Ramblings of an aging IT geek
linux

moving the firewall to nftables, at last

Converting a long-standing iptables ruleset to nftables on a personal box, and why the single unified table and atomic reloads were worth the afternoon.

[Image: A terminal with a Linux firewall ruleset on screen]

I have been promising myself I would move off iptables for about two years, and this weekend I finally did it on my home server. The push was nothing dramatic: I had to add one IPv6 rule and realised I was about to maintain two parallel rulesets, iptables and ip6tables, that did almost the same thing in almost the same words. That is exactly the duplication nftables exists to kill.

The conversion was less painful than I had built it up to be. iptables-translate did most of the mechanical work, turning my old rules into nft syntax line by line, and the result was genuinely readable afterwards. One inet table handles both v4 and v6, so the IPv6 rule I had been dreading became a single extra line rather than a second file.

# Loaded with: nft -f <this file>
flush ruleset   # start empty so a reload replaces the rules instead of appending
                # duplicates (note: this also drops tables other tools created)

table inet filter {   # one inet table covers both IPv4 and IPv6
  chain input {
    type filter hook input priority 0; policy drop;   # default deny inbound
    ct state established,related accept   # replies to traffic we started
    iif "lo" accept                       # loopback
    tcp dport { 22, 80, 443 } accept      # ssh, http, https
    ip protocol icmp accept               # IPv4 ping and error messages
    ip6 nexthdr icmpv6 accept             # IPv6 ICMP; neighbour discovery needs it
  }
}

The bit that sold me was the atomic reload. nft -f loads the whole file in one transaction: it either all applies or none of it does. No more half-applied rulesets where a typo on line forty locks you out with thirty-nine rules already live. I should have done this two years ago.
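Atomic loading covers the typo-on-line-forty case, but not a ruleset that parses cleanly and still drops your SSH session. As an added example (not from the post), the script below wraps nft -f with a parse-only check, a snapshot of the live ruleset, and a timed rollback that reloads the snapshot unless you confirm; it assumes the nft binary is on PATH and root privileges, and the run callable can be swapped for a fake to exercise the logic without touching a firewall.

```python
"""Checked, atomic, revertible nftables reload (constructed example)."""
import subprocess
import threading


def run_nft(args, stdin=None):
    """Run nft with the given arguments; return (exit code, combined output)."""
    proc = subprocess.run(["nft", *args], input=stdin, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


class PendingReload:
    """Handle for an applied ruleset that rolls back unless confirmed in time."""

    def __init__(self, snapshot, seconds, run):
        # Rollback is itself one atomic transaction: flush, then restore the snapshot
        # (nft -f - reads the ruleset from stdin).
        self.timer = threading.Timer(
            seconds, lambda: run(["-f", "-"], stdin="flush ruleset\n" + snapshot))
        self.timer.daemon = True
        self.timer.start()

    def confirm(self):
        """Call once you have verified you still have access; keeps the new rules."""
        self.timer.cancel()


def safe_reload(ruleset_path, confirm_seconds=60, run=run_nft):
    """Parse-check, snapshot, apply, and arm a timed rollback.

    Returns (ok, message, pending). nft -f is all-or-nothing, so a syntax error
    changes nothing; the rollback covers the other failure mode, a ruleset that
    parses but locks you out.
    """
    rc, out = run(["-c", "-f", ruleset_path])          # parse only, no changes
    if rc != 0:
        return False, "syntax check failed:\n" + out, None
    rc, snapshot = run(["list", "ruleset"])             # what to restore later
    if rc != 0:
        return False, "could not snapshot live ruleset:\n" + snapshot, None
    rc, out = run(["-f", ruleset_path])                 # atomic apply
    if rc != 0:
        return False, "apply failed, old rules still live:\n" + out, None
    pending = PendingReload(snapshot, confirm_seconds, run)
    return True, f"applied; call confirm() within {confirm_seconds}s", pending


if __name__ == "__main__":
    import sys
    ok, msg, pending = safe_reload(sys.argv[1])
    print(msg)
    if ok:
        input("Press Enter to keep the new ruleset: ")  # if locked out, timer reverts
        pending.confirm()
```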