feat(firewall): add IP set blocking convenience API with CIDR interval support and optional rule comments

2026-04-26 15:05:50 +00:00
parent 75dacef68e
commit 6e7c0d90d8
9 changed files with 106 additions and 8 deletions
+4 -4
@@ -3,7 +3,7 @@ import { buildTableSetup, buildFilterChains, buildTableCleanup } from './nft.rul
import { NatManager } from './nft.manager.nat.js';
import { FirewallManager } from './nft.manager.firewall.js';
import { RateLimitManager } from './nft.manager.ratelimit.js';
import type { TNftFamily, INftRuleGroup, INftStatus, ISmartNftablesOptions } from './nft.types.js';
import type { TNftFamily, INftCleanupOptions, INftRuleGroup, INftStatus, ISmartNftablesOptions } from './nft.types.js';
/**
* SmartNftables — high-level facade for managing nftables rules.
@@ -122,8 +122,8 @@ export class SmartNftables {
/**
* Delete the entire nftables table and clear all tracking.
*/
public async cleanup(): Promise<void> {
if (this.executor.isRoot() && this.initialized) {
public async cleanup(options: INftCleanupOptions = {}): Promise<void> {
if (this.executor.isRoot() && (this.initialized || options.force)) {
const commands = buildTableCleanup(this.tableName, this.family);
await this.executor.execBatch(commands, { continueOnError: true });
}
@@ -138,7 +138,7 @@ export class SmartNftables {
* Returns false if not root, not initialized, or the table was removed externally.
*/
public async tableExists(): Promise<boolean> {
if (!this.executor.isRoot() || !this.initialized) {
if (!this.executor.isRoot()) {
return false;
}
try {
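Review bot: With `options.force` set, `cleanup()` now runs `buildTableCleanup(this.tableName, this.family)` even when this instance never initialized the table, and the doc comment above it does not say so. If another process or an earlier run owns a table with the same name, its filter rules are deleted along with it, and because the batch runs with `continueOnError: true` the caller gets no signal about what was or was not removed. I would document the flag on the method, e.g. `@param options.force - delete the table even if this instance did not create it; removes every rule in that table regardless of owner`, and consider logging when the forced path is taken so that an unexpected rule teardown is visible in audit logs. Separately, the `tableExists()` comment still says it returns false when "not initialized", but the new condition is only `!this.executor.isRoot()`; the comment should read `Returns false if not root or the table does not exist.` Both method bodies continue outside the hunks shown, so the behaviour after the `try {` is not visible here.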