feat: add native firewalld support (#1388)

## Summary

- Add native firewalld support for RHEL/Fedora/CentOS systems
- When firewalld is active, use `firewall-cmd --permanent` instead of raw iptables
- Rules persist across `firewall-cmd --reload`
- Fall back to iptables when firewalld is not active
- Add `After=firewalld.service` to iptables systemd unit for safety

## Changes

**Install:** Detect firewalld, use `firewall-cmd` to add port,
masquerade, and rich rules. Fall back to iptables if inactive.

**Uninstall:** Detect which method was used and clean up accordingly.

**Tests:** Add `fedora-42-firewalld` CI test with firewalld enabled.

---

Closes https://github.com/angristan/openvpn-install/issues/356
Closes https://github.com/angristan/openvpn-install/pull/1200
Stanislas
2025-12-13 20:49:40 +01:00
committed by GitHub
parent 9175c2c221
commit d8aa625639
6 changed files with 148 additions and 56 deletions
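The install and uninstall behaviour the summary describes (detect firewalld, use `firewall-cmd --permanent` so rules survive a reload, fall back to raw iptables when firewalld is inactive, and remove rules by whichever method was used) as a stand-alone shell example. This is added illustration, not the project's own `openvpn-install.sh`; the function names, the detection heuristic (`firewall-cmd --state`), the exact rule set and the sample port/subnet/interface values are all assumptions.

```shell
#!/bin/sh
# Added example (not openvpn-install's script): choose firewalld when it is the
# active firewall manager, otherwise fall back to raw iptables, and emit the
# matching add/remove commands. Sample values (1194/udp, 10.8.0.0/24, eth0)
# are constructed; the rule set is an assumption, not the PR's own.
set -eu

# Returns 0 when firewall-cmd exists and firewalld reports that it is running.
firewalld_active() {
  command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1
}

# Prints "firewalld" or "iptables". $1 names the detection function so a test
# can substitute a stub; it defaults to firewalld_active.
choose_firewall_backend() {
  detect=${1:-firewalld_active}
  if "$detect"; then echo firewalld; else echo iptables; fi
}

# Prints firewalld commands. $1=add|remove $2=port $3=proto $4=VPN subnet $5=WAN nic
# --permanent writes the runtime-independent config, so the rules survive
# `firewall-cmd --reload`; the final reload activates them.
firewalld_commands() {
  op=$1; port=$2; proto=$3; subnet=$4
  printf 'firewall-cmd --permanent --%s-port=%s/%s\n' "$op" "$port" "$proto"
  printf 'firewall-cmd --permanent --%s-masquerade\n' "$op"
  printf "firewall-cmd --permanent --%s-rich-rule='rule family=\"ipv4\" source address=\"%s\" masquerade'\n" "$op" "$subnet"
  echo 'firewall-cmd --reload'
}

# Prints iptables commands with the same intent. Install inserts at position 1;
# uninstall deletes by exact rule match, so the two forms must stay in sync.
iptables_commands() {
  op=$1; port=$2; proto=$3; subnet=$4; nic=$5
  case $op in
    add) verb='-I'; pos=' 1' ;;
    remove) verb='-D'; pos='' ;;
    *) echo "unknown op $op" >&2; return 1 ;;
  esac
  printf 'iptables %s INPUT%s -i %s -p %s --dport %s -j ACCEPT\n' "$verb" "$pos" "$nic" "$proto" "$port"
  printf 'iptables -t nat %s POSTROUTING%s -s %s -o %s -j MASQUERADE\n' "$verb" "$pos" "$subnet" "$nic"
  printf 'iptables %s FORWARD%s -i tun0 -o %s -s %s -j ACCEPT\n' "$verb" "$pos" "$nic" "$subnet"
}

# Dispatches to the backend's command generator.
firewall_commands() {
  backend=$1; shift
  case $backend in
    firewalld) firewalld_commands "$@" ;;
    iptables) iptables_commands "$@" ;;
    *) echo "unknown backend $backend" >&2; return 1 ;;
  esac
}

# Detects the backend and applies (or, with DRY_RUN=1, only prints) the commands.
# Usage: apply_firewall add 1194 udp 10.8.0.0/24 eth0
apply_firewall() {
  backend=$(choose_firewall_backend)
  echo "# backend: $backend" >&2
  firewall_commands "$backend" "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
  done
}

# Top-level run is opt-in so the file can be sourced for its functions.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  apply_firewall add 1194 udp 10.8.0.0/24 eth0
fi
```

Recording which backend was used at install time (the PR's uninstall step "detects which method was used") matters because `firewall-cmd --remove-*` and `iptables -D` are not interchangeable: running the wrong one leaves the port and masquerade rule in place after removal.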


@@ -89,6 +89,15 @@ jobs:
name: tls-auth
sig: "3"
key_file: tls-auth.key
# Test firewalld support on Fedora
- os:
name: fedora-42-firewalld
image: fedora:42
enable_firewalld: true
tls:
name: tls-crypt-v2
sig: "1"
key_file: tls-crypt-v2.key
name: ${{ matrix.os.name }}
steps:
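Review bot: the new `fedora-42-firewalld` entry is the only matrix member that sets `enable_firewalld`, so every other entry leaves the key undefined and relies on the build step treating "absent" as "no"; setting `enable_firewalld: false` explicitly on the existing entries (or a short comment stating the default) would make that contract visible in the matrix itself. This entry also pairs the firewalld path with `tls-crypt-v2`, so a red job here does not by itself say whether firewalld or that TLS mode broke; the visible context only shows a `tls-auth` entry, so confirm another job covers `tls-crypt-v2` without firewalld, otherwise consider giving this job a TLS mode that is already tested elsewhere.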
@@ -103,6 +112,7 @@ jobs:
run: |
docker build \
--build-arg BASE_IMAGE=${{ matrix.os.image }} \
--build-arg ENABLE_FIREWALLD=${{ matrix.os.enable_firewalld && 'y' || 'n' }} \
-t openvpn-server \
-f test/Dockerfile.server .
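Review bot: `${{ matrix.os.enable_firewalld && 'y' || 'n' }}` depends on an unset matrix key evaluating as falsy, which GitHub Actions expressions do, but the `&& ... ||` idiom reads as a ternary and nothing here says so; a one-line comment above `docker build` noting that the build arg defaults to `n` when the key is absent would save the next reader a lookup. The new `--build-arg ENABLE_FIREWALLD=...` only takes effect if `test/Dockerfile.server` declares `ARG ENABLE_FIREWALLD` and acts on it; that file is not in this hunk, so confirm the matching Dockerfile change is part of the same PR, otherwise the firewalld job would silently exercise the iptables fallback.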