• Added support for embedding the pasta userspace networking binary directly into nsjail (memfd)
• Improved mount handling so both legacy and new mount APIs more reliably enforce read-only remounts
• Fixed seccomp policy assembly so repeated seccomp_string entries are combined and compiled together
• Expanded built-in test coverage for chroot/read-write mount behavior

BROKEN - seccomp_string(s) from config files are not additive, leading to weaker seccomp policies

• Based on the latest Kafel version (support for conditional system calls, updated system call arguments, and m68k support)
• Support for userland networking via pasta/passt
• Experimental support for the new Linux mount API (fsopen/fspick/fsmount)
• More examples in configs/
• Support for configurations in JSON format

• Improved cgroups2 support
• Improved cgroups2 + docker interoperability
• New configs: hexchat, telegram
• Better support for clone3
• New signals displayed: SIGPWR
• Support for nvim+.clangd
• Improved .clang-format rules
• Print help to stdout if -h | --help was used

• Build fix: Unset LDFLAGS for kafel
• Setup cgroup.subtree_control controllers when necessary in cgroupsv2

• switch to C++14
• various example configs improvements
• using atomics in signal handlers
• improve debug logging
• use only CPUs from current affinity set
• add option to forward fatal signals to the child

• config proto fields remunerated
• various compilation/build error fixes
• process is killed in listen mode once tcp connection is closed
• Support for newly added Linux capabilities (CAP_BPF, CAP_PERFMON, CAP_CHECKPOINT_RESTORE)
• Added global connection limit for listen mode
• Added support for rlimit_mlock, rlimit_rtpr, rlimit_msgq
• Added switch_root option useful for embedded systems that use rootfs
• Fix setting CPU CFS limit
• Allow mount options to contain colons
• Added support for setting cgroup memory.memsw.limit_in_bytes
• Added option to disable TSC

• the TCP proxy mode a socketpair proxy now
• fixes for some configs/ (e.g. for xchat and for znc)
• fixes to the Dockerfile and to the dockerpush.yml
• new clone option recognized (CLONE_NEWPID)
• fixed max_conns_per_ip
• clarification of units for cgroups_mem_max

• even more C++-isms (e.g. RETURN_ON_FAILURE)
• improved EINTR handling
• improved configs for some tools
• changed default RLIMIT_AS to 4GiB
• rudimentary support for cgroups2
• added option to ignore rlimits
• fixed setcwd() w/o CLONE_NEWNS

• even more C++-isms
• clearer main process loop
• refactored cgroup setting code
• ability to specify noexec/nodev/nosuid in mounts
• updated kafel
• added --macvlan_vs_ma option
• better configs/
• changed behavior of --env - empty var means passing it from parent

• More C++'isms across the code
• Removed 'tmpfs_size', '-m none:dest:tmpfs:size=....' can be used for that
• Added support for SECCOMP_FILTER_FLAG_LOG
• Save and restore console state before/after running the subprocesses
• Make use of newer kafel version
• '--iface_own' can be used to put some interface into a jail
• Updated some configs/ (e.g. for Firefox)
• '-s' can be used to specify symlinks via the cmd-line