Tested on VyOS 1.4-rolling-202201100317, on also on previous 1.4-2022 versions
Its not possible to add rules that contains "matches everything except" pattern.
Neither of this works (they where all tested separately, in fresh install):
set firewall name FOO rule 10 protocol !gre set firewall name FOO rule 10 source address !198.51.100.1 set firewall name FOO rule 10 source port !22
I can see the fix, but now trying invert selection on tcp flags doesn't work
vyos@vyos# run show config comm | grep fire
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags 'syn'
set firewall name FOO rule 40 action 'accept'
set firewall name FOO rule 40 protocol '!gre'
[edit]
vyos@vyos# set firewall name FOO rule 10 tcp flags !syn
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall
[[firewall]] failed
Commit failed
[edit]
vyos@vyos# set firewall name FOO rule 10 tcp flags
Possible completions:
<text> Multiple comma-separated flags
syn Syncronise flag
ack Acknowledge flag
fin Finish flag
rst Reset flag
urg Urgent flag
psh Push flag
When specifying more than one flag, flags should be comma-separated.
For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with
the SYN flag set, and the ACK, FIN and RST flags unsetSolved:
vyos@vyos# run show config comm | grep fire
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags not ack
set firewall name FOO rule 10 tcp flags syn
set firewall name FOO rule 40 action 'accept'
set firewall name FOO rule 40 protocol '!gre'
[edit]
vyos@vyos# sudo nft list chain ip filter NAME_FOO
table ip filter {
chain NAME_FOO {
tcp flags & (syn | ack) == syn counter packets 0 bytes 0 return comment "FOO-10"
meta l4proto != gre counter packets 0 bytes 0 return comment "FOO-40"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}