Rob,
I never noted I have a problem. The ipset script is the one I currently use. As I recall, the iptables was verbatim from another operator - and it worked as well. I can't recall who gave me that script. The ipset script is the one I edited, per your message in 2018. I have made no updates to the iptables script; and left lots of old notes and comments intact - hence some of the comments may disagree.
I edited it to use ipset approximately 2 years ago, hence the remaining while statement. I'm sure anyone utilizing the ipset script would like it to be as straightforward as possible - are you suggesting (pseudo-code confuses me):
---
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"
cd /var/lib/ampr-ripd || exit 1
# create the set if it does not exist yet, then start from an empty list
ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
# the AMPR gateway itself is always allowed
ipset -A ipipfilter "$AMPRGW"
# add every unique encap endpoint listed in encap.txt
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
    ipset -A ipipfilter "$ip"
done
-----
I tested it and it seems to work. Also believe diffutils doesn't need to be installed, either. I'll update the OpenWrt Wiki.
I only noted it in this particular best practices/tools thread due to messages in SEP2018: https://mailman.ampr.org/mailman/private/44net/2018-September/009294.html
I like to "lock down" my router as much as possible. I do understand we've chatted in the past that my methods may be too paranoid; but I'd prefer to have an extra step to secure the IPENCAP interface.
73,
- Lynwood KB3VWG
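The same encap.txt-to-ipset load, written as an added example (not Lynwood's script or anything from ampr-ripd): it parses the file into a single `ipset restore` batch and swaps the new list in atomically instead of running one ipset command per gateway. The sample encap.txt lines and the gateway address are constructed placeholders; the set name ipipfilter is taken from the post.

```shell
#!/bin/sh
# Added example: build an `ipset restore` batch from encap.txt.

# Constructed sample of encap.txt content (RFC 5737 documentation
# addresses, not real AMPR gateways); a real run reads the file instead.
ENCAP_SAMPLE='route addprivate 44.10.0.0/16 encap 192.0.2.10
route addprivate 44.20.1.0/24 encap 198.51.100.7
route addprivate 44.20.2.0/24 encap 198.51.100.7
# a comment line that must be ignored
route addprivate 44.30.0.0/16 encap 203.0.113.44
'
AMPRGW="192.0.2.1"   # placeholder for the AMPR gateway address

# Read encap.txt-format text on stdin and print the unique encap endpoint
# addresses, one per line. Only "route addprivate ..." lines are accepted
# and only a dotted-quad token after "encap" is passed on, so a stray or
# malformed line cannot feed an unexpected argument into the ipset batch.
encap_gateways() {
    awk '/^route addprivate / {
            for (i = 1; i <= NF; i++)
                if ($i == "encap" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    print $(i+1)
         }' | sort -u
}

# Emit an ipset restore batch: fill a scratch set, then swap it over the
# live ipipfilter set so there is no moment when the list is empty.
ipipfilter_batch() {
    gw="$1"
    printf 'create ipipfilter hash:ip -exist\n'
    printf 'create ipipfilter-new hash:ip -exist\n'
    printf 'flush ipipfilter-new\n'
    printf 'add ipipfilter-new %s\n' "$gw"
    encap_gateways | sed 's/^/add ipipfilter-new /'
    printf 'swap ipipfilter-new ipipfilter\n'
    printf 'destroy ipipfilter-new\n'
}

# On the router:
#   ipipfilter_batch "$AMPRGW" < /var/lib/ampr-ripd/encap.txt | ipset restore
```

Running the batch through `ipset restore` keeps the old list active until the swap, so a partially read encap.txt never leaves the interface with an empty allow-list.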