lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Tue, 9 Aug 2022 21:54:38 +0200
From:   Pablo Neira Ayuso <>
To:     netfilter <>,
        netfilter-devel <>
Subject: [ANNOUNCE] nftables 1.0.5 release


The Netfilter project proudly presents:

        nftables 1.0.5

This release contains bugfixes (highlights):

- Fixes for the -o/--optimize, run this --optimize option to automagically
  compact your ruleset using sets, maps and concatenations, eg.

     # cat ruleset.nft
     table ip x {
            chain y {
                    type nat hook postrouting priority srcnat; policy drop;
                    ip saddr tcp dport 8000 snat to
                    ip saddr tcp dport 8001 snat to

     # nft -o -c -f ruleset.nft
     ruleset.nft:4:3-52:                ip saddr tcp dport 8000 snat to
     ruleset.nft:5:3-52:                ip saddr tcp dport 8001 snat to
            snat to ip saddr . tcp dport map { . 8000 : . 80, . 8001 : . 90 }

- Fix ethernet and vlan concatenations, eg. define a dynamic set which
  is populated from the packet path.

     add table netdev x
     add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
     add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
     add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }

  or simply match using a concatenation:

     add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept

- Fix ruleset listing with interface wildcard map, eg.

     table inet filter {
        chain INPUT {
            iifname vmap {
                "eth0" : jump input_lan,
                "wg*" : jump input_vpn
        chain input_lan {}
        chain input_vpn {}

- Fix several regressions in the input lexer which broke valid rulesets.
- Fix slowdown with large lists of singleton interval elements.
- Fix set automerge feature for large lists of singleton interval elements.
- Fix bogus error reporting for exact overlaps.
- Fix segfault when adding elements to invalid set.
- fix device parsing in netdev family in json.

See changelog for more details (attached to this email).

You can download this new release from:

To build the code, libnftnl >= 1.2.3 and libmnl >= 1.0.4 are required:


Visit our wikipage for user documentation at:


For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:


Happy firewalling.

View attachment "changes-nftables-1.0.5.txt" of type "text/plain" (3293 bytes)

Powered by blists - more mailing lists