Hi!

The Netfilter project proudly presents:

        nftables 1.0.2

This release contains new features available up to the Linux kernel
5.17-rc release:

- New ruleset optimization -o/--optimize option. You can combine this
  option with the dry run mode (--check) to review the proposed ruleset
  updates without actually loading the ruleset, e.g.

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  Note that the merged rule carries a single counter, so the separate
  per-address packet and byte counts of the three original rules are no
  longer available; review the dry-run output with that in mind.

  This option also coalesces rules using concatenation+set, e.g.

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept

  into:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept

  and it uses verdict maps to coalesce rules with the same selectors but
  different verdicts, e.g.

        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

  into:

        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

- Support for ip and tcp options and sctp chunks in sets, e.g.

        set s5 {
                typeof ip option ra value
                elements = { 1, 1024 }
        }
        set s7 {
                typeof sctp chunk init num-inbound-streams
                elements = { 1, 4 }
        }
        chain c5 {
                ip option ra value @s5 accept
        }
        chain c7 {
                sctp chunk init num-inbound-streams @s7 accept
        }

- Support for tcp fastopen, md5sig and mptcp options.

- MPTCP subtype matching support, e.g.

        tcp option mptcp subtype 1

- Improved kernel-side filtering via listing options.

- Complete JSON support for flowtables.

... this release also includes fixes (highlights):

- Fix --terse option with anonymous sets.

- Fix crash with `nft describe' on invalid field or datatype.

- Big endian fixes for ct expiration, meta sk{u,g}uid, meta hour,
  ct label, meta {i,o}ifname with wildcard, payload matching with
  bitmasks.

- Allow quoted strings as device names in flowtable declarations.

- Ethernet matching with reject, e.g.

        ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject

- Turn on the dynamic flag if a rule dynamically updates a set.

... and incremental documentation updates.

This release also includes libnftables C example code, now available
under the examples/ folder.

You can download this new release from:

  https://www.netfilter.org/projects/nftables/downloads.html
  https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wiki page for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
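To make the three merging strategies of the -o option above concrete (plain set, concatenation+set, and verdict map), here is a small Python model of that coalescing on a linear chain. It is an added illustration for this page, not nftables' own optimizer code, and it understands only a deliberately narrow, constructed subset of the rule grammar: two-word exact-value selectors such as ip daddr or meta iifname, an optional counter, and a trailing verdict. The sample ruleset is constructed for the example. The model coalesces only adjacent rules with identical selectors, keeps the first verdict for a key that appears twice (the later rule was already unreachable in a top-to-bottom chain), and refuses to merge rules that disagree on counter, which are the three things worth checking by eye when reviewing nft -c -o output.

```python
"""Toy model of the rule coalescing done by `nft -o` (added illustration,
not nftables' own optimizer).  Supported input: one rule per line, made of
two-word exact-value selectors (`ip daddr 10.0.0.1`, `meta iifname eth0`,
`tcp dport 22`), an optional `counter`, and a trailing verdict.  Ranges,
wildcards, three-word selectors such as `ip option ra value`, and any
other statement are rejected rather than silently mis-merged.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import groupby

SELECTOR_PREFIXES = {"ip", "ip6", "meta", "tcp", "udp", "sctp", "ether"}
VERDICTS = {"accept", "drop", "reject", "continue", "return"}


@dataclass(frozen=True)
class Rule:
    selectors: tuple[str, ...]  # e.g. ("meta iifname", "ip saddr", "ip daddr")
    values: tuple[str, ...]     # one exact value per selector, same order
    counter: bool
    verdict: str


def parse_rule(text: str) -> Rule:
    """Parse the small rule subset described in the module docstring."""
    toks = text.split()
    sels: list[str] = []
    vals: list[str] = []
    counter = False
    verdict = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in SELECTOR_PREFIXES:
            if i + 2 >= len(toks):
                raise ValueError(f"truncated match in {text!r}")
            sels.append(f"{tok} {toks[i + 1]}")
            vals.append(toks[i + 2])
            i += 3
        elif tok == "counter":
            counter = True
            i += 1
        elif tok in VERDICTS and i == len(toks) - 1:
            verdict = tok
            i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
    if verdict is None:
        raise ValueError(f"rule has no verdict: {text!r}")
    return Rule(tuple(sels), tuple(vals), counter, verdict)


def render_single(rule: Rule) -> str:
    parts = [f"{s} {v}" for s, v in zip(rule.selectors, rule.values)]
    if rule.counter:
        parts.append("counter")
    parts.append(rule.verdict)
    return " ".join(parts)


def coalesce(rules: list[Rule]) -> list[str]:
    """Merge runs of *adjacent* rules sharing the same selector list.

    Only neighbours are merged: a chain is evaluated top to bottom, so
    moving a rule past an unrelated one could change which rule a packet
    hits first.  A repeated key keeps its first verdict (the later rule
    was shadowed anyway).  Rules that disagree on `counter` stay separate,
    since one merged counter cannot reproduce per-rule accounting.
    """
    out: list[str] = []
    for sels, grp in groupby(rules, key=lambda r: r.selectors):
        run = list(grp)
        if len(run) == 1 or not sels or len({r.counter for r in run}) != 1:
            out.extend(render_single(r) for r in run)
            continue
        first_verdict: dict[tuple[str, ...], str] = {}
        for r in run:
            first_verdict.setdefault(r.values, r.verdict)  # first match wins
        lhs = " . ".join(sels)
        verdicts = set(first_verdict.values())
        if len(verdicts) == 1:
            # Same verdict everywhere: plain set, or concatenation + set.
            elems = ", ".join(" . ".join(v) for v in first_verdict)
            stmt = " counter" if run[0].counter else ""
            out.append(f"{lhs} {{ {elems} }}{stmt} {verdicts.pop()}")
        else:
            # Same selectors, different verdicts: verdict map.
            elems = ", ".join(
                f"{' . '.join(v)} : {verdict}" for v, verdict in first_verdict.items()
            )
            prefix = "counter " if run[0].counter else ""
            out.append(f"{prefix}{lhs} vmap {{ {elems} }}")
    return out


def optimize(ruleset: str) -> list[str]:
    rules = [parse_rule(line) for line in ruleset.splitlines() if line.strip()]
    return coalesce(rules)


# Constructed sample: the three shapes from the release notes, plus a
# shadowed duplicate key and an unrelated rule that must survive unchanged.
SAMPLE_RULESET = """\
ip daddr 192.168.0.1 counter accept
ip daddr 192.168.0.2 counter accept
ip daddr 192.168.0.3 counter accept
meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
ip saddr 2.2.2.2 ip daddr 3.3.3.3 accept
tcp dport 22 accept
"""

if __name__ == "__main__":
    for line in optimize(SAMPLE_RULESET):
        print(line)
```

Running the module prints the four coalesced rules for the constructed sample; the accept duplicate of the 2.2.2.2 . 3.3.3.3 key is dropped because the drop rule above it already caught those packets, and the lone tcp dport rule is left untouched. The real nft output additionally prints the counter as "counter packets 0 bytes 0", as shown in the release notes above.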