fix(firewall): allow both forward and NAT rules in same policy

Remove continue statements after applying FORWARD and NAT rules so
a single policy can specify both `from` and `nat` fields. Previously
only the first matched rule was applied and subsequent ones were
skipped. Also guard the unhandled-pattern warning to only log when
both fields are empty, preventing false warnings.

network-go/firewall/firewall.go

@@ -177,23 +177,24 @@ func (o *Orchestrator) reconcilePolicies(ctx context.Context, cfg *config.Networ
 		}
 		logger.Debug("FIREWALL: policy[%d] comment=%q", i, comment)
 
-		// CASE 1: Rule with "from" field — this is a FORWARD ACCEPT rule
+		// Apply FORWARD ACCEPT rule if "from" is specified
+		// (no 'continue' — same policy may also have NAT rules)
 		if policy.From != "" {
 			o.applyForwardRule(ctx, cfg, policy, proto, port, comment)
-			continue
 		}
 
-		// CASE 2: Rule with "nat" field — this is a DNAT/MASQUERADE rule
+		// Apply DNAT/MASQUERADE rule if "nat" is specified
 		if policy.Nat != "" {
 			o.applyNATRule(ctx, cfg, policy, proto, port, comment)
-			continue
 		}
 
-		// Unhandled pattern
+		// Unhandled pattern (no from, no nat)
+		if policy.From == "" && policy.Nat == "" {
 			logger.Warn("FIREWALL: policy[%d] unhandled pattern — service=%s container=%s selector=%s from=%s to=%s port=%d proto=%s nat=%s",
 				i, policy.ServiceName, policy.ContainerName, policy.Selector, policy.From, policy.To, policy.Port, policy.Proto, policy.Nat)
 		}
 	}
+}
 
 func (o *Orchestrator) applyForwardRule(ctx context.Context, cfg *config.NetworksConfig, policy config.PolicyConfig, proto, port, comment string) {
 	sourceIP := o.resolveIP(policy.From)