Hi!

The Netfilter project proudly presents:

        nftables 1.0.5

This release contains bugfixes (highlights):

- Fixes for -o/--optimize. Run nft with this option to automatically compact
  your ruleset using sets, maps and concatenations. Combined with -c (check
  mode) nothing is loaded into the kernel; nft only reports what it would
  merge, e.g.

  # cat ruleset.nft
  table ip x {
          chain y {
                  type nat hook postrouting priority srcnat; policy drop;
                  ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                  ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
          }
  }
  # nft -o -c -f ruleset.nft
  Merging:
  ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
  ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
  into:
          snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

- Fix ethernet and vlan concatenations, e.g. define a dynamic set which is
  populated from the packet path:

  add table netdev x
  add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
  add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
  add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }

  or simply match using a concatenation:

  add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept

- Fix ruleset listing with an interface wildcard map, e.g.

  table inet filter {
          chain INPUT {
                  iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
          }
          chain input_lan {}
          chain input_vpn {}
  }

- Fix several regressions in the input lexer which broke valid rulesets.

- Fix slowdown with large lists of singleton interval elements.

- Fix the set automerge feature for large lists of singleton interval elements.

- Fix bogus error reporting for exact overlaps.

- Fix segfault when adding elements to an invalid set.

- Fix device parsing in the netdev family in JSON.

See the changelog for more details (attached to this email).
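To make the -o/--optimize transformation above concrete, here is a small Python re-implementation of the merging step, written for this page as an illustration; it is not the nft optimizer's own code. It reproduces the two merges shown in this announcement (a nat map over `ip saddr . tcp dport`, and a set over `ether saddr . vlan id`) on a constructed ruleset, and only folds consecutive rules, so first-match order is preserved. All names (`parse_rule`, `merge_rules`, `extract_rules`, `RULESET`) are this example's own, and it assumes the reduced grammar described in the module docstring.

```python
"""Toy re-implementation of the rule merging performed by `nft --optimize`.

Added illustration for the 1.0.5 announcement; NOT nftables' own optimizer.
Assumptions: a rule is a sequence of `<expr> <field> <value>` match triples
followed by exactly one statement, which is `snat to <ipv4>[:<port>]`,
`dnat to <ipv4>[:<port>]`, `accept` or `drop`.
"""
from __future__ import annotations

from itertools import groupby

# Constructed sample ruleset, same shape as the announcement's example.
RULESET = """\
table ip x {
	chain y {
		type nat hook postrouting priority srcnat; policy drop;
		ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
		ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
		ip saddr 3.3.3.3 tcp dport 8002 snat to 6.6.6.6:100
	}
}
"""

NAT_VERBS = ("snat", "dnat")
VERDICTS = ("accept", "drop")


def parse_rule(rule: str):
    """Split one rule into (selectors, values, verb, target).

    e.g. selectors ("ip saddr", "tcp dport"), values ("1.1.1.1", "8000"),
    verb "snat to", target "4.4.4.4:80" (target is None for verdicts).
    """
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok in NAT_VERBS or tok in VERDICTS:
            break
    else:
        raise ValueError(f"no supported statement in rule: {rule!r}")
    if i == 0 or i % 3 != 0:
        raise ValueError(f"match part is not <expr field value> triples: {rule!r}")
    selectors = tuple(" ".join(tokens[j:j + 2]) for j in range(0, i, 3))
    values = tuple(tokens[j + 2] for j in range(0, i, 3))
    if tok in NAT_VERBS:
        if len(tokens) != i + 3 or tokens[i + 1] != "to":
            raise ValueError(f"unsupported nat statement: {rule!r}")
        return selectors, values, f"{tok} to", tokens[i + 2]
    if len(tokens) != i + 1:
        raise ValueError(f"trailing tokens after verdict: {rule!r}")
    return selectors, values, tok, None


def nat_target(target: str) -> str:
    """'4.4.4.4:80' -> '4.4.4.4 . 80': map data becomes a concatenation.
    A bare IPv4 address (or anything with more than one ':') is left as-is."""
    addr, sep, port = target.rpartition(":")
    return f"{addr} . {port}" if sep and ":" not in addr else target


def merge_rules(rules: list[str]) -> list[str]:
    """Fold runs of adjacent rules that share selectors and statement verb.

    Like nft -o, only consecutive rules are merged, so an intervening rule
    with a different key keeps its position and first-match semantics hold.
    """
    parsed = [parse_rule(r) for r in rules]
    out: list[str] = []
    for (selectors, verb), run_iter in groupby(parsed, key=lambda p: (p[0], p[2])):
        run = list(run_iter)
        if len(run) == 1:
            # Nothing to merge: re-emit the rule with normalised whitespace.
            sel, vals, v, tgt = run[0]
            matches = " ".join(f"{s} {val}" for s, val in zip(sel, vals))
            out.append(f"{matches} {v} {tgt}" if tgt else f"{matches} {v}")
            continue
        key = " . ".join(selectors)
        if verb in VERDICTS:
            # Verdict rules collapse into an anonymous set of concatenated keys.
            elems = ", ".join(" . ".join(vals) for _, vals, _, _ in run)
            out.append(f"{key} {{ {elems} }} {verb}")
        else:
            # nat rules collapse into an anonymous map: key concat -> addr . port.
            elems = ", ".join(
                f"{' . '.join(vals)} : {nat_target(tgt)}" for _, vals, _, tgt in run
            )
            out.append(f"{verb} {key} map {{ {elems} }}")
    return out


def extract_rules(ruleset: str) -> list[str]:
    """Pull rule lines out of a single-chain ruleset text (constructed input only)."""
    rules = []
    for line in ruleset.splitlines():
        s = line.strip()
        if not s or s.endswith("{") or s == "}" or s.startswith(("type ", "policy ")):
            continue
        rules.append(s)
    return rules


if __name__ == "__main__":
    original = extract_rules(RULESET)
    print("Original rules:")
    for r in original:
        print("  " + r)
    print("Optimized:")
    for r in merge_rules(original):
        print("  " + r)
```

Running the module prints the three constructed snat rules and the single map they fold into. The real optimizer also handles ranges, intervals and other statement types; this example is only meant to show why `snat to ip saddr . tcp dport map { ... }` is a faithful rewrite of the per-rule form, and why adjacency matters when reviewing what -o merged.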
You can download this new release from:

  https://www.netfilter.org/projects/nftables/downloads.html
  https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.3 and libmnl >= 1.0.4 are required:

  * https://netfilter.org/projects/libnftnl/index.html
  * https://netfilter.org/projects/libmnl/index.html

Visit our wiki for user documentation at:

  * https://wiki.nftables.org

For the reference documentation, see the nft(8) manual page.

In case of bugs and feature requests, file them via:

  * https://bugzilla.netfilter.org

Happy firewalling.