Persistence Problems with --permanent firewalld Rules?


I'm in the process of working through the (draft 2) STIG rules for RHEL 7. One rule (RHEL-07-040250) states that I need to verify that rate-limiting is in place for inbound connection attempts. That is, if I execute firewall-cmd --direct --get-rule ipv4 filter IN_public_allow, I should find both a --limit and a --limit-burst token. If I find no such rule returned upon executing firewall-cmd --direct --get-rule ipv4 filter IN_public_allow, I should insert a suitable rule. The specific recommendation in the STIG is firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT. Wanting my rule to persist across boots (or even restarts of the firewalld service), I opted to amend that by also executing firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT.

Making this amendment, I end up with a /etc/firewalld/direct.xml with the following contents:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</rule>
</direct>

All seems good. However, if I reboot my system (or even just reload my firewalld configuration), it seems that the service is ignoring this file. When I rerun my rule presence-check (firewall-cmd --direct --get-rule ipv4 filter IN_public_allow), it returns null rather than the 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT I expect.

Is this a bug, or am I doing something "not quite right"? I'll fully admit that I'm unfamiliar with firewalld. I know how I would do stuff in bare iptables, but the STIGs mandate the use of firewalld.
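The presence check the STIG describes, written as a small POSIX shell script. This is an added example, not code from the original post, the STIG, or the firewalld project. It queries the chain twice, once for the runtime configuration and once with --permanent, using firewall-cmd's documented --direct --get-rules query (the chain name IN_public_allow and the rule text come from the post), and reports whether the rate-limit rule is present in both, only one, or neither, which is exactly the divergence the post describes after a reload. The two SAMPLE_* strings are constructed so the parsing logic can be exercised on a machine without firewalld; the live query only runs when the script is invoked with --live.

```shell
#!/bin/sh
# Added example (not from the original post or firewalld): verify that a
# firewalld direct chain carries a rate-limit rule, i.e. a single rule that
# has both the --limit and the --limit-burst token (STIG RHEL-07-040250),
# and compare the runtime view with the permanent (direct.xml) view.

# Constructed sample output, shaped like what
# "firewall-cmd --direct --get-rules ipv4 filter IN_public_allow" prints:
# one rule per line, priority first, then the iptables arguments.
SAMPLE_RUNTIME='0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT'
SAMPLE_PERMANENT=''   # what the post observes after a reload: nothing returned

# has_rate_limit RULES
# RULES is the multi-line text returned by --get-rules. Succeeds (exit 0) if
# any one line contains both --limit and --limit-burst as separate tokens,
# regardless of their order; fails (exit 1) otherwise, including on empty input.
has_rate_limit() {
    printf '%s\n' "$1" | awk '
        {
            l = 0; b = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--limit")       l = 1
                if ($i == "--limit-burst") b = 1
            }
            if (l && b) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# rate_limit_state RUNTIME_RULES PERMANENT_RULES
# Prints one word describing where the rate-limit rule was found:
#   ok             present in both the runtime and the permanent configuration
#   runtime-only   present now, but will be lost on reload/reboot
#   permanent-only in direct.xml but not active (reload not done, or not loaded)
#   missing        absent from both
rate_limit_state() {
    rt=$1; pm=$2
    if has_rate_limit "$rt"; then r=1; else r=0; fi
    if has_rate_limit "$pm"; then p=1; else p=0; fi
    case "$r$p" in
        11) echo ok ;;
        10) echo runtime-only ;;
        01) echo permanent-only ;;
        *)  echo missing ;;
    esac
}

# check_live [CHAIN]
# Queries firewall-cmd for the runtime and permanent rules of CHAIN
# (default IN_public_allow) and classifies the result. A failed query
# (firewalld not running, no such chain) is treated as "no rules".
check_live() {
    chain=${1:-IN_public_allow}
    rt=$(firewall-cmd --direct --get-rules ipv4 filter "$chain" 2>/dev/null) || rt=''
    pm=$(firewall-cmd --permanent --direct --get-rules ipv4 filter "$chain" 2>/dev/null) || pm=''
    rate_limit_state "$rt" "$pm"
}

# Only touch the real firewall when explicitly asked; otherwise the script
# just defines the functions above and runs on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    printf 'IN_public_allow rate limit: %s\n' "$(check_live IN_public_allow)"
else
    printf 'sample data: %s\n' "$(rate_limit_state "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
fi
```

Run with --live (as root, on a host where firewalld is running) after adding the rule and again after firewall-cmd --reload; a result of runtime-only before the reload and missing after it is the exact symptom described above, while permanent-only indicates direct.xml holds the rule but it has not been applied to the running firewall.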

Responses