VyOS always creates the input and forward nft chains with policy accept. This prevents the defense-in-depth approach to block everything except allowed ports, because interfaces, that are not configured in set firewall interfaces permit all traffic.

I've started the work here: https://github.com/glueckself/vyos-1x/commit/197ea70f28fa284ac12155f5347432ee3c8ba75b

My initial approach was to make it a non-breaking change, setting policy accept when no default-policy is configured. Because the nft_action filter replaces the accept action with return, in case of policy drop, this causes the packet to be dropped, even if there are rules that would accept it (because they only return, until the packet is at the end of the chain where it's dropped). However, removing the return "return" makes this a breaking change, as with policy accept+return, packets could be accepted in the in rulesets, but dropped in the out ruleset (because both in and out rulesets are merged in the VYOS_FW_FORWARD chain). From what I understand, nft stops processing on the accept, which would prevent out rules from being processed.

One idea to solve this would be to use the postrouting chain for out-rules - but this would also be a behaviour change, as it would now affect packets coming from the router itself.

The code is in an very early state. Also, this is my first time working on VyOS and first time working with nft. I do have networking experience and a bit of experience with python. Please let me know if there are any issues with my approach, and how I should proceed with the nft_action filter.