Document 'maclog'; document that ACCEPT rules are required with one-to-one NAT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4729 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/NAT.xml

@@ -117,6 +117,17 @@
       feature requires kernel 2.4.19 or later and iptables 1.2.6a or later and
       you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.</para>
     </note>
+
+    <para>Entries in <filename>/etc/shorewall/nat</filename> only arrange for
+    address translation; they do not allow traffic to pass through the
+    firewall in violation of your policies. In the above example, suppose that
+    you wish to run a web server on 10.1.1.2 (a.k.a. 130.252.100.18). You
+    would need the following entry in
+    <filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION     SOURCE     DEST            PROTO       DEST        SOURCE         ORIG
+#                                                  PORT(S)     PORT(S)        DEST
+ACCEPT      net        loc:10.1.1.2    tcp         80          -              130.252.100.18</programlisting>
   </section>
 
   <section>

docs/shorewall_extension_scripts.xml

@@ -111,6 +111,14 @@
       is invoked earlier in the [re]start process than is the
       <emphasis>initdone</emphasis> script described above.</para>
     </listitem>
+
+    <listitem>
+      <para>maclog -- (Added in Shorewall version 3.2.5) invoked while mac
+      filtering rules are being created. It is invoked once for each interface
+      having 'maclist' specified and it is invoked just before the logging
+      rule is added to the current chain (the name of that chain will be in
+      $CHAIN).</para>
+    </listitem>
   </itemizedlist>
 
   <para><emphasis role="bold">If your version of Shorewall doesn't have the