# Publishes a DNS service that sits behind this Shorewall firewall.
#
# Declares five shorewall::rule resources (order 2000-2004): one DNS/ACCEPT
# rule for traffic from 'net' to the firewall itself, and TCP and UDP DNAT
# rules that send port 53 to $destination, both for traffic from 'net' and
# for traffic that the firewall host originates.
#
# @param destination
#   Address of the DNS backend. It is interpolated verbatim into the DNAT
#   destination column and is not validated here.
#   TODO(review): consider a data type on this parameter so that a malformed
#   Hiera value cannot end up in the generated rules file.
# @param zone
#   Shorewall zone holding the backend for the net-facing rules. Defaults
#   to 'vm'.
#
# NOTE(review): every rule is declared with ratelimit => '-', so port 53 is
# reachable from 'net' with no rate limit at the firewall. If the backend
# answers recursive queries this makes it usable for DNS amplification;
# confirm it is authoritative-only or that limiting happens elsewhere.
class firewall::virtual::dns($destination, $zone = 'vm') {
  shorewall::rule {
    # Shared by all five rules below: no rate limit is configured.
    default:
      ratelimit => '-',
    ;

    # DNS from the 'net' zone to the firewall host itself. Proto and port
    # are left as '-'; presumably the DNS macro supplies them.
    # '$FW' is single-quoted so Puppet passes it through literally.
    'dns-route-0':
      action          => 'DNS/ACCEPT',
      source          => 'net',
      destination     => '$FW',
      proto           => '-',
      destinationport => '-',
      order           => 2000,
    ;

    # TCP/53 arriving from 'net' is DNATed to the backend in $zone.
    'dns-route-1':
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:53",
      proto           => 'tcp',
      destinationport => '53',
      order           => 2001,
    ;

    # TCP/53 originated by the firewall host and addressed to the external
    # IP. The external IP is read from the 'firewall::external_ip' key and
    # falls back to the $::ipaddress fact when the key is absent.
    # NOTE(review): the destination zone is hard-coded to 'fw' here while
    # the net-facing rules use $zone; confirm this is intentional.
    # NOTE(review): on a multi-homed host the $::ipaddress fallback may not
    # be the external address; setting the key explicitly avoids guessing.
    'dns-route-2':
      action          => 'DNAT',
      source          => '$FW',
      destination     => "fw:${destination}:53",
      proto           => 'tcp',
      destinationport => '53',
      originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
      order           => 2002,
    ;

    # UDP counterpart of dns-route-1.
    'dns-route-3':
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:53",
      proto           => 'udp',
      destinationport => '53',
      order           => 2003,
    ;

    # UDP counterpart of dns-route-2; same external-IP lookup and the same
    # hard-coded 'fw' destination zone.
    'dns-route-4':
      action          => 'DNAT',
      source          => '$FW',
      destination     => "fw:${destination}:53",
      proto           => 'udp',
      destinationport => '53',
      originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
      order           => 2004,
    ;
  }
}