Comment 1 for bug 1843468

Debian and RHEL are already using the new -nft iptables backend in their latest stable releases.
There are still some regressions, but most (all?) are already fixed in upstream iptables git.
I'd suggest updating to latest git before starting the audit.