FirewallD in el9 does finally support router-type firewalls “for real”.
The support differs from earlier and is called Policy Objects.
However, the FirewallD in el8 does have policy objects too. Considering that el8 and el9 FirewallD are based on upstream 0.9.11 and 1.2.5, respectively, it is likely that the latter has older behaviour “cleaned out”.
Note that one can use Ansible to configure FirewallD: Chapter 12. Configuring firewalld by using RHEL System Roles Red Hat Enterprise Linux 9 | Red Hat Customer Portal
The rhel-system-roles.firewall seems to have some support for “policies”.
With Ansible playbooks and inventories (or other configuration management system) one has a machine actionable, i.e. deployable, logical copy of config that could be stored (and developed) with version control and outside of the system.
Considering that you will setup relatively static(?) firewall device, you could consider the use of nftables.service instead of firewalld.service. Chapter 13. Getting started with nftables Red Hat Enterprise Linux 9 | Red Hat Customer Portal