Address-group commits with duplicate, but fails when adding rule later.
VyOS 1.1.8
When creating an address-group and adding a range and a single ip that is also in that range, it will commit with warning but then not allow rules referencing the address-group to be committed.

vyos@vyos# commit
[ firewall name ETH0_IN rule 20 source group address-group WOWDCS-ADMIN-IPs ]
Group [WOWDCS-ADMIN-IPs] has not been defined

firewall name ETH0_IN failed
[ firewall name VYOSFW rule 10 source group address-group WOWDCS-ADMIN-IPs ]
Group [WOWDCS-ADMIN-IPs] has not been defined

firewall name VYOSFW failed
Commit failed


Can you check behavior on 1.2 ?

@jwhipple can you confirm that issue exists on 1.2?

This behavior is observed in v1.2-rolling+201810011457.

The range feature is quite problematic since IPset doesn't really support ranges, and "ipset -A foo" really adds 20 addressed to the group "foo". Thus, if you add a range and then add a single address to that range, and then delete that address (or the range), your IPset setup ends up in an inconsistent state where that address is supposed to be there according to the VyOS config, but actually isn't.

The only way to get around it would be to re-create ranges when something is deleted, but do we really want it? For now, disallowing it seems like a sensible solution.
I'm moving the task to 1.3.0 for the time being, this is a design issue we may want to address in the firewall scripts rewrite.

