diff --git a/nftables/acl_security.pl b/nftables/acl_security.pl
index eedad70c9..51b413480 100644
--- a/nftables/acl_security.pl
+++ b/nftables/acl_security.pl
@@ -36,10 +36,13 @@ print ui_table_row(
 
 foreach my $a (
 	qw(view active create setup chains sets rules raw delete
-	   apply bootup import clear quick manual)
+	   apply bootup import clear quick quick_ip quick_port
+	   quick_service quick_forward manual)
     )
 {
-	print ui_table_row($text{'acl_'.$a}, ui_yesno_radio($a, $o->{$a}));
+	my $enabled = $o->{$a};
+	$enabled = $o->{'quick'} if ($a =~ /^quick_/ && !defined($enabled));
+	print ui_table_row($text{'acl_'.$a}, ui_yesno_radio($a, $enabled));
 	}
 }
 
@@ -58,7 +61,8 @@ else {
 	}
 foreach my $a (
 	qw(view active create setup chains sets rules raw delete
-	   apply bootup import clear quick manual)
+	   apply bootup import clear quick quick_ip quick_port
+	   quick_service quick_forward manual)
     )
 {
 	$_[0]->{$a} = $in{$a} || 0;
diff --git a/nftables/defaultacl b/nftables/defaultacl
index 0547aaebb..721cfe05b 100644
--- a/nftables/defaultacl
+++ b/nftables/defaultacl
@@ -13,4 +13,8 @@ bootup=1
 import=1
 clear=1
 quick=1
+quick_ip=1
+quick_port=1
+quick_service=1
+quick_forward=1
 manual=1
diff --git a/nftables/edit_rule.cgi b/nftables/edit_rule.cgi
index 3b1a82e9f..1bf2a1371 100755
--- a/nftables/edit_rule.cgi
+++ b/nftables/edit_rule.cgi
@@ -32,6 +32,8 @@ my $saddr_val;
 my $daddr_val;
 my $sport_val;
 my $dport_val;
+my $nat_addr_val;
+my $nat_port_val;
 my @addr_set_opts;
 my @port_set_opts;
 my %set_families;
@@ -99,6 +101,8 @@ $saddr_val = $saddr_set ? "" : $rule->{'saddr'};
 $daddr_val = $daddr_set ? "" : $rule->{'daddr'};
 $sport_val = $sport_set ? "" : $rule->{'sport'};
 $dport_val = $dport_set ? "" : $rule->{'dport'};
+$nat_addr_val = $rule->{'nat_addr'};
+$nat_port_val = $rule->{'nat_port'};
 
 @addr_set_opts = (["", $text{'edit_set_none'}]);
 @port_set_opts = (["", $text{'edit_set_none'}]);
@@ -198,20 +202,39 @@ print ui_table_row(
 );
 
 # Action
+my $show_nat_actions =
+    ($chain_def && (($chain_def->{'type'} || '') eq 'nat')) ||
+    ($action_sel && $action_sel =~ /^(redirect|dnat)$/);
+my @action_opts = (
+	["accept", $text{'index_accept'}],
+	["drop", $text{'index_drop'}],
+	["reject", $text{'index_reject'}],
+	["return", $text{'edit_return'}],
+);
+push(@action_opts,
+	["redirect", $text{'edit_redirect_action'}],
+	["dnat", $text{'edit_dnat_action'}])
+    if ($show_nat_actions);
+push(@action_opts,
+	["jump", $text{'edit_jump_action'}],
+	["goto", $text{'edit_goto_action'}]);
 print ui_table_row(
 	hlink($text{'edit_action'}, "action"),
-	ui_select(
-		"action",
-		$action_sel,
-		[
-			["accept", $text{'index_accept'}],
-			["drop", $text{'index_drop'}],
-			["reject", $text{'index_reject'}],
-			["return", $text{'edit_return'}],
-			["jump", $text{'edit_jump_action'}],
-			["goto", $text{'edit_goto_action'}],
-		]
-	)
+	ui_select("action", $action_sel, \@action_opts)
+);
+
+my $nat_show = $action_sel && $action_sel =~ /^(redirect|dnat)$/;
+my $nat_addr_style = $action_sel && $action_sel eq 'dnat' ? "" : " style='display:none'";
+my $nat_port_style = $nat_show ? "" : " style='display:none'";
+print ui_table_row(
+	hlink($text{'edit_nat_addr'}, "nat_addr"),
+	ui_textbox("nat_addr", $nat_addr_val, 30),
+	undef, undef, ["id='nftables_nat_addr_row'".$nat_addr_style]
+);
+print ui_table_row(
+	hlink($text{'edit_nat_port'}, "nat_port"),
+	ui_textbox("nat_port", $nat_port_val, 10),
+	undef, undef, ["id='nftables_nat_port_row'".$nat_port_style]
 );
 
 # Addresses
@@ -400,6 +423,9 @@ my $icmpv6_js = js_array(@icmpv6_types);
 my $icmp_any = $text{'edit_proto_any'};
 $icmp_any =~ s/\\/\\\\/g;
 $icmp_any =~ s/"/\\"/g;
+my $table_family = $table->{'family'} || '';
+$table_family =~ s/\\/\\\\/g;
+$table_family =~ s/"/\\"/g;
 my $set_fam_js = js_object(%set_families);
 
 print "<script>\n";
@@ -407,6 +433,7 @@ print "(function() {\n";
 print "  var icmpTypes = $icmp_js;\n";
 print "  var icmpv6Types = $icmpv6_js;\n";
 print "  var icmpAnyLabel = \"$icmp_any\";\n";
+print "  var tableFamily = \"$table_family\";\n";
 print "  var setFamilies = $set_fam_js;\n";
 print <<'EOF';
   function byName(name) {
@@ -454,6 +481,13 @@ print <<'EOF';
   function guessFamily(addr) {
     return addr.indexOf(":") >= 0 ? "ip6" : "ip";
   }
+  function natTarget(addr, port) {
+    if (addr) {
+      if (port) return addr.indexOf(":") >= 0 ? "[" + addr + "]:" + port : addr + ":" + port;
+      return addr;
+    }
+    return port ? ":" + port : "";
+  }
   function familyForSet(name) {
     return setFamilies && setFamilies[name] ? setFamilies[name] : "";
   }
@@ -468,6 +502,7 @@ print <<'EOF';
   function buildRule() {
     var direct = byName("edit_direct");
     if (direct && direct.checked) return;
+    toggleNatFields();
     var parts = [];
 
     var iif = ifaceVal("iif");
@@ -573,6 +608,19 @@ print <<'EOF';
     var go = val("goto");
     if (action === "jump" && jump) parts.push("jump " + jump);
     else if (action === "goto" && go) parts.push("goto " + go);
+    else if (action === "redirect") {
+      var redirectTarget = natTarget("", val("nat_port"));
+      parts.push(redirectTarget ? "redirect to " + redirectTarget : "redirect");
+    }
+    else if (action === "dnat") {
+      var natAddr = val("nat_addr");
+      var natPort = val("nat_port");
+      var dnatTarget = natTarget(natAddr, natPort);
+      var dnatExpr = "dnat";
+      if (natAddr && tableFamily === "inet") dnatExpr += " " + guessFamily(natAddr);
+      if (dnatTarget) dnatExpr += " to " + dnatTarget;
+      parts.push(dnatExpr);
+    }
     else if (action && action !== "jump" && action !== "goto") parts.push(action);
 
     var comment = val("comment");
@@ -603,6 +651,17 @@ print <<'EOF';
     if (!on) buildRule();
   }
 
+  function setRowVisible(id, visible) {
+    var el = document.getElementById(id);
+    if (el) el.style.display = visible ? "" : "none";
+  }
+
+  function toggleNatFields() {
+    var action = val("action");
+    setRowVisible("nftables_nat_addr_row", action === "dnat");
+    setRowVisible("nftables_nat_port_row", action === "redirect" || action === "dnat");
+  }
+
   function uniqList(list) {
     var seen = {};
     var out = [];
@@ -683,6 +742,7 @@ print <<'EOF';
       el.addEventListener("input", buildRule);
       el.addEventListener("change", buildRule);
     }
+    toggleNatFields();
     updateIcmpTypes();
     toggleDirect();
     buildRule();
diff --git a/nftables/index.cgi b/nftables/index.cgi
index c79eb13aa..956b8391b 100755
--- a/nftables/index.cgi
+++ b/nftables/index.cgi
@@ -18,10 +18,301 @@ if (!$can_view_saved &&
 	}
 my $partial = $in{'partial'};
 if (!$partial) {
-	ui_print_header(nft_version_text(), $text{'index_title'}, "", "intro", 1, 1,
-		undef, restart_button());
+	ui_print_header(nft_version_text() || "", 
+			$text{'index_title'}, "", "intro", 1, 1,
+			undef, restart_button());
 	}
 
+# quick_hidden_fields(table-index, &table, selected-view)
+# Returns hidden table selectors for quick action forms
+sub quick_hidden_fields
+{
+my ($idx, $table, $view) = @_;
+return ui_hidden("table", $idx).
+       ui_hidden("table_family", $table->{'family'}).
+       ui_hidden("table_name", $table->{'name'}).
+       ui_hidden("view", $view);
+}
+
+# quick_service_autocomplete()
+# Returns the quick service textbox and JavaScript-backed matcher
+sub quick_service_autocomplete
+{
+my $placeholder = quote_escape($text{'quick_service_placeholder'});
+my $results_style = "display: none; position: absolute; z-index: 1000; ".
+       "left: 0; right: auto; width: 100%; min-width: 0; ".
+       "max-height: 18em; overflow: auto; ".
+       "border: 1px solid var(--border-color-input-results, ".
+       "var(--border-color-input, #3f4855)); ".
+       "border-radius: var(--border-radius-input, 3px); ".
+       "background-color: var(--bg-color-input, #fff); ".
+       "color: var(--text-color, inherit);";
+my $results = ui_tag('div', undef, {
+	'id' => 'nftables_quick_service_results',
+	'role' => 'listbox',
+	'style' => $results_style,
+});
+my $input = ui_textbox(
+	       "service_text",
+	       "",
+	       32,
+	       undef,
+	       undef,
+	       "autocomplete='off' placeholder='".$placeholder."'"
+       );
+my $wrap = ui_tag('span', $input.$results, {
+	'id' => 'nftables_quick_service_wrap',
+	'style' => 'position: relative; display: inline-block; max-width: 100%;',
+});
+return ui_hidden("service", "").
+       $wrap.
+       quick_service_autocomplete_javascript();
+}
+
+# quick_service_autocomplete_javascript()
+# Returns JavaScript for the quick service autocomplete widget
+sub quick_service_autocomplete_javascript
+{
+my $labels = convert_to_json({
+	'no_matches' => $text{'quick_service_nomatch'},
+	'failed' => $text{'quick_service_searchfail'},
+});
+my $js = <<EOF;
+(function() {
+var labels = $labels;
+if (!window.fetch) {
+	return;
+}
+var mode = document.querySelector('form[action="manage_port.cgi"] input[name="mode"][value="service"]');
+if (!mode || !mode.form) {
+	return;
+}
+var form = mode.form;
+var input = form.querySelector('input[name="service_text"]');
+var hidden = form.querySelector('input[name="service"]');
+var box = document.getElementById('nftables_quick_service_results');
+if (!input || !hidden || !box) {
+	return;
+}
+var timer = null;
+var serial = 0;
+var currentQuery = "";
+var results = [];
+var active = -1;
+
+function trim(value) {
+	return (value || "").replace(/^\\s+|\\s+\$/g, "");
+}
+
+function showBox() {
+	placeBox();
+	box.style.display = "block";
+}
+
+function hideBox() {
+	box.style.display = "none";
+	box.textContent = "";
+	results = [];
+	active = -1;
+}
+
+function placeBox() {
+	var rect = input.getBoundingClientRect();
+	var below = window.innerHeight - rect.bottom;
+	var above = rect.top;
+	box.style.width = input.offsetWidth + "px";
+	var preferred = Math.min(box.scrollHeight || 288, 288);
+	if (below < preferred && above >= preferred) {
+		box.style.top = "auto";
+		box.style.bottom = (input.offsetHeight + 2) + "px";
+	}
+	else {
+		box.style.top = (input.offsetHeight + 2) + "px";
+		box.style.bottom = "auto";
+	}
+}
+
+function styleRow(row, selected) {
+	row.style.padding = "0.25em 0.45em";
+	row.style.cursor = "pointer";
+	row.style.whiteSpace = "nowrap";
+	row.style.overflow = "hidden";
+	row.style.textOverflow = "ellipsis";
+	row.style.borderTop = "1px solid var(--border-color-input-results, #3f4855)";
+	row.style.backgroundColor = selected ?
+		"var(--bg-color-input-results-hover, rgba(127,127,127,0.16))" :
+		"";
+}
+
+function setActive(index) {
+	active = index;
+	var rows = box.querySelectorAll('[data-service-id]');
+	for (var i = 0; i < rows.length; i++) {
+		styleRow(rows[i], i === active);
+	}
+	var row = rows[active];
+	if (row) {
+		var top = row.offsetTop;
+		var bottom = top + row.offsetHeight;
+		if (top < box.scrollTop) {
+			box.scrollTop = top;
+		}
+		else if (bottom > box.scrollTop + box.clientHeight) {
+			box.scrollTop = bottom - box.clientHeight;
+		}
+	}
+}
+
+function choose(item) {
+	if (!item) {
+		return;
+	}
+	hidden.value = item.id || "";
+	input.value = item.label || item.id || "";
+	hideBox();
+}
+
+function message(text) {
+	box.textContent = "";
+	var row = document.createElement("div");
+	row.textContent = text;
+	row.style.padding = "0.25em 0.45em";
+	row.style.fontStyle = "italic";
+	box.appendChild(row);
+	results = [];
+	active = -1;
+	showBox();
+}
+
+function draw(items, query) {
+	box.textContent = "";
+	results = items || [];
+	if (!results.length) {
+		if (query) {
+			message(labels.no_matches);
+		}
+		else {
+			hideBox();
+		}
+		return;
+	}
+	results.forEach(function(item, index) {
+		var row = document.createElement("div");
+		row.setAttribute("role", "option");
+		row.setAttribute("data-service-id", item.id || "");
+		row.textContent = item.label || item.id || "";
+		styleRow(row, false);
+		row.addEventListener("mousedown", function(event) {
+			event.preventDefault();
+			choose(item);
+		});
+		row.addEventListener("mousemove", function() {
+			setActive(index);
+		});
+		box.appendChild(row);
+	});
+	showBox();
+	setActive(0);
+}
+
+function search() {
+	var query = trim(input.value);
+	currentQuery = query;
+	if (!query) {
+		hideBox();
+		return;
+	}
+	var mySerial = ++serial;
+	fetch("search_services.cgi?q=" + encodeURIComponent(query) + "&limit=20", {
+		credentials: "same-origin"
+	}).then(function(response) {
+		if (!response.ok) {
+			throw new Error("service search failed");
+		}
+		return response.json();
+	}).then(function(items) {
+		if (mySerial !== serial || query !== currentQuery) {
+			return;
+		}
+		draw(items, query);
+	}).catch(function() {
+		if (mySerial === serial) {
+			message(labels.failed);
+		}
+	});
+}
+
+input.addEventListener("input", function() {
+	hidden.value = "";
+	if (timer) {
+		clearTimeout(timer);
+	}
+	timer = setTimeout(search, 200);
+});
+
+input.addEventListener("focus", function() {
+	if (trim(input.value) && !hidden.value) {
+		search();
+	}
+});
+
+input.addEventListener("keydown", function(event) {
+	var open = box.style.display !== "none";
+	if (!open) {
+		return;
+	}
+	if (event.key === "ArrowDown") {
+		event.preventDefault();
+		if (results.length) {
+			setActive((active + 1) % results.length);
+		}
+	}
+	else if (event.key === "ArrowUp") {
+		event.preventDefault();
+		if (results.length) {
+			setActive((active + results.length - 1) % results.length);
+		}
+	}
+	else if (event.key === "Enter" && active >= 0 && results[active]) {
+		event.preventDefault();
+		choose(results[active]);
+	}
+	else if (event.key === "Escape") {
+		hideBox();
+	}
+});
+
+form.addEventListener("submit", function() {
+	if (!hidden.value) {
+		hidden.value = trim(input.value);
+	}
+});
+
+document.addEventListener("mousedown", function(event) {
+	var wrap = document.getElementById("nftables_quick_service_wrap");
+	if (wrap && !wrap.contains(event.target)) {
+		hideBox();
+	}
+});
+
+window.addEventListener("resize", function() {
+	if (box.style.display !== "none") {
+		placeBox();
+	}
+});
+
+window.addEventListener("scroll", function() {
+	if (box.style.display !== "none") {
+		placeBox();
+	}
+}, true);
+})();
+EOF
+return ui_tag('script', $js, {
+	'type' => 'text/javascript',
+});
+}
+
 # Check for nft command
 my $cmd = get_nft_command();
 if (!$cmd) {
@@ -443,29 +734,103 @@ else {
 			}
 		$rules_html .= ui_tabs_end(1);
 
-		if (check_acl('quick') && find_input_chain($curr)) {
-			my $ip_placeholder =
-			    text('quick_ip_placeholder', '1.2.3.4', '2001:db8::1/64');
-			foreach my $action (
-				['allow', $text{'index_allowip_go'}],
-				['block', $text{'index_blockip_go'}],
-			    )
-			{
+		if (check_quick_acl() && !table_supports_quick_l4($curr)) {
+			my @proto_opts = (
+				['tcp', 'TCP'],
+				['udp', 'UDP'],
+			);
+			my $has_input_chain = find_input_chain($curr) ? 1 : 0;
+			if ($has_input_chain) {
+				my $ip_placeholder =
+				    text('quick_ip_placeholder', '1.2.3.4', '2001:db8::1/64');
+				if (check_quick_acl('ip')) {
+					foreach my $action (
+						['allow', $text{'index_allowip_go'}],
+						['block', $text{'index_blockip_go'}],
+					    )
+					{
+						$rules_html .=
+						    "<br>".ui_form_start("manage_ip.cgi", "post");
+						$rules_html .= quick_hidden_fields($in{'table'}, $curr, $tab);
+						$rules_html .= ui_submit($action->[1], $action->[0]).
+						    ui_textbox(
+							"ip",
+							undef,
+							22,
+							undef,
+							undef,
+							"placeholder='".
+							    quote_escape($ip_placeholder)."'"
+						    );
+						$rules_html .= ui_form_end();
+						}
+					}
+				if (check_quick_acl('port')) {
+					$rules_html .=
+					    "<br>".ui_form_start("manage_port.cgi", "post");
+					$rules_html .= quick_hidden_fields($in{'table'}, $curr, $tab);
+					$rules_html .= ui_hidden("mode", "port");
+					$rules_html .= ui_submit($text{'index_allowport_go'}, "allow_port").
+					    ui_textbox(
+						"port",
+						undef,
+						14,
+						undef,
+						undef,
+						"placeholder='".
+						    quote_escape($text{'quick_port_placeholder'})."'"
+					    ).
+					    " ".
+					    ui_select("proto", "tcp", \@proto_opts, 1, 0, 1);
+					$rules_html .= ui_form_end();
+					}
+
+				if (check_quick_acl('service')) {
+					$rules_html .=
+					    "<br>".ui_form_start("manage_port.cgi", "post");
+					$rules_html .= quick_hidden_fields($in{'table'}, $curr, $tab);
+					$rules_html .= ui_hidden("mode", "service");
+					$rules_html .=
+					    ui_submit($text{'index_allowservice_go'},
+						    "allow_service").
+					    quick_service_autocomplete();
+					$rules_html .= ui_form_end();
+					}
+				}
+			if (check_quick_acl('forward')) {
 				$rules_html .=
-				    "<br>".ui_form_start("manage_ip.cgi", "post");
-				$rules_html .= ui_hidden("table", $in{'table'});
-				$rules_html .=
-				    ui_hidden("table_family", $curr->{'family'});
-				$rules_html .= ui_hidden("table_name", $curr->{'name'});
-				$rules_html .= ui_submit($action->[1], $action->[0]).
+				    "<br>".ui_form_start("manage_forward.cgi", "post");
+				$rules_html .= quick_hidden_fields($in{'table'}, $curr, $tab);
+				$rules_html .= ui_submit($text{'index_forward_go'}, "forward").
 				    ui_textbox(
-					"ip",
+					"src_port",
 					undef,
-					22,
+					10,
 					undef,
 					undef,
-					"placeholder='".
-					    quote_escape($ip_placeholder)."'"
+					"placeholder='".quote_escape($text{'quick_forward_src'})."'"
+				    ).
+				    " ".
+				    ui_select("proto", "tcp", \@proto_opts, 1, 0, 1).
+				    " ".
+				    $text{'quick_forward_to'}.
+				    " ".
+				    ui_textbox(
+					"dst_port",
+					undef,
+					10,
+					undef,
+					undef,
+					"placeholder='".quote_escape($text{'quick_forward_dst'})."'"
+				    ).
+				    " ".
+				    ui_textbox(
+					"dst_addr",
+					undef,
+					32,
+					undef,
+					undef,
+					"placeholder='".quote_escape($text{'quick_forward_addr'})."'"
 				    );
 				$rules_html .= ui_form_end();
 				}
diff --git a/nftables/lang/en b/nftables/lang/en
index 98a19cade..7d044b08d 100644
--- a/nftables/lang/en
+++ b/nftables/lang/en
@@ -58,14 +58,37 @@ index_edit_manual=Edit Config Files
 index_edit_manualdesc=Edit saved nftables configuration files manually.
 index_allowip_go=Allow IP/CIDR
 index_blockip_go=Block IP/CIDR
+index_allowport_go=Add allowed port
+index_allowservice_go=Add allowed service
+index_forward_go=Add port forward
 quick_ip_placeholder=$1 or $2
+quick_port_placeholder=80 or 8000-8080
+quick_service_placeholder=ssh, http or dns
+quick_service_nomatch=No matching services
+quick_service_searchfail=Service lookup failed
+quick_forward_src=from port
+quick_forward_to=to
+quick_forward_dst=port
+quick_forward_addr=destination IP, blank for this system
+quick_source_ports=source
 quick_allow_err=Failed to allow IP/CIDR
 quick_block_err=Failed to block IP/CIDR
+quick_port_err=Failed to add allowed port
+quick_service_err=Failed to add allowed service
+quick_forward_err=Failed to add port forward
 quick_eaction=No quick action selected.
 quick_etable=No such table selected.
 quick_echain=Table $1 has no input chain to add this rule to.
-quick_efamily=Table $1 cannot contain IP source address rules.
+quick_efamily=Table $1 cannot contain these quick firewall rules.
 quick_eip=Enter a valid IPv4 or IPv6 address, with an optional CIDR prefix.
+quick_eport=Enter a valid TCP or UDP port number, or a range like 8000-8080.
+quick_eportrange=Port ranges must start with a lower port number.
+quick_eproto=Select TCP or UDP as the network protocol.
+quick_eservice=Enter or select a valid service to allow.
+quick_eservice_empty=Service $1 has no usable TCP, UDP or protocol definitions for nftables.
+quick_eforward_addr=Enter a valid IPv4 or IPv6 destination address, without a CIDR prefix.
+quick_eforward_family=Table $1 cannot forward to that destination address family.
+quick_eforward_target=Enter a destination port and/or destination address for the forward.
 quick_edup=An equivalent quick rule for $1 already exists.
 quick_failed=Failed to save and apply quick rule: $1
 index_unapply=Revert Configuration
@@ -172,15 +195,23 @@ index_accept=Accept
 index_drop=Drop
 index_reject=Reject
 index_return_action=Return
+index_redirect=Redirect
+index_dnat=DNAT
+index_redirect_to=Redirect to $1
+index_dnat_to=DNAT to $1
 edit_title_new=Create Rule
 edit_title_edit=Edit Rule
 edit_comment=Comment
 edit_action=Action
 edit_return=Return
+edit_redirect_action=Redirect
+edit_dnat_action=DNAT
 edit_jump_action=Jump
 edit_goto_action=Goto
 edit_jump=Jump target chain
 edit_goto=Goto target chain
+edit_nat_addr=Forward to address
+edit_nat_port=Forward to port
 edit_proto=Protocol
 edit_proto_any=Any
 edit_saddr=Source address
@@ -361,5 +392,9 @@ acl_apply=Apply saved configuration
 acl_bootup=Enable firewall at boot
 acl_import=Import active tables
 acl_clear=Clear active tables
-acl_quick=Use quick allow/block controls
+acl_quick=Use quick controls
+acl_quick_ip=Use quick IP allow/block controls
+acl_quick_port=Use quick allowed port controls
+acl_quick_service=Use quick allowed service controls
+acl_quick_forward=Use quick port forward controls
 acl_manual=Edit config files manually
diff --git a/nftables/manage_forward.cgi b/nftables/manage_forward.cgi
new file mode 100755
index 000000000..e1f1cd42a
--- /dev/null
+++ b/nftables/manage_forward.cgi
@@ -0,0 +1,61 @@
+#!/usr/bin/perl
+# manage_forward.cgi
+# Quickly add a simple port forward in the selected table
+
+require './nftables-lib.pl';    ## no critic
+use strict;
+use warnings;
+our (%in, %text);
+ReadParse();
+assert_quick_acl('forward');
+error_setup($text{'quick_forward_err'});
+
+my @tables = get_nftables_save();
+my $table_idx = $in{'table'};
+my $table;
+if (defined($in{'table_family'}) && defined($in{'table_name'})) {
+	for (my $i = 0 ; $i <= $#tables ; $i++) {
+		if ($tables[$i]->{'family'} eq $in{'table_family'} &&
+			$tables[$i]->{'name'} eq $in{'table_name'})
+		{
+			$table_idx = $i;
+			$table = $tables[$i];
+			last;
+			}
+		}
+	}
+else {
+	$table = $tables[$table_idx];
+	}
+$table || error($text{'quick_etable'});
+assert_table_acl($table);
+
+my $err = add_quick_forward_rule(
+	$table,
+	$in{'src_port'},
+	$in{'proto'},
+	$in{'dst_port'},
+	$in{'dst_addr'}
+);
+error($err) if ($err);
+
+$err = save_table_configuration($table, @tables);
+error(text('quick_failed', $err)) if ($err);
+
+# Quick forwarding is expected to affect the live firewall immediately.
+$err = apply_restore();
+error(text('quick_failed', $err)) if ($err);
+
+webmin_log(
+	"create",
+	"forward",
+	$in{'src_port'},
+	{'table' => $table->{'name'}, 'family' => $table->{'family'}}
+);
+my $redir = "index.cgi?table_family=".
+	    urlize($table->{'family'}).
+	    "&table_name=".
+	    urlize($table->{'name'});
+$redir .= "&view=".urlize($in{'view'})
+	if (($in{'view'} || '') =~ /^(chains|sets)$/);
+redirect($redir);
diff --git a/nftables/manage_ip.cgi b/nftables/manage_ip.cgi
index eb5be4ec8..a63595196 100755
--- a/nftables/manage_ip.cgi
+++ b/nftables/manage_ip.cgi
@@ -7,7 +7,7 @@ use strict;
 use warnings;
 our (%in, %text);
 ReadParse();
-assert_acl('quick');
+assert_quick_acl('ip');
 
 my $action = $in{'allow'} ? 'allow' : $in{'block'} ? 'block' : '';
 error_setup(
@@ -48,7 +48,10 @@ error(text('quick_failed', $err)) if ($err);
 
 webmin_log($action, "ip", $in{'ip'},
 	{'table' => $table->{'name'}, 'family' => $table->{'family'}});
-redirect("index.cgi?table_family=".
+my $redir = "index.cgi?table_family=".
 	    urlize($table->{'family'}).
 	    "&table_name=".
-	    urlize($table->{'name'}));
+	    urlize($table->{'name'});
+$redir .= "&view=".urlize($in{'view'})
+	if (($in{'view'} || '') =~ /^(chains|sets)$/);
+redirect($redir);
diff --git a/nftables/manage_port.cgi b/nftables/manage_port.cgi
new file mode 100755
index 000000000..6192919da
--- /dev/null
+++ b/nftables/manage_port.cgi
@@ -0,0 +1,69 @@
+#!/usr/bin/perl
+# manage_port.cgi
+# Quickly allow a port or service in the selected table
+
+require './nftables-lib.pl';    ## no critic
+use strict;
+use warnings;
+our (%in, %text);
+ReadParse();
+
+my $mode = $in{'mode'} || '';
+assert_quick_acl($mode eq 'service' ? 'service' : 'port');
+error_setup(
+	$mode eq 'service' ? $text{'quick_service_err'} : $text{'quick_port_err'}
+);
+
+my @tables = get_nftables_save();
+my $table_idx = $in{'table'};
+my $table;
+if (defined($in{'table_family'}) && defined($in{'table_name'})) {
+	for (my $i = 0 ; $i <= $#tables ; $i++) {
+		if ($tables[$i]->{'family'} eq $in{'table_family'} &&
+			$tables[$i]->{'name'} eq $in{'table_name'})
+		{
+			$table_idx = $i;
+			$table = $tables[$i];
+			last;
+			}
+		}
+	}
+else {
+	$table = $tables[$table_idx];
+	}
+$table || error($text{'quick_etable'});
+assert_table_acl($table);
+
+my $err;
+my $service = $in{'service'};
+if (!defined($service) || $service eq '') {
+	$service = $in{'service_text'};
+	}
+if ($mode eq 'service') {
+	$err = add_quick_service_rule($table, $service);
+	}
+else {
+	$err = add_quick_port_rule($table, $in{'port'}, $in{'proto'});
+	}
+error($err) if ($err);
+
+$err = save_table_configuration($table, @tables);
+error(text('quick_failed', $err)) if ($err);
+
+# Quick allow actions are expected to affect the live firewall immediately.
+$err = apply_restore();
+error(text('quick_failed', $err)) if ($err);
+
+webmin_log(
+	"allow",
+	$mode eq 'service' ? "service" : "port",
+	$mode eq 'service' ? $service : $in{'port'},
+	{'table' => $table->{'name'}, 'family' => $table->{'family'}}
+);
+my $redir = "index.cgi?table_family=".
+	    urlize($table->{'family'}).
+	    "&table_name=".
+	    urlize($table->{'name'});
+$redir .= "&view=".urlize($in{'view'})
+	if (($in{'view'} || '') =~ /^(chains|sets)$/);
+redirect($redir);
diff --git a/nftables/nftables-lib.pl b/nftables/nftables-lib.pl
index 3e056c832..7f1ea9c82 100644
--- a/nftables/nftables-lib.pl
+++ b/nftables/nftables-lib.pl
@@ -29,6 +29,25 @@ my ($action) = @_;
 check_acl($action) || error(text('acl_ecannot'));
 }
 
+# check_quick_acl([quick-action])
+# Returns true if the current user can use a quick action
+sub check_quick_acl
+{
+my ($action) = @_;
+return 0 if (!check_acl('quick'));
+return 1 if (!$action);
+my $key = "quick_".$action;
+return !defined($access{$key}) || $access{$key} ? 1 : 0;
+}
+
+# assert_quick_acl([quick-action])
+# Fails if the current user cannot use a quick action
+sub assert_quick_acl
+{
+my ($action) = @_;
+check_quick_acl($action) || error(text('acl_ecannot'));
+}
+
 # table_acl_name(&table)
 # Returns the ACL token for a table
 sub table_acl_name
@@ -702,6 +721,244 @@ my ($rule) = @_;
 return if (!$rule || ref($rule) ne 'HASH');
 return 'allow' if (($rule->{'comment'} || '') eq 'Webmin quick allow');
 return 'block' if (($rule->{'comment'} || '') eq 'Webmin quick block');
+return 'port' if (($rule->{'comment'} || '') eq 'Webmin quick port');
+return 'service' if (($rule->{'comment'} || '') =~ /^Webmin quick service\b/);
+return 'forward' if (($rule->{'comment'} || '') eq 'Webmin quick forward');
+return;
+}
+
+# quick_rule_rank(type)
+# Returns the insertion priority for generated quick rules
+sub quick_rule_rank
+{
+my ($type) = @_;
+return 0 if ($type && $type eq 'allow');
+return 1 if ($type && $type eq 'block');
+return 2 if ($type && ($type eq 'port' ||
+		       $type eq 'service' ||
+		       $type eq 'forward'));
+return 9;
+}
+
+# insert_quick_rule(&table, chain, &rule, rank)
+# Inserts a quick rule before normal rules but after lower ranked quick rules
+sub insert_quick_rule
+{
+my ($table, $chain, $rule, $rank) = @_;
+$table->{'rules'} ||= [ ];
+my $insert = scalar(@{$table->{'rules'} || [ ]});
+for (my $i = 0 ; $i < @{$table->{'rules'} || [ ]} ; $i++) {
+	my $r = $table->{'rules'}->[$i];
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	my $rrank = quick_rule_rank(quick_rule_type($r));
+	if ($rrank > $rank) {
+		$insert = $i;
+		last;
+		}
+	}
+splice(@{$table->{'rules'}}, $insert, 0, $rule);
+reindex_table_rules($table);
+return;
+}
+
+# table_supports_quick_l4(&table)
+# Returns an error if quick TCP/UDP rules cannot be added to this table
+sub table_supports_quick_l4
+{
+my ($table) = @_;
+return text('quick_etable') if (!$table || ref($table) ne 'HASH');
+return if (($table->{'family'} || '') =~ /^(inet|ip|ip6)$/);
+return text('quick_efamily', nft_table_spec($table));
+}
+
+# parse_quick_port(port|range)
+# Returns a validated port expression and optional error
+sub parse_quick_port
+{
+my ($port) = @_;
+$port = "" if (!defined($port));
+$port =~ s/^\s+//;
+$port =~ s/\s+$//;
+return (undef, text('quick_eport')) if ($port eq '');
+if ($port =~ /^(\d+)$/) {
+	my $p = $1;
+	return valid_profile_port_number($p)
+	    ? ($p, undef)
+	    : (undef, text('quick_eport'));
+	}
+if ($port =~ /^(\d+)-(\d+)$/) {
+	my ($from, $to) = ($1, $2);
+	return (undef, text('quick_eport'))
+	    if (!valid_profile_port_number($from) ||
+		!valid_profile_port_number($to));
+	return (undef, text('quick_eportrange')) if ($from >= $to);
+	return ("$from-$to", undef);
+	}
+return (undef, text('quick_eport'));
+}
+
+# normalize_quick_proto(proto)
+# Returns a supported transport protocol for quick port operations
+sub normalize_quick_proto
+{
+my ($proto) = @_;
+$proto = lc($proto || '');
+return $proto if ($proto eq 'tcp' || $proto eq 'udp');
+return;
+}
+
+# port_interval(port|range)
+# Returns numeric start and end values for a port expression
+sub port_interval
+{
+my ($port) = @_;
+return ($1, $1) if (defined($port) && $port =~ /^(\d+)$/);
+return ($1, $2) if (defined($port) && $port =~ /^(\d+)-(\d+)$/);
+return;
+}
+
+# port_expr_covers(existing, wanted)
+# Returns true if one port expression covers another
+sub port_expr_covers
+{
+my ($existing, $wanted) = @_;
+return 1 if (defined($existing) && defined($wanted) && $existing eq $wanted);
+my ($es, $ee) = port_interval($existing);
+my ($ws, $we) = port_interval($wanted);
+return defined($es) && defined($ws) && $es <= $ws && $ee >= $we;
+}
+
+# set_contains_port(&set, port|range)
+# Returns true if an inet_service set covers a port expression
+sub set_contains_port
+{
+my ($set, $port) = @_;
+return 0 if (!$set || ref($set) ne 'HASH');
+return 0 if (!$set->{'elements'} || ref($set->{'elements'}) ne 'ARRAY');
+foreach my $e (@{$set->{'elements'}}) {
+	return 1 if (port_expr_covers($e, $port));
+	}
+return 0;
+}
+
+# add_ports_to_set(&set, ports...)
+# Adds ports to an inet_service set and returns true if it changed
+sub add_ports_to_set
+{
+my ($set, @ports) = @_;
+return 0 if (!$set || ref($set) ne 'HASH' || !@ports);
+my @old = $set->{'elements'} && ref($set->{'elements'}) eq 'ARRAY'
+	? @{$set->{'elements'}}
+	: ( );
+my @new = normalize_port_set_elements(@old, @ports);
+return 0 if (join("\0", @old) eq join("\0", @new));
+$set->{'elements'} = \@new;
+if (grep { /-/ } @new) {
+	my $flags = $set->{'flags'} || '';
+	if ($flags !~ /(?:^|[,\s])interval(?:$|[,\s])/) {
+		$set->{'flags'} = $flags ? $flags.", interval" : "interval";
+		}
+	}
+return 1;
+}
+
+# find_accept_port_set(&table, chain, proto)
+# Finds a port set already accepted by an input rule for a protocol
+sub find_accept_port_set
+{
+my ($table, $chain, $proto) = @_;
+return if (!$table || ref($table) ne 'HASH');
+return if (!$table->{'rules'} || ref($table->{'rules'}) ne 'ARRAY');
+foreach my $r (@{$table->{'rules'}}) {
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	next if (($r->{'action'} || '') ne 'accept');
+	next if (($r->{'proto'} || '') ne $proto);
+	my $setname = set_name_from_value($r->{'dport'});
+	next if (!$setname);
+	my $sets = $table->{'sets'} && ref($table->{'sets'}) eq 'HASH'
+		? $table->{'sets'}
+		: {};
+	my $set = $sets->{$setname};
+	next if (!$set || set_type_kind($set->{'type'}) ne 'port');
+	return $setname;
+	}
+return;
+}
+
+# quick_accept_port_covered(&table, chain, proto, port|range)
+# Returns true if an existing accept rule already covers a port
+sub quick_accept_port_covered
+{
+my ($table, $chain, $proto, $port) = @_;
+return 0 if (!$table || ref($table) ne 'HASH');
+foreach my $r (@{$table->{'rules'} || [ ]}) {
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	next if (($r->{'action'} || '') ne 'accept');
+	next if (($r->{'proto'} || '') ne $proto);
+	my $dport = $r->{'dport'};
+	next if (!defined($dport) || $dport eq '');
+	my $setname = set_name_from_value($dport);
+	if ($setname) {
+		my $sets = $table->{'sets'} && ref($table->{'sets'}) eq 'HASH'
+			? $table->{'sets'}
+			: {};
+		return 1
+		    if (set_contains_port($sets->{$setname}, $port));
+		next;
+		}
+	return 1 if (port_expr_covers($dport, $port));
+	}
+return 0;
+}
+
+# add_quick_accept_port(&table, port|range, proto, comment)
+# Adds or merges an accepted destination-port rule. Returns changed and error.
+sub add_quick_accept_port
+{
+my ($table, $port, $proto, $comment) = @_;
+my $err = table_supports_quick_l4($table);
+return (0, $err) if ($err);
+$proto = normalize_quick_proto($proto);
+return (0, text('quick_eproto')) if (!$proto);
+($port, $err) = parse_quick_port($port);
+return (0, $err) if ($err);
+
+my $chain = find_input_chain($table);
+return (0, text('quick_echain', nft_table_spec($table))) if (!$chain);
+
+my $setname = find_accept_port_set($table, $chain, $proto);
+if ($setname) {
+	my $changed = add_ports_to_set($table->{'sets'}->{$setname}, $port);
+	return ($changed, undef);
+	}
+return (0, undef)
+    if (quick_accept_port_covered($table, $chain, $proto, $port));
+
+my $rule = {
+	'chain' => $chain,
+	'proto' => $proto,
+	'dport' => $port,
+	'action' => 'accept',
+	'comment' => $comment || 'Webmin quick port',
+};
+$rule->{'text'} = format_rule_text($rule);
+insert_quick_rule($table, $chain, $rule,
+	quick_rule_rank(quick_rule_type($rule)));
+return (1, undef);
+}
+
+# add_quick_port_rule(&table, port|range, proto)
+# Adds an accepted destination-port quick rule
+sub add_quick_port_rule
+{
+my ($table, $port, $proto) = @_;
+my ($changed, $err) =
+    add_quick_accept_port($table, $port, $proto, 'Webmin quick port');
+return $err if ($err);
+return text('quick_edup', $port) if (!$changed);
 return;
 }
 
@@ -726,7 +983,6 @@ if (($table->{'family'} || '') eq 'ip' && $family ne 'ip' ||
 my $chain = find_input_chain($table);
 return text('quick_echain', nft_table_spec($table)) if (!$chain);
 
-$table->{'rules'} ||= [ ];
 foreach my $r (@{$table->{'rules'} || [ ]}) {
 	next if (!$r || ref($r) ne 'HASH');
 	next if (($r->{'chain'} || '') ne $chain);
@@ -749,31 +1005,642 @@ my $rule = {
 };
 $rule->{'text'} = format_rule_text($rule);
 
-my $insert = scalar(@{$table->{'rules'} || [ ]});
+insert_quick_rule($table, $chain, $rule,
+	$action eq 'allow' ? quick_rule_rank('allow') : quick_rule_rank('block'));
+return;
+}
 
-# Keep quick allow rules first, then quick block rules, then normal input
-# rules. This makes the quick controls predictable regardless of later rules.
-for (my $i = 0 ; $i < @{$table->{'rules'} || [ ]} ; $i++) {
-	my $r = $table->{'rules'}->[$i];
-	next if (!$r || ref($r) ne 'HASH');
-	next if (($r->{'chain'} || '') ne $chain);
-	my $qt = quick_rule_type($r);
-	if ($action eq 'allow') {
-		next if ($qt && $qt eq 'allow');
-		$insert = $i;
-		last;
+# builtin_quick_service_defs()
+# Returns built-in service definitions used when /etc/services is unavailable
+sub builtin_quick_service_defs
+{
+my @defs = (
+	[ 'ssh',      [ [ 'tcp', '22' ] ] ],
+	[ 'http',     [ [ 'tcp', '80' ] ] ],
+	[ 'https',    [ [ 'tcp', '443' ] ] ],
+	[ 'dns',      [ [ 'tcp', '53' ], [ 'udp', '53' ] ], [ 'domain' ] ],
+	[ 'smtp',     [ [ 'tcp', '25' ] ] ],
+	[ 'submission', [ [ 'tcp', '587' ] ], [ 'msa' ] ],
+	[ 'smtps',    [ [ 'tcp', '465' ] ], [ 'submissions' ] ],
+	[ 'imap',     [ [ 'tcp', '143' ] ] ],
+	[ 'imaps',    [ [ 'tcp', '993' ] ] ],
+	[ 'pop3',     [ [ 'tcp', '110' ] ] ],
+	[ 'pop3s',    [ [ 'tcp', '995' ] ] ],
+	[ 'ftp',      [ [ 'tcp', '21' ] ] ],
+	[ 'ntp',      [ [ 'udp', '123' ] ] ],
+);
+my @rv;
+foreach my $d (@defs) {
+	my ($id, $ports, $aliases) = @$d;
+	my $svc = {
+		'id' => $id,
+		'aliases' => $aliases || [ ],
+		'ports' => {},
+		'source_ports' => {},
+		'protocols' => [ ],
+	};
+	foreach my $p (@$ports) {
+		push(@{$svc->{'ports'}->{$p->[0]}}, $p->[1]);
 		}
-	else {
-		next if ($qt && ($qt eq 'allow' || $qt eq 'block'));
-		$insert = $i;
-		last;
+	$svc->{'label'} = quick_service_label($svc);
+	push(@rv, $svc);
+	}
+return @rv;
+}
+
+# read_etc_service_defs([services-file])
+# Returns service definitions from /etc/services canonical names and aliases
+sub read_etc_service_defs
+{
+my ($file) = @_;
+$file ||= "/etc/services";
+my %defs;
+if (open(my $fh, "<", $file)) {
+	while(my $line = <$fh>) {
+		$line =~ s/#.*$//;
+		$line =~ s/^\s+//;
+		$line =~ s/\s+$//;
+		next if ($line eq '');
+		my ($name, $portproto, @aliases) = split(/\s+/, $line);
+		next if (!$name || !$portproto);
+		next if ($name !~ /^[A-Za-z0-9_.+-]+$/);
+		next if ($portproto !~ /^(\d+)\/(tcp|udp)$/i);
+		my ($port, $proto) = ($1, lc($2));
+		next if (!valid_profile_port_number($port));
+		@aliases = grep { /^[A-Za-z0-9_.+-]+$/ } @aliases;
+		$defs{$name} ||= {
+			'id' => $name,
+			'aliases' => [ ],
+			'ports' => {},
+			'source_ports' => {},
+			'protocols' => [ ],
+		};
+		push(@{$defs{$name}->{'ports'}->{$proto}}, $port);
+		push(@{$defs{$name}->{'aliases'}}, @aliases);
+		}
+	close($fh);
+	}
+foreach my $id (keys %defs) {
+	my %aliases_seen;
+	$defs{$id}->{'aliases'} =
+	    [ grep { !$aliases_seen{$_}++ } @{$defs{$id}->{'aliases'}} ];
+	foreach my $proto (keys %{$defs{$id}->{'ports'}}) {
+		my %seen;
+		$defs{$id}->{'ports'}->{$proto} =
+		    [ normalize_port_set_elements(grep { !$seen{$_}++ }
+			    @{$defs{$id}->{'ports'}->{$proto}}) ];
+		}
+	$defs{$id}->{'label'} = quick_service_label($defs{$id});
+	}
+return values %defs;
+}
+
+# setup_quick_service_defs()
+# Returns quick service definitions from the module's dynamic profile services
+sub setup_quick_service_defs
+{
+my @rv;
+foreach my $svc (setup_services()) {
+	my $id = $svc->{'id'};
+	next if (!$id);
+	my $def = {
+		'id' => $id,
+		'ports' => {},
+		'source_ports' => {},
+		'protocols' => [ ],
+		'rules' => [ @{$svc->{'rules'} || [ ]} ],
+	};
+	foreach my $rule (@{$def->{'rules'}}) {
+		if ($rule =~ /^(tcp|udp)\s+dport\s+(\S+)\s+accept$/) {
+			push(@{$def->{'ports'}->{$1}}, $2);
+			}
+		elsif ($rule =~ /^(tcp|udp)\s+sport\s+(\S+)\s+accept$/) {
+			push(@{$def->{'source_ports'}->{$1}}, $2);
+			}
+		}
+	$def->{'label'} = quick_service_label($def);
+	push(@rv, $def);
+	}
+return @rv;
+}
+
+# quick_service_label(&service)
+# Returns a service label with ports and protocols
+sub quick_service_label
+{
+my ($svc) = @_;
+my $name = $svc->{'id'} || "";
+my @details;
+foreach my $kind ('ports', 'source_ports') {
+	my $ports = $svc->{$kind} || {};
+	my %by_ports;
+	foreach my $proto (sort keys %$ports) {
+		my @ports = @{$ports->{$proto} || [ ]};
+		next if (!@ports);
+		push(@{$by_ports{join(", ", @ports)}}, uc($proto));
+		}
+	foreach my $plist (sort port_sort keys %by_ports) {
+		my $prefix = $kind eq 'source_ports' ? text('quick_source_ports')." " : "";
+		push(@details, $prefix.$plist." ".join("/", @{$by_ports{$plist}}));
 		}
 	}
-splice(@{$table->{'rules'}}, $insert, 0, $rule);
-reindex_table_rules($table);
+if ($svc->{'protocols'} && @{$svc->{'protocols'}}) {
+	push(@details, map { uc($_) } @{$svc->{'protocols'}});
+	}
+return @details ? $name." (".join("; ", @details).")" : $name;
+}
+
+# merge_quick_service(&defs, &service)
+# Adds or replaces one quick service definition
+sub merge_quick_service
+{
+my ($defs, $svc) = @_;
+return if (!$defs || !$svc || ref($svc) ne 'HASH' || !$svc->{'id'});
+$defs->{$svc->{'id'}} = $svc;
 return;
 }
 
+# quick_services([services-file])
+# Returns available service definitions for the quick service selector
+sub quick_services
+{
+my ($services_file) = @_;
+my %defs;
+foreach my $svc (builtin_quick_service_defs()) {
+	merge_quick_service(\%defs, $svc);
+	}
+foreach my $svc (read_etc_service_defs($services_file)) {
+	merge_quick_service(\%defs, $svc);
+	}
+foreach my $svc (setup_quick_service_defs()) {
+	merge_quick_service(\%defs, $svc);
+	}
+return sort { lc($a->{'label'}) cmp lc($b->{'label'}) } values %defs;
+}
+
+# service_search_text(&service)
+# Returns searchable service names and aliases
+sub service_search_text
+{
+my ($svc) = @_;
+return lc(join(" ",
+	$svc->{'id'} || "",
+	$svc->{'label'} || "",
+	@{$svc->{'aliases'} || [ ]}
+));
+}
+
+# search_quick_services(query, [limit], [services-file])
+# Returns quick service definitions matching a short search string
+sub search_quick_services
+{
+my ($query, $limit, $services_file) = @_;
+$query = "" if (!defined($query));
+$query =~ s/^\s+//;
+$query =~ s/\s+$//;
+return ( ) if ($query eq "");
+$limit ||= 20;
+$limit = 1 if ($limit < 1);
+$limit = 50 if ($limit > 50);
+my $q = lc($query);
+my @ranked;
+foreach my $svc (&quick_services($services_file)) {
+	my $id = lc($svc->{'id'} || "");
+	my $label = lc($svc->{'label'} || $svc->{'id'} || "");
+	my @aliases = map { lc($_) } @{$svc->{'aliases'} || [ ]};
+	my $search = service_search_text($svc);
+	my $rank;
+	if ($id eq $q) {
+		$rank = 0;
+		}
+	elsif (grep { $_ eq $q } @aliases) {
+		$rank = 1;
+		}
+	elsif ($id =~ /^\Q$q\E/) {
+		$rank = 2;
+		}
+	elsif (grep { /^\Q$q\E/ } @aliases) {
+		$rank = 3;
+		}
+	elsif ($label =~ /^\Q$q\E/) {
+		$rank = 4;
+		}
+	elsif ($id =~ /\Q$q\E/) {
+		$rank = 5;
+		}
+	elsif ($search =~ /\Q$q\E/) {
+		$rank = 6;
+		}
+	else {
+		next;
+		}
+	push(@ranked, [ $rank, $label, $svc ]);
+	}
+@ranked = sort { $a->[0] <=> $b->[0] || $a->[1] cmp $b->[1] } @ranked;
+my @rv;
+foreach my $r (@ranked) {
+	push(@rv, $r->[2]);
+	last if (@rv >= $limit);
+	}
+return @rv;
+}
+
+# quick_service_by_id(service-id, [services-file])
+# Returns a quick service definition by ID
+sub quick_service_by_id
+{
+my ($id, $services_file) = @_;
+$id = "" if (!defined($id));
+$id =~ s/^\s+//;
+$id =~ s/\s+$//;
+return if ($id !~ /^[A-Za-z0-9_.+-]+$/);
+foreach my $svc (quick_services($services_file)) {
+	return $svc if ($svc->{'id'} eq $id);
+	foreach my $alias (@{$svc->{'aliases'} || [ ]}) {
+		return $svc if ($alias eq $id);
+		}
+	}
+return;
+}
+
+# quick_service_rules(&service)
+# Returns nftables accept rule texts for a quick service definition
+sub quick_service_rules
+{
+my ($svc) = @_;
+return if (!$svc || ref($svc) ne 'HASH');
+return @{$svc->{'rules'}} if ($svc->{'rules'} && @{$svc->{'rules'}});
+my @rules;
+foreach my $proto (sort keys %{$svc->{'ports'} || {}}) {
+	foreach my $port (@{$svc->{'ports'}->{$proto} || [ ]}) {
+		push(@rules, "$proto dport $port accept");
+		}
+	}
+foreach my $proto (sort keys %{$svc->{'source_ports'} || {}}) {
+	foreach my $port (@{$svc->{'source_ports'}->{$proto} || [ ]}) {
+		push(@rules, "$proto sport $port accept");
+		}
+	}
+foreach my $proto (@{$svc->{'protocols'} || [ ]}) {
+	push(@rules, "meta l4proto $proto accept");
+	}
+return @rules;
+}
+
+# quick_rule_text_compatible(&table, rule-text)
+# Returns true if a rule text does not conflict with the table family
+sub quick_rule_text_compatible
+{
+my ($table, $text) = @_;
+my $family = $table->{'family'} || '';
+return 0 if ($family eq 'ip' && $text =~ /(?:^|\s)ip6\s/);
+return 0 if ($family eq 'ip6' && $text =~ /(?:^|\s)ip\s/);
+return 1;
+}
+
+# quick_add_raw_input_rule(&table, chain, rule-text, comment)
+# Adds a raw quick input rule if it does not already exist
+sub quick_add_raw_input_rule
+{
+my ($table, $chain, $text, $comment) = @_;
+$text =~ s/^\s+//;
+$text =~ s/\s+$//;
+return 0 if ($text eq '');
+return 0 if (!quick_rule_text_compatible($table, $text));
+my $out = quick_rule_with_comment($text, $comment);
+foreach my $r (@{$table->{'rules'} || [ ]}) {
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	return 0 if (($r->{'text'} || '') eq $out || ($r->{'text'} || '') eq $text);
+	}
+my $rule = parse_rule_text($out);
+$rule->{'chain'} = $chain;
+$rule->{'text'} = $out;
+insert_quick_rule($table, $chain, $rule,
+	quick_rule_rank(quick_rule_type($rule)));
+return 1;
+}
+
+# quick_rule_with_comment(rule-text, comment)
+# Appends a comment to a rule text if it does not already have one
+sub quick_rule_with_comment
+{
+my ($text, $comment) = @_;
+return $text if ($text =~ /(?:^|\s)comment\s+/);
+my $c = escape_nft_string($comment || "");
+return $c ne "" ? $text." comment \"".$c."\"" : $text;
+}
+
+# add_quick_service_rule(&table, service-id)
+# Adds accept rules for a known service to the table's input chain
+sub add_quick_service_rule
+{
+my ($table, $service_id) = @_;
+my $err = table_supports_quick_l4($table);
+return $err if ($err);
+my $chain = find_input_chain($table);
+return text('quick_echain', nft_table_spec($table)) if (!$chain);
+my $svc = quick_service_by_id($service_id);
+return text('quick_eservice') if (!$svc);
+my @rules = quick_service_rules($svc);
+return text('quick_eservice_empty', $service_id) if (!@rules);
+
+my $changed = 0;
+my $comment = "Webmin quick service: ".$svc->{'id'};
+foreach my $text (@rules) {
+	if ($text =~ /^(tcp|udp)\s+dport\s+(\S+)\s+accept$/) {
+		my ($ok, $perr) =
+		    add_quick_accept_port($table, $2, $1, $comment);
+		return $perr if ($perr);
+		$changed ||= $ok;
+		}
+	else {
+		my $ok = quick_add_raw_input_rule(
+			$table, $chain, $text, $comment);
+		$changed ||= $ok;
+		}
+	}
+return $changed ? undef : text('quick_edup', $svc->{'label'});
+}
+
+# parse_quick_forward_addr(address, &table)
+# Validates a port-forward destination address
+sub parse_quick_forward_addr
+{
+my ($addr, $table) = @_;
+$addr = "" if (!defined($addr));
+$addr =~ s/^\s+//;
+$addr =~ s/\s+$//;
+return (undef, undef, undef) if ($addr eq '');
+return (undef, undef, text('quick_eforward_addr')) if ($addr =~ m{/});
+my $family;
+if (check_ipaddress($addr)) {
+	$family = 'ip';
+	}
+elsif (check_ip6address($addr)) {
+	$family = 'ip6';
+	}
+else {
+	return (undef, undef, text('quick_eforward_addr'));
+	}
+if (($table->{'family'} || '') eq 'ip' && $family ne 'ip' ||
+    ($table->{'family'} || '') eq 'ip6' && $family ne 'ip6') {
+	return (undef, undef,
+		text('quick_eforward_family', nft_table_spec($table)));
+	}
+return ($addr, $family, undef);
+}
+
+# find_base_chain(&table, hook, [type])
+# Finds the best base chain for a hook and optional type
+sub find_base_chain
+{
+my ($table, $hook, $type) = @_;
+return if (!$table || !$table->{'chains'} || ref($table->{'chains'}) ne 'HASH');
+foreach my $name (sort keys %{$table->{'chains'}}) {
+	my $chain = $table->{'chains'}->{$name} || {};
+	next if (($chain->{'hook'} || '') ne $hook);
+	next if (defined($type) && ($chain->{'type'} || '') ne $type);
+	return $name if ($name eq $hook);
+	}
+foreach my $name (sort keys %{$table->{'chains'}}) {
+	my $chain = $table->{'chains'}->{$name} || {};
+	next if (($chain->{'hook'} || '') ne $hook);
+	next if (defined($type) && ($chain->{'type'} || '') ne $type);
+	return $name;
+	}
+return;
+}
+
+# unique_chain_name(&table, base-name)
+# Returns an unused chain name in a table
+sub unique_chain_name
+{
+my ($table, $base) = @_;
+$base ||= "chain";
+my $name = $base;
+my $i = 1;
+while ($table->{'chains'}->{$name}) {
+	$name = $base."_".$i++;
+	}
+return $name;
+}
+
+# ensure_prerouting_nat_chain(&table)
+# Finds or creates a NAT prerouting chain for quick port forwards
+sub ensure_prerouting_nat_chain
+{
+my ($table) = @_;
+my $chain = find_base_chain($table, 'prerouting', 'nat');
+return $chain if ($chain);
+my $base = $table->{'chains'}->{'prerouting'} ? 'prerouting_nat' : 'prerouting';
+$chain = unique_chain_name($table, $base);
+$table->{'chains'}->{$chain} = {
+	'type' => 'nat',
+	'hook' => 'prerouting',
+	'priority' => '-100',
+	'policy' => 'accept',
+};
+return $chain;
+}
+
+# quick_text_rule_exists(&table, chain, rule-text)
+# Returns true if exact rule text already exists in a chain
+sub quick_text_rule_exists
+{
+my ($table, $chain, $text) = @_;
+foreach my $r (@{$table->{'rules'} || [ ]}) {
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	return 1 if (($r->{'text'} || '') eq $text);
+	}
+return 0;
+}
+
+# format_forward_target(&table, addr, addr-family, port)
+# Formats the dnat or redirect statement for a quick port forward
+sub format_forward_target
+{
+my ($table, $addr, $addr_family, $port) = @_;
+if ($addr) {
+	my $target = format_nat_target($addr, $port);
+	my $stmt = "dnat ";
+	$stmt .= $addr_family." " if (($table->{'family'} || '') eq 'inet');
+	return $stmt."to ".$target;
+	}
+return "redirect to :".$port;
+}
+
+# parse_nat_target(target)
+# Splits a redirect/dnat target into address and port parts
+sub parse_nat_target
+{
+my ($target) = @_;
+return (undef, undef) if (!defined($target) || $target eq '');
+return (undef, $1) if ($target =~ /^:(.+)$/);
+return ($1, $2) if ($target =~ /^\[([^\]]+)\]:(.+)$/);
+return ($1, $2) if ($target =~ /^([^:]+):([^:]+)$/);
+return ($target, undef);
+}
+
+# format_nat_target(address, port)
+# Formats a redirect/dnat target from address and port parts
+sub format_nat_target
+{
+my ($addr, $port) = @_;
+$addr = undef if (defined($addr) && $addr eq '');
+$port = undef if (defined($port) && $port eq '');
+if (defined($addr)) {
+	my $target = $addr;
+	if (defined($port)) {
+		$target = $addr =~ /:/ ? "[".$addr."]:".$port : $addr.":".$port;
+		}
+	return $target;
+	}
+return defined($port) ? ":".$port : "";
+}
+
+# format_nat_expr(&rule)
+# Formats a redirect or dnat expression from a structured rule
+sub format_nat_expr
+{
+my ($rule) = @_;
+my $action = $rule->{'action'} || '';
+return if ($action !~ /^(redirect|dnat)$/);
+my $target = format_nat_target($rule->{'nat_addr'}, $rule->{'nat_port'});
+my $out = $action;
+if ($action eq 'dnat' && $rule->{'nat_family'}) {
+	$out .= " ".$rule->{'nat_family'};
+	}
+$out .= " to ".$target if ($target ne '');
+return $out;
+}
+
+# quick_forward_has_established(&table, chain)
+# Returns true if a forward chain already accepts established traffic
+sub quick_forward_has_established
+{
+my ($table, $chain) = @_;
+foreach my $r (@{$table->{'rules'} || [ ]}) {
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	next if (($r->{'action'} || '') ne 'accept');
+	return 1 if (($r->{'ct_state'} || '') =~ /\bestablished\b/);
+	}
+return 0;
+}
+
+# quick_forward_accept_covered(&table, chain, proto, port, addr)
+# Returns true if a forward accept rule already covers a DNAT destination
+sub quick_forward_accept_covered
+{
+my ($table, $chain, $proto, $port, $addr) = @_;
+foreach my $r (@{$table->{'rules'} || [ ]}) {
+	next if (!$r || ref($r) ne 'HASH');
+	next if (($r->{'chain'} || '') ne $chain);
+	next if (($r->{'action'} || '') ne 'accept');
+	next if (($r->{'proto'} || '') ne $proto);
+	next if (($r->{'daddr'} || '') ne $addr);
+	return 1 if (port_expr_covers($r->{'dport'}, $port));
+	}
+return 0;
+}
+
+# add_quick_forward_filter(&table, proto, port, addr, addr-family)
+# Adds matching forward-chain accepts for remote DNAT destinations
+sub add_quick_forward_filter
+{
+my ($table, $proto, $port, $addr, $addr_family) = @_;
+my $chain = find_base_chain($table, 'forward', 'filter');
+$chain ||= find_base_chain($table, 'forward');
+return 0 if (!$chain);
+my $changed = 0;
+if (!quick_forward_has_established($table, $chain)) {
+	my $est = {
+		'chain' => $chain,
+		'ct_state' => 'established,related',
+		'action' => 'accept',
+		'comment' => 'Webmin quick forward',
+	};
+	$est->{'text'} = format_rule_text($est);
+	insert_quick_rule($table, $chain, $est,
+		quick_rule_rank(quick_rule_type($est)));
+	$changed = 1;
+	}
+if (!quick_forward_accept_covered($table, $chain, $proto, $port, $addr)) {
+	my $rule = {
+		'chain' => $chain,
+		'daddr' => $addr,
+		'daddr_family' => $addr_family,
+		'proto' => $proto,
+		'dport' => $port,
+		'action' => 'accept',
+		'comment' => 'Webmin quick forward',
+	};
+	$rule->{'text'} = format_rule_text($rule);
+	insert_quick_rule($table, $chain, $rule,
+		quick_rule_rank(quick_rule_type($rule)));
+	$changed = 1;
+	}
+return $changed;
+}
+
+# add_quick_forward_rule(&table, src-port, proto, dst-port, dst-addr)
+# Adds a simple port forward to the selected table
+sub add_quick_forward_rule
+{
+my ($table, $src_port, $proto, $dst_port, $dst_addr) = @_;
+my $err = table_supports_quick_l4($table);
+return $err if ($err);
+$proto = normalize_quick_proto($proto);
+return text('quick_eproto') if (!$proto);
+($src_port, $err) = parse_quick_port($src_port);
+return $err if ($err);
+$dst_port = "" if (!defined($dst_port));
+$dst_port =~ s/^\s+//;
+$dst_port =~ s/\s+$//;
+if ($dst_port ne "") {
+	($dst_port, $err) = parse_quick_port($dst_port);
+	return $err if ($err);
+	}
+else {
+	$dst_port = undef;
+	}
+my ($addr, $addr_family, $addr_err) =
+    parse_quick_forward_addr($dst_addr, $table);
+return $addr_err if ($addr_err);
+return text('quick_eforward_target') if (!$addr && !$dst_port);
+
+my $chain = ensure_prerouting_nat_chain($table);
+my $target = format_forward_target($table, $addr, $addr_family, $dst_port);
+my $rule_text = "$proto dport $src_port $target";
+$rule_text = quick_rule_with_comment($rule_text, 'Webmin quick forward');
+my $changed = 0;
+if (!quick_text_rule_exists($table, $chain, $rule_text)) {
+	my $rule = parse_rule_text($rule_text);
+	$rule->{'chain'} = $chain;
+	$rule->{'text'} = $rule_text;
+	insert_quick_rule($table, $chain, $rule,
+		quick_rule_rank(quick_rule_type($rule)));
+	$changed = 1;
+	}
+
+my $filter_port = $dst_port || $src_port;
+if ($addr) {
+	my $ok = add_quick_forward_filter(
+		$table, $proto, $filter_port, $addr, $addr_family);
+	$changed ||= $ok;
+	}
+else {
+	my ($ok, $perr) =
+	    add_quick_accept_port($table, $filter_port, $proto,
+		'Webmin quick forward');
+	return $perr if ($perr);
+	$changed ||= $ok;
+	}
+return $changed ? undef : text('quick_edup', $src_port);
+}
+
 # move_rule_in_chain(&table, chain, index, direction)
 # Moves one rule within its chain and returns true if changed
 sub move_rule_in_chain
@@ -1095,6 +1962,32 @@ while ($i < @tokens) {
 		$i++;
 		next;
 		}
+	if ($tok =~ /^(redirect|dnat)$/) {
+		my $action = $tok;
+		my $j = $i + 1;
+		my @nt = ($tok);
+		if ($action eq 'dnat' && $j < @tokens &&
+		    ($tokens[$j] eq 'ip' || $tokens[$j] eq 'ip6')) {
+			$rule{'nat_family'} = $tokens[$j];
+			push(@nt, $tokens[$j]);
+			$j++;
+			}
+		if ($j < @tokens && $tokens[$j] eq 'to') {
+			push(@nt, $tokens[$j]);
+			$j++;
+			if ($j < @tokens) {
+				my ($addr, $port) = parse_nat_target($tokens[$j]);
+				$rule{'nat_addr'} = $addr if (defined($addr));
+				$rule{'nat_port'} = $port if (defined($port));
+				push(@nt, $tokens[$j]);
+				$j++;
+				}
+			}
+		$rule{'action'} = $action;
+		push(@exprs, {'type' => 'nat', 'text' => join(" ", @nt)});
+		$i = $j;
+		next;
+		}
 	if ($tok =~ /^(accept|drop|reject|return)$/) {
 		$rule{'action'} = $tok;
 		push(@exprs, {'type' => 'action', 'text' => $tok});
@@ -1261,6 +2154,16 @@ if ($exprs && ref($exprs) eq 'ARRAY' && @$exprs) {
 				}
 			next;
 			}
+		if ($type eq 'nat') {
+			if (!$used{'nat'}) {
+				my $nat = format_nat_expr($rule);
+				if ($nat) {
+					push(@parts, $nat);
+					$used{'nat'} = 1;
+					}
+				}
+			next;
+			}
 		if ($type eq 'jump') {
 			if (!$used{'jump'} && $rule->{'jump'}) {
 				push(@parts, "jump ".$rule->{'jump'});
@@ -1338,7 +2241,12 @@ if (!$used{'jump'} && $rule->{'jump'}) {
 if (!$used{'goto'} && $rule->{'goto'}) {
 	push(@parts, "goto ".$rule->{'goto'});
 	}
-if ($rule->{'action'} && !$rule->{'jump'} && !$rule->{'goto'}) {
+if (!$used{'nat'}) {
+	my $nat = format_nat_expr($rule);
+	push(@parts, $nat) if ($nat);
+	}
+if ($rule->{'action'} && !$rule->{'jump'} && !$rule->{'goto'} &&
+    $rule->{'action'} !~ /^(redirect|dnat)$/) {
 	push(@parts, $rule->{'action'});
 	}
 if (defined($rule->{'comment'}) && $rule->{'comment'} ne '') {
@@ -3101,6 +4009,18 @@ elsif ($r->{'action'}) {
 	if ($r->{'action'} eq 'return') {
 		$action_label = text('index_return_action');
 		}
+	elsif ($r->{'action'} eq 'redirect') {
+		my $target = format_nat_target($r->{'nat_addr'}, $r->{'nat_port'});
+		$action_label = $target ne '' ?
+			text('index_redirect_to', html_escape($target)) :
+			text('index_redirect');
+		}
+	elsif ($r->{'action'} eq 'dnat') {
+		my $target = format_nat_target($r->{'nat_addr'}, $r->{'nat_port'});
+		$action_label = $target ne '' ?
+			text('index_dnat_to', html_escape($target)) :
+			text('index_dnat');
+		}
 	else {
 		$action_label = text('index_'.lc($r->{'action'}));
 		}
diff --git a/nftables/save_rule.cgi b/nftables/save_rule.cgi
index 82afcd570..6b2fd78d0 100755
--- a/nftables/save_rule.cgi
+++ b/nftables/save_rule.cgi
@@ -81,6 +81,9 @@ else {
 		$rule->{'action'} = undef;
 		$rule->{'jump'} = undef;
 		$rule->{'goto'} = undef;
+		$rule->{'nat_addr'} = undef;
+		$rule->{'nat_port'} = undef;
+		$rule->{'nat_family'} = undef;
 		if ($action eq 'jump') {
 			$rule->{'jump'} = $in{'jump'};
 			}
@@ -90,6 +93,29 @@ else {
 		else {
 			$rule->{'action'} = $action;
 			}
+		if ($action eq 'redirect') {
+			my $nat_port = $in{'nat_port'};
+			$nat_port =~ s/^\s+// if (defined($nat_port));
+			$nat_port =~ s/\s+$// if (defined($nat_port));
+			$rule->{'nat_port'} =
+			    (defined($nat_port) && $nat_port ne '') ? $nat_port : undef;
+			}
+		elsif ($action eq 'dnat') {
+			my $nat_addr = $in{'nat_addr'};
+			my $nat_port = $in{'nat_port'};
+			$nat_addr =~ s/^\s+// if (defined($nat_addr));
+			$nat_addr =~ s/\s+$// if (defined($nat_addr));
+			$nat_port =~ s/^\s+// if (defined($nat_port));
+			$nat_port =~ s/\s+$// if (defined($nat_port));
+			$rule->{'nat_addr'} =
+			    (defined($nat_addr) && $nat_addr ne '') ? $nat_addr : undef;
+			$rule->{'nat_port'} =
+			    (defined($nat_port) && $nat_port ne '') ? $nat_port : undef;
+			$rule->{'nat_family'} =
+			    $rule->{'nat_addr'} &&
+			    (($table->{'family'} || '') eq 'inet') ?
+			    guess_addr_family($rule->{'nat_addr'}) : undef;
+			}
 
 		my $saddr = $in{'saddr'};
 		my $daddr = $in{'daddr'};
diff --git a/nftables/search_services.cgi b/nftables/search_services.cgi
new file mode 100755
index 000000000..0f7433f22
--- /dev/null
+++ b/nftables/search_services.cgi
@@ -0,0 +1,22 @@
+#!/usr/bin/perl
+# search_services.cgi
+# Return matching quick service definitions for the autocomplete widget
+
+require './nftables-lib.pl';    ## no critic
+use strict;
+use warnings;
+our (%in);
+ReadParse();
+assert_quick_acl('service');
+
+my $limit = $in{'limit'} || 20;
+$limit = 20 if ($limit !~ /^\d+$/);
+my @services = search_quick_services($in{'q'}, $limit);
+my @results = map {
+	{
+		'id' => $_->{'id'},
+		'label' => $_->{'label'} || $_->{'id'},
+	}
+} @services;
+
+print_json(\@results);
diff --git a/nftables/t/rulesets/basic.nft b/nftables/t/rulesets/basic.nft
deleted file mode 100644
index 2d43483b6..000000000
--- a/nftables/t/rulesets/basic.nft
+++ /dev/null
@@ -1,8 +0,0 @@
-table inet filter {
-    chain input {
-        type filter hook input priority 0; policy drop;
-        iif "lo" accept
-        ip saddr 192.168.1.0/24 tcp dport 22 accept comment "ssh"
-        ct state established,related accept
-    }
-}
diff --git a/nftables/t/rulesets/firewalld-priority.nft b/nftables/t/rulesets/firewalld-priority.nft
deleted file mode 100644
index e07b9d902..000000000
--- a/nftables/t/rulesets/firewalld-priority.nft
+++ /dev/null
@@ -1,8 +0,0 @@
-table inet firewalld {
-    flags owner,persist
-
-    chain filter_INPUT {
-        type filter hook input priority filter + 10; policy accept;
-        ct state { established, related } accept
-    }
-}
diff --git a/nftables/t/rulesets/sets.nft b/nftables/t/rulesets/sets.nft
deleted file mode 100644
index 16c6c0572..000000000
--- a/nftables/t/rulesets/sets.nft
+++ /dev/null
@@ -1,18 +0,0 @@
-table inet filter {
-    set trusted_v4 {
-        type ipv4_addr;
-        flags interval;
-        elements = { 192.168.1.0/24, 10.0.0.1 }
-    }
-    set web_ports {
-        type inet_service;
-        elements = {
-            80,
-            443
-        }
-    }
-    chain input {
-        type filter hook input priority 0; policy drop;
-        ip saddr @trusted_v4 tcp dport @web_ports accept
-    }
-}
diff --git a/nftables/t/run-tests.t b/nftables/t/run-tests.t
index 6bb0b52b7..90456d85c 100755
--- a/nftables/t/run-tests.t
+++ b/nftables/t/run-tests.t
@@ -40,6 +40,18 @@ $ENV{'FOREIGN_ROOT_DIRECTORY'} = $rootdir;
 chdir("$bindir/..") or die "chdir: $!";
 
 require "$bindir/../nftables-lib.pl";
+our %access;
+
+{
+    local %access = (quick => 1);
+    ok(check_quick_acl('forward'), 'quick sub-acl defaults to allowed');
+    $access{quick_forward} = 0;
+    ok(!check_quick_acl('forward'), 'quick sub-acl can deny one action');
+    $access{quick_forward} = 1;
+    ok(check_quick_acl('forward'), 'quick sub-acl can allow one action');
+    $access{quick} = 0;
+    ok(!check_quick_acl('forward'), 'quick master acl denies sub-actions');
+}
 
 my $services_file = "$confdir/services";
 open(my $sfh, ">", $services_file) or die "services: $!";
@@ -71,6 +83,16 @@ sub check_fields
     }
 }
 
+sub write_ruleset
+{
+    my ($dir, $name, $content) = @_;
+    my $file = "$dir/$name";
+    open(my $fh, ">", $file) or die "$name: $!";
+    print $fh $content;
+    close($fh);
+    return $file;
+}
+
 my @cases = (
     {
         name => 'tcp dport accept',
@@ -117,6 +139,30 @@ my @cases = (
         expect => { proto => 'tcp', dport => '22', action => 'accept' },
         preserve => 'meta skgid 1000',
     },
+    {
+        name => 'redirect target',
+        line => 'tcp dport 2023 redirect to :20022 comment "Webmin quick forward"',
+        expect => {
+            proto => 'tcp',
+            dport => '2023',
+            action => 'redirect',
+            nat_port => '20022',
+            comment => 'Webmin quick forward',
+        },
+    },
+    {
+        name => 'dnat target',
+        line => 'tcp dport 8080 dnat ip to 192.0.2.10:80 comment "Webmin quick forward"',
+        expect => {
+            proto => 'tcp',
+            dport => '8080',
+            action => 'dnat',
+            nat_family => 'ip',
+            nat_addr => '192.0.2.10',
+            nat_port => '80',
+            comment => 'Webmin quick forward',
+        },
+    },
 );
 
 foreach my $c (@cases) {
@@ -134,7 +180,28 @@ foreach my $c (@cases) {
     check_fields($c->{name}.' roundtrip', $r2, $c->{expect});
 }
 
-my $ruleset = "$bindir/rulesets/basic.nft";
+my $redirect_desc = describe_rule(parse_rule_text(
+    'tcp dport 2026 redirect to :20026 comment "Webmin quick forward"'));
+like($redirect_desc, qr/Redirect.*:20026.*Destination port 2026/,
+     'redirect rule summary includes target port');
+my $dnat_desc = describe_rule(parse_rule_text(
+    'tcp dport 2024 dnat ip to 10.211.55.21:20024 comment "Webmin quick forward"'));
+like($dnat_desc, qr/DNAT.*10\.211\.55\.21:20024.*Destination port 2024/,
+     'dnat rule summary includes target address and port');
+is(format_forward_target({ family => 'ip' }, '10.211.55.21', 'ip', '20024'),
+   'dnat to 10.211.55.21:20024',
+   'ip quick forward omits inet-only dnat family');
+
+my $ruleset = write_ruleset($confdir, "basic.nft", <<'EOF');
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        iif "lo" accept
+        ip saddr 192.168.1.0/24 tcp dport 22 accept comment "ssh"
+        ct state established,related accept
+    }
+}
+EOF
 my @tables = get_nftables_save($ruleset);
 ok(@tables == 1, 'ruleset table count');
 my $t = $tables[0];
@@ -147,32 +214,63 @@ is($chain->{hook}, 'input', 'chain hook');
 is($chain->{priority}, '0', 'chain priority');
 is($chain->{policy}, 'drop', 'chain policy');
 
-my $ruleset_prio = "$bindir/rulesets/firewalld-priority.nft";
+my $ruleset_prio = write_ruleset($confdir, "externally-managed-priority.nft", <<'EOF');
+table inet externally_managed {
+    flags owner,persist
+
+    chain managed_INPUT {
+        type filter hook input priority filter + 10; policy accept;
+        ct state { established, related } accept
+    }
+}
+EOF
 my @tables_prio = get_nftables_save($ruleset_prio);
-ok(@tables_prio == 1, 'firewalld priority table count');
-is($tables_prio[0]->{flags}, 'owner,persist', 'firewalld table flags');
-ok(table_is_externally_managed($tables_prio[0]), 'firewalld table is externally managed');
+ok(@tables_prio == 1, 'externally managed priority table count');
+is($tables_prio[0]->{flags}, 'owner,persist', 'externally managed table flags');
+ok(table_is_externally_managed($tables_prio[0]),
+   'table with owner,persist flags is externally managed');
 is(active_table_status($tables_prio[0], []), 'external',
    'external active table status');
 is(active_table_status({ family => 'inet', name => 'filter' }, [ $t ]), 'webmin',
    'saved active table status');
 is(active_table_status({ family => 'inet', name => 'loose' }, []), 'unclaimed',
    'unclaimed active table status');
-my $fw_chain = $tables_prio[0]->{chains}->{filter_INPUT};
-ok($fw_chain, 'firewalld priority chain present');
-is($fw_chain->{type}, 'filter', 'firewalld priority chain type');
-is($fw_chain->{hook}, 'input', 'firewalld priority chain hook');
-is($fw_chain->{priority}, 'filter + 10', 'firewalld priority chain priority');
-is($fw_chain->{policy}, 'accept', 'firewalld priority chain policy');
+my $managed_chain = $tables_prio[0]->{chains}->{managed_INPUT};
+ok($managed_chain, 'externally managed priority chain present');
+is($managed_chain->{type}, 'filter', 'externally managed priority chain type');
+is($managed_chain->{hook}, 'input', 'externally managed priority chain hook');
+is($managed_chain->{priority}, 'filter + 10',
+   'externally managed symbolic priority preserved');
+is($managed_chain->{policy}, 'accept',
+   'externally managed priority chain policy');
 is(scalar @{$tables_prio[0]->{rules}}, 1,
-   'firewalld priority chain definition is not parsed as a rule');
+   'externally managed chain definition is not parsed as a rule');
 
 my @rules = @{$t->{rules}};
 check_fields('ruleset r1', $rules[0], { iif => 'lo', action => 'accept' });
 check_fields('ruleset r2', $rules[1], { saddr => '192.168.1.0/24', proto => 'tcp', dport => '22', action => 'accept', comment => 'ssh' });
 check_fields('ruleset r3', $rules[2], { ct_state => 'established,related', action => 'accept' });
 
-my $ruleset_sets = "$bindir/rulesets/sets.nft";
+my $ruleset_sets = write_ruleset($confdir, "sets.nft", <<'EOF');
+table inet filter {
+    set trusted_v4 {
+        type ipv4_addr;
+        flags interval;
+        elements = { 192.168.1.0/24, 10.0.0.1 }
+    }
+    set web_ports {
+        type inet_service;
+        elements = {
+            80,
+            443
+        }
+    }
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ip saddr @trusted_v4 tcp dport @web_ports accept
+    }
+}
+EOF
 my @tables_sets = get_nftables_save($ruleset_sets);
 ok(@tables_sets == 1, 'sets ruleset table count');
 my $ts = $tables_sets[0];
@@ -257,6 +355,112 @@ my $quick_ip_table = {
 like(add_quick_ip_rule($quick_ip_table, '2001:db8::1/64', 'allow'),
      qr/cannot contain/, 'wrong address family rejected');
 
+my $quick_port_table = {
+    family => 'inet',
+    name => 'quickports',
+    chains => {
+        input => { hook => 'input' },
+    },
+    sets => {
+        allowed_tcp => {
+            name => 'allowed_tcp',
+            type => 'inet_service',
+            elements => [ '22' ],
+            raw_lines => [ ],
+        },
+    },
+    rules => [
+        {
+            chain => 'input',
+            index => 0,
+            proto => 'tcp',
+            dport => '@allowed_tcp',
+            action => 'accept',
+            text => 'tcp dport @allowed_tcp accept',
+        },
+    ],
+};
+is(add_quick_port_rule($quick_port_table, '8443', 'tcp'), undef,
+   'quick port added to accepted set');
+is_deeply($quick_port_table->{sets}->{allowed_tcp}->{elements},
+          [ '22', '8443' ], 'quick port set extended');
+like(add_quick_port_rule($quick_port_table, '8443', 'tcp'), qr/exists/,
+     'duplicate quick port rejected');
+
+my ($customsvc) = grep { $_->{id} eq 'customsvc' }
+                  read_etc_service_defs($services_file);
+ok($customsvc, '/etc/services service parsed');
+is($customsvc->{id}, 'customsvc', '/etc/services service id');
+like($customsvc->{label}, qr/customsvc \(4242 TCP; 4243 UDP\)/,
+     '/etc/services service label includes ports and protocol');
+is_deeply([ sort { $a cmp $b } quick_service_rules($customsvc) ],
+          [ 'tcp dport 4242 accept',
+            'udp dport 4243 accept' ],
+          '/etc/services service rules generated');
+my @service_matches = search_quick_services('customsvc', 5, $services_file);
+ok(@service_matches, 'quick service search returns matches');
+is($service_matches[0]->{id}, 'customsvc',
+   'quick service search ranks exact service IDs first');
+my @alias_service_matches = search_quick_services('custom-alias', 5, $services_file);
+is($alias_service_matches[0]->{id}, 'customsvc',
+   'quick service search matches /etc/services aliases');
+is(quick_service_by_id('custom-alias', $services_file)->{id}, 'customsvc',
+   'quick service lookup accepts /etc/services aliases');
+my @empty_service_matches = search_quick_services('', 5, $services_file);
+is(scalar(@empty_service_matches), 0,
+   'empty quick service search returns no matches');
+
+my $forward_table = {
+    family => 'inet',
+    name => 'forward',
+    chains => {
+        input => { type => 'filter', hook => 'input', priority => 0, policy => 'drop' },
+        forward => { type => 'filter', hook => 'forward', priority => 0, policy => 'drop' },
+    },
+    sets => {},
+    rules => [],
+};
+is(add_quick_forward_rule($forward_table, '8080', 'tcp', '80', '192.0.2.10'), undef,
+   'quick forward added');
+ok($forward_table->{chains}->{prerouting}, 'quick forward created prerouting chain');
+is($forward_table->{chains}->{prerouting}->{type}, 'nat',
+   'quick forward prerouting chain is nat');
+ok(scalar(grep {
+        $_->{chain} eq 'prerouting' &&
+        $_->{text} eq 'tcp dport 8080 dnat ip to 192.0.2.10:80 comment "Webmin quick forward"'
+    } @{$forward_table->{rules}}),
+   'quick forward DNAT rule added');
+ok(scalar(grep {
+        $_->{chain} eq 'forward' &&
+        $_->{text} eq 'ct state established,related accept comment "Webmin quick forward"'
+    } @{$forward_table->{rules}}),
+   'quick forward established rule added');
+ok(scalar(grep {
+        $_->{chain} eq 'forward' &&
+        $_->{text} eq 'ip daddr 192.0.2.10 tcp dport 80 accept comment "Webmin quick forward"'
+    } @{$forward_table->{rules}}),
+   'quick forward destination accept added');
+
+my $redirect_table = {
+    family => 'inet',
+    name => 'redirect',
+    chains => {
+        input => { type => 'filter', hook => 'input', priority => 0, policy => 'drop' },
+        forward => { type => 'filter', hook => 'forward', priority => 0, policy => 'drop' },
+    },
+    sets => {},
+    rules => [],
+};
+is(add_quick_forward_rule($redirect_table, '2023', 'tcp', '20022', ''), undef,
+   'quick local redirect added');
+my ($redirect_rule) = grep {
+        $_->{chain} eq 'prerouting' &&
+        $_->{text} eq 'tcp dport 2023 redirect to :20022 comment "Webmin quick forward"'
+    } @{$redirect_table->{rules}};
+ok($redirect_rule, 'quick local redirect rule added');
+check_fields('quick local redirect rule', $redirect_rule,
+             { proto => 'tcp', dport => '2023', action => 'redirect', nat_port => '20022' });
+
 my %setup_services = map { $_->{id} => $_ } setup_services();
 is($setup_services{ssh}->{port}, '2022, 2200, 2223',
    'ssh service uses configured sshd ports');