Proper usage of --runtime-to-permanent and --reload?

firewall-cmd --zone=public --add-service=kdeconnect
firewall-cmd --add-port=53317/tcp # org.localsend.localsend_app
firewall-cmd --add-port=53317/udp # org.localsend.localsend_app
firewall-cmd --runtime-to-permanent
firewall-cmd --reload # unnecessary??

Context: I’m writing a script that installs specific tools and configures firewall exceptions for them to work properly.

Is the firewall-cmd --reload line redundant?

If I understand correctly, the first 3 lines affect runtime config. The 4th line makes the runtime config permanent. And the 5th line reloads, making the permanent config apply to runtime.

Did I get that right? Is there any benefit to keeping that last line?

Your understanding is correct (or at least, it matches mine). You should either make changes to the runtime configuration and then use --runtime-to-permanent, or make changes to the permanent configuration and then --reload.

A third option would be to make a wrapper function that calls firewall-cmd both with and without --permanent. In theory, this has the fewest potential side-effects. If there are any existing changes in the runtime configuration, it won’t discard them, nor make them permanent.

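The wrapper approach from the answer above, sketched as an added example (not code posted by anyone in the thread). The names `fw_both` and `apply_exceptions` and the `FIREWALL_CMD` override are assumptions made for this illustration.

```shell
#!/bin/sh
# Apply every change to the runtime AND the permanent configuration, so
# neither --runtime-to-permanent nor --reload is needed and unrelated
# runtime-only rules are neither persisted nor discarded.

# FIREWALL_CMD is an assumption of this example: it allows a dry run
# against a stub command instead of the real firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_both ARGS... : issue the same change against both configurations.
# Returns non-zero as soon as either call fails, so the permanent
# configuration is never written for a rule the runtime rejected.
fw_both() {
    "$FIREWALL_CMD" "$@" || return 1               # runtime configuration
    "$FIREWALL_CMD" --permanent "$@" || return 1   # permanent configuration
}

# The three exceptions from the original post.
apply_exceptions() {
    fw_both --zone=public --add-service=kdeconnect &&
    fw_both --add-port=53317/tcp &&   # org.localsend.localsend_app
    fw_both --add-port=53317/udp      # org.localsend.localsend_app
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_exceptions
fi
```

Run the script with `--apply` as root to make the changes; each new exception is then a single `fw_both` line.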

Then I guess removing --reload makes more sense to me.
If I do it the other way, every new exception needs to have --permanent added to the command before reloading.