With the following config, withing minutes of adding rules 55 and 65, VyOS ground to a halt and ran OOM.
Deleting rule 45 brought it immediately back to life.
set firewall name WAN-LAN rule 45 action 'accept' set firewall name WAN-LAN rule 45 description 'KF2' set firewall name WAN-LAN rule 45 destination address '172.21.1.60' set firewall name WAN-LAN rule 45 destination group port-group 'KF2' set firewall name WAN-LAN rule 45 protocol 'udp' set firewall name WAN-LAN rule 45 state new 'enable' set firewall name WAN-LAN rule 55 action 'accept' set firewall name WAN-LAN rule 55 description 'Factorio' set firewall name WAN-LAN rule 55 destination address '172.21.1.61' set firewall name WAN-LAN rule 55 destination port '27015' set firewall name WAN-LAN rule 55 protocol 'tcp' set firewall name WAN-LAN rule 55 state new 'enable' set firewall name WAN-LAN rule 65 action 'accept' set firewall name WAN-LAN rule 65 description 'Factorio' set firewall name WAN-LAN rule 65 destination address '172.21.1.61' set firewall name WAN-LAN rule 65 destination port '27015' set firewall name WAN-LAN rule 65 protocol 'udp' set firewall name WAN-LAN rule 65 state new 'enable' set firewall group port-group KF2 port '7777' set firewall group port-group KF2 port '27015' set firewall group port-group KF2 port '20560' set firewall group port-group KF2 port '123'
Associated NAT rules:
set nat destination rule 40 description 'KF2' set nat destination rule 40 destination port '123,7777,20560,27015' set nat destination rule 40 inbound-interface 'eth0' set nat destination rule 40 protocol 'udp' set nat destination rule 40 translation address '172.21.1.60' set nat destination rule 50 description 'Factorio' set nat destination rule 50 destination port '27105,34197' set nat destination rule 50 inbound-interface 'eth0' set nat destination rule 50 protocol 'udp' set nat destination rule 50 translation address '172.21.1.61' set nat destination rule 60 description 'Factorio' set nat destination rule 60 destination port '27105' set nat destination rule 60 inbound-interface 'eth0' set nat destination rule 60 protocol 'tcp' set nat destination rule 60 translation address '172.21.1.61'