I didn’t realise intrazone firewalling wasn’t possible in Vyatta/VyOS but wanted it working today.
It appears to work fine if a few lines are commented out of the following files:
/opt/vyatta/share/vyatta-cfg/templates/zone-policy/zone/node.tag/from/node.def
— prevents you from committing a zone-to-zone rule with the same zone name
/opt/vyatta/share/perl5/Vyatta/Zone.pm
— comment out the section that adds an implicit RETURN for intra-zone traffic
After these changes, a zoneX_to_zoneX chain appears to work fine.