sgt 9 hours ago

nftables syntax is pretty tough to read. I wonder why they didn't go for an easier-to-read DSL. I do understand it's likely super fast to parse though, and has a 1:1 relationship to its struct in the kernel.

drnick1 5 hours ago | parent | next [-]

I personally stick to iptables. nftables does not seem to be an improvement at all. iptables is terse but logical.

tuetuopay 9 hours ago | parent | prev [-]

I’ll pick nftables over iptables any day, it’s leagues better (granted, it’s not hard). The nftables wiki is great, as the syntax and modules are documented in a single easy to read page.

As an added bonus, you get atomic updates of all chains for free.

Granted, for simple use cases, ufw or firewalld may be simpler though.

sgt 7 hours ago | parent [-]

Definitely an upgrade over iptables. I kinda miss ipchains though.

pak9rabid 5 hours ago | parent [-]

You can still use the iptables interface for nftables rules if you'd like, but I think you miss out on things like atomic application of rulesets, ranges, lists, and variables (not shell variables).
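To make the features named in the thread concrete (atomic ruleset application, ranges, lists, and nft variables), here is an added example ruleset file that is not from any of the commenters; the interface name and all addresses are constructed placeholders from documentation ranges.

```nft
#!/usr/sbin/nft -f
# Constructed example (not from the thread). Loading this file with
# `nft -f <file>` submits every statement below as one transaction, so the
# kernel swaps the old ruleset for the new one atomically: a client never
# observes a half-applied policy the way it can mid-way through an iptables script.
flush ruleset

# nft variables are expanded by nft itself when the file is parsed,
# independent of any shell; all values here are constructed placeholders.
define mgmt_if = "eth0"
define admin_v4 = { 192.0.2.0/24, 198.51.100.10-198.51.100.20 }  # list mixing a CIDR and a range
define web_ports = { 80, 443 }                                    # list of ports

table inet filter {
    # Named set of intervals; "flags interval" lets CIDRs and ranges be elements.
    set blocklist_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # One lookup against the set replaces one iptables rule per address.
        ip saddr @blocklist_v4 counter drop

        # Administrative SSH only from the admin list and only on the management interface.
        iifname $mgmt_if ip saddr $admin_v4 tcp dport 22 accept

        tcp dport $web_ports accept
        ip protocol icmp limit rate 10/second accept

        # Anything else falls through to the chain policy; count it for visibility.
        counter comment "dropped by input policy"
    }
}
```

If any line fails to parse, `nft -f` rejects the entire file and the previously loaded ruleset stays in place, which is the other half of the atomicity guarantee; `nft -c -f <file>` checks the file without loading it.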