I haven't had reason to use nftables yet (beyond the default config in a distro), but if it's in any way closer to PF, then it's vastly superior to iptables in my eyes. I spent a while configuring OpenBSD firewall/VPN gateway boxes about a decade ago, and the all-around superiority of PF was astounding.