nftables based iptables wrapper break userspace

Bug #1843468 reported by Stéphane Graber
Affects: iptables (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Julian Andres Klode

Bug Description

iptables just got replaced by the nftables wrappers, effectively changing all Ubuntu systems to using nftables rather than regular iptables/ip6tables/ebtables.

Unfortunately those wrappers aren't perfect and don't convert every option properly, nor know about some of the available plugins for those commands.

This means that unless the software using those commands is aware that those are wrappers and adapts its use, it may break at some random point in time.

While nftables is clearly the way forward, just silently switching the existing native tools with the compat wrappers will lead to widespread breakage both from packages in the archive, snaps and a variety of scripts our users may be running.

So far, looking around, known breakages post-nft are expected with at least Docker, Kubernetes and LXD but the same may be true with the many other packages we have that call iptables, ip6tables, ebtables or arptables today.

A migration should include a proper audit of all in-archive users, see if they have a plan/patch for native nft interaction and if not, validate their use of the tools is compatible with the wrappers.

We should also extend that to popular snaps / those we ship by default. Snaps make things worse as they use the tools from their base snap, which in LXD's case is currently 16.04 (soon to switch to 18.04).
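The description above turns on the fact that the switch from native iptables to the nft-based wrappers is silent: a script calling `iptables` cannot tell from the command name which backend it got. One check an operator can run before auditing a host is to look at the backend tag that iptables 1.8.x prints in its version banner ("(nf_tables)" or "(legacy)"). The script below is an added example and is not part of the bug report or of the iptables package; the banner strings it classifies offline are constructed samples, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): classify which iptables backend a
# system is using by parsing the banner that iptables 1.8.x prints for `-V`,
# e.g. "iptables v1.8.3 (nf_tables)" or "iptables v1.8.3 (legacy)".
# Pre-1.8 releases print no backend tag at all, which we report as "unknown".

# iptables_backend BANNER -> prints nf_tables | legacy | unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# check_tool NAME -> prints "NAME: <backend>" for an installed tool,
# or "NAME: missing" when the command is not on PATH.
check_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        echo "$1: $(iptables_backend "$("$1" -V 2>/dev/null)")"
    else
        echo "$1: missing"
    fi
}

# Constructed sample banners (not captured from a real host) so the
# classifier can be exercised without iptables installed.
SAMPLE_NFT="iptables v1.8.3 (nf_tables)"
SAMPLE_LEGACY="ip6tables v1.8.3 (legacy)"
SAMPLE_OLD="iptables v1.6.1"

for s in "$SAMPLE_NFT" "$SAMPLE_LEGACY" "$SAMPLE_OLD"; do
    echo "sample '$s' -> $(iptables_backend "$s")"
done

# Live check of the four tools the report names; harmless if none is installed.
for t in iptables ip6tables ebtables arptables; do
    check_tool "$t"
done
```

A host answering "nf_tables" for any of these tools is running the compat wrappers the report describes and is where an audit of callers (Docker, Kubernetes, LXD, local scripts) should start; "legacy" means the native tools are still selected.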

Changed in iptables (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
Oibaf (oibaf) wrote :

Debian and RHEL are already using the new -nft iptables backend in their latest stable releases.
There are still some regressions, but most (all?) are already fixed in upstream iptables git.
I'd suggest updating to latest git before starting the audit.

Stéphane Graber (stgraber) wrote :

Ah, that's good to know and we should definitely aim at refreshing nftables prior to doing any amount of testing on the wrappers.

The failure I've seen for LXD specifically was around complex protocol parsing (IPv6 router advertisements I believe) through ebtables, so not a very usual thing to do, but something LXD needs to do to prevent some cases of IP spoofing between containers with isolated networking.

tags: added: id-5d784b79b60ef9779cc530ed
Changed in iptables (Ubuntu):
assignee: nobody → Julian Andres Klode (juliank)
Changed in iptables (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.8.3-2ubuntu4

---------------
iptables (1.8.3-2ubuntu4) eoan; urgency=medium

  * autopkgtest: allow-stderr on command9 to fix regression

 -- Julian Andres Klode <email address hidden> Mon, 16 Sep 2019 13:48:52 +0200

Changed in iptables (Ubuntu):
status: Fix Committed → Fix Released
Balint Reczey (rbalint) wrote :

switching to nftables (again) is tracked in LP: #1887186
