diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 166276233..1b6b64e41 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2005-10-25
+ 2005-11-18
2001-2005
@@ -1082,7 +1082,14 @@ LOGBURST=""
if accepted, the packet would be sent on eth1. If you see
OUT=
with no interface name, the packet would be
- processed by the firewall itself.
+ processed by the firewall itself.
+
+
+ When a DNAT rule is logged, there will never be an OUT=
+ shown because the packet is being logged before it is routed.
+ Also, DNAT logging will show the original
+ destination IP address and destination port number.
+
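Review bot: the added DNAT paragraph says the log shows the "original destination IP address and destination port number" but does not say that these are the values before the DNAT rule rewrites them, so a reader searching the log for the rewritten address or port will not find the packet. Suggest stating that explicitly, and naming the log fields concerned (DST= and DPT=) the same way the paragraph names OUT=. The second sentence would also read better as "Also, a logged DNAT rule shows ..." to match the "When a DNAT rule is logged" wording of the first.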
diff --git a/Shorewall-docs2/Macros.xml b/Shorewall-docs2/Macros.xml
index b0b1a5b32..46e05b15e 100644
--- a/Shorewall-docs2/Macros.xml
+++ b/Shorewall-docs2/Macros.xml
@@ -141,10 +141,11 @@ ACCEPT loc fw tcp 135,139,445
If a value other than "-" appears in both the macro body and
in the invocation of the macro, then the value in the invocation is
- examined and the appropriate action is taken. If the value in the
- invocation appears to be an address (IP or MAC) or the name of an
- ipset, then it is placed after the value in the macro body.
- Otherwise, it is placed before the value in the macro body.
+ examined and the appropriate action is taken (you will want to be
+ running Shorewall 3.0.1 or later). If the value in the invocation
+ appears to be an address (IP or MAC) or the name of an ipset, then
+ it is placed after the value in the macro body. Otherwise, it is
+ placed before the value in the macro body.
Example 1:
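Review bot: the parenthetical "(you will want to be running Shorewall 3.0.1 or later)" in the first changed sentence does not say what happens on earlier releases: whether combining the macro-body value with the invocation value is unsupported there or simply behaves differently. Suggest moving it out of the middle of the sentence into its own sentence that states the version requirement and what earlier versions do, so the rule itself (address, MAC or ipset goes after the macro-body value, anything else goes before) reads without interruption.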