When creating an IPv6 firewall and assigning it to an interface, VyOS creates a chain with the name of the firewall, but it is not actually inserted into the VYOS_FW6_LOCAL chain.
The VYOS_FW6_LOCAL chain should contain a rule like:
iifname "eth1" counter packets 68105 bytes 39399923 jump LAN-LOCAL-v6
but it does not.
Config
interfaces {
    ethernet eth1 {
        address 2001:db8:1::1/64
        description LAN
        firewall {
            local {
                ipv6-name LAN-LOCAL-v6
            }
        }
    }
}
nftables rules actually applied
sudo nft list ruleset
table ip6 filter {
    chain VYOS_FW6_FORWARD {
        type filter hook forward priority filter; policy accept;
        jump VYOS_POST_FW6
    }

    chain VYOS_FW6_LOCAL {
        type filter hook input priority filter; policy accept;
        jump VYOS_POST_FW6
    }

    chain VYOS_FW6_OUTPUT {
        type filter hook output priority filter; policy accept;
        jump VYOS_POST_FW6
    }

    chain VYOS_POST_FW6 {
        return
    }

    chain VYOS_FRAG6_MARK {
        type filter hook prerouting priority -450; policy accept;
        exthdr frag exists meta mark set 0x000ffff1 return
    }

    chain LAN-LOCAL-v6 {
        ct state { established, related } counter packets 0 bytes 0 return comment "LAN-LOCAL-v6-1"
        counter packets 0 bytes 0 drop comment "LAN-LOCAL-v6 default-action drop"
    }
}
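
A check for this condition, added here as an example (it is not part of the original report or of VyOS): it parses `nft list ruleset` text and lists chains that no hooked chain reaches through jump or goto, which is exactly the state LAN-LOCAL-v6 is in above. The function name and the trimmed sample are this example's own; the parser assumes the default text output format.

```python
import re
from collections import deque

# Trimmed copy of the `nft list ruleset` output shown in this report.
PAGE_RULESET = """
table ip6 filter {
  chain VYOS_FW6_FORWARD { type filter hook forward priority filter; policy accept; jump VYOS_POST_FW6 }
  chain VYOS_FW6_LOCAL { type filter hook input priority filter; policy accept; jump VYOS_POST_FW6 }
  chain VYOS_POST_FW6 { return }
  chain LAN-LOCAL-v6 {
    ct state { established, related } counter packets 0 bytes 0 return comment "LAN-LOCAL-v6-1"
    counter packets 0 bytes 0 drop comment "LAN-LOCAL-v6 default-action drop"
  }
}
"""
# Same ruleset with the jump the report says should be present.
EXPECTED_RULESET = PAGE_RULESET.replace(
    "hook input priority filter; policy accept;",
    'hook input priority filter; policy accept; iifname "eth1" counter jump LAN-LOCAL-v6')

def unreferenced_chains(ruleset):
    """Return sorted (table, chain) pairs that no hooked (base) chain can reach."""
    text = re.sub(r'"[^"]*"', '""', ruleset)   # comments may contain keywords
    toks = re.findall(r'[{}]|[^\s{};,]+', text)
    chains, base, edges = set(), set(), {}
    table, chain, depth = None, None, 0
    for i, t in enumerate(toks):
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
            chain = chain if depth >= 2 else None   # left the chain body
        elif depth == 0 and t == "table":
            table = " ".join(toks[i + 1:i + 3])     # e.g. "ip6 filter"
        elif depth == 1 and t == "chain":
            chain = (table, toks[i + 1])
            chains.add(chain)
            edges[chain] = set()
        elif chain and t == "hook" and toks[i - 2] == "type":
            base.add(chain)                         # attached to a netfilter hook
        elif chain and t in ("jump", "goto"):
            edges[chain].add((table, toks[i + 1]))
    seen, queue = set(base), deque(base)
    while queue:                                    # follow jump/goto edges
        for nxt in edges[queue.popleft()] & chains:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(chains - seen)
```

On a live system the input would be the output of `sudo nft list ruleset`; any chain the function returns holds rules that are never evaluated, so its policy is not being enforced.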