Don't unconditionally detect helpers when LOAD_HELPERS_ONLY=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Config.pm

@@ -3319,26 +3319,26 @@ sub Amanda_Helper() {
     have_helper( 'amanda', 'udp', 10080 );
 }
 
-sub FTP_Helper() {
-    have_helper( 'ftp', 'tcp', 21 );
-}
-
 sub FTP0_Helper() {
     have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
 }
 
+sub FTP_Helper() {
+    have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
+}
+
 sub H323_Helpers() {
     have_helper( 'RAS', 'udp', 1719 );
 }
 
-sub IRC_Helper() {
-    have_helper( 'irc', 'tcp', 6667 );
-}
-
 sub IRC0_Helper() {
     have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
 }
 
+sub IRC_Helper() {
+    have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
+}
+
 sub Netbios_ns_Helper() {
     have_helper( 'netbios-ns', 'udp', 137 );
 }
@@ -3347,34 +3347,34 @@ sub PPTP_Helper() {
     have_helper( 'pptp', 'tcp', 1729 );
 }
 
-sub SANE_Helper() {
-    have_helper( 'sane', 'tcp', 6566 );
-}
-
 sub SANE0_Helper() {
     have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
 }
 
-sub SIP_Helper() {
+sub SANE_Helper() {
-    have_helper( 'sip', 'udp', 5060 );
+    have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
 }
 
 sub SIP0_Helper() {
     have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
 }
 
+sub SIP_Helper() {
+    have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
+}
+
 sub SNMP_Helper() {
     have_helper( 'snmp', 'udp', 161 );
 }
 
-sub TFTP_Helper() {
-    have_helper( 'tftp', 'udp', 69 );
-}
-
 sub TFTP0_Helper() {
     have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
 }
 
+sub TFTP_Helper() {
+    have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
+}
+
 sub Connlimit_Match() {
     qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
 }
@@ -3624,17 +3624,6 @@ sub determine_capabilities() {
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
 
-    if ( have_capability 'CT_TARGET' ) {
-	$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
-						       'FTP0_HELPER',
-						       'IRC0_HELPER',
-						       'SANE0_HELPER',
-						       'SIP0_HELPER',
-						       'TFTP0_HELPER' );
-    } else {
-	$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-    }
-
     unless ( $config{ LOAD_HELPERS_ONLY } ) {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -3718,6 +3707,12 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	
+	if ( have_capability 'CT_TARGET' ) {
+	    $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
+	} else {
+	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+	}
+
 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
 	qt1( "$iptables -F $sillyname1" );

Shorewall/manpages/shorewall-tcrules.xml

@@ -515,7 +515,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               role="bold">-</emphasis>|<emphasis
               role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
 
-              <para>Added in Shorewall 4.4.24. </para>
+              <para>Added in Shorewall 4.4.24.</para>
 
               <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
               <emphasis role="bold">:F</emphasis> but the resulting rule is
@@ -1014,10 +1014,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
           such as <option>ftp</option>, <option>sip</option>,
           <option>amanda</option>, etc. A packet will match if it was accepted
-          by the named helper module. You can also append "-" and a port
+          by the named helper module.</para>
-          number to the helper module name (e.g., <emphasis
-          role="bold">ftp-21</emphasis>) to specify the port number that the
-          original connection was made on.</para>
 
           <para>Example: Mark all FTP data connections with mark
           4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -420,12 +420,12 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               role="bold">:P</emphasis>, in which case the rule is added to
               the PREROUTING chain.</para>
 
-              <para> If <emphasis role="bold">+</emphasis> is included,
+              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              packets matching the rule will have their HL (hop limit)
+              matching the rule will have their HL (hop limit) incremented by
-              incremented by <replaceable>number</replaceable>. Similarly, if
+              <replaceable>number</replaceable>. Similarly, if <emphasis
-              <emphasis role="bold">-</emphasis> is included, matching packets
+              role="bold">-</emphasis> is included, matching packets have
-              have their HL decremented by <replaceable>number</replaceable>.
+              their HL decremented by <replaceable>number</replaceable>. If
-              If neither <emphasis role="bold">+</emphasis> nor <emphasis
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
               role="bold">-</emphasis> is given, the HL of matching packets is
               set to <replaceable>number</replaceable>. The valid range of
               values for <replaceable>number</replaceable> is 1-255.</para>
@@ -870,10 +870,7 @@ Normal-Service       =&gt; 0x00</programlisting>
           <para>Optional. Names a Netfiler protocol
           <firstterm>helper</firstterm> module such as <option>ftp</option>,
           <option>sip</option>, <option>amanda</option>, etc. A packet will
-          match if it was accepted by the named helper module. You can also
+          match if it was accepted by the named helper module. </para>
-          append "-" and a port number to the helper module name (e.g.,
-          <emphasis role="bold">ftp-21</emphasis>) to specify the port number
-          that the original connection was made on.</para>
 
           <para>Example: Mark all FTP data connections with mark
           4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER

docs/Internals.xml

@@ -483,7 +483,7 @@ export -p</programlisting>
         <title>Pre-processor</title>
 
         <para>Unlike preprocessors like ccp, the Shorewall pre-processor does
-        it's work each time that the higher-level functions ask for the next
+        it's work each time that the higher-level modules asks for the next
         line of input.</para>
 
         <para>The major exported functions in the pre-processor are:</para>
@@ -499,8 +499,8 @@ export -p</programlisting>
               role="bold">open_file</emphasis> calls <emphasis
               role="bold">find_file</emphasis> who traverses the CONFIG_PATH
               looking for a file with the requested name. If the file is found
-              and has non-zero size, it is opened and module-global variables
+              and has non-zero size, it is opened, module-global variables are
-              are set as follows, and the fully-qualified name of the file is
+              set as follows, and the fully-qualified name of the file is
               returned by the function.</para>
 
               <variablelist>
@@ -540,8 +540,9 @@ export -p</programlisting>
             <listitem>
               <para>Sometimes, the higher-level modules need to suspend
               processing of the current file and open another file. An obvious
-              example is when the Rules module needs to process a macro file.
+              example is when the Rules module encounters a macro invocation
-              The push_open function is called in these cases.</para>
+              and needs to process the corresponding macro file. The push_open
+              function is called in these cases.</para>
 
               <para><emphasis role="bold">push_open</emphasis> pushes
               <emphasis role="bold">$currentfile</emphasis>, <emphasis
@@ -595,7 +596,7 @@ export -p</programlisting>
             <term>first_entry( $ )</term>
 
             <listitem>
-              <para>This function is called to determine what happens when the
+              <para>This function is called to specify what happens when the
               first non-commentary and no-blank line is read from the open
               file. The argument may be either a scalar or a function
               reference. If the argument is a scalar then it is treaded as a
@@ -634,8 +635,8 @@ export -p</programlisting>
                NORMAL_READ         =&gt; -1     # All options
             };</programlisting>
 
-              <para>The actual argument may be a bit-wise OR of any of the
+              <para>The actual argument may be a bit-wise OR of any of these
-              above constants.</para>
+              constants.</para>
 
               <para>The function does not return the logical line; that line
               is rather stored in the module-global variable <emphasis
@@ -658,14 +659,15 @@ export -p</programlisting>
               role="bold">split_line1</emphasis> functions return an array
               containing the contents of those columns.</para>
 
-              <para>The arguments to split_line1 are:</para>
+              <para>The arguments to <emphasis
+              role="bold">split_line1</emphasis> are:</para>
 
               <itemizedlist>
                 <listitem>
                   <para>A <option>name</option> =&gt;
                   <replaceable>column-number</replaceable> pair for each of
-                  the columns in the file. These are used to handle lines that
+                  the columns in the file. These are used to process lines
-                  use the <ulink
+                  that use the <ulink
                   url="configuration_file_basics.htm#Pairs">alternate input
                   methods</ulink> and also serve to define the number of
                   columns in the file's records.</para>
@@ -676,13 +678,14 @@ export -p</programlisting>
                   =&gt; <replaceable>number-of-columns</replaceable> pairs.
                   For example "{ COMMENT =&gt; 0, FORMAT 2 }" allows COMMENT
                   lines of an unlimited number of space-separated tokens and
-                  it allows FORMAT lines with exactly two columns. </para>
+                  it allows FORMAT lines with exactly two columns. The hash
+                  reference must be the last argument passed.</para>
                 </listitem>
               </itemizedlist>
 
               <para>If there are fewer space-separated tokens on the line than
-              specified in the arguments, then "-" is returned for the the
+              specified in the arguments, then "-" is returned for the omitted
-              trailing columns that were omitted.</para>
+              trailing columns.</para>
             </listitem>
           </varlistentry>
 
@@ -713,7 +716,7 @@ export -p</programlisting>
 
               <simplelist>
                 <member>"ERROR: @_" followed by the name of the file and the
-                line number where the error occurred. </member>
+                line number where the error occurred.</member>
               </simplelist>
 
               <para>The mesage is written to the STARTUP_LOG, if any.</para>
@@ -781,7 +784,69 @@ export -p</programlisting>
       </section>
 
       <section>
-        <title/>
+        <title>Script File Handling</title>
+
+        <para>The functions involved in script file creation are:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>create_temp_script( $$ )</term>
+
+            <listitem>
+              <para>This function creates and opens a temporary file in the
+              directory where the final script is to be placed; this function
+              is not called when the <command>check</command> command is being
+              processed. The first argument is the fully-qualified name of the
+              output script; the second (boolean) argument determines if the
+              compilation is for export. The function returns no meaningful
+              value but sets module-global variables as follows:</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>$script</term>
+
+                  <listitem>
+                    <para>Handle of the open script file.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>$dir</term>
+
+                  <listitem>
+                    <para>The directory in which the script was
+                    created.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>$tempfile</term>
+
+                  <listitem>
+                    <para>The name of the temporary file.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>$file</term>
+
+                  <listitem>
+                    <para>This fully-qualified name of the script file.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>finalize_script( $ )</term>
+
+            <listitem>
+              <para>This function closes the temporary file and renames it to
+              the </para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
 
         <para/>
       </section>