I want to git gud at nftables, but the official wiki and every tutorial out there expects you to be an expert in the legacy Linux utility, iptables. :meow-tableflip:

Edit: Also lots of fine web tools and APIs with outdated or miserable docs. No excuse. Good documentation may unironically be my passion.

  • Shinji_Ikari [he/him]
    1 year ago

    This one doesn't seem referential to iptables.

    It seems like you'd be better off learning what you want the tool to do, then learning how to do that in the tool, rather than learning the concept tied with the tool.

    • TankieTanuki [he/him]
      1 year ago

      That was one of the better tutorials I found.

      I have this OCD thing where I don't like using a tool that I don't fully understand---even if it's working perfectly for me at the moment. I'm afraid I'll overlook something in my ignorance and get ransomwared. I worry that the blogs or wikis I copy configurations from are flawed.

      • TheCaconym [any]
        1 year ago

        I have this OCD thing where I don’t like using a tool that I don’t fully understand—even if it’s working perfectly for me at the moment

        I don't know if it's an "OCD thing" or not but I can definitely tell you this: it's a good thing and the absolute best way to become an expert at this.

      • Shinji_Ikari [he/him]
        1 year ago

        That's exactly why I suggest "identifying what [you] want to do" and learning how that works on a networking level; in this case you want to set up firewalls. Then learn the tool, figure out what each command does from the man pages, play around, test it out, etc.

  • LGOrcStreetSamurai [he/him]
    1 year ago

    Having good documentation is fantastic. However, I feel like people undervalue it because so much of it is bad, because so many people undervalue it.

  • blobjim [he/him]
    1 year ago

    On the other hand, it's amazing how much nicer to use nftables is than iptables, with the confusing-as-hell predefined table thingies Linux had.

    Also the nftables syntax is amazing and no command line tool should use "--" flags ever again. The syntax is basically like a programming language (I think it's parsed using recursive descent) instead of a weird flag based state machine like every other command line tool. Kinda similar to iproute2.

    But I agree Linux (and lots of open source software) tools have awful documentation. There probably aren't even well-known examples to look at. You basically have to read the source code or something.

    • neo [he/him]
      1 year ago

      Not to mention that an entire ruleset can be applied atomically, preventing a situation where rules are half-configured and broken. By that same token, you can also just flush an entire ruleset and revert the firewall state to as if nothing was changed. It's so good.
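
      An added example (not something posted in this thread) of the atomic behaviour neo describes: a ruleset file that opens with `flush ruleset` and defines a default-deny `inet filter` table, checked with `nft -c -f` and then loaded with `nft -f`, so the kernel either commits the whole file or leaves the old rules untouched. The chain contents, the `/tmp/demo.nft` path and the SSH port are constructed for the demo; `build_ruleset` only emits text, while `apply_ruleset` and `revert_ruleset` need root and the `nft` binary.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an nftables ruleset whose first
# statement is "flush ruleset": when loaded with `nft -f`, the flush and the
# new table are one transaction, so a syntax error anywhere in the file means
# nothing changes. Rule contents are constructed for the demo.
build_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
# Replace whatever is loaded right now, all in one commit.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 ct state new accept   # demo: keep SSH reachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the file, syntax-check it without touching the kernel (-c), then
# apply it atomically. Returns 2 if nft is not installed, 1 if the check fails.
apply_ruleset() {
  file="${1:-/tmp/demo.nft}"          # constructed path
  build_ruleset > "$file"
  command -v nft >/dev/null 2>&1 || { echo "nft not installed; wrote $file only" >&2; return 2; }
  nft -c -f "$file" || return 1
  nft -f "$file"
}

# Revert: a single flush takes the kernel back to having no tables at all.
revert_ruleset() {
  command -v nft >/dev/null 2>&1 || return 2
  nft flush ruleset
}
```

      Running `nft -c -f` first is the habit worth keeping: it catches the typo before the load, and because the load itself is one transaction, there is never a window where the old rules are gone and the new ones are half in place.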

  • simplefluorine [he/him]
    1 year ago

    Ah yeah, it really sucks. I do a lot of copy and paste for the same reason. If you find a better resource, lmk.

  • enkifish [any]
    1 year ago

    Honest to god, I've used one of the BSDs for years because Linux's documentation is trash. Only switched due to hardware support.

  • neo [he/him]
    1 year ago

    The nftables docs are kind of thin, and there is an expectation that you are iptables-familiar, it's true.

    But if you don't have the preexisting condition called iptables-brain, then nftables is such a breath of fresh air by comparison, and in my limited experience it is much more comfortable to work with.