nftables has replaced iptables, and the config syntax differs drastically.
The big benefit is that nftables supports variable definitions, e.g.
define ok_icmp = { destination-unreachable, time-exceeded, parameter-problem, echo-request }
...
ip protocol icmp icmp type $ok_icmp accept
The big problem is that admins already template their configs (see the m4 example below), so now there is a bunch of work for no gain, because ultimately the behavior of the firewall is exactly the same. To borrow a phrase from jwz:
Every configuration syntax expands until it implements M4 ... poorly.
m4_divert(-1)
denial of service attack handling -- m4_define(DoS, 1)
clients can share connections, ie. same NAT for iphone+thunderbird, so limit to a low number -- m4_define(DoSlimit, 3)
monitoring hosts = m4_define(nagios, 10.5.0.2) m4_define(cacti, 10.5.0.4)
jumphosts = m4_define(dhcp1, 10.0.0.2) m4_define(dhcp2, 10.0.0.3) m4_define(fw6, 10.31.0.5)
generate the log-line for packets that we don't know about
m4_define(ruleID, "m4_substr(m4_esyscmd(stat -c "%y" m4___file__), 11, 5) ")
m4_divert(0)m4_dnl
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s dhcp1,dhcp2,fw6 -j ACCEPT
-A INPUT -s nagios,cacti -p udp --dport 161 -j ACCEPT
m4_dnl
m4_dnl to limit connections during a DoS attack
m4_ifelse(DoS, 1, `# temp DoS rules
-A INPUT -p tcp --syn -m multiport --dports 143,993 -m connlimit --connlimit-above DoSlimit -j REJECT
# ')m4_dnl
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
m4_dnl
m4_dnl rare packets are last to reduce rule traversal costs
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m multiport --dports 67,68 -j ACCEPT
m4_dnl
m4_dnl reject bad packets nicely for services
-A INPUT -j LOG --log-prefix ruleID
-A INPUT -p tcp -j REJECT
-A INPUT -p udp -j REJECT
COMMIT
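For comparison, the same ruleset written as a native nftables file. This is an added example, not part of the original post: it reuses the addresses, ports and limit from the m4 template above, uses `define` and sets where the template used `m4_define`, replaces the m4-computed ruleID with a placeholder log prefix, and implements the per-source connection limit with a dynamic set and `ct count` (the nftables counterpart of the connlimit match).

```nft
#!/usr/sbin/nft -f
# Added example: the m4/iptables template above as a native nftables ruleset.
# Addresses, ports and the limit are the ones from the template; the log
# prefix is a placeholder because nft has no equivalent of the m4_esyscmd trick.

define nagios     = 10.5.0.2
define cacti      = 10.5.0.4
define jumphosts  = { 10.0.0.2, 10.0.0.3, 10.31.0.5 }   # dhcp1, dhcp2, fw6
define imap_ports = { 143, 993 }
define dos_limit  = 3                                   # DoSlimit in the template

flush ruleset

table inet filter {
    # dynamic set: one element per client address, used for the connection limit
    set imap_conns {
        type ipv4_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid drop
        ct state { related, established } accept
        iif "lo" accept
        ip saddr $jumphosts accept
        ip saddr { $nagios, $cacti } udp dport 161 accept

        # temp DoS rules (the m4_ifelse(DoS, 1, ...) block). nft has no
        # conditional, so switching this on and off still needs a preprocessor
        # or a second file. The flags match mirrors iptables --syn.
        tcp flags & (fin|syn|rst|ack) == syn tcp dport $imap_ports add @imap_conns { ip saddr ct count over $dos_limit } reject
        tcp dport $imap_ports accept

        # rare packets last, to reduce rule traversal cost
        icmp type echo-request accept
        udp dport { 67, 68 } accept

        # reject bad packets nicely for services (reject defaults to
        # port-unreachable, as iptables -j REJECT does)
        log prefix "RULEID-PLACEHOLDER "
        meta l4proto tcp reject
        meta l4proto udp reject
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f`. Note that `define` only covers what `m4_define` did for addresses and ports; the `m4_ifelse` toggle for the DoS rules has no nftables equivalent, so the template stays.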