OpenWrt 22.03.2 second service release

There appears to be a change in fw4 that prevents it from correctly parsing ipsets using the loadfile configuration option. This prevents my device from booting, but I found a workaround, which is to not configure ipsets using loadfile but to list them one by one.

I was on 22.03.1 previously on an RT3200 which was fine (as with all prior releases) using the loadfile configuration for ipsets. When I did a sysupgrade to 22.03.2 and preserved the configuration, the device failed to complete the boot cycle. I reset the device, and then manually reconfigured it line by line until I found the configuration where it started to fail to boot.

Here was the problem area in /etc/config/firewall:

uci set firewall.trusted=ipset
uci set firewall.@ipset[-1].name=trusted
uci set firewall.@ipset[-1].family=ipv4
uci set firewall.@ipset[-1].match=src_mac
uci set firewall.@ipset[-1].loadfile=/etc/trusted_macs
uci commit

The problem is the loadfile configuration option. When I run "fw4 print" with the above configuration lines, fw4 errors out over and over recursively with:

Skipping invalid entry 'null' in file '/etc/trusted_macs' for set 'trusted'

This fw4 error keeps going on indefinitely which prevents the device boot cycle from completing. For those interested, the file for the ipset data is just a text file with mac addresses, one on each line. This file used to work with 22.03.1 and prior versions. Now it errors out in fw4 on 22.03.2. Here is how it was created:

cat <<EOF > /etc/trusted_macs
MAC ADDRESS HERE
ANOTHER MAC ADDRESS HERE
EOF

The workaround was not to use the loadfile command for ipsets but to list each item using the entry option. For example, if I replace my configuration with the following, then fw4 loads correctly and the device now boots again on 22.03.2:

uci set firewall.trusted=ipset
uci set firewall.@ipset[-1].name=trusted
uci set firewall.@ipset[-1].family=ipv4
uci set firewall.@ipset[-1].match=src_mac
uci add_list firewall.@ipset[-1].entry='MAC ADDRESS HERE'
uci add_list firewall.@ipset[-1].entry='ANOTHER MAC ADDRESS HERE'
uci commit
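As an added example (not code from the post above or from OpenWrt), the following script automates the workaround: it reads a loadfile of MAC addresses, validates every line, and emits the equivalent uci add_list commands, rejecting blank or malformed lines up front rather than passing them to fw4. The file contents and MAC addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post or OpenWrt: convert a MAC loadfile
# into explicit 'entry' items (the workaround above), validating each line.

# Returns 0 if $1 is a MAC address: six hex pairs separated by ':'.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Prints one 'uci add_list' command per valid line of file $1. Blank lines
# and '#' comments are skipped; anything else goes to stderr and is counted.
# The return value is the number of rejected lines (0 means all good).
loadfile_to_entries() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')  # drop whitespace / CR
        [ -z "$line" ] && continue
        if is_mac "$line"; then
            printf "uci add_list firewall.@ipset[-1].entry='%s'\n" "$line"
        else
            printf 'rejected line in %s: %s\n' "$file" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample loadfile; the MAC addresses are placeholders.
sample=$(mktemp)
cat <<'EOF' > "$sample"
# trusted devices
00:11:22:33:44:55
AA:BB:CC:DD:EE:FF   # laptop

00:11:22:33:44      # too short: rejected
EOF

echo 'uci set firewall.trusted=ipset'
echo 'uci set firewall.@ipset[-1].name=trusted'
echo 'uci set firewall.@ipset[-1].family=ipv4'
echo 'uci set firewall.@ipset[-1].match=src_mac'
if loadfile_to_entries "$sample"; then
    echo 'uci commit'
else
    echo 'some lines were rejected; fix the file before committing' >&2
fi
rm -f "$sample"
```

Run it on the real loadfile and pipe the output through sh once the rejected-line report is empty.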