---
slug: nftables-sitrep
title: "Nftables Sitrep"
date: "2021-10-20T01:39:11-04:00"
---

In April I decided to switch the firewalls for my laptop and a couple of servers from [`iptables`][iptables] to [`nft` and nftables][nft]. After several months of use I can report that the experience has been positive.

Pros:

* Simple declarative configuration file. No more hacky shell scripts.
* Atomic (all or nothing) ruleset changes.
* Faster ruleset changes.
* Built-in [JSON][] support.

Cons:

* Occasionally finicky parser.
* Remapping IP ranges can be more verbose than [iptables][].

The details are a bit long for a blog post (even for me!), so they are available as a [separate "Nftables Examples" article][nftables-examples] instead.

[iptables]: https://en.wikipedia.org/wiki/Iptables "iptables command-line Linux firewall tool"
[nft]: https://en.wikipedia.org/wiki/Nftables "nft command-line tool and nftables Linux firewall subsystem"
[wireguard]: https://wireguard.com/ "Wireguard VPN"
[json]: https://json.org/ "JavaScript Object Notation"
[nftables-examples]: {{< relref "/articles/nftables-examples.md" >}} "Example nftable laptop and server configs"