Ramblings of an aging IT geek
linux

i finally rewrote my firewall in nftables

Migrating a small homelab firewall from iptables to nftables, and why the single readable ruleset is the real upgrade.


I've been meaning to move off iptables for ages, and this week I finally did it. My excuse for waiting was that the old rules worked, which is the excuse everyone uses right up to the day they're staring at four separate tables trying to remember which one drops what.

The thing that sold me on nftables isn't speed or some headline feature. It's that the whole firewall lives in one file that reads like prose, and that one tool handles IPv4 and IPv6 in the same ruleset instead of the iptables-plus-ip6tables double bookkeeping I'd been doing for years.

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Replies to connections this host opened, plus related ICMP errors
        ct state established,related accept
        # Loopback is trusted
        iif "lo" accept
        # One rule for the exposed services; edit the set, not three rules
        tcp dport { 22, 80, 443 } accept
        # inet does not merge ICMP: ICMPv6 is its own protocol, and dropping it
        # breaks neighbour discovery and path MTU on v6, so accept both
        meta l4proto { icmp, ipv6-icmp } accept
    }
}

That inet family covers both v4 and v6 at once, which on its own removed half my old config. The one thing it does not merge is ICMP: ICMPv6 is a separate protocol, so an input chain that only accepts ip protocol icmp drops IPv6 neighbour discovery and path MTU messages, and ipv6-icmp has to be accepted as well (meta l4proto { icmp, ipv6-icmp } covers both in one rule). Sets like { 22, 80, 443 } mean one line instead of three. And nft list ruleset shows me the entire live state in a form I can actually read, rather than iptables-save output that I've never once enjoyed looking at.

The migration itself took an evening, most of which was just deciding I trusted the new rules before flipping the policy to drop. If you've been putting this off like I was, it's genuinely less work than the dread suggests. The old iptables command still exists for muscle memory; you just won't want it any more.
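The script below is added here as a worked version of that evening's procedure; it is not the post's own script. It renders the inet ruleset from a list of ports, runs static checks for the mistakes that lock you out or silently break IPv6, parse-checks the file with nft -c -f, and only then loads it, with a rollback timer armed so that a policy drop that cuts your SSH session undoes itself. The paths /etc/nftables.conf and /run/nftables.rollback.*, the 120-second window and the subcommand names are assumptions; nft must be installed and the script run as root.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions: nft is installed and
# this runs as root; the ruleset lives at /etc/nftables.conf (hypothetical
# path); you are logged in over SSH, which is the session the rollback protects.
set -eu

RULESET="${RULESET:-/etc/nftables.conf}"             # assumed path
BACKUP="${BACKUP:-/run/nftables.rollback.nft}"       # assumed path
TIMER_PID="${TIMER_PID:-/run/nftables.rollback.pid}" # assumed path
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Render the whole firewall from a list of TCP ports. "flush ruleset" at the top
# means "nft -f" replaces the live rules in one transaction, so there is no
# window with half the old and half the new ruleset loaded.
render_ruleset() {
    ports=$(printf '%s, ' "$@"); ports="${ports%, }"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        tcp dport { $ports } accept
        meta l4proto { icmp, ipv6-icmp } accept
    }
}
EOF
}

# Static preflight on the ruleset text for the mistakes that cost you the box:
# no established,related accept, no SSH accept, or an inet table that accepts
# IPv4 ICMP only (which drops IPv6 neighbour discovery). Returns 0 if clean.
preflight() {
    f="$1"; rc=0
    grep -q 'ct state established,related accept' "$f" \
        || { echo "preflight: no established,related accept" >&2; rc=1; }
    grep -Eq 'dport[^;]*[{ ,]22([ ,}]|$)' "$f" \
        || { echo "preflight: port 22 not accepted; you will lose this session" >&2; rc=1; }
    if grep -q '^table inet' "$f" && ! grep -Eq 'ipv6-icmp|icmpv6' "$f"; then
        echo "preflight: inet table accepts IPv4 ICMP only; IPv6 will break" >&2; rc=1
    fi
    return $rc
}

# Load the new ruleset with a safety net: parse-check it, save the live rules,
# arm a detached timer that restores them, then load. If policy drop cut your
# session, the timer puts the old rules back; if you can still log in, "commit"
# disarms it. nohup keeps the timer alive when the SSH session hangs up.
apply_with_rollback() {
    preflight "$RULESET"
    nft -c -f "$RULESET"                        # parse only; nothing is loaded
    { echo "flush ruleset"; nft list ruleset; } > "$BACKUP"
    nohup sh -c "sleep $ROLLBACK_SECS && nft -f '$BACKUP' && rm -f '$TIMER_PID'" \
        >/dev/null 2>&1 &
    echo $! > "$TIMER_PID"
    nft -f "$RULESET"                           # one atomic transaction
    echo "loaded; reconnect and run '$0 commit' within ${ROLLBACK_SECS}s" >&2
}

commit() {
    kill "$(cat "$TIMER_PID")" && rm -f "$TIMER_PID" && echo "rollback timer disarmed" >&2
}

case "${1:-}" in
    render) shift; render_ruleset "$@" ;;
    check)  preflight "$RULESET" && nft -c -f "$RULESET" && echo "ok" ;;
    apply)  apply_with_rollback ;;
    commit) commit ;;
    *)      echo "usage: $0 render PORT... | check | apply | commit" >&2 ;;
esac
```

Run apply from the existing SSH session, then open a second session and run commit inside the window; if the second login fails, do nothing and the timer restores the saved rules. nft -c -f only parses the file; it cannot tell you that the rules lock you out, which is what the preflight and the timer are for.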