I tested this feature with the following firewall config:

set firewall group domain-group DG_TEST address 'nu.nl'
set firewall group domain-group DG_TEST address 'www.nu.nl'
set firewall interface eth1 out name 'ETH1_OUT'
set firewall name ETH1_OUT default-action 'accept'
set firewall name ETH1_OUT rule 10 action 'drop'
set firewall name ETH1_OUT rule 10 destination group domain-group 'DG_TEST'

I can update the documentation when the feature is implemented.

Confirmed to work correctly on version VyOS 1.4-rolling-202207180802.

In T3435#115394, @n.fort wrote:

Error still present on VyOS 1.4-rolling-202201020317

vyos@vyos:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 114, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
IndexError: list index out of range
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
vyos@vyos:~$ show ver

Version:          VyOS 1.4-rolling-202201020317
Release train:    sagitta

Nat config in this example:

vyos@vyos:~$ show config comm | grep nat
set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'

@Viacheslav
Yes, the output of show ip route and sudo ip route are after a reboot.

Just tested this on VyOS 1.4-rolling-202207111030, with the following commands:

I see that the pull request was accepted. I just tested it with the latest rolling and it seems to work as expected.
Thanks a lot!

Because with a rule like that I accept everything coming from nl from wan to lan, or I would need to add the source nl to every rule. That's why I did it with a deny not coming from nl on top, and then specific rules for the traffic that I want to accept.

I just tested it on VyOS 1.4-rolling-202206260217, everything seems to work so far!
It would be nice to also have the negate option, something like:

I saw that the new build was online, so I added the image, rebooted and tried to issue the command again.
Everything seems to work, no error when committing and the route is added.

I will test with the new release and report my results.
Thank you very much!

I only know some python but that looks like the part that gets the gateway from the lease file.
My simple mind would say that the underscore needs to be replaced with a dot, but I have no idea if it really is that simple.