The deployment target for this commit was GuestOS. To see the full list of files copied from the components/ folder to each ic-os variant, open each variant’s respective .bzl file.
But note that this commit is not a firewall change. Instead, this change whitelists an additional IPv6 prefix for tests that depend on an SSH connection to a development GuestOS image—this change will have no practical effect on production GuestOS images as SSH is disabled. No changes have actually been made to the firewall itself. So you’re correct that the nftables config that I linked to is rarely modified, as it should be.
You are getting at something important, and something that I’ve pushed for internally, which is better organization of our proposal releases. Many changes to the HostOS are included in GuestOS proposals (and same for changes to SetupOS). This is because we release GuestOS proposals every week, so it defaults as our release notes for the whole IC-OS. Then, every few months when we do HostOS releases, the HostOS proposal only includes ic-os changes from the last week or so (and it includes GuestOS changes, as we’ve just seen). This system is imperfect.
My personal vision is to have a weekly “IC-OS” release that would include changes for all IC-OS images, and then after the release is approved by the community, we would do GuestOS/HostOS upgrades based on the latest approved IC-OS release. This is more of DRE’s domain though (@sat).