Hi, when using the firewalld-backend, attacks from IPv6 addresses are recognized and banned by sshguard as expected, but do not actually get added to the ipset. The underlying reason for that seems to be that the way sshguard adds addresses together with netmask or prefix, i.e.
$ firewalld --ipset=sshguard6 --add-entry=<ip>/<prefix>
only works with ipv4 but not ipv6 when using hash:ip in ipset. Since the problem seems to be with ipset, rather than firewalld, I'd assume that the ipset backend has the same issue, but I have not tested that yet.
hash:net instead of
hash:ip as the ipset type might provide a workaround for this, but I don't know the implications of that change, because frankly I don't understand exactly how the two differ.
This happens with ipset v6.38, I have not tested other versions.