nftables firewall configuration on Rocky 9.1

I have installed K3s with Rancher on Rocky 9.1 machine. According to the manual, firewalld must be turned off. To turn off the firewalld, I performed:

systemctl disable firewalld
systemctl mask --now firewalld

I also enabled the nftables service with systemctl enable nftables.

Now I am trying to configure a reasonable ruleset in the firewall. As I understand, the current Linux versions use something more modern than iptables (I used to be familiar with iptables a long time ago), so I am trying to use nftables.

Here are a few questions that I need help with:

1. is nftables (or the command line tool nft) the right thing to use on Rocky 9.1? Given that I am using K3s version of Kubernetes on the machine (and they produce iptables rules as well as nftables rules, which both appear in Linux), I am confused which is the "right tool" to configure on Rocky 9.1
2. I have read that iptables don't support something that nftables produce, but should I care about it in my setup? Do Kubernetes or K3s have some specific compatibility requirements in regards of which kind of ruleset I create on Linux? Or can it break the network connection if I create a nft ruleset that is incompatible with iptables? What is the actual relation between nftables and iptables? Are there any other tools that do the same thing on Rocky 9.1, and should I use something even more appropriate?

EDIT:
I did some reading about nftables with subsequential debugging of my own error. Therefore I removed the 3rd part of the question which was obviously just a silly mistake. To anyone who may find it useful: nftables drop is a final decision after which the packet never returns. Any chain of type nat hook input is being evaluated not only for forwarding (nat) purposes, but also for the machine itself (input). Putting policy drop to a type nat hook input chain and leaving the chain empty will render the machine unavailable. Even more interestingly, it will only drop the 1st packet and not the whole traffic from the machine. And that was exactly my case. I rendered the machine inaccessible, but I didn't know it, because my connection left alive until reboot. After reboot no new connections were accepted because of nat drop policy. /Hope it helps someone one day/

I am also interested in this topic. What is you goal with this?

I want to limit acces to ports like 10250 for a limited set of ip addresses. It is very difficult however to find out how this can be achieved.

My setup is k3s on Redhat 8. Regards Hans

I ended up with Cilium.See here It enables you to create simple rules in yaml files.

This enables ssh:

---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "ssh"
spec:
  description: "SSH access on Control Plane"
  nodeSelector: {}
  ingress:
  - toPorts:
    - ports:
      - port: "22"
        protocol: TCP

This denies all other traffic:

---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "default-deny"
spec:
  description: "Block all unknown traffic to nodes"
  nodeSelector: {}
  ingress:
  - fromEntities:
    - cluster
    - remote-node

I ended up using Cilium [See here1 It enables me to create a couple of simple yaml files.

Answer to myself - the best understanding up-to date. Please correct me if I'm wrong.

1. Linux uses netfilter for the actual firewall functionality. There are a couple of inspiring pictures in this Wikipedia page. If you don't have a clue, you must see them.
2. netfilter provides way more than just those rules that we are used to see in iptables. But to use those bunch of rules, we need a tool that can access netfilter and give us a chance to interact.
3. Even though iptables may do the thing (and interact with netfilter), it is kinda going to retire, and we should keep up and learn nft. In fact, the nft command will allow way more sophisticated rules than those you made with iptables.
4. To eliminate confusion about nft and nftables - they both relate to the same thing. The command on the terminal is nft, but the service in systemctl is nftables.
5. Another confusion - nftables service is actually not a service. It is just a script that loads a particular ruleset and exits. So you shouldn't actually care whether the nftables service is running or not. It only matters on startup - once you "start the nftables service", it executes a command that loads the configuration file with nft command. So you could just run nft command yourself and do the job.
6. Starting/stopping the firewall service (just as we did with service iptables start in the good old days)? Nope, I guess that's not a thing to do anymore. Well, it could be possible to disable netfilter and basically the whole network stack, but why would I? Or why would you? <<--Update on this point is welcome
7. The second part of the original question - what does and what doesn't iptables command support? Well, iptables don't support much. Once you start reading the nft manual, you soon get to this section and recognize how different it is and how you can actually do much more with nft.