When is it necessary to reload FirewallD configurations?

Why is the below command necessary after making changes to the FirewallD configuration?

firewall-cmd --reload

FirewallD has two separate sets of configuration: runtime and permanent. The runtime configuration is the set of currently active firewall rules loaded into the kernel. It is held in memory and is lost if the firewalld service is restarted. The permanent configuration consists of the configuration files that are loaded from disk into memory when FirewallD starts or when the configuration is reloaded.

Changes to the runtime configuration aren’t saved to the permanent configuration unless you pass the --permanent argument to the firewall-cmd command. Conversely, permanent configuration changes don’t become part of the runtime configuration until you reload it. This is why you’ll see the reload command in nearly all tutorials on FirewallD configuration.

As a rule of thumb, reload your FirewallD configuration after using firewall-cmd --permanent to make permanent changes to your firewall. You may want to test rules without making them permanent, but always reload afterwards to make sure any unwanted runtime-only changes are undone.

If you make many changes to your configuration without reloading between them, you may run into situations where the current runtime isn’t aware of the other changes you’ve made to the permanent configuration. This can lead to errors where the firewall-cmd command fails to change the firewall configuration.
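A practical way to catch this state before it bites is to compare what FirewallD is actually enforcing with what is on disk. The script below is an added example (not part of the original post and not FirewallD's own tooling): compare_configs works on plain text so it can be tried with constructed listings, and zone_drift feeds it the live output of firewall-cmd, which it assumes is on PATH and runnable by the caller. A non-zero result means either a --permanent change has not been reloaded yet, or a runtime-only rule was added and never persisted.

```shell
#!/bin/sh
# Added example, not from the original post: report drift between the
# FirewallD runtime configuration and the permanent configuration.
# Assumes firewall-cmd is on PATH for the live check (zone_drift);
# compare_configs itself only needs two text listings.

# Fixed collation so that sort and comm agree with each other.
LC_ALL=C; export LC_ALL

# normalize TEXT: drop blank lines, strip the "(active)" suffix that the
# runtime zone header carries but the permanent one does not, and sort so
# that ordering differences between the two listings are ignored.
normalize() {
    printf '%s\n' "$1" | sed -e 's/ (active)$//' -e '/^[[:space:]]*$/d' | sort
}

# compare_configs RUNTIME_TEXT PERMANENT_TEXT
# Exit status 0 when both listings are identical, 1 when they differ,
# 2 on an internal error. Lines present on only one side are printed.
compare_configs() {
    rt_file=$(mktemp) || return 2
    pm_file=$(mktemp) || { rm -f "$rt_file"; return 2; }
    normalize "$1" > "$rt_file"
    normalize "$2" > "$pm_file"
    if cmp -s "$rt_file" "$pm_file"; then
        rm -f "$rt_file" "$pm_file"
        return 0
    fi
    echo "runtime and permanent configuration differ"
    # comm -23: lines only in runtime; comm -13: lines only in permanent
    comm -23 "$rt_file" "$pm_file" | sed 's/^/  runtime only:   /'
    comm -13 "$rt_file" "$pm_file" | sed 's/^/  permanent only: /'
    rm -f "$rt_file" "$pm_file"
    return 1
}

# zone_drift ZONE: compare the live runtime and permanent listings for one
# zone. Returns 2 if firewall-cmd fails (e.g. the zone does not exist in
# one of the two configurations, which is exactly the INVALID_ZONE case).
zone_drift() {
    zone=$1
    runtime=$(firewall-cmd --zone="$zone" --list-all) || return 2
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-all) || return 2
    compare_configs "$runtime" "$permanent"
}

# Usage on a live system (requires firewall-cmd):
#   zone_drift public && echo "public zone: runtime matches permanent"
```

Run zone_drift for each zone after a batch of --permanent changes; a clean result confirms the reload happened, and a listing of "runtime only" lines points at transient rules that will silently disappear on the next restart or reload.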

The following example will result in an error unless you reload your runtime configuration before issuing the second command:

firewallctl new --permanent zone --name "test"
firewallctl zone "test" add service "ssh"
Error: INVALID_ZONE test