Nftables reaches 1.0
Posted Aug 28, 2021 6:47 UTC (Sat) by wtarreau (subscriber, #51152)
In reply to: Nftables reaches 1.0 by jkingweb
Parent article: Nftables reaches 1.0
The really nice thing compared to iptables is the instant and atomic load of the rules. No more situation where the nat table loads while the filter table fails etc. And the ability to define objects supporting lists about everywhere (ports, hosts etc) is great. I used to do that using scripts requiring a more complex language to automatically produce iterations. Now it is natural in the config language.
What still really annoys me is the lack of command-line help. I promised Pablo I would some day send him a patch for this but still failed to find sufficient time to work on it. Having to go to the wiki to figure out you need to type "nft list rulesets" after not having used it for 2 months is pretty annoying, especially when you've been used to "iptables -h" providing very detailed syntax information. But this minor user-interface aspect aside, nftables is a great technology that is far closer to the spirit of traffic filtering than ipfwadm, ipchains or iptables could be, making it extremely user-friendly.
It's difficult to adopt it, but it's really worth it. Most of the effort is to convert the existing config. I would strongly encourage new firewall deployments to start with nftables, as it will be much easier than iptables for the first setup, and will not require any conversion.
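The two points wtarreau makes, atomic loading of the whole policy and named sets in place of script-generated rule iterations, are illustrated by the ruleset below. It is an added example written for this page, not code from the comment or from the nftables project; the interface names, the set contents and the addresses (taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added illustration, not from the comment or the nftables project.
# Everything in this file is submitted to the kernel as one transaction:
# `nft -f` either applies all of it or none of it.

# Starting with `flush ruleset` makes a reload replace the previous policy
# inside the same transaction, so there is no window with a half-loaded
# ruleset (the old iptables "nat loaded, filter failed" situation).
flush ruleset

# Hypothetical interface names, assumed for the example.
define lan_if = "eth1"
define wan_if = "eth0"

table inet filter {
    # Named sets replace the shell loops that used to emit one rule per
    # element; a rule that references the set matches every member.
    set admin_tcp_ports {
        type inet_service
        elements = { 22, 443 }
    }

    set management_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.5 }   # constructed sample values
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept

        # One rule covers every host/port combination held in the two sets.
        ip saddr @management_hosts tcp dport @admin_tcp_ports accept

        # Rate-limited logging of what the default policy drops, so the
        # policy can be tuned from the logs rather than by guesswork.
        limit rate 10/minute log prefix "nft-input-drop: "
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        iifname $lan_if oifname $wan_if accept
    }
}

# The nat table is part of the same file, so it cannot load while the
# filter table above fails: a syntax error anywhere rejects the whole
# transaction and the kernel keeps the previously active ruleset.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        oifname $wan_if masquerade
    }
}
```

Parsing can be checked without touching the kernel state with `nft -c -f <file>` (the `--check` dry run); `nft -f <file>` then commits the ruleset atomically, and `nft list ruleset` (singular) prints what is currently active. Because the file begins with `flush ruleset`, running `nft -f` a second time with an edited copy swaps the policy in one step rather than appending to it.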
Posted Aug 29, 2021 3:59 UTC (Sun) by josh (subscriber, #17465)
But I do wish the documentation was much better, especially the documentation for the kernel-to-userspace interfaces.
