Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP headers. The typical usage is to change a private (RFC 1918) address/port into a public address/port for packets leaving your network.
Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP headers. The typical usage of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network.
Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (DHCP), this is what you need to use. Masquerading will modify the source IP address and port of the packet to be the primary IP address assigned to the outgoing interface. If your outgoing interface has an address that is static, then you don't need to use MASQ and can use SNAT, which will be a little faster since it doesn't need to figure out what the external IP is every time.
Not familiar with fwbuilder, but they all have more specific meanings in networking, here is how I would define them off the top of my head for general networking:
NAT and PAT:
Changes the IP destination or source and/or the ports in TCP/UDP. The most common uses are so multiple people can share a public IP, or to map public IPs to private IPs for services.
Policy:
What to do with packets that meet certain requirements based on all sorts of properties at various network levels. For example, drop them, or send an ICMP message to the requester saying it is closed. Here the primary use is for security to protect your network.
IP Routes:
Decide which interface to send traffic out depending on the destination IP (or possibly more advanced things when you talk about policy-based routing). The use here is that this is how the Internet and most major computer networks work at the higher levels. Generally, NAT happens before routing, so the packet is altered by NAT and then routed according to the result.
General vs. Specific:
Your generalization of "ways to tell the data where to go depending on what it is and where it is coming from" is roughly what "networking" is. To take it to a higher level, to me it is almost like saying "Why are there all these computer words when all they do is move and manipulate data" :-) These terms are all specific aspects of networking which can be a full time vocation.
Best Answer
I don't know about 'gen2' vs 'gen3', but what I can tell you is this:
SPI firewalls filter on Session 'States'
This firewall keeps track of the State of a TCP or UDP session. This provides an advantage over simpler firewalls for example
This can happen even after the session has supposedly ended by crafting packets with the same details as the session. Stateful firewalls depend on the Three Way Handshake between the two nodes for TCP connections, and will not let traffic through if the handshake hasn't taken place (except, of course, the handshake packets themselves). For UDP traffic, a technique called UDP Hole Punching is used, and the sessions usually get the ESTABLISHED state right away. While nothing is foolproof, SPI firewalls have certainly proved their worth.
Application layer firewalls filter on 'Protocol Signatures'
Now, what does this mean? Consider the following:
Well, we know that doesn't really do much, since I run my SSH server on port 443, since most networks allow 443 for general HTTPS web traffic. This would be allowed by SPI firewalls because the session state is typically independent of the protocol.
Application layer firewalls, on the other hand, look at the traffic and say, "Hey, this looks more like SSH traffic and not HTTPS traffic; I'm stopping this conversation because we don't allow SSH traffic."
In short, each protocol has its own signature, if you will. App layer firewalls look at the signatures and 'try' to determine the applications using it, and filter from there.
I know you didn't ask this, but it all depends on your needs. You may need one, the other, or both.
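The signature idea in the answer above, as an added example that is not part of the original answer: a classifier that looks at a client's first bytes rather than the destination port, so SSH sent to port 443 is told apart from a TLS ClientHello. The port policy table, function names and sample payloads are assumptions constructed for illustration.

```python
"""Added example: classify a connection by its first bytes, not its port."""
import struct

# Assumed policy for illustration: which protocols each port may carry.
PORT_POLICY = {22: {"ssh"}, 80: {"http"}, 443: {"tls"}}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify(payload: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for a client's first bytes."""
    # SSH: each peer opens with "SSH-<protoversion>-<software>" (RFC 4253).
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS: 5-byte record header (type, version, length), then handshake type.
    if len(payload) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
        is_handshake_record = rec_type == 0x16 and major == 0x03 and minor <= 0x04
        if is_handshake_record and 0 < length <= 2**14 and payload[5] == 0x01:
            return "tls"  # record carries a ClientHello
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def verdict(dst_port: int, payload: bytes) -> str:
    """Allow only when the observed protocol matches what the port may carry."""
    proto = classify(payload)
    if proto in PORT_POLICY.get(dst_port, set()):
        return "allow"
    return f"block ({proto} on port {dst_port})"


# Constructed sample payloads (not captured traffic).
SSH_HELLO = b"SSH-2.0-OpenSSH_9.6\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, port, data in [("tls->443", 443, TLS_HELLO),
                             ("ssh->443", 443, SSH_HELLO),
                             ("ssh->22", 22, SSH_HELLO),
                             ("http->443", 443, HTTP_GET)]:
        print(f"{name:10s} {verdict(port, data)}")
```

A port-and-state rule would pass all four flows that reach an open port; this check blocks the two whose first bytes do not match the protocol the port is meant to carry.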