At the start of this chapter, I told you that firewalld can get a bit confusing due to the differences between RHEL 7/CentOS 7 and RHEL 8/CentOS 8. But here's where things get downright weird. Even though the direct rule commands create iptables rules and RHEL 8/CentOS 8 uses nftables for the firewalld backend, you can still create direct rules. Just create and verify them the same way that you did in the "Creating direct rules in RHEL/CentOS 7 firewalld" section. Apparently, firewalld allows these iptables rules to peacefully coexist with the nftables rules. However, if you need to do this on a production system, be sure to test your setup thoroughly before you deploy it.
There's nothing about this in the Red Hat 8 documentation, but there is the firewalld.direct man page if you want to find out more.