In accordance with https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/s2-nfs-nfs-firewall-config the callback port on the client does not need to be opened to the NFS server in NFSv4.1+.
The nfs::client::mount::connection define should take this into account when configuring IPTables.
Additionally, users may get an error when attempting to use firewalld since it does not support hostnames (granted, our hostname support in IPTables was a massive hack as well).
This should probably be opened to the world by default since there is no way to know what the IP of an NFS cluster is going to be. We can then rely on xinetd and/or systemd to do the hostname-based filtering.
If the mount option simply specifies the major NFS version, the actual version used will be negotiated with the NFS server. So, the only way we cannot open up the callback port is if the mount also specifies an explicit minor version that is not '0'.
I suspect most users will not specify an explicit NFS minor version, because they may not know which versions are allowed in the NFS server. So, adding the extra logic (and a real test for it) may not be worth the effort.
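The decision rule discussed above, as an added Ruby example that is not part of the ticket or of the module's code: the callback port can stay closed only when the mount options pin an NFSv4 minor version other than 0. The helper names `explicit_nfs_version` and `callback_port_needed?` are hypothetical, and the option spellings (`nfsvers=`, `vers=`, `minorversion=`) are assumed to follow nfs(5).

```ruby
# Added example; not code from the module discussed in the ticket.
# Assumption: the mount is NFSv4 and its options use the nfs(5) spellings
# nfsvers=/vers= (optionally "major.minor") and minorversion=.

# Returns [major, minor]; either is nil when the options leave it unspecified.
# Later options override earlier ones.
def explicit_nfs_version(options)
  major = minor = nil
  options.to_s.split(',').map(&:strip).each do |opt|
    key, value = opt.split('=', 2)
    case key
    when 'nfsvers', 'vers'
      m = /\A(\d+)(?:\.(\d+))?\z/.match(value.to_s)
      raise ArgumentError, "unparseable NFS version: #{opt}" unless m
      major = m[1].to_i
      minor = m[2].to_i if m[2]
    when 'minorversion'
      unless value.to_s =~ /\A\d+\z/
        raise ArgumentError, "unparseable minor version: #{opt}"
      end
      minor = value.to_i
    end
  end
  [major, minor]
end

# True when the client's callback port must be reachable from the NFS server.
def callback_port_needed?(options)
  major, minor = explicit_nfs_version(options)
  if major && major != 4
    raise ArgumentError, 'only NFSv4 mounts are covered here'
  end
  # No minor version pinned: the version is negotiated with the server and
  # may end up as 4.0, so the port has to stay open.
  return true if minor.nil?
  minor.zero?
end

# Constructed sample option strings, not taken from a real system.
['rw,nfsvers=4', 'nfsvers=4.0', 'nfsvers=4.1,sec=sys', 'vers=4,minorversion=2'].each do |o|
  puts format('%-24s callback port needed: %s', o, callback_port_needed?(o))
end
```
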