Apply Louis Lagendijk's patch for Shorewall-init

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1470,10 +1470,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
     fi
 
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local count
+    local max
 
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
+	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
+	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
+	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    else
+	heading "Conntrack Table"
+    fi
 
     if [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack

Shorewall-init/shorewall-init

@@ -63,18 +63,19 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
       else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
       fi
   done
@@ -95,8 +96,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -352,6 +352,20 @@
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -465,7 +479,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -829,6 +844,19 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1073,6 +1101,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -3503,7 +3503,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;

Shorewall/Perl/Shorewall/Config.pm

@@ -4118,7 +4118,7 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4140,7 @@ sub IPSet_Match_Nomatch() {
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {
@@ -4615,6 +4615,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
+	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4631,7 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
+	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );

Shorewall/Perl/Shorewall/Providers.pm

@@ -454,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
+
+    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
+
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $physical    = get_physical $interface;
+    #
+    # Switch to the logical name if a physical name was passed
+    #
+    my $physical;
+
+    if ( $interface eq $interfaceref->{name} ) {
+	#
+	# The logical interface name was specified
+	#
+	$physical = $interfaceref->{physical};
+    } else {
+	#
+	# A Physical name was specified
+	#
+	$physical = $interface;
+	#
+	# Switch to the logical name unless it is a wildcard
+	#
+	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
+    } 
+
     my $gatewaycase = '';
 
     if ( $physical =~ /\+$/ ) {

Shorewall/Perl/Shorewall/Rules.pm

@@ -1673,9 +1673,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
+			       undef,
+			       1 );
 	}
 
 	fatal_error 'TARGET must be specified' if $target eq '-';

Shorewall/Perl/Shorewall/Tc.pm

@@ -229,9 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
-
-	$and_or ||= '';
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
 
 	if ( $params =~ /-/ ) {
 	    #

Shorewall/Perl/Shorewall/Zones.pm

@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
+#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
+						       wildcard   => $wildcard,
 						     };
 
     if ( $zone ) {
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
+						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
     }

Shorewall/install.sh

@@ -205,7 +205,7 @@ done
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)

Shorewall/manpages/shorewall-mangle.xml

@@ -27,7 +27,7 @@
 
     <para>This file was introduced in Shorewall 4.6.0 and is intended to
     replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
     <orderedlist numeration="loweralpha">

Shorewall/manpages/shorewall-tcfilters.xml

@@ -88,9 +88,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
-          followed by a number or a comma separated list of src and/or dst
-          enclosed in square brackets ([...]). See <ulink
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -105,9 +107,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
-          followed by a number or a comma separated list of src and/or dst
-          enclosed in square brackets ([...]). See <ulink
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -6,6 +6,8 @@
     <refentrytitle>shorewall-mangle</refentrytitle>
 
     <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -28,10 +30,10 @@
 
     <important>
       <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
-      of rules in this file will continue after a match. So the final mark for
-      each packet will be the one assigned by the LAST tcrule that
-      matches.</para>
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
+      evaluation of rules in this file will continue after a match. So the
+      final mark for each packet will be the one assigned by the LAST tcrule
+      that matches.</para>
 
       <para>If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -311,8 +313,8 @@
               <para>When using Shorewall's built-in traffic shaping tool, the
               <emphasis>major</emphasis> class is the device number (the first
               device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
-              major class 1, the second device is major class 2, and so on)
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+              is major class 1, the second device is major class 2, and so on)
               and the <emphasis>minor</emphasis> class is the class's MARK
               value in <ulink
               url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
               [<replaceable>option</replaceable>] ...") after any matches
               specified at the end of the rule. If the target is not one known
               to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink
+              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
               (5).</para>
 
               <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
 
               <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
-              third rule above can be specified as follows:</para>
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
+              then the third rule above can be specified as follows:</para>
 
               <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
             </listitem>

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -366,6 +366,20 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -465,7 +479,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -827,6 +842,19 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to ip6tables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1071,6 +1099,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-tcfilters.xml

@@ -88,9 +88,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch </firstterm>capability. The ipset name may optionally be
-          followed by a number or a comma separated list of src and/or dst
-          enclosed in square brackets ([...]). See <ulink
+          Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
+          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -105,9 +107,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
-          followed by a number or a comma separated list of src and/or dst
-          enclosed in square brackets ([...]). See <ulink
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
+          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>

docs/FTP.xml

@@ -294,9 +294,164 @@ xt_tcpudp               3328  0
     /etc/shorewall/shorewall.conf to point to that directory.</para>
   </section>
 
+  <section>
+    <title>FTP with Kernel 3.5 and Later</title>
+
+    <para>Because of the potential for attackers to subvert Netfilter helpers
+    like the one for FTP, the Netfilter team are in the process of eliminating
+    the automatic association of helpers to connections. In the 3.5 kernel, it
+    is possible to disable this automatic association, and the team have
+    announced that automatic association will eventually be eliminated. While
+    it is certainly more secure to add explicit rules that create these
+    associations, for Shorewall to require users to add those rules would
+    present a gross inconvenience during a Shorewall upgrade. To make
+    Shorewall and kernel upgrades as smooth as possible, several new features
+    were added to the Shorewall 4.5.7:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Shorewall automatically disables the kernel's automatic
+        association of helpers to connections on kernel 3.5 and later.</para>
+      </listitem>
+
+      <listitem>
+        <para>An automatic association of helpers with connections that
+        performs the same function as in the pre-3.5 kernels has been added.
+        This automatic association is controlled by the AUTOHELPERS
+        shorewall.conf option which is set to 'Yes' by default.</para>
+      </listitem>
+
+      <listitem>
+        <para>A HELPERS column has been added to the /etc/shorewall/rules In
+        the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
+        specified helper is automatically associated with the
+        connection.</para>
+      </listitem>
+
+      <listitem>
+        <para>HELPERS may be specified in action files, macros and in the
+        rules file itself. In the RELATED section: The rule will only match
+        related connections that have the named helper attached. - The
+        standard Macros for applications requiring a helper (FTP, IRC, etc)
+        have been modified to automatically specify the correct helper in the
+        HELPER column.</para>
+      </listitem>
+
+      <listitem>
+        <para>HELPER is now a valid action in /etc/shorewall/rules. This
+        action requires that a helper be present in the HELPER column and
+        causes the specified helper to be associated with connections matching
+        the rule. No destination zone should be specified in HELPER rules.
+        HELPER rules allow specification of a helper for connections that are
+        ACCEPTed by the applicable policy.</para>
+
+        <para> Example (loc-&gt;net policy is ACCEPT) - In
+        /etc/shorewall/rules:</para>
+
+        <programlisting>#ACTION     SOURCE       DEST
+FTP(HELPER) loc          - </programlisting>
+
+        <para>or equivalently </para>
+
+        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
+#                                       PORT(S)
+HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
+      </listitem>
+
+      <listitem>
+        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
+        HELPERS column) can be taylored using the new HELPERS option in
+        shorewall.conf. </para>
+      </listitem>
+    </itemizedlist>
+
+    <para>By making AUTOHELPERS=Yes the default, users can upgrade their
+    systems to a 3.5+ kernel without disrupting the operation of their
+    firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
+    follow one of two strategies:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Use the HELPERS column in the rules file to enable helpers as
+        needed (preferred); or</para>
+      </listitem>
+
+      <listitem>
+        <para>Taylor the conntrack file to enable helpers on only those
+        connections that are required.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>With either of these approaches, the list if available helpers can
+    be trimmed using the HELPERS option and rules can be added to the RELATED
+    section of the rules file to further restrict the effect of helpers. The
+    implementation of these new function places conditional rules in the
+    /etc/shorewall[6]/conntrack file. These rules are included conditionally
+    based in the setting of AUTOHELPERS.</para>
+
+    <para> Example:</para>
+
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+?if $AUTOHELPERS &amp;&amp; __CT_TARGET
+?if __FTP_HELPER
+CT:helper:ftp           all             -               tcp     21
+?endif
+...
+?endif</programlisting>
+
+    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
+    and 'ftp' is not listed in that setting. For example, if you only need FTP
+    access from your 'loc' zone, then add this rule outside of the outer-most
+    ?if....?endif shown above.</para>
+
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+...
+CT:helper:ftp           loc             -               tcp     21</programlisting>
+
+    <para> For an overview of Netfilter Helpers and Shorewall's support for
+    dealing with them, see <ulink
+    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
+
+    <para>See <ulink
+    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
+    for additional information. </para>
+  </section>
+
   <section id="Ports">
     <title>FTP on Non-standard Ports</title>
 
+    <para>If you are running kernel 3.5 or later and Shorewall 4.5.7 or later,
+    then please read the preceding section. You can add appropriate entries
+    into <ulink url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>
+    or <ulink
+    url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink> to
+    associate the FTP helpers with a nonstandard port.</para>
+
+    <para>Examples using port 12345:</para>
+
+    <para><filename>/etc/shorewall/rules:</filename></para>
+
+    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
+#                                                             PORT(S)
+DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
+
+    <para>That entry will accept ftp connections on port 12345 from the net
+    and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
+
+    <para><filename>/etc/shorewall/conntrack:</filename></para>
+
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+...
+CT:helper:ftp           loc             -               tcp     12345</programlisting>
+
+    <para>That rule automatically associates the ftp helper with TCP port
+    12345 from the 'loc' zone.</para>
+
+    <para>Otherwise, read on.</para>
+
     <note>
       <para>If you are running <emphasis role="bold">kernel 2.6.19 or
       earlier</emphasis>, replace <emphasis

docs/MultiISP.xml

@@ -820,9 +820,9 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
         url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
         (5) will not disable route filtering on a given interface. You must
         set ROUTE_FILTER=No in <ulink
-        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-        (5), then set the <emphasis role="bold">routefilter</emphasis> option
-        on those interfaces on which you want route filtering.</para>
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), then
+        set the <emphasis role="bold">routefilter</emphasis> option on those
+        interfaces on which you want route filtering.</para>
       </important>
     </section>
 

docs/Shorewall_and_Aliased_Interfaces.xml

@@ -182,6 +182,13 @@ ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
       <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
 #                                                                   PORT(S)   DEST
 DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </programlisting>
+
+      <para>If I wished to forward tcp port 10000 on that virtual interface to
+      port 22 on local host 192.168.1.3, the rule would be:</para>
+
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
+#                                                                   PORT(S)   DEST
+DNAT      net        loc:192.168.1.3:22   tcp        10000          -         206.124.146.178    </programlisting>
     </section>
 
     <section id="SNAT">