On Thu, 01 Feb 2024 07:06:08 +0100 "Kevin P. Fleming" <lists.netfilter@xxxxxxxxxxxxx> wrote:

> On Wed, Jan 31, 2024, at 23:10, Kerin Millar wrote:
> > This has also annoyed me on several occasions. Though I have been using
> > nftables for a fairly long time, I still find it more natural to
> > organise rulesets based on the conventions of iptables. Old habits die
> > hard, as the saying goes. Incidentally, there is an open bug concerning
> > this.
>
> When I switched to nftables last year (after having used iptables since it was created), I was tempted to do the same, but forced myself to rethink my table structures.
>
> In the end I landed on using address family 'inet' for all filtering, 'ip' for NAT, and both 'ip' and 'ip6' for netdev (because those rules are entirely about matching addresses). This does mean that my 'inet' table contains many seemingly-duplicate rules, but I don't really care since the result is so much cleaner and easier to understand than it was with iptables. Also my nftables rules are machine-generated so that's not visible at the layer where I do admin work :)

I ended up using fewer tables, while naming several chains so as to incorporate a faux namespace, e.g. "nat/PREROUTING". It works well enough but I cannot say that I have come to like it.

-- 
Kerin Millar
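The two layouts discussed in this thread, written out as an added nftables ruleset for illustration; this is not either poster's configuration. It combines Kevin's split (one 'inet' table for all filtering, an 'ip' table for NAT, netdev ingress rules kept per address family because they match on addresses) with Kerin's iptables-style chain names such as "nat/PREROUTING". Interface names and addresses are constructed placeholders. The security point of the 'inet' family is that a single chain hooks both IPv4 and IPv6, so an IPv6 path is not left unfiltered by forgetting to mirror a rule into a separate 'ip6' table; the only rules that still appear twice are the ones whose match is inherently protocol-specific (ICMP vs ICMPv6, IPv4 vs IPv6 address sets).

```nft
#!/usr/sbin/nft -f
flush ruleset

# All filtering in one 'inet' table: each chain sees IPv4 and IPv6 packets,
# so the default-drop policy covers both families with no mirrored table.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The "seemingly duplicate" rules: the match itself differs per family.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT is IPv4-only here, so it lives in an 'ip' table. Chain names carry the
# iptables-style faux namespace from the thread; nft accepts quoted names.
table ip nat {
    chain "nat/PREROUTING" {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth0" tcp dport 80 dnat to 192.0.2.10   # constructed example address
    }
    chain "nat/POSTROUTING" {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth0" masquerade
    }
}

# netdev ingress rules match on addresses, so IPv4 and IPv6 entries are kept
# in separate sets and rules rather than merged. Addresses are placeholders.
table netdev ingress {
    set blocked4 { type ipv4_addr; flags interval; elements = { 198.51.100.0/24 } }
    set blocked6 { type ipv6_addr; flags interval; elements = { 2001:db8:bad::/48 } }

    chain "filter/INGRESS" {
        type filter hook ingress device "eth0" priority -500; policy accept;
        ip saddr @blocked4 drop
        ip6 saddr @blocked6 drop
    }
}
```

Load it with `nft -f <file>` and review the result with `nft list ruleset`; because the 'inet' chains hook both families, checking that an IPv6 packet hits the same default-drop policy as an IPv4 one is a matter of reading a single chain rather than diffing two tables.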