firewalld has since been switched to nftables and things worked out - so this bug is no longer valid (even though no explicit fix has been recorded)