ChangeLog and doc updates

ChangeLog

@@ -1,4 +1,14 @@
-fwknop-2.6.6 (02//2015):
+fwknop-2.6.6 (04//2015):
+    - [server] Add the ability for fwknopd to function as an generic SPA
+      gateway. This allows scenarios such as the fwknopd system providing DHCP
+      addresses to client systems, but those systems would be blocking by
+      default from accessing the broader Internet until a valid SPA packet is
+      sent to the gateway. Two new access.conf variables support this feature:
+      DISABLE_DNAT (do not build any DNAT rules for forwarded connections) and
+      FORWARD_ALL (allow all traffic to be forwarded instead of specfic
+      services requested within an SPA packet). So far, this feature is only
+      supported on systems running iptables or firewalld. The idea was
+      contributed by github user "spartan1833" via issue 131.
     - [server] Bug fix when compiled with --enable-udp-server to not include
       pcap.h, which is likely not installed whenever libpcap is also not
       installed. This bug was reported by Alexander Kozhevnikov.
@@ -6,8 +16,8 @@ fwknop-2.6.6 (02//2015):
       enables simple memory bug detection in AFL at the cost of a small
       performance hit.
     - [test suite] Handle versions of lcov that don't have the --rc argument
-      which is normally used to force the creation branch coverage stats when
-      code coverage reports are created.
+      which is normally used to force the creation of branch coverage stats
+      when code coverage reports are created.
     - [build] Add --enable-asan-support to autoconf configure script to enable
       Google's Address Sanitizer (ASan) support. This feature is used during
       the testing phase for new fwknop releases.

doc/fwknopd.man.asciidoc

@@ -283,7 +283,10 @@ See the '@sysconfdir@/fwknop/fwknopd.conf' file for the full list and correspond
     built with the MASQUERADE target (since then the internal IP does not
     have to be defined here in the '@sysconfdir@/fwknop/fwknopd.conf' file),
     but if you want *fwknopd* to use the SNAT target, you must also define an
-    IP address with the ``SNAT_TRANSLATE_IP'' variable.
+    IP address with the ``SNAT_TRANSLATE_IP'' variable. Note that this
+    variable is generally deprecated in favor of the ``FORCE_SNAT'' variable
+    in the '@sysconfdir@/fwknop/access.conf' file which enables per-stanza
+    control over the SNAT IP.
 
 *ENABLE_IPT_OUTPUT* '<Y/N>'::
     Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
@@ -546,6 +549,19 @@ directive starts a new stanza.
     necessary to also specify an IP address for SNAT rules because the
     MASQUERADE target is used instead.
 
+*FORWARD_ALL* '<Y/N>'::
+    In NAT scenarios, control whether all traffic is forwarded through the
+    *fwknopd* system as opposed to just forwarding connections to specific
+    services as requested by the *fwknop* client.
+
+*DISABLE_DNAT* '<Y/N>'::
+    Control whether DNAT rules are created in FORCE_NAT scenarios. This is
+    mainly used in conjunction with the FORWARD_ALL variable to allow
+    *fwknopd* to act essentially as an SPA gateway. I.e., the *fwknop* client
+    is used to gain access via SPA to the broader Internet after being granted
+    an IP via DHCP, but prior to sending the SPA packet all traffic is blocked
+    by default to the Internet.
+
 *GPG_DECRYPT_ID* '<keyID>'::
     Define a GnuPG key ID to use for decrypting SPA messages that
     have been encrypted by an *fwknop* client. This keyword is