add action=accept chain=forward comment="defconf: all WAN not DSTNATed" \
connection-nat-state=dstnat in-interface-list=WAN log=yes