Kamil Jońca wrote:
> "Alexander V. Makartsev" <[email protected]> writes:
>
> > [...]
> >
> > There is also a new kid around called "nft" which should replace
> > iptables, but its syntax is super weird and non-intuitive for me, so I
> > consider it a downgrade.
>
> I disagree. I was a happy iptables user and some time ago I migrated my
> rules to nftables. Indeed this is no 1-1 migration, you have to rethink
> your rules, but IMO this is more comfortable.
> The main difference (IMO) is that most of your dynamic logic should go to
> sets, not to the rules themselves.
It is also true that iptables was re-implemented as a front-end to nft in a previous Debian Stable release, so if you don't want any of the new nft features, you can continue using iptables as-is.

-dsr-
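The point quoted above about putting dynamic logic into sets, shown as an added example that is not part of the thread: the rules stay fixed and only set membership changes at runtime. The table, chain and set names and the addresses (documentation ranges) are assumptions chosen for illustration.

```nft
# Constructed example ruleset; load with: nft -f <file>
table inet filter {
    # Admin sources allowed to reach SSH. "flags interval" permits CIDR ranges.
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Temporary blocklist. Entries expire on their own after the timeout,
    # so no rule ever has to be deleted to lift a block.
    set blocked {
        type ipv4_addr
        flags timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Two static rules cover every address the sets will ever hold.
        ip saddr @blocked drop
        tcp dport 22 ip saddr @ssh_allowed accept
    }
}

# Runtime changes touch only the sets, never the chain:
#   nft add element inet filter ssh_allowed '{ 203.0.113.5 }'
#   nft delete element inet filter ssh_allowed '{ 198.51.100.7 }'
#   nft add element inet filter blocked '{ 203.0.113.9 timeout 10m }'
#   nft list set inet filter blocked
```

With iptables the equivalent changes would mean inserting and deleting one rule per address (or pairing the rules with ipset); here the chain can be reviewed once and left alone.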

