nftables-napi 0.1.0 → 0.2.0

package/README.md

@@ -1,8 +1,8 @@
 # nftables-napi
 
-Native Node.js binding for nftables via libnftnl + libmnl. Manages IPv4/IPv6 tables with dynamic sets and timeout support through direct netlink communication — no shell commands, no `nft` CLI.
+Native Node.js binding for nftables via libnftnl + libmnl. Manages IPv4/IPv6 firewall tables with dynamic IP sets, port blocking, named counters, and timeout support through direct netlink communication — no shell commands, no `nft` CLI.
 
-Requires Linux with `CAP_NET_ADMIN` or root.
+Requires Linux kernel ≥ 5.7 with `CAP_NET_ADMIN` or root.
 
 ## Install
 
@@ -34,26 +34,44 @@ RUN apt-get update && apt-get install -y libnftnl13 libmnl0 && rm -rf /var/lib/a
 const { NftManager } = require("nftables-napi");
 
 const nft = new NftManager({
-  tableName: "tablename",
-  sets: ["blacklist", "droplist"],
+  tableName: "myfw",
+  sets: ["blacklist"],
+  outSets: ["blocklist"],
+  outPortSets: ["blocked_ports"],
 });
 
 await nft.createTable();
 
-// Add with timeout (seconds)
+// ── IP blocking (input/forward) ──
+
 await nft.addAddress({ ip: "1.2.3.4", set: "blacklist", timeout: 1800 });
 await nft.addAddress({ ip: "2001:db8::1", set: "blacklist", timeout: 3600 });
-
-// Add permanent (no timeout)
-await nft.addAddress({ ip: "5.6.7.8", set: "droplist" });
-
-// Bulk add
 await nft.addAddresses({ ips: ["10.0.0.1", "10.0.0.2"], set: "blacklist", timeout: 7200 });
 
-// Remove
 await nft.removeAddress({ ip: "1.2.3.4", set: "blacklist" });
 await nft.removeAddresses({ ips: ["10.0.0.1", "10.0.0.2"], set: "blacklist" });
 
+// ── IP blocking (output) ──
+
+await nft.addAddress({ ip: "93.184.216.34", set: "blocklist" });
+await nft.removeAddress({ ip: "93.184.216.34", set: "blocklist" });
+
+// ── Port blocking (output, tcp/udp) ──
+
+// Block port 80 for both TCP and UDP
+await nft.addPort({ port: 80, set: "blocked_ports", timeout: 3600 });
+
+// Block port 443 for TCP only
+await nft.addPort({ port: 443, set: "blocked_ports", protocol: "tcp" });
+
+// Bulk port operations
+await nft.addPorts({ ports: [8080, 8443], set: "blocked_ports", protocol: "tcp" });
+await nft.removePorts({ ports: [8080, 8443], set: "blocked_ports", protocol: "tcp" });
+
+await nft.removePort({ port: 80, set: "blocked_ports" });
+
+// ── Cleanup ──
+
 await nft.deleteTable();
 ```
 
@@ -61,23 +79,119 @@ await nft.deleteTable();
 
 ### `new NftManager(options)`
 
-| Option      | Type       | Required | Description                                                                                      |
-| ----------- | ---------- | -------- | ------------------------------------------------------------------------------------------------ |
-| `tableName` | `string`   | Yes      | Base table name (IPv6 table auto-appends `'6'`)                                                  |
-| `sets`      | `string[]` | Yes      | Set names (1+, unique, non-empty). IPv6 sets auto-append `'6'`. Log prefix: `'{name}: '` |
+| Option | Type | Required | Description |
+| --- | --- | --- | --- |
+| `tableName` | `string` | Yes | Base table name. IPv6 table auto-appends `'6'`. |
+| `sets` | `string[]` | Yes | Input/forward IP set names (≥1). Block by **source** address on input and forward chains. Rules: log + named counter + drop. IPv6 sets auto-append `'6'`. |
+| `outSets` | `string[]` | No | Output IP set names. Block by **destination** address on output chain. Rules: named counter + drop (no log). IPv6 sets auto-append `'6'`. |
+| `outPortSets` | `string[]` | No | Output port set names. Block by **destination port** (TCP/UDP) on output chain using concatenated `inet_proto . inet_service` sets. Ports are added to both IPv4 and IPv6 tables. IPv6 sets auto-append `'6'`. |
 
 ### Methods
 
-All methods return `Promise<void>`.
+All methods return `Promise<void>` and throw on error.
+
+#### Table management
+
+| Method | Description |
+| --- | --- |
+| `createTable()` | Create IPv4/IPv6 tables with all configured sets, chains, named counters, and filter rules. Idempotent — deletes existing tables first. |
+| `deleteTable()` | Delete both tables. Idempotent — no error if tables don't exist. |
+
+#### IP address operations
+
+Work with both `sets` (input/forward) and `outSets` (output).
 
-| Method                                 | Description                                                           |
-| -------------------------------------- | --------------------------------------------------------------------- |
-| `createTable()`                        | Create IPv4/IPv6 tables with all configured sets and filter chains. Idempotent. |
-| `deleteTable()`                        | Delete both tables. Idempotent.                                                 |
-| `addAddress({ ip, set, timeout? })`    | Add IP to set. `timeout` in seconds, omit for permanent.              |
-| `removeAddress({ ip, set })`           | Remove IP from set. Idempotent.                                       |
-| `addAddresses({ ips, set, timeout? })` | Bulk add to set. Chunked for efficient netlink communication.         |
-| `removeAddresses({ ips, set })`        | Bulk remove from set. Idempotent.                                     |
+| Method | Description |
+| --- | --- |
+| `addAddress({ ip, set, timeout? })` | Add IP to set. Auto-detects IPv4/IPv6. `timeout` in seconds, omit for permanent. |
+| `removeAddress({ ip, set })` | Remove IP from set. Idempotent. |
+| `addAddresses({ ips, set, timeout? })` | Bulk add. Chunked internally for efficient netlink communication. Empty array is a no-op. |
+| `removeAddresses({ ips, set })` | Bulk remove. Idempotent. Empty array is a no-op. |
+
+#### Port operations
+
+Work with `outPortSets` only. Ports are added to both IPv4 and IPv6 tables.
+
+| Method | Description |
+| --- | --- |
+| `addPort({ port, set, protocol?, timeout? })` | Add port to set. `protocol`: `'tcp'`, `'udp'`, or omit for both. `timeout` in seconds. |
+| `removePort({ port, set, protocol? })` | Remove port from set. Idempotent. |
+| `addPorts({ ports, set, protocol?, timeout? })` | Bulk add ports. Empty array is a no-op. |
+| `removePorts({ ports, set, protocol? })` | Bulk remove ports. Idempotent. Empty array is a no-op. |
+
+### What `createTable()` builds
+
+For a config with `sets: ["bl"]`, `outSets: ["out"]`, `outPortSets: ["ports"]`:
+
+```
+table ip myfw {
+    counter "processed" { packets 0 bytes 0 }
+    counter "bl"        { packets 0 bytes 0 }
+    counter "out"       { packets 0 bytes 0 }
+    counter "ports"     { packets 0 bytes 0 }
+
+    set bl {
+        type ipv4_addr
+        flags timeout
+        counter
+    }
+
+    set out {
+        type ipv4_addr
+        flags timeout
+        counter
+    }
+
+    set ports {
+        type inet_proto . inet_service
+        flags timeout
+        counter
+    }
+
+    chain input {
+        type filter hook input priority -10; policy accept;
+        counter name "processed"
+        ip saddr @bl log prefix "bl: " counter name "bl" drop
+    }
+
+    chain forward {
+        type filter hook forward priority -10; policy accept;
+        counter name "processed"
+        ip saddr @bl log prefix "bl: " counter name "bl" drop
+    }
+
+    chain output {
+        type filter hook output priority -10; policy accept;
+        ip daddr @out counter name "out" drop
+        meta l4proto . th dport @ports counter name "ports" drop
+    }
+}
+```
+
+IPv6 table (`myfw6`) mirrors the same structure with `ipv6_addr` sets and corresponding offsets.
+
+## Kernel compatibility
+
+Minimum: **Linux 5.7**
+
+| Feature | Kernel | Used for |
+| --- | --- | --- |
+| nftables core | 3.13 | tables, chains, sets, rules |
+| Set timeouts | 4.1 | element expiration |
+| Named counters | 4.10 | traffic accounting |
+| Concatenated sets | 5.6 | port blocking (`inet_proto . inet_service`) |
+| Per-element set expressions | 5.7 | per-element counters |
+
+| Distro | Kernel | Compatible |
+| --- | --- | --- |
+| Ubuntu 22.04+ | 5.15+ | Yes |
+| Ubuntu 20.04 (HWE) | 5.15 | Yes |
+| Ubuntu 20.04 (GA) | 5.4 | No |
+| Debian 11+ | 5.10+ | Yes |
+| Debian 10 | 4.19 | No |
+| RHEL / Rocky 9 | 5.14 | Yes |
+| RHEL / Rocky 8 | 4.18 | No |
+| Alpine 3.16+ | 5.15+ | Yes |
 
 ## Building from source
 
@@ -85,9 +199,15 @@ All methods return `Promise<void>`.
 # Dependencies (Debian/Ubuntu)
 sudo apt install pkg-config libnftnl-dev libmnl-dev build-essential
 
+# Dependencies (Alpine)
+apk add pkgconfig libnftnl-dev libmnl-dev build-base python3
+
 # Build
 npm run build
 
+# Run tests (requires root / CAP_NET_ADMIN)
+npm test
+
 # Prebuild for current platform
 npx prebuildify --napi --strip
 

package/binding.gyp

@@ -1,7 +1,7 @@
 {
   "targets": [
     {
-      "target_name": "remnawave_nft",
+      "target_name": "nftables_napi",
       "sources": [
         "src/addon.cpp",
         "src/nft_manager.cpp",
@@ -28,7 +28,9 @@
         "-Wall",
         "-Wextra",
         "-Wpedantic",
-        "-Wno-unused-parameter"
+        "-Wno-unused-parameter",
+        "-D_FORTIFY_SOURCE=2",
+        "-fstack-protector-strong"
       ],
       "ldflags": [
         "-Wl,-z,relro",

package/lib/index.d.ts

@@ -4,21 +4,38 @@
  * Requires CAP_NET_ADMIN or root privileges.
  */
 
-/** Constructor options. All fields are required — no defaults. */
+/** Constructor options. */
 export interface NftManagerOptions {
     /** Base table name. IPv6 table auto-appends '6'. */
     tableName: string;
-    /** Set names. At least 1, no duplicates, non-empty strings. IPv6 sets auto-append '6'. */
+    /**
+     * Input/forward IP set names (≥1 required). Block by source address.
+     * Rules: log prefix "<setName>: " + named counter + drop on input and forward chains.
+     * IPv6 sets auto-append '6'.
+     */
     sets: string[];
+    /**
+     * Output IP set names (optional). Block by destination address.
+     * Rules: named counter + drop on output chain (no log).
+     * IPv6 sets auto-append '6'.
+     */
+    outSets?: string[];
+    /**
+     * Output port set names (optional). Block by tcp/udp destination port.
+     * Rules: single concatenated (proto . port) lookup + named counter + drop on output chain (no log).
+     * Port is added to BOTH IPv4 and IPv6 tables (ports are family-independent).
+     * IPv6 sets auto-append '6'.
+     */
+    outPortSets?: string[];
 }
 
 /** Options for adding a single address. */
 export interface AddAddressOptions {
     /** IPv4 or IPv6 address (e.g., "1.2.3.4" or "2001:db8::1"). */
     ip: string;
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
     set: string;
-    /** Timeout in seconds. Omit for permanent ban. */
+    /** Timeout in seconds. Omit for permanent. */
     timeout?: number;
 }
 
@@ -26,7 +43,7 @@ export interface AddAddressOptions {
 export interface RemoveAddressOptions {
     /** IPv4 or IPv6 address to remove. */
     ip: string;
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
     set: string;
 }
 
@@ -34,9 +51,9 @@ export interface RemoveAddressOptions {
 export interface AddAddressesOptions {
     /** Array of IPv4/IPv6 addresses. */
     ips: string[];
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
     set: string;
-    /** Timeout in seconds. Omit for permanent ban. */
+    /** Timeout in seconds. Omit for permanent. */
     timeout?: number;
 }
 
@@ -44,8 +61,52 @@ export interface AddAddressesOptions {
 export interface RemoveAddressesOptions {
     /** Array of IPv4/IPv6 addresses to remove. */
     ips: string[];
-    /** Target set name (must match one from constructor's sets array). */
+    /** Target set name (must match one from constructor's sets or outSets). */
+    set: string;
+}
+
+/** Options for adding a single port. */
+export interface AddPortOptions {
+    /** Port number (0-65535). */
+    port: number;
+    /** Target port set name (must match one from constructor's outPortSets). */
+    set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
+    /** Timeout in seconds. Omit for permanent. */
+    timeout?: number;
+}
+
+/** Options for removing a single port. */
+export interface RemovePortOptions {
+    /** Port number (0-65535). */
+    port: number;
+    /** Target port set name (must match one from constructor's outPortSets). */
+    set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
+}
+
+/** Options for bulk adding ports. */
+export interface AddPortsOptions {
+    /** Array of port numbers (0-65535). */
+    ports: number[];
+    /** Target port set name (must match one from constructor's outPortSets). */
     set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
+    /** Timeout in seconds. Omit for permanent. */
+    timeout?: number;
+}
+
+/** Options for bulk removing ports. */
+export interface RemovePortsOptions {
+    /** Array of port numbers (0-65535). */
+    ports: number[];
+    /** Target port set name (must match one from constructor's outPortSets). */
+    set: string;
+    /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
+    protocol?: 'tcp' | 'udp';
 }
 
 export class NftManager {
@@ -60,9 +121,17 @@ export class NftManager {
     constructor(options: NftManagerOptions);
 
     /**
-     * Creates IPv4 and IPv6 tables with all configured sets and filter chains.
+     * Creates IPv4 and IPv6 tables with all configured sets, chains, named counters, and filter rules.
      * Idempotent — destroys existing tables first, then recreates.
      *
+     * Creates:
+     * - Named counter "processed" (global traffic counter per chain)
+     * - Named counter per set (blocked traffic counter)
+     * - Input chain with log + counter + drop rules (for sets)
+     * - Forward chain with log + counter + drop rules (for sets)
+     * - Output chain with counter + drop rules (for outSets and outPortSets, no log)
+     * - Per-element counters on all sets
+     *
      * @throws {Error} if nftables operation fails
      */
     createTable(): Promise<void>;
@@ -78,6 +147,7 @@ export class NftManager {
     /**
      * Adds an IP address to a set.
      * Auto-detects IPv4 vs IPv6 and routes to the correct table/set.
+     * Works with both input sets (sets) and output sets (outSets).
      *
      * @param options - Address, target set name, and optional timeout.
      * @throws {TypeError} if options or fields have wrong types
@@ -88,6 +158,7 @@ export class NftManager {
     /**
      * Removes an IP address from a set.
      * Idempotent — no error if IP is not in the set.
+     * Works with both input sets (sets) and output sets (outSets).
      *
      * @param options - Address and target set name.
      * @throws {TypeError} if options or fields have wrong types
@@ -115,4 +186,50 @@ export class NftManager {
      * @throws {Error} if any IP is invalid, set name is unknown, or nftables operation fails
      */
     removeAddresses(options: RemoveAddressesOptions): Promise<void>;
+
+    /**
+     * Adds a port to an output port set.
+     * Port is added to BOTH IPv4 and IPv6 tables (ports are family-independent).
+     * When protocol is omitted, two elements are added: tcp + udp.
+     * When protocol is 'tcp' or 'udp', one element with that protocol is added.
+     *
+     * @param options - Port number, target set name, and optional timeout.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if port is invalid, set name is unknown, or nftables operation fails
+     */
+    addPort(options: AddPortOptions): Promise<void>;
+
+    /**
+     * Removes a port from an output port set.
+     * Idempotent — no error if port is not in the set.
+     * Port is removed from BOTH IPv4 and IPv6 tables.
+     *
+     * @param options - Port number and target set name.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if port is invalid, set name is unknown, or nftables operation fails
+     */
+    removePort(options: RemovePortOptions): Promise<void>;
+
+    /**
+     * Adds multiple ports to an output port set in bulk.
+     * Ports are added to BOTH IPv4 and IPv6 tables.
+     * Empty arrays are a no-op.
+     *
+     * @param options - Array of port numbers, target set name, and optional timeout.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if any port is invalid, set name is unknown, or nftables operation fails
+     */
+    addPorts(options: AddPortsOptions): Promise<void>;
+
+    /**
+     * Removes multiple ports from an output port set in bulk.
+     * Idempotent — no error if ports are not in the set.
+     * Ports are removed from BOTH IPv4 and IPv6 tables.
+     * Empty arrays are a no-op.
+     *
+     * @param options - Array of port numbers and target set name.
+     * @throws {TypeError} if options or fields have wrong types
+     * @throws {Error} if any port is invalid, set name is unknown, or nftables operation fails
+     */
+    removePorts(options: RemovePortsOptions): Promise<void>;
 }

package/lib/index.js

@@ -6,7 +6,7 @@ let binding;
 try {
   binding = require('node-gyp-build')(path.join(__dirname, '..'));
 } catch (e) {
-  // On non-Linux platforms, the native addon may fail to load
+  if (process.platform === 'linux') throw e;
   binding = null;
 }
 
@@ -16,7 +16,7 @@ if (binding) {
   class NftManager {
     constructor() {
       throw new Error(
-        'remnawave-nft only works on Linux with CAP_NET_ADMIN. Native binding failed to load.'
+        'nftables-napi only works on Linux with CAP_NET_ADMIN. Native binding failed to load.'
       );
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nftables-napi",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Native Node.js binding for nftables via libnftnl+libmnl — nftables firewall management",
   "author": {
     "name": "kastov",
@@ -46,8 +46,7 @@
   ],
   "gypfile": true,
   "engines": {
-    "node": ">=24.0.0",
-    "os": "linux"
+    "node": ">=24.0.0"
   },
   "scripts": {
     "install": "node-gyp-build || true",
@@ -57,10 +56,10 @@
     "prebuild:all": "./prebuild-all.sh"
   },
   "dependencies": {
-    "node-gyp-build": "^4.8.4",
-    "node-addon-api": "^8.5.0"
+    "node-gyp-build": "^4.8.4"
   },
   "devDependencies": {
+    "node-addon-api": "^8.5.0",
     "node-gyp": "^12.2.0",
     "prebuildify": "^6.0.1",
     "@types/node": ">= 24 < 25"

package/src/netlink/constants.h

@@ -23,6 +23,10 @@ inline constexpr uint32_t IPV6_SRC_OFFSET = 8;
 inline constexpr uint32_t IPV4_ADDR_LEN = 4;
 inline constexpr uint32_t IPV6_ADDR_LEN = 16;
 
+// Destination address offsets
+inline constexpr uint32_t IPV4_DST_OFFSET = 16;
+inline constexpr uint32_t IPV6_DST_OFFSET = 24;
+
 // Chain priority
 inline constexpr int32_t CHAIN_PRIORITY = -10;
 
@@ -36,4 +40,25 @@ inline constexpr uint32_t SEQ_BLOCK_SIZE = 256;
 // Number of pages for default batch buffer (pagesize * 32 ≈ 128KB)
 inline constexpr uint32_t DEFAULT_BUF_PAGES = 32;
 
+// Output chain
+inline constexpr const char* CHAIN_OUTPUT = "output";
+
+// Transport header dport offset (bytes from transport header base)
+inline constexpr uint32_t TRANSPORT_DPORT_OFFSET = 2;
+inline constexpr uint32_t TRANSPORT_DPORT_LEN = 2;
+
+// Concatenated type: concat_subtype_add(inet_proto, inet_service)
+// nft CLI builds concat types with LAST subtype in low bits:
+// concat_subtype_add(type, subtype) = type << TYPE_BITS | subtype
+// For (inet_proto=12 . inet_service=13): 12 << 6 | 13 = 781
+inline constexpr uint32_t DATATYPE_PROTO_SERVICE = (12 << 6 | 13);
+inline constexpr uint32_t PROTO_SERVICE_KEY_LEN = 8;
+
+// L4 protocol numbers
+inline constexpr uint8_t PROTO_TCP = 6;
+inline constexpr uint8_t PROTO_UDP = 17;
+
+// Named counter
+inline constexpr const char* COUNTER_NAME = "processed";
+
 } // namespace nft

package/src/netlink/nft_config.h

@@ -5,25 +5,36 @@
 
 namespace nft {
 
+enum class SetKind { InIP, OutIP, OutPort };
+
 struct SetDef {
-    std::string name;        // user-facing key = nftables IPv4 set name
-    std::string name_v6;     // name + "6"
-    std::string log_prefix;  // name + ": "
+    std::string name;
+    std::string name_v6;
+    std::string log_prefix;  // non-empty for InIP only
+    SetKind kind;
 };
 
 struct NftConfig {
     std::string table_v4;
     std::string table_v6;
-    std::vector<SetDef> sets;
+    std::vector<SetDef> sets;  // all sets: InIP + OutIP + OutPort
 
     static NftConfig from_names(const std::string& table_name,
-                                const std::vector<std::string>& set_names) {
+                                const std::vector<std::string>& in_sets,
+                                const std::vector<std::string>& out_sets,
+                                const std::vector<std::string>& out_port_sets) {
         NftConfig cfg;
         cfg.table_v4 = table_name;
         cfg.table_v6 = table_name + "6";
-        cfg.sets.reserve(set_names.size());
-        for (const auto& n : set_names) {
-            cfg.sets.push_back({n, n + "6", n + ": "});
+        cfg.sets.reserve(in_sets.size() + out_sets.size() + out_port_sets.size());
+        for (const auto& n : in_sets) {
+            cfg.sets.push_back({n, n + "6", n + ": ", SetKind::InIP});
+        }
+        for (const auto& n : out_sets) {
+            cfg.sets.push_back({n, n + "6", "", SetKind::OutIP});
+        }
+        for (const auto& n : out_port_sets) {
+            cfg.sets.push_back({n, n + "6", "", SetKind::OutPort});
         }
         return cfg;
     }

package/src/netlink/nftnl_raii.h

@@ -24,6 +24,7 @@ extern "C" {
 #include <libnftnl/chain.h>
 #include <libnftnl/set.h>
 #include <libnftnl/rule.h>
+#include <libnftnl/object.h>
 }
 
 #include <memory>
@@ -37,7 +38,7 @@ struct NftnlTableDeleter {
 };
 using UniqueTable = std::unique_ptr<struct nftnl_table, NftnlTableDeleter>;
 
-inline UniqueTable make_table() { return UniqueTable(nftnl_table_alloc()); }
+[[nodiscard]] inline UniqueTable make_table() { return UniqueTable(nftnl_table_alloc()); }
 
 // --- Chain -------------------------------------------------------------------
 
@@ -46,7 +47,7 @@ struct NftnlChainDeleter {
 };
 using UniqueChain = std::unique_ptr<struct nftnl_chain, NftnlChainDeleter>;
 
-inline UniqueChain make_chain() { return UniqueChain(nftnl_chain_alloc()); }
+[[nodiscard]] inline UniqueChain make_chain() { return UniqueChain(nftnl_chain_alloc()); }
 
 // --- Set ---------------------------------------------------------------------
 
@@ -55,7 +56,7 @@ struct NftnlSetDeleter {
 };
 using UniqueSet = std::unique_ptr<struct nftnl_set, NftnlSetDeleter>;
 
-inline UniqueSet make_set() { return UniqueSet(nftnl_set_alloc()); }
+[[nodiscard]] inline UniqueSet make_set() { return UniqueSet(nftnl_set_alloc()); }
 
 // --- Rule --------------------------------------------------------------------
 
@@ -64,6 +65,15 @@ struct NftnlRuleDeleter {
 };
 using UniqueRule = std::unique_ptr<struct nftnl_rule, NftnlRuleDeleter>;
 
-inline UniqueRule make_rule() { return UniqueRule(nftnl_rule_alloc()); }
+[[nodiscard]] inline UniqueRule make_rule() { return UniqueRule(nftnl_rule_alloc()); }
+
+// --- Object (stateful counter/quota) ----------------------------------------
+
+struct NftnlObjDeleter {
+    void operator()(struct nftnl_obj* o) const noexcept { nftnl_obj_free(o); }
+};
+using UniqueObj = std::unique_ptr<struct nftnl_obj, NftnlObjDeleter>;
+
+[[nodiscard]] inline UniqueObj make_obj() { return UniqueObj(nftnl_obj_alloc()); }
 
 } // namespace nft

package/src/netlink/nl_batch.h

@@ -24,10 +24,10 @@ public:
     NlBatch(NlBatch&&) = delete;
     NlBatch& operator=(NlBatch&&) = delete;
 
-    bool is_valid() const;
-    struct nlmsghdr* add_msg(uint16_t type, uint16_t family, uint16_t flags);
-    bool advance();
-    NlResult execute(NlSocket& sock, bool ignore_enoent = false);
+    [[nodiscard]] bool is_valid() const;
+    [[nodiscard]] struct nlmsghdr* add_msg(uint16_t type, uint16_t family, uint16_t flags);
+    [[nodiscard]] bool advance();
+    [[nodiscard]] NlResult execute(NlSocket& sock, bool ignore_enoent = false);
 
 private:
     std::unique_ptr<char[]> buf_;

package/src/netlink/nl_result.h

@@ -2,7 +2,7 @@
 
 #include <string>
 
-struct NlResult {
+struct [[nodiscard]] NlResult {
     bool success;
     std::string error;
 };