Nftables: a new packet filtering engine
Posted Mar 24, 2009 20:00 UTC (Tue) by Alan_Hicks (guest, #20469)
In reply to: Nftables: a new packet filtering engine by kaber
Parent article: Nftables: a new packet filtering engine
Setting up class-based or priority-based queues is also ridiculously easy with pf and included right in the code, not as some add-on. One of the features mentioned in the article about nftables is the ability to easily jump to a different rule or class of rules. This was solved years and years ago by pf with the use of anchors.
As far as features go, I just gave you three. There are plenty more (scrubbing packets and antispoof instantly come to mind), but perhaps the best is the sane and clearly readable syntax for pf, not to mention the more powerful pfctl tool[1].
As for porting, pf originated with OpenBSD and has been ported to FreeBSD, NetBSD, and Dragonfly BSD. I'm not a programmer though, so I can't say for certain how easy it would be to port to Linux, but my understanding is that there are some fairly radical architecture differences in those four BSDs, particularly in regards to the new off-shoot Dragonfly. I would make a SWAG that porting it wouldn't be any more difficult than writing an entirely new packet filter.
[0] There's an out-of-tree module for iptables that allows binary lists and functions similarly to pf's tables I'm told.
[1] As compared to iptables. I have not looked at the userspace component of nftables at all.
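To make the pf features the comment leans on concrete (tables for binary address lists, anchors for jumping to a separately loaded rule set, scrub and antispoof), here is a small pf.conf fragment. It is an added, constructed example, not code from the comment or the pf project; it assumes a host with one external interface `em0`, a hypothetical blocklist file `/etc/pf/blocklist`, and the 2009-era `scrub in all` syntax still accepted by FreeBSD's pf (newer OpenBSD releases express scrub as a `match` option instead).

```conf
# Added example pf.conf: tables, anchors, scrub, antispoof (constructed, not from the comment)
ext_if = "em0"

# A table is the pf equivalent of a binary address list: lookups stay cheap
# no matter how many entries it holds, and it can be edited live with pfctl.
table <blocklist> persist file "/etc/pf/blocklist"   # hypothetical file path
table <admins> { 192.0.2.10, 192.0.2.11 }             # constructed addresses

set skip on lo0

# Normalize fragments and suspicious TCP flags before any rule sees the packet.
scrub in all

# Drop packets arriving on the external interface that claim a local source address.
antispoof quick for $ext_if

# One rule, one table: growing the blocklist never changes the ruleset.
block in quick on $ext_if from <blocklist>

# An anchor is a named attachment point; rules can be loaded into it
# independently of this file, which is what the article calls "jumping".
anchor "ssh" on $ext_if

pass in on $ext_if proto tcp from <admins> to ($ext_if) port 22
```

With the ruleset loaded (`pfctl -f /etc/pf.conf`), the defender's day-to-day operations are table and anchor edits rather than reloads: `pfctl -t blocklist -T add 198.51.100.7` adds one (constructed) address to the table, `pfctl -t blocklist -T show` lists it, and `pfctl -a ssh -f /etc/pf/ssh.rules` replaces only the rules inside the `ssh` anchor while the rest of the policy keeps running.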
