Description of problem:
When a port-forwarding rule is added to firewalld, either using firewall-cmd or firewall-config, the port is not actually forwarded.

Version-Release number of selected component (if applicable):
firewalld-0.3.8-1.fc19.x86_64

How reproducible:
Very

Steps to Reproduce:
1. Set up QEMU-KVM VM with NAT networking, with SSH on non-standard port (2222). Ensure ssh is accessible from host.
2. Enable masquerading for the active firewall zone. [firewall-cmd --add-masquerade]
3. Enable port forwarding to the VM for the active firewall zone [firewall-cmd --add-forward-port=port=2222:proto=tcp:toaddr=192.168.122.164]
4. Verify changes [firewall-cmd --list-all]. Masquerading and the port forward should be listed.
4. Attempt to ssh to port 2222 of the host from an external system. 

Actual results:
SSH returns message: Connection Refused


Expected results:
SSH connects to the VM Guest via port forwarding.


Additional info:

If the forwarding rule is removed, ssh returns a "No Route to Host" error, as expected from a closed port.

External NIC and virtual NIC are in the same firewall zone.

Explicitly adding the port made no difference [firewall-cmd --add-port=2222/tcp]

Making the changes permanent and rebooting made no difference.

The Virtual Guest's SSHD can be connected to from the host.