From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, netfilter@vger.kernel.org,
netfilter-announce@lists.netfilter.org, lwn@lwn.net,
kaber@trash.net
Subject: [ANNOUNCE] nftables 0.3 release
Date: Wed, 25 Jun 2014 17:52:10 +0200
Message-ID: <20140625155210.GA31550@localhost>
Hi!
The Netfilter project presents:
nftables 0.3
This release contains bug fixes, syntax cleanups, new features, and support
for all new features contained in the recent 3.15 kernel release.
Syntax changes
==============
* More compact syntax for the queue action, e.g.
    nft add rule test input queue num 1
  You can also express the multiqueue as a range, followed by options.
    nft add rule test input queue num 1-3 bypass fanout
  Or just simply the options:
    nft add rule test input queue bypass
New features
============
* Match input and output bridge interface name through 'meta ibriport'
  and 'meta obriport', e.g.
    nft add rule bridge filter input meta ibriport br0 counter
* netlink event monitor, to monitor ruleset events, set changes, etc.
  The most simple way to monitor updates is to run:
    nft monitor
* New transaction infrastructure - fully atomic updates for all
  objects available in the upcoming 3.16.
Bug fixes
=========
* Fix crash when nftables / nfnetlink support is not present in the kernel.
* Fix crash when using multi-line command in interactive mode, e.g.
    nft -i
    nft> list \
    .... table filter
* Fix wrong packet and bytes counters when the rule-set is reloaded.
* Fix wrong output in chain priorities
    type route hook output priority -1
                                    ^^
* Fix assertion when using non-equal comparison, e.g.
    nft add rule filter input ip protocol != icmp counter
                                          ^^
* Range inversions, e.g.
    nft add rule filter input != 192.168.0.1-192.168.0.10
                              ^^
* Fix 'meta iiftype ether'.
* Fix the udplite selector, due to missing code in the tokenizer.
Ongoing works
=============
There are several open fronts in terms of development:
* Full logging support for all the supported families (ip, ip6, arp,
  bridge and inet).
* Masquerading support.
* Better reject support, which allows you to indicate the explicit reject
  reason.
* JSON/XML import.
* reverse set lookups, e.g.
    ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
             ^^
* more new meta selectors, packet type (unicast, multicast and broadcast),
  cpu, physical interface, realm, etc.
* support for concatenations - multidimensional exact matches in O(1) types
* set selection - automatic selection of the optimal set
  implementation.
Resources
=========
The nftables code can be obtained from:
* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables
To build the code, libnftnl and libmnl are required:
* http://netfilter.org/projects/libnftnl/index.html
Thanks
======
Thanks to all our contributors, testers and bug reporters, who have
all helped to improve nftables.
On behalf of the Netfilter Core Team,
Happy bytecode execution :)