Will it solve other iptables drawbacks:
- no session replication between two firewalls.
- rule-matching should be done only for the first packet of a connection. Actually it is done per packet when using the filter table. While you can do this with PREROUTING, it should be done as a standard.
- RELATED state whould be handled natively, ne need to add RELATED rules for this.
- matching TIME_WAIT state as a default is dangerous : a short-lived TCP connection will be maintained in the connections' table for too long.
- using macro for rule maintenance, as done by pf.
pf and most commercial firewalls perform that way. Iptables' design is way broken.