Brief info
If a network address in a group has a /32 or /128 netmask, it cannot be removed from that group.
Reproducing
- Add two networks to groups:
    set firewall group network-group ng01 network 192.0.2.0/32
    set firewall group ipv6-network-group ng02 network 2001:db8::/128
    commit
- Check ipset status:
    vyos@vyos# sudo ipset list
    Name: ng01
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 512
    References: 0
    Number of entries: 1
    Members:
    192.0.2.0

    Name: ng02
    Type: hash:net
    Revision: 6
    Header: family inet6 hashsize 1024 maxelem 65536
    Size in memory: 1344
    References: 0
    Number of entries: 1
    Members:
    2001:db8::
- Try to delete items:
    [edit]
    vyos@vyos# delete firewall group network-group ng01 network 192.0.2.0/32
    [edit]
    vyos@vyos# delete firewall group ipv6-network-group ng02 network 2001:db8::/128
    [edit]
    vyos@vyos# commit
    [ firewall group network-group ng01 ]
    Error: member [192.0.2.0/32] does not exist in [01f21b94-df6d-4975-abeb-5dc159b]

    [ firewall group ipv6-network-group ng02 ]
    Error: member [2001:db8::/128] does not exist in [fe0c619d-ceda-4fcc-8765-69dd4df]
Possible reasons
The problem seems to occur because the configuration script checks whether a member already exists by plain text comparison, while the element inside the ipset is printed in a different form: the ipset shows 192.0.2.0 (no netmask for a single host) whereas the configured item is 192.0.2.0/32.
Recommended solution
I think that the optimal way to solve the problem is to add netmasks to elements extracted from an ipset, or to remove them from configured items for networks with netmasks /32 or /128, depending on what will be easier.
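The mismatch described above, and a normalization that avoids it, as an added example that is not VyOS code: the `ipset list` text is the output quoted in this report, embedded as a constructed string, and `parse_ipset_list`, `normalize` and `member_exists` are hypothetical helper names rather than functions from the VyOS configuration scripts. ipset prints a /32 or /128 member of a hash:net set without its prefix, so the CLI value 192.0.2.0/32 never matches by string comparison; parsing both sides with Python's `ipaddress` module yields one canonical form. The example also canonicalizes mixed-case or uncompressed IPv6 text, which goes beyond the /32 and /128 case in the report.

```python
import ipaddress

# Constructed sample: the `ipset list` output quoted in this report.
IPSET_LIST_OUTPUT = """\
Name: ng01
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 512
References: 0
Number of entries: 1
Members:
192.0.2.0

Name: ng02
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1344
References: 0
Number of entries: 1
Members:
2001:db8::
"""


def parse_ipset_list(text):
    """Return {set_name: [member strings]} from `ipset list` text (hypothetical helper)."""
    sets = {}
    current = None
    in_members = False
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):].strip()
            sets[current] = []
            in_members = False
        elif line.strip() == "Members:":
            in_members = True
        elif in_members and line.strip():
            # A member line may carry options after the network (e.g. a comment);
            # the network itself is always the first token.
            sets[current].append(line.split()[0])
        elif not line.strip():
            # Blank line ends the member list of the current set.
            in_members = False
    return sets


def normalize(member):
    """Canonical 'address/prefix' text for either the ipset form or the CLI form.

    ip_network() supplies /32 or /128 when no prefix is present and compresses
    IPv6 text, so '192.0.2.0' and '192.0.2.0/32' map to the same string.
    strict=True keeps host bits as an error rather than silently masking them.
    """
    return str(ipaddress.ip_network(member, strict=True))


def naive_member_exists(config_value, ipset_members):
    """The text comparison the report describes: fails for /32 and /128 members."""
    return config_value in ipset_members


def member_exists(config_value, ipset_members):
    """Compare after normalizing both sides."""
    want = normalize(config_value)
    return any(normalize(m) == want for m in ipset_members)


if __name__ == "__main__":
    sets = parse_ipset_list(IPSET_LIST_OUTPUT)
    for group, value in (("ng01", "192.0.2.0/32"), ("ng02", "2001:db8::/128")):
        print(group, value,
              "naive:", naive_member_exists(value, sets[group]),
              "normalized:", member_exists(value, sets[group]))
```

Running the block shows the naive check returning False for both groups while the normalized check returns True; applying the same normalization to the configured value before the existence check (or, equivalently, to the ipset members after extraction) resolves the delete-time error in either of the two ways the report proposes.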