From 50bd1d63983a8d462b59029ec449b14e66d625cb Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 12 Aug 2012 07:25:11 -0700
Subject: [PATCH] Add AUTOHELPER option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Macros/macro.Amanda                 |  6 +-
 Shorewall/Macros/macro.BLACKLIST              |  6 +-
 Shorewall/Macros/macro.FTP                    |  6 +-
 Shorewall/Macros/macro.IRC                    |  6 +-
 Shorewall/Macros/macro.PPtP                   |  6 +-
 Shorewall/Macros/macro.SANE                   |  6 +-
 Shorewall/Macros/macro.SIP                    |  6 +-
 Shorewall/Macros/macro.SMB                    |  6 +-
 Shorewall/Macros/macro.SMBBI                  | 12 ++--
 Shorewall/Macros/macro.SNMP                   |  6 +-
 Shorewall/Macros/macro.TFTP                   |  6 +-
 Shorewall/Perl/Shorewall/Config.pm            |  2 +
 Shorewall/Samples/Universal/shorewall.conf    |  2 +
 .../Samples/one-interface/shorewall.conf      |  2 +
 .../Samples/three-interfaces/shorewall.conf   |  2 +
 .../Samples/two-interfaces/shorewall.conf     |  2 +
 Shorewall/configfiles/conntrack               |  2 +-
 Shorewall/configfiles/shorewall.conf          |  2 +
 Shorewall/manpages/shorewall.conf.xml         | 65 +++++++++++++++----
 Shorewall6/Samples6/Universal/shorewall6.conf |  2 +
 .../Samples6/one-interface/shorewall6.conf    |  2 +
 .../Samples6/three-interfaces/shorewall6.conf |  2 +
 .../Samples6/two-interfaces/shorewall6.conf   |  2 +
 Shorewall6/configfiles/shorewall6.conf        |  2 +
 Shorewall6/manpages/shorewall6.conf.xml       | 61 ++++++++++++++---
 25 files changed, 165 insertions(+), 57 deletions(-)

diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda
index 7d9197813..bf45c2d69 100644
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -12,11 +12,11 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
  PARAM	-	-	udp	10080 ; helper=amanda
-?ELSE
+?else
  PARAM	-	-	udp	10080
-?ENDIF
+?endif
 
 PARAM	-	-	tcp	10080
 #
diff --git a/Shorewall/Macros/macro.BLACKLIST b/Shorewall/Macros/macro.BLACKLIST
index c51675fb1..cebff9453 100644
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP
index 40ac654d5..038857a53 100644
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -9,8 +9,8 @@
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER  )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
  PARAM	-	-	tcp	21 ; helper=ftp
-?ELSE
+?else
  PARAM	-	-	tcp	21
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC
index 07cd26dec..020bee064 100644
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -10,8 +10,8 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER  )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
  PARAM	-	-	tcp	6667 ; helper=irc
-?ELSE
+?else
  PARAM	-	-	tcp	6667
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP
index 330f2e128..b4ba427e8 100644
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -12,8 +12,8 @@
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
-?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
  PARAM	-	-	tcp	1723 ; helper=pptp
-?ELSE
+?else
  PARAM	-	-	tcp	1723
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE
index 4013737f8..40721e64d 100644
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -10,11 +10,11 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
  PARAM	-	-	tcp	6566 ; helper=sane
-?ELSE
+?else
  PARAM	-	-	tcp	6566
-?ENDIF
+?endif
 
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP
index 318217df7..015d8b688 100644
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -10,8 +10,8 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER  )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
  PARAM	-	-	udp	5060 ; helper=sip
-?ELSE
+?else
  PARAM	-	-	udp	5060
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB
index 12a954846..20208fdf3 100644
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -15,12 +15,12 @@ FORMAT 2
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
  PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
-?ELSE
+?else
  PARAM	-	-	udp	137:139
-?ENDIF
+?endif
 
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI
index 09d833cf7..08311d3fe 100644
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -15,23 +15,23 @@ FORMAT 2
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
  PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
-?ELSE
+?else
  PARAM	-	-	udp	137:139
-?ENDIF
+?endif
 
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
  PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
  PARAM	DEST	SOURCE	udp	138:139
-?ELSE
+?else
  PARAM	DEST	SOURCE	udp	137:139
-?ENDIF
+?endif
 
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445
diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP
index d1e26b598..bbc906fbc 100644
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -10,11 +10,11 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
  PARAM	-	-  	udp     161 ; helper=snmp
  PARAM	-	-	udp	162
-?ELSE
+?else
  PARAM	-	-	udp	161:162
-?ENDIF
+?endif
 
 PARAM	-	-	tcp	161
diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP
index bd303f322..8e7ccb4f3 100644
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -12,8 +12,8 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
  PARAM	-	-	udp	69 ; helper=tftp
-?ELSE
+?else
  PARAM	-	-	udp	69
-?ENDIF
+?endif
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b0103c3b8..5a2d46206 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -730,6 +730,7 @@ sub initialize( $;$ ) {
 	  LEGACY_FASTSTART => undef,
 	  USE_PHYSICAL_NAMES => undef,
 	  HELPERS => undef,
+	  AUTOHELPERS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -4524,6 +4525,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
     default_yes_no 'USE_PHYSICAL_NAMES'         , '';
     default_yes_no 'IPSET_WARNINGS'             , 'Yes';
+    default_yes_no 'AUTOHELPERS'                , 'Yes';
 
     if ( supplied $config{HELPERS} ) {
 	my %helpers_temp = %helpers_enabled;
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index d334682db..512802886 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 38af1be72..6eabebf6d 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index e4f7b5142..9d6ba575f 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 58ff0e882..2db35263c 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
index 3ff7ec943..dbb55854d 100644
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -7,7 +7,7 @@
 FORMAT 2
 #ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #								PORT(S)		PORT(S)	GROUP
-?IF __CT_TARGET
+?IF $AUTOHELPERS && __CT_TARGET
 
 ?IF __AMANDA_HELPER
 CT:helper:amanda	all		-		udp	10080
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 8d7f3a0df..68b6b97c7 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 4cd86e8f6..ef09c1dd6 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -106,7 +106,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -116,7 +116,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -126,7 +126,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -299,6 +299,49 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
+          (the default), the generated ruleset will automatically associate
+          helpers with applications that require them (FTP, IRC, etc.). When
+          configuring your firewall on systems running kernel 3.5 or later, it
+          is recommended that you:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>Set AUTOHELPERS=No.</para>
+            </listitem>
+
+            <listitem>
+              <para>Either:</para>
+
+              <orderedlist numeration="loweralpha">
+                <listitem>
+                  <para>Modify <ulink
+                  url="shorewall-conntrack.html">shorewall-conntrack</ulink>
+                  (5) to only apply helpers where they are required; or</para>
+                </listitem>
+
+                <listitem>
+                  <para>Specify the appropriate helper in the HELPER column in
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+                  (5).</para>
+
+                  <note>
+                    <para>The macros for those applications requiring a helper
+                    automatically specify the appropriate HELPER where
+                    required.</para>
+                  </note>
+                </listitem>
+              </orderedlist>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -482,7 +525,7 @@
           </itemizedlist>
 
           <blockquote>
-            <para/>
+            <para></para>
 
             <para>If CONFIG_PATH is not given or if it is set to the empty
             value then the contents of /usr/share/shorewall/configpath are
@@ -739,8 +782,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           </itemizedlist>
 
           <para>When HELPERS is specified on a system running Kernel 3.5.0 or
-          later, automatic association of helpers to connections is disabled.
-          </para>
+          later, automatic association of helpers to connections is
+          disabled.</para>
         </listitem>
       </varlistentry>
 
@@ -889,7 +932,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </varlistentry>
           </variablelist>
 
-          <para/>
+          <para></para>
 
           <blockquote>
             <para>If this variable is not set or is given an empty value
@@ -1099,7 +1142,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
           </itemizedlist>
 
-          <para/>
+          <para></para>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1116,7 +1159,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para/>
+            <para></para>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1780,7 +1823,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index af44a223e..826db4099 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 5b2864e23..518ac9030 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 3cf36656e..01b81f97f 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 35beedfbd..0d9360a14 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 096f64b58..946060722 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 1eda02d4f..48d48d08b 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -82,7 +82,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -92,7 +92,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -102,7 +102,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -112,7 +112,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -228,6 +228,49 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
+          (the default), the generated ruleset will automatically associate
+          helpers with applications that require them (FTP, IRC, etc.). When
+          configuring your firewall on systems running kernel 3.5 or later, it
+          is recommended that you:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>Set AUTOHELPERS=No.</para>
+            </listitem>
+
+            <listitem>
+              <para>Either:</para>
+
+              <orderedlist numeration="loweralpha">
+                <listitem>
+                  <para>Modify <ulink
+                  url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
+                  (5) to only apply helpers where they are required; or</para>
+                </listitem>
+
+                <listitem>
+                  <para>Specify the appropriate helper in the HELPER column in
+                  <ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
+                  (5).</para>
+
+                  <note>
+                    <para>The macros for those applications requiring a helper
+                    automatically specify the appropriate HELPER where
+                    required.</para>
+                  </note>
+                </listitem>
+              </orderedlist>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -648,8 +691,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           </itemizedlist>
 
           <para>When HELPERS is specified on a system running Kernel 3.5.0 or
-          later, automatic association of helpers to connections is disabled.
-          </para>
+          later, automatic association of helpers to connections is
+          disabled.</para>
         </listitem>
       </varlistentry>
 
@@ -962,7 +1005,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
           </itemizedlist>
 
-          <para/>
+          <para></para>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -979,7 +1022,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para/>
+            <para></para>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1578,7 +1621,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>