I was working on getting an nginx-based compose stack running under podman w/ IPv6 today and was able to get pretty close using the available info online. https://brandonrozek.com/amp/blog/podman-nginx-tcpv6-http2-ready/ was pretty helpful. However, when all was said and done, using podman-compose 1.0.6 and podman 4.6.2, I ended up in a situation where I could access the published port locally on the host, even using the host's IPv6 address, but the same access didn't work off-host, even though the host + IP were routable.

`ip6tables` did show a few different rules for the container, so netavark seemed to be doing something, but I needed to explicitly add a rule in FORWARD - specifically:

```
ip6tables -I FORWARD -d fd7f:d0f2:f5d:ebdf::4 -p tcp --dport 443 -j ACCEPT
```

The IPv6 addr there is what the container was assigned out of the range that the compose stack's network had configured. There is a netavark rule in the FORWARD chain, but maybe it's not working as intended?

```
Chain FORWARD (policy DROP 104 packets, 7024 bytes)
 pkts bytes target            prot opt in  out  source  destination
[...]
93655 6578K NETAVARK_FORWARD  all      *   *    ::/0    ::/0         /* netavark firewall plugin rules */
```

Any idea why I need to add this additional rule?