When configuring the firewall, many nodes are accepted with empty values, which are not parsed into rules. Here is an example of commands that are allowed:
set firewall ipv4 forward filter rule 10 add-address-to-group
set firewall ipv4 forward filter rule 10 connection-status
set firewall ipv4 forward filter rule 10 destination
set firewall ipv4 forward filter rule 10 fragment
set firewall ipv4 forward filter rule 10 gre
set firewall ipv4 forward filter rule 10 icmp
set firewall ipv4 forward filter rule 10 ipsec
set firewall ipv4 forward filter rule 10 limit
set firewall ipv4 forward filter rule 10 log-options
set firewall ipv4 forward filter rule 10 outbound-interface
set firewall ipv4 forward filter rule 10 recent
set firewall ipv4 forward filter rule 10 set
set firewall ipv4 forward filter rule 10 source
set firewall ipv4 forward filter rule 10 tcp
set firewall ipv4 forward filter rule 10 time
set firewall ipv4 forward filter rule 10 ttl
Very few of these have any subsequent error handling. For some of them it should be obvious to the user that a value is required, like these (though an error should still be thrown if they are configured without children):
set firewall ipv4 forward filter rule 10 destination
set firewall ipv4 forward filter rule 10 inbound-interface
set firewall ipv4 forward filter rule 10 outbound-interface
set firewall ipv4 forward filter rule 10 set
set firewall ipv4 forward filter rule 10 source
But some could be misunderstood and lead to an outage or a wide-open firewall. For instance, let's say someone wanted to block all ICMP. They may incorrectly configure:
set firewall ipv4 input filter rule 10 action drop
set firewall ipv4 input filter rule 10 icmp
Because the bare icmp node contributes no match expression, this creates the following rule in nftables, which drops all traffic before any subsequent rule is evaluated:
counter packets 0 bytes 0 drop comment "ipv4-INP-filter-10"
They could also unintentionally allow all traffic by attempting to only allow icmp in a rule.
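A pre-commit check for this class of mistake, written as an added example (not VyOS code): it scans "set firewall ..." commands and flags any match node from the list above that a rule sets without a child value. The node list is taken from this report and the rule-line pattern is an assumption about the CLI syntax shown here; the sample commands are constructed.

```python
"""Flag VyOS-style firewall rules whose match nodes were set with no value."""
import re

# Match nodes this report shows being accepted bare and then silently
# dropped from the generated nftables rule (list taken from the report).
MATCH_NODES = {
    "add-address-to-group", "connection-status", "destination", "fragment",
    "gre", "icmp", "inbound-interface", "ipsec", "limit", "log-options",
    "outbound-interface", "recent", "set", "source", "tcp", "time", "ttl",
}

# Assumed shape of a rule command: set firewall <family> <hook> <chain> rule <n> [...]
RULE_RE = re.compile(
    r"^set firewall (?P<family>ipv4|ipv6) (?P<hook>\S+) (?P<chain>\S+) "
    r"rule (?P<num>\d+)(?: (?P<rest>.*))?$"
)


def find_empty_matches(commands):
    """Return sorted (rule_id, node) pairs for match nodes that never got a child.

    A node is only reported if no other command for the same rule gives it a
    value, so 'rule 10 icmp' followed by 'rule 10 icmp type-name echo-request'
    is fine, while a lone 'rule 10 icmp' is not.
    """
    bare, populated = {}, {}
    for line in commands:
        m = RULE_RE.match(line.strip())
        if not m or m["rest"] is None:
            continue
        rule_id = f"{m['family']}-{m['hook']}-{m['chain']}-{m['num']}"
        tokens = m["rest"].split()
        node = tokens[0]
        if node not in MATCH_NODES:
            continue  # action, description, etc. are not match nodes
        target = bare if len(tokens) == 1 else populated
        target.setdefault(rule_id, set()).add(node)
    findings = []
    for rule_id, nodes in sorted(bare.items()):
        for node in sorted(nodes - populated.get(rule_id, set())):
            findings.append((rule_id, node))
    return findings


# Constructed sample: rule 10 reproduces the report's mistake (a drop rule
# whose only "match" is a bare icmp node); rule 20 is a correctly scoped rule.
SAMPLE_COMMANDS = [
    "set firewall ipv4 input filter rule 10 action drop",
    "set firewall ipv4 input filter rule 10 icmp",
    "set firewall ipv4 forward filter rule 20 action accept",
    "set firewall ipv4 forward filter rule 20 icmp type-name echo-request",
]

if __name__ == "__main__":
    for rule_id, node in find_empty_matches(SAMPLE_COMMANDS):
        print(f"{rule_id}: match node '{node}' has no value; rule will match all traffic")
```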