You are correct. IP firewall filter does not apply to dhcp-client.
I have already requested to change this (Ticket#2018042422003031).
However, this is by design and will not be changed.
The work around is to create bridge for the WAN interface (if not already bridged) and apply bridge filter, e.g.
/interface bridge
add name=bridge-wan
/interface bridge port
add bridge=bridge-wan interface=ether1
/interface bridge filter
add action=log chain=input comment="rogue dhcp reply" dst-port=68 in-bridge=bridge-wan \
ip-protocol=udp log-prefix="[Rogue DHCP]" mac-protocol=ip \
src-address=!x.x.x.x/32 src-port=67
Where x.x.x.x is the IP address of your authoritative DHCP server.
Better, upgrade to 6.40.8, 6.42.2 or >=6.43rc7 in which the (unicast) dhcp renewal is fixed:
*) dhvpv4-client - fixed DHCP client stuck in renewing state;