LinuxQuestions.org - Multiple hop tunnel to chain port forwarding

I was having trouble setting up a db connection from my local machine to a db server that was configured to only accept connections from machines behind its own subnet. I had trouble setting up a multiple hop tunnel for chaining port forwarding through my firewall machine on the same subnet as the db. My first attempt involved two port forwards, on localhost and on the firewall machine, which didn't work for me. This approach I found at http://www.derkeiler.com/Newsgroups/.../msg00267.html involved constructing an end to end connection to the db via the firewall machine

Quote:

When you have to go through multiple hops, it's usually better to get an
end-to-end connection. In this case:

ssh -oproxycommand="ssh -qaxT firewall nc %h %p" -L 5432:localhost:5432 dbserver

If you have a copy of the snail book, section 11.4 (p444) has a discussion
of these two approaches.

The annoyance with the second approach is that it requires having netcat
("nc") or something equivalent on the intermediate host. I hope that
someday OpenSSH will have this feature built in, i.e. connecting an exec
channel to a remote TCP connection.

I'm trying to understand what this command does. I know what these options mean

-L construct a port forwarding tunnel
-q Quiet mode - surpresses warnings/diagnostic messages
-a Disables forwarding of the authentication agent connection (as opposed to -A which enables it)
-x Disables X11 forwarding (as opposed to -X which enables it)
-T disables pseudo-tty allocation

but I'm not clear on what the 'ssh -oproxycommand="ssh -qaxT firewall nc %h %p"'

My guess about what this command does is: I'm constructing and end to end connection between localhost and dbserver via firewall by running the command nc %h %p on firewall - my limited understanding of netcat is it forwards host and port? something like that? Anyways, I just want to understand what this command does, if anyone would like to comment. Thanks.