OSSM-6748 (OpenShift Service Mesh)

Support Native nftables in Istio


    Status: In Progress (12% To Do, 18% In Progress, 71% Done)

      iptables has long been the primary tool for packet filtering, firewall rule management and network security on Linux.
      The shift to nftables is driven by the need for a firewall framework that is more flexible, efficient and scalable. nftables (the name comes from "netfilter tables") is the modern replacement for iptables, designed for the requirements of current networking environments.

      Starting with iptables 1.8.0, a new mode (iptables-nft) uses the kernel's nftables API while preserving the original iptables user-facing syntax. Most current Linux distributions still accept iptables syntax, but the iptables command is iptables-nft underneath, so the rules actually live in nftables.
      iptables-nft was created to ease the transition from iptables to nftables, and it has served its purpose well. It is now time to move to the native nftables API.

       

      Motivation:
      ----------------
      nftables is the successor of iptables, and iptables development within the Linux kernel has mostly stopped.
      RHEL 9 has deprecated the iptables interface, and in RHEL 10 iptables will no longer be supported: neither the command-line tools (iptables-nft, ipset) nor the kernel modules will be available on the platform.

      Currently, Istio (release 1.22) auto-detects whether the host uses iptables-legacy or iptables-nft, but it does not support the native nftables API yet.

      The following upstream issue tracks the design of an nftables interface for traffic redirection: https://github.com/istio/istio/issues/47821.
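      The two practical questions behind the paragraphs above (which backend a node is actually on, and what Istio's sidecar redirection looks like once expressed in native nftables rather than through iptables-nft) can be illustrated with a small script. This is an added example, not code from Istio, OSSM or the linked issue. It assumes Istio's default proxy ports 15001 (outbound) and 15006 (inbound), the proxy UID/GID 1337, the 127.0.0.6 inbound passthrough source address, and the inbound ports Istio leaves alone by default (22, 15008, 15020, 15021, 15090); the table and chain names are illustrative, and the ruleset is a simplified rendering of Istio's ISTIO_INBOUND/ISTIO_OUTPUT logic, not its complete rule set.

```shell
#!/bin/sh
# Added example (not Istio's own code): classify the iptables backend on a
# node and render the native-nftables equivalent of Istio's sidecar
# redirection rules. Assumed (labelled) values: Istio default ports
# 15001/15006, proxy UID/GID 1337, passthrough source 127.0.0.6, and the
# default excluded inbound ports. Table/chain names are illustrative.

# Classify `iptables -V` output: "(nf_tables)" means iptables-nft (rules are
# translated into nftables), "(legacy)" means the old xtables path.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Render an nftables ruleset that does what Istio's ISTIO_INBOUND and
# ISTIO_OUTPUT iptables chains do, in native nft syntax.
# $1 = outbound proxy port, $2 = inbound proxy port, $3 = proxy UID/GID.
render_istio_nft_ruleset() {
  outport="$1"; inport="$2"; proxyid="$3"
  cat <<EOF
table ip istio_redirect {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Leave SSH, HBONE and the proxy's own status/health ports alone.
        tcp dport { 22, 15008, 15020, 15021, 15090 } return
        # Everything else inbound goes to the sidecar's inbound listener.
        meta l4proto tcp redirect to :$inport
    }
    chain output {
        type nat hook output priority -100; policy accept;
        # Traffic the proxy itself sends (UID/GID $proxyid) must not loop back.
        meta skuid $proxyid return
        meta skgid $proxyid return
        # Proxy-originated passthrough traffic and plain localhost stay local.
        oifname "lo" ip saddr 127.0.0.6 return
        ip daddr 127.0.0.1 return
        # All other outbound TCP goes to the sidecar's outbound listener.
        meta l4proto tcp redirect to :$outport
    }
}
EOF
}

# Stand-alone run: report the backend and dry-run the ruleset when possible.
backend=$(iptables_backend "$(iptables -V 2>/dev/null || true)")
echo "iptables backend: $backend"
rulefile=$(mktemp)
render_istio_nft_ruleset 15001 15006 1337 > "$rulefile"
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  # --check parses and validates against the running kernel without loading.
  nft --check -f "$rulefile" && echo "ruleset validated (not loaded)"
else
  echo "nft not available or not root; ruleset written to $rulefile"
fi
```

      On a RHEL 9 node `iptables -V` reports "(nf_tables)", which is exactly the situation the text describes: iptables syntax on the surface, nftables underneath. The rendered ruleset is what the same redirection looks like once the translation layer is gone; loading it for real requires root and an `nft -f` without `--check`, and it should only be done in the pod's own network namespace.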

       

      Timelines:
      ----------------
      nftables support for sidecar mode is targeted for the Istio 1.27 release (August 2025); ambient support is more likely to land in the Istio 1.28 release (November 2025).
      Given that OSSM 3.2 is tentatively scheduled for the Sep/Oct timeframe, we should be able to support sidecar mode in the 3.2 release (and possibly ambient, depending on how things go).

              sgaddam@redhat.com Gaddam Sridhar
              dgrimm@redhat.com Daniel Grimm
              Gaddam Sridhar, Yuanlin Xu