[BR]: ipset based action can cause an error by actionstop with newer ipset versions (it is in use by a kernel component) #3624

Open
sebres opened this issue Nov 9, 2023 · 0 comments
sebres commented Nov 9, 2023

Stopping fail2ban may cause an error in ipset-based actions (by a race condition with "it is in use by a kernel component").

ERROR   b53aa8b8 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports 8085 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
ipset flush f2b-sshd
ipset destroy f2b-sshd
ERROR   b53aa8b8 -- stderr: 'ipset v7.17: Set cannot be destroyed: it is in use by a kernel component'
ERROR   b53aa8b8 -- returned 1
ERROR   Failed to stop jail 'sshd' action 'iptables-ipset-proto6': Error stopping action Jail('sshd')/iptables-ipset-proto6

A similar error was found on GH that explains the RC.

It is not a large issue, since the set is flushed (empty) and can remain as a leak that doesn't really bother anyone without any reference or usage, especially on restart, since the existing set will not cause any error.

Anyway, as a possible solution (workaround):

actionstop = <_ipt_del_rules>
              <actionflush>
-             ipset destroy <ipmset>
+             # wait a bit if set cannot be destroyed immediately after removal of iptables (still in use):
+             ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
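Review bot: the `2>/dev/null` on the first `ipset destroy <ipmset>` hides every failure reason, not only the "in use by a kernel component" race, so a permission error or a wrong set name is silently retried once after `sleep 1` and then surfaces without the first message; consider keeping stderr of the first attempt, or bounding the retry to the specific error and documenting in the comment that the single 1-second retry is a best-effort wait, since the second `ipset destroy <ipmset>` is still a single shot and its non-zero status is what `actionstop` will report.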
@sebres sebres added the bug label Nov 9, 2023
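The workaround above retries the destroy exactly once after a fixed sleep. As an added example (not fail2ban's code and not part of this issue), the helper below generalises that to a bounded retry loop: it retries `ipset destroy` while the set still exists, treats an already-missing set as success, and gives up with a non-zero status after a configurable number of attempts. The function name `ipset_destroy_retry`, the `IPSET` override variable and the default of 5 attempts / 1 second are assumptions chosen for the example; the `ipset destroy` and `ipset list` subcommands are the real ipset ones.

```shell
#!/bin/sh
# Added example, not fail2ban's own actionstop: destroy an ipset with bounded retries.
# Right after "iptables -D ... -m set --match-set NAME src ..." the kernel may still hold
# a reference to the set for a moment, and "ipset destroy" then fails with
# "Set cannot be destroyed: it is in use by a kernel component".

# IPSET names the ipset binary; overridable (assumption for this example) so the helper
# can be exercised with a fake binary without root.
: "${IPSET:=ipset}"

# ipset_destroy_retry NAME [MAX_TRIES] [DELAY_SECONDS]
# Returns 0 once the set is gone (destroyed by us or already absent),
# or 1 if MAX_TRIES attempts all failed while the set still existed.
ipset_destroy_retry() {
    name=$1
    max=${2:-5}
    delay=${3:-1}
    i=1
    while :; do
        # Common case: destroy succeeds immediately.
        if "$IPSET" destroy "$name" 2>/dev/null; then
            return 0
        fi
        # Destroy failed. If the set no longer exists there is nothing left to do
        # (e.g. it was already destroyed by an earlier run), so do not keep retrying.
        if ! "$IPSET" list "$name" >/dev/null 2>&1; then
            return 0
        fi
        # Set still exists: bounded back-off before the next attempt.
        if [ "$i" -ge "$max" ]; then
            echo "ipset_destroy_retry: set '$name' still in use after $max attempts" >&2
            return 1
        fi
        i=$((i + 1))
        sleep "$delay"
    done
}

# Usage in an actionstop-like sequence (root and a real set required; constructed example):
#   iptables -w -D INPUT -p tcp -m multiport --dports 8085 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
#   ipset flush f2b-sshd
#   ipset_destroy_retry f2b-sshd 5 1
```

Because stderr of each `destroy` attempt is suppressed, the helper prints its own message only when it finally gives up; if you want to see the kernel's reason for the last failure, drop the `2>/dev/null` on the last iteration or log `$IPSET list "$name"` before returning 1.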