Let's talk about firewall4 (default nftables firewall)

My three pet gripes:

  1. Make iptables-nft the default instead of the ludicrous iptables-zzz-legacy for when a package has iptables as a dependency. The current situation breaks all sorts of things. It is almost as if the legacy version was made the default just out of spite for all the people in favour of the migration to nftables.

  2. Sort out the silly situation with "ipsets". The ipset package was an extension to iptables to support sets of IP addresses.
    Nftables has its own native handling of sets (nftsets) that is more powerful as it supports generalised sets and not just IP addresses.
    But fw4 has pretend ipsets to emulate the legacy ipset package and hide nftsets, even going to the lengths of messing with compile and config options of dnsmasq to make the deception work. It is a mess! Even worse, if a package wants to set up dnsmasq to populate an nftset, it has to go with the convoluted ipsets emulation, whereas on every other Linux distro it just sets up standard dnsmasq nftset support... So, once again, it is almost as if this was done to spite those in favour of the migration to nftables... A cynical view, I know, but it is borne out of frustration.

  3. All packages that use iptables should be deprecated and the maintainers put on notice that the packages will be removed on the next major release unless migrated. It has been years now and there has been little or no migration effort done on these old legacy packages.
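For readers who have only seen the fw4 `config ipset` emulation, here is what the "standard dnsmasq nftset support" referred to in point 2 looks like on a generic Linux box. This is an added, standalone illustration, not part of the post and not fw4's generated ruleset; the table name `dnsblock`, the set name `blocked4` and the domain `ads.example` are made-up placeholders. The nftables side is a native set plus a forward rule that matches against it:

```nft
# Hypothetical standalone ruleset (not fw4's own table): a native nftables set
# that dnsmasq fills with the addresses it resolves for listed domains.
table inet dnsblock {
    # Plain IPv4 set; dnsmasq adds elements to it via nfnetlink as it answers
    # queries, so the set contents track what clients actually resolved.
    set blocked4 {
        type ipv4_addr
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Defensive use: count and drop forwarded traffic to any address
        # that resolved from a blocked domain.
        ip daddr @blocked4 counter drop
    }
}
```

The matching dnsmasq side is a single option in dnsmasq.conf, `nftset=/ads.example/4#inet#dnsblock#blocked4` (the `4#` prefix selects the A-record addresses, followed by family, table and set), and dnsmasq must be built with nftset support, which is exactly the compile option the post says fw4 tinkers with. Two caveats a practitioner should keep in mind: on OpenWrt a separate `forward` base chain like this runs alongside fw4's own `inet fw4` table rather than inside it, so for production use the rule belongs in fw4's include mechanism instead; and the set only ever contains addresses that passed through this dnsmasq instance, so clients that resolve elsewhere (another resolver, DNS over HTTPS, hard-coded IPs) are not covered and should be caught by other controls.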
