nftables can use b-trees instead of the orderd lists offerd by iptables so that graph must be a bad test. bpfilter can do things the others can't, but that doesn't explain the similar results of the other two.

I understand that simplifying security is not simple, but it's way more effective than having no security at all because it's too complicated to set up.

And there are already examples that I mentioned earlier (AFWall+ on Android and Glasswire on Windows) that are easy to understand and setup and they are effective.

I'm not sure but I think even Kaspersky Internet Security on Windows had something similar to Glasswire to choose which programs to allow.

As for efictiveness, I can tell for sure that AFWall+ on Android definitely works and no app can access the internet if I don't allow it.

As for Linux distriutions, I have always used Debian / Ubuntu based and I have programs (.deb) that requires them, so I cannot move to a distro that already has an integrated firewall like OpenSUSE.

Anyway it is what it is, but it's a shame that Ubuntu spent last 10 years into changing the themes, wallpapers, icons, Mir, whatever stupid thing instead of working something really needed like an integrated easy to use firewall.

At least the good part is that Linux has such a tiny market share that not many people care to attack it, so not having a firewall at the moment is not such big dea.

Took me a long time to get my head around IPTables which is confusing as hell compared to any commercial firewall. (IMHO IPTables requires way too much effort for stuff which is trivial on most firewalls)

And now enter nftables, with virtually no good practical documentation that I could find, and 10 times the power and 100 times the effort. (Please, please, please prove me wrong )

Oh well progress requires sacrifices.

I have not given nftables enough time to comment about it. It's somewhat controversial I agree with eydee Linux (mostly userland) has not prioritized routing. I don't think that it's a bad thing. You use the right tool for the right job. I would much rather have better process isolation, driver support and newer graphics APIs combined with all the userful userland tools that come with that than user-friendly network routing. I would actually prioritize user-friendly audio routing above application-network routing in Linux. Currently pavucontrol kind of works for a few cases, but I digress.

Linux:
It's a pain to maintain PBR in Linux (so much constant admin). It has been the most reliable over the years. You can use firejail or user-base-routing like previously mentioned but it's even more admin. It can give you extra functionality compared to PBR like described in the next paragraph. For routers I mostly use openwrt. It takes more time to configure, but the device support is crazy good. I have tried shorewall and vyatta but did not end up using it for more than a year. Testing nftables is not my highest priority right now. I'll hopefully get to it before the end of the year.

Windows:
In Windows I route my default internet to a void and only allow specific applications to access specific internet connects. For example Windows updates goes to local WSUS, gaming and browser goes to VPN and monitoring goes to both VPN and directly to my ISP. Telemetry crap from unauthorized applications goes to the void. It's not fool proof as applications still have access to different interfaces, but works in 99% of my cases. These features are not built into Windows but there are many commercial applications that does this for you. I'm working on one myself in my free time. It's so much easier and clearer if you route and monitor on application level.

BSD:
I have relied on openbsd and pfsense (freebsd) for firewalls. The simplicity of those systems is the selling point, admin is relatively easy. I have had some bad experiences with jails and bhyve when managing big servers with various configurations and docker on BSD is a joke, again right tool for the right job. I don't know of any user-friendly tools that you can just install on a workstation that is as easy to use as the tools that are available to Windows.

Other:
I have worked for an major ISP for a few years and did consulting at various small ISPs. I have used proprietary solutions like FortiGate, Juniper, Huawei, Cisco, Check Point, Mikrotik etc. I am pro open source so don't really like to discuss those besides rant on how extremely bad and old some Juniper, Check Point and Mikrotik bugs are.

For now it's probably the best to write your own scripts/apps and maintain configurations that needs to be manually changed over time just like audio. I don't have time for it, so I'm simply not routing audio or application specific networking on my workstation.

For a long while I maintained a different fork of Droidwall so I have very intimate knowledge about how AFWall+ works because my fork worked the same way. It's doesn't do remotely what you think it does. Apps installed on Android as part of the sandbox system are assigned a UID. AFWall takes those UIDs and maps them into the iptables and blocks it on all ports. It's not doing anything different than GUFW does with UFW or if you run an iptables command by hand. The catch is Linux itself doesn't have those UID's to map to apps for AFWall to be forked and run on any distro.

Here's a rough example of the iptables command that AFWall runs to allow an app to access the network since it denies access by default:
iptables -I <chainname> -input -m owner --uid-owner <appuid> <targetrule>

That basically says allow a UID in a specific chain (wifi or cellular access) to access the network by allowing all ports. It's not doing anything special. If you remove the UIDs from Android then AFWall is worthless. So what you want on Linux is just not possible through something like AFWall.

There's also lots of things underneath (kernel packets and special UIDs for example) that are allowed that you don't see because if it's all blocked then nothing works so if you think AFwall is preventing all data leakage you're sorely mistaken. The only real benefit to Droidwall or it's forks was adblocking and possibly preventing an app with too many permissions from siphoning data. However, in the app filled world now many apps fail if they don't have access to the Internet and if it's an app as simple as say a File Manager that's asking for permission to the network you're better off finding a different File Manager.

Not exactly what you are asking, but close enough that it solved my problem. You can filter based on cgroups, and running a process with systemd will handily put it into a cgroup, and then you can firewall that process however you like. systemd-run also comes in handy here.

That, and of course the fact that every distro I know of comes with a firewall enabled and locked down out of the box.

Why do you need firewall anyways.?

Did you look here:

It's the official wiki with complete documentation, examples, migration guides, articles. Everything you should need.

It's stalled by now, but may be resurrected in the future, see this informative article: