test: Disable firewalld StrictForwardPorts on RHEL 10

[martinpitt]

RHEL 10 started to break podman -p port forwarding to localhost by default [1]. This was a deliberate change [2][3]. We really don't care about firewalling localhost ports from containers (does anybody really?), so revert back to the previous behaviour (which is still the default on Fedora) of having StrictForwardPorts=no.

This obsoletes our naughty cockpit-project/bots#7291

[1] https://issues.redhat.com/browse/RHEL-72937
[2] https://firewalld.org/2024/11/strict-forward-ports
[3] firewalld/firewalld#1380

---

This should make the four skipped tests green again. After this lands, I'll send a bots PR to drop the naughty.

[martinpitt]

works!

[martinpitt]

Ah, no firewalld on c10s TF

[mvollmer]

Thanks! How annoying!

[mvollmer]

Do we need to restrict this to rhel-10? We could just erase StrictForwardPort settings everywhere.

[mvollmer]

Also, could we install a config snippet that overrides StrictPortForward, instead of having to know which file has the changed OS default?

[martinpitt]

Do we need to restrict this to rhel-10

We don't strictly have to, but as the default is explicitly "no" on Fedora and everywhere else, and this is currently a RHEL 10-ism, I'd rather restrict the hack to that, and learn if it creeps in anywhere else. TBH this is so ridiculously broken that I don't expect this to stay around for long -- this needs to go back to the drawing board.

could we install a config snippet

I'd love to, and that's usually the first thing I look for. Changing big distro-provided conffiles is baaad. But firewalld.conf doesn't seem to have anything that resembles an "include conf.d", nor is there any directory like that. But again, I expect this to be a temporary hack.