nanog mailing list archives

Juniper QFX5100 VLAN flood input filter doesn't work


From: Stanislaw <me () nek0 net>
Date: Wed, 08 Nov 2017 00:06:50 +0200

Hello, list (again),

I've been trying to use a VLAN BUM traffic filter on QFX5100. The configuration on the test VLAN was quite trivial:

Model: qfx5100-48s-6q
Junos: 17.2R2.8

# show vlans Testvlan
vlan-id 4030;
forwarding-options {
    filter {
        input Testvlan-ingress;
    }
    flood {
        input Testvlan-flood;
    }
}

I connected two linux hosts to the test VLAN:
# show interfaces ge-0/0/42
unit 0 {
    family ethernet-switching {
        vlan {
            members Testvlan;
        }
    }
}

# show interfaces ge-0/0/43
unit 0 {
    family ethernet-switching {
        vlan {
            members Testvlan;
        }
    }
}

The firewall filter was quite simple:
# show firewall family ethernet-switching filter Testvlan-ingress
term accept {
    then accept;
}


The flood input filter I was trying to use:
According to the documentation, only Broadcast, Unknown unicast and Multicast (BUM) traffic goes here. The regular unicast traffic should be left intact by it.
# show firewall family ethernet-switching filter Testvlan-flood
term allow_arp {
    from {
        ether-type arp;
    }
    then accept;
}
term allow_ipv6_ns {
    from {
        destination-mac-address {
            33:33:ff:00:00:00/24;
        }
        ether-type 0x86dd;
    }
    then accept;
}

term discard_all {
    then discard;
}

I started hosts to ping (and sniff) each other. And I saw only ARP requests/responses.

"show ethernet-switching table" displayed that both hosts' MACs were successfully learned, thus traffic between them should be considered regular unicast.

However, the last term in Testvlan-flood filter was blocking it.
If I replace it with "accept" - traffic begins to flow.

Are there any Juniper QFX gurus here? I would really appreciate some advice.
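Added example, not part of the original message and not Junos code: a small Python model of the flood-filter semantics as the documentation describes them (only broadcast, multicast and unknown-unicast frames are evaluated by the flood filter; known unicast bypasses it), with the posted Testvlan-flood filter transcribed as terms. The host MACs and frames are constructed. It shows what the documentation predicts for the traffic described above (ARP and ICMP echo between two learned MACs are both forwarded), and also that the posted filter's last term would discard IPv6 frames to the all-nodes group 33:33:00:00:00:01 (router advertisements), because only the solicited-node prefix 33:33:ff:00:00:00/24 is accepted. It models the documented behaviour, not what was actually observed on the QFX5100.

```python
"""Model of a Junos-style VLAN flood input filter (constructed illustration).

Documented semantics: frames whose destination MAC is broadcast, multicast,
or a unicast address missing from the MAC table ("BUM") are evaluated by the
flood filter; known unicast is forwarded without consulting it.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_in_prefix(mac: str, prefix: str) -> bool:
    """Match a MAC against a 'xx:xx:xx:00:00:00/24'-style prefix (high bits)."""
    base, _, plen = prefix.partition("/")
    bits = int(plen) if plen else 48
    mask = ((1 << bits) - 1) << (48 - bits)
    return (mac_to_int(mac) & mask) == (mac_to_int(base) & mask)


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    ether_type: int


@dataclass(frozen=True)
class Term:
    name: str
    action: str  # "accept" or "discard"
    ether_type: Optional[int] = None
    dst_mac_prefix: Optional[str] = None

    def matches(self, f: Frame) -> bool:
        if self.ether_type is not None and f.ether_type != self.ether_type:
            return False
        if self.dst_mac_prefix is not None and not mac_in_prefix(f.dst_mac, self.dst_mac_prefix):
            return False
        return True


# The posted Testvlan-flood filter, transcribed term by term.
TESTVLAN_FLOOD = [
    Term("allow_arp", "accept", ether_type=ETHERTYPE_ARP),
    Term("allow_ipv6_ns", "accept", ether_type=ETHERTYPE_IPV6,
         dst_mac_prefix="33:33:ff:00:00:00/24"),
    Term("discard_all", "discard"),
]


def classify(f: Frame, mac_table: Set[str]) -> str:
    """Broadcast / multicast / known-unicast / unknown-unicast."""
    dst = f.dst_mac.lower()
    if dst == BROADCAST:
        return "broadcast"
    if mac_to_int(dst) & (1 << 40):  # I/G bit: LSB of the first octet
        return "multicast"
    return "known-unicast" if dst in mac_table else "unknown-unicast"


def forward(f: Frame, mac_table: Set[str], flood_filter) -> Tuple[str, str]:
    """Return (traffic class, verdict) under the documented semantics."""
    kind = classify(f, mac_table)
    if kind == "known-unicast":
        return kind, "forwarded"  # flood filter is not consulted
    for term in flood_filter:
        if term.matches(f):
            return kind, "forwarded" if term.action == "accept" else "discarded"
    return kind, "discarded"  # Junos filters end with an implicit discard


def run_scenario() -> dict:
    """Two learned hosts (constructed MACs) and the frames the post describes."""
    mac_table = {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}  # from the MAC table
    frames = {
        "arp-request": Frame(BROADCAST, ETHERTYPE_ARP),
        "icmp-echo-known-unicast": Frame("02:00:00:00:00:0b", ETHERTYPE_IPV4),
        "ipv4-unknown-unicast": Frame("02:00:00:00:00:0c", ETHERTYPE_IPV4),
        "ipv6-neighbor-solicitation": Frame("33:33:ff:00:00:0b", ETHERTYPE_IPV6),
        "ipv6-router-advertisement": Frame("33:33:00:00:00:01", ETHERTYPE_IPV6),
    }
    return {name: forward(f, mac_table, TESTVLAN_FLOOD) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (kind, verdict) in run_scenario().items():
        print(f"{name:28s} {kind:16s} {verdict}")
```

The known-unicast check stands in for the switch's MAC table lookup ("show ethernet-switching table"); a frame whose destination is in that table never reaches the flood filter in this model, which is the behaviour the poster expected from the documentation.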

