I used it for a project once. It is good, but make sure you have tested backup and restore (from scratch) before you need it. I found that to be a bit more problematic than usual server business. (but that was 6 years ago)

I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

this could be interesting if “collaborative” meant that different instances could federate

Ran into the real ip problem too in prod where we needed ip6 too and the podman version is too old to have anything newer. But running the proxy with network=host and anything behind is listening on 127.0.0.1:x is working well so far. It’s not so elegant as it could be, but it works smoothly.