Network packet handling in the Linux kernel



Firewalls constantly evolve.  I recently had a need to filter network traffic quickly and efficiently with few computing resources.  When it comes to speed, filtering inside the Linux kernel beats anything in user space almost every time, so let's take a look at our options:

iptables / ipset: the reigning (but aging) champion.

nftables: the successor to iptables (most distributions already run iptables on the nftables backend).  Rule-by-rule it is not noticeably faster than iptables, and a long linear chain can even be slower, but named sets and maps replace a chain of rules with a single hash or interval lookup, and some find the syntax confusing.

bpfilter / XDP: the eBPF route.  bpfilter was an effort to translate iptables rulesets into BPF programs; XDP runs an eBPF program in the driver's receive path (or offloaded to the NIC) before the kernel even allocates a packet buffer, which gives the highest drop rates but means writing and loading programs rather than rules, so adoption for general-purpose firewalls has remained low.

Those are the main contenders.  Of those, I believe nftables with named sets is the most practical at this point.  iptables veterans can use iptables-translate to convert legacy iptables rules to nftables syntax (on older Debian/Ubuntu releases it lives in iptables-nftables-compat: apt install iptables-nftables-compat; on current releases it ships in the iptables package itself).  If you'd like to learn more, Red Hat has a really nice overview of nftables.
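To make the named-set point concrete, here is an added example ruleset (written for this page, not taken from the original post or from the Red Hat documentation).  The table name "filter", the set names, and the addresses are assumptions; the addresses come from the RFC 5737 documentation ranges and are not real hosts.  Each set turns what would be one iptables rule per address or port into a single lookup, and the timeout set lets you block a source temporarily without having to remember to remove the entry.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the original post.  Addresses are from the
# RFC 5737 documentation ranges; table and set names are arbitrary choices.
flush ruleset

table inet filter {
    # Named set of blocked sources.  "interval" allows CIDR elements; the
    # lookup cost stays roughly constant no matter how many entries it holds.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Dynamic set: each element expires on its own, so a runtime
    # "add element" gives a temporary block with no matching "delete" later.
    set tempblock {
        type ipv4_addr
        flags timeout
        timeout 10m
    }

    # Allowed TCP services: one rule matches the whole set.
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Set lookups happen before any per-service rule is evaluated.
        ip saddr @blocklist counter drop
        ip saddr @tempblock counter drop

        tcp dport @tcp_services ct state new accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Check the file with "nft -c -f ruleset.nft" before loading it; "nft -f ruleset.nft" then replaces the whole ruleset atomically, so there is no window with half a policy applied.  Entries can be changed without reloading anything: "nft add element inet filter tempblock { 203.0.113.9 timeout 5m }" blocks a source for five minutes, and "nft list set inet filter blocklist" shows the current members with their counters.  For comparison, running "iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT" prints "nft add rule ip filter INPUT tcp dport 22 counter accept", which is the one-rule-per-port style that the tcp_services set above collapses into a single line.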

Note: Codilime shares some other less common options, as well.  I especially liked the ip rule & ip route suggestions.

