I implemented the use of ipsets for a direct rule in firewalld in 2013. The direct.xml is:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>

I have several ipsets that are modified outside of firewalld.

blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current

These are members of ipset blacklist:

Name: blacklist
Type: list:set
Revision: 3
Header: size 8
Size in memory: 368
References: 0
Number of entries: 6
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current

This was working until I upgraded to Fedora 26 from Fedora 24. Now, even though an IP is in one of the member ipsets, blacklist_ipv4_semipermanent or one of the others, firewalld does not block the IP.

I do not know if this is an issue with ipsets or firewalld, nor do I know whether this is a "feature" or a bug.

Since these ipsets are modified dynamically and need to be accessed from bash scripts, using the internal ipset functionality of firewalld is not my desired choice.

Any insight or help in getting the ipsets working again with firewalld would be greatly appreciated.

Thanks.

John
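An added diagnostic script, not part of the original post, that reads `ipset list` and `iptables-save -t raw` text and reports whether the list:set is actually referenced by the kernel and matched by a raw-table PREROUTING rule; the two sample outputs are constructed to mirror the setup above (the post's own "References: 0" is the symptom it flags), and the chain and set names assume the direct.xml shown in the post.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post: inspect `ipset list` and
# `iptables-save -t raw` text and report whether the list:set "blacklist" is
# actually wired into the raw table. On a live host, feed the real output of
# `ipset list blacklist` and `iptables-save -t raw` instead of the samples.
# Constructed sample mirroring the post ("References: 0" is the symptom).
IPSET_LIST_OUTPUT='Name: blacklist
Type: list:set
References: 0
Number of entries: 6
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current'

# Constructed sample: the custom chain exists but the PREROUTING jump that
# matches the set is absent, which is consistent with References: 0.
IPTABLES_SAVE_OUTPUT='*raw
:PREROUTING ACCEPT [0:0]
:PREROUTING_blacklist - [0:0]
-A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6
-A PREROUTING_blacklist -j DROP
COMMIT'

# Print the kernel reference count of the set described on stdin.
ipset_references() { awk '/^References:/ { print $2; exit }'; }

# Print the member set names listed after "Members:" on stdin.
ipset_members() { awk 'found { print } /^Members:/ { found = 1 }'; }

# Count PREROUTING rules on stdin that match set $1 as the source address.
match_set_rules() { grep -c -- "^-A PREROUTING .*-m set --match-set $1 src" || true; }

# Return 0 only if the set is referenced by the kernel and a PREROUTING rule
# matches it; otherwise print the reason and return 1.
check_blacklist() {
  set_name=$1; ipset_text=$2; rules_text=$3
  refs=$(printf '%s\n' "$ipset_text" | ipset_references)
  members=$(printf '%s\n' "$ipset_text" | ipset_members | grep -c .)
  rules=$(printf '%s\n' "$rules_text" | match_set_rules "$set_name")
  [ "${refs:-0}" -gt 0 ] || { echo "$set_name ($members members): no kernel rule references it"; return 1; }
  [ "$rules" -gt 0 ] || { echo "$set_name: no raw PREROUTING rule matches it as src"; return 1; }
  echo "$set_name: referenced by $refs rule(s), $rules PREROUTING match(es)"
}

check_blacklist blacklist "$IPSET_LIST_OUTPUT" "$IPTABLES_SAVE_OUTPUT" || echo "-> blacklist is NOT enforced"
```

With the constructed samples the check fails on the reference count, which is the same thing the post's `ipset list blacklist` output shows; after the jump rule is present both checks pass.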