I haven’t taken the jump to nftables, I’m just used to iptables and what it can do (like limit / burst stuff, which pf has). I haven’t tried some of the advanced options with pf on the CLI yet. But what I love about it is the man pages, especially the examples (like most of the BSD man pages, linux man pages are always inferior to bsd ones).
It has similar group rules like iptables (I hated them on iptables, but they are straight forward and more readable in pf conf). The only thing that you have to keep in mind is that pf will go through all the rules and match the last rule, meaning that it’s the opposite of iptables, where the first matched gets applied. There is the “quick” flag to match it immediately, but I’d not use it. Just need to remember that the last rule matched will apply, meaning that your order should be something like:
- Block 192.168.1.0/24
- Allow 192.168.1.2
For linux, it’s in reverse, because the first match for the ip 1.2 would be that block for the subnet.
I can’t really give a fair comparison with nftables though, since I’ve never used it. The code size is certainly one thing, but most of all, I have a big trust in the OpenBSD project and everything that comes out of it (like pf, OpenSSH, OpenSMTPD, smapd, OpenBGP, LibreSSL, CARP, doas, OpenNTPD and others). I’m using some of the openbsd software on linux and the only reason I don’t switch over to openbsd on all my servers is that I really got into low power computing. My homelab is almost exclusively aarch64. When I can getaway with it, I run linux containers, when not, I’m planning on deploying a firecracker hypervisor for minimalist virtualization (microVMs seem the way forward, but only linux can run in microvms AFAIK).
Highly doubt it. That’s not because they don’t have some talented staff (depending on which company we’re talking about), but because in a MSP organization, the biggest challenge is changing things. I work for a company selling software to a lot of MSPs and getting them to even upgrade EOL software is hard enough, because they have so many customers that they need to organize with, I can’t imagine having them change to a CLI and have to train their staff to use the CLI, unless they get a really big benefit from it.
Well, some proprietary offerings from different vendors, like switches, routers and firewalls for example, all have ways to configure their appliances both on a GUI and via CLI. Cisco comes to mind first, but HPE, Dell EMC, Huawei and Zyxel, all have two ways of configuring their boxes. Certain servers, like HPE may come with support for things like SLES or RHEL and if you buy them with support, they generally come with a GUI preinstalled (so you can use either the GNOME Network Manager and whatever else in RHEL, or YaST GUI in SLES). I prefer not having to deal with GUIs, but that’s just me.
However, MSPs like having GUIs, which makes newcomers learn faster how to use some systems. But when it comes to troubleshooting, there are a few people here and there who, because they don’t know the basics, don’t know how to read logs and it’s my job to fix stuff for them.