patrick+centos.org at laimbock.com
2021-Dec-22 19:03 UTC
[CentOS] firewalld: removing rich-rules based on its own list fails
Hi,

I have some Ansible roles which each create some firewalld rich-rules. For Ansible idempotency I tried to remove any DNS-related rich-rules before creating the ones in the playbook. After some searching I came up with this:

    #!/bin/bash
    OLDIFS=$IFS
    IFS=''
    while read -r line; do
        firewall-cmd --zone=public --permanent --remove-rich-rule=\'$line\'
    done <<< $(firewall-cmd --zone=public --list-rich-rules | egrep 'dns|53')
    IFS=$OLDIFS

But this fails with, for example:

    Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4" source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp" to-port="60053" to-addr="46.23.XX.53"

My googling & variations came up empty. Anyone know why this is failing and could possibly share how to make this work?

Thanks!

Best,
Patrick
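The following script is an added example, not Patrick's script and not code from the firewalld project. The failing part of the posted loop is `--remove-rich-rule=\'$line\'`: the backslash-escaped quotes are not shell quoting, they are literal characters, so firewall-cmd hands firewalld a rule string that starts and ends with `'`, and the rich-rule lexer rejects it with the `internal error in _lexer()` message that echoes the whole rule back. Passing `"$1"` instead keeps the rule as one argument without adding any quote characters. The `fake_firewall_cmd` stub and its three sample rules are constructed here for an offline dry run (the `46.23.XX` placeholders are taken from the post); on a real host leave `FIREWALL_CMD` unset so the real `firewall-cmd` is used. `ZONE`, `PATTERN` and `FIREWALL_CMD` are names chosen for this example.

```shell
#!/bin/bash
# Added example (not the script from the post): remove every permanent rich
# rule of one zone whose text matches PATTERN, taking the list from
# firewall-cmd itself. Assumed: firewall-cmd is on PATH, or FIREWALL_CMD
# names a replacement (the constructed stub below is used for --dry-run).

ZONE="${ZONE:-public}"
PATTERN="${PATTERN:-dns|53}"                 # the pattern used in the post
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# The argument the posted script built: \'$line\' adds a literal single quote
# at each end, and firewall-cmd passes those quotes straight to firewalld.
posted_argument() {
    printf '%s\n' "--remove-rich-rule='$1'"
}

# List the zone's rich rules, one per line, keeping only those matching PATTERN.
list_matching_rules() {
    "$FIREWALL_CMD" --zone="$ZONE" --list-rich-rules | grep -E -- "$PATTERN" || true
}

# Every rule printed by --list-rich-rules starts with the word "rule". A string
# that starts with a quote character is the symptom of the quoting mistake
# above, so refuse it before it reaches firewalld.
is_well_formed_rule() {
    case $1 in
        "rule "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Remove one rule. "$1" is shell quoting only: the rule arrives at firewalld
# as a single argument with no quote characters added around it.
remove_rule() {
    is_well_formed_rule "$1" || { echo "refusing malformed rule: $1" >&2; return 1; }
    "$FIREWALL_CMD" --zone="$ZONE" --permanent --remove-rich-rule="$1"
}

# Remove every matching rule and print how many were removed. A here-document
# (POSIX) is used instead of <<< so the loop runs in the current shell and the
# counter survives; IFS= and read -r keep each rule line intact.
remove_matching_rules() {
    rules=$(list_matching_rules)
    n=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        remove_rule "$rule" && n=$((n + 1))
    done <<EOF
$rules
EOF
    echo "$n"
}

# Constructed stub standing in for firewall-cmd during a dry run: answers
# --list-rich-rules with three sample rules and echoes the exact rule text
# each --remove-rich-rule request carried.
fake_firewall_cmd() {
    for arg in "$@"; do
        case $arg in
            --list-rich-rules)
                printf '%s\n' \
                  'rule family="ipv4" source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp" to-port="60053" to-addr="46.23.XX.53"' \
                  'rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept' \
                  'rule family="ipv4" service name="dns" accept'
                return 0 ;;
            --remove-rich-rule=*)
                printf 'removed: %s\n' "${arg#--remove-rich-rule=}"
                return 0 ;;
        esac
    done
    return 1
}

if [ "${1:-}" = "--dry-run" ]; then
    FIREWALL_CMD=fake_firewall_cmd
    remove_matching_rules
fi
```

Run it with `--dry-run` to see which rule strings the stub receives (two of the three sample rules match, and the count printed last is 2); without the flag it acts on the real permanent configuration, and a `firewall-cmd --reload` is still needed afterwards, as with any `--permanent` change. Note that the post's pattern `dns|53` also matches the `.53` at the end of the sample rule's `to-addr`, so a stricter pattern such as `PATTERN='port="53"'` avoids removing unrelated rules whose addresses happen to contain 53.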
Kenneth Porter
2021-Dec-22 21:39 UTC
[CentOS] firewalld: removing rich-rules based on its own list fails
On Wednesday, December 22, 2021 8:03 PM +0100 Patrick via CentOS <centos at centos.org> wrote:

> Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4"
> source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp"
> to-port="60053" to-addr="46.23.XX.53"

If you don't get help here, you might try one of the firewalld mailing lists or other support resources here: <https://firewalld.org/community.html>

I'm curious to hear what you discover. (This might be a bug that warrants a patch for the CentOS package.)