OpenWrt 22.03.0-rc1 first release candidate

Hi

I believe that forcing nftables to your user base is wrong and will backfire.
Additionally, I strongly believe you'll have your own issues internally with it (a lot of unintentional mistakes).

While addressing some of the limitations of iptables, which is appreciated, nftables never became popular mainly because the syntax is badly designed (utterly inefficient and confusing garbage) and the documentation insufficient.
Myself - I have more than 20 years of experience in networking and have had a few failed attempts already to switch from iptables to nftables. Being involved for so many years in networking professionally, I also have a lot of colleagues and friends in the field, with whom I have had a lot of exchange around the subject, and the outcome was always an aversion to nftables. Wondering why they didn't just improve iptables itself (the subsystem) instead of reinventing the wheel - actually a regression instead of an evolution.

I'd suggest keeping nftables optional and sticking with iptables - which is still appropriate in this early stage of development.
nftables will involuntarily harm your user base security-wise, by their not knowing how to use nftables (or avoiding it), thus decreasing their protection.

For a more conclusive example of how complicated it is to switch from iptables to nftables and also how bad the "improved" nftables syntax is, I'd suggest having a read of this RedHat blog post:

Then, just for testing yourself - nftables provides a utility for converting iptables rules to nftables rules (one at a time) called iptables-translate.
If you run a Linux box, just test it - take your iptables rules and use iptables-translate to inspect the nftables output mess.

A simple syn flood protection rule set:


# original iptables rules
iptables -N syn_flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 20/s --limit-burst 100 -j RETURN
iptables -A syn_flood -j DROP

# iptables-translate
iptables-translate -N syn_flood
iptables-translate -A INPUT -i eth0 -p tcp --syn -j syn_flood
iptables-translate -A syn_flood -m limit --limit 20/s --limit-burst 100 -j RETURN
iptables-translate -A syn_flood -j DROP

# output - nftables "simple and improved" syntax
nft add chain ip filter syn_flood
nft add rule ip filter INPUT iifname "eth0" tcp flags & (fin|syn|rst|ack) == syn counter jump syn_flood
nft add rule ip filter syn_flood limit rate 20/second burst 100 packets counter return
nft add rule ip filter syn_flood counter drop

I rest my case.
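The same SYN-flood limiter written as a native nftables ruleset, added here as an example for comparison; it is not part of the original post or of the iptables-translate output above, and it assumes eth0 as the inbound interface and the 20/s, burst 100 values from the original rules.

```nft
#!/usr/sbin/nft -f
# Added example: the syn_flood rules from the post written natively for nft
# instead of through iptables-translate. Assumed: eth0 is the inbound interface
# and 20/s with a burst of 100 are the values from the original iptables rules.
# Dry-run the syntax before loading:  nft -c -f syn_flood.nft

table inet filter {
    chain input {
        # The post does not show the policy of the original INPUT chain, so
        # accept is assumed here; only the SYN limiter itself is in effect.
        type filter hook input priority 0; policy accept;

        # "-p tcp --syn" means SYN set with FIN, RST and ACK clear, which is
        # what the translated "tcp flags & (fin|syn|rst|ack) == syn" spells out.
        # "limit rate over" matches only once the token bucket (20/s, burst 100)
        # is exhausted, so the translated jump/RETURN/DROP chain collapses into
        # a single rule. The counter mirrors the per-rule counters iptables keeps.
        iifname "eth0" tcp flags & (fin|syn|rst|ack) == syn limit rate over 20/second burst 100 packets counter drop
    }
}
```

After loading with `nft -f syn_flood.nft`, `nft list ruleset` shows the rule together with its counter, which is the quickest way to confirm that excess SYNs are actually being dropped.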