The firewall in 1.4 sets the default action accept instead of drop
In 1.4 we have default action accept:

    set firewall name FOO rule 10 action 'accept'
    set firewall name FOO rule 10 source address '192.0.2.2'
    set interfaces ethernet eth1 vif 5 firewall local name 'FOO'
Nftables:
    vyos@r14# sudo nft list table ip filter
    table ip filter {
            chain VYOS_FW_LOCAL {
                    type filter hook input priority filter; policy accept;
                    iifname "eth1.5" counter packets 0 bytes 0 jump NAME_FOO
                    jump VYOS_POST_FW
            }
    ...
            chain NAME_FOO {
                    ip saddr 192.0.2.2 counter packets 0 bytes 0 return comment "FOO-10"
                    counter packets 0 bytes 0 return comment "FOO default-action accept"
            }
    }

The same rules on 1.3 show the correct default action, drop:

    [edit]
    vyos@r1# sudo nft list table ip filter
    table ip filter {
            chain INPUT {
                    type filter hook input priority filter; policy accept;
                    counter packets 13644 bytes 1993144 jump VYATTA_PRE_FW_IN_HOOK
                    counter packets 269 bytes 33536 jump VYATTA_FW_LOCAL_HOOK
                    counter packets 13644 bytes 1993144 jump VYATTA_POST_FW_IN_HOOK
            }
    ...
            chain VYATTA_FW_LOCAL_HOOK {
                    iifname "eth1.5" counter packets 0 bytes 0 jump FOO
            }
            chain FOO {
                    ip saddr 192.0.2.2 counter packets 0 bytes 0 return comment "FOO-10"
                    counter packets 0 bytes 0 drop comment "FOO-1000000 default-action drop"
            }
    }
Old codebase: https://github.com/vyos/vyatta-cfg-firewall/blob/d323004c8ab9d0bb917203ed5b705cef38c60c26/templates/firewall/name/node.tag/default-action/node.def#L5
The defaultValue is missing here: https://github.com/vyos/vyos-1x/blob/fdeba8da3e99256fe449e331d0b833a941315226/interface-definitions/include/firewall/name-default-action.xml.i
The real default values are in the template: https://github.com/vyos/vyos-1x/blob/fdeba8da3e99256fe449e331d0b833a941315226/data/templates/firewall/nftables.tmpl#L84
and https://github.com/vyos/vyos-1x/blob/fdeba8da3e99256fe449e331d0b833a941315226/data/templates/firewall/nftables.tmpl#L142
The default action is also accept in the template: https://github.com/vyos/vyos-1x/blob/edb2d72c3487b06fffd67dde203219b3c1bd7443/python/vyos/template.py#L553
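A check for the regression described above, as an added example (not VyOS code): it reads `nft list table ip filter` output and reports every ruleset bound to an interface whose final rule is not an unconditional drop or reject. The sample inputs are constructed from the two excerpts in this report, the function names are hypothetical, and it assumes rulesets are attached by an `iifname`/`oifname` jump as in those excerpts.

```python
import re

# Constructed samples, trimmed from the 1.4 and 1.3 excerpts in this report.
NFT_14 = '''table ip filter {
  chain VYOS_FW_LOCAL {
    type filter hook input priority filter; policy accept;
    iifname "eth1.5" counter packets 0 bytes 0 jump NAME_FOO
    jump VYOS_POST_FW
  }
  chain NAME_FOO {
    ip saddr 192.0.2.2 counter packets 0 bytes 0 return comment "FOO-10"
    counter packets 0 bytes 0 return comment "FOO default-action accept"
  }
}'''
NFT_13 = '''table ip filter {
  chain VYATTA_FW_LOCAL_HOOK {
    iifname "eth1.5" counter packets 0 bytes 0 jump FOO
  }
  chain FOO {
    ip saddr 192.0.2.2 counter packets 0 bytes 0 return comment "FOO-10"
    counter packets 0 bytes 0 drop comment "FOO-1000000 default-action drop"
  }
}'''

BOUND = re.compile(r'^[io]ifname "([^"]+)" .*\bjump (\S+)$')  # interface -> ruleset
NOISE = re.compile(r'counter packets \d+ bytes \d+|comment "[^"]*"')

def parse_chains(text):
    """Map chain name -> rule lines; line-based so anonymous sets do not confuse it."""
    chains, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'chain (\S+) \{$', line)
        if m:
            cur = chains.setdefault(m.group(1), [])
        elif line == '}':
            cur = None
        elif cur is not None and line and not line.startswith('type '):
            cur.append(line)
    return chains

def fail_open_rulesets(text):
    """Return (interface, chain, last_rule) for rulesets that do not end in drop/reject."""
    chains, findings = parse_chains(text), []
    for rule in (r for rules in chains.values() for r in rules):
        m = BOUND.match(rule)
        if not m:
            continue
        last = (chains.get(m.group(2)) or [''])[-1]
        verdict = NOISE.sub('', last).strip()  # what remains once counters/comments go
        if verdict not in ('drop', 'reject'):  # 'return' falls back to policy accept
            findings.append((m.group(1), m.group(2), verdict))
    return findings
```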