summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* src: tests: files: Remove test files.Varsha Rao2017-11-1613-243/+0
| | | | | | | | This patch removes all the test cases from tests/files. As they are already present in other test files. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Make 'nft export' respect output_fpPhil Sutter2017-11-161-2/+7
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Split code into frontend and libraryPhil Sutter2017-11-167-9/+45
| | | | | | | | | | | | | | | | | | | | | | | This finally creates the libnftables shared object. For some reason, this causes two compiler warnings to appear: | parser_bison.y: In function 'nft_parse': | parser_bison.y:131:3: warning: implicit declaration of function 'nft_set_debug' [-Wimplicit-function-declaration] | nft_set_debug(1, scanner); | ^~~~~~~~~~~~~ | parser_bison.c:64:25: warning: implicit declaration of function 'nft_lex' [-Wimplicit-function-declaration] | #define yylex nft_lex | ^ | parser_bison.c:4745:16: note: in expansion of macro 'yylex' | yychar = yylex (&yylval, &yylloc, scanner); So this patch contains a workaround, namely declaring both functions in src/parser_bison.y. During linking the objects are found, so this is rather a matter of cosmetics. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Unexport enum nftables_exit_codesPhil Sutter2017-11-164-26/+23
| | | | | | | | | | | | | | | | Apart from SUCCESS/FAILURE, these codes were not used by library functions simply because NOMEM and NONL conditions lead to calling exit() instead of propagating the error condition back up the call stack. Instead, make nft_run_cmd_from_*() return either 0 or -1 on error. Usually errno will then contain more details about what happened and/or there are messages in erec. Calls to exit()/return in main() are adjusted to stay compatible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Eliminate struct mnl_ctxPhil Sutter2017-11-165-221/+150
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The issue leading to this patch was that debug output in nft_mnl_talk() bypasses the application-defined output_fp. While investigating, another problem was discovered: Most of the ad-hoc defined mnl_ctx objects have their field 'debug_mask' set to zero regardless of what netlink_ctx contains (this affects non-batch code path only). The intuitive solution to both of those issues required to extend function parameters of all the non-batch functions as well as the common nft_mnl_talk() one. Instead of complicating them even further, this patch instead makes them accept a pointer to netlink_ctx as first parameter to gather both the old (nf_sock, seqnum) and the new values (debug_mask, octx) from. Since after the above change struct mnl_ctx was not really used anymore, so the remaining places were adjusted as well to allow for removing the struct altogether. Note that cache routines needed special treatment: Although parameters of cache_update() make it a candidate for the same change, it can't be converted since it is called in evaluation phase sometimes in which there is no netlink context available (but just eval context instead). Since netlink_genid_get() needs a netlink context though, the ad-hoc netlink_ctx definition from cache_init() is moved into cache_update() to have it available there already. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Flush iface cache after command executionPhil Sutter2017-11-131-0/+2
| | | | | | | | | | | | | | Commit 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes") was a bit too optimistic in that it missed the remaining need to flush interface cache after each command in interactive mode - otherwise, newly added interfaces won't be recognized. Although cli.c only calls nft_run_cmd_from_buffer(), flush caches in nft_run_cmd_from_filename() as well for matters of consistency. Fixes: 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Print error "this requires root" and exitHarsha Sharma2017-11-061-0/+5
| | | | | | | | If executed without root privileges, print error "this requires root!" and exit. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test case for map expression.Varsha Rao2017-11-061-0/+10
| | | | | | | Add tests for different map expression. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow classid as set keyArturo Borrero Gonzalez2017-11-051-0/+1
| | | | | | | | | Allow TC classid as set key. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Reported-by: Tomas Mudrunka <mudrunka@spoje.net> Tested-by: Tomas Mudrunka <mudrunka@spoje.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft removes required inet dependency expressionsFlorian Westphal2017-10-266-1/+78
| | | | | | | | | | | +inet/meta.t: line: 10: 'add rule inet t input meta nfproto ipv6 tcp dport 22': 'meta nfproto ipv6 tcp dport 22' mismatches 'tcp dport 22' +inet/meta.t: line: 11: 'add rule inet t input meta nfproto ipv4 tcp dport 22': 'meta nfproto ipv4 tcp dport 22' mismatches 'tcp dport 22' +inet/meta.t: line: 13: 'add rule inet t input meta nfproto ipv6 meta l4proto tcp': 'meta nfproto ipv6 meta l4proto 6' mismatches 'meta l4proto 6' +inet/ip_tcp.t: line: 20: 'src/nft add rule inet test input ether type ip tcp dport 22': 'ether type ip tcp dport 22' mismatches 'tcp dport 22' All of these are actual errors, i.e. meaning of rule is changed. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: enable ip/ip.t for bridge protocol, tooFlorian Westphal2017-10-262-0/+761
| | | | | | | This does not add any additional warnings, it just increases coverage to bridge. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: nft removes required payload protocol expressionsFlorian Westphal2017-10-264-0/+144
| | | | | | | | | | | | | This test fails with 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22' ip protocol tcp tcp dport 22 is *ONLY* same as 'tcp dport 22' in the ip family. For netdev/inet/bridge, the dependency is required, as it restricts matching to ipv4. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test case that checks icmp6 in-ipv4Florian Westphal2017-10-262-0/+12
| | | | | | | | | | | | | nft does not handle this correctly. This test fails. In: inet input ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1 Out: meta l4proto 58 icmpv6 type destination-unreachable which loses the "ipv4" dependency, i.e. listing should show the rule as-is. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmpX: fix expected outputFlorian Westphal2017-10-262-2/+2
| | | | | | | | | | | both of these rules succeed, but they should fail instead. nft removes the ip6 nexthdr' clause, but this is not correct, it is an explicit test for the ipv6 nexthdr value. Implicit dependencies use meta l4proto to skip extension headers (if any), ipv6 nexthdr does not. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix harmess typo in table nameFlorian Westphal2017-10-262-3/+3
| | | | | | table name should be 'test-ip', not inet. Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: Get rid of explicit cache flushesPhil Sutter2017-10-269-21/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the past, CLI as a potentially long running process had to make sure it kept it's cache up to date with kernel's rule set. A simple test case is this: | shell a | shell b | | # nft -i | # nft add table ip t | | | nft> list ruleset | | table ip t { | | } | # nft flush ruleset | | | nft> list ruleset | | nft> In order to make sure interactive CLI wouldn't incorrectly list the table again in the second 'list' command, it immediately flushed it's cache after every command execution. This patch eliminates the need for that by making cache updates depend on kernel's generation ID: A cache update stores the current rule set's ID in struct nft_cache, consecutive calls to cache_update() compare that stored value to the current generation ID received from kernel - if the stored value is zero (i.e. no previous cache update did happen) or if it doesn't match the kernel's value (i.e. cache is outdated) the cache is flushed and fully initialized again. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 simplify initial SYNOPSIS lineDuncan Roe2017-10-241-52/+14
| | | | | | | | | In the style of tcpdump.8: where options have short and long forms, only show short form in synopsis but mention long form in description. Re-order option descriptions to match order in synopsis (move -N to just after -n). Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ prefix to everything exposed through include/nftables/nftables.hPablo Neira Ayuso2017-10-2413-66/+67
| | | | | | | | Prepend nft_ prefix before these are exposed, reduce chances we hit symbol namespace pollution problems when mixing libnftables with other existing libraries. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Introduce getters and setters for everythingPhil Sutter2017-10-245-21/+137
| | | | | | | | | | | | | | | | | | | | | | | | | This introduces getter/setter pairs for all parts in struct nft_ctx (and contained structs) which should be configurable. Most of them are simple ones, just allowing to get/set a given field: * nft_ctx_{get,set}_dry_run() -> ctx->check * nft_ctx_output_{get,set}_numeric() -> ctx->output.numeric * nft_ctx_output_{get,set}_stateless() -> ctx->output.stateless * nft_ctx_output_{get,set}_ip2name() -> ctx->output.ip2name * nft_ctx_output_{get,set}_debug() -> ctx->debug_mask * nft_ctx_output_{get,set}_handle() -> ctx->output.handle * nft_ctx_output_{get,set}_echo() -> ctx->output.echo A more complicated case is include paths handling: In order to keep the API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate nft_ctx field include_paths instead. So there is: * nft_ctx_add_include_path() -> add an include path to the list * nft_ctx_clear_include_paths() -> flush the list of include paths Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: Use nft_run_cmd_from_buffer()Phil Sutter2017-10-245-36/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make CLI code adhere to intended libnftables API by not open coding what nft_run_cmd_from_buffer() does. This way, nft_run() has no users outside of src/libnftables.c anymore and therefore can become static. Since nft_run_cmd_from_buffer() takes care of scanner initialization and libmnl socket passed to cli_init() is present as nft_ctx field as well, signature of cli_init() can be reduced to just take nft_ctx pointer as single argument. Note that this change introduces two (possibly unwanted) side-effects: * Input descriptor passed to scanner_push_buffer() is changed from the CLI-specific one to the one used by nft_run_cmd_from_buffer(). In practice though, this doesn't make a difference: input descriptor types INDESC_CLI and INDESC_BUFFER are treated equally by erec_print(). Also, scanner_push_buffer() NULLs input descriptor name, so that is not used at all in latter code. * Error messages are printed to stderr instead of cli_nft->output. This could be fixed by introducing an 'error_output' field in nft_ctx for nft_run_cmd_from_buffer() to use when printing error messages. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Introduce nft_ctx_flush_cache()Phil Sutter2017-10-243-4/+9
| | | | | | | | | | | | | | | | This allows an application to explicitly flush caches associated with a given nft context, as seen in cli_complete(). Note that this is a bit inconsistent in that it releases the global interface cache, but nft_ctx_free() does the same so at least it's not a regression. Note that there is no need for explicit cache update routine since cache is populated during command execution depending on whether it is needed or not. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Move library stuff out of main.cPhil Sutter2017-10-248-279/+328
| | | | | | | | This creates src/libnftables.c and include/nftables/nftables.h which will become the central elements of libnftables. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Fix for wrong argument passed to cache_release in nft_ctx_freePhil Sutter2017-10-201-2/+2
| | | | | | | | | nft_ctx_free() should not refer to the global 'nft' variable, this will break as soon as the function is moved away from main.c. In order to use the cache reference from passed argument, the latter must not be const. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: fix netlink debug flag when listing table/rulesFlorian Westphal2017-10-191-2/+2
| | | | | | | | | | | | | | | nft --debug=netlink list table ... has no effect anymore. Callers pass in debug_mask & DEBUG_NETLINK, which gets converted to 0/1 because the arg is a boolean. Later on this bool is converted back to an integer, but that won't have the desired result. Fixes: be441e1ffdc24 ("src: add debugging mask to context structure") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Use nftnl_expr_fprintf() in netlink_dump_expr()Phil Sutter2017-10-171-4/+2
| | | | | | | This gets rid of the temporary buffer. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix element addition to map with stateful objectPablo Neira Ayuso2017-10-171-3/+8
| | | | | | | | | | | | | | | Expressions with EXPR_F_INTERVAL_END flag set on have no right hand side, so they store no stateful object. Skip them so we don't crash on this. # nft add map x testmap { type inet_service: counter\; flags interval\;} # nft add counter x testcounter # nft add element x testmap { 0-100 : "testcounter" } Segmentation fault This patch also fixes the listing codepath. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1190 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 change "Native Address Translation" to "Network Address Translation"Duncan Roe2017-10-171-1/+1
| | | | | | | | | | A Google search for "Native Address Translation" found 1 entry (http://encyclopedia2.thefreedictionary.com/Native+address+translation) which redirects to .../Network+address+translation. All other matches are to entries about "Network Address Translation". Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for verdict maps.Varsha Rao2017-10-171-20/+0
| | | | | | | | Remove test cases for verdict maps. As they are already there in tests/shell file. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for table.Varsha Rao2017-10-171-9/+0
| | | | | | | | This patch removes test case for table. As test case for it is present in tests/shell file. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for chain.Varsha Rao2017-10-171-22/+0
| | | | | | | | Test cases for chain are there in tests/shell file. So, remove these testcases. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove test cases for variable definition.Varsha Rao2017-10-173-20/+0
| | | | | | | | New test cases for variable definition are added in tests/shell file. So, remove these test cases. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add tests for variable definition.Varsha Rao2017-10-173-0/+74
| | | | | | | This patch adds test cases for a variable definition and redefinition. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove tests for set.Varsha Rao2017-10-171-14/+0
| | | | | | | | This patch removes test case for set. As new test case is added to tests/shell file. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test case for sets.Varsha Rao2017-10-171-0/+17
| | | | | | | This patch adds test case for anonymous sets. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test case for jump chain.Varsha Rao2017-10-171-0/+11
| | | | | | | This patch adds test case for checking jump to non existing chain. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove jump chain tests.Varsha Rao2017-10-174-29/+0
| | | | | | | | | Tests for loop-detect 1, 2 and 3 are already there in tests/shell file. New test for loop-detect.4 has been added to tests/shell file. So, remove them. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcases for named limitsHarsha Sharma2017-10-171-0/+27
| | | | | | | | Add testcases for creating named limits and referencing them from rule Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Bump version to v0.8v0.8Pablo Neira Ayuso2017-10-101-3/+3
| | | | | | | | | Update libnftnl dependency up to latest (1.0.8). Dedicate this release to Joe Btfsplk [1], the world worst jinx. [1] https://en.wikipedia.org/wiki/Joe_Btfsplk#/media/File:Joe_Btfsplk_Excerpt.png Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 Document rule replaceDuncan Roe2017-10-091-0/+17
| | | | | | | Insert synopsis and description between those for add|insert and delete Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: make pointers in string arrays constantHarsha Sharma2017-10-094-8/+8
| | | | | | | | Static const char * array should be static const char * const array as per linux-kernel coding style. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: shell: update shell/run-tests.sh to refer to relative path of testcaseHarsha Sharma2017-10-091-1/+1
| | | | | | | | Refer to relative path for tests from any directory if path for testcases is specified. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: IPv4-Mapped IPv6 addresses supportPablo Neira Ayuso2017-10-091-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The scanner rejects IPv4-Mapped IPv6 addresses, eg. # cat test #!/usr/sbin/nft -f flush ruleset table inet global { set blackhole_ipv6 { type ipv6_addr flags interval elements = { ::ffff:0.0.0.0/96 } } } # nft -f test test:8:30-38: Error: syntax error, unexpected string, expecting comma or '}' elements = { ::ffff:0.0.0.0/96 } ^^^^^^^^^^ According to RFC4291, Sect. 2.5.5.2. IPv4-Mapped IPv6 Address: | 80 bits | 16 | 32 bits | +--------------------------------------+--------------------------+ |0000..............................0000|FFFF| IPv4 address | +--------------------------------------+----+---------------------+ Update scanner bits to parse this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1188 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: skip set element expression in set statement keyAnders K. Pedersen2017-10-0610-5/+112
| | | | | | | | | | | | | | | | | | | | Before this patch the following fails: # nft add rule ip6 filter x \ set add ip6 saddr . ip6 daddr @test nft: netlink_linearize.c:648: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. Aborted This is was previously fixed for flow statements in fbea4a6f4449 ("netlink_linearize: skip set element expression in flow table key"), and this patch implements the same change for set statements by using the set element key in netlink_gen_set_stmt(). nft-test.py is updated to support set types with concatenated data types in order to support testing of this. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 add chain synopsisDuncan Roe2017-10-061-2/+2
| | | | | | | | | | | | | | | | | The man page says this: > {add | create} chain [family] table chain [ { {type} {hook} [device] {priority} } [policy] ] But I suggest it should say this: > {add | create} chain [family] table chain [ { {type} {hook} [device] {priority ;} [policy ;] } ] i.e. the policy tuple should be inside the braces along with type, hook, device & priority. Also the device & priority tuples each need to be followed by a semicolon. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcases for named objectsHarsha Sharma2017-10-061-0/+41
| | | | | | | | Add testcases for creating named objects with unique name, defined by user and referencing them from rule. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: files: Remove old tests for chain rename.Varsha Rao2017-10-063-16/+0
| | | | | | | | These tests are not required as new test cases are added in tests/shell file. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add tests for chain rename.Varsha Rao2017-10-062-0/+22
| | | | | | | | This patch adds test cases for renaming chain with existing and non existing chains. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: shell: execute shell/run-tests.sh from any directoryHarsha Sharma2017-10-061-1/+1
| | | | | | | Update shell/run-tests.sh to refer /src/nft with a relative path Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* INSTALL: Update dependency list and configure with libxtables supportHarsha Sharma2017-10-061-0/+11
| | | | | | | | Add configure with libxtables in INSTALL and required dependencies for the same. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Fix debug outputPhil Sutter2017-10-065-18/+32
| | | | | | | | | | | | | | | | | | | When introducing output_fp, debug output in src/evaluate.c was not adjusted and therefore broke. This patch restores eval debug output by applying the following changes: - Change erec_print() and erec_print_list() to take a struct output_ctx pointer as first argument and use output_fp field as destination to print to. - Drop octx_debug_dummy variable and instead use octx pointer from struct eval_ctx for debug output. - Add missing calls to erec_destroy() in eval debug output which should eliminate another mem leak. Fixes: 2535ba7006f22 ("src: get rid of printf") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>