Looking through the output of "sudo nft -s list ruleset" in VyOS 1.5-rolling-202310110022 the following can be observed:
table ip vyos_conntrack {
	...
	chain VYOS_CT_IGNORE {
		return
	}
	chain VYOS_CT_TIMEOUT {
		return
	}
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		counter jump WLB_CONNTRACK
		notrack
	}
	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		notrack
	}
	chain VYOS_CT_HELPER {
		return
	}
	chain FW_CONNTRACK {
		accept
	}
	chain NAT_CONNTRACK {
		return
	}
	chain WLB_CONNTRACK {
		return
	}
}
table ip6 vyos_conntrack {
	...
	chain VYOS_CT_IGNORE {
		return
	}
	chain VYOS_CT_TIMEOUT {
		return
	}
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		notrack
	}
	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter jump VYOS_CT_HELPER
		counter jump VYOS_CT_IGNORE
		counter jump VYOS_CT_TIMEOUT
		counter jump FW_CONNTRACK
		counter jump NAT_CONNTRACK
		notrack
	}
	chain VYOS_CT_HELPER {
		return
	}
	chain FW_CONNTRACK {
		accept
	}
	chain NAT_CONNTRACK {
		return
	}
}

My interpretation of the above is that when "jump FW_CONNTRACK" occurs the action is "accept", which means that the chains that come after FW_CONNTRACK (in chains PREROUTING and OUTPUT) are never evaluated:
	counter jump NAT_CONNTRACK
	counter jump WLB_CONNTRACK

Suggested fix:

	chain FW_CONNTRACK {
		return
	}
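The reasoning in the report rests on nftables verdict semantics: an "accept" inside a chain reached by "jump" is terminal for the whole hook, whereas "return" only leaves the jumped-to chain, and "notrack" is a non-terminal statement that evaluation must actually reach. The following is an added example, not code from the report or from VyOS: a small Python model of those semantics, fed with a hand-built copy of the ip vyos_conntrack PREROUTING chain from the ruleset above, that shows which "counter" rules are hit with FW_CONNTRACK ending in "accept" versus "return". Chain and rule names are taken from the ruleset; the evaluator itself is an assumption-free simplification that only supports the statements present in that table.

```python
from collections import Counter

# Constructed model of the ip vyos_conntrack table from the report. Each chain
# maps to an ordered list of (statement, target) rules. The base chain policy
# ("policy accept" in the ruleset) applies when evaluation falls off the end.
BASE_POLICY = "accept"


def vyos_conntrack_ruleset(fw_conntrack_verdict):
    """Build the PREROUTING side of the table with FW_CONNTRACK ending in
    the given verdict ("accept" as shipped, "return" as the suggested fix)."""
    return {
        "PREROUTING": [
            ("jump", "VYOS_CT_HELPER"),
            ("jump", "VYOS_CT_IGNORE"),
            ("jump", "VYOS_CT_TIMEOUT"),
            ("jump", "FW_CONNTRACK"),
            ("jump", "NAT_CONNTRACK"),
            ("jump", "WLB_CONNTRACK"),
            ("notrack", None),
        ],
        "VYOS_CT_HELPER": [("return", None)],
        "VYOS_CT_IGNORE": [("return", None)],
        "VYOS_CT_TIMEOUT": [("return", None)],
        "FW_CONNTRACK": [(fw_conntrack_verdict, None)],
        "NAT_CONNTRACK": [("return", None)],
        "WLB_CONNTRACK": [("return", None)],
    }


def _walk(ruleset, chain, hits, state, depth=0):
    """Evaluate one chain for a single packet. Returns a terminal verdict
    ("accept"/"drop") that ends the whole hook, or None when the chain was
    left via "return" or by running off its end (caller continues)."""
    if depth > 16:  # nft itself rejects jump nesting this deep
        raise RuntimeError("jump stack too deep")
    for idx, (stmt, target) in enumerate(ruleset[chain]):
        hits[(chain, idx)] += 1  # models the "counter" expression on the rule
        if stmt == "jump":
            verdict = _walk(ruleset, target, hits, state, depth + 1)
            if verdict is not None:  # accept/drop in the target ends the hook
                return verdict
        elif stmt == "return":
            return None  # back to the calling chain, next rule there
        elif stmt == "notrack":
            state["tracked"] = False  # non-terminal, evaluation continues
        elif stmt in ("accept", "drop"):
            return stmt
        else:
            raise ValueError(f"unsupported statement {stmt!r}")
    return None


def evaluate(ruleset, base_chain="PREROUTING"):
    """Simulate one packet through base_chain. Returns (final verdict,
    per-rule hit counters, whether conntrack will track the packet)."""
    hits = Counter()
    state = {"tracked": True}  # conntrack tracks unless notrack was executed
    verdict = _walk(ruleset, base_chain, hits, state)
    if verdict is None:
        verdict = BASE_POLICY
    return verdict, hits, state["tracked"]


def rules_never_reached(ruleset, base_chain="PREROUTING"):
    """Base-chain rules whose counter stays at zero for one packet."""
    _, hits, _ = evaluate(ruleset, base_chain)
    return [
        f"{stmt} {target or ''}".strip()
        for idx, (stmt, target) in enumerate(ruleset[base_chain])
        if hits[(base_chain, idx)] == 0
    ]


if __name__ == "__main__":
    for fw_verdict in ("accept", "return"):
        rs = vyos_conntrack_ruleset(fw_verdict)
        final, _, tracked = evaluate(rs)
        print(f"FW_CONNTRACK -> {fw_verdict}: verdict={final} tracked={tracked} "
              f"skipped={rules_never_reached(rs)}")
```

With "accept" in FW_CONNTRACK the model leaves "jump NAT_CONNTRACK", "jump WLB_CONNTRACK" and "notrack" unreached, so the packet stays tracked; with "return" every rule is reached and the packet ends at "notrack". On a live box the same thing is visible from the counters: run "sudo nft list chain ip vyos_conntrack PREROUTING" without "-s" (the "-s"/"--stateless" flag used in the report omits counter values) and the counters on the rules after "jump FW_CONNTRACK" will not move while that chain accepts.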