
Firewall: can't use negated groups in firewall rules
Closed, Resolved | Public | BUG

Description

hi,

Since the firewall rewrite in 1.4 rolling, negated groups (prefixed with "!") can't be used in firewall rules at all.

Example:

set firewall group network-group internal_net network '10.0.0.0/8'
set firewall name A-FROM-B rule 1 action 'drop'
set firewall name A-FROM-B rule 1 description 'drop traffic from non-internal networks (anti spoofing)'
set firewall name A-FROM-B rule 1 log 'enable'
set firewall name A-FROM-B rule 1 source group network-group '!internal_net'
stannert@vyos# commit
[ firewall ]
Invalid network-group "!internal_net" on firewall rule

[[firewall]] failed
Commit failed
[edit]

Running fine on VyOS 1.4-rolling-202109280217:

stannert@tony# sudo iptables -L | grep A-FROM-B
Chain A-FROM-B (1 references)
LOG        all  --  anywhere             anywhere             /* A-FROM-B-1 */ ! match-set internal_net src LOG level warning prefix "[A-FROM-B-1-D] "
DROP       all  --  anywhere             anywhere             /* A-FROM-B-1 */ ! match-set internal_net src
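As an added illustration (not VyOS code, and not the reporter's), here is the check one would expect the config parser to perform: strip a single leading "!" from the group reference, look up only the bare group name, and render the negated set match the working 2021 build produced. The regexes, the sample config and the rendered iptables command form are assumptions made for this example.

```python
import re

# Constructed sample input: the anti-spoofing rule from this report.
SAMPLE_CONFIG = """
set firewall group network-group internal_net network '10.0.0.0/8'
set firewall name A-FROM-B rule 1 action 'drop'
set firewall name A-FROM-B rule 1 source group network-group '!internal_net'
"""

GROUP_RE = re.compile(r"^set firewall group network-group (\S+) network '([^']+)'$")
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (action|source group network-group) '([^']+)'$")


def split_negation(ref):
    """'!internal_net' -> (True, 'internal_net'); 'internal_net' -> (False, 'internal_net')."""
    negated = ref.startswith("!")
    name = ref[1:] if negated else ref
    # Exactly one optional leading '!' is allowed; an empty or doubly negated name is invalid.
    if not name or name.startswith("!"):
        raise ValueError(f'Invalid network-group "{ref}" on firewall rule')
    return negated, name


def render_rules(config):
    """Validate every network-group reference by its bare name, then emit iptables equivalents."""
    groups, rules = {}, {}
    for line in config.strip().splitlines():
        if m := GROUP_RE.match(line):
            groups.setdefault(m[1], []).append(m[2])
        elif m := RULE_RE.match(line):
            rules.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
    out = []
    for (chain, num), attrs in sorted(rules.items()):
        ref = attrs["source group network-group"]
        negated, name = split_negation(ref)
        # Look up the bare name, so a negated reference to a defined group is accepted
        # (the page's error message is reused here for an undefined group).
        if name not in groups:
            raise ValueError(f'Invalid network-group "{ref}" on firewall rule')
        match = f"-m set {'! ' if negated else ''}--match-set {name} src"
        out.append(f"iptables -A {chain} {match} -m comment --comment {chain}-{num} -j {attrs['action'].upper()}")
    return out


if __name__ == "__main__":
    for rule in render_rules(SAMPLE_CONFIG):
        print(rule)
```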

Details

Version: VyOS 1.4-rolling-202201270317
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)