My biggest problem with IPtables is that it does not support real subroutines. You can use user-defined chains to factor out most of the common code, but there is no way to make them "local", i.e. to be able to say "call this chain, and when the result is DROP, DROP the packet. Otherwise (for every other decision, including ACCEPT), continue further".
I have an IPtables firewall routing between about 9 VLANs, some of which have the security status of "outside world", others having various levels of security (currently I have >1600 iptables rules, and some of the filtering - like blacklisting some IP address blocks - is done on the iproute2 "ip rule" level outside iptables). There is no way I can say "treat such and such traffic outgoing from one of my VLANs as legal, but consult further the rules for the destination machine on the other VLAN" without replicating some of the rules and without being _extremely_ careful about not calling ACCEPT in some chains.
Also, would the interpreted filtering have any performance impact? I am currently able to route about 1.5 Gbit/s of traffic with those >1600 rules on a dual-CPU Opteron box. Would nftables be able to handle it as well?
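To make the chain-semantics point above concrete, here is an added illustration (not from the post or from iptables itself): a small Python model of iptables chain traversal, where ACCEPT and DROP are terminal for the whole table, RETURN goes back to the caller, and any other target is a jump into a user-defined chain. It compares a shared "from office VLAN" chain written with ACCEPT against the same chain written with RETURN, which is the discipline the post says one must keep so that the destination VLAN's rules still get consulted. Chain and VLAN names, ports and packets are constructed for the example.

```python
# Model of iptables chain traversal (constructed illustration, not real iptables).
# A rule is (match, target); match is a predicate over the packet dict, or None for match-all.
# ACCEPT/DROP end traversal of the whole table; RETURN goes back to the calling chain;
# any other target name is a jump into that user-defined chain. Running off the end of a
# user chain is an implicit RETURN; running off the built-in chain applies its policy.

def evaluate(chains, entry, policy, pkt):
    """Return the verdict ("ACCEPT" or "DROP") for pkt, starting at built-in chain `entry`."""
    def walk(name):
        for match, target in chains[name]:
            if match is not None and not match(pkt):
                continue
            if target in ("ACCEPT", "DROP"):
                return target           # terminal verdict: nothing after it is consulted
            if target == "RETURN":
                return None             # hand control back to the caller
            verdict = walk(target)      # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None                     # end of chain: implicit RETURN
    verdict = walk(entry)
    return verdict if verdict is not None else policy

def src_vlan(name):
    return lambda p: p["in"] == name

def dst_vlan(name):
    return lambda p: p["out"] == name

def dport(port):
    return lambda p: p["dport"] == port

# The same shared chain written two ways. With ACCEPT, its verdict is final and the
# per-destination rules below never run. With RETURN meaning "legal so far", the caller
# keeps going, which is the "local subroutine" behaviour the post asks for.
OFFICE_ACCEPT = [(dport(22), "ACCEPT"), (dport(80), "ACCEPT"), (None, "DROP")]
OFFICE_RETURN = [(dport(22), "RETURN"), (dport(80), "RETURN"), (None, "DROP")]

# Destination-side rules for a DMZ VLAN: only HTTP may reach it (constructed policy).
DMZ_RULES = [(dport(80), "ACCEPT"), (None, "DROP")]

def forward_verdict(office_chain, pkt):
    """Verdict of a FORWARD chain that first checks the source VLAN, then the destination."""
    chains = {
        "FORWARD": [(src_vlan("office"), "from_office"), (dst_vlan("dmz"), "to_dmz")],
        "from_office": office_chain,
        "to_dmz": DMZ_RULES,
    }
    return evaluate(chains, "FORWARD", "DROP", pkt)

SSH_TO_DMZ = {"in": "office", "out": "dmz", "dport": 22}   # constructed sample packet
```

With `OFFICE_ACCEPT`, SSH from the office VLAN is accepted before `to_dmz` is ever consulted; with `OFFICE_RETURN`, the same packet reaches `to_dmz` and is dropped there.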