Vrf and iptables

I am trying to filter packets on a VRF-enslaved interface.

set interfaces ethernet eth0 vif 496 address '1.1.1.2/30'
set interfaces ethernet eth0 vif 496 description 'ACCES TO INTERNET'
set interfaces ethernet eth0 vif 496 firewall local name 'FW_FROM_INET'
set interfaces ethernet eth0 vif 496 vrf 'INET-VRF'

After that the firewall rule is generated:
ubnt2@vyos-g2:~$ sudo iptables -L VYATTA_FW_LOCAL_HOOK -nv
Chain VYATTA_FW_LOCAL_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 FW_FROM_INET all -- eth0.496 * 0.0.0.0/0 0.0.0.0/0

But no packets pass through this rule.
I had to add the master interface to iptables:
ubnt2@vyos-g2:~$ sudo iptables --append VYATTA_FW_LOCAL_HOOK -i INET-VRF --jump FW_FROM_INET

and now I can see incoming packets:
ubnt2@vyos-g2:~$ sudo iptables -L VYATTA_FW_LOCAL_HOOK -nv
Chain VYATTA_FW_LOCAL_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 FW_FROM_INET all -- eth0.496 * 0.0.0.0/0 0.0.0.0/0
5760 665K FW_FROM_INET all -- INET-VRF * 0.0.0.0/0 0.0.0.0/0

Probably this is how the VRF kernel implementation works, but there is no mention of it in the VyOS user guide.

VRF is in its infancy, it's literally two months old. I never used it with firewalling so far, sorry, but you need to check the Linux capabilities yourself. But please enlighten us afterwards.

Maybe zone-based firewalling would be an option, adding the VRF master interface to the zone interface list.

I read the docs; it says:
||
Iptables on ingress supports PREROUTING with skb->dev set to the real
egress device and both INPUT and PREROUTING rules with skb->dev set to
the VRF device. For egress POSTROUTING and OUTPUT rules can be written
using either the VRF device or real egress device.
||
So this is the normal behaviour.
But we have a problem with the firewall when using VRF, because we cannot apply firewall rules to the VRF
master interface. Perhaps in future there will be a way to specify firewall rules in the VRF definition.
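The kernel text quoted above explains the zero counters in the first post: for locally delivered traffic the INPUT path sees skb->dev set to the VRF device, so a local hook rule matched on the enslaved interface eth0.496 never fires. The check below is an added example (not VyOS code and not from the poster): it parses `ip -o link` output for VRF membership and an `iptables -nv` chain listing, flags rules whose `-i` is a VRF slave with no twin rule on the master, and prints the `iptables --append` command used in the thread. The sample listings are constructed from the thread's output, and treating every `master` token as a VRF master is an assumption.

```python
import re

# Constructed sample of `ip -o link show` for the thread's setup: eth0.496 is
# enslaved to INET-VRF. Assumption: every "master <dev>" token names a VRF device.
IP_LINK_OUTPUT = """\
3: INET-VRF: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP mode DEFAULT group default qlen 1000
4: eth0.496@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master INET-VRF state UP mode DEFAULT group default qlen 1000
"""

# Constructed sample of `iptables -L VYATTA_FW_LOCAL_HOOK -nv` as first shown in the thread.
IPTABLES_OUTPUT = """\
Chain VYATTA_FW_LOCAL_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FW_FROM_INET  all  --  eth0.496 *       0.0.0.0/0            0.0.0.0/0
"""

def parse_vrf_members(ip_link_text):
    """Map enslaved interface -> master device from `ip -o link` output."""
    members = {}
    for line in ip_link_text.splitlines():
        m = re.match(r"\d+: ([^:@]+)(?:@\S+)?: <.*?> .*?\bmaster (\S+)", line)
        if m:
            members[m.group(1)] = m.group(2)
    return members

def parse_chain(listing):
    """Parse an `iptables -L <chain> -nv` listing into (chain name, list of rule dicts)."""
    lines = listing.splitlines()
    chain = lines[0].split()[1]
    rules = []
    for line in lines[2:]:            # skip the "Chain ..." line and the column header
        f = line.split()
        if len(f) < 9:
            continue
        rules.append({"pkts": int(f[0]), "target": f[2], "prot": f[3],
                      "in": f[5], "out": f[6], "src": f[7], "dst": f[8]})
    return chain, rules

def unreachable_input_rules(listing, ip_link_text):
    """Rules whose -i is a VRF slave and whose target has no twin rule on the master.
    On the INPUT path skb->dev is the VRF device, so these rules never match."""
    members = parse_vrf_members(ip_link_text)
    chain, rules = parse_chain(listing)
    covered = {(r["in"], r["target"]) for r in rules}
    return [(chain, r, members[r["in"]]) for r in rules
            if r["in"] in members and (members[r["in"]], r["target"]) not in covered]

def suggested_fixes(listing, ip_link_text):
    """The master-interface twin rule for each unreachable rule, in the thread's command form."""
    return [f"iptables --append {chain} -i {master} --jump {r['target']}"
            for chain, r, master in unreachable_input_rules(listing, ip_link_text)]

if __name__ == "__main__":
    for cmd in suggested_fixes(IPTABLES_OUTPUT, IP_LINK_OUTPUT):
        print(cmd)
```

Once the twin rule exists (the second listing in the first post), the check reports nothing; it only reads the listings, it does not change the ruleset.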

@vzotov this is already possible with zone-based firewalling.