I think the issue is if you are dynamically updating the rules then you might have an intermediate state where some packages are processed according to some set of rules which is neither the set of rules at the start nor at the end. Whereas with anchors you can flip between different sets of rules atomically. (Though I suspect you can do the same with iptables, but it'll be called something different.)
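The intermediate-state problem described in the comment above, as an added example that is not part of the original post. It is a constructed model, not any real firewall's API: a first-match filter with a default-accept policy, where the dynamic update is assumed to be a flush followed by appending rules one at a time, compared with swapping the whole ruleset in one step.

```python
# Constructed model (assumption): first-match packet filter, default policy ACCEPT.
# A rule is (proto, dport, verdict); dport None matches any port.
DEFAULT = "accept"

def verdict(rules, pkt):
    """Return the action of the first rule matching pkt = (proto, dport)."""
    for proto, dport, action in rules:
        if proto == pkt[0] and dport in (None, pkt[1]):
            return action
    return DEFAULT

def incremental_states(new):
    """Rulesets the live filter passes through when an update flushes
    everything and then appends the new rules one at a time."""
    return [new[:i] for i in range(len(new) + 1)]

def atomic_states(old, new):
    """With an atomic swap the live filter is only ever old or new."""
    return [old, new]

def inconsistent(old, new, states, packets):
    """List (state index, packet, verdict) where the verdict is one that
    neither the old nor the new ruleset would have given."""
    found = []
    for i, state in enumerate(states):
        for pkt in packets:
            v = verdict(state, pkt)
            if v != verdict(old, pkt) and v != verdict(new, pkt):
                found.append((i, pkt, v))
    return found

# Constructed sample rulesets: the update only adds an allow rule for 443.
OLD = [("tcp", 22, "accept"), ("tcp", None, "drop")]
NEW = [("tcp", 22, "accept"), ("tcp", 443, "accept"), ("tcp", None, "drop")]
PACKETS = [("tcp", 22), ("tcp", 443), ("tcp", 23)]

if __name__ == "__main__":
    for label, states in (("incremental", incremental_states(NEW)),
                          ("atomic", atomic_states(OLD, NEW))):
        print(label, inconsistent(OLD, NEW, states, PACKETS))
```

In this model port 23 is dropped by both rulesets, yet it is accepted in every intermediate state until the final catch-all drop rule is appended; the atomic swap has no such window.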