Best part is, debugging networking stuff is always really hard. Opening up a packet dump can help in some cases, but when you're trying to figure out why your nftables rule isn't registering a connection in the kernel connection table, you have to do some fun stuff to figure it out.