I don't think that's a good reason. Ipchains (and even ipfwadm before)
had major deficiencies - a crippling one being their lack of state.
Iptables addressed those issues and that's why everybody quickly
switched to it: the benefits it provided for people serious about
firewalling infinitely outweighed the time they'd have to spend learning
the tool.

FWIW I've been involved in huge/complicated firewalls, and the only issue we
had with iptables was when restoring thousands of rules: it took a bit
of time; and even then, the increasing power of PCs made it increasingly
negligible over time. Ipset was later included in the kernel and solved
our "issue".

So, as an advanced user of iptables I don't have/see any issue that
would be solved by nftables. Sure, one could translate its iptables
rules to nftables but the problem is learning how to use nftables later
on. For instance, why did it just take me more than 10 minutes to find
out how to simply list rules?
`man nft` ? {list | flush} ruleset [family] ;
`nft list` -> error.
How/where am I supposed to find out that I have to type `nft list
tables` (which I found searching on a random post on the web)? And how
are "tables" related to a "ruleset"? etc.

Also, with bpfilter advertised to replace nftables/iptables (maybe
someday), people will be reluctant to learn nftables.

Just to be clear, I'm not arguing with you nor any of the devs - I'm
just stating my experience, which is pretty much the same among all the
"network" guys I know.

> Qubes tries to provide a straightforward experience for relatively
> inexperienced users, and the nft/iptables mix per distribution is a
> compromise to that end.

Probably, but it would be interesting to understand what exactly
nftables provides that iptables can't. Marek's post in the issue I've
linked to in another post mentioned something about Whonix.
>
> The docs need to be updated to provide nft rules throughout.

^ this. + sample usage of nftables.