I've now used Linux nftables for firewall rules and it went okay
For a long time, Linux has perhaps been in a transition from the
venerable iptables to nftables. I
haven't been terribly enthused about nftables in the past (the
last time I considered it I was persuaded to take a different path) for an assortment of reasons. My recent
use of nftables wasn't because I've changed my spots; instead, it's
because Ubuntu 22.04 has chosen to make nftables the native interface.
If you install a stock 22.04 server, you'll get a system where the
iptables binary is actually a compatibility shim that sets up
nftables rules. When I had to do some new firewall stuff on an
Ubuntu 22.04 machine recently, I decided that I'd try nftables
through its native interface.
The experience wasn't entirely smooth sailing. Nftables does a number of things differently than iptables, so you have to learn its terminology and rules format, and understand its approach to things. Since I've only dipped into nftables, I have at best a sliver of understanding of the proper nftables way, basically just enough to write some simple firewall rules that worked when I tested them. Depending on your perspective, it's either good or bad that I could actually do this without having to really learn nftables.
(On the one hand, I got things working without too much effort. On the other hand, a lack of true understanding can easily lead to firewall rules that have holes and issues you don't expect.)
Although nftables can be used interactively in a way that's like iptables, I chose to use it in a way more like OpenBSD's pf, where I wrote and modified my rules in /etc/nftables.conf and then reloaded the entire collection of everything with 'nft -f'. This experience is much better than the traditional iptables approach, where the 'load from file' and 'save to file' operations have the feel of a hack rather than a designed format, and where it can be easier to automate your rule setup with a script than to use them.
Some of our other Ubuntu 22.04 systems have existing iptables based
rules (carried forward from their 18.04 versions). So far these all
appear to work correctly, including some iptables rules that use
ipsets. We're likely going to keep them using the iptables
compatibility shim rather than trying to convert them to nftables; we're familiar with
iptables, the rules (still) work, and we wouldn't get much if we did.
(We have some situations where we add and remove firewall rules on the fly, instead of using a static set of them. This doesn't fit well into the nftables.conf approach, so if we did a native conversion we'd have to try to figure out how to integrate static rules, ideally set up through nftables.conf, and dynamic rules added on top of them.)
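As an added illustration (not the author's actual configuration, and not anything shipped by Ubuntu's nftables package), here is what a small /etc/nftables.conf of the kind described above can look like, written to be reloaded whole with 'nft -f'. It also shows the nftables feature most relevant to the dynamic-rules question, a named set whose members can be added and removed at runtime without touching the rest of the file. The network 192.0.2.0/24, the pre-blocked range 198.51.100.0/24 and the address 203.0.113.7 used below are RFC 5737 documentation placeholders, and the open ports are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example configuration, not the post's real file.
# Assumes: SSH open to everyone, HTTP/HTTPS open only to a
# hypothetical local network (placeholder range 192.0.2.0/24).

# Start from nothing, so this file is the whole truth about the
# firewall. Note that this also discards anything added on the fly
# since the last reload (see the note below the example).
flush ruleset

# Variables are plain nft syntax; this one is an assumed placeholder.
define lan = 192.0.2.0/24

table inet filter {
    # A named set that can be changed at runtime with
    # 'nft add element' / 'nft delete element' while the rules that
    # reference it stay in the static file.
    set blocked {
        type ipv4_addr
        flags interval
        # constructed placeholder entry (documentation range)
        elements = { 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Reject blocked sources before anything else is considered.
        ip saddr @blocked drop

        # Replies to our own connections, and loopback traffic.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Keep ICMP working (path MTU discovery, IPv6 neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # Services: SSH from anywhere, web only from the assumed LAN.
        tcp dport 22 accept
        ip saddr $lan tcp dport { 80, 443 } accept

        # Rate-limited log of what the default policy is about to drop.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host does not route, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

To use it, check the file without touching the live rules with 'nft -c -f /etc/nftables.conf', load it with 'nft -f /etc/nftables.conf' (on Debian and Ubuntu the nftables.service unit does the same at boot), and inspect the result with 'nft list ruleset'. A runtime block is then 'nft add element inet filter blocked { 203.0.113.7 }', and 'nft delete element inet filter blocked { 203.0.113.7 }' lifts it. The caveat that matters for mixing static and dynamic rules is the 'flush ruleset' at the top: every 'nft -f' reload wipes runtime additions such as set elements or extra tables along with everything else. If dynamic state has to survive reloads, one approach is to keep it in a table of its own and flush only the static table when reloading, rather than the whole ruleset.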