Commit 4fea4c0

Finalize firewalld port forwarding support
There are two major changes here.

Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. This requires two new zones: one in which the actual port forward occurs, and one to allow traffic to 127.0.0.1 to be masqueraded so we can talk to the container from localhost.

Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as #881.

There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before.

Fixes #881

Signed-off-by: Matthew Heon <[email protected]>
1 parent 646bca2 commit 4fea4c0

5 files changed

+626
-238
lines changed

docs/netavark-firewalld.7.md

Lines changed: 2 additions & 2 deletions
@@ -31,9 +31,9 @@ When it is enabled (set to `yes`), port forwarding with root Podman will become
3131
Attempting to start a container or pod with the `-p` or `-P` options will return errors.
3232
When StrictForwardPorts is enabled, all port forwarding must be done through firewalld using the firewall-cmd tool.
3333
This ensures that containers cannot allow traffic through the firewall without administrator intervention.
34-
Please note that rootless Podman is unaffected by this setting, and will function as it always has.
34+
Please note that rootless Podman is unaffected by this setting and will function as it always has.
3535

36-
Instead, containers should be started without forwarded ports specified, and preferably with static IPs.
36+
Instead, containers should be started without forwarded ports specified and preferably with static IPs.
3737

3838
To forward a port externally, the following command should be run, substituting the desired host and container port numbers, protocol, and the container's IP.
3939
```
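Review bot: The only substantive change in this hunk is the removal of two commas (man page lines 34 and 36), yet the commit message describes new firewalld objects that this man page never mentions: a policy accepting traffic from HOST for localhost forwarding, two new zones (one where the port forward happens, one masquerading traffic to 127.0.0.1), and rich rules instead of standard forward-port rules when forwarding from a single IP. An administrator running with StrictForwardPorts, whom this section tells to manage forwarding by hand through firewall-cmd, will find those zones and that policy in their firewalld configuration with nothing in docs/netavark-firewalld.7.md explaining where they came from or whether they may be removed. Suggest adding a short paragraph here naming the zones and the policy and stating which of them netavark creates on its own. The hunk also ends at the opening fence of the "To forward a port externally" example, so the command that follows is not visible in this diff; if a single-IP forward now requires a rich rule rather than the plain forward-port form, that example (or a second one beside it) should show the rich-rule variant so the manual procedure matches what the code generates.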
