
My server uses CentOS 8, quite recently installed (~1 year).

After trying to ban an IP:

firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112.70" drop'

My system seems to be corrupt:

# firewall-cmd --reload
Error: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set blacklist doesn't exist.

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

But the restart of the service works without error messages:

# systemctl restart firewalld

I would like (besides understanding what happened):

  1. Either to restore the old situation (a --remove-rich-rule does not seem to be enough)
  2. or make the banning method work (somehow add a set with ipset?)
  • Are you sure this is CentOS 8? This distribution does not use iptables. Commented Jun 13, 2020 at 14:01
  • @MichaelHampton I installed it last year and I could have bet any amount of money, but you are right: CentOS Linux release 7.8.2003 (Core) Commented Jun 14, 2020 at 8:58
  • @A.B, yes, CentOS Linux release 7.8.2003 (Core) Commented Jun 14, 2020 at 8:59

1 Answer

As documented here we create the blacklist set:

# sudo yum install ipset # was already installed
# sudo ipset create blacklist hash:ip hashsize 4096
# firewall-cmd --reload
success

As pointed out by @MichaelHampton in the comments, the error probably arises from a previous (partial) attempt to reach the same goal (to block IPs); something like the following: drop ip blacklist with firewalld centos 7

The solution of the error should be correct but is not related to the rich rules.

  • Hmm. The rich rule you referred to doesn't create or reference an ipset blacklist (or any ipset). Likely the problem is elsewhere, and only showed up when you reloaded firewalld. Commented Jun 14, 2020 at 15:25
  • @MichaelHampton, I probably tried something else before using the rich rules to reach the same goal. I edit the answer. Commented Jun 14, 2020 at 15:36
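The failure in the question is a firewalld direct rule that matches on an ipset (`-m set --match-set blacklist`) while no set of that name exists when `iptables-restore` runs. The following shell script is an added example, not code from the question or the answer: it reads the output of `firewall-cmd --permanent --direct --get-all-rules` and `ipset list -n`, reports every set that is referenced but missing, and prints the firewalld-managed way of blocking an address (a set created with `--new-ipset`, which firewalld recreates on reload and after reboot, bound to the built-in `drop` zone). The sample rule lines, the set name `blacklist` and the address are constructed for the demonstration. A set created only with `ipset create`, as in the answer, lives in kernel memory and is gone after a reboot unless something restores it, so the same reload error can come back.

```shell
#!/bin/sh
# Added example (not from the question or the answer).
# Diagnoses "Set NAME doesn't exist" on firewall-cmd --reload: a direct rule
# references an ipset that is not present. Nothing here runs firewall-cmd
# unless the script is invoked with --live on a host that has it.

# Constructed sample of `firewall-cmd --permanent --direct --get-all-rules` output.
SAMPLE_DIRECT_RULES='ipv4 filter INPUT 0 -m set --match-set blacklist src -j DROP
ipv4 filter INPUT 1 -m set --match-set allowlist src -j ACCEPT'

# Constructed sample of `ipset list -n` output (sets that currently exist).
SAMPLE_EXISTING_SETS='allowlist'

# Print each set name referenced by "-m set --match-set NAME" on stdin, once.
referenced_sets() {
  sed -n 's/.*--match-set[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' | sort -u
}

# $1: direct-rule text, $2: existing set names (one per line).
# Prints referenced sets that do not exist; empty output means reload is safe.
missing_sets() {
  rules="$1"; existing="$2"
  printf '%s\n' "$rules" | referenced_sets | while read -r name; do
    printf '%s\n' "$existing" | grep -qx -- "$name" || printf '%s\n' "$name"
  done
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Validating first keeps typos and pasted junk out of the firewall configuration.
valid_ipv4() {
  ip="$1"; n=0
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs="$IFS"; IFS=.
  for octet in $ip; do
    n=$((n + 1))
    if [ "$octet" -gt 255 ]; then IFS="$old_ifs"; return 1; fi
  done
  IFS="$old_ifs"
  [ "$n" -eq 4 ]
}

# $1: set name, $2: zone, $3: address. Prints the firewalld-native commands
# that create a persistent set, add the address and bind the set to the zone.
# The built-in "drop" zone discards everything from its sources, so no rich
# rule is needed. --new-ipset fails if the set already exists; skip it then.
persistent_block_cmds() {
  set_name="$1"; zone="$2"; addr="$3"
  valid_ipv4 "$addr" || { echo "refusing invalid IPv4 address: $addr" >&2; return 1; }
  printf '%s\n' \
    "firewall-cmd --permanent --new-ipset=$set_name --type=hash:ip" \
    "firewall-cmd --permanent --ipset=$set_name --add-entry=$addr" \
    "firewall-cmd --permanent --zone=$zone --add-source=ipset:$set_name" \
    "firewall-cmd --reload"
}

# On a real host: run the same diagnosis against the live configuration.
live_check() {
  command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 1; }
  missing_sets "$(firewall-cmd --permanent --direct --get-all-rules)" "$(ipset list -n)"
}

# Stand-alone demonstration on the constructed samples.
echo "referenced by direct rules but missing: $(missing_sets "$SAMPLE_DIRECT_RULES" "$SAMPLE_EXISTING_SETS")"
persistent_block_cmds blacklist drop 49.88.112.70
if [ "${1:-}" = "--live" ]; then live_check; fi
```

If `live_check` names a set, either create it persistently with `firewall-cmd --permanent --new-ipset=NAME --type=hash:ip` or remove the stale direct rule with `firewall-cmd --permanent --direct --remove-rule ...` before reloading; leaving the direct rule in place with only a manual `ipset create` fixes the current reload but not the next boot.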
