ipset: fix set apply if IndividualCalls=yes

Fixes: rhbz 1644834
Fixes: e6188ec ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall")

src/firewall/core/fw_ipset.py

@@ -125,7 +125,7 @@ def apply_ipsets(self):
                         raise FirewallError(errors.COMMAND_FAILED, msg)
                     else:
                         obj.applied = True
-                        if "timeout" not in obj.options or \
+                        if "timeout" in obj.options and \
                            obj.options["timeout"] != "0":
                             # no entries visible for ipsets with timeout
                             continue

src/tests/regression/rhbz1601610.at

@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
 FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
 ])
 
+dnl rhbz 1644834
+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16])
+FWD_CHECK([-q --runtime-to-permanent])
+FWD_RELOAD
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_SET([foobar], 0, [dnl
+table inet firewalld {
+set foobar {
+type ipv4_addr
+flags interval
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
+}
+}
+])], [
+IPSET_LIST_SET([foobar], 0, [dnl
+Name: foobar
+Type: hash:net
+Members:
+10.1.0.0/16
+10.2.0.0/22
+])])
+
+dnl rhbz 1644834, again with IndividualCalls=yes
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
+FWD_RELOAD
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_SET([foobar], 0, [dnl
+table inet firewalld {
+set foobar {
+type ipv4_addr
+flags interval
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
+}
+}
+])], [
+IPSET_LIST_SET([foobar], 0, [dnl
+Name: foobar
+Type: hash:net
+Members:
+10.1.0.0/16
+10.2.0.0/22
+])])
+
 FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
               -e '/ERROR: COMMAND_FAILED:.*element.*exists/d'])