add content/posts/2021-10-20-nftables-sitrep.md and content/articles/nftables-examples.md

1 files changed, 36 insertions, 0 deletions

diff --git a/content/posts/2021-10-20-nftables-sitrep.md b/content/posts/2021-10-20-nftables-sitrep.md
new file mode 100644
index 0000000..17b421c
--- /dev/null
+++ b/content/posts/2021-10-20-nftables-sitrep.md
@@ -0,0 +1,36 @@
+---
+slug: nftables-sitrep
+title: "Nftables Sitrep"
+date: "2021-10-20T01:39:11-04:00"
+---
+In April I decided to switch the firewalls for my laptop and a couple of
+servers from [`iptables`][iptables] to [`nft` and nftables][nft].
+
+After several months of use I can report that the experience has been
+positive.
+
+Pros:
+* Simple declarative configuration file.  No more hacky shell scripts.
+* Atomic (all or nothing) ruleset changes.
+* Faster ruleset changes.
+* Built-in [JSON][] support.
+
+Cons:
+* Occasionally finicky parser.
+* Remapping IP ranges can be more verbose than [iptables][].
+
+The detauls are a bit long for a blog post (even for me!), so they are
+available as a [separate "Nftables Examples" article][nftables-examples]
+instead.
+
+
+[iptables]: https://en.wikipedia.org/wiki/Iptables
+  "iptables command-line Linux firewall tool"
+[nft]: https://en.wikipedia.org/wiki/Nftables
+  "nft command-line tool and nftables Linux firewall subsystem"
+[wireguard]: https://wireguard.com/
+  "Wireguard VPN"
+[json]: https://json.org/
+  "JavaScript Object Notation"
+[nftables-examples]: {{< relref "/articles/nftables-examples.md" >}}
+  "Example nftable laptop and server configs"