Hello,
It is well known that all pre-1.4 versions of VyOS since the Vyatta times actually used the 'return' action in place of 'accept' in the firewall rules on the iptables level. See T5096 for example.
That approach allowed the packets forwarded from one interface to the other to be filtered with both 'in' firewall ruleset of the former and 'out' ruleset of the latter.
Recent VyOS 1.4 LTS versions introduced nftables instead of iptables to handle the firewall. The current migration script converts, say

    ... interface ethernet eth0 firewall in name WAN-IN
    ... interface ethernet eth1 firewall out name LAN-OUT

into

    firewall ipv4 forward {
        filter {
            default-action accept
            rule 5 {
                action jump
                inbound-interface {
                    name eth0
                }
                jump-target WAN-IN
            }
            ...
            rule 40 {
                action jump
                jump-target LAN-OUT
                outbound-interface {
                    name eth1
                }
            }
            ...
        }
    }
while rules WAN-IN and LAN-OUT remain basically intact and contain 'accept' and 'drop' actions that translate further into nft 'accept' and 'drop' respectively.
According to my understanding and quick tests this indeed breaks the whole idea of in and out filtering of packets of previous VyOS versions, because in the example above rule 40 will never match any packets forwarded from eth0 to eth1 (they will be either accepted or dropped by rule 5). To allow these packets to be processed by rule 40, all 'accept' actions within chain WAN-IN should actually be 'return', as it was in previous VyOS versions (on the iptables level). So the current migration script breaks the configuration.
I feel that this change is really deep as it may lead to unexpected consequences. For example, if you had WAN-OUT filtering of outgoing traffic it may dangerously stop working because forwarded traffic from LAN to WAN may first match LAN-IN ruleset with 'default-action accept' and then never be processed with WAN-OUT.
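The behaviour described in the post can be reproduced without a router by modelling the nftables verdict rules: accept and drop end processing in the current hook, jump enters a chain, and return (or running off the end of a regular chain) resumes at the next rule of the calling chain. The toy evaluator below is an added illustration, not VyOS code and not an nft ruleset; the chain names forward, WAN-IN and LAN-OUT follow the example above, while the interface names, ports and addresses are constructed sample values. It evaluates the same packets with 'accept' in the per-interface rulesets (the 1.4 migration result) and with 'return' (the pre-1.4 iptables behaviour), and records which rules were consulted. The same model covers the LAN-IN / WAN-OUT case from the last paragraph: with 'accept', whichever ruleset the packet hits first is the only one that ever sees it.

```python
# Toy model of nftables verdict semantics (accept / drop / jump / return).
# Added example: not VyOS code, not a real nft ruleset. Chain, interface,
# port and address values are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass
class Rule:
    action: str                                   # accept | drop | jump | return
    match: Callable[[Packet], bool] = lambda pkt: True
    target: Optional[str] = None                  # chain to enter when action == "jump"
    name: str = ""                                # label used in the evaluation trace


@dataclass
class Chain:
    rules: List[Rule]
    policy: Optional[str] = None                  # base chains only: the default-action


def evaluate(ruleset: Dict[str, Chain], base: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Return (verdict, trace). accept/drop terminate processing in this hook;
    jump enters a chain; return, or running off the end of a regular chain,
    resumes at the caller's next rule; running off the end of the base chain
    applies its policy (the VyOS default-action)."""
    trace: List[str] = []

    def run(chain_name: str) -> Optional[str]:
        for rule in ruleset[chain_name].rules:
            if not rule.match(pkt):
                continue
            trace.append(f"{chain_name}:{rule.name or rule.action}")
            if rule.action in ("accept", "drop"):
                return rule.action
            if rule.action == "return":
                return None
            if rule.action != "jump":
                raise ValueError(f"unknown action {rule.action!r}")
            verdict = run(rule.target)
            if verdict is not None:               # final verdict reached inside the jumped-to chain
                return verdict
        return None                               # fell off the end: back to the caller

    verdict = run(base)
    return (verdict if verdict is not None else ruleset[base].policy), trace


def build_ruleset(allow: str) -> Dict[str, Chain]:
    """`allow` is what the per-interface rulesets emit where the VyOS config
    says 'accept': "accept" (1.4 migration) or "return" (pre-1.4 iptables)."""
    return {
        "forward": Chain(policy="accept", rules=[
            Rule("jump", lambda p: p["iif"] == "eth0", "WAN-IN", "rule 5"),
            Rule("jump", lambda p: p["oif"] == "eth1", "LAN-OUT", "rule 40"),
        ]),
        "WAN-IN": Chain(rules=[
            Rule(allow, lambda p: p["dport"] == 443, name="allow https"),
            Rule("drop", name="drop rest"),
        ]),
        "LAN-OUT": Chain(rules=[
            Rule("drop", lambda p: p["dst"] == "192.0.2.10", name="block host"),
            Rule(allow, name="allow rest"),
        ]),
    }


# Constructed sample packets, all forwarded from eth0 (WAN) to eth1 (LAN).
HTTPS_TO_BLOCKED_HOST: Packet = {"iif": "eth0", "oif": "eth1", "dport": 443, "dst": "192.0.2.10"}
HTTPS_TO_OTHER_HOST: Packet = {"iif": "eth0", "oif": "eth1", "dport": 443, "dst": "192.0.2.20"}
SSH_FROM_WAN: Packet = {"iif": "eth0", "oif": "eth1", "dport": 22, "dst": "192.0.2.20"}


def compare(pkt: Packet) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate one packet under both translations of the VyOS 'accept' action."""
    return {allow: evaluate(build_ruleset(allow), "forward", pkt)
            for allow in ("accept", "return")}


if __name__ == "__main__":
    samples = [("https to blocked host", HTTPS_TO_BLOCKED_HOST),
               ("https to other host", HTTPS_TO_OTHER_HOST),
               ("ssh from wan", SSH_FROM_WAN)]
    for label, pkt in samples:
        for allow, (verdict, trace) in compare(pkt).items():
            print(f"{label:22} accept->{allow:6}: {verdict:6} via {' > '.join(trace)}")
```

With 'accept', the HTTPS packet to the blocked host is accepted after two rule visits and rule 40 and the LAN-OUT drop are never consulted; with 'return' the trace continues through rule 40 into LAN-OUT and the packet is dropped. Packets that WAN-IN drops behave identically in both variants, which is why the regression only shows up on traffic the first ruleset allows.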