fix: use runtime API for ipset updates to avoid network outages

dvershinin · dvershinin · commit b744b415f790 · 2026-02-20T14:16:11.000+08:00
`fds cron` was causing brief DNS/network connectivity outages because
it called firewalld reload after updating ipset entries. The reload
flushes iptables rules and causes packet loss.

Changed update_ipsets() to use the runtime API (self.fw.setEntries)
which applies changes immediately without reload. The permanent config
created by initial `fds block` commands remains unchanged for
persistence across firewalld restarts.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [0.0.44] - 2026-02-20
+### Fixed
+* `fds cron` no longer causes network connectivity outages by using runtime API for ipset updates instead of firewalld reload
+
 ## [0.0.30] - 2021-08-03
 ### Added
 * Optionally uses aggregation to overcome FirewallD bugs #22
diff --git a/fds.spec b/fds.spec
@@ -19,7 +19,7 @@
 %endif
 
 Name:           fds
-Version:        0.0.43
+Version:        0.0.44
 Release:        1%{?dist}
 Summary:        The go-to FirewallD CLI companion app
 License:        BSD
diff --git a/fds/FirewallWrapper.py b/fds/FirewallWrapper.py
@@ -247,26 +247,36 @@ def get_blocked_countries(self):
         return blocked_countries
 
     def update_ipsets(self):
-        need_reload = False
+        """Update existing ipsets with fresh data using runtime API.
+
+        Uses the runtime API (self.fw.setEntries) which applies changes
+        immediately without requiring a firewalld reload. This avoids
+        brief network connectivity outages that occur during reload.
+        """
         all_ipsets = self.fw.getIPSets()
         from .Countries import Countries
         countries = Countries()
-        is_tor_blocked = False
+        w = WebClient()
+
         for ipset_name in all_ipsets:
-            if ipset_name.startswith('fds-tor-'):
-                is_tor_blocked = True
+            if ipset_name == 'fds-tor-4':
+                log.info('Updating Tor IPv4 exit nodes')
+                entries = w.get_tor_exits(family=4)
+                self.fw.setEntries(ipset_name, entries)
+            elif ipset_name == 'fds-tor-6':
+                log.info('Updating Tor IPv6 exit nodes')
+                entries = w.get_tor_exits(family=6)
+                self.fw.setEntries(ipset_name, entries)
             elif ipset_name.startswith('fds-'):
                 country_code = ipset_name.split('-')[1]
                 if country_code in countries.names_by_code:
                     country_name = countries.names_by_code[country_code]
                     country = countries.get_by_name(country_name)
-                    self.block_country(country, reload=False)
-                    need_reload = True
-        if is_tor_blocked:
-            self.block_tor(reload=False)
-            need_reload = True
-        if need_reload:
-            self.fw.reload()
+                    log.info('Updating {} {}'.format(country.name, country.getFlag()))
+                    entries = w.get_country_networks(country=country)
+                    self.fw.setEntries(ipset_name, entries)
+
+        # No reload needed - runtime API applies immediately
         return True
 
     def reset(self):
