Problem scenario
A NIC or network interface is not being protected by a zone in the firewalld. You run firewall-cmd commands with different flags, but some NIC (e.g., a virtual NIC) will not persistently remain in a zone. You want your firewall-cmd commands to have a permanent effect. The --permanent flag is supposed to work, but it is not helping. What should you do?
Solution
If a firewall-cmd command fails with a --permanent flag, do this as the workaround: 1) reboot so you know there are no temporary (or intended as temporary) firewall changes in memory or in effect. 2) run the firewall-cmd command without the --permanent flag. 3) run this: firewall-cmd --runtime-to-permanent
Runtime configuration is temporary configuration. The changes can be applied to the kernel with the --runtime-to-permanent flag. To read more, see this https://firewalld.org/documentation/configuration/runtime-versus-permanent.html.
The above solution involves successive commands. If you just want to run one Linux command, see also How Do You Get a NIC to Permanently Be in a firewalld Zone with a Single Command?