Published Ports are unreachable from container host when NETAVARK_FW=firewalld is set

Issue Description

Whilst building a firewall policy for my environment using firewalld, I came across the FirewallD integration for Netavark and enabled it by setting "NETAVARK_FW=firewalld" in /etc/environment to be able to control the Container networking better. I then tried to reach some of my published ports of my webserver, but interestingly, i was only able to reach my container services from from remote, e.g. from another device in the same network. Requests coming from the container host directly are hanging after the TCP Handshake.

Steps to reproduce the issue

Set up a new Instance of Rocky Linux or RHEL 9.2 with podman and firewalld installed
Run a rootfull container serving HTTP: sudo podman run --rm -d --publish 8080:8080 nginxinc/nginx-unprivileged:1.25
Run curl on the same host as the container is running on, using any IP address bound on any local interface (using localhost for simplicity here, but all local addresses are showing the same hanging behaviour): curl -v 127.0.0.1:8080 --max-time 10
Watch as curl does a tcp handshake, but then hangs for 10s

Describe the results you received

curl seems to be able to connect, but then hangs after requesting a page:

$ curl 192.168.10.1:8080 -v --max-time 10
*   Trying 192.168.10.1:8080...
* Connected to 192.168.10.1 (192.168.10.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 192.168.10.1:8080
> User-Agent: curl/7.76.1
> Accept: */*
>
* Operation timed out after 10001 milliseconds with 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

Describe the results you expected

curl shows a HTTP Response almost immediately:

$ curl 192.168.10.1:7011 -v --max-time 10
* About to connect() to 192.168.10.1 port 7011 (#0)
*   Trying 192.168.10.1...
* Connected to 192.168.10.1 (192.168.10.1) port 7011 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.10.1:7011
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.25.2
< Date: Fri, 29 Sep 2023 08:02:14 GMT
< Content-Type: text/html
< Content-Length: 615
< Last-Modified: Tue, 15 Aug 2023 17:03:04 GMT
< Connection: keep-alive
< ETag: "64dbafc8-267"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host 192.168.10.1 left intact

podman info output

host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-1.el9_2.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: 606c693de21bcbab87e31002e46663c5f2dc8a9b'
  cpuUtilization:
    idlePercent: 85.82
    systemPercent: 5.68
    userPercent: 8.5
  cpus: 4
  distribution:
    distribution: '"rhel"'
    version: "9.2"
  eventLogger: file
  hostname: testhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 2105
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 38234
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.0-284.30.1.el9_2.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 4377890816
  memTotal: 16371138560
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.4-1.el9_2.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.4
      commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
      rundir: /run/user/38234/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/38234/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-3.el9.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 8392798208
  swapTotal: 8392798208
  uptime: 19h 57m 47.00s (Approximately 0.79 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
store:
  configFile: /home/myuser/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/myuser/.local/share/containers/storage
  graphRootAllocated: 53660876800
  graphRootUsed: 8276926464
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/38234/containers
  transientStore: false
  volumePath: /home/cottingma/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1692279033
  BuiltTime: Thu Aug 17 15:30:33 2023
  GitCommit: ""
  GoVersion: go1.19.10
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1

containers / podman