Goal

• firewalld startup and restart (e.g. package upgrade) should handle the rule application atomically

Acceptance Criteria

A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

• startup should limit round trips to nftables/kernel; remove corner cases around ipset (nftables backend)

• DO NOT restart firewalld on package update, continue running existing code
  OR
• "systemctl restart firewalld" should temporarily set `CleanupOnExit=yes`; see the CLI option below
• new CLI command --enable-cleanup-on-exit, --disable-cleanup-on-exit; this is currently only a permanent config option