I found out today, via I, Admin, that the Linux kernel, regardless of whether iptables or nftables is installed or not, is tracking connections. That tends to indicate that adding rules via iptables or nftables adds very little on top of what the kernel is already doing, and so that firewalling a box costs very little extra.
The state of the connection table can be determined by installing:
sudo apt install conntrack
Running conntrack -L will show the current state of the table. conntrack -E allows one to watch connection events ([NEW], [UPDATE], [DESTROY]) as they happen.
To watch the connection table sorted and refreshed top-style, use:
sudo apt install iptstate
Traffic bandwidth used by particular TCP sessions can be viewed with:
sudo apt install tcptrack
In a nutshell, "state" is what connection tracking derives from the data it collects and the rules it applies. Connection tracking is mostly just a set of timeouts, thresholds and verifications that help decide whether a packet is "likely", or ideally "almost guaranteed", to be part of a known/expected/established layer 4 session. These timeouts, thresholds and verifications can be seen by catting the various files in /proc/sys/net/netfilter (for example nf_conntrack_tcp_timeout_established, nf_conntrack_udp_timeout and nf_conntrack_max).
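To make the table and the tunables concrete, here is an added example (not part of the original post and not code from the conntrack-tools project): a small POSIX shell script that summarises a conntrack -L dump by protocol and TCP state, counts the half-open [UNREPLIED] entries, and looks up the sysctl timeout that bounds each group. The dump embedded in it is constructed to resemble conntrack -L output rather than captured from a real host; the sysctl directory is a parameter so the functions can be pointed at a copy of /proc/sys/net/netfilter, and the state-to-file mapping in timeout_file is the script's own convention (the file names themselves are the real ones).

```shell
#!/bin/sh
# Added example, not from the original post or from conntrack-tools:
# summarise a `conntrack -L` dump and relate each group of entries to the
# nf_conntrack timeout that bounds its lifetime.

# Constructed sample in the shape of `conntrack -L` output (not captured from
# a real host). Columns: proto, proto number, seconds left, [tcp state],
# original-direction tuple, reply-direction tuple, flags.
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=52212 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=52212 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=52210 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=52210 [ASSURED] mark=0 use=1
tcp      6 58 SYN_SENT src=192.0.2.10 dst=203.0.113.9 sport=41000 dport=22 [UNREPLIED] src=203.0.113.9 dst=192.0.2.10 sport=22 dport=41000 mark=0 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=53123 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=53123 mark=0 use=1
udp      17 170 src=192.0.2.10 dst=192.0.2.1 sport=53124 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=53124 [ASSURED] mark=0 use=1
icmp     1 29 src=192.0.2.10 dst=192.0.2.1 type=8 code=0 id=1234 src=192.0.2.1 dst=192.0.2.10 type=0 code=0 id=1234 mark=0 use=1'

# count_by_state: read a dump on stdin and print "<key> <count>" per line.
# tcp entries are keyed as tcp/<STATE> (field 4); udp and icmp have no state
# machine and no state column, so they are keyed by protocol alone.
count_by_state() {
    awk '{
        key = $1
        if ($1 == "tcp") key = $1 "/" $4
        n[key]++
    } END { for (k in n) print k, n[k] }' | sort
}

# count_unreplied: entries for which the kernel has seen only one direction
# (unanswered SYNs, probes, scans). `|| true` stops grep's exit status of 1
# on zero matches from aborting a caller running under set -e.
count_unreplied() {
    grep -c '\[UNREPLIED\]' || true
}

# timeout_file: map a key from count_by_state to the sysctl file holding its
# timeout, e.g. tcp/ESTABLISHED -> nf_conntrack_tcp_timeout_established.
# The mapping is this script's convention; the file names are the kernel's.
timeout_file() {
    case $1 in
        tcp/*) echo "nf_conntrack_tcp_timeout_$(echo "${1#tcp/}" | tr '[:upper:]' '[:lower:]')" ;;
        udp)   echo nf_conntrack_udp_timeout ;;
        icmp)  echo nf_conntrack_icmp_timeout ;;
        *)     echo nf_conntrack_generic_timeout ;;
    esac
}

# report [SYSCTL_DIR]: for each key print "<key> <count> <file>=<seconds>".
# The directory defaults to /proc/sys/net/netfilter; a file that is missing
# or unreadable (module not loaded, not root) is reported as n/a.
report() {
    dir=${1:-/proc/sys/net/netfilter}
    count_by_state | while read -r key n; do
        f=$(timeout_file "$key")
        if [ -r "$dir/$f" ]; then v=$(cat "$dir/$f"); else v=n/a; fi
        printf '%s %s %s=%s\n' "$key" "$n" "$f" "$v"
    done
}

# show_timeouts [SYSCTL_DIR]: dump every nf_conntrack timeout tunable, which
# is what "catting the files in /proc/sys/net/netfilter" amounts to.
show_timeouts() {
    dir=${1:-/proc/sys/net/netfilter}
    for f in "$dir"/nf_conntrack_*timeout*; do
        [ -r "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_DUMP" | report
printf 'unreplied: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_unreplied)"
```

Against a live host, pipe the real table in instead of the sample: sudo conntrack -L | report. The ratio of SYN_SENT or [UNREPLIED] entries to ESTABLISHED ones is exactly what the timeouts exist to bound; an established TCP flow is kept for 432000 seconds (five days) by default, an unanswered SYN for 120 seconds, and nf_conntrack_max caps the table as a whole, so the defaults decide how much memory a scan or a SYN flood can pin down.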
But back to connection tracking. Having made the explicit realization that connection tracking is 'always on', and that iptables and nftables only add rules into that path, it becomes easier to see that network security is a very low overhead endeavour. There are very few reasons for not having an 'always on' security posture.
By running
sudo apt install conntrackd
and creating an appropriate conntrackd.conf file, it is possible to build a synchronized, multi-host, active/active firewall solution with little additional effort. conntrackd is designed to replicate the local connection tracking table to other hosts, and to merge other hosts' connection tracking tables into the local table.
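As an added example of the conntrackd.conf this refers to (not code from the original post or from the conntrack-tools project), here is a shell function that writes a configuration for one node of a two-node pair replicating over a dedicated sync link. The keyword names follow the FTFW sample configuration that ships with conntrackd, so verify them against the conntrackd.conf(5) of the installed version; the addresses, interface name, multicast group and buffer sizes are assumed values, and DisableExternalCache On reflects the assumption that an active/active pair wants replicated entries injected straight into the kernel table rather than parked in the external cache until a commit.

```shell
#!/bin/sh
# Added example, not from the original post or from conntrack-tools: generate
# a conntrackd.conf for one node of a two-node cluster that replicates its
# connection tracking table to the peer over a dedicated sync link.
# Keyword names follow the FTFW sample configuration shipped with conntrackd;
# check them against the conntrackd.conf(5) of the installed version.
# Addresses, interface names, group and buffer sizes are assumed values.

# write_conntrackd_conf OUTFILE LOCAL_SYNC_IP SYNC_IFACE [MCAST_GROUP]
#   OUTFILE        where to write (e.g. /etc/conntrackd/conntrackd.conf)
#   LOCAL_SYNC_IP  this node's address on the sync link (differs per node)
#   SYNC_IFACE     interface carrying the sync link
#   MCAST_GROUP    multicast group shared by both nodes (assumed default)
write_conntrackd_conf() {
    out=$1
    local_ip=$2
    iface=$3
    group=${4:-225.0.0.50}
    cat > "$out" <<EOF
Sync {
    Mode FTFW {
        # Assumption for an active/active pair: inject replicated entries
        # straight into the kernel table instead of holding them in the
        # external cache until a commit (conntrackd -c) on failover.
        DisableExternalCache On
        CommitTimeout 1800
        PurgeTimeout 5
    }
    Multicast {
        IPv4_address $group
        Group 3780
        IPv4_interface $local_ip
        Interface $iface
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
General {
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            # do not replicate flows to the box itself or over the sync link
            IPv4_address 127.0.0.1
            IPv4_address $local_ip
        }
    }
}
EOF
}

# conf_has_line PATTERN FILE: prints 1 if a line matching PATTERN is present
# in FILE, else 0 (a sanity check on the generated file).
conf_has_line() {
    if grep -q "$1" "$2"; then echo 1; else echo 0; fi
}

# Example for node A of the pair; node B runs the same with its own address:
# write_conntrackd_conf /etc/conntrackd/conntrackd.conf 192.168.100.100 eth2
```

Run the function on each node with that node's sync-link address, start the daemons with conntrackd -C /etc/conntrackd/conntrackd.conf -d, and inspect what is being exchanged with conntrackd -i (internal cache, this node's own flows) and conntrackd -e (external cache, flows learned from the peer). conntrackd can only replicate what the kernel is actually tracking, so nf_conntrack must be loaded on both hosts first, which is the point of the update at the end of this post. Note also that the sync link carries every tracked tuple in clear, so it belongs on a dedicated interface and not on a network an attacker can observe.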
2018/01/15: Vincent Bernat, in comments below, indicates that "connection tracking is not automatically done. It is done only if the nf_conntrack and/or nf_conntrack_ipv6 modules are loaded (or builtin). This is usually only done by autoloading through the first iptables command". I will need to check that out to confirm from an installation perspective as well as a packet forwarding speed perspective.