(nl_, recv_buf, sizeof(recv_buf));
+    if (ret < 0)
+        return {false, std::string("mnl_socket_recvfrom: ") + strerror(errno)};
+    while (ret > 0) {
+        int cb_ret = mnl_cb_run2(recv_buf, static_cast<size_t>(ret), 0, portid_,
+                                  nullptr, &ctx, cb_ctl, NLMSG_ERROR + 1);
+        if (cb_ret <= 0)
+            break;
+
+        // Non-blocking read for remaining kernel responses
+        ret = recv(fd, recv_buf, sizeof(recv_buf), MSG_DONTWAIT);
+    }
+
+    // Drain any leftover messages to keep socket clean for next operation
+    while (recv(fd, recv_buf, sizeof(recv_buf), MSG_DONTWAIT) > 0) {}
+
+    if (ctx.has_error)
+        return {false, std::string("batch error: ") + strerror(ctx.error_code)};
+
+    return {true, ""};
+}

package/src/netlink/nl_socket.h

@@ -0,0 +1,28 @@
+#pragma once
+
+extern "C" {
+#include <libmnl/libmnl.h>
+}
+
+#include <cstdint>
+
+#include "nl_result.h"
+
+class NlSocket {
+public:
+    NlSocket();
+    ~NlSocket();
+
+    NlSocket(const NlSocket&) = delete;
+    NlSocket& operator=(const NlSocket&) = delete;
+    NlSocket(NlSocket&&) = delete;
+    NlSocket& operator=(NlSocket&&) = delete;
+
+    bool is_valid() const;
+
+    NlResult send_batch(struct mnl_nlmsg_batch* batch, bool ignore_enoent = false);
+
+private:
+    struct mnl_socket* nl_;
+    uint32_t portid_;
+};

package/src/netlink/operation.h

@@ -0,0 +1,11 @@
+#pragma once
+
+#include "nl_result.h"
+
+class NlSocket;
+
+class NlOperation {
+public:
+    virtual ~NlOperation() = default;
+    virtual NlResult execute(NlSocket& sock) = 0;
+};

package/src/netlink/parsed_addr.h

@@ -0,0 +1,14 @@
+#pragma once
+
+#include <cstdint>
+
+struct ParsedAddr {
+    uint32_t family;       // nft::FAMILY_IPV4 or nft::FAMILY_IPV6 (== NFPROTO_IPV4/IPV6)
+    uint8_t bytes[16];
+    uint32_t len;          // 4 for IPv4, 16 for IPv6
+};
+
+namespace nft {
+inline constexpr uint32_t FAMILY_IPV4 = 2;
+inline constexpr uint32_t FAMILY_IPV6 = 10;
+} // namespace nft

package/src/netlink/set_ops.cpp

@@ -0,0 +1,113 @@
+#include "set_ops.h"
+#include "nftnl_raii.h"
+#include "nl_batch.h"
+#include "nl_socket.h"
+#include "constants.h"
+#include "nft_config.h"
+
+extern "C" {
+#include <libnftnl/set.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+}
+
+#include <algorithm>
+
+using namespace nft;
+
+static_assert(nft::FAMILY_IPV4 == NFPROTO_IPV4, "nft::FAMILY_IPV4 must match NFPROTO_IPV4");
+static_assert(nft::FAMILY_IPV6 == NFPROTO_IPV6, "nft::FAMILY_IPV6 must match NFPROTO_IPV6");
+
+enum class SetElemAction { Add, Del };
+
+static NlResult bulk_set_elem_op(
+    const std::vector<ParsedAddr>& addrs,
+    NlSocket& sock,
+    SetElemAction action,
+    const nft::NftConfig& cfg,
+    nft::TargetSet target,
+    uint64_t timeout_ms = 0)
+{
+    // Partition by family
+    std::vector<const ParsedAddr*> v4, v6;
+    for (const auto& a : addrs) {
+        if (a.family == NFPROTO_IPV4) v4.push_back(&a);
+        else v6.push_back(&a);
+    }
+
+    const uint16_t msg_type = (action == SetElemAction::Add)
+        ? NFT_MSG_NEWSETELEM : NFT_MSG_DELSETELEM;
+    const uint16_t flags = (action == SetElemAction::Add)
+        ? (NLM_F_CREATE | NLM_F_ACK) : NLM_F_ACK;
+    const bool ignore_enoent = (action == SetElemAction::Del);
+
+    // Helper lambda to process one family
+    auto process = [&](uint32_t family, const std::vector<const ParsedAddr*>& family_addrs) -> NlResult {
+        if (family_addrs.empty()) return {true, ""};
+
+        const char* table = (family == NFPROTO_IPV4)
+            ? cfg.table_v4.c_str() : cfg.table_v6.c_str();
+        const char* set_name = (family == NFPROTO_IPV4)
+            ? cfg.resolve_set_v4(target).c_str()
+            : cfg.resolve_set_v6(target).c_str();
+        uint32_t key_type = (family == NFPROTO_IPV4) ? DATATYPE_IPADDR : DATATYPE_IP6ADDR;
+        uint32_t key_len = (family == NFPROTO_IPV4) ? IPV4_ADDR_LEN : IPV6_ADDR_LEN;
+
+        for (size_t offset = 0; offset < family_addrs.size(); offset += BULK_CHUNK_SIZE) {
+            size_t end = std::min(offset + static_cast<size_t>(BULK_CHUNK_SIZE), family_addrs.size());
+
+            auto s = nft::make_set();
+            if (!s) return {false, "nftnl_set_alloc failed"};
+
+            nftnl_set_set_str(s.get(), NFTNL_SET_TABLE, table);
+            nftnl_set_set_str(s.get(), NFTNL_SET_NAME, set_name);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_FAMILY, family);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_TYPE, key_type);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_LEN, key_len);
+
+            for (size_t i = offset; i < end; ++i) {
+                auto* e = nftnl_set_elem_alloc();
+                if (!e) return {false, "nftnl_set_elem_alloc failed"};
+                nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, family_addrs[i]->bytes, family_addrs[i]->len);
+                if (timeout_ms > 0) {
+                    nftnl_set_elem_set_u64(e, NFTNL_SET_ELEM_TIMEOUT, timeout_ms);
+                }
+                nftnl_set_elem_add(s.get(), e); // set owns e now
+            }
+
+            NlBatch batch;
+            if (!batch.is_valid()) return {false, "failed to allocate batch"};
+
+            auto* nlh = batch.add_msg(msg_type, family, flags);
+            if (!nlh) return {false, "failed to add message to batch"};
+            nftnl_set_elems_nlmsg_build_payload(nlh, s.get());
+
+            if (!batch.advance()) return {false, "batch buffer full"};
+
+            NlResult res = batch.execute(sock, ignore_enoent);
+            if (!res.success) return res;
+        }
+        return {true, ""};
+    };
+
+    NlResult res = process(NFPROTO_IPV4, v4);
+    if (!res.success) return res;
+    return process(NFPROTO_IPV6, v6);
+}
+
+BulkAddSetElemOp::BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
+                                   std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target)
+    : addrs_(std::move(addrs)), timeout_ms_(timeout_ms),
+      cfg_(std::move(config)), target_(target) {}
+
+NlResult BulkAddSetElemOp::execute(NlSocket& sock) {
+    return bulk_set_elem_op(addrs_, sock, SetElemAction::Add, *cfg_, target_, timeout_ms_);
+}
+
+BulkDelSetElemOp::BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
+                                   std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target)
+    : addrs_(std::move(addrs)), cfg_(std::move(config)), target_(target) {}
+
+NlResult BulkDelSetElemOp::execute(NlSocket& sock) {
+    return bulk_set_elem_op(addrs_, sock, SetElemAction::Del, *cfg_, target_);
+}

package/src/netlink/set_ops.h

@@ -0,0 +1,32 @@
+#pragma once
+
+#include "operation.h"
+#include "nft_config.h"
+#include "parsed_addr.h"
+#include <memory>
+#include <vector>
+
+class BulkAddSetElemOp final : public NlOperation {
+public:
+    BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
+                     std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::vector<ParsedAddr> addrs_;
+    uint64_t timeout_ms_;
+    std::shared_ptr<const nft::NftConfig> cfg_;
+    nft::TargetSet target_;
+};
+
+class BulkDelSetElemOp final : public NlOperation {
+public:
+    BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
+                     std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::vector<ParsedAddr> addrs_;
+    std::shared_ptr<const nft::NftConfig> cfg_;
+    nft::TargetSet target_;
+};

package/src/netlink/table_ops.cpp

@@ -0,0 +1,221 @@
+#include "table_ops.h"
+#include "nftnl_raii.h"
+#include "nl_batch.h"
+#include "nl_socket.h"
+#include "constants.h"
+#include "nft_config.h"
+
+extern "C" {
+#include <libnftnl/table.h>
+#include <libnftnl/chain.h>
+#include <libnftnl/set.h>
+#include <libnftnl/rule.h>
+#include <libnftnl/expr.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+}
+
+using namespace nft;
+
+static bool add_table(NlBatch& batch, uint32_t family, const char* name,
+                      uint16_t msg_type, uint16_t extra_flags) {
+    auto t = nft::make_table();
+    if (!t) return false;
+    nftnl_table_set_u32(t.get(), NFTNL_TABLE_FAMILY, family);
+    nftnl_table_set_str(t.get(), NFTNL_TABLE_NAME, name);
+    struct nlmsghdr* nlh = batch.add_msg(msg_type, family, NLM_F_ACK | extra_flags);
+    if (!nlh) return false;
+    nftnl_table_nlmsg_build_payload(nlh, t.get());
+    return batch.advance();
+}
+
+static bool add_chain(NlBatch& batch, uint32_t family, const char* table,
+                      const char* name, uint32_t hooknum) {
+    auto c = nft::make_chain();
+    if (!c) return false;
+    nftnl_chain_set_str(c.get(), NFTNL_CHAIN_TABLE, table);
+    nftnl_chain_set_str(c.get(), NFTNL_CHAIN_NAME, name);
+    nftnl_chain_set_u32(c.get(), NFTNL_CHAIN_HOOKNUM, hooknum);
+    nftnl_chain_set_s32(c.get(), NFTNL_CHAIN_PRIO, CHAIN_PRIORITY);
+    nftnl_chain_set_u32(c.get(), NFTNL_CHAIN_POLICY, NF_ACCEPT);
+    nftnl_chain_set_str(c.get(), NFTNL_CHAIN_TYPE, CHAIN_TYPE_FILTER);
+    struct nlmsghdr* nlh = batch.add_msg(NFT_MSG_NEWCHAIN, family, NLM_F_CREATE | NLM_F_ACK);
+    if (!nlh) return false;
+    nftnl_chain_nlmsg_build_payload(nlh, c.get());
+    return batch.advance();
+}
+
+static bool add_set(NlBatch& batch, uint32_t family, const char* table,
+                    const char* name, uint32_t key_type, uint32_t key_len,
+                    uint32_t set_id) {
+    auto s = nft::make_set();
+    if (!s) return false;
+    nftnl_set_set_str(s.get(), NFTNL_SET_TABLE, table);
+    nftnl_set_set_str(s.get(), NFTNL_SET_NAME, name);
+    nftnl_set_set_u32(s.get(), NFTNL_SET_FAMILY, family);
+    nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_TYPE, key_type);
+    nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_LEN, key_len);
+    nftnl_set_set_u32(s.get(), NFTNL_SET_FLAGS, NFT_SET_TIMEOUT);
+    nftnl_set_set_u32(s.get(), NFTNL_SET_ID, set_id);
+    struct nlmsghdr* nlh = batch.add_msg(NFT_MSG_NEWSET, family, NLM_F_CREATE | NLM_F_ACK);
+    if (!nlh) return false;
+    nftnl_set_nlmsg_build_payload(nlh, s.get());
+    return batch.advance();
+}
+
+static bool add_expr_payload(struct nftnl_rule* r, uint32_t base, uint32_t dreg,
+                             uint32_t offset, uint32_t len) {
+    struct nftnl_expr* e = nftnl_expr_alloc("payload");
+    if (!e) return false;
+    nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base);
+    nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg);
+    nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset);
+    nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len);
+    nftnl_rule_add_expr(r, e);
+    return true;
+}
+
+static bool add_expr_lookup(struct nftnl_rule* r, const char* set_name, uint32_t sreg) {
+    struct nftnl_expr* e = nftnl_expr_alloc("lookup");
+    if (!e) return false;
+    nftnl_expr_set_str(e, NFTNL_EXPR_LOOKUP_SET, set_name);
+    nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_SREG, sreg);
+    nftnl_rule_add_expr(r, e);
+    return true;
+}
+
+static bool add_expr_log(struct nftnl_rule* r, const char* prefix) {
+    struct nftnl_expr* e = nftnl_expr_alloc("log");
+    if (!e) return false;
+    nftnl_expr_set_str(e, NFTNL_EXPR_LOG_PREFIX, prefix);
+    nftnl_rule_add_expr(r, e);
+    return true;
+}
+
+static bool add_expr_drop(struct nftnl_rule* r) {
+    struct nftnl_expr* e = nftnl_expr_alloc("immediate");
+    if (!e) return false;
+    nftnl_expr_set_u32(e, NFTNL_EXPR_IMM_DREG, NFT_REG_VERDICT);
+    nftnl_expr_set_u32(e, NFTNL_EXPR_IMM_VERDICT, NF_DROP);
+    nftnl_rule_add_expr(r, e);
+    return true;
+}
+
+// Helper: creates a rule with table/chain/family metadata, calls build_exprs
+// to populate expressions, then adds to batch. Returns false on any failure.
+template<typename F>
+static bool add_rule_with(NlBatch& batch, uint32_t family, const char* table,
+                          const char* chain, F build_exprs) {
+    auto r = nft::make_rule();
+    if (!r) return false;
+    nftnl_rule_set_str(r.get(), NFTNL_RULE_TABLE, table);
+    nftnl_rule_set_str(r.get(), NFTNL_RULE_CHAIN, chain);
+    nftnl_rule_set_u32(r.get(), NFTNL_RULE_FAMILY, family);
+
+    if (!build_exprs(r.get())) return false;
+
+    struct nlmsghdr* nlh = batch.add_msg(NFT_MSG_NEWRULE, family,
+                                          NLM_F_CREATE | NLM_F_APPEND | NLM_F_ACK);
+    if (!nlh) return false;
+    nftnl_rule_nlmsg_build_payload(nlh, r.get());
+    return batch.advance();
+}
+
+static bool add_rule(NlBatch& batch, uint32_t family, const char* table,
+                     const char* chain, const char* set_name,
+                     uint32_t payload_offset, uint32_t addr_len,
+                     const char* log_prefix) {
+    return add_rule_with(batch, family, table, chain, [&](nftnl_rule* r) {
+        return add_expr_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1, payload_offset, addr_len)
+            && add_expr_lookup(r, set_name, NFT_REG_1)
+            && add_expr_log(r, log_prefix)
+            && add_expr_drop(r);
+    });
+}
+
+CreateTableOp::CreateTableOp(std::shared_ptr<const nft::NftConfig> config)
+    : cfg_(std::move(config)) {}
+
+NlResult CreateTableOp::execute(NlSocket& sock) {
+    {
+        NlBatch batch;
+        if (!batch.is_valid())
+            return {false, "failed to allocate batch"};
+        if (!add_table(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), NFT_MSG_DELTABLE, 0)
+            || !add_table(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), NFT_MSG_DELTABLE, 0))
+            return {false, "failed to build delete-tables batch"};
+        NlResult res = batch.execute(sock, true);
+        if (!res.success) return res;
+    }
+
+    NlBatch batch;
+    if (!batch.is_valid())
+        return {false, "failed to allocate batch"};
+
+    uint32_t sid = 0;
+
+    if (!add_table(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), NFT_MSG_NEWTABLE, NLM_F_CREATE)
+        || !add_table(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), NFT_MSG_NEWTABLE, NLM_F_CREATE))
+        return {false, "failed to build tables"};
+
+    // Blacklist sets
+    if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), cfg_->set_v4.c_str(),
+                 DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
+        || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), cfg_->set_v6.c_str(),
+                    DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
+        return {false, "failed to build blacklist sets"};
+
+    // Droplist sets
+    if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), cfg_->drop_set_v4.c_str(),
+                 DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
+        || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), cfg_->drop_set_v6.c_str(),
+                    DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
+        return {false, "failed to build droplist sets"};
+
+    if (!add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT, NF_INET_LOCAL_IN)
+        || !add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD, NF_INET_FORWARD)
+        || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT, NF_INET_LOCAL_IN)
+        || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD, NF_INET_FORWARD))
+        return {false, "failed to build chains"};
+
+    const char* bl_lp = cfg_->blacklist_log_prefix.c_str();
+
+    // Blacklist rules
+    if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
+                  cfg_->set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, bl_lp)
+        || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
+                     cfg_->set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, bl_lp)
+        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
+                     cfg_->set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, bl_lp)
+        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
+                     cfg_->set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, bl_lp))
+        return {false, "failed to build blacklist rules"};
+
+    const char* dl_lp = cfg_->droplist_log_prefix.c_str();
+
+    // Droplist rules
+    if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
+                  cfg_->drop_set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, dl_lp)
+        || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
+                     cfg_->drop_set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, dl_lp)
+        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
+                     cfg_->drop_set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, dl_lp)
+        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
+                     cfg_->drop_set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, dl_lp))
+        return {false, "failed to build droplist rules"};
+
+    return batch.execute(sock);
+}
+
+DeleteTableOp::DeleteTableOp(std::shared_ptr<const nft::NftConfig> config)
+    : cfg_(std::move(config)) {}
+
+NlResult DeleteTableOp::execute(NlSocket& sock) {
+    NlBatch batch;
+    if (!batch.is_valid())
+        return {false, "failed to allocate batch"};
+    if (!add_table(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), NFT_MSG_DELTABLE, 0)
+        || !add_table(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), NFT_MSG_DELTABLE, 0))
+        return {false, "failed to build delete-tables batch"};
+    return batch.execute(sock, true);
+}

package/src/netlink/table_ops.h

@@ -0,0 +1,23 @@
+#pragma once
+
+#include "operation.h"
+#include "nft_config.h"
+#include <memory>
+
+class CreateTableOp final : public NlOperation {
+public:
+    explicit CreateTableOp(std::shared_ptr<const nft::NftConfig> config);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::shared_ptr<const nft::NftConfig> cfg_;
+};
+
+class DeleteTableOp final : public NlOperation {
+public:
+    explicit DeleteTableOp(std::shared_ptr<const nft::NftConfig> config);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::shared_ptr<const nft::NftConfig> cfg_;
+};