Firewall configuration does not change when moving an interface to a bridge #1345

@mattiaswal

Description

Current Behavior

sfp[1|2] were in zone wan (default?). I added them to my LAN bridge, but the firewall configuration did not change. Noticed the error in `show firewall`:

```
admin@bpi-a2-08-82:/> show firewall
Firewall            : active
Lockdown mode       : inactive
Default zone        : block
Log denied traffic  : off

───────────────────────────────────────────────────────────────────
Zone Matrix
               ┌──────┬──────┬──────┬──────┬──────┐
               │  →   │ HOST │ dmz  │ lan  │ wan  │
               ├──────┼──────┼──────┼──────┼──────┤
               │ HOST │  —   │  ✓   │  ✓   │  ✓   │
               │  dmz │  ✗   │  ✗   │  ✗   │  ✓   │
               │  lan │  ✓   │  ✗   │  ✗   │  ✓   │
               │  wan │  ⚠   │  ✗   │  ✗   │  ✗   │
               └──────┴──────┴──────┴──────┴──────┘
               ✓ Allow     ✗ Deny     ⚠ Conditional

───────────────────────────────────────────────────────────────────
Zones
   NAME   TYPE  DATA                          ALLOWED HOST SERVICES
⚷  block  iif   (none)                        (none)
   dmz    iif   wifi0-untrusted, wifi1-guest  (none)
   lan    iif   lan-br, wifi0-IoT             ANY
   wan    iif   sfp1-sfp2, wan                dhcpv6-client

───────────────────────────────────────────────────────────────────
Policies
   NAME                    ACTION    INGRESS          EGRESS
⚷  allow-host-ipv6         continue  ANY              HOST
   lan-to-wan              accept    dmz, lan         wan
⚷  default-drop            drop      ANY              ANY

admin@bpi-a2-08-82:/> conf
admin@bpi-a2-08-82:/config/> set interface sfp1 bridge-port bridge lan-br
admin@bpi-a2-08-82:/config/> set interface sfp2 bridge-port bridge lan-br
admin@bpi-a2-08-82:/config/> leave
admin@bpi-a2-08-82:/>
admin@bpi-a2-08-82:~$ cat /etc/firewalld/
policies/ services/ zones/
admin@bpi-a2-08-82:~$ cat /etc/firewalld/zones/
dmz.xml  lan.xml  wan.xml
admin@bpi-a2-08-82:~$ cat /etc/firewalld/zones/wan.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>wan</short>
  <interface name="wan"/>
  <interface name="sfp1"/>
  <interface name="sfp2"/>
  <service name="dhcpv6-client"/>
</zone>
admin@bpi-a2-08-82:~$ cli

See the 'help' command for an introduction to the system

admin@bpi-a2-08-82:/> configure
admin@bpi-a2-08-82:/config/> show firewall zone
admin@bpi-a2-08-82:/config/> show firewall zones
Error: Command not found, or incomplete.  Try ? for help or Tab for completion.
admin@bpi-a2-08-82:/config/> show firewall zone wan
action drop;
interface wan;
service dhcpv6-client;
admin@bpi-a2-08-82:/config/>
```
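The stale entries above are easy to miss in a zone listing, so here is an added consistency check (not Infix or firewalld code) that parses firewalld zone XML of the shape shown in the issue and flags bridge ports whose zone entry disagrees with the zone of their bridge. The sample zone files and the port-to-bridge map are constructed for the example; the lan zone and the `sysfs_bridge_master` helper are assumptions about a live system, not something the issue shows.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample zone files (the issue's wan.xml plus an assumed lan
# zone shaped the same way) as they stood after sfp1/sfp2 joined lan-br.
ZONES = {
    "wan": """<zone target="DROP">
  <short>wan</short>
  <interface name="wan"/>
  <interface name="sfp1"/>
  <interface name="sfp2"/>
  <service name="dhcpv6-client"/>
</zone>""",
    "lan": """<zone target="ACCEPT">
  <interface name="lan-br"/>
  <interface name="wifi0-IoT"/>
</zone>""",
}
# Constructed sample of bridge membership: port -> master bridge.
BRIDGE_MASTER = {"sfp1": "lan-br", "sfp2": "lan-br"}


def zone_interfaces(zone_xml):
    """Interface names bound to one firewalld zone file."""
    return [e.get("name") for e in ET.fromstring(zone_xml).findall("interface")]


def stale_bridge_ports(zones, bridge_master):
    """Ports whose own zone entry differs from their bridge's zone.

    Layer-3 zone rules match the bridge interface, not its enslaved
    ports, so a leftover port entry (sfp1/sfp2 in wan here) is stale.
    """
    owner = {i: z for z, xml in zones.items() for i in zone_interfaces(xml)}
    findings = []
    for port, bridge in bridge_master.items():
        if port in owner and owner[port] != owner.get(bridge):
            findings.append((port, owner[port], bridge, owner.get(bridge)))
    return findings


def sysfs_bridge_master(sysfs="/sys/class/net"):
    """On a live box: port -> bridge via the /sys/class/net/<if>/master symlink."""
    return {i: os.path.basename(os.readlink(os.path.join(sysfs, i, "master")))
            for i in os.listdir(sysfs) if os.path.islink(os.path.join(sysfs, i, "master"))}


if __name__ == "__main__":
    for port, pz, br, bz in stale_bridge_ports(ZONES, BRIDGE_MASTER):
        print(f"{port}: in zone {pz} but is a port of {br} (zone {bz})")
```

On a real device, feed the parsed contents of `/etc/firewalld/zones/*.xml` and `sysfs_bridge_master()` to `stale_bridge_ports` instead of the constructed samples.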

Labels: bug (Something isn't working), triage (Pending investigation & classification (CCB))