In April I decided to switch the firewalls for my laptop and a couple of servers from iptables to nft and nftables.
After several months of use I can report that the experience has been positive.
Pros:
- Simple declarative configuration file. No more hacky shell scripts.
- Atomic (all or nothing) ruleset changes.
- Faster ruleset changes.
- Built-in JSON support.
Cons:
- Occasionally finicky parser.
- Remapping IP ranges can be more verbose than with iptables.
The details are a bit long for a blog post (even for me!), so they are available as a separate “Nftables Examples” article instead.