I'm curious about what you think. I believe the logging of dropped/rejected incoming packets other than the WAN interface doesn't work.
All my interfaces have this option
option log '1'
All reject log entries originate from WAN. Yet I know there were other rejects happening, too.
When I look at nftables there is only a chain called reject_from_WAN but there is no reject_from_MGMT for example for my MGMT interface.
This is a screenshot from my MGMT Firewall zone setting:
I'm especially interested in logging rejected forwarding packets rather than input. That's why my input is set to Allow and forward to Reject.
For testing I configured a device in "Covered devices". The resulting nftables did not change though.
The log option does not really apply to inter-zone forwarded traffic due to the nature of the chain setup.
Log rules are only hit for:
dropped/rejected input traffic on a zone
dropped/rejected forward traffic among interfaces of the same zone (in the majority of cases, zones only have one interface)
dropped/rejected output traffic on a zone
Traffic from one zone to another which does not match any of the specific whitelistings will end up in the generic handle_reject chain or the drop policy of chain forward. The per-zone log options do not really apply there since those locations are not zone specific.
I guess the ruleset generation could be extended to add final log rules to forward_$zone chains in case the global forwarding policy is either reject or drop but this is not the case right now (and was not supported in fw3 either).
Edit: Here's a lightly tested patch that should implement the behavior you were expecting:
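Until a change like the one mentioned lands in firewall4, the behaviour described in the answer can be reproduced by hand on the running ruleset. The script below is an added example, not the author's patch and not firewall4 code: it appends a non-terminal `log` rule to the end of the `forward_<zone>` chain, after the `jump reject_to_<zone>` that only covers same-zone forwards, so packets leaving the zone that matched no forwarding rule are logged just before the tail of the generic `forward` chain rejects or drops them. The zone name `MGMT`, the table `inet fw4`, the rule comment and the sample chain listing are assumptions.

```shell
#!/bin/sh
# Added example (not firewall4 code): log forwarded packets from a zone
# that fall out of forward_<zone> without matching a forwarding rule.
# Assumed: zone "MGMT", table "inet fw4", chain layout as in current fw4.
# The rule only lives in the running ruleset; `fw4 reload` drops it again.
set -eu

# The nft command that appends the log rule. `log` without a verdict does
# not change the packet's fate: after forward_<zone> returns, the tail of
# chain `forward` (jump handle_reject, or the chain's drop policy) decides.
log_rule_cmd() {
    zone="$1"
    printf 'add rule inet fw4 forward_%s counter log prefix "reject %s forward: " comment "manual: log unmatched %s forwards"' \
        "$zone" "$zone" "$zone"
}

# Returns 0 when the given chain listing already carries our log rule,
# so re-running the script does not stack duplicate rules.
has_log_rule() {
    zone="$1"; listing="$2"
    printf '%s\n' "$listing" | grep -qF "log prefix \"reject ${zone} forward: \""
}

# Constructed sample of `nft list chain inet fw4 forward_MGMT` for a MGMT
# zone with forward=REJECT and one allowed forwarding to lan. The final
# `jump reject_to_MGMT` only matches oifname inside MGMT, so MGMT->wan or
# MGMT->other traffic falls through to chain `forward` unlogged.
SAMPLE_CHAIN='table inet fw4 {
	chain forward_MGMT {
		jump accept_to_lan comment "!fw4: Accept MGMT to lan forwarding"
		jump reject_to_MGMT
	}
}'

# Apply the rule on a router; off-router (no nft) just print what would run.
apply_log_rule() {
    zone="$1"
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; would run: nft $(log_rule_cmd "$zone")" >&2
        return 0
    fi
    listing=$(nft list chain inet fw4 "forward_${zone}")
    if has_log_rule "$zone" "$listing"; then
        echo "log rule already present in forward_${zone}" >&2
        return 0
    fi
    # nft joins its arguments and parses them as one statement.
    nft "$(log_rule_cmd "$zone")"
}

apply_log_rule "${1:-MGMT}"
```

Check the result with `nft list chain inet fw4 forward_MGMT` (the log rule must be the last rule) and watch `logread -f` while generating a forward that no rule allows. Because the rule has no verdict, a zone whose traffic the global forward policy drops keeps being dropped and one it rejects keeps being rejected; only the log line is new. Add a `limit rate` expression in front of `log` if the zone sees a lot of unmatched traffic. To survive `fw4 reload`, put the same rule into a fw4 `config include` of `type 'nft'` with `option position 'chain-post'` and `option chain 'forward_MGMT'`, assuming your firewall4 version supports include positions.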