
I use and recommend nftables, and while it's very usable I also think it's important to acknowledge that nftables is not yet at full feature parity with iptables.

More details can be found here:

- https://wiki.nftables.org/wiki-nftables/index.php/Supported_...

- https://wiki.nftables.org/wiki-nftables/index.php/List_of_up...

All the basics are there and I'm already using it for my home firewall so don't get the wrong idea, but if you use any of the more interesting iptables features you might want to test those features out in nft before committing yourself to it. Your kernel version is key.

Also, let me extend a Thank You to everyone who's worked to make nftables a reality! My favorite parts are atomic ruleset replacement and the ability to do 'log and drop' in one rule.

Edit: Added link to actual feature comparison
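As an added example (not from any commenter in this thread), a small home-firewall ruleset that exercises the two features mentioned above: loading a file that starts with `flush ruleset` through `nft -f` replaces the whole ruleset in one atomic transaction, and a single `log ... drop` rule does what iptables needs a LOG target plus a DROP rule for. The table, chain and set names, the admin addresses and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and addresses are assumed.

# Print the ruleset. Because the file begins with "flush ruleset", `nft -f`
# applies the flush and every rule below it as one transaction: either the
# whole new policy is in place or the old one is untouched, so there is no
# window during reload in which the firewall is half-applied.
print_ruleset() {
  cat <<'EOF'
flush ruleset

table inet filter {
    # Hosts allowed to reach SSH (assumed example addresses, RFC 5737 range).
    set admins {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        ip saddr @admins tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type echo-request accept

        # Log and drop in one rule: the log statement runs, then the
        # drop verdict ends processing, with no separate LOG rule.
        log prefix "nft-drop-input: " drop
    }
}
EOF
}

# Syntax-check the ruleset without changing anything (-c), then load it
# atomically. Requires root and the nft binary; returns nft's exit status.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  print_ruleset > "$tmp"
  nft -c -f "$tmp" && nft -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run `print_ruleset > /etc/nftables.conf` to inspect the file, and `apply_ruleset` as root to check and load it.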



Damn, it does not support NETMAP which I use on one of my machines. :( Maybe I could work around that though by rethinking how I rewrite the addresses. But either way I will start using nftables everywhere I can after upgrading to stretch.


Have you seen these examples yet? It's not the exact same but maybe you can use it to the same effect?

https://wiki.nftables.org/wiki-nftables/index.php/Maps


But that is nothing at all like NETMAP, unless I use a script to generate a map for all 65k addresses in the subnet. Maybe you are thinking of IP sets?



