I haven’t dug too far into the bowels of the firewall code, but I was wondering if it would be possible to make DNAT (or SNAT) a valid “state” on firewall rules.
The goal would be to have ONE firewall rule that would allow any DNAT connection. This would save a lot of duplication of work when you create a NAT rule.
From what I know of netfilter, DNAT is just another state along with ESTABLISHED, NEW, etc.
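As an added example (not code from the original post or from the firewall it is about), here is what that single rule looks like on a plain iptables host, where the conntrack match already exposes DNAT and SNAT as virtual states next to NEW and ESTABLISHED. The interface names, ports and backend addresses are assumed sample values; the script prints the rules unless run with `--apply`.

```shell
#!/bin/sh
# Added example, not code from the original post. It assumes an iptables
# firewall with the conntrack match (-m conntrack) available; the interface
# names, ports and backend addresses are made-up sample values.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# Run a command, or only print it when DRY_RUN is set, so the generated
# ruleset can be reviewed on a machine without iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a rule unless an identical one already exists (iptables -C exits 0
# when it does), so re-running the script never duplicates rules.
add_rule() {
    table=$1
    shift
    if [ -n "${DRY_RUN:-}" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# One port forward = one nat-table DNAT rule. No per-forward filter rule is
# written here; the single rule in dnat_accept_rule covers all of them.
port_forward() {
    proto=$1
    dport=$2
    target=$3
    add_rule nat PREROUTING -i "$WAN" -p "$proto" --dport "$dport" \
        -j DNAT --to-destination "$target"
}

# The "one rule for every DNAT connection": --ctstate DNAT is a virtual
# conntrack state that matches any connection whose original destination
# differs from its reply source, i.e. anything a DNAT (or REDIRECT) target
# rewrote. nat PREROUTING runs before filter FORWARD, so even the first
# packet of a new forwarded connection already carries that status here.
# Pinning it to WAN->LAN keeps it from also admitting connections that were
# DNATed elsewhere, such as redirects of LAN-originated traffic.
dnat_accept_rule() {
    add_rule filter FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate DNAT -j ACCEPT
}

apply_rules() {
    # Default-deny forwarding; reply traffic for anything already allowed.
    run iptables -P FORWARD DROP
    add_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    dnat_accept_rule
    # Sample forwards (constructed): web, ssh and WireGuard to internal hosts.
    port_forward tcp 80 192.0.2.10:8080
    port_forward tcp 2222 192.0.2.11:22
    port_forward udp 51820 192.0.2.12:51820
}

# Print the ruleset unless explicitly asked to apply it.
[ "${1:-}" = "--apply" ] || DRY_RUN=1
apply_rules
```

Two caveats for anyone using this: the virtual state is set by any rewrite of the destination, so a REDIRECT rule (for example a transparent proxy) marks its connections DNAT as well, which is why the accept rule is pinned to the WAN-to-LAN direction rather than left open; and the same idea exists for the other direction as `--ctstate SNAT`. On nftables the equivalent match is `ct status dnat`.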