Hello,
I spent a bit of time looking into this problem and I must say BanIP does not work on AXT1800 (please note the topic starter is speaking about AX1800, but I think it makes no difference in this case) v.4.0.1 - 4.6.8. And I believe the reason is the strange behavior of ipset. Therefore, I have a question for GL.iNet staff: does the AXT1800 firmware include the standard version of ipset, or is this a somehow modified one?
Explanation:
AXT1800 v.4.0.1 - 4.6.8 is built on top of OpenWrt 21.02-SNAPSHOT r16399+159 -> OpenWrt 21.02-SNAPSHOT r16399+173-c67509efd7 and uses kernel 4.4.6.
I unpacked AXT1800 v.4.0.1, 4.0.2, 4.0.3 firmware and tried the included versions of ipset (together with ipset I copied from my 2 working ATX running v4.2 and 4.6 firmware - they have different timestamps but behave identically)
For comparison's sake I was using a GL.iNet GL-MT2500 running v4.2.0, built on top of OpenWrt 21.02-SNAPSHOT r15812+878-46b6ee7ffc and running kernel v. 5.4.211.
First of all, ipset running on AXT1800 complains about the protocol mismatch (a screenshot showing output of ipset running on AXT1800 and MT2500, side by side):
Second, and the most important observation: when one runs the command "ipset list", the reported ipsets don't include the line "Number of entries", as shown on the following screenshot:
Interesting that the x64 "OpenWrt 21.02.0-rc3 r16172-2aba3e9784" build does not have this problem either and properly returns existing ipsets:
banip.sh reads info about existing ipsets and extracts the number of entries as shown before:
>cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
and uses the var. cnt later in the f_iptables call. Since cnt is set to NULL, nil or None (whatever programming language you speak), when accessed the error "out of range" is generated, end of story.
So at this point, before I spend more time on it, I would like to know if someone knows why ipset included in AXT1800 firmware returns incomplete info, i.e. the entry "Number of entries" is missing in ipset reports?
Thanks!
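The failure mode described in the post above, as an added example that is not part of the original post and not banIP's own code: a count extraction that still yields a number when `ipset list` omits the "Number of entries:" line, by counting the lines after "Members:" instead. The function names, set names and abridged sample listings are constructed for illustration.

```shell
# Added example, not banIP code. Function names and sample data are constructed.

# Read `ipset list` text on stdin and print "<set> <count>" for every set.
# Prefers "Number of entries:"; otherwise counts the lines after "Members:".
ipset_counts() {
    awk '
        function emit() {
            if (name != "") print name, (reported != "" ? reported : members)
        }
        /^Name: /              { emit(); name = $2; reported = ""; members = 0; in_m = 0; next }
        /^Number of entries: / { reported = $4; next }
        /^Members:/            { in_m = 1; next }
        /^[ \t]*$/             { in_m = 0; next }
        in_m                   { members++ }
        END                    { emit() }
    '
}

# Print the count for one set, or 0 if the set is absent, so the caller
# never ends up with an empty variable in a numeric comparison.
entry_count_for() {
    cnt="$(ipset_counts | awk -v s="$1" '$1 == s { print $2; exit }')"
    printf '%s\n' "${cnt:-0}"
}

# Constructed, abridged listing without "Number of entries:" (the reported case).
sample_without_header() {
    cat <<'EOF'
Name: blocklist_a
References: 1
Members:
192.0.2.0/24
198.51.100.7
203.0.113.0/24

Name: blocklist_b
References: 0
Members:
EOF
}

# Constructed, abridged listing that does carry the header line.
sample_with_header() {
    cat <<'EOF'
Name: blocklist_a
References: 1
Number of entries: 2
Members:
192.0.2.0/24
198.51.100.7
EOF
}
```

On a router the listing would come from `ipset list` piped into `entry_count_for <set name>`.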