Cool! Add application-level rules (like Little Snitch) and I'm buying (literally, I don't mind paying for such a feature).
You might want to look at OpenSnitch [1]. It requires nfqueue and directly accessing /proc to get info in real time, which is why you'll likely never see it as part of a structured firewall builder like this.
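To make the /proc dependency mentioned above concrete, here is an added example (not part of either comment, and not OpenSnitch's code) of the general Linux technique for attributing a TCP connection to a process: join the socket inode in `/proc/net/tcp` with the `socket:[inode]` links under `/proc/<pid>/fd`. The sample table, PIDs and inodes are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1C4 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for readlink() results over /proc/<pid>/fd/*.
SAMPLE_FD_LINKS = {
    812: ["socket:[20111]", "/dev/null"],
    4410: ["pipe:[5531]", "socket:[48213]", "socket:[48999]"],
}

def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT'; the IPv4 address is a host-order u32 (little-endian assumed)."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
    return str(addr), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue  # truncated or malformed row
        rows.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": int(cols[3], 16),  # 0x0A = LISTEN, 0x01 = ESTABLISHED
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return rows

def inode_owners(fd_links):
    """Map socket inode -> list of PIDs holding an fd for it."""
    owners = {}
    for pid, links in fd_links.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners

def attribute_connections(tcp_text, fd_links):
    """Attach owning PIDs to each parsed connection; an empty list means no owner found."""
    owners = inode_owners(fd_links)
    return [dict(row, pids=owners.get(row["inode"], [])) for row in parse_proc_net_tcp(tcp_text)]
```

On a live host the fd links come from walking every `/proc/<pid>/fd`, which needs root to see other users' processes and can miss a short-lived process that exits between the packet arriving and the scan.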