fix(ipset): count members when "Number of entries" is missing from ipset list

[siamskoi]

What

IPSet.Len() returns the correct entry count on kernels whose ipset list
output omits the Number of entries: header line, fixing the
fw_bouncer_banned_ips metric reporting 0 on those systems.

Why / root cause

IPSet.Len() parsed only the Number of entries: line of ipset list:

  for _, line := range strings.Split(string(out), "\n") {
      if !strings.Contains(strings.ToLower(line), "number of entries:") {
          continue
      }   
      ...
  }   
  return 0

That line is only printed by the newer set protocol. On kernels that expose
set protocol v6 (common on embedded systems — e.g. Keenetic routers
running Entware), ipset list produces no such line:

Name: crowdsec-blacklists-0
Type: hash:net
Revision: 6
Header: family inet hashsize 8192 maxelem 131072 timeout 300
Size in memory: 760832
References: 1
Members:
5.11.143.72 timeout 590431
...

Len() never matches and falls through to return 0. Because the
fw_bouncer_banned_ips gauge is set directly from set.Len()
(pkg/iptables/metrics.go), the metric reports 0 even when the ipsets
hold tens of thousands of entries. The fw_bouncer_dropped_* and
lapi_requests_* metrics are parsed differently and were unaffected.

What changed

• Extracted the parsing into a pure parseIPSetLen() helper.
• Kept the fast path using Number of entries: when present.
• Added a fallback that counts the member lines after the Members:
  header when that line is absent.

Testing

• go test ./pkg/ipsetcmd/ — new table test TestParseIPSetLen covers a
  modern (Number of entries:) output, a protocol-v6 output without that
  line, an empty set, and garbage input.
• Built for linux/arm64 and deployed on a Keenetic router (set protocol
  v6): fw_bouncer_banned_ips now matches the real ipset sizes
  (e.g. 19255 for the CAPI set) instead of 0.

Notes

No behaviour change on kernels that already emit Number of entries: — the
fast path is unchanged; the fallback only triggers when the line is absent.