nftables-napi 0.0.2 → 0.1.0

package/README.md

@@ -1,6 +1,6 @@
 # nftables-napi
 
-Native Node.js binding for nftables via libnftnl + libmnl. Manages IPv4/IPv6 blacklist tables with timeout support through direct netlink communication — no shell commands, no `nft` CLI.
+Native Node.js binding for nftables via libnftnl + libmnl. Manages IPv4/IPv6 tables with dynamic sets and timeout support through direct netlink communication — no shell commands, no `nft` CLI.
 
 Requires Linux with `CAP_NET_ADMIN` or root.
 
@@ -35,8 +35,7 @@ const { NftManager } = require("nftables-napi");
 
 const nft = new NftManager({
   tableName: "tablename",
-  blacklistSetName: "blacklist",
-  droplistSetName: "droplist",
+  sets: ["blacklist", "droplist"],
 });
 
 await nft.createTable();
@@ -62,13 +61,10 @@ await nft.deleteTable();
 
 ### `new NftManager(options)`
 
-| Option             | Type     | Required | Description                                  |
-| ------------------ | -------- | -------- | -------------------------------------------- |
-| `tableName`        | `string` | Yes      | Base table name (IPv6 auto-appends `'6'`)    |
-| `blacklistSetName` | `string` | Yes      | Blacklist set name (IPv6 auto-appends `'6'`) |
-| `droplistSetName`  | `string` | Yes      | Droplist set name (IPv6 auto-appends `'6'`)  |
-
-Log prefixes are auto-generated: `'{setName}: '` for each set.
+| Option      | Type       | Required | Description                                                                                      |
+| ----------- | ---------- | -------- | ------------------------------------------------------------------------------------------------ |
+| `tableName` | `string`   | Yes      | Base table name (IPv6 table auto-appends `'6'`)                                                  |
+| `sets`      | `string[]` | Yes      | Set names (1+, unique, non-empty). IPv6 sets auto-append `'6'`. Log prefix: `'{name}: '` |
 
 ### Methods
 
@@ -76,8 +72,8 @@ All methods return `Promise<void>`.
 
 | Method                                 | Description                                                           |
 | -------------------------------------- | --------------------------------------------------------------------- |
-| `createTable()`                        | Create IPv4/IPv6 tables with blacklist and droplist sets. Idempotent. |
-| `deleteTable()`                        | Delete both tables. Idempotent.                                       |
+| `createTable()`                        | Create IPv4/IPv6 tables with all configured sets and filter chains. Idempotent. |
+| `deleteTable()`                        | Delete both tables. Idempotent.                                                 |
 | `addAddress({ ip, set, timeout? })`    | Add IP to set. `timeout` in seconds, omit for permanent.              |
 | `removeAddress({ ip, set })`           | Remove IP from set. Idempotent.                                       |
 | `addAddresses({ ips, set, timeout? })` | Bulk add to set. Chunked for efficient netlink communication.         |

package/lib/index.d.ts

@@ -1,28 +1,23 @@
 /**
  * Native nftables manager for Linux firewall.
- * Manages IPv4/IPv6 blacklist/droplist tables via libnftnl + libmnl (direct netlink, no nft CLI).
+ * Manages IPv4/IPv6 tables with dynamic sets via libnftnl + libmnl (direct netlink, no nft CLI).
  * Requires CAP_NET_ADMIN or root privileges.
  */
 
-/** Target set for address operations. */
-export type TargetSet = 'blacklist' | 'droplist';
-
 /** Constructor options. All fields are required — no defaults. */
 export interface NftManagerOptions {
     /** Base table name. IPv6 table auto-appends '6'. */
     tableName: string;
-    /** Blacklist set name. IPv6 set auto-appends '6'. */
-    blacklistSetName: string;
-    /** Droplist set name. IPv6 set auto-appends '6'. */
-    droplistSetName: string;
+    /** Set names. At least 1, no duplicates, non-empty strings. IPv6 sets auto-append '6'. */
+    sets: string[];
 }
 
 /** Options for adding a single address. */
 export interface AddAddressOptions {
     /** IPv4 or IPv6 address (e.g., "1.2.3.4" or "2001:db8::1"). */
     ip: string;
-    /** Target set: 'blacklist' or 'droplist'. */
-    set: TargetSet;
+    /** Target set name (must match one from constructor's sets array). */
+    set: string;
     /** Timeout in seconds. Omit for permanent ban. */
     timeout?: number;
 }
@@ -31,16 +26,16 @@ export interface AddAddressOptions {
 export interface RemoveAddressOptions {
     /** IPv4 or IPv6 address to remove. */
     ip: string;
-    /** Target set: 'blacklist' or 'droplist'. */
-    set: TargetSet;
+    /** Target set name (must match one from constructor's sets array). */
+    set: string;
 }
 
 /** Options for bulk adding addresses. */
 export interface AddAddressesOptions {
     /** Array of IPv4/IPv6 addresses. */
     ips: string[];
-    /** Target set: 'blacklist' or 'droplist'. */
-    set: TargetSet;
+    /** Target set name (must match one from constructor's sets array). */
+    set: string;
     /** Timeout in seconds. Omit for permanent ban. */
     timeout?: number;
 }
@@ -49,8 +44,8 @@ export interface AddAddressesOptions {
 export interface RemoveAddressesOptions {
     /** Array of IPv4/IPv6 addresses to remove. */
     ips: string[];
-    /** Target set: 'blacklist' or 'droplist'. */
-    set: TargetSet;
+    /** Target set name (must match one from constructor's sets array). */
+    set: string;
 }
 
 export class NftManager {
@@ -58,21 +53,25 @@ export class NftManager {
      * Creates a new NftManager instance.
      * Opens a netlink socket and validates configuration.
      *
-     * @param options - Required configuration with table and set names.
+     * @param options - Required configuration with table name and set names.
      * @throws {TypeError} if options are missing or have wrong types
      * @throws {Error} if netlink socket cannot be opened (missing CAP_NET_ADMIN)
      */
     constructor(options: NftManagerOptions);
 
     /**
-     * Creates IPv4 and IPv6 tables with blacklist/droplist sets and filter chains.
+     * Creates IPv4 and IPv6 tables with all configured sets and filter chains.
      * Idempotent — destroys existing tables first, then recreates.
+     *
+     * @throws {Error} if nftables operation fails
      */
     createTable(): Promise<void>;
 
     /**
      * Deletes both IPv4 and IPv6 tables.
      * Idempotent — no error if tables don't exist.
+     *
+     * @throws {Error} if nftables operation fails
      */
     deleteTable(): Promise<void>;
 
@@ -80,9 +79,9 @@ export class NftManager {
      * Adds an IP address to a set.
      * Auto-detects IPv4 vs IPv6 and routes to the correct table/set.
      *
-     * @param options - Address, target set, and optional timeout
-     * @throws {TypeError} if options are invalid
-     * @throws {Error} if IP is invalid or nftables operation fails
+     * @param options - Address, target set name, and optional timeout.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if IP is invalid, set name is unknown, or nftables operation fails
      */
     addAddress(options: AddAddressOptions): Promise<void>;
 
@@ -90,20 +89,19 @@ export class NftManager {
      * Removes an IP address from a set.
      * Idempotent — no error if IP is not in the set.
      *
-     * @param options - Address and target set
-     * @throws {TypeError} if options are invalid
-     * @throws {Error} if IP is invalid or nftables operation fails
+     * @param options - Address and target set name.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if IP is invalid, set name is unknown, or nftables operation fails
      */
     removeAddress(options: RemoveAddressOptions): Promise<void>;
 
     /**
      * Adds multiple IP addresses to a set in bulk.
-     * Addresses are chunked for efficient netlink communication.
      * Empty arrays are a no-op.
      *
-     * @param options - Addresses, target set, and optional timeout
-     * @throws {TypeError} if options are invalid
-     * @throws {Error} if any IP is invalid or nftables operation fails
+     * @param options - Array of addresses, target set name, and optional timeout.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if any IP is invalid, set name is unknown, or nftables operation fails
      */
     addAddresses(options: AddAddressesOptions): Promise<void>;
 
@@ -112,9 +110,9 @@ export class NftManager {
      * Idempotent — no error if IPs are not in the set.
      * Empty arrays are a no-op.
      *
-     * @param options - Addresses and target set
-     * @throws {TypeError} if options are invalid
-     * @throws {Error} if any IP is invalid or nftables operation fails
+     * @param options - Array of addresses and target set name.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if any IP is invalid, set name is unknown, or nftables operation fails
      */
     removeAddresses(options: RemoveAddressesOptions): Promise<void>;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nftables-napi",
-  "version": "0.0.2",
+  "version": "0.1.0",
   "description": "Native Node.js binding for nftables via libnftnl+libmnl — nftables firewall management",
   "author": {
     "name": "kastov",

package/src/netlink/nft_config.h

@@ -1,42 +1,31 @@
 #pragma once
 
 #include <string>
+#include <vector>
 
 namespace nft {
 
-enum class TargetSet {
-    Blacklist,
-    Droplist
+struct SetDef {
+    std::string name;        // user-facing key = nftables IPv4 set name
+    std::string name_v6;     // name + "6"
+    std::string log_prefix;  // name + ": "
 };
 
 struct NftConfig {
     std::string table_v4;
     std::string table_v6;
-    std::string set_v4;
-    std::string set_v6;
-    std::string drop_set_v4;
-    std::string drop_set_v6;
-    std::string blacklist_log_prefix;
-    std::string droplist_log_prefix;
+    std::vector<SetDef> sets;
 
     static NftConfig from_names(const std::string& table_name,
-                                const std::string& blacklist_set_name,
-                                const std::string& droplist_set_name) {
-        return {table_name, table_name + "6",
-                blacklist_set_name, blacklist_set_name + "6",
-                droplist_set_name, droplist_set_name + "6",
-                blacklist_set_name + ": ",
-                droplist_set_name + ": "};
-    }
-
-    const std::string& resolve_set_v4(TargetSet ts) const {
-        return (ts == TargetSet::Blacklist) ? set_v4 : drop_set_v4;
-    }
-    const std::string& resolve_set_v6(TargetSet ts) const {
-        return (ts == TargetSet::Blacklist) ? set_v6 : drop_set_v6;
-    }
-    const std::string& resolve_log_prefix(TargetSet ts) const {
-        return (ts == TargetSet::Blacklist) ? blacklist_log_prefix : droplist_log_prefix;
+                                const std::vector<std::string>& set_names) {
+        NftConfig cfg;
+        cfg.table_v4 = table_name;
+        cfg.table_v6 = table_name + "6";
+        cfg.sets.reserve(set_names.size());
+        for (const auto& n : set_names) {
+            cfg.sets.push_back({n, n + "6", n + ": "});
+        }
+        return cfg;
     }
 };
 

package/src/netlink/set_ops.cpp

@@ -13,8 +13,6 @@ extern "C" {
 
 #include <algorithm>
 
-using namespace nft;
-
 static_assert(nft::FAMILY_IPV4 == NFPROTO_IPV4, "nft::FAMILY_IPV4 must match NFPROTO_IPV4");
 static_assert(nft::FAMILY_IPV6 == NFPROTO_IPV6, "nft::FAMILY_IPV6 must match NFPROTO_IPV6");
 
@@ -25,10 +23,9 @@ static NlResult bulk_set_elem_op(
     NlSocket& sock,
     SetElemAction action,
     const nft::NftConfig& cfg,
-    nft::TargetSet target,
+    size_t set_idx,
     uint64_t timeout_ms = 0)
 {
-    // Partition by family
     std::vector<const ParsedAddr*> v4, v6;
     for (const auto& a : addrs) {
         if (a.family == NFPROTO_IPV4) v4.push_back(&a);
@@ -41,20 +38,20 @@ static NlResult bulk_set_elem_op(
         ? (NLM_F_CREATE | NLM_F_ACK) : NLM_F_ACK;
     const bool ignore_enoent = (action == SetElemAction::Del);
 
-    // Helper lambda to process one family
+    const auto& sd = cfg.sets[set_idx];
+
     auto process = [&](uint32_t family, const std::vector<const ParsedAddr*>& family_addrs) -> NlResult {
         if (family_addrs.empty()) return {true, ""};
 
         const char* table = (family == NFPROTO_IPV4)
             ? cfg.table_v4.c_str() : cfg.table_v6.c_str();
         const char* set_name = (family == NFPROTO_IPV4)
-            ? cfg.resolve_set_v4(target).c_str()
-            : cfg.resolve_set_v6(target).c_str();
-        uint32_t key_type = (family == NFPROTO_IPV4) ? DATATYPE_IPADDR : DATATYPE_IP6ADDR;
-        uint32_t key_len = (family == NFPROTO_IPV4) ? IPV4_ADDR_LEN : IPV6_ADDR_LEN;
+            ? sd.name.c_str() : sd.name_v6.c_str();
+        uint32_t key_type = (family == NFPROTO_IPV4) ? nft::DATATYPE_IPADDR : nft::DATATYPE_IP6ADDR;
+        uint32_t key_len = (family == NFPROTO_IPV4) ? nft::IPV4_ADDR_LEN : nft::IPV6_ADDR_LEN;
 
-        for (size_t offset = 0; offset < family_addrs.size(); offset += BULK_CHUNK_SIZE) {
-            size_t end = std::min(offset + static_cast<size_t>(BULK_CHUNK_SIZE), family_addrs.size());
+        for (size_t offset = 0; offset < family_addrs.size(); offset += nft::BULK_CHUNK_SIZE) {
+            size_t end = std::min(offset + static_cast<size_t>(nft::BULK_CHUNK_SIZE), family_addrs.size());
 
             auto s = nft::make_set();
             if (!s) return {false, "nftnl_set_alloc failed"};
@@ -72,7 +69,7 @@ static NlResult bulk_set_elem_op(
                 if (timeout_ms > 0) {
                     nftnl_set_elem_set_u64(e, NFTNL_SET_ELEM_TIMEOUT, timeout_ms);
                 }
-                nftnl_set_elem_add(s.get(), e); // set owns e now
+                nftnl_set_elem_add(s.get(), e);
             }
 
             NlBatch batch;
@@ -96,18 +93,18 @@ static NlResult bulk_set_elem_op(
 }
 
 BulkAddSetElemOp::BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
-                                   std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target)
+                                   std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
     : addrs_(std::move(addrs)), timeout_ms_(timeout_ms),
-      cfg_(std::move(config)), target_(target) {}
+      cfg_(std::move(config)), set_idx_(set_idx) {}
 
 NlResult BulkAddSetElemOp::execute(NlSocket& sock) {
-    return bulk_set_elem_op(addrs_, sock, SetElemAction::Add, *cfg_, target_, timeout_ms_);
+    return bulk_set_elem_op(addrs_, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
 }
 
 BulkDelSetElemOp::BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
-                                   std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target)
-    : addrs_(std::move(addrs)), cfg_(std::move(config)), target_(target) {}
+                                   std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
+    : addrs_(std::move(addrs)), cfg_(std::move(config)), set_idx_(set_idx) {}
 
 NlResult BulkDelSetElemOp::execute(NlSocket& sock) {
-    return bulk_set_elem_op(addrs_, sock, SetElemAction::Del, *cfg_, target_);
+    return bulk_set_elem_op(addrs_, sock, SetElemAction::Del, *cfg_, set_idx_);
 }

package/src/netlink/set_ops.h

@@ -9,24 +9,24 @@
 class BulkAddSetElemOp final : public NlOperation {
 public:
     BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
-                     std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target);
+                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
     NlResult execute(NlSocket& sock) override;
 
 private:
     std::vector<ParsedAddr> addrs_;
     uint64_t timeout_ms_;
     std::shared_ptr<const nft::NftConfig> cfg_;
-    nft::TargetSet target_;
+    size_t set_idx_;
 };
 
 class BulkDelSetElemOp final : public NlOperation {
 public:
     BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
-                     std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target);
+                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
     NlResult execute(NlSocket& sock) override;
 
 private:
     std::vector<ParsedAddr> addrs_;
     std::shared_ptr<const nft::NftConfig> cfg_;
-    nft::TargetSet target_;
+    size_t set_idx_;
 };

package/src/netlink/table_ops.cpp

@@ -158,19 +158,13 @@ NlResult CreateTableOp::execute(NlSocket& sock) {
         || !add_table(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), NFT_MSG_NEWTABLE, NLM_F_CREATE))
         return {false, "failed to build tables"};
 
-    // Blacklist sets
-    if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), cfg_->set_v4.c_str(),
-                 DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
-        || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), cfg_->set_v6.c_str(),
-                    DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
-        return {false, "failed to build blacklist sets"};
-
-    // Droplist sets
-    if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), cfg_->drop_set_v4.c_str(),
-                 DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
-        || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), cfg_->drop_set_v6.c_str(),
-                    DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
-        return {false, "failed to build droplist sets"};
+    for (const auto& sd : cfg_->sets) {
+        if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), sd.name.c_str(),
+                     DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
+            || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), sd.name_v6.c_str(),
+                        DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
+            return {false, "failed to build set '" + sd.name + "'"};
+    }
 
     if (!add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT, NF_INET_LOCAL_IN)
         || !add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD, NF_INET_FORWARD)
@@ -178,31 +172,18 @@ NlResult CreateTableOp::execute(NlSocket& sock) {
         || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD, NF_INET_FORWARD))
         return {false, "failed to build chains"};
 
-    const char* bl_lp = cfg_->blacklist_log_prefix.c_str();
-
-    // Blacklist rules
-    if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
-                  cfg_->set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, bl_lp)
-        || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
-                     cfg_->set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, bl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
-                     cfg_->set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, bl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
-                     cfg_->set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, bl_lp))
-        return {false, "failed to build blacklist rules"};
-
-    const char* dl_lp = cfg_->droplist_log_prefix.c_str();
-
-    // Droplist rules
-    if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
-                  cfg_->drop_set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, dl_lp)
-        || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
-                     cfg_->drop_set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, dl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
-                     cfg_->drop_set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, dl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
-                     cfg_->drop_set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, dl_lp))
-        return {false, "failed to build droplist rules"};
+    for (const auto& sd : cfg_->sets) {
+        const char* lp = sd.log_prefix.c_str();
+        if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
+                      sd.name.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, lp)
+            || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
+                         sd.name.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, lp)
+            || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
+                         sd.name_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, lp)
+            || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
+                         sd.name_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, lp))
+            return {false, "failed to build rules for set '" + sd.name + "'"};
+    }
 
     return batch.execute(sock);
 }

package/src/nft_manager.cpp

@@ -46,17 +46,26 @@ static std::vector<ParsedAddr> parse_ip_array(Napi::Env env, Napi::Array arr) {
     return addrs;
 }
 
-// Returns the parsed TargetSet or sets a JS exception and returns std::nullopt.
-static std::optional<nft::TargetSet> parse_target_set(Napi::Env env, Napi::Object opts, const char* method_name) {
+static std::optional<size_t> parse_set_name(Napi::Env env, Napi::Object opts,
+                                             const char* method_name,
+                                             const nft::NftConfig& cfg) {
     if (!opts.Has("set") || !opts.Get("set").IsString()) {
-        std::string msg = std::string(method_name) + ": 'set' is required and must be a string ('blacklist' or 'droplist')";
+        std::string msg = std::string(method_name) + ": 'set' is required and must be a string";
         Napi::TypeError::New(env, msg).ThrowAsJavaScriptException();
         return std::nullopt;
     }
     std::string set_str = opts.Get("set").As<Napi::String>().Utf8Value();
-    if (set_str == "blacklist") return nft::TargetSet::Blacklist;
-    if (set_str == "droplist") return nft::TargetSet::Droplist;
-    std::string msg = std::string(method_name) + ": 'set' must be 'blacklist' or 'droplist'";
+
+    for (size_t i = 0; i < cfg.sets.size(); ++i) {
+        if (cfg.sets[i].name == set_str) return i;
+    }
+
+    std::string valid;
+    for (size_t i = 0; i < cfg.sets.size(); ++i) {
+        if (i > 0) valid += ", ";
+        valid += "'" + cfg.sets[i].name + "'";
+    }
+    std::string msg = std::string(method_name) + ": 'set' must be one of: " + valid;
     Napi::Error::New(env, msg).ThrowAsJavaScriptException();
     return std::nullopt;
 }
@@ -102,45 +111,69 @@ NftManager::NftManager(const Napi::CallbackInfo& info)
     : Napi::ObjectWrap<NftManager>(info) {
     Napi::Env env = info.Env();
 
-    // 1. Validate options object exists
     if (info.Length() < 1 || !info[0].IsObject()) {
         Napi::TypeError::New(env,
-            "NftManager requires options object with tableName, blacklistSetName, droplistSetName")
+            "NftManager requires options object with tableName and sets")
             .ThrowAsJavaScriptException();
         return;
     }
 
     Napi::Object opts = info[0].As<Napi::Object>();
 
-    // 2. Extract and validate 3 required string fields
     if (!opts.Has("tableName") || !opts.Get("tableName").IsString()) {
         Napi::TypeError::New(env, "NftManager: 'tableName' is required and must be a string")
             .ThrowAsJavaScriptException();
         return;
     }
-    if (!opts.Has("blacklistSetName") || !opts.Get("blacklistSetName").IsString()) {
-        Napi::TypeError::New(env, "NftManager: 'blacklistSetName' is required and must be a string")
+
+    if (!opts.Has("sets") || !opts.Get("sets").IsArray()) {
+        Napi::TypeError::New(env, "NftManager: 'sets' is required and must be an array of strings")
             .ThrowAsJavaScriptException();
         return;
     }
-    if (!opts.Has("droplistSetName") || !opts.Get("droplistSetName").IsString()) {
-        Napi::TypeError::New(env, "NftManager: 'droplistSetName' is required and must be a string")
+
+    Napi::Array sets_arr = opts.Get("sets").As<Napi::Array>();
+    uint32_t len = sets_arr.Length();
+
+    if (len == 0) {
+        Napi::Error::New(env, "NftManager: 'sets' must contain at least one set name")
             .ThrowAsJavaScriptException();
         return;
     }
 
+    std::vector<std::string> set_names;
+    set_names.reserve(len);
+
+    for (uint32_t i = 0; i < len; ++i) {
+        Napi::Value val = sets_arr[i];
+        if (!val.IsString()) {
+            Napi::TypeError::New(env, "NftManager: 'sets[" + std::to_string(i) + "]' must be a string")
+                .ThrowAsJavaScriptException();
+            return;
+        }
+        std::string name = val.As<Napi::String>().Utf8Value();
+        if (name.empty()) {
+            Napi::Error::New(env, "NftManager: 'sets[" + std::to_string(i) + "]' must not be empty")
+                .ThrowAsJavaScriptException();
+            return;
+        }
+        for (size_t j = 0; j < set_names.size(); ++j) {
+            if (set_names[j] == name) {
+                Napi::Error::New(env, "NftManager: duplicate set name '" + name + "'")
+                    .ThrowAsJavaScriptException();
+                return;
+            }
+        }
+        set_names.push_back(std::move(name));
+    }
+
     std::string table_name = opts.Get("tableName").As<Napi::String>().Utf8Value();
-    std::string blacklist_set_name = opts.Get("blacklistSetName").As<Napi::String>().Utf8Value();
-    std::string droplist_set_name = opts.Get("droplistSetName").As<Napi::String>().Utf8Value();
 
-    // 3. Create NftConfig from names
     config_ = std::make_shared<const nft::NftConfig>(
-        nft::NftConfig::from_names(table_name, blacklist_set_name, droplist_set_name));
+        nft::NftConfig::from_names(table_name, set_names));
 
-    // 4. Open netlink socket
     sock_ = std::make_shared<NlSocket>();
 
-    // 5. Validate socket
     if (!sock_->is_valid()) {
         Napi::Error::New(env, "Failed to open netlink socket. Ensure CAP_NET_ADMIN or root.")
             .ThrowAsJavaScriptException();
@@ -176,9 +209,9 @@ Napi::Value NftManager::AddAddress(const Napi::CallbackInfo& info) {
     }
     std::string ip = opts.Get("ip").As<Napi::String>().Utf8Value();
 
-    // set — required string ('blacklist' or 'droplist')
-    auto target = parse_target_set(env, opts, "addAddress");
-    if (!target) return env.Undefined();
+    // set — required string
+    auto set_idx = parse_set_name(env, opts, "addAddress", *config_);
+    if (!set_idx) return env.Undefined();
 
     // timeout — optional number (seconds). If absent, 0 = permanent
     auto timeout_ms = parse_timeout(env, opts, "addAddress");
@@ -194,7 +227,7 @@ Napi::Value NftManager::AddAddress(const Napi::CallbackInfo& info) {
 
     std::vector<ParsedAddr> addrs;
     addrs.push_back(to_parsed_addr(addr));
-    auto op = std::make_unique<BulkAddSetElemOp>(std::move(addrs), *timeout_ms, config_, *target);
+    auto op = std::make_unique<BulkAddSetElemOp>(std::move(addrs), *timeout_ms, config_, *set_idx);
 
     auto deferred = Napi::Promise::Deferred::New(env);
     auto promise = deferred.Promise();
@@ -221,9 +254,9 @@ Napi::Value NftManager::RemoveAddress(const Napi::CallbackInfo& info) {
     }
     std::string ip = opts.Get("ip").As<Napi::String>().Utf8Value();
 
-    // set — required string ('blacklist' or 'droplist')
-    auto target = parse_target_set(env, opts, "removeAddress");
-    if (!target) return env.Undefined();
+    // set — required string
+    auto set_idx = parse_set_name(env, opts, "removeAddress", *config_);
+    if (!set_idx) return env.Undefined();
 
     // Validate IP
     IpAddr addr = parse_ip(ip);
@@ -235,7 +268,7 @@ Napi::Value NftManager::RemoveAddress(const Napi::CallbackInfo& info) {
 
     std::vector<ParsedAddr> addrs;
     addrs.push_back(to_parsed_addr(addr));
-    auto op = std::make_unique<BulkDelSetElemOp>(std::move(addrs), config_, *target);
+    auto op = std::make_unique<BulkDelSetElemOp>(std::move(addrs), config_, *set_idx);
 
     auto deferred = Napi::Promise::Deferred::New(env);
     auto promise = deferred.Promise();
@@ -262,9 +295,9 @@ Napi::Value NftManager::AddAddresses(const Napi::CallbackInfo& info) {
     }
     Napi::Array arr = opts.Get("ips").As<Napi::Array>();
 
-    // set — required string ('blacklist' or 'droplist')
-    auto target = parse_target_set(env, opts, "addAddresses");
-    if (!target) return env.Undefined();
+    // set — required string
+    auto set_idx = parse_set_name(env, opts, "addAddresses", *config_);
+    if (!set_idx) return env.Undefined();
 
     // timeout — optional number (seconds). If absent, 0 = permanent
     auto timeout_ms = parse_timeout(env, opts, "addAddresses");
@@ -281,7 +314,7 @@ Napi::Value NftManager::AddAddresses(const Napi::CallbackInfo& info) {
         return promise;
     }
 
-    auto op = std::make_unique<BulkAddSetElemOp>(std::move(addrs), *timeout_ms, config_, *target);
+    auto op = std::make_unique<BulkAddSetElemOp>(std::move(addrs), *timeout_ms, config_, *set_idx);
 
     auto deferred = Napi::Promise::Deferred::New(env);
     auto promise = deferred.Promise();
@@ -308,9 +341,9 @@ Napi::Value NftManager::RemoveAddresses(const Napi::CallbackInfo& info) {
     }
     Napi::Array arr = opts.Get("ips").As<Napi::Array>();
 
-    // set — required string ('blacklist' or 'droplist')
-    auto target = parse_target_set(env, opts, "removeAddresses");
-    if (!target) return env.Undefined();
+    // set — required string
+    auto set_idx = parse_set_name(env, opts, "removeAddresses", *config_);
+    if (!set_idx) return env.Undefined();
 
     std::vector<ParsedAddr> addrs = parse_ip_array(env, arr);
     if (env.IsExceptionPending()) return env.Undefined();
@@ -323,7 +356,7 @@ Napi::Value NftManager::RemoveAddresses(const Napi::CallbackInfo& info) {
         return promise;
     }
 
-    auto op = std::make_unique<BulkDelSetElemOp>(std::move(addrs), config_, *target);
+    auto op = std::make_unique<BulkDelSetElemOp>(std::move(addrs), config_, *set_idx);
 
     auto deferred = Napi::Promise::Deferred::New(env);
     auto promise = deferred.Promise();