Wednesday, August 26, 2015

Fail2ban Error on Centos 7 KVM instance

On CentOS 7 I was struggling with fail2ban on different VM templates, e.g. OpenVZ and KVM. The previous post is about OpenVZ problems (not only about fail2ban) to which I could not find a solution yet.
Now I would say some words about the KVM instance. fail2ban 0.9.2 was running on CentOS 7.1.1503 with the systemd backend. I was struggling to ban failed ssh attempts with the following config options in the jail.local file:

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
bantime = 3600

[sshd]
enabled = true

Nothing seemed to be wrong with these options or the log files, but I was getting an error like this:

ERROR   ipset create fail2ban-sshd hash:ip timeout 3600
firewall-cmd --direct --add-rule  filter INPUT 0 -p tcp -m multiport -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
-- stdout: '\x1b[91mwrong priority\nusage: --direct --add-rule { ipv4 | ipv6 | eb } \x1b[00m\n'

As is easily seen, this error comes from fail2ban's actionstart command (the ipset and firewall-cmd invocations) defined in the file /etc/fail2ban/action.d/firewallcmd-ipset.conf:

actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>

The ipv4 option in the above firewall-cmd line was missing, and therefore I kept getting the error. The error output shows that one of the keywords ipv4|ipv6|eb must follow --add-rule. Hence adding the keyword ipv4 temporarily solves the problem. Temporarily, because I don't know what would happen if some IPv6 address tried logging in to your server.

Update: firewallcmd-ipset only works if your kernel has ipset module support. If your kernel is something like

2.6.32-042stab108.8

don't expect firewallcmd-ipset to work. In that case one must use the firewallcmd-new action instead, because it only uses firewalld, not the kernel ipset module.
The problem I faced was caused by a wrong template file, firewallcmd-ipset.conf.
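A small POSIX shell check, added here and not part of the original post, that covers both points above: it flags firewall-cmd --direct rules in an action file that lack the ipv4|ipv6|eb family keyword (the cause of the "wrong priority" error), and it reports whether the ipset module is usable, which decides between firewallcmd-ipset and firewallcmd-new. The two sample action files are constructed for the demo; on a real host you would point lint_firewallcmd_action at /etc/fail2ban/action.d/firewallcmd-ipset.conf.

```shell
#!/bin/sh
# Lint a fail2ban firewallcmd action file: every "--direct --add-rule" or
# "--remove-rule" must be followed by a family keyword (ipv4 | ipv6 | eb),
# otherwise firewalld rejects the rule with "wrong priority".
# Prints each offending line; returns 0 when the file is clean, 1 otherwise.
lint_firewallcmd_action() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *--direct*--add-rule*|*--direct*--remove-rule*)
                if ! printf '%s\n' "$line" | grep -Eq -- '--(add|remove)-rule[[:space:]]+(ipv4|ipv6|eb)[[:space:]]'; then
                    printf 'missing family keyword: %s\n' "$line"
                    bad=1
                fi
                ;;
        esac
    done < "$file"
    return "$bad"
}

# Returns 0 only when the ipset tool exists and the kernel module answers,
# i.e. firewallcmd-ipset can work; otherwise firewallcmd-new is the safe choice.
# (Meant for the real host; it is not exercised by the constructed demo below.)
ipset_available() {
    command -v ipset >/dev/null 2>&1 && ipset list >/dev/null 2>&1
}

# Constructed copies of the broken template and the corrected actionstart.
BROKEN=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT
cat > "$BROKEN" <<'EOF'
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
EOF
cat > "$FIXED" <<'EOF'
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
EOF

lint_firewallcmd_action "$BROKEN" && echo "broken template: clean" || echo "broken template: add the ipv4 keyword"
lint_firewallcmd_action "$FIXED"  && echo "fixed template: clean"  || echo "fixed template: still wrong"
```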
