
This page is terribly written; it gives almost no information about why nftables is better than iptables. What features does it have? What can it do that iptables can't? The page can't be bothered to tell us.

Instead, all we get is a vague 'the system is more configurable than in iptables' and 'the syntax is much better than in iptables' (like what good is that to someone who already has iptables set up? The last thing people want to do is mess with firewall rules on a working system).

Yes, I know that Debian is FOSS and I can help improve it, but why introduce a whole new firewall system where the 'Moving from iptables to nftables' docs are pages and pages of shell commands? Wouldn't some kind of automated update, to help common use cases, be a sensible thing to include in such an update? (Maybe such a thing exists, but the page doesn't bother to tell me about any such thing).

Instead of going on about how to set up nftables from scratch, perhaps they should focus a little more on 'I have a system using your older recommended firewall, what do I need to do to keep things working?'
> Instead of going on about how to set up nftables from scratch, perhaps they should focus a little more on 'I have a system using your older recommended firewall, what do I need to do to keep things working?'

Because you don't need to do anything: you can continue to use iptables. Even in the future, when iptables is removed from the kernel, you can continue to use iptables syntax, since the iptables user-space program will simply start to output nftables (a.k.a. iptables will be a symbolic link to this: https://wiki.nftables.org/wiki-nftables/index.php/Moving_fro...). nftables is for people who are deploying new systems and want a sane configuration file instead of the iptables mess, and at the same time it offers improved error messages and better performance, while being more flexible.

So if you want, you can continue to use iptables for the future. No need to be snarky about OP.


That's good to know.

I think the author could have emphasised that more.

«Yes, nftables replaces iptables. You are highly encouraged to migrate from iptables to nftables.» sounds a bit too much like "expect iptables to stop working in another release or two".


It'd be useful if the page would tell users this!
