nftables-napi 0.0.2 → 0.1.1

package/src/netlink/set_ops.cpp

@@ -13,10 +13,9 @@ extern "C" {
 
 #include <algorithm>
 
-using namespace nft;
-
 static_assert(nft::FAMILY_IPV4 == NFPROTO_IPV4, "nft::FAMILY_IPV4 must match NFPROTO_IPV4");
 static_assert(nft::FAMILY_IPV6 == NFPROTO_IPV6, "nft::FAMILY_IPV6 must match NFPROTO_IPV6");
+static_assert(nft::PROTO_SERVICE_KEY_LEN == 8, "concatenated proto.service key must be 8 bytes");
 
 enum class SetElemAction { Add, Del };
 
@@ -25,10 +24,9 @@ static NlResult bulk_set_elem_op(
     NlSocket& sock,
     SetElemAction action,
     const nft::NftConfig& cfg,
-    nft::TargetSet target,
+    size_t set_idx,
     uint64_t timeout_ms = 0)
 {
-    // Partition by family
     std::vector<const ParsedAddr*> v4, v6;
     for (const auto& a : addrs) {
         if (a.family == NFPROTO_IPV4) v4.push_back(&a);
@@ -41,20 +39,20 @@ static NlResult bulk_set_elem_op(
         ? (NLM_F_CREATE | NLM_F_ACK) : NLM_F_ACK;
     const bool ignore_enoent = (action == SetElemAction::Del);
 
-    // Helper lambda to process one family
+    const auto& sd = cfg.sets[set_idx];
+
     auto process = [&](uint32_t family, const std::vector<const ParsedAddr*>& family_addrs) -> NlResult {
         if (family_addrs.empty()) return {true, ""};
 
         const char* table = (family == NFPROTO_IPV4)
             ? cfg.table_v4.c_str() : cfg.table_v6.c_str();
         const char* set_name = (family == NFPROTO_IPV4)
-            ? cfg.resolve_set_v4(target).c_str()
-            : cfg.resolve_set_v6(target).c_str();
-        uint32_t key_type = (family == NFPROTO_IPV4) ? DATATYPE_IPADDR : DATATYPE_IP6ADDR;
-        uint32_t key_len = (family == NFPROTO_IPV4) ? IPV4_ADDR_LEN : IPV6_ADDR_LEN;
+            ? sd.name.c_str() : sd.name_v6.c_str();
+        uint32_t key_type = (family == NFPROTO_IPV4) ? nft::DATATYPE_IPADDR : nft::DATATYPE_IP6ADDR;
+        uint32_t key_len = (family == NFPROTO_IPV4) ? nft::IPV4_ADDR_LEN : nft::IPV6_ADDR_LEN;
 
-        for (size_t offset = 0; offset < family_addrs.size(); offset += BULK_CHUNK_SIZE) {
-            size_t end = std::min(offset + static_cast<size_t>(BULK_CHUNK_SIZE), family_addrs.size());
+        for (size_t offset = 0; offset < family_addrs.size(); offset += nft::BULK_CHUNK_SIZE) {
+            size_t end = std::min(offset + static_cast<size_t>(nft::BULK_CHUNK_SIZE), family_addrs.size());
 
             auto s = nft::make_set();
             if (!s) return {false, "nftnl_set_alloc failed"};
@@ -72,7 +70,7 @@ static NlResult bulk_set_elem_op(
                 if (timeout_ms > 0) {
                     nftnl_set_elem_set_u64(e, NFTNL_SET_ELEM_TIMEOUT, timeout_ms);
                 }
-                nftnl_set_elem_add(s.get(), e); // set owns e now
+                nftnl_set_elem_add(s.get(), e);
             }
 
             NlBatch batch;
@@ -96,18 +94,105 @@ static NlResult bulk_set_elem_op(
 }
 
 BulkAddSetElemOp::BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
-                                   std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target)
+                                   std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
     : addrs_(std::move(addrs)), timeout_ms_(timeout_ms),
-      cfg_(std::move(config)), target_(target) {}
+      cfg_(std::move(config)), set_idx_(set_idx) {}
 
 NlResult BulkAddSetElemOp::execute(NlSocket& sock) {
-    return bulk_set_elem_op(addrs_, sock, SetElemAction::Add, *cfg_, target_, timeout_ms_);
+    return bulk_set_elem_op(addrs_, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
 }
 
 BulkDelSetElemOp::BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
-                                   std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target)
-    : addrs_(std::move(addrs)), cfg_(std::move(config)), target_(target) {}
+                                   std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
+    : addrs_(std::move(addrs)), cfg_(std::move(config)), set_idx_(set_idx) {}
 
 NlResult BulkDelSetElemOp::execute(NlSocket& sock) {
-    return bulk_set_elem_op(addrs_, sock, SetElemAction::Del, *cfg_, target_);
+    return bulk_set_elem_op(addrs_, sock, SetElemAction::Del, *cfg_, set_idx_);
+}
+
+static NlResult bulk_port_elem_op(
+    const std::vector<PortElem>& elems,
+    NlSocket& sock,
+    SetElemAction action,
+    const nft::NftConfig& cfg,
+    size_t set_idx,
+    uint64_t timeout_ms = 0)
+{
+    const uint16_t msg_type = (action == SetElemAction::Add)
+        ? NFT_MSG_NEWSETELEM : NFT_MSG_DELSETELEM;
+    const uint16_t flags = (action == SetElemAction::Add)
+        ? (NLM_F_CREATE | NLM_F_ACK) : NLM_F_ACK;
+    const bool ignore_enoent = (action == SetElemAction::Del);
+
+    const auto& sd = cfg.sets[set_idx];
+
+    struct FamilyInfo {
+        uint32_t family;
+        const char* table;
+        const char* set_name;
+    };
+    FamilyInfo families[] = {
+        {NFPROTO_IPV4, cfg.table_v4.c_str(), sd.name.c_str()},
+        {NFPROTO_IPV6, cfg.table_v6.c_str(), sd.name_v6.c_str()},
+    };
+
+    for (const auto& fi : families) {
+        for (size_t offset = 0; offset < elems.size(); offset += nft::BULK_CHUNK_SIZE) {
+            size_t end = std::min(offset + static_cast<size_t>(nft::BULK_CHUNK_SIZE), elems.size());
+
+            auto s = nft::make_set();
+            if (!s) return {false, "nftnl_set_alloc failed"};
+
+            nftnl_set_set_str(s.get(), NFTNL_SET_TABLE, fi.table);
+            nftnl_set_set_str(s.get(), NFTNL_SET_NAME, fi.set_name);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_FAMILY, fi.family);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_TYPE, nft::DATATYPE_PROTO_SERVICE);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_LEN, nft::PROTO_SERVICE_KEY_LEN);
+
+            for (size_t i = offset; i < end; ++i) {
+                auto* e = nftnl_set_elem_alloc();
+                if (!e) return {false, "nftnl_set_elem_alloc failed"};
+                // 8-byte concatenated key: [proto][pad:3][port_hi][port_lo][pad:2]
+                uint8_t key[8] = {};
+                key[0] = elems[i].proto;
+                key[4] = static_cast<uint8_t>(elems[i].port >> 8);
+                key[5] = static_cast<uint8_t>(elems[i].port & 0xFF);
+                nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, key, sizeof(key));
+                if (timeout_ms > 0) {
+                    nftnl_set_elem_set_u64(e, NFTNL_SET_ELEM_TIMEOUT, timeout_ms);
+                }
+                nftnl_set_elem_add(s.get(), e);
+            }
+
+            NlBatch batch;
+            if (!batch.is_valid()) return {false, "failed to allocate batch"};
+
+            auto* nlh = batch.add_msg(msg_type, fi.family, flags);
+            if (!nlh) return {false, "failed to add message to batch"};
+            nftnl_set_elems_nlmsg_build_payload(nlh, s.get());
+
+            if (!batch.advance()) return {false, "batch buffer full"};
+
+            NlResult res = batch.execute(sock, ignore_enoent);
+            if (!res.success) return res;
+        }
+    }
+    return {true, ""};
+}
+
+BulkAddPortElemOp::BulkAddPortElemOp(std::vector<PortElem> elems, uint64_t timeout_ms,
+                                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
+    : elems_(std::move(elems)), timeout_ms_(timeout_ms),
+      cfg_(std::move(config)), set_idx_(set_idx) {}
+
+NlResult BulkAddPortElemOp::execute(NlSocket& sock) {
+    return bulk_port_elem_op(elems_, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
+}
+
+BulkDelPortElemOp::BulkDelPortElemOp(std::vector<PortElem> elems,
+                                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
+    : elems_(std::move(elems)), cfg_(std::move(config)), set_idx_(set_idx) {}
+
+NlResult BulkDelPortElemOp::execute(NlSocket& sock) {
+    return bulk_port_elem_op(elems_, sock, SetElemAction::Del, *cfg_, set_idx_);
 }

package/src/netlink/set_ops.h

@@ -3,30 +3,61 @@
 #include "operation.h"
 #include "nft_config.h"
 #include "parsed_addr.h"
+#include <cstdint>
 #include <memory>
 #include <vector>
 
 class BulkAddSetElemOp final : public NlOperation {
 public:
     BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
-                     std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target);
+                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
     NlResult execute(NlSocket& sock) override;
 
 private:
     std::vector<ParsedAddr> addrs_;
     uint64_t timeout_ms_;
     std::shared_ptr<const nft::NftConfig> cfg_;
-    nft::TargetSet target_;
+    size_t set_idx_;
 };
 
 class BulkDelSetElemOp final : public NlOperation {
 public:
     BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
-                     std::shared_ptr<const nft::NftConfig> config, nft::TargetSet target);
+                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
     NlResult execute(NlSocket& sock) override;
 
 private:
     std::vector<ParsedAddr> addrs_;
     std::shared_ptr<const nft::NftConfig> cfg_;
-    nft::TargetSet target_;
+    size_t set_idx_;
+};
+
+struct PortElem {
+    uint8_t proto;   // nft::PROTO_TCP or nft::PROTO_UDP
+    uint16_t port;
+};
+
+class BulkAddPortElemOp final : public NlOperation {
+public:
+    BulkAddPortElemOp(std::vector<PortElem> elems, uint64_t timeout_ms,
+                      std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::vector<PortElem> elems_;
+    uint64_t timeout_ms_;
+    std::shared_ptr<const nft::NftConfig> cfg_;
+    size_t set_idx_;
+};
+
+class BulkDelPortElemOp final : public NlOperation {
+public:
+    BulkDelPortElemOp(std::vector<PortElem> elems,
+                      std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::vector<PortElem> elems_;
+    std::shared_ptr<const nft::NftConfig> cfg_;
+    size_t set_idx_;
 };

package/src/netlink/table_ops.cpp

@@ -11,12 +11,15 @@ extern "C" {
 #include <libnftnl/set.h>
 #include <libnftnl/rule.h>
 #include <libnftnl/expr.h>
+#include <libnftnl/object.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 }
 
 using namespace nft;
 
+// ── Table helpers ────────────────────────────────────────────────────────────
+
 static bool add_table(NlBatch& batch, uint32_t family, const char* name,
                       uint16_t msg_type, uint16_t extra_flags) {
     auto t = nft::make_table();
@@ -29,6 +32,8 @@ static bool add_table(NlBatch& batch, uint32_t family, const char* name,
     return batch.advance();
 }
 
+// ── Chain helpers ────────────────────────────────────────────────────────────
+
 static bool add_chain(NlBatch& batch, uint32_t family, const char* table,
                       const char* name, uint32_t hooknum) {
     auto c = nft::make_chain();
@@ -45,9 +50,28 @@ static bool add_chain(NlBatch& batch, uint32_t family, const char* table,
     return batch.advance();
 }
 
+// ── Named counter (stateful object) ─────────────────────────────────────────
+
+static bool add_counter_obj(NlBatch& batch, uint32_t family, const char* table,
+                            const char* name) {
+    auto o = nft::make_obj();
+    if (!o) return false;
+    nftnl_obj_set_str(o.get(), NFTNL_OBJ_TABLE, table);
+    nftnl_obj_set_str(o.get(), NFTNL_OBJ_NAME, name);
+    nftnl_obj_set_u32(o.get(), NFTNL_OBJ_TYPE, NFT_OBJECT_COUNTER);
+    struct nlmsghdr* nlh = batch.add_msg(NFT_MSG_NEWOBJ, family, NLM_F_CREATE | NLM_F_ACK);
+    if (!nlh) return false;
+    nftnl_obj_nlmsg_build_payload(nlh, o.get());
+    return batch.advance();
+}
+
+// ── Set helpers ─────────────────────────────────────────────────────────────
+
 static bool add_set(NlBatch& batch, uint32_t family, const char* table,
                     const char* name, uint32_t key_type, uint32_t key_len,
-                    uint32_t set_id) {
+                    uint32_t set_id,
+                    const uint8_t* concat_field_lens = nullptr,
+                    size_t concat_field_count = 0) {
     auto s = nft::make_set();
     if (!s) return false;
     nftnl_set_set_str(s.get(), NFTNL_SET_TABLE, table);
@@ -55,14 +79,31 @@ static bool add_set(NlBatch& batch, uint32_t family, const char* table,
     nftnl_set_set_u32(s.get(), NFTNL_SET_FAMILY, family);
     nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_TYPE, key_type);
     nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_LEN, key_len);
-    nftnl_set_set_u32(s.get(), NFTNL_SET_FLAGS, NFT_SET_TIMEOUT);
+
+    uint32_t set_flags = NFT_SET_TIMEOUT | NFT_SET_EXPR;
+    if (concat_field_lens && concat_field_count > 0)
+        set_flags |= NFT_SET_CONCAT;
+    nftnl_set_set_u32(s.get(), NFTNL_SET_FLAGS, set_flags);
     nftnl_set_set_u32(s.get(), NFTNL_SET_ID, set_id);
+
+    if (concat_field_lens && concat_field_count > 0) {
+        nftnl_set_set_data(s.get(), NFTNL_SET_DESC_CONCAT,
+                           concat_field_lens, concat_field_count);
+    }
+
+    // Per-element counter expression
+    struct nftnl_expr* counter = nftnl_expr_alloc("counter");
+    if (!counter) return false;
+    nftnl_set_add_expr(s.get(), counter);  // ownership transferred
+
     struct nlmsghdr* nlh = batch.add_msg(NFT_MSG_NEWSET, family, NLM_F_CREATE | NLM_F_ACK);
     if (!nlh) return false;
     nftnl_set_nlmsg_build_payload(nlh, s.get());
     return batch.advance();
 }
 
+// ── Expression helpers ──────────────────────────────────────────────────────
+
 static bool add_expr_payload(struct nftnl_rule* r, uint32_t base, uint32_t dreg,
                              uint32_t offset, uint32_t len) {
     struct nftnl_expr* e = nftnl_expr_alloc("payload");
@@ -92,6 +133,15 @@ static bool add_expr_log(struct nftnl_rule* r, const char* prefix) {
     return true;
 }
 
+static bool add_expr_counter_ref(struct nftnl_rule* r, const char* counter_name) {
+    struct nftnl_expr* e = nftnl_expr_alloc("objref");
+    if (!e) return false;
+    nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, NFT_OBJECT_COUNTER);
+    nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, counter_name);
+    nftnl_rule_add_expr(r, e);
+    return true;
+}
+
 static bool add_expr_drop(struct nftnl_rule* r) {
     struct nftnl_expr* e = nftnl_expr_alloc("immediate");
     if (!e) return false;
@@ -101,8 +151,8 @@ static bool add_expr_drop(struct nftnl_rule* r) {
     return true;
 }
 
-// Helper: creates a rule with table/chain/family metadata, calls build_exprs
-// to populate expressions, then adds to batch. Returns false on any failure.
+// ── Rule builder ────────────────────────────────────────────────────────────
+
 template<typename F>
 static bool add_rule_with(NlBatch& batch, uint32_t family, const char* table,
                           const char* chain, F build_exprs) {
@@ -121,22 +171,77 @@ static bool add_rule_with(NlBatch& batch, uint32_t family, const char* table,
     return batch.advance();
 }
 
-static bool add_rule(NlBatch& batch, uint32_t family, const char* table,
-                     const char* chain, const char* set_name,
-                     uint32_t payload_offset, uint32_t addr_len,
-                     const char* log_prefix) {
+// Rule: counter name "processed" (standalone rule in chain)
+static bool add_rule_counter_ref(NlBatch& batch, uint32_t family, const char* table,
+                                 const char* chain) {
+    return add_rule_with(batch, family, table, chain, [](nftnl_rule* r) {
+        return add_expr_counter_ref(r, COUNTER_NAME);
+    });
+}
+
+// InIP rule: payload(saddr) + lookup(set) + log(prefix) + counter_ref(set_name) + drop
+static bool add_rule_in_ip(NlBatch& batch, uint32_t family, const char* table,
+                           const char* chain, const char* set_name,
+                           uint32_t payload_offset, uint32_t addr_len,
+                           const char* log_prefix, const char* counter_name) {
     return add_rule_with(batch, family, table, chain, [&](nftnl_rule* r) {
         return add_expr_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1, payload_offset, addr_len)
             && add_expr_lookup(r, set_name, NFT_REG_1)
             && add_expr_log(r, log_prefix)
+            && add_expr_counter_ref(r, counter_name)
             && add_expr_drop(r);
     });
 }
 
+// OutIP rule: payload(daddr) + lookup(set) + counter_ref(set_name) + drop (NO log)
+static bool add_rule_out_ip(NlBatch& batch, uint32_t family, const char* table,
+                            const char* chain, const char* set_name,
+                            uint32_t payload_offset, uint32_t addr_len,
+                            const char* counter_name) {
+    return add_rule_with(batch, family, table, chain, [&](nftnl_rule* r) {
+        return add_expr_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1, payload_offset, addr_len)
+            && add_expr_lookup(r, set_name, NFT_REG_1)
+            && add_expr_counter_ref(r, counter_name)
+            && add_expr_drop(r);
+    });
+}
+
+// OutPort rule: meta(l4proto) → REG32_00, payload(transport dport) → REG32_01,
+//               lookup(concat set, REG32_00) + counter_ref + drop
+static bool add_rule_out_port_concat(NlBatch& batch, uint32_t family, const char* table,
+                                     const char* chain, const char* set_name,
+                                     const char* counter_name) {
+    return add_rule_with(batch, family, table, chain, [&](nftnl_rule* r) {
+        // meta l4proto → NFT_REG32_00
+        struct nftnl_expr* meta = nftnl_expr_alloc("meta");
+        if (!meta) return false;
+        nftnl_expr_set_u32(meta, NFTNL_EXPR_META_KEY, NFT_META_L4PROTO);
+        nftnl_expr_set_u32(meta, NFTNL_EXPR_META_DREG, NFT_REG32_00);
+        nftnl_rule_add_expr(r, meta);
+
+        // payload transport dport → NFT_REG32_01
+        struct nftnl_expr* pay = nftnl_expr_alloc("payload");
+        if (!pay) return false;
+        nftnl_expr_set_u32(pay, NFTNL_EXPR_PAYLOAD_BASE, NFT_PAYLOAD_TRANSPORT_HEADER);
+        nftnl_expr_set_u32(pay, NFTNL_EXPR_PAYLOAD_DREG, NFT_REG32_01);
+        nftnl_expr_set_u32(pay, NFTNL_EXPR_PAYLOAD_OFFSET, TRANSPORT_DPORT_OFFSET);
+        nftnl_expr_set_u32(pay, NFTNL_EXPR_PAYLOAD_LEN, TRANSPORT_DPORT_LEN);
+        nftnl_rule_add_expr(r, pay);
+
+        // lookup in concatenated set starting from REG32_00
+        return add_expr_lookup(r, set_name, NFT_REG32_00)
+            && add_expr_counter_ref(r, counter_name)
+            && add_expr_drop(r);
+    });
+}
+
+// ── CreateTableOp ───────────────────────────────────────────────────────────
+
 CreateTableOp::CreateTableOp(std::shared_ptr<const nft::NftConfig> config)
     : cfg_(std::move(config)) {}
 
 NlResult CreateTableOp::execute(NlSocket& sock) {
+    // Phase 1: Delete existing tables (idempotent)
     {
         NlBatch batch;
         if (!batch.is_valid())
@@ -148,65 +253,117 @@ NlResult CreateTableOp::execute(NlSocket& sock) {
         if (!res.success) return res;
     }
 
+    // Phase 2: Create everything
     NlBatch batch;
     if (!batch.is_valid())
         return {false, "failed to allocate batch"};
 
     uint32_t sid = 0;
 
+    // Tables
     if (!add_table(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), NFT_MSG_NEWTABLE, NLM_F_CREATE)
         || !add_table(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), NFT_MSG_NEWTABLE, NLM_F_CREATE))
         return {false, "failed to build tables"};
 
-    // Blacklist sets
-    if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), cfg_->set_v4.c_str(),
-                 DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
-        || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), cfg_->set_v6.c_str(),
-                    DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
-        return {false, "failed to build blacklist sets"};
+    // Named counter: "processed" (global traffic counter)
+    if (!add_counter_obj(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), COUNTER_NAME)
+        || !add_counter_obj(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), COUNTER_NAME))
+        return {false, "failed to build 'processed' counter"};
+
+    // Named counters: per-set
+    for (const auto& sd : cfg_->sets) {
+        if (!add_counter_obj(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), sd.name.c_str())
+            || !add_counter_obj(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), sd.name_v6.c_str()))
+            return {false, "failed to build counter for set '" + sd.name + "'"};
+    }
+
+    // Sets
+    for (const auto& sd : cfg_->sets) {
+        uint32_t key_type_v4, key_type_v6, key_len_v4, key_len_v6;
+        const uint8_t* concat_fields = nullptr;
+        size_t concat_count = 0;
+        static constexpr uint8_t proto_port_fields[2] = {1, 2};
 
-    // Droplist sets
-    if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), cfg_->drop_set_v4.c_str(),
-                 DATATYPE_IPADDR, IPV4_ADDR_LEN, sid++)
-        || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), cfg_->drop_set_v6.c_str(),
-                    DATATYPE_IP6ADDR, IPV6_ADDR_LEN, sid++))
-        return {false, "failed to build droplist sets"};
+        if (sd.kind == SetKind::OutPort) {
+            key_type_v4 = DATATYPE_PROTO_SERVICE;
+            key_type_v6 = DATATYPE_PROTO_SERVICE;
+            key_len_v4 = PROTO_SERVICE_KEY_LEN;
+            key_len_v6 = PROTO_SERVICE_KEY_LEN;
+            concat_fields = proto_port_fields;
+            concat_count = sizeof(proto_port_fields);
+        } else {
+            key_type_v4 = DATATYPE_IPADDR;
+            key_type_v6 = DATATYPE_IP6ADDR;
+            key_len_v4 = IPV4_ADDR_LEN;
+            key_len_v6 = IPV6_ADDR_LEN;
+        }
+        if (!add_set(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), sd.name.c_str(),
+                     key_type_v4, key_len_v4, sid++, concat_fields, concat_count)
+            || !add_set(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), sd.name_v6.c_str(),
+                        key_type_v6, key_len_v6, sid++, concat_fields, concat_count))
+            return {false, "failed to build set '" + sd.name + "'"};
+    }
 
+    // Chains: input + forward + output
     if (!add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT, NF_INET_LOCAL_IN)
         || !add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD, NF_INET_FORWARD)
+        || !add_chain(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_OUTPUT, NF_INET_LOCAL_OUT)
         || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT, NF_INET_LOCAL_IN)
-        || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD, NF_INET_FORWARD))
+        || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD, NF_INET_FORWARD)
+        || !add_chain(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_OUTPUT, NF_INET_LOCAL_OUT))
         return {false, "failed to build chains"};
 
-    const char* bl_lp = cfg_->blacklist_log_prefix.c_str();
-
-    // Blacklist rules
-    if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
-                  cfg_->set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, bl_lp)
-        || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
-                     cfg_->set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, bl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
-                     cfg_->set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, bl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
-                     cfg_->set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, bl_lp))
-        return {false, "failed to build blacklist rules"};
-
-    const char* dl_lp = cfg_->droplist_log_prefix.c_str();
-
-    // Droplist rules
-    if (!add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
-                  cfg_->drop_set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, dl_lp)
-        || !add_rule(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
-                     cfg_->drop_set_v4.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, dl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
-                     cfg_->drop_set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, dl_lp)
-        || !add_rule(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
-                     cfg_->drop_set_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, dl_lp))
-        return {false, "failed to build droplist rules"};
+    // Rules: "counter name processed" on input + forward chains
+    if (!add_rule_counter_ref(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT)
+        || !add_rule_counter_ref(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD)
+        || !add_rule_counter_ref(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT)
+        || !add_rule_counter_ref(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD))
+        return {false, "failed to build 'processed' counter rules"};
+
+    // Rules per set
+    for (const auto& sd : cfg_->sets) {
+        const char* lp = sd.log_prefix.c_str();
+        switch (sd.kind) {
+        case SetKind::InIP:
+            // input + forward: saddr + log + counter_ref + drop
+            if (!add_rule_in_ip(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_INPUT,
+                                sd.name.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, lp, sd.name.c_str())
+                || !add_rule_in_ip(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_FORWARD,
+                                   sd.name.c_str(), IPV4_SRC_OFFSET, IPV4_ADDR_LEN, lp, sd.name.c_str())
+                || !add_rule_in_ip(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_INPUT,
+                                   sd.name_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, lp, sd.name_v6.c_str())
+                || !add_rule_in_ip(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_FORWARD,
+                                   sd.name_v6.c_str(), IPV6_SRC_OFFSET, IPV6_ADDR_LEN, lp, sd.name_v6.c_str()))
+                return {false, "failed to build rules for set '" + sd.name + "'"};
+            break;
+
+        case SetKind::OutIP:
+            // output: daddr + counter_ref + drop (NO log)
+            if (!add_rule_out_ip(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_OUTPUT,
+                                 sd.name.c_str(), IPV4_DST_OFFSET, IPV4_ADDR_LEN,
+                                 sd.name.c_str())
+                || !add_rule_out_ip(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_OUTPUT,
+                                    sd.name_v6.c_str(), IPV6_DST_OFFSET, IPV6_ADDR_LEN,
+                                    sd.name_v6.c_str()))
+                return {false, "failed to build output rules for set '" + sd.name + "'"};
+            break;
+
+        case SetKind::OutPort:
+            // output: single concatenated (proto . port) lookup + counter_ref + drop
+            if (!add_rule_out_port_concat(batch, NFPROTO_IPV4, cfg_->table_v4.c_str(), CHAIN_OUTPUT,
+                                          sd.name.c_str(), sd.name.c_str())
+                || !add_rule_out_port_concat(batch, NFPROTO_IPV6, cfg_->table_v6.c_str(), CHAIN_OUTPUT,
+                                             sd.name_v6.c_str(), sd.name_v6.c_str()))
+                return {false, "failed to build port rules for set '" + sd.name + "'"};
+            break;
+        }
+    }
 
     return batch.execute(sock);
 }
 
+// ── DeleteTableOp ───────────────────────────────────────────────────────────
+
 DeleteTableOp::DeleteTableOp(std::shared_ptr<const nft::NftConfig> config)
     : cfg_(std::move(config)) {}