CentOS 7 firewalld: remove direct rule

Eventually I found that the remove command only works one time, because the rules are recorded in direct.xml.

Thus, the solution is easy: edit direct.xml and comment out the corresponding lines or just delete them.


After wrestling with a stubbornly persistent redirect rule I realized through testing the following:

  1. iptables rules DB is transient
  2. firewall-cmd --permanent rules DB persists through reboots, rewriting iptables rules DB after reboot
  3. firewall-cmd --permanent --direct rules DB stored in /etc/firewalld/direct.xml persists despite firewall-cmd [--permanent] --direct --remove-rule unless DB file is removed
  4. firewall-cmd [--permanent] --direct --query-rule will lie about persistence of rules in /etc/firewalld/direct.xml
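Both posts above end up at the same place: the authoritative record of permanent direct rules is /etc/firewalld/direct.xml, so the reliable check is to read that file and the reliable removal is to delete the matching `<rule>` element from it. The script below is an added example, not code from either poster or from the firewalld project; it parses a constructed copy of direct.xml (embedded inline, not taken from any real host), lists the direct rules it contains, and removes one rule by its ipv/table/chain/priority/argument tuple, normalizing whitespace in the iptables arguments so that a rule written with extra spaces still matches. Reading and writing the real file, and reloading firewalld afterwards, is left to the usage note.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/direct.xml for demonstration.
# Format follows firewalld's direct.xml: one <rule> per direct rule, with
# the iptables arguments as the element text.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="nat" ipv="ipv4" chain="PREROUTING">-p tcp --dport 80 -j REDIRECT --to-ports 8080</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp  --dport 2222 -j ACCEPT</rule>
</direct>
"""


def _norm_args(text):
    """Collapse runs of whitespace so '-p tcp  --dport 80' == '-p tcp --dport 80'."""
    return re.sub(r"\s+", " ", (text or "").strip())


def list_direct_rules(xml_text):
    """Return the direct rules recorded in a direct.xml document as dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.findall("rule"):
        rules.append({
            "ipv": el.get("ipv"),
            "table": el.get("table"),
            "chain": el.get("chain"),
            "priority": int(el.get("priority", "0")),
            "args": _norm_args(el.text),
        })
    return rules


def remove_direct_rule(xml_text, ipv, table, chain, priority, args):
    """Delete every <rule> matching the given tuple.

    Returns (new_xml_text, number_of_rules_removed). The tuple mirrors the
    arguments of `firewall-cmd --direct --remove-rule <ipv> <table> <chain>
    <priority> <args>`; the difference is that this edits the on-disk record
    directly, which is what the posts above found necessary.
    """
    root = ET.fromstring(xml_text)
    wanted = _norm_args(args)
    removed = 0
    for el in list(root.findall("rule")):
        if (el.get("ipv") == ipv
                and el.get("table") == table
                and el.get("chain") == chain
                and int(el.get("priority", "0")) == int(priority)
                and _norm_args(el.text) == wanted):
            root.remove(el)
            removed += 1
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n", removed


def rule_is_recorded(xml_text, ipv, table, chain, priority, args):
    """Check direct.xml itself rather than trusting --query-rule."""
    wanted = _norm_args(args)
    return any(
        r["ipv"] == ipv and r["table"] == table and r["chain"] == chain
        and r["priority"] == int(priority) and r["args"] == wanted
        for r in list_direct_rules(xml_text)
    )


if __name__ == "__main__":
    redirect = ("ipv4", "nat", "PREROUTING", 0,
                "-p tcp --dport 80 -j REDIRECT --to-ports 8080")
    print("before:", rule_is_recorded(SAMPLE_DIRECT_XML, *redirect))
    new_xml, n = remove_direct_rule(SAMPLE_DIRECT_XML, *redirect)
    print("removed:", n)
    print("after:", rule_is_recorded(new_xml, *redirect))
    print(new_xml)
```

To apply this on a real CentOS 7 host you would read /etc/firewalld/direct.xml into `xml_text`, write the returned document back to the same path (as root, keeping a backup), and then run `firewall-cmd --reload` so the runtime iptables rules are regenerated from the permanent configuration; `rule_is_recorded` on the file contents is the check to run afterwards, since item 4 above notes that `--query-rule` cannot be relied on for this.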