Add AUTOHELPER option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Macros/macro.Amanda

@@ -12,11 +12,11 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
  PARAM	-	-	udp	10080 ; helper=amanda
-?ELSE
+?else
  PARAM	-	-	udp	10080
-?ENDIF
+?endif
 
 PARAM	-	-	tcp	10080
 #

Shorewall/Macros/macro.BLACKLIST

@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif

Shorewall/Macros/macro.FTP

@@ -9,8 +9,8 @@
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER  )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
  PARAM	-	-	tcp	21 ; helper=ftp
-?ELSE
+?else
  PARAM	-	-	tcp	21
-?ENDIF
+?endif

Shorewall/Macros/macro.IRC

@@ -10,8 +10,8 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER  )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
  PARAM	-	-	tcp	6667 ; helper=irc
-?ELSE
+?else
  PARAM	-	-	tcp	6667
-?ENDIF
+?endif

Shorewall/Macros/macro.PPtP

@@ -12,8 +12,8 @@
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
-?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
  PARAM	-	-	tcp	1723 ; helper=pptp
-?ELSE
+?else
  PARAM	-	-	tcp	1723
-?ENDIF
+?endif

Shorewall/Macros/macro.SANE

@@ -10,11 +10,11 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
  PARAM	-	-	tcp	6566 ; helper=sane
-?ELSE
+?else
  PARAM	-	-	tcp	6566
-?ENDIF
+?endif
 
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle

Shorewall/Macros/macro.SIP

@@ -10,8 +10,8 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER  )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
  PARAM	-	-	udp	5060 ; helper=sip
-?ELSE
+?else
  PARAM	-	-	udp	5060
-?ENDIF
+?endif

Shorewall/Macros/macro.SMB

@@ -15,12 +15,12 @@ FORMAT 2
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
  PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
-?ELSE
+?else
  PARAM	-	-	udp	137:139
-?ENDIF
+?endif
 
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445

Shorewall/Macros/macro.SMBBI

@@ -15,23 +15,23 @@ FORMAT 2
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
  PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
-?ELSE
+?else
  PARAM	-	-	udp	137:139
-?ENDIF
+?endif
 
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
  PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
  PARAM	DEST	SOURCE	udp	138:139
-?ELSE
+?else
  PARAM	DEST	SOURCE	udp	137:139
-?ENDIF
+?endif
 
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445

Shorewall/Macros/macro.SNMP

@@ -10,11 +10,11 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
  PARAM	-	-  	udp     161 ; helper=snmp
  PARAM	-	-	udp	162
-?ELSE
+?else
  PARAM	-	-	udp	161:162
-?ENDIF
+?endif
 
 PARAM	-	-	tcp	161

Shorewall/Macros/macro.TFTP

@@ -12,8 +12,8 @@ FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
  PARAM	-	-	udp	69 ; helper=tftp
-?ELSE
+?else
  PARAM	-	-	udp	69
-?ENDIF
+?endif

Shorewall/Perl/Shorewall/Config.pm

@@ -730,6 +730,7 @@ sub initialize( $;$ ) {
 	  LEGACY_FASTSTART => undef,
 	  USE_PHYSICAL_NAMES => undef,
 	  HELPERS => undef,
+	  AUTOHELPERS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -4524,6 +4525,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
     default_yes_no 'USE_PHYSICAL_NAMES'         , '';
     default_yes_no 'IPSET_WARNINGS'             , 'Yes';
+    default_yes_no 'AUTOHELPERS'                , 'Yes';
 
     if ( supplied $config{HELPERS} ) {
 	my %helpers_temp = %helpers_enabled;

Shorewall/Samples/Universal/shorewall.conf

@@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall/Samples/one-interface/shorewall.conf

@@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall/configfiles/conntrack

@@ -7,7 +7,7 @@
 FORMAT 2
 #ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #								PORT(S)		PORT(S)	GROUP
-?IF __CT_TARGET
+?IF $AUTOHELPERS && __CT_TARGET
 
 ?IF __AMANDA_HELPER
 CT:helper:amanda	all		-		udp	10080

Shorewall/configfiles/shorewall.conf

@@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall/manpages/shorewall.conf.xml

@@ -96,7 +96,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -106,7 +106,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -116,7 +116,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -126,7 +126,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -299,6 +299,49 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
+          (the default), the generated ruleset will automatically associate
+          helpers with applications that require them (FTP, IRC, etc.). When
+          configuring your firewall on systems running kernel 3.5 or later, it
+          is recommended that you:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>Set AUTOHELPERS=No.</para>
+            </listitem>
+
+            <listitem>
+              <para>Either:</para>
+
+              <orderedlist numeration="loweralpha">
+                <listitem>
+                  <para>Modify <ulink
+                  url="shorewall-conntrack.html">shorewall-conntrack</ulink>
+                  (5) to only apply helpers where they are required; or</para>
+                </listitem>
+
+                <listitem>
+                  <para>Specify the appropriate helper in the HELPER column in
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+                  (5).</para>
+
+                  <note>
+                    <para>The macros for those applications requiring a helper
+                    automatically specify the appropriate HELPER where
+                    required.</para>
+                  </note>
+                </listitem>
+              </orderedlist>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -482,7 +525,7 @@
           </itemizedlist>
 
           <blockquote>
-            <para/>
+            <para></para>
 
             <para>If CONFIG_PATH is not given or if it is set to the empty
             value then the contents of /usr/share/shorewall/configpath are
@@ -739,8 +782,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           </itemizedlist>
 
           <para>When HELPERS is specified on a system running Kernel 3.5.0 or
-          later, automatic association of helpers to connections is disabled.
+          later, automatic association of helpers to connections is
-          </para>
+          disabled.</para>
         </listitem>
       </varlistentry>
 
@@ -889,7 +932,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </varlistentry>
           </variablelist>
 
-          <para/>
+          <para></para>
 
           <blockquote>
             <para>If this variable is not set or is given an empty value
@@ -1099,7 +1142,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
           </itemizedlist>
 
-          <para/>
+          <para></para>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1116,7 +1159,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para/>
+            <para></para>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1780,7 +1823,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall6/configfiles/shorewall6.conf

@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
+AUTOHELPERS=Yes
+
 AUTOMAKE=No
 
 BLACKLISTNEWONLY=Yes

Shorewall6/manpages/shorewall6.conf.xml

@@ -82,7 +82,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -92,7 +92,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -102,7 +102,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -112,7 +112,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>
 
@@ -228,6 +228,49 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
+          (the default), the generated ruleset will automatically associate
+          helpers with applications that require them (FTP, IRC, etc.). When
+          configuring your firewall on systems running kernel 3.5 or later, it
+          is recommended that you:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>Set AUTOHELPERS=No.</para>
+            </listitem>
+
+            <listitem>
+              <para>Either:</para>
+
+              <orderedlist numeration="loweralpha">
+                <listitem>
+                  <para>Modify <ulink
+                  url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
+                  (5) to only apply helpers where they are required; or</para>
+                </listitem>
+
+                <listitem>
+                  <para>Specify the appropriate helper in the HELPER column in
+                  <ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
+                  (5).</para>
+
+                  <note>
+                    <para>The macros for those applications requiring a helper
+                    automatically specify the appropriate HELPER where
+                    required.</para>
+                  </note>
+                </listitem>
+              </orderedlist>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -648,8 +691,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           </itemizedlist>
 
           <para>When HELPERS is specified on a system running Kernel 3.5.0 or
-          later, automatic association of helpers to connections is disabled.
+          later, automatic association of helpers to connections is
-          </para>
+          disabled.</para>
         </listitem>
       </varlistentry>
 
@@ -962,7 +1005,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
           </itemizedlist>
 
-          <para/>
+          <para></para>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -979,7 +1022,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para/>
+            <para></para>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1578,7 +1621,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para/>
+          <para></para>
         </listitem>
       </varlistentry>