The FreeBSD failover code used the "pf" firewall in the capacity of:
--on failover backup event, reject existing connections
--on failover master event, allow existing connections
When I implemented the SCALE active/passive failover code, k8s was also being developed and I tried to use nftables. I learned that nftables has an incompatibility with k8s, so I skipped adding any firewalls at the time.
k8s is now mostly implemented using iptables, so I need to implement the necessary rules for SCALE HA systems.