feat(firewall): add IP set blocking convenience API with CIDR interval support and optional rule comments

test/test.rulebuilder-firewall.ts

@@ -137,4 +137,16 @@ tap.test('should build IP set match rule', async () => {
   expect(cmds[0]).toInclude('drop');
 });
 
+tap.test('should build IP set match rule with comment', async () => {
+  const cmds = buildIPSetMatchRule('mytable', 'ip', {
+    setName: 'blocklist',
+    direction: 'input',
+    matchField: 'saddr',
+    action: 'drop',
+    comment: 'managed blocklist',
+  });
+
+  expect(cmds[0]).toInclude('comment "managed blocklist"');
+});
+
 export default tap.start();

test/test.smartnftables.ts

@@ -97,6 +97,24 @@ tap.test('should handle blockIP convenience method', async () => {
   await nft.cleanup();
 });
 
+tap.test('should handle blockIPSet convenience method', async () => {
+  const nft = new SmartNftables({ tableName: 'test' });
+  await nft.initialize();
+
+  await nft.firewall.blockIPSet('bad-actors', {
+    ips: ['1.2.3.4', '5.6.0.0/16'],
+    setName: 'blocked_ipv4',
+    comment: 'test blocklist',
+  });
+
+  const status = nft.status();
+  const group = status.groups['fw:blockset:bad-actors'];
+  expect(group).toBeDefined();
+  expect(group.ruleCount).toEqual(3); // create set, add elements, match rule
+
+  await nft.cleanup({ force: true });
+});
+
 tap.test('should handle stateful tracking convenience', async () => {
   const nft = new SmartNftables({ tableName: 'test' });
   await nft.initialize();