Nftables: a new packet filtering engine
Posted Mar 27, 2009 18:06 UTC (Fri) by kaber (guest, #18366)
In reply to: Nftables: a new packet filtering engine by rusty
Parent article: Nftables: a new packet filtering engine
I agree; one more reason is that NAT rules affect connections, while filtering rules affect both packets and connections and are evaluated on a per-packet basis.
iptables is, just like the kernel side of nftables, indeed the assembler of firewalling. Userspace is missing a compiler in my opinion though :) One of the differences is that nftables performs file-based parsing by default, so it can collect more information about the entire ruleset. So far it doesn't use much of that context, but I have some ideas for when the important parts are done :)
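The distinction kaber draws above (NAT rules bind to a connection, filter rules run on every packet) is visible in the structure of a ruleset file. The following is an added illustration written in the current `nft` ruleset syntax, not code from the comment, from rusty, or from the nftables project itself; the 2009-era syntax differed, and the interface name `eth0` and the SSH port are placeholders. A `type nat` chain is consulted only for the first packet of a flow, after which the mapping lives in the conntrack entry and later packets are translated without re-evaluating the chain; a `type filter` chain is traversed for every packet, which is why it has to ask conntrack about the connection state explicitly with `ct state`.

```nft
# Added example of an nftables ruleset file (not the original poster's code).
# Load with: nft -f ruleset.nft

table inet filter {
    chain input {
        # Filter chain: evaluated for every packet that enters the host.
        type filter hook input priority 0; policy drop;

        # Per-packet rule that consults connection state kept by conntrack.
        ct state established,related accept
        ct state invalid drop

        iif lo accept
        # Placeholder service port; adjust to what the host actually runs.
        tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Placeholder interface names for an internal -> external forwarder.
        iifname "eth1" oifname "eth0" ct state new accept
    }
}

table ip nat {
    chain postrouting {
        # NAT chain: only the first packet of a connection reaches these rules.
        # The resulting mapping is stored in the conntrack entry and applied
        # to the rest of the flow in both directions without re-running the chain.
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Because the whole file is parsed as one unit before anything is loaded, the parser can check it as a set (for example, rejecting a chain that references a set or map defined nowhere in the file) rather than validating one command at a time, which is the "more information about the entire ruleset" the comment refers to.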