
Extend '--add-forward-port' (and the forward-port rich rule) to support the REDIRECT target #78

Closed
hwoarang opened this issue Feb 4, 2016 · 1 comment
Labels
feature New feature or enhancement.
Milestone

Comments

hwoarang (Contributor) commented Feb 4, 2016

There is an interesting case when using --add-forward-port or the forward-port rich rule.

Assume an existing REDIRECT iptables rule

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

One may think that the equivalent in firewalld would be

rule family=ipv4 forward-port port=80 protocol=tcp to-port=3128

This is not quite right as it would generate

-A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination :3128

--to-destination :port actually rewrites the port on the packet but leaves the destination address intact. The only way around this is to explicitly set the destination address (to-addr) in the rich rule, but this is not as flexible as the REDIRECT target: if the machine's IP changes the rule has to be updated, whereas REDIRECT does that automatically.

Since the destination IP is an optional argument, it would make sense for forward-port to support the REDIRECT target, at least in the rich rule format. How about an extended syntax

forward-port port="" protocol="tcp|udp" to-port="" to-addr="redirect"

so a REDIRECT target can be generated instead?

Finally, it would be nice to add support for REDIRECT (and DNAT) in the OUTPUT chain as well.

hwoarang referenced this issue in hwoarang/yast-firewall Mar 10, 2016
@t-woerner t-woerner added this to the 0.4.4 milestone Jun 16, 2016
@t-woerner t-woerner modified the milestones: 0.4.5, 0.4.4 Oct 26, 2016
@erig0 erig0 added the feature New feature or enhancement. label Jun 1, 2018
erig0 (Collaborator) commented Apr 27, 2020

The nftables backend does indeed use "redirect" if to-addr is not specified.

if toaddr:
    if check_single_address("ipv6", toaddr):
        toaddr = normalizeIP6(toaddr)  # canonicalise the IPv6 address
    if toport and toport != "":
        # to-addr and to-port both given: dnat to addr:port
        expr_fragments.append({"dnat": {"addr": toaddr, "port": self._port_fragment(toport)}})
    else:
        # only to-addr given: dnat to addr, port unchanged
        expr_fragments.append({"dnat": {"addr": toaddr}})
else:
    # no to-addr: emit an nftables "redirect" to the local address on to-port
    expr_fragments.append({"redirect": {"port": self._port_fragment(toport)}})
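To make the dnat-versus-redirect choice above concrete, here is an added illustrative translator (not firewalld's own code) that parses a forward-port rich rule, builds the nftables expression shape quoted by erig0, and renders the equivalent iptables nat target; the helper names are assumptions and the rule strings are constructed.

```python
import re

# Added illustrative example (not firewalld's own code): turn the attributes
# of a forward-port rich rule into the nftables nat expression shape quoted
# above, and into the equivalent iptables nat target.

_ATTR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_forward_port(rule):
    """Parse a forward-port rich rule into a dict of its attributes."""
    if "forward-port" not in rule.split():
        raise ValueError("not a forward-port rich rule")
    attrs = {k: v.strip('"') for k, v in _ATTR.findall(rule)}
    if "port" not in attrs or "protocol" not in attrs:
        raise ValueError("forward-port needs port= and protocol=")
    if attrs["protocol"] not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    return attrs

def _port_fragment(port):
    # "3128" -> 3128 ; "8000-8010" -> {"range": [8000, 8010]}
    if "-" in port:
        lo, hi = port.split("-", 1)
        return {"range": [int(lo), int(hi)]}
    return int(port)

def nat_fragment(attrs):
    """nftables nat expression: dnat when to-addr is set, redirect otherwise."""
    toaddr, toport = attrs.get("to-addr", ""), attrs.get("to-port", "")
    if toaddr:
        if toport:
            return {"dnat": {"addr": toaddr, "port": _port_fragment(toport)}}
        return {"dnat": {"addr": toaddr}}
    if not toport:
        raise ValueError("redirect needs to-port=")
    return {"redirect": {"port": _port_fragment(toport)}}

def _port_text(p):
    return "%d-%d" % tuple(p["range"]) if isinstance(p, dict) else str(p)

def iptables_target(frag):
    """Equivalent iptables nat target for a fragment from nat_fragment()."""
    if "redirect" in frag:
        return "-j REDIRECT --to-ports " + _port_text(frag["redirect"]["port"])
    dnat = frag["dnat"]
    if "port" in dnat:
        return "-j DNAT --to-destination %s:%s" % (dnat["addr"], _port_text(dnat["port"]))
    return "-j DNAT --to-destination " + dnat["addr"]
```

With no to-addr the rule from the opening comment yields a redirect, which is the REDIRECT behaviour the issue asks for; adding to-addr switches it to a fixed-address DNAT.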
