Author: Marjorie Roome
Date:  
To: dng
Subject: Re: [DNG] my experience upgrading to NFT
On Fri, 2020-07-31 at 18:44 -0700, Thomas Groman via Dng wrote:
> I upgraded one of my larger and more complex servers from ASCII to
> Beowulf. Switching to NFT was very easy after the upgrade. Just
> create the rules (have a flush at the beginning), remove the
> iptables if-pre-up hook if you made one, copy the example init script
> from /usr/share/doc/nftables/example, set it executable, and rc-update
> add nftables default. Then openrc to bring the system to the
> newly defined default runlevel.
>

While it clearly worked for you with openrc, it is broken on sysvinit, as
the example /usr/share/doc/nftables/examples/sysvinit/nftables.init has
this:

# Default-Start:
# Default-Stop:      0 1 2 3 4 5 6


in the LSB header, not the required:

# Default-Start:    S
# Default-Stop:     0 1 6


On 2020-08-02 17:00, Hendrik Boom wrote:
> What is NFT?
>

It stands for Net Filter Tables. It handles more than iptables (also
ip6tables, arptables and ebtables) and it's been developed by the Net
Filter team, hence the name. The binary is also nft.

It is obviously coming in very slowly (it's been around for at least 5
years). And users are still translating it back to iptables syntax
using iptables-legacy.

Beowulf still installs with iptables. Buster uses nftables.

Firewalld can use nftables as a backend. UFW can't.

--
Marjorie
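An added example, not part of this thread: a small POSIX shell check that reads the LSB header of an init script and flags an empty Default-Start, which is exactly the defect described above (the firewall script is installed but never scheduled to start at boot). The two header samples are constructed from the snippets quoted in the mail; the function names are my own.

```shell
#!/bin/sh
# Added example: detect an init script whose LSB header has an empty
# Default-Start, so sysvinit never starts it and no firewall is loaded.

# Print the value of one "# Key:" field from the LSB header block
# (### BEGIN INIT INFO ... ### END INIT INFO) of the script on stdin.
lsb_field() {
    # $1 = field name, e.g. Default-Start
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' |
        sed -n "s/^# $1:[[:space:]]*//p" | head -n 1
}

# Return 0 if the script file $1 is scheduled to start in some runlevel,
# 1 if Default-Start is empty or missing (service silently never starts).
check_default_start() {
    start=$(lsb_field Default-Start < "$1")
    start=$(printf '%s' "$start" | tr -d '[:space:]')
    [ -n "$start" ]
}

# Constructed sample headers: the broken one shipped in the example
# script and the corrected one from the mail above.
BROKEN_HEADER='### BEGIN INIT INFO
# Provides:          nftables
# Default-Start:
# Default-Stop:      0 1 2 3 4 5 6
### END INIT INFO'

FIXED_HEADER='### BEGIN INIT INFO
# Provides:          nftables
# Default-Start:     S
# Default-Stop:      0 1 6
### END INIT INFO'

broken=$(mktemp); fixed=$(mktemp)
printf '%s\n' "$BROKEN_HEADER" > "$broken"
printf '%s\n' "$FIXED_HEADER" > "$fixed"

for f in "$broken" "$fixed"; do
    if check_default_start "$f"; then
        echo "$f: Default-Start='$(lsb_field Default-Start < "$f")' (starts at boot)"
    else
        echo "$f: Default-Start is empty, service will never start at boot"
    fi
done
rm -f "$broken" "$fixed"
```

Run it against /etc/init.d/nftables after copying the example script to confirm the header was corrected before relying on the firewall coming up at boot.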