I cannot take credit.

My thanks to Anthony, Thomas, and Jiri on this list for their help.

I just worked out the kinks for my particular use.

Here is what I use:
/etc/firewalld/direct.xml (from Anthony)
<!-- /etc/firewalld/direct.xml -->
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>

/etc/systemd/system/ipset.service (from Anthony)
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target

This is from the email from Anthony:
The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are 
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service

My initial ipset.save without any ip addresses added looks like:

create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536 
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536 
create blacklist list:set size 8 
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6

Then do 'systemctl enable ipset && systemctl start ipset'

Together, the additions to the direct.xml configuration and the ipset.service 
have allowed me to add or remove ip addresses from the blacklist without the 
worry of what happens upon restart, etc.

My own ipset save file is a bit more complex:
create blacklist_ipv4_permanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_semipermanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_current hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv6_permanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_semipermanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_current hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4_permanent
add blacklist blacklist_ipv4_semipermanent
add blacklist blacklist_ipv4_current
add blacklist blacklist_ipv6_permanent
add blacklist blacklist_ipv6_semipermanent
add blacklist blacklist_ipv6_current

It is up to you how you want to add IPs to the ipsets.

I have another script that runs periodically to parse various log files to determine IPs to blacklist and add them to blacklist_ipv4_current. Once a day, the script reads IPs that are in the current list and which have been in historical lists of 'current' IPs and adds them to semipermanent or discards them if not. It does the same for historical semipermanent and adds them to permanent. It keeps the firewall up to date with 'bad guys.' That script is pretty complex and I'd rather not post it. I am not working with IPv6 to any extent yet.

I currently have 8616 IPs in my blacklist.

Nathanael, hope this helps you and others.

John

On 07/16/2014 01:46 PM, Nathanael d. Noblet wrote:
Hello John,

  Once you have this working, would you mind posting your config/scripts
for others to benefit from? I'd like to use ipsets as well but haven't
had a chance to look deeply into them. Your setup sounds like it would
be a great start.
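The daily current -> semipermanent -> permanent promotion John describes, as an added example that is not part of this thread and not John's script (which he did not post). It assumes daily snapshots of each set are kept as one-IP-per-line text files by some other job, that "has been in historical lists" means seen in at least one earlier snapshot (the min_hits parameter generalizes this), and it emits an ipset restore fragment using the set names from John's save file.

```python
# Added example: tiered ipset blacklist promotion as pure functions over
# snapshots. Set names are taken from the save file shown in the mail;
# snapshot format, min_hits and the del-from-current step are assumptions.
import ipaddress
from collections import Counter

CURRENT = "blacklist_ipv4_current"
SEMI = "blacklist_ipv4_semipermanent"
PERM = "blacklist_ipv4_permanent"


def parse_snapshot(text):
    """One snapshot of a set: one IPv4 address per line, '#' comments allowed.
    Junk lines are skipped so a malformed line never breaks the restore."""
    ips = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.IPv4Address(line)))
        except ValueError:
            pass
    return ips


def promote(members, history, higher, min_hits=1):
    """Split `members` into (move up, discard): an IP moves up if it was seen
    in at least `min_hits` earlier snapshots; IPs already in a higher tier
    are left alone; the rest are discarded."""
    hits = Counter(ip for snap in history for ip in snap)  # snapshots per IP
    candidates = {ip for ip in members if ip not in higher}
    up = {ip for ip in candidates if hits[ip] >= min_hits}
    return up, candidates - up


def daily_plan(current, semi, perm, current_hist, semi_hist):
    """Build restore lines for one daily run: promotions into semipermanent
    and permanent, plus removal of discarded IPs from the current set
    (semipermanent entries are never removed here; that is an assumption)."""
    to_semi, drop_cur = promote(current, current_hist, semi | perm)
    to_perm, _ = promote(semi, semi_hist, perm)
    lines = [f"add {SEMI} {ip}" for ip in sorted(to_semi)]
    lines += [f"add {PERM} {ip}" for ip in sorted(to_perm)]
    lines += [f"del {CURRENT} {ip}" for ip in sorted(drop_cur)]
    return lines


if __name__ == "__main__":
    # Constructed sample data (documentation ranges), not real blacklist entries.
    cur = parse_snapshot("203.0.113.5\n203.0.113.9\nnot-an-ip\n203.0.113.20 # x\n")
    hist = [{"203.0.113.5", "198.51.100.1"}, {"203.0.113.5", "203.0.113.20"}]
    print("\n".join(daily_plan(cur, {"198.51.100.1"}, {"192.0.2.1"}, hist, [{"198.51.100.1"}])))
```

The printed lines are in the same format as ipset.save and can be piped to `ipset -exist restore`; the ExecStop in Anthony's ipset.service then writes the updated sets back to /etc/sysconfig/ipset.save.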