I migrated one host from iptables to nftables this week, mostly to stop putting it off. nftables has been the recommended replacement for a while now, the tooling has settled down, and most distributions ship it as the default backend anyway, so you are often already using it through the iptables-nft shim without realising.
The thing that actually sold me is the single ruleset. With iptables you juggle separate binaries and separate tables for IPv4 and IPv6, and you end up maintaining two parallel sets of rules that drift apart. With nftables it is one nft command, one ruleset file, and you can write a rule that covers both address families in one place with the inet family. My firewall config went from two files I had to keep in sync to one I can read top to bottom.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport { 22, 80, 443 } accept
    }
}
That tcp dport { 22, 80, 443 } set in one line, instead of three near-identical rules, is the small daily pleasure. nft list ruleset shows you the whole thing as a coherent document rather than a flat dump of chains.
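For anyone copying the pattern above, here is the same inet ruleset written out as a complete file of the kind you would load with nft -f. This is an added example, not the ruleset from this post: it keeps the three rules above and adds the pieces that bite people on their first drop-policy inet firewall, namely dropping packets conntrack cannot classify, allowing ICMP for both families (IPv6 neighbour discovery stops working otherwise, and so does path-MTU discovery), and a rate-limited log of what the policy is about to drop so a mistake is visible instead of silent. The flush ruleset line at the top is what makes nft -f an atomic replace rather than an append; the filename in the comments is an assumed path, not one from the post.

```nft
#!/usr/sbin/nft -f
# Added example, not the post's original ruleset. Assumed location: /etc/nftables.conf
# Syntax-check before applying:  nft -c -f /etc/nftables.conf
# Apply (replaces the live ruleset in one transaction): nft -f /etc/nftables.conf

# Replace the whole ruleset atomically; nothing is half-applied at any point.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets conntrack cannot classify (bad TCP flags, out-of-window) go first.
        ct state invalid drop
        ct state established,related accept
        iif lo accept

        # Both families need ICMP under a drop policy: IPv6 neighbour discovery
        # and router advertisements are ICMPv6, and path-MTU discovery needs
        # "fragmentation needed" / "packet too big" to arrive.
        meta l4proto { icmp, ipv6-icmp } accept

        # Services, one rule for both address families.
        tcp dport { 22, 80, 443 } accept

        # Make the drop policy observable without flooding the journal.
        limit rate 5/minute log prefix "nft-input-drop: "
    }
}
```

Keeping it as a single file with flush ruleset at the top means the reload path is also the rollback path: restoring the saved iptables rules, or an earlier copy of this file, is one nft -f away, which is the property that makes the migration a dull change rather than a risky one.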
I kept the old iptables rules saved off to the side, naturally, because I am not deleting a firewall config the same day I rewrite it. But I do not expect to go back. Overdue, and pleasingly dull, which is exactly what you want from a firewall change.