nftables-napi 0.1.0 → 0.1.1

package/binding.gyp

@@ -28,7 +28,9 @@
         "-Wall",
         "-Wextra",
         "-Wpedantic",
-        "-Wno-unused-parameter"
+        "-Wno-unused-parameter",
+        "-D_FORTIFY_SOURCE=2",
+        "-fstack-protector-strong"
       ],
       "ldflags": [
         "-Wl,-z,relro",

package/lib/index.d.ts

@@ -4,21 +4,38 @@
  * Requires CAP_NET_ADMIN or root privileges.
  */
 
-/** Constructor options. All fields are required — no defaults. */
+/** Constructor options. */
 export interface NftManagerOptions {
     /** Base table name. IPv6 table auto-appends '6'. */
     tableName: string;
-    /** Set names. At least 1, no duplicates, non-empty strings. IPv6 sets auto-append '6'. */
+    /**
+     * Input/forward IP set names (≥1 required). Block by source address.
+     * Rules: log prefix "<setName>: " + named counter + drop on input and forward chains.
+     * IPv6 sets auto-append '6'.
+     */
     sets: string[];
+    /**
+     * Output IP set names (optional). Block by destination address.
+     * Rules: named counter + drop on output chain (no log).
+     * IPv6 sets auto-append '6'.
+     */
+    outSets?: string[];
+    /**
+     * Output port set names (optional). Block by tcp/udp destination port.
+     * Rules: single concatenated (proto . port) lookup + named counter + drop on output chain (no log).
+     * Port is added to BOTH IPv4 and IPv6 tables (ports are family-independent).
+     * IPv6 sets auto-append '6'.
+     */
+    outPortSets?: string[];
 }
 
 /** Options for adding a single address. */
 export interface AddAddressOptions {
     /** IPv4 or IPv6 address (e.g., "1.2.3.4" or "2001:db8::1"). */
     ip: string;
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
     set: string;
-    /** Timeout in seconds. Omit for permanent ban. */
+    /** Timeout in seconds. Omit for permanent. */
     timeout?: number;
 }
 
@@ -26,7 +43,7 @@ export interface AddAddressOptions {
 export interface RemoveAddressOptions {
     /** IPv4 or IPv6 address to remove. */
     ip: string;
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
     set: string;
 }
 
@@ -34,9 +51,9 @@ export interface RemoveAddressOptions {
 export interface AddAddressesOptions {
     /** Array of IPv4/IPv6 addresses. */
     ips: string[];
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
     set: string;
-    /** Timeout in seconds. Omit for permanent ban. */
+    /** Timeout in seconds. Omit for permanent. */
     timeout?: number;
 }
 
@@ -44,8 +61,52 @@ export interface AddAddressesOptions {
 export interface RemoveAddressesOptions {
     /** Array of IPv4/IPv6 addresses to remove. */
     ips: string[];
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
+    set: string;
+}
+
+/** Options for adding a single port. */
+export interface AddPortOptions {
+    /** Port number (0-65535). */
+    port: number;
+    /** Target port set name (must match one from constructor's outPortSets). */
+    set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
+    /** Timeout in seconds. Omit for permanent. */
+    timeout?: number;
+}
+
+/** Options for removing a single port. */
+export interface RemovePortOptions {
+    /** Port number (0-65535). */
+    port: number;
+    /** Target port set name (must match one from constructor's outPortSets). */
+    set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
+}
+
+/** Options for bulk adding ports. */
+export interface AddPortsOptions {
+    /** Array of port numbers (0-65535). */
+    ports: number[];
+    /** Target port set name (must match one from constructor's outPortSets). */
     set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
+    /** Timeout in seconds. Omit for permanent. */
+    timeout?: number;
+}
+
+/** Options for bulk removing ports. */
+export interface RemovePortsOptions {
+    /** Array of port numbers (0-65535). */
+    ports: number[];
+    /** Target port set name (must match one from constructor's outPortSets). */
+    set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
 }
 
 export class NftManager {
@@ -60,9 +121,17 @@ export class NftManager {
     constructor(options: NftManagerOptions);
 
     /**
-     * Creates IPv4 and IPv6 tables with all configured sets and filter chains.
+     * Creates IPv4 and IPv6 tables with all configured sets, chains, named counters, and filter rules.
      * Idempotent — destroys existing tables first, then recreates.
      *
+     * Creates:
+     * - Named counter "processed" (global traffic counter per chain)
+     * - Named counter per set (blocked traffic counter)
+     * - Input chain with log + counter + drop rules (for sets)
+     * - Forward chain with log + counter + drop rules (for sets)
+     * - Output chain with counter + drop rules (for outSets and outPortSets, no log)
+     * - Per-element counters on all sets
+     *
      * @throws {Error} if nftables operation fails
      */
     createTable(): Promise<void>;
@@ -78,6 +147,7 @@ export class NftManager {
     /**
      * Adds an IP address to a set.
      * Auto-detects IPv4 vs IPv6 and routes to the correct table/set.
+     * Works with both input sets (sets) and output sets (outSets).
      *
      * @param options - Address, target set name, and optional timeout.
      * @throws {TypeError} if options or fields have wrong types
@@ -88,6 +158,7 @@ export class NftManager {
     /**
      * Removes an IP address from a set.
      * Idempotent — no error if IP is not in the set.
+     * Works with both input sets (sets) and output sets (outSets).
      *
      * @param options - Address and target set name.
      * @throws {TypeError} if options or fields have wrong types
@@ -115,4 +186,50 @@ export class NftManager {
      * @throws {Error} if any IP is invalid, set name is unknown, or nftables operation fails
      */
     removeAddresses(options: RemoveAddressesOptions): Promise<void>;
+
+    /**
+     * Adds a port to an output port set.
+     * Port is added to BOTH IPv4 and IPv6 tables (ports are family-independent).
+     * When protocol is omitted, two elements are added: tcp + udp.
+     * When protocol is 'tcp' or 'udp', one element with that protocol is added.
+     *
+     * @param options - Port number, target set name, and optional timeout.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if port is invalid, set name is unknown, or nftables operation fails
+     */
+    addPort(options: AddPortOptions): Promise<void>;
+
+    /**
+     * Removes a port from an output port set.
+     * Idempotent — no error if port is not in the set.
+     * Port is removed from BOTH IPv4 and IPv6 tables.
+     *
+     * @param options - Port number and target set name.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if port is invalid, set name is unknown, or nftables operation fails
+     */
+    removePort(options: RemovePortOptions): Promise<void>;
+
+    /**
+     * Adds multiple ports to an output port set in bulk.
+     * Ports are added to BOTH IPv4 and IPv6 tables.
+     * Empty arrays are a no-op.
+     *
+     * @param options - Array of port numbers, target set name, and optional timeout.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if any port is invalid, set name is unknown, or nftables operation fails
+     */
+    addPorts(options: AddPortsOptions): Promise<void>;
+
+    /**
+     * Removes multiple ports from an output port set in bulk.
+     * Idempotent — no error if ports are not in the set.
+     * Ports are removed from BOTH IPv4 and IPv6 tables.
+     * Empty arrays are a no-op.
+     *
+     * @param options - Array of port numbers and target set name.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if any port is invalid, set name is unknown, or nftables operation fails
+     */
+    removePorts(options: RemovePortsOptions): Promise<void>;
 }

package/lib/index.js

@@ -6,7 +6,7 @@ let binding;
 try {
   binding = require('node-gyp-build')(path.join(__dirname, '..'));
 } catch (e) {
-  // On non-Linux platforms, the native addon may fail to load
+  if (process.platform === 'linux') throw e;
   binding = null;
 }
 
@@ -16,7 +16,7 @@ if (binding) {
   class NftManager {
     constructor() {
       throw new Error(
-        'remnawave-nft only works on Linux with CAP_NET_ADMIN. Native binding failed to load.'
+        'nftables-napi only works on Linux with CAP_NET_ADMIN. Native binding failed to load.'
       );
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nftables-napi",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Native Node.js binding for nftables via libnftnl+libmnl — nftables firewall management",
   "author": {
     "name": "kastov",
@@ -46,8 +46,7 @@
   ],
   "gypfile": true,
   "engines": {
-    "node": ">=24.0.0",
-    "os": "linux"
+    "node": ">=24.0.0"
   },
   "scripts": {
     "install": "node-gyp-build || true",
@@ -57,10 +56,10 @@
     "prebuild:all": "./prebuild-all.sh"
   },
   "dependencies": {
-    "node-gyp-build": "^4.8.4",
-    "node-addon-api": "^8.5.0"
+    "node-gyp-build": "^4.8.4"
   },
   "devDependencies": {
+    "node-addon-api": "^8.5.0",
     "node-gyp": "^12.2.0",
     "prebuildify": "^6.0.1",
     "@types/node": ">= 24 < 25"

package/src/netlink/constants.h

@@ -23,6 +23,10 @@ inline constexpr uint32_t IPV6_SRC_OFFSET = 8;
 inline constexpr uint32_t IPV4_ADDR_LEN = 4;
 inline constexpr uint32_t IPV6_ADDR_LEN = 16;
 
+// Destination address offsets
+inline constexpr uint32_t IPV4_DST_OFFSET = 16;
+inline constexpr uint32_t IPV6_DST_OFFSET = 24;
+
 // Chain priority
 inline constexpr int32_t CHAIN_PRIORITY = -10;
 
@@ -36,4 +40,25 @@ inline constexpr uint32_t SEQ_BLOCK_SIZE = 256;
 // Number of pages for default batch buffer (pagesize * 32 ≈ 128KB)
 inline constexpr uint32_t DEFAULT_BUF_PAGES = 32;
 
+// Output chain
+inline constexpr const char* CHAIN_OUTPUT = "output";
+
+// Transport header dport offset (bytes from transport header base)
+inline constexpr uint32_t TRANSPORT_DPORT_OFFSET = 2;
+inline constexpr uint32_t TRANSPORT_DPORT_LEN = 2;
+
+// Concatenated type: concat_subtype_add(inet_proto, inet_service)
+// nft CLI builds concat types with LAST subtype in low bits:
+// concat_subtype_add(type, subtype) = type << TYPE_BITS | subtype
+// For (inet_proto=12 . inet_service=13): 12 << 6 | 13 = 781
+inline constexpr uint32_t DATATYPE_PROTO_SERVICE = (12 << 6 | 13);
+inline constexpr uint32_t PROTO_SERVICE_KEY_LEN = 8;
+
+// L4 protocol numbers
+inline constexpr uint8_t PROTO_TCP = 6;
+inline constexpr uint8_t PROTO_UDP = 17;
+
+// Named counter
+inline constexpr const char* COUNTER_NAME = "processed";
+
 } // namespace nft

package/src/netlink/nft_config.h

@@ -5,25 +5,36 @@
 
 namespace nft {
 
+enum class SetKind { InIP, OutIP, OutPort };
+
 struct SetDef {
-    std::string name;        // user-facing key = nftables IPv4 set name
-    std::string name_v6;     // name + "6"
-    std::string log_prefix;  // name + ": "
+    std::string name;
+    std::string name_v6;
+    std::string log_prefix;  // non-empty for InIP only
+    SetKind kind;
 };
 
 struct NftConfig {
     std::string table_v4;
     std::string table_v6;
-    std::vector<SetDef> sets;
+    std::vector<SetDef> sets;  // all sets: InIP + OutIP + OutPort
 
     static NftConfig from_names(const std::string& table_name,
-                                const std::vector<std::string>& set_names) {
+                                const std::vector<std::string>& in_sets,
+                                const std::vector<std::string>& out_sets,
+                                const std::vector<std::string>& out_port_sets) {
         NftConfig cfg;
         cfg.table_v4 = table_name;
         cfg.table_v6 = table_name + "6";
-        cfg.sets.reserve(set_names.size());
-        for (const auto& n : set_names) {
-            cfg.sets.push_back({n, n + "6", n + ": "});
+        cfg.sets.reserve(in_sets.size() + out_sets.size() + out_port_sets.size());
+        for (const auto& n : in_sets) {
+            cfg.sets.push_back({n, n + "6", n + ": ", SetKind::InIP});
+        }
+        for (const auto& n : out_sets) {
+            cfg.sets.push_back({n, n + "6", "", SetKind::OutIP});
+        }
+        for (const auto& n : out_port_sets) {
+            cfg.sets.push_back({n, n + "6", "", SetKind::OutPort});
         }
         return cfg;
     }

package/src/netlink/nftnl_raii.h

@@ -24,6 +24,7 @@ extern "C" {
 #include <libnftnl/chain.h>
 #include <libnftnl/set.h>
 #include <libnftnl/rule.h>
+#include <libnftnl/object.h>
 }
 
 #include <memory>
@@ -37,7 +38,7 @@ struct NftnlTableDeleter {
 };
 using UniqueTable = std::unique_ptr<struct nftnl_table, NftnlTableDeleter>;
 
-inline UniqueTable make_table() { return UniqueTable(nftnl_table_alloc()); }
+[[nodiscard]] inline UniqueTable make_table() { return UniqueTable(nftnl_table_alloc()); }
 
 // --- Chain -------------------------------------------------------------------
 
@@ -46,7 +47,7 @@ struct NftnlChainDeleter {
 };
 using UniqueChain = std::unique_ptr<struct nftnl_chain, NftnlChainDeleter>;
 
-inline UniqueChain make_chain() { return UniqueChain(nftnl_chain_alloc()); }
+[[nodiscard]] inline UniqueChain make_chain() { return UniqueChain(nftnl_chain_alloc()); }
 
 // --- Set ---------------------------------------------------------------------
 
@@ -55,7 +56,7 @@ struct NftnlSetDeleter {
 };
 using UniqueSet = std::unique_ptr<struct nftnl_set, NftnlSetDeleter>;
 
-inline UniqueSet make_set() { return UniqueSet(nftnl_set_alloc()); }
+[[nodiscard]] inline UniqueSet make_set() { return UniqueSet(nftnl_set_alloc()); }
 
 // --- Rule --------------------------------------------------------------------
 
@@ -64,6 +65,15 @@ struct NftnlRuleDeleter {
 };
 using UniqueRule = std::unique_ptr<struct nftnl_rule, NftnlRuleDeleter>;
 
-inline UniqueRule make_rule() { return UniqueRule(nftnl_rule_alloc()); }
+[[nodiscard]] inline UniqueRule make_rule() { return UniqueRule(nftnl_rule_alloc()); }
+
+// --- Object (stateful counter/quota) ----------------------------------------
+
+struct NftnlObjDeleter {
+    void operator()(struct nftnl_obj* o) const noexcept { nftnl_obj_free(o); }
+};
+using UniqueObj = std::unique_ptr<struct nftnl_obj, NftnlObjDeleter>;
+
+[[nodiscard]] inline UniqueObj make_obj() { return UniqueObj(nftnl_obj_alloc()); }
 
 } // namespace nft

package/src/netlink/nl_batch.h

@@ -24,10 +24,10 @@ public:
     NlBatch(NlBatch&&) = delete;
     NlBatch& operator=(NlBatch&&) = delete;
 
-    bool is_valid() const;
-    struct nlmsghdr* add_msg(uint16_t type, uint16_t family, uint16_t flags);
-    bool advance();
-    NlResult execute(NlSocket& sock, bool ignore_enoent = false);
+    [[nodiscard]] bool is_valid() const;
+    [[nodiscard]] struct nlmsghdr* add_msg(uint16_t type, uint16_t family, uint16_t flags);
+    [[nodiscard]] bool advance();
+    [[nodiscard]] NlResult execute(NlSocket& sock, bool ignore_enoent = false);
 
 private:
     std::unique_ptr<char[]> buf_;

package/src/netlink/nl_result.h

@@ -2,7 +2,7 @@
 
 #include <string>
 
-struct NlResult {
+struct [[nodiscard]] NlResult {
     bool success;
     std::string error;
 };

package/src/netlink/nl_socket.cpp

@@ -6,6 +6,7 @@ extern "C" {
 
 #include <cerrno>
 #include <cstring>
+#include <sys/select.h>
 #include <sys/socket.h>
 
 static constexpr size_t RECV_BUF_SIZE = 16384;
@@ -84,31 +85,34 @@ NlResult NlSocket::send_batch(struct mnl_nlmsg_batch* batch, bool ignore_enoent)
 
     BatchRecvCtx ctx{ignore_enoent, false, 0};
 
-    // Custom control callback array: override only NLMSG_ERROR (index 2).
-    // Array size = NLMSG_ERROR + 1 = 3, so NLMSG_DONE (3) and others
-    // fall through to default mnl handling.
     mnl_cb_t cb_ctl[NLMSG_ERROR + 1] = {};
     cb_ctl[NLMSG_ERROR] = batch_error_cb;
 
     int fd = mnl_socket_get_fd(nl_);
     char recv_buf[RECV_BUF_SIZE];
 
-    // First read: blocking (kernel response should arrive promptly)
-    ssize_t ret = mnl_socket_recvfrom(nl_, recv_buf, sizeof(recv_buf));
-    if (ret < 0)
-        return {false, std::string("mnl_socket_recvfrom: ") + strerror(errno)};
-    while (ret > 0) {
-        int cb_ret = mnl_cb_run2(recv_buf, static_cast<size_t>(ret), 0, portid_,
-                                  nullptr, &ctx, cb_ctl, NLMSG_ERROR + 1);
-        if (cb_ret <= 0)
+    // Match nft CLI pattern: select() with zero timeout to check for data,
+    // then recv+process in a loop. Continue on errors to collect all ACKs.
+    fd_set readfds;
+    struct timeval tv;
+
+    for (;;) {
+        FD_ZERO(&readfds);
+        FD_SET(fd, &readfds);
+        tv = {0, 0};
+
+        int sel = select(fd + 1, &readfds, nullptr, nullptr, &tv);
+        if (sel <= 0)
             break;
 
-        // Non-blocking read for remaining kernel responses
-        ret = recv(fd, recv_buf, sizeof(recv_buf), MSG_DONTWAIT);
-    }
+        ssize_t ret = mnl_socket_recvfrom(nl_, recv_buf, sizeof(recv_buf));
+        if (ret < 0)
+            return {false, std::string("mnl_socket_recvfrom: ") + strerror(errno)};
 
-    // Drain any leftover messages to keep socket clean for next operation
-    while (recv(fd, recv_buf, sizeof(recv_buf), MSG_DONTWAIT) > 0) {}
+        mnl_cb_run2(recv_buf, static_cast<size_t>(ret), 0, portid_,
+                     nullptr, &ctx, cb_ctl, NLMSG_ERROR + 1);
+        // Continue on error — collect all acknowledgments
+    }
 
     if (ctx.has_error)
         return {false, std::string("batch error: ") + strerror(ctx.error_code)};

package/src/netlink/nl_socket.h

@@ -18,9 +18,9 @@ public:
     NlSocket(NlSocket&&) = delete;
     NlSocket& operator=(NlSocket&&) = delete;
 
-    bool is_valid() const;
+    [[nodiscard]] bool is_valid() const;
 
-    NlResult send_batch(struct mnl_nlmsg_batch* batch, bool ignore_enoent = false);
+    [[nodiscard]] NlResult send_batch(struct mnl_nlmsg_batch* batch, bool ignore_enoent = false);
 
 private:
     struct mnl_socket* nl_;

package/src/netlink/operation.h

@@ -7,5 +7,5 @@ class NlSocket;
 class NlOperation {
 public:
     virtual ~NlOperation() = default;
-    virtual NlResult execute(NlSocket& sock) = 0;
+    [[nodiscard]] virtual NlResult execute(NlSocket& sock) = 0;
 };

package/src/netlink/set_ops.cpp

@@ -15,6 +15,7 @@ extern "C" {
 
 static_assert(nft::FAMILY_IPV4 == NFPROTO_IPV4, "nft::FAMILY_IPV4 must match NFPROTO_IPV4");
 static_assert(nft::FAMILY_IPV6 == NFPROTO_IPV6, "nft::FAMILY_IPV6 must match NFPROTO_IPV6");
+static_assert(nft::PROTO_SERVICE_KEY_LEN == 8, "concatenated proto.service key must be 8 bytes");
 
 enum class SetElemAction { Add, Del };
 
@@ -108,3 +109,90 @@ BulkDelSetElemOp::BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
 NlResult BulkDelSetElemOp::execute(NlSocket& sock) {
     return bulk_set_elem_op(addrs_, sock, SetElemAction::Del, *cfg_, set_idx_);
 }
+
+static NlResult bulk_port_elem_op(
+    const std::vector<PortElem>& elems,
+    NlSocket& sock,
+    SetElemAction action,
+    const nft::NftConfig& cfg,
+    size_t set_idx,
+    uint64_t timeout_ms = 0)
+{
+    const uint16_t msg_type = (action == SetElemAction::Add)
+        ? NFT_MSG_NEWSETELEM : NFT_MSG_DELSETELEM;
+    const uint16_t flags = (action == SetElemAction::Add)
+        ? (NLM_F_CREATE | NLM_F_ACK) : NLM_F_ACK;
+    const bool ignore_enoent = (action == SetElemAction::Del);
+
+    const auto& sd = cfg.sets[set_idx];
+
+    struct FamilyInfo {
+        uint32_t family;
+        const char* table;
+        const char* set_name;
+    };
+    FamilyInfo families[] = {
+        {NFPROTO_IPV4, cfg.table_v4.c_str(), sd.name.c_str()},
+        {NFPROTO_IPV6, cfg.table_v6.c_str(), sd.name_v6.c_str()},
+    };
+
+    for (const auto& fi : families) {
+        for (size_t offset = 0; offset < elems.size(); offset += nft::BULK_CHUNK_SIZE) {
+            size_t end = std::min(offset + static_cast<size_t>(nft::BULK_CHUNK_SIZE), elems.size());
+
+            auto s = nft::make_set();
+            if (!s) return {false, "nftnl_set_alloc failed"};
+
+            nftnl_set_set_str(s.get(), NFTNL_SET_TABLE, fi.table);
+            nftnl_set_set_str(s.get(), NFTNL_SET_NAME, fi.set_name);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_FAMILY, fi.family);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_TYPE, nft::DATATYPE_PROTO_SERVICE);
+            nftnl_set_set_u32(s.get(), NFTNL_SET_KEY_LEN, nft::PROTO_SERVICE_KEY_LEN);
+
+            for (size_t i = offset; i < end; ++i) {
+                auto* e = nftnl_set_elem_alloc();
+                if (!e) return {false, "nftnl_set_elem_alloc failed"};
+                // 8-byte concatenated key: [proto][pad:3][port_hi][port_lo][pad:2]
+                uint8_t key[8] = {};
+                key[0] = elems[i].proto;
+                key[4] = static_cast<uint8_t>(elems[i].port >> 8);
+                key[5] = static_cast<uint8_t>(elems[i].port & 0xFF);
+                nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, key, sizeof(key));
+                if (timeout_ms > 0) {
+                    nftnl_set_elem_set_u64(e, NFTNL_SET_ELEM_TIMEOUT, timeout_ms);
+                }
+                nftnl_set_elem_add(s.get(), e);
+            }
+
+            NlBatch batch;
+            if (!batch.is_valid()) return {false, "failed to allocate batch"};
+
+            auto* nlh = batch.add_msg(msg_type, fi.family, flags);
+            if (!nlh) return {false, "failed to add message to batch"};
+            nftnl_set_elems_nlmsg_build_payload(nlh, s.get());
+
+            if (!batch.advance()) return {false, "batch buffer full"};
+
+            NlResult res = batch.execute(sock, ignore_enoent);
+            if (!res.success) return res;
+        }
+    }
+    return {true, ""};
+}
+
+BulkAddPortElemOp::BulkAddPortElemOp(std::vector<PortElem> elems, uint64_t timeout_ms,
+                                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
+    : elems_(std::move(elems)), timeout_ms_(timeout_ms),
+      cfg_(std::move(config)), set_idx_(set_idx) {}
+
+NlResult BulkAddPortElemOp::execute(NlSocket& sock) {
+    return bulk_port_elem_op(elems_, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
+}
+
+BulkDelPortElemOp::BulkDelPortElemOp(std::vector<PortElem> elems,
+                                     std::shared_ptr<const nft::NftConfig> config, size_t set_idx)
+    : elems_(std::move(elems)), cfg_(std::move(config)), set_idx_(set_idx) {}
+
+NlResult BulkDelPortElemOp::execute(NlSocket& sock) {
+    return bulk_port_elem_op(elems_, sock, SetElemAction::Del, *cfg_, set_idx_);
+}

package/src/netlink/set_ops.h

@@ -3,6 +3,7 @@
 #include "operation.h"
 #include "nft_config.h"
 #include "parsed_addr.h"
+#include <cstdint>
 #include <memory>
 #include <vector>
 
@@ -30,3 +31,33 @@ private:
     std::shared_ptr<const nft::NftConfig> cfg_;
     size_t set_idx_;
 };
+
+struct PortElem {
+    uint8_t proto;   // nft::PROTO_TCP or nft::PROTO_UDP
+    uint16_t port;
+};
+
+class BulkAddPortElemOp final : public NlOperation {
+public:
+    BulkAddPortElemOp(std::vector<PortElem> elems, uint64_t timeout_ms,
+                      std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::vector<PortElem> elems_;
+    uint64_t timeout_ms_;
+    std::shared_ptr<const nft::NftConfig> cfg_;
+    size_t set_idx_;
+};
+
+class BulkDelPortElemOp final : public NlOperation {
+public:
+    BulkDelPortElemOp(std::vector<PortElem> elems,
+                      std::shared_ptr<const nft::NftConfig> config, size_t set_idx);
+    NlResult execute(NlSocket& sock) override;
+
+private:
+    std::vector<PortElem> elems_;
+    std::shared_ptr<const nft::NftConfig> cfg_;
+    size_t set_idx_;
+};