Wesley wrote:
> We have several Debian servers, all running iptables. On average each has 200
> rules, mostly deny rules. From a best practice perspective, do we need to
> upgrade to nftables?
iptables is currently implemented in terms of nftables. While it is possible that someday that interface will be removed, you don't need to do anything until you see that day arriving.

200 is a lot for a human to manage. You may be able to simplify your iptables rules by taking advantage of ipset for large numbers of IPs (hash:ip) or ports (bitmap:port) that need similar treatment. That's available in nftables as well.

-dsr-
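An added example to go with the reply above (not code from the thread): it takes a constructed blocklist of addresses and a constructed list of TCP ports and generates, first, an `ipset restore` file plus the two iptables rules that replace the whole list, and second, the equivalent native nftables ruleset with named sets. It uses hash:net rather than the hash:ip type named in the reply so that CIDR prefixes are accepted; the set names badhosts/badports and every address and port are made up for illustration. The script only writes rule files; loading them requires root and is left to the operator.

```shell
#!/bin/sh
# Added example, not from the original thread: collapse many per-address and
# per-port DROP rules into one ipset-backed iptables rule each, and emit the
# equivalent nftables ruleset. It only generates files; loading them
# (ipset restore, iptables, nft -f) needs root and is left to the operator.
# Set names (badhosts, badports) and all addresses/ports are constructed.

# Constructed sample blocklist, one entry per line, CIDR allowed.
BLOCKLIST='203.0.113.10
203.0.113.11
198.51.100.0/24'

# Constructed sample of TCP destination ports to drop.
BLOCKPORTS='23 135 139 445'

# Number of individual iptables DROP rules the address list would otherwise need.
rules_replaced() {
    printf '%s\n' "$BLOCKLIST" | grep -c .
}

# `ipset restore` input. hash:net is used instead of hash:ip so that CIDR
# entries are accepted; bitmap:port covers the whole 0-65535 range cheaply.
gen_ipset() {
    printf 'create badhosts hash:net family inet -exist\n'
    printf 'flush badhosts\n'
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r net; do
        [ -n "$net" ] && printf 'add badhosts %s\n' "$net"
    done
    printf 'create badports bitmap:port range 0-65535 -exist\n'
    printf 'flush badports\n'
    for p in $BLOCKPORTS; do
        printf 'add badports %s\n' "$p"
    done
}

# Two iptables rules replace the whole list; the set match does the lookup.
gen_iptables() {
    printf 'iptables -A INPUT -m set --match-set badhosts src -j DROP\n'
    printf 'iptables -A INPUT -p tcp -m set --match-set badports dst -j DROP\n'
}

# Same policy as a native nftables ruleset for `nft -f`: named sets replace
# the ipsets, and `flags interval` lets the address set hold prefixes.
gen_nft() {
    hosts=$(printf '%s\n' "$BLOCKLIST" | grep . | paste -s -d , - | sed 's/,/, /g')
    ports=$(printf '%s\n' $BLOCKPORTS | paste -s -d , - | sed 's/,/, /g')
    printf 'table inet filter {\n'
    printf '  set badhosts {\n    type ipv4_addr\n    flags interval\n'
    printf '    elements = { %s }\n  }\n' "$hosts"
    printf '  set badports {\n    type inet_service\n'
    printf '    elements = { %s }\n  }\n' "$ports"
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    ip saddr @badhosts drop\n'
    printf '    tcp dport @badports drop\n'
    printf '  }\n}\n'
}

# Usage: sh thisscript.sh OUTDIR
# Review the generated files, then load as root with either
#   ipset restore < OUTDIR/badsets.ipset && sh OUTDIR/iptables-rules.sh
# or
#   nft -f OUTDIR/filter.nft
if [ $# -eq 1 ]; then
    mkdir -p "$1"
    gen_ipset    > "$1/badsets.ipset"
    gen_iptables > "$1/iptables-rules.sh"
    gen_nft      > "$1/filter.nft"
    echo "replaced $(rules_replaced) address rules with 1 set-based rule"
fi
```

Adding an address later is a single `ipset add badhosts ...` or `nft add element inet filter badhosts { ... }` rather than a new rule inserted at the right position, which is the point of moving the list out of the rule chain.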