All, I've setup a blocklist (hash:net) a whitelist (hash:ip) and a whitelistnet (hash:net) with ipset. It works quite well added to the stateful firewall. However ipset restore fails: 18:02 valkyrie:~> scs ipset × ipset.service - Loading IP Sets Loaded: loaded (/usr/lib/systemd/system/ipset.service; enabled; preset: disabled) Active: failed (Result: exit-code) since Wed 2024-04-10 17:06:05 CDT; 56min ago Process: 1399 ExecStart=/usr/bin/ipset -f /etc/ipset.conf restore (code=exited, status=2) Main PID: 1399 (code=exited, status=2) CPU: 3ms Apr 10 17:06:05 valkyrie systemd[1]: Starting Loading IP Sets... Apr 10 17:06:05 valkyrie ipset[1399]: ipset v7.20: No command specified: unknown argument Name: Apr 10 17:06:05 valkyrie ipset[1399]: Try `ipset help' for more information. Apr 10 17:06:05 valkyrie systemd[1]: ipset.service: Main process exited, code=exited, status=2/INVALIDARGUMENT Apr 10 17:06:05 valkyrie systemd[1]: ipset.service: Failed with result 'exit-code'. Apr 10 17:06:05 valkyrie systemd[1]: Failed to start Loading IP Sets. The sets cannot manually be restored with ipset restore (or ipset restore -file ipset.conf). It results in the same error: # ipset restore <ipset.conf ipset v7.20: No command specified: unknown argument Name: Try `ipset help' for more information. As does: # ipset restore -f ipset.conf ipset v7.20: No command specified: unknown argument Name: Try `ipset help' for more information. The content of the ipset save > ipset.conf file is the same as ipset list, and looks fine, e.g. # cat /etc/ipset.conf Name: blocklist Type: hash:net Revision: 7 Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xf3661058 Size in memory: 8856 References: 0 Number of entries: 194 Members: 167.94.138.0/24 199.45.154.0/23 43.130.0.0/18 43.129.192.0/18 43.157.32.0/24 <snip> Name: whitelist Type: hash:ip Revision: 6 Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xfa0e1f24 Size in memory: 1816 References: 0 Number of entries: 42 Members: 212.187.231.66 93.93.130.214 151.101.129.91 91.193.113.65 87.238.57.227 93.93.130.133 <snip> Name: whitelistnet Type: hash:net Revision: 7 Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xc9e0aa3d Size in memory: 504 References: 0 Number of entries: 1 Members: 151.101.129.0/24 The bug mentioned in the wiki https://wiki.archlinux.org/title/Ipset was not hit. Even though ipset failed to load the sets, iptables started normally. After manually re-creating the tables and restoring the iptables rules, iptables is again using the sets: # iptables -nvL --line-numbers Chain INPUT (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelistnet src 2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist src 3 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set blocklist src 4 0 0 f2b-dovecot 6 -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993,587,465,4190 <snip> I've followed the wiki and the man-page (and help) command to restore the files manually, but nothing seems to work. Any ideas what is going on? I'm brand new to ipset, so I don't have much experience to draw from. Anybody else seeing this or see a reason ipset isn't being restored on startup by ipset.service? -- David C. Rankin, J.D.,P.E.