| HN Mirror

My understanding is that nftables and iptables+ip6tables+arptables+ebtables are for exactly the same set of use cases, with the latter being deprecated in favor of the former as the new replacement.

RHEL 8 uses the nftables back end for firewalld by default.

The main difference that I have noticed is that writing configuration files for nftables is considerably more ergonomic than the iptables files which are essentially just unstructured lists of iptables commands.

Generally things like UFW or firewalld are sufficient for host firewalls, but they fall short for routing applications where it is more appropriate to use nftables (or historically, iptables) directly.

Kubernetes and docker both currently use iptables for their routing and will likely migrate to nftables. If/then those projects migrate to nftables I suspect it would also solve the issue where docker port mappings have the ability to unilaterally punch holes in host firewalls, e.g., UFW, because under nftables, tables are just namespaces for chains (with configurable priority) while on iptables the different tables meant specific things and docker made decisions in a branch off of the PREROUTING chain in the nat table, which was encountered before the FORWARD or INPUT chains on the filter table. In this way nftables makes certain expressions more ergonomic than iptables.