Not much different. FreeBSD's pf is a port of OpenBSD's pf, and nftables are heavily influenced by them.
replyAt this point I rather doubt the sanity of people still sticking to iptables tbh.
So there is approximately one concept of "packet filter done right". UI madness is on UI authors.
The primary reason I stick to iptables instead of nft is that I already learned iptables decades ago, and some software I interact with still defaults to iptables and/or does not have full support for nft.
replyWhy do you doubt the sanity of people sticking to iptables? What makes nft compelling?
My main reason is that nft applies configs atomically. It also has very good tracing/debugging features for figuring out how and why things aren't working as expected.
replyThat said, I think many distros are shipping `iptables` as the wrapper/compatibility layer over nft now anyways.
as somebody that's not a network engineer by day and has barely grokked iptables, could you recommend some resources for learning nftables ?
replyThere is iptables-nft, which is iptables with an NFT backend.
reply> nftables are heavily influenced by them
replyAre they? I recently had to learn nftables and they seem to be iptables but with a slightly nicer syntax and without pre-defined chains. But otherwise, nftables directly maps to iptables and neither of them seem similar to pf.