roles/dch-gw: Explicitly accept forwarded ports

Marking packets matching port-forwarding rules, and then allowing
traffic carrying that mark did not seem to work well. Often, packets
seemed to get dropped for no apparent reason, and outside connections to
NAT'd services was sometimes slow as a result. Explicitly listing every
destination host/port in the `forward` table seems to resolve this
issue.

roles/dch-gw/templates/forward.nft.j2

@@ -16,7 +16,6 @@ table inet filter {
         iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
         iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
         ip daddr @firemon counter accept
-        mark 323 counter accept
         tcp dport smtp counter reject with icmpx type host-unreachable
         oif {{ internet_iface }} accept
     }

roles/dch-gw/templates/port-forwards.nft.j2

@@ -33,13 +33,21 @@ table ip nat {
     }
 
     chain prerouting {
-        ip daddr $outside_address meta mark set 323 dnat tcp dport map @tcp_forward
+        ip daddr $outside_address dnat tcp dport map @tcp_forward
-        ip daddr $outside_address meta mark set 323 dnat udp dport map @udp_forward
+        ip daddr $outside_address dnat udp dport map @udp_forward
     }
 
     chain postrouting {
 {% for item in nat_port_forwards %}
-        ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} meta mark set 323 masquerade
+        ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} masquerade
+{% endfor %}
+    }
+}
+
+table inet filter {
+    chain forward {
+{% for item in nat_port_forwards %}
+        ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} counter accept
 {% endfor %}
     }
 }