If we try to configure a port group that contains the same port both as a standalone entry and inside a range, the router accepts the configuration and allows it to be committed and saved, but ipset does not create the set properly:
[edit]
vyos@test-06# set firewall group port-group PORTSET1 port 100
[edit]
vyos@test-06# set firewall group port-group PORTSET1 port 200
[edit]
vyos@test-06# set firewall group port-group PORTSET1 port 150-250
vyos@test-06# commit
[ firewall group port-group PORTSET1 ]
ipset v6.23: Element cannot be added to the set: it's already added
Error: call to ipset failed [256]
[edit]
vyos@test-06# show firewall group port-group PORTSET1
{
 port 100
 port 200
 port 150-250
}
[edit]
vyos@test-06# sudo ipset list
[edit]
vyos@test-06#
The second problem is that the member_exists function does not work for port ranges at all, because ipset does not accept a range in a test command:
root@test-06:/home/vyos# ipset -T TEST1 100-200
ipset v6.23: FROM-TO port range is not allowed in command test with set type bitmap:port and family unspec
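
One way to catch both problems before ipset is called, as an added example that is not VyOS code: an overlap check to run at commit time and a range-aware membership test evaluated on the configured members instead of `ipset -T`. The function names are hypothetical, and treating a range as "present" only when every port in it is covered is an assumption.

```python
# Added example, not VyOS code: function names are hypothetical.

def parse_member(member):
    """Turn '100' or '150-250' into an inclusive (start, end) tuple."""
    first, sep, last = member.partition("-")
    start = int(first)
    end = int(last) if sep else start
    if not (0 <= start <= end <= 65535):
        raise ValueError(f"invalid port or range: {member!r}")
    return start, end


def find_overlaps(members):
    """Return pairs of members that share at least one port.

    This is the condition under which ipset reports
    "Element cannot be added to the set: it's already added".
    """
    spans = sorted((parse_member(m), m) for m in members)
    overlaps = []
    for i, ((_, end_a), name_a) in enumerate(spans):
        for (start_b, _), name_b in spans[i + 1:]:
            if start_b > end_a:
                break  # sorted by start, so no later span can overlap
            overlaps.append((name_a, name_b))
    return overlaps


def member_exists(members, candidate):
    """Range-aware membership test done on the configured members,
    since `ipset -T` rejects FROM-TO ranges for bitmap:port sets.
    True only if every port of candidate is covered (assumption)."""
    start, end = parse_member(candidate)
    covered = start
    for (s, e), _ in sorted((parse_member(m), m) for m in members):
        if s > covered:
            break  # gap before the next configured span
        covered = max(covered, e + 1)
        if covered > end:
            return True
    return False


# Constructed input: the port group from the report above.
PORTSET1 = ["100", "200", "150-250"]
```

Rejecting the commit when `find_overlaps` returns a non-empty list keeps the saved configuration and the kernel set consistent, so firewall rules that reference the group are not left pointing at a set that was never created.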