SomeWhereOverTheRainBow
Yea it is definitely a little mind blowing. My working theory is that since the two failing IP addresses are not ranges, they are getting added to the ipset file before the ranges. The ranges are added at the end of the file after all normal IP addresses. So once the IP addresses are loaded, the iptable halts loading the rest of the ipset because the 2 ipset entries are bad. Hence why none of the ranges ever get loaded, because they follow after all single IP addresses in the order in which they are present in the ipset file.

This part of the process is failing before ipset gets the file as input. This is just writing a text file with the ipset commands. The ranges never make it into the file. Strange, for sure.
According to the link above, Skynet is using a single file to load the ipsets. Regular IP addresses are appended to the file first, then ranges found in the filters are appended second. When iptables breaks loading the ipset, it is still at the point of loading just the IP addresses. It never makes it to the point of loading the ranges because the load is breaking due to the bad IP addresses from custom filter lists, which explains why loading works normally if we don't use the lists with the bad addresses.
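An added example, not Skynet's own code and not posted by anyone in this thread, that models the mechanism described in the post above: a shell script takes a raw filter list, orders the entries the way the post says Skynet writes them (single addresses first, CIDR ranges after), shows how a load that aborts on the first malformed line stops partway through the single addresses so no range is ever reached, and then builds an `ipset restore` file with the malformed entries dropped so the load cannot halt. The set name `Skynet-Test`, the `hash:net` set type, the sample list and the function names are all assumptions; the script never calls `ipset` itself.

```shell
#!/bin/sh
# Constructed sample filter list (assumption, not a real Skynet list): four
# single addresses and three ranges, with one bad address and one bad range
# mixed in. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LIST='# example custom filter list
192.0.2.10
198.51.100.7
203.0.113.999
10.0.0.1/40
203.0.113.5
198.51.100.0/24
192.0.2.0/25'

# Return 0 if $1 is a well-formed IPv4 address or IPv4 CIDR, 1 otherwise.
# Checks shape (four octets, optional /prefix), octet range 0-255 and
# prefix range 0-32; it does not check reachability or list policy.
is_valid_ipv4() {
    printf '%s\n' "$1" | awk '{
        n = split($0, p, "/")
        if (n < 1 || n > 2) exit 1
        if (split(p[1], o, ".") != 4) exit 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) exit 1
        if (n == 2 && (p[2] !~ /^[0-9][0-9]?$/ || p[2] + 0 > 32)) exit 1
        exit 0
    }'
}

# Print the entries of list $1 in the order the post describes: every
# single address first, then every CIDR range. Blank and comment lines
# are dropped. No validation happens here on purpose.
ordered_entries() {
    list="$1"
    for pass in single range; do
        printf '%s\n' "$list" | while IFS= read -r entry; do
            case "$entry" in ''|'#'*) continue ;; esac
            case "$entry" in */*) kind=range ;; *) kind=single ;; esac
            [ "$kind" = "$pass" ] || continue
            printf '%s\n' "$entry"
        done
    done
}

# Model of a loader that stops at the first malformed entry: walk list $1
# in Skynet order and print how many entries would have loaded before the
# halt (return 1), or the full count if nothing is malformed (return 0).
# With a bad single address present, no range is ever reached.
count_loaded_before_abort() {
    loaded=0
    while IFS= read -r entry; do
        if ! is_valid_ipv4 "$entry"; then
            echo "$loaded"
            return 1
        fi
        loaded=$((loaded + 1))
    done <<EOF
$(ordered_entries "$1")
EOF
    echo "$loaded"
}

# Write an "ipset restore" input file $3 for set $1 from list $2, skipping
# malformed entries (reported on stderr) instead of writing them, so a later
# restore cannot abort in the middle. Prints the number of add lines written.
build_restore_file() {
    set_name="$1"; out="$3"
    printf 'create %s hash:net family inet\n' "$set_name" > "$out"
    while IFS= read -r entry; do
        if is_valid_ipv4 "$entry"; then
            printf 'add %s %s\n' "$set_name" "$entry" >> "$out"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done <<EOF
$(ordered_entries "$2")
EOF
    grep -c '^add ' "$out"
}

# Usage (assumed file names):
#   . ./filter_check.sh
#   count_loaded_before_abort "$(cat custom.list)"      # prints 2 for SAMPLE_LIST
#   build_restore_file Skynet-Test "$(cat custom.list)" /tmp/skynet.restore
#   ipset restore -! < /tmp/skynet.restore
```

On the sample list the abort model reports 2: the first two single addresses load, the third is malformed, and the three ranges (two of them valid) are never reached, which is the pattern the post describes. The restore file built afterwards contains the five valid entries and none of the malformed ones, and the lines printed on stderr tell you exactly which filter-list entries to fix. `ipset restore -!` (`-exist`) is used so re-adding an entry that is already in the set is not itself treated as an error.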