3.7.13.7. Using the direct interface
It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here; see the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules are not permanent and must be applied again each time the start, restart or reload message is received from firewalld using D-BUS.
3.7.13.7.1. Adding a custom rule using the direct interface
To add a custom rule to the chain IN_ZONE_public_allow, issue a command as root in the following format:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT
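Because direct rules are lost whenever firewalld starts, restarts or reloads, a service that depends on one has to check for it and put it back. The following is an added example, not part of the original guide: it wraps the rule above so it is added only when missing and can be removed cleanly. The FWCMD and RULE variables and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent handling of a runtime-only direct rule.
# FWCMD, RULE and the function names are illustrative, not from the guide.
FWCMD="${FWCMD:-firewall-cmd}"

# The rule from this section: family, table, chain, priority, iptables args.
RULE="ipv4 filter IN_ZONE_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT"

# Return 0 if the rule is in the runtime configuration, non-zero otherwise.
direct_rule_present() {
    # $RULE is left unquoted on purpose so it splits into separate arguments.
    $FWCMD --direct --query-rule $RULE >/dev/null 2>&1
}

# Add the rule only if it is missing, then confirm that it took effect.
# Prints "present" or "added"; returns 1 if the rule could not be applied.
ensure_direct_rule() {
    if direct_rule_present; then
        echo present
        return 0
    fi
    $FWCMD --direct --add-rule $RULE >/dev/null || return 1
    direct_rule_present || return 1
    echo added
}

# Remove the rule when it is no longer needed. Prints "removed" or "absent".
drop_direct_rule() {
    if direct_rule_present; then
        $FWCMD --direct --remove-rule $RULE >/dev/null || return 1
        echo removed
    else
        echo absent
    fi
}

# Run as root. Call "ensure" after every firewalld start, restart or reload;
# "list" shows every direct rule currently loaded, for auditing.
case "${1:-}" in
    ensure) ensure_direct_rule ;;
    drop)   drop_direct_rule ;;
    list)   $FWCMD --direct --get-all-rules ;;
esac
```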