MerlinAU MerlinAU v1.4.6 - The Ultimate Firmware Auto-Updater (WEBUI + GNUTON SUPPORT!)

[ExtremeFiretop]

Sorry, I missed tht memo. Its all good!

No worries. Looking at the messaging it's not clear either that the script update function can work 2 ways. So I will probably adjust the wording as well , hopefully between that and the checkbox being grayed out it will make more sense why it auto updates when you hit the button

 

[kriukas]

MerlinAU 1.4.6 Released!

As always, we highly recommend you update ASAP as this includes functional improvements and little bug fixes.
Thanks!

Some bugs:

1. Correct F/W brach is selected for an update, but incorrect ChangeLog is offered for review (confusion):

1. Correct F/W brach is selected for an update, but incorrect ChangeLog is offered for review (confusion):
      __  __           _ _               _    _
     |  \/  |         | (_)         /\  | |  | |
     | \  / | ___ _ __| |_ _ __    /  \ | |  | |
     | |\/| |/ _ | '__| | | '_ \  / /\ \| |  | |
     | |  | |  __| |  | | | | | |/ ____ | |__| |
     |_|  |_|\___|_|  |_|_|_| |_/_/    \_\____/ v1.4.6

============ By ExtremeFiretop & Martinski W. ============

----------------------------------------------------------
  Router's Product Name/Model ID:  GT-AXE16000      (H)ide
  USB-Attached Storage Connected:  True
  F/W Variant Configuration Found: Merlin
  F/W Version Currently Installed: 3004.388.8.4
  F/W Update Version Available:    3006.102.4.0   <<<<
  F/W Update Estimated Run Date:   2025-05-25 05:00:00
----------------------------------------------------------

2. lo.  Log Options Menu

3. cl.  View Latest F/W Changelog

----------------------------------------------------------
Enter selection:  cl


Retrieving Changelog-NG.txt ...

Changelog file is ready to review!

Press 'q' to quit when finished.

5. Press <Enter> to continue...

6. This one:

Asuswrt-Merlin Changelog
========================

3004.388.9_2 (28-Apr-2025)

<............>

3004.388.9 (9-Apr-2025)
  - NOTE: BCM4912 models such as the GT-AX6000 have now been
         migrated to the 3006 firmware series.

 

[kriukas]

The same bug, but in WEBUI - scripts loads outdated ChangeLog branch - NG (3004) versus 3006. While not in the immediate future, this if left unfixed, will strike again.

 

[ExtremeFiretop]

The same bug, but in WEBUI - scripts loads outdated ChangeLog branch - NG (3004) versus 3006. While not in the immediate future, this if left unfixed, will strike again.

The code for Changelog currently doesn't have logic for the router models doing a jump between the firmware branches.

Once you update to 3006 it will grab the correct Changelog. Thanks for reporting.

 

[kriukas]

WEBUI "Approve changelog" option is passivated for any input/changes. In principle, it is correct, that it is passive in the 3004->3006 branch migration, as per best-practices, full factory reset should be done? But in such case, any attempt to execute actual F/W update must be restricted until ChangeLog is confirmed, right?

There is no change in its state AFTER the ChangeLog is retrieved (either correct or not). It is left unknown, if there was any code for blocking changes detection executed, and what has been the conclusion. Are they allowed to be overriden?

Pop-up style dynamic help would be nice to understand the state/consequences...

P.S. ChangeLog cannot by browsed by direction keys - none work at all. Only mouse. Touch screen and mouse prisson?

 

[kriukas]

No password setting vs. access restrictions disablement?

AMTM-MENU versions does not allow to set password, if there is "Access restriction list (Max Limit : 4)" mode set. Yet, WEBUI - allows! For me personally, this is not an issue, but fortunate workaround, because, I do not want to set one of precious access-restrictions entry as per MerlinAU requirement, to point to itself.

What is the issue - is not allowing to set password from ATMT-MENU, because my access restrictions are not simple IP's, but are the subnets. And of course, if subnet is "wider" than router LAN IP and does not include router IP per-se, MerlinAU does not evaluate if router's LAN IP belongs to any of the 4 restriction entries, or not. Nor it should do such a complex input validation - it should *warn* only. A F/W update not by factory procedure automatically means, that the person is either qualified or bear the consequencies. There are many modes of protection, which will block MerlinAU script access to firmware, and script shouldn't try to implement gAI-level solutions.

 

[kriukas]

The code for Changelog currently doesn't have logic for the router models doing a jump between the firmware branches.
Once you update to 3006 it will grab the correct Changelog. Thanks for reporting.

Thats OK. From G [User] I perspective, such GUI items should be disabled then, until development catches on?...

Thought, maybe postpone upgrade, if there are bugs left - might be a firing ground left for tests...

 

[ExtremeFiretop]

No password setting vs. access restrictions disablement?

AMTM-MENU versions does not allow to set password, if there is "Access restriction list (Max Limit : 4)" mode set. Yet, WEBUI - allows! For me personally, this is not an issue, but fortunate workaround, because, I do not want to set one of precious access-restrictions entry as per MerlinAU requirement, to point to itself.

What is the issue - is not allowing to set password from ATMT-MENU, because my access restrictions are not simple IP's, but are the subnets. And of course, if subnet is "wider" than router LAN IP and does not include router IP per-se, MerlinAU does not evaluate if router's LAN IP belongs to any of the 4 restriction entries, or not. Nor it should do such a complex input validation - it should *warn* only. A F/W update not by factory procedure automatically means, that the person is either qualified or bear the consequencies. There are many modes of protection, which will block MerlinAU script access to firmware, and script shouldn't try to implement gAI-level solutions.

WEBUI "Approve changelog" option is passivated for any input/changes. In principle, it is correct, that it is passive in the 3004->3006 branch migration, as per best-practices, full factory reset should be done? But in such case, any attempt to execute actual F/W update must be restricted until ChangeLog is confirmed, right?

There is no change in its state AFTER the ChangeLog is retrieved (either correct or not). It is left unknown, if there was any code for blocking changes detection executed, and what has been the conclusion. Are they allowed to be overriden?

Pop-up style dynamic help would be nice to understand the state/consequences...

P.S. ChangeLog cannot by browsed by direction keys - none work at all. Only mouse. Touch screen and mouse prisson?

I'm not sure I'm following, can you clearly identify what the issue is your experiencing?

Provide examples please.

 

[ExtremeFiretop]

MerlinAU does not evaluate if router's LAN IP belongs to any of the 4 restriction entries, or not. Nor it should do such a complex input validation - it should *warn* only.

Yes it does;

Look at PR: https://github.com/ExtremeFiretop/MerlinAutoUpdate-Router/pull/294
And PR: https://github.com/ExtremeFiretop/MerlinAutoUpdate-Router/pull/295

Can you provide actual photos or logs/examples of the issue your experiencing?

 

[kriukas]

Yes it does;

Look at PR: https://github.com/ExtremeFiretop/MerlinAutoUpdate-Router/pull/294
And PR: https://github.com/ExtremeFiretop/MerlinAutoUpdate-Router/pull/295

Can you provide actual photos or logs/examples of the issue your experiencing?

As I said, from OP, 1st paragraph:

AMTM-MENU versions does not allow to set password, if there is "Access restriction list (Max Limit : 4)" mode set. Yet, WEBUI - allows!

Your PRs are correct: they cover WebUI. They do not tell anything about AMTM-MENU („CLI“) version. Hypothesis: there is no subnet validation in CLI version?

Regarding the examples - I gladly would. May you please double-check the hypothesis above before, is it OK?

 

[ExtremeFiretop]

As I said, from OP, 1st paragraph:

AMTM-MENU versions does not allow to set password, if there is "Access restriction list (Max Limit : 4)" mode set. Yet, WEBUI - allows!

Your PRs are correct: they cover WebUI. They do not tell anything about AMTM-MENU („CLI“) version. Hypothesis: there is no subnet validation in CLI version?

Regarding the examples - I gladly would. May you please double-check the hypothesis above before, is it OK?

hypothesis above is wrong. The PR I showed you is specific for the CLI and has nothing to do with the WebUI.

Please provide the required examples.

 

[ExtremeFiretop]

As I said, from OP, 1st paragraph:

AMTM-MENU versions does not allow to set password, if there is "Access restriction list (Max Limit : 4)" mode set. Yet, WEBUI - allows!

Your PRs are correct: they cover WebUI. They do not tell anything about AMTM-MENU („CLI“) version. Hypothesis: there is no subnet validation in CLI version?

Regarding the examples - I gladly would. May you please double-check the hypothesis above before, is it OK?

For example, here it is working as expected for me:

It's important you show us where your getting stuck in the CLI and how your Web Access restrictions are configured; and give us step by step instructions on how you recreate the problem.
Even if you tell us the message your seeing that's not enough, for example this error:

Can be found both BEFORE and AFTER the login test runs. It's important to know where you get stuck; we can only help when we fully understand the problem/picture.
I understand your having issues with Web Access restrictions, outside of that I need more info.

 

[kriukas]

hypothesis above is wrong. The PR I showed you is specific for the CLI and has nothing to do with the WebUI.
Please provide the required examples.

Thank you for clarification - I needed one before art bellow . Here all is:



and the result:



EDIT: if the warning message in red and fix with 2nd line is implemented as per exact message wording - the functioning is correct from user's perspective, see below:

Meanwhile:



Greenlights:



As I said - I had a workaround in WebUI.

 

[ExtremeFiretop]

Thank you for clarification - I needed one before art bellow . Here all is:

View attachment 65839

and the result:

View attachment 65844

EDIT: if the warning message in red and fix with 2nd line is implemented as per exact message wording - the functioning is correct from user's perspective, see below:

Meanwhile:

View attachment 65848

Greenlights:

View attachment 65847

As I said - I had a workaround in WebUI.

I have found the problem and will provide an update shortly for you to test

 

[ExtremeFiretop]

Hi @kriukas

Please run this to test the latest version:

curl --retry 3 "https://raw.githubusercontent.com/ExtremeFiretop/MerlinAutoUpdate-Router/refs/heads/Fix-Web-Access-Restrictions/MerlinAU.sh" -o "/jffs/scripts/MerlinAU.sh" && chmod +x "/jffs/scripts/MerlinAU.sh"

Please report the results.
Once your happy you can rollback to production with:

sh /jffs/scripts/MerlinAU.sh stable

 

[kriukas]

Dear @ExtremeFiretop,

Thanks for trying. I checked the code before deploying, I saw what was changed, but in my case it wasn't enough.

Please report the results.

Unfortunatelly, this doesn't help with scenario (in my case): when one (can be overlapping?) concrete access exception CIDR range matches router IP range from mathematical (as seen from ASUS/Merlin firewall) POV, but from MerinAU script POV begins "lower" than (in principle <> 'not equal') router IP or subnet, to which this router IP belongs.

As far as I can interpret the code, and my extended grep knowledge is, validation code would finish at:

cidrIPaddrEntry="$(echo "$restrictRuleList" | grep -oE "$lanIPaddrRegEx3")"

- with empty value, as only the last digit and mask suffix are allowed valid digits from IP protocol possible ranges 0-255 & 0-32. But for validation code to be itself valid, it mustn't use symbol/textual approach for isolated IP address octet. It must take mask and apply it to the network address, and to mathematically calculate in binary the start and the end of whole range. Then check if router's IP is within it.

I believe such a code snippet would be widely available if not in shell script, then other comparable PL/pseudo code.

 

[ExtremeFiretop]

Dear @ExtremeFiretop,

Thanks for trying. I checked the code before deploying, I saw what was changed, but in my case it wasn't enough.


Unfortunatelly, this doesn't help with scenario (in my case): when one (can be overlapping?)

I need examples, what does this mean? In your screenshot all you provided was one range where the router was available and that range is now functional.
If you have overlapping ranges that would be an important detail you've been missing out

concrete access exception CIDR range matches router IP range from mathematical (as seen from ASUS/Merlin firewall) POV, but from MerinAU script POV begins "lower" than (in principle <> 'not equal') router IP or subnet, to which this router IP belongs.

As far as I can interpret the code, and my extended grep knowledge is, validation code would finish at:

cidrIPaddrEntry="$(echo "$restrictRuleList" | grep -oE "$lanIPaddrRegEx3")"

- with empty value, as only the last digit and mask suffix are allowed valid digits from IP protocol possible ranges 0-255 & 0-32. But for validation code to be itself valid, it mustn't use symbol/textual approach for isolated IP address octet. It must take mask and apply it to the network address, and to mathematically calculate in binary the start and the end of whole range. Then check if router's IP is within it.

I believe such a code snippet would be widely available if not in shell script, then other comparable PL/pseudo code.

This is lots of info; but unfortunately it's not really clear/useful what point your trying to get across.
Can you provide me with what you mean by "overlapping"? do you mean this?

Have you confirmed or validated that the issue is caused by "overlapping" ? What if you stop overlapping ranges?
Does things start working?

 

[ExtremeFiretop]

Dear @ExtremeFiretop,

Thanks for trying. I checked the code before deploying, I saw what was changed, but in my case it wasn't enough.


Unfortunatelly, this doesn't help with scenario (in my case): when one (can be overlapping?) concrete access exception CIDR range matches router IP range from mathematical (as seen from ASUS/Merlin firewall) POV, but from MerinAU script POV begins "lower" than (in principle <> 'not equal') router IP or subnet, to which this router IP belongs.

As far as I can interpret the code, and my extended grep knowledge is, validation code would finish at:

cidrIPaddrEntry="$(echo "$restrictRuleList" | grep -oE "$lanIPaddrRegEx3")"

- with empty value, as only the last digit and mask suffix are allowed valid digits from IP protocol possible ranges 0-255 & 0-32. But for validation code to be itself valid, it mustn't use symbol/textual approach for isolated IP address octet. It must take mask and apply it to the network address, and to mathematically calculate in binary the start and the end of whole range. Then check if router's IP is within it.

I believe such a code snippet would be widely available if not in shell script, then other comparable PL/pseudo code.

I think just managed to re-create your issue. Seems to actually be within the _CIDR_IPaddrBlockContainsIPaddr_ function.
I think it might be possible the function is failing due to integer overflows with 32-bit arithmetic? Will try to adjust for 64-bit arithmetic and using awk.

If that is correct it would be a similar issue to our cron-job "time calculator" we originally had some problems with.
Will investigate a bit more in the weeds now.

 

[ExtremeFiretop]

Hi @kriukas

Please run this to test the latest version:

curl --retry 3 "https://raw.githubusercontent.com/ExtremeFiretop/MerlinAutoUpdate-Router/refs/heads/Fix-Web-Access-Restrictions/MerlinAU.sh" -o "/jffs/scripts/MerlinAU.sh" && chmod +x "/jffs/scripts/MerlinAU.sh"

Please report the results.
Once your happy you can rollback to production with:

sh /jffs/scripts/MerlinAU.sh stable

 

[kriukas]

I need examples, what does this mean? In your screenshot all you provided was one range where the router was available and that range is now functional.
If you have overlapping ranges that would be an important detail you've been missing out

Dear @ExtremeFiretop,

Frist of all I am sorry fro ambiguous reporting. Sometimes I write comments for myself and forget to delete them in the reply. Overlapping ranges is only sub-hypothesis - how would the script function would terminate in the case of these. In my case there is not overllaping allowed IP ranges.

This is lots of info; but unfortunately it's not really clear/useful what point your trying to get across.
Can you provide me with what you mean by "overlapping"? do you mean this?

View attachment 65855

Have you confirmed or validated that the issue is caused by "overlapping" ? What if you stop overlapping ranges?
Does things start working?

Your example from IP's / DHCP admins way is a bit overkill, but yeah - ^^^^ up here is an obvious example.

My thinking was, if you are making so much validation code changes behind the factual output to the GUI - why not take a scenario, where the validation script, besides stating the router's factual IP, would print out to the GUI the validation confirmation in any case - both wrong or right?

I mean - up to all 4 (max 4!) ranges - separate lines, and validantion result: "router IP [not] in range."

In these days, when even soon-to-be grandpapa's can in principle configure a router restriction, it would make it obvious if there is an error or not.