Firewall policy setup error with port forwarding in `firewalld` mode

[cyqsimon]

Description

On RockyLinux 9, trying to start a rootful container with port forwarding while using the firewalld firewall driver causes the startup to fail.

# NETAVARK_FW=firewalld podman run --rm -p=8000:80/tcp docker.io/httpd:latest
Error: netavark: Failed to update firewalld policy netavark_portfwd port forwarding rules: DBus error: org.fedoraproject.FirewallD1.Exception: INVALID_FORWARD: Policy 'netavark_portfwd': A 'forward-port' with 'to-addr' is invalid for egress zone 'HOST'

Steps to reproduce

1. Prepare a RockyLinux 9 machine (I've tested both x86_64 and aarch64; doesn't seem to matter).
2. Install firewalld and podman from repository: dnf install -y firewalld podman.
3. Make sure firewalld.service is running: systemctl start firewalld.service.
4. Try to start a container with firewalld as firewall driver and observe the error.

Versions

kernel: 5.14.0-611.9.1.el9_7.aarch64
podman: 6:5.6.0-7.el9_7
netavark: 2:1.16.0-1.el9
firewalld: 1.3.4-15.el9_6

Additional notes

Interestingly, this issue does not happen on ArchLinux with podman 5.7.0, netavark 1.17.0, and firewalld 2.4.0. I self-compiled netavark 1.17.0 (with aardvark-dns 1.17.0) on RockyLinux 9 and retried, but got the same results. So it seems to me that the most likely explanation is that the firewalld policy syntax used to be stricter, but has since been relaxed some time between 1.3.4 and 2.4.0.

[Luap99]

I am pretty sure we depend on newer firewalld features as @mheon discovered some issues that needed fixing for us so I think that might be expected.

I am not sure there is anything for us here to do, maybe we could add a version check?
Personally I would recommend against using the firewalld driver it still seems to have some issues and just use the nftables one.

[cyqsimon]

FYI #573 (comment) is why I really want to use the firewalld driver. It would make my configuration... quite a bit more agreeable.