Finalize firewalld port forwarding support

There are two major changes here.

Firstly, this adds proper support for port forwarding from
localhost via a new policy accepting traffic from HOST. This is
the last bit we were missing from the original port-forwarding
implementation.

This requires two new zones: one in which the actual port forward
occurs, and one to allow traffic to 127.0.0.1 to be masqeuraded
so we can talk to the container from localhost.

Secondly, this fixes a bug where we generated incorrect rules
when port-forwarding from a single IP. Instead of doing standard
port-forwarding rules, those need rich rules. This was reported
as #881.

There are also some small code cleanups in how we handle setting
up and tearing down port forwarding. It's still rather ugly, but
at least a little better than it was before.

Fixes #881

Signed-off-by: Matthew Heon <matthew.heon@pm.me>