feat(firewall): add IP set blocking convenience API with CIDR interval support and optional rule comments

ts/nft.types.ts

@@ -73,9 +73,29 @@ export interface INftIPSetConfig {
   name: string;
   type: 'ipv4_addr' | 'ipv6_addr' | 'inet_service';
   elements?: string[];
+  /** Enable interval sets so CIDR/range elements can be stored. */
+  interval?: boolean;
   comment?: string;
 }
 
+export interface INftIPSetBlockOptions {
+  /** Name of the nftables set to create and match against. */
+  setName?: string;
+  /** IPs or CIDR ranges to add to the set. */
+  ips: string[];
+  /** Chain to apply the block rule to. Default: input. */
+  direction?: 'input' | 'forward';
+  /** Set type. Defaults to ipv4_addr for the default ip family. */
+  type?: 'ipv4_addr' | 'ipv6_addr';
+  /** Optional rule comment. */
+  comment?: string;
+}
+
+export interface INftCleanupOptions {
+  /** Delete the table even when this process did not initialize it. */
+  force?: boolean;
+}
+
 // ─── Rule Group (tracking unit) ───────────────────────────────────
 export interface INftRuleGroup {
   id: string;