I'm not really sure if this is a bug (would probably need to be some rule before the user firewall rules) or rather something that needs to be documented so users are aware, but recently encountered a weird issue where on boot, my WAN interface on a VRF would not receive the default route from dhcp resulting in no internet every boot until I intervened. If I manually ran renew dhcp interface eth0 after boot, then it would receive the default route.

Digging into it a bit, it appeared that the route was received by DHCP, but it wouldn't get added to the FRR configuration (although the dhcp client logs say it ran the relevant vtysh command). I then started logging what was being blocked and saw firewall entries relating to chronyd (UDP 323) on both the ipv4 and v6 loopbacks which made me think to add the firewall rules but not sure if its related. I added the firewall rules to allow traffic between loopback on the local zone and internet vrf and the default route is now added on boot.

The VRF entry looks like:

name INTERNET {
    protocols {
        static {
            route 0.0.0.0/0 {
                dhcp-interface eth0
            }
        }
    }
    table 100
}

Had to add these firewall rules:

rule 2 {
    action accept
    description "Allow loopback traffic"
    destination {
        address 127.0.0.1
    }
    source {
        address 127.0.0.1
    }
}
rule 3 {
    action accept
    description "Allow loopback traffic"
    destination {
        address ::1
    }
    source {
        address ::1
    }
}