feat: add native firewalld support (#1388)

## Summary

- Add native firewalld support for RHEL/Fedora/CentOS systems
- When firewalld is active, use `firewall-cmd --permanent` instead of
raw iptables
- Rules persist across `firewall-cmd --reload`
- Fall back to iptables when firewalld is not active
- Add `After=firewalld.service` to iptables systemd unit for safety

## Changes

**Install:** Detect firewalld, use `firewall-cmd` to add port,
masquerade, and rich rules. Fall back to iptables if inactive.

**Uninstall:** Detect which method was used and clean up accordingly.

**Tests:** Add `fedora-42-firewalld` CI test with firewalld enabled.

---

Closes https://github.com/angristan/openvpn-install/issues/356
Closes https://github.com/angristan/openvpn-install/pull/1200

test/Dockerfile.server

@@ -5,7 +5,10 @@ ARG BASE_IMAGE=ubuntu:24.04
 FROM ${BASE_IMAGE}
 
 ARG BASE_IMAGE
+# Set to "y" to install and enable firewalld for testing
+ARG ENABLE_FIREWALLD=n
 ENV DEBIAN_FRONTEND=noninteractive
+ENV ENABLE_FIREWALLD=${ENABLE_FIREWALLD}
 
 # Install basic dependencies based on the OS
 # dnsutils/bind-utils provides dig for DNS testing with Unbound
@@ -16,10 +19,12 @@ RUN if command -v apt-get >/dev/null; then \
     elif command -v dnf >/dev/null; then \
         dnf install -y --allowerasing \
             iproute iptables curl procps-ng systemd tar gzip bind-utils \
+        && if [ "$ENABLE_FIREWALLD" = "y" ]; then dnf install -y firewalld; fi \
         && dnf clean all; \
     elif command -v yum >/dev/null; then \
         yum install -y \
             iproute iptables curl procps-ng systemd tar gzip bind-utils \
+        && if [ "$ENABLE_FIREWALLD" = "y" ]; then yum install -y firewalld; fi \
         && yum clean all; \
     elif command -v pacman >/dev/null; then \
         pacman -Syu --noconfirm \
@@ -31,6 +36,11 @@ RUN if command -v apt-get >/dev/null; then \
         && zypper clean -a; \
     fi
 
+# Enable firewalld if requested (must be done after systemd is available)
+RUN if [ "$ENABLE_FIREWALLD" = "y" ] && command -v firewall-cmd >/dev/null; then \
+        systemctl enable firewalld; \
+    fi
+
 # Create TUN device (will be mounted at runtime)
 RUN mkdir -p /dev/net
 

test/server-entrypoint.sh

@@ -77,15 +77,22 @@ fi
 # Verify all expected files were created
 echo "Verifying installation..."
 MISSING_FILES=0
-for f in \
-	/etc/openvpn/server/server.conf \
-	/etc/openvpn/server/ca.crt \
-	/etc/openvpn/server/ca.key \
-	"/etc/openvpn/server/$TLS_KEY_FILE" \
-	/etc/openvpn/server/crl.pem \
-	/etc/openvpn/server/easy-rsa/pki/ca.crt \
-	/etc/iptables/add-openvpn-rules.sh \
-	/root/testclient.ovpn; do
+# Build list of required files
+REQUIRED_FILES=(
+	/etc/openvpn/server/server.conf
+	/etc/openvpn/server/ca.crt
+	/etc/openvpn/server/ca.key
+	"/etc/openvpn/server/$TLS_KEY_FILE"
+	/etc/openvpn/server/crl.pem
+	/etc/openvpn/server/easy-rsa/pki/ca.crt
+	/root/testclient.ovpn
+)
+# Only check for iptables script if firewalld is not active
+if ! systemctl is-active --quiet firewalld; then
+	REQUIRED_FILES+=(/etc/iptables/add-openvpn-rules.sh)
+fi
+
+for f in "${REQUIRED_FILES[@]}"; do
 	if [ ! -f "$f" ]; then
 		echo "ERROR: Missing file: $f"
 		MISSING_FILES=$((MISSING_FILES + 1))
@@ -380,21 +387,58 @@ echo ""
 # Verify OpenVPN server (started by systemd via install script)
 echo "Verifying OpenVPN server..."
 
-# Verify iptables NAT rules exist (applied by iptables-openvpn service)
-echo "Verifying iptables NAT rules..."
-for _ in $(seq 1 10); do
-	if iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
-		echo "PASS: NAT POSTROUTING rule for 10.8.0.0/24 exists"
-		break
+# Verify firewall rules exist
+echo "Verifying firewall rules..."
+if systemctl is-active --quiet firewalld; then
+	# firewalld is active - verify masquerade is enabled
+	echo "firewalld detected, checking masquerade..."
+	for _ in $(seq 1 10); do
+		if firewall-cmd --query-masquerade 2>/dev/null; then
+			echo "PASS: firewalld masquerade is enabled"
+			break
+		fi
+		sleep 1
+	done
+	if ! firewall-cmd --query-masquerade 2>/dev/null; then
+		echo "FAIL: firewalld masquerade is not enabled"
+		echo "Current firewalld config:"
+		firewall-cmd --list-all 2>&1 || true
+		exit 1
+	fi
+	# Verify port is open
+	if firewall-cmd --list-ports | grep -q "1194/udp"; then
+		echo "PASS: OpenVPN port is open in firewalld"
+	else
+		echo "FAIL: OpenVPN port not found in firewalld"
+		firewall-cmd --list-ports
+		exit 1
+	fi
+	# Verify VPN subnet rich rule exists
+	if firewall-cmd --list-rich-rules | grep -q 'source address="10.8.0.0/24"'; then
+		echo "PASS: VPN subnet rich rule is configured"
+	else
+		echo "FAIL: VPN subnet rich rule not found in firewalld"
+		echo "Current rich rules:"
+		firewall-cmd --list-rich-rules
+		exit 1
+	fi
+else
+	# iptables mode - verify NAT rules
+	echo "iptables mode, checking NAT rules..."
+	for _ in $(seq 1 10); do
+		if iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
+			echo "PASS: NAT POSTROUTING rule for 10.8.0.0/24 exists"
+			break
+		fi
+		sleep 1
+	done
+	if ! iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
+		echo "FAIL: NAT POSTROUTING rule for 10.8.0.0/24 not found"
+		echo "Current NAT rules:"
+		iptables -t nat -L POSTROUTING -n -v
+		systemctl status iptables-openvpn 2>&1 || true
+		exit 1
 	fi
-	sleep 1
-done
-if ! iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
-	echo "FAIL: NAT POSTROUTING rule for 10.8.0.0/24 not found"
-	echo "Current NAT rules:"
-	iptables -t nat -L POSTROUTING -n -v
-	systemctl status iptables-openvpn 2>&1 || true
-	exit 1
 fi
 
 # Verify IP forwarding is enabled