This is certainly an interesting approach. I wonder what sort of scope
there would be for porting the virtual nftables code to a network
processor? A lot of high end networking hardware works with custom
networking processors (CPUs tuned to packet inspection/direction).
On a slightly unrelated note, is the nftables VM sufficient enough to
replicate traffic shaping functionality?