Ask HN: How to learn nftables? Is it extremely complicated, or is it just me?
7 points by profwalkstr on June 15, 2023 | 1 comment
I can understand and work well with firewalld, ufw and of course, iptables. I have a CCNA (Cisco network certification) so I know a thing or two about networking (although it's not my specialty).

I'm interested in migrating to nftables but find it impossible to learn. Even learning the Rust programming language is a walk in the park compared to learning nftables.

A lot of people say that nftables syntax is easier than iptables. I can't understand how anyone could say that. To me, iptables syntax is a lot easier, logical, simple to understand. Nftables syntax on the other hand seems like an alien language with alien grammar. It's very hard to understand and comprehend its logic.

I've tried the Arch Wiki, the Gentoo Wiki, the manpages and of course the official nftables wiki. I only get more confused the more I try to understand the nftables "language".

Is there a resource like "Nftables for Dummies"?

If you know the nftables language and can work well with it, how did you learn it? Or is the way most people use it to write iptables rules and use that tool to "translate" them to nftables? Does anyone actually understand and master the nftables language?

I think you're overthinking it. Nftables may look more complicated at first, but once you start using it, you'll find it's much easier to maintain firewall rulesets with nftables than iptables.

If you want to learn it, go through the exercise of building out a ruleset by hand. Take the iptables ruleset of some server with which you're familiar (or use the Arch wiki's example iptables firewall [1] if you don't have a good example at hand), and convert it line by line to nftables. Look in the nftables docs for an equivalent of each iptables line (you're looking in all the right places for documentation -- nftables' own wiki has lots of good information, as do the Arch and Gentoo wikis).

When you install nftables, many distros will include a small starter config file at `/etc/nftables.conf` or `/etc/sysconfig/nftables.conf`. Add rules to that file, and run `sudo nft -f /etc/nftables.conf` (or `sudo nft -f /etc/sysconfig/nftables.conf`) after each change to replace your old ruleset with your updated version. The `nft` command will check your syntax before applying the new ruleset, and if there's an error, it will instead abort and show you an error message that points to the problem line.

Then use `sudo nft list ruleset` to view your current ruleset -- you'll notice some cases where nftables has re-written your rules to use the canonical form of the rule (or substituted a constant for a standard value etc).

You can use the `iptables-translate` tool if you get stuck, but it won't really help you learn anything -- just as running some tool that generates a bunch of Rust code won't help you learn Rust. If you want to learn Rust, you have to write Rust code -- and if you want to learn nftables, you have to write nftables rulesets.

[1] https://wiki.archlinux.org/title/Simple_stateful_firewall
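A worked example of the exercise the comment above describes, added here and not part of the thread or of any distro's shipped config: a small stateful host firewall written by hand in nftables, with the iptables line each rule replaces in a comment directly above it. The listening services (SSH, HTTP, HTTPS), the interpreter path in the first line, the use of a single `inet` table for both IPv4 and IPv6, and the choice of `admin-prohibited` as the catch-all reject type are assumptions made for the illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread: a hand-written stateful host firewall.
# Each rule is preceded by the iptables line it replaces. The `inet` family
# covers IPv4 and IPv6 in one table, so no separate ip6tables rules are needed.
# Assumed: the host serves SSH, HTTP and HTTPS and nothing else.

# Start from a clean slate. nft -f applies the whole file as one transaction,
# so a syntax error anywhere leaves the previous ruleset untouched.
flush ruleset

table inet filter {
    chain input {
        # iptables -P INPUT DROP
        type filter hook input priority 0; policy drop;

        # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
        ct state invalid drop

        # iptables -A INPUT -i lo -j ACCEPT
        iif lo accept

        # iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
        icmp type echo-request ct state new accept

        # ip6tables -A INPUT -p ipv6-icmp -j ACCEPT, narrowed to the types a host needs
        # (ping plus neighbour/router discovery); braces denote an anonymous set.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
        # The anonymous set replaces the multiport match (assumed service list).
        tcp dport { 22, 80, 443 } ct state new accept

        # iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
        # icmpx picks the ICMP or ICMPv6 message that matches the packet's family.
        meta l4proto udp reject with icmpx type port-unreachable

        # iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        meta l4proto tcp reject with tcp reset

        # iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
        reject with icmpx type admin-prohibited
    }

    chain forward {
        # iptables -P FORWARD DROP
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # iptables -P OUTPUT ACCEPT
        type filter hook output priority 0; policy accept;
    }
}
```

Save it as `/etc/nftables.conf`, run `sudo nft -c -f /etc/nftables.conf` to parse and validate the file without applying it, then `sudo nft -f /etc/nftables.conf` to load it and `sudo nft list ruleset` to see how nft prints the rules back in its canonical form. Because the file begins with `flush ruleset` and the input policy is `drop`, do the first load from a console or a second session you can afford to lose: an existing SSH session survives the reload only because the `established,related` rule is present and conntrack entries are not flushed, so a typo in that rule locks you out.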