After many years of iptables faithfully serving as the Linux firewall, things are no longer the same. The complexity of today's networks and the volume of data traffic have little in common with what they were 15 or 20 years ago. Among the new features in Debian Buster is nftables. It replaces iptables as the packet-filtering management framework, although we still have the option to keep using the latter if we wish. Likewise, nftables will gradually replace iptables in RHEL 8.

But we have to keep in mind that some options are not yet available in nftables because they are still under development.

Differences between iptables and nftables

One of the most noticeable differences is the syntax: in iptables, flags are preceded by one or two hyphens, whereas nftables uses a cleaner syntax inspired by tcpdump.

Multiple actions can be specified on a single line in nftables; with iptables we can only specify one action per rule.

In iptables, counters are always maintained for every table and every rule; in nftables, counters are optional and only enabled on the rules where you request them.

Distributions typically ship older versions of the Linux kernel for stability reasons. With the new nftables state machine it is not necessary to update the kernel to support a new protocol; updating the nft utility is enough.

It is not necessary to put a hyphen (-) or a double hyphen (--) in front of the flags.

Tables and chains are fully configurable in nftables. Unlike iptables, which only offers a predefined set of tables and chains, nftables lets you create your own tables and chains with their corresponding configuration.
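As an added example that is not part of the original article, here is a minimal host firewall written as an nftables ruleset that exercises the differences above: a user-defined table and chain, several actions on one line, and counters only where we ask for them. The table name host_fw, the chain name incoming and the allowed ports are assumptions; the iptables command each rule replaces is shown in the comment above it.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article): minimal host firewall as an nft ruleset.
# Names (host_fw, incoming) and the allowed ports are assumed for illustration.

flush ruleset

# User-defined table and chain names; iptables only has the built-in
# filter/nat/mangle tables and INPUT/OUTPUT/FORWARD chains.
# The "inet" family covers IPv4 and IPv6 in one table instead of
# maintaining iptables and ip6tables rules separately.
table inet host_fw {
    # Base chain attached to the input hook with a default-drop policy.
    # iptables: iptables -P INPUT DROP
    chain incoming {
        type filter hook input priority 0; policy drop;

        # iptables: iptables -A INPUT -i lo -j ACCEPT
        iif "lo" accept

        # iptables: iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # iptables: iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
        ct state invalid drop

        # Several actions on one line: count, log, then accept.
        # iptables needs two rules (-j LOG followed by -j ACCEPT) and counts
        # every rule whether you want it or not; here "counter" appears only
        # on the rules we actually want to measure.
        # iptables: iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh: "
        #           iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        tcp dport 22 counter log prefix "ssh: " accept

        # A set of ports in one rule, without the multiport extension.
        # iptables: iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
        tcp dport { 80, 443 } accept

        # iptables: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # No verdict here: the packet is counted, then dropped by the chain policy.
        counter comment "dropped by policy"
    }
}
```

Load it with `nft -f <file>` and inspect the per-rule counters with `nft list ruleset`; only the rules carrying `counter` report packet and byte totals.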

There are many more differences, and both improvements and shortcomings that come with ongoing development, but which one to use is up to each administrator.
