Ok, I've found something that will work - adding --direct rules. That, I can do via iptables-save | a 10-line awk script.

A question, though: in iptables, we've got INPUT and FORWARD defined as using the same chain. Is there a way to do that with firewalld? It's not clear from what I'm reading.

Once I have this working, I'm going to investigate if I can export them as rich rules, so in the new format.

mark
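
The conversion described in the message above, as an added example that is not the poster's own script: an awk filter that turns iptables-save text into firewall-cmd --direct commands. It assumes IPv4 rules only; the chain name SHARED-IN and the sample rules are constructed. A user-defined chain is recreated with --add-chain, so the jumps to it from both INPUT and FORWARD carry over unchanged.

```shell
#!/bin/sh
# Added example (not the poster's script): iptables-save text -> firewall-cmd --direct commands.
# Assumes IPv4 rules only.

to_direct() {
    awk '
    # "*filter", "*nat", ... names the table for the lines that follow
    /^\*/ { table = substr($0, 2); next }
    # ":CHAIN POLICY [pkts:bytes]": policy "-" marks a user-defined chain
    /^:/ {
        if ($2 == "-")
            printf "firewall-cmd --permanent --direct --add-chain ipv4 %s %s\n", table, substr($1, 2)
        next
    }
    # "-A CHAIN args": rising priority per chain preserves the original rule order
    /^-A / {
        chain = $2
        args = $0
        sub(/^-A [^ ]+ /, "", args)
        printf "firewall-cmd --permanent --direct --add-rule ipv4 %s %s %d %s\n", table, chain, prio[table, chain]++, args
        next
    }
    # everything else (comments, COMMIT) is dropped
    '
}

# Constructed sample: SHARED-IN is a made-up chain name
sample_rules() {
    cat <<'EOF'
# constructed iptables-save output
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SHARED-IN - [0:0]
-A INPUT -j SHARED-IN
-A FORWARD -j SHARED-IN
-A SHARED-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SHARED-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A SHARED-IN -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_rules | to_direct
```

On a real host the input would be `iptables-save | to_direct`; read the generated commands before running them, then apply with `firewall-cmd --reload`.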