Do we know where the extra iptables rules are coming from?

I don't see anything firewall related in: roles/copr/hypervisor/*

I don't think we add anything ourselves? Libvirt though modifies iptables on VM boot/termination. Is libvirt known to work with nftables correctly?
We need to make VMs globally accessible over ipv6, and ipv4 over libvirt NAT.

It definitely does in rhel9... but I am reminded that those machines are rhel8 still. Perhaps thats the issue?

Could be?

This comment won't make the decision easier, but sooner or later we should have some firewall managed "centrally" for all our VMs on hypervisors, and I've seen even the RHEL9 libvirt (and not yet fixed for C10S) having troubles with modern firewall.

The nftables issue on Fedora was analyzed by Laine here:
https://github.com/fedora-copr/copr/issues/3945
And I was able to make it work with the suggested custom nft rules.

We still have to keep iptables on RHEL 8 machines, though.

See also: https://matrix.to/#/!JMiyDwIilrGoiSmkqy:matrix.org/$ZZTjf32bR00NDJ7CTDRHGIm_a3F5iJ5kkulOMlNUSkM?via=fedora.im&via=matrix.org&via=envs.net

ok, so should we just close this now I guess?

reopen if there's anymore to do.