I want to tack onto this thread, if that is ok, as I have a very similar request regarding CONFIG_NFT_CONNLIMIT:
In that same thread I posted about the legacy iptables package iptables-mod-conntrack-extra which provides the connlimit kmod (and others) for fw3/iptables.
IMHO it would be wonderful if NFT_CONNLIMIT, NFT_DUP, and others might be built as modules and packaged up in a similar way for fw4 for those of us that want such functionality.