From 6fa0068c1e49e00ac3e83ad8398d451fb5d0a59d Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 13 Sep 2022 19:22:58 +0200
Subject: [PATCH 1/7] firewall/trivial: rename "shared"/"add" argument in firewall utils to "up"

(cherry picked from commit e185f7966d4e495578e8f8dec8077527e3c4fe34)
---
 src/core/nm-firewall-utils.c | 28 ++++++++++++++--------------
 src/core/nm-firewall-utils.h | 2 +-
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 1311f50399..1a9ca465be 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -171,7 +171,7 @@ _share_iptables_chain_add(const char *table, const char *chain)
 }
 
 static void
-_share_iptables_set_masquerade(gboolean add, const char *ip_iface, in_addr_t addr, guint8 plen)
+_share_iptables_set_masquerade(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
 char str_subnet[_SHARE_IPTABLES_SUBNET_TO_STR_LEN];
 gs_free char *comment_name = NULL;
@@ -182,7 +182,7 @@ _share_iptables_set_masquerade(gboolean add, const char *ip_iface, in_addr_t add
 _share_iptables_call("" IPTABLES_PATH "",
 "--table",
 "nat",
- add ? "--insert" : "--delete",
+ up ? "--insert" : "--delete",
 "POSTROUTING",
 "--source",
 str_subnet,
@@ -310,7 +310,7 @@ _share_iptables_set_shared_chains_delete(const char *chain_input, const char *ch
 }
 
 _nm_unused static void
-_share_iptables_set_shared(gboolean add, const char *ip_iface, in_addr_t addr, guint plen)
+_share_iptables_set_shared(gboolean up, const char *ip_iface, in_addr_t addr, guint plen)
 {
 gs_free char *comment_name = NULL;
 gs_free char *chain_input = NULL;
@@ -320,13 +320,13 @@ _share_iptables_set_shared(gboolean add, const char *ip_iface, in_addr_t addr, g
 chain_input = _share_iptables_get_name(TRUE, "nm-sh-in", ip_iface);
 chain_forward = _share_iptables_get_name(TRUE, "nm-sh-fw", ip_iface);
 
- if (add)
+ if (up)
 _share_iptables_set_shared_chains_add(chain_input, chain_forward, ip_iface, addr, plen);
 
 _share_iptables_call("" IPTABLES_PATH "",
 "--table",
 "filter",
- add ? "--insert" : "--delete",
+ up ? "--insert" : "--delete",
 "INPUT",
 "--in-interface",
 ip_iface,
@@ -340,7 +340,7 @@ _share_iptables_set_shared(gboolean add, const char *ip_iface, in_addr_t addr, g
 _share_iptables_call("" IPTABLES_PATH "",
 "--table",
 "filter",
- add ? "--insert" : "--delete",
+ up ? "--insert" : "--delete",
 "FORWARD",
 "--jump",
 chain_forward,
@@ -349,7 +349,7 @@ _share_iptables_set_shared(gboolean add, const char *ip_iface, in_addr_t addr, g
 "--comment",
 comment_name);
 
- if (!add)
+ if (!up)
 _share_iptables_set_shared_chains_delete(chain_input, chain_forward);
 }
 
@@ -599,7 +599,7 @@ _fw_nft_call_sync(GBytes *stdin_buf, GError **error)
 /*****************************************************************************/
 
 static void
-_fw_nft_set(gboolean add, const char *ip_iface, in_addr_t addr, guint8 plen)
+_fw_nft_set(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
 nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
 gs_unref_bytes GBytes *stdin_buf = NULL;
@@ -614,9 +614,9 @@ _fw_nft_set(gboolean add, const char *ip_iface, in_addr_t addr, guint8 plen)
 #define _append(p_strbuf, fmt, ...) nm_str_buf_append_printf((p_strbuf), "" fmt "\n", ##__VA_ARGS__)
 
 _append(&strbuf, "add table ip %s", table_name);
- _append(&strbuf, "%s table ip %s", add ? "flush" : "delete", table_name);
+ _append(&strbuf, "%s table ip %s", up ? "flush" : "delete", table_name);
 
- if (add) {
+ if (up) {
 _append(&strbuf,
 "add chain ip %s nat_postrouting {"
 " type nat hook postrouting priority 100; policy accept; "
@@ -720,15 +720,15 @@ nm_firewall_config_free(NMFirewallConfig *self)
 }
 
 void
-nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
+nm_firewall_config_apply(NMFirewallConfig *self, gboolean up)
 {
 switch (nm_firewall_utils_get_backend()) {
 case NM_FIREWALL_BACKEND_IPTABLES:
- _share_iptables_set_masquerade(shared, self->ip_iface, self->addr, self->plen);
- _share_iptables_set_shared(shared, self->ip_iface, self->addr, self->plen);
+ _share_iptables_set_masquerade(up, self->ip_iface, self->addr, self->plen);
+ _share_iptables_set_shared(up, self->ip_iface, self->addr, self->plen);
 break;
 case NM_FIREWALL_BACKEND_NFTABLES:
- _fw_nft_set(shared, self->ip_iface, self->addr, self->plen);
+ _fw_nft_set(up, self->ip_iface, self->addr, self->plen);
 break;
 case NM_FIREWALL_BACKEND_NONE:
 break;
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index 3d6c8a6962..7ef5222751 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -24,6 +24,6 @@ NMFirewallConfig *nm_firewall_config_new(const char *ip_iface, in_addr_t addr, g
 
 void nm_firewall_config_free(NMFirewallConfig *self);
 
-void nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared);
+void nm_firewall_config_apply(NMFirewallConfig *self, gboolean up);
 
 #endif /* __NM_FIREWALL_UTILS_H__ */
From bfb4452f7d785fec280161cb6c7b1eb2be9ef45a Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 13 Sep 2022 19:24:50 +0200
Subject: [PATCH 2/7] firewall/trivial: rename nm_firewall_config_new() to nm_firewall_config_new_shared()

(cherry picked from commit 7ad3fb195608bb868e8ece1aefce0773a7d12e79)
---
 src/core/devices/nm-device.c | 2 +-
 src/core/nm-firewall-utils.c | 6 +++---
 src/core/nm-firewall-utils.h | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 255d336909..921eb10ecd 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -12357,7 +12357,7 @@ _dev_ipshared4_start(NMDevice *self)
 goto out_fail;
 
 priv->ipshared_data_4.v4.firewall_config =
- nm_firewall_config_new(ip_iface, ip4_addr.address, ip4_addr.plen);
+ nm_firewall_config_new_shared(ip_iface, ip4_addr.address, ip4_addr.plen);
 nm_firewall_config_apply(priv->ipshared_data_4.v4.firewall_config, TRUE);
 
 priv->ipshared_data_4.v4.l3cd = nm_l3_config_data_ref(l3cd);
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 1a9ca465be..fa14350c22 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -599,7 +599,7 @@ _fw_nft_call_sync(GBytes *stdin_buf, GError **error)
 /*****************************************************************************/
 
 static void
-_fw_nft_set(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
+_fw_nft_set_shared(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
 nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
 gs_unref_bytes GBytes *stdin_buf = NULL;
@@ -692,7 +692,7 @@ struct _NMFirewallConfig {
 };
 
 NMFirewallConfig *
-nm_firewall_config_new(const char *ip_iface, in_addr_t addr, guint8 plen)
+nm_firewall_config_new_shared(const char *ip_iface, in_addr_t addr, guint8 plen)
 {
 NMFirewallConfig *self;
 
@@ -728,7 +728,7 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean up)
 _share_iptables_set_shared(up, self->ip_iface, self->addr, self->plen);
 break;
 case NM_FIREWALL_BACKEND_NFTABLES:
- _fw_nft_set(up, self->ip_iface, self->addr, self->plen);
+ _fw_nft_set_shared(up, self->ip_iface, self->addr, self->plen);
 break;
 case NM_FIREWALL_BACKEND_NONE:
 break;
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index 7ef5222751..16fe7bd6c6 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -20,7 +20,7 @@ NMFirewallBackend nm_firewall_utils_get_backend(void);
 
 typedef struct _NMFirewallConfig NMFirewallConfig;
 
-NMFirewallConfig *nm_firewall_config_new(const char *ip_iface, in_addr_t addr, guint8 plen);
+NMFirewallConfig *nm_firewall_config_new_shared(const char *ip_iface, in_addr_t addr, guint8 plen);
 
 void nm_firewall_config_free(NMFirewallConfig *self);
 
From bbf3d01e8296c28d69d0881198fd1bc5e9649918 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 13 Sep 2022 19:39:14 +0200
Subject: [PATCH 3/7] firewall: more renaming and splitting _fw_nft_set_shared()

Blocking calls are ugly. Rename those to have a "_sync()" suffix. Also, split from _fw_nft_set_shared() the part that constructs the stdin for nft.

(cherry picked from commit 7362ad626696408890e66d8c4e7f3a761cbe5815)
---
 src/core/nm-firewall-utils.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index fa14350c22..2ea53bd5ec 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -171,7 +171,7 @@ _share_iptables_chain_add(const char *table, const char *chain)
 }
 
 static void
-_share_iptables_set_masquerade(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
+_share_iptables_set_masquerade_sync(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
 char str_subnet[_SHARE_IPTABLES_SUBNET_TO_STR_LEN];
 gs_free char *comment_name = NULL;
@@ -309,8 +309,8 @@ _share_iptables_set_shared_chains_delete(const char *chain_input, const char *ch
 _share_iptables_chain_delete("filter", chain_forward);
 }
 
-_nm_unused static void
-_share_iptables_set_shared(gboolean up, const char *ip_iface, in_addr_t addr, guint plen)
+static void
+_share_iptables_set_shared_sync(gboolean up, const char *ip_iface, in_addr_t addr, guint plen)
 {
 gs_free char *comment_name = NULL;
 gs_free char *chain_input = NULL;
@@ -598,11 +598,10 @@ _fw_nft_call_sync(GBytes *stdin_buf, GError **error)
 
 /*****************************************************************************/
 
-static void
-_fw_nft_set_shared(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
+static GBytes *
+_fw_nft_set_shared_construct(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
 nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
- gs_unref_bytes GBytes *stdin_buf = NULL;
 gs_free char *table_name = NULL;
 gs_free char *ss1 = NULL;
 char str_subnet[_SHARE_IPTABLES_SUBNET_TO_STR_LEN];
@@ -679,8 +678,7 @@ _fw_nft_set_shared(gboolean up, const char *ip_iface, in_addr_t addr, guint8 ple
 NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL,
 &ss1));
 
- stdin_buf = nm_str_buf_finalize_to_gbytes(&strbuf);
- _fw_nft_call_sync(stdin_buf, NULL);
+ return nm_str_buf_finalize_to_gbytes(&strbuf);
 }
 
 /*****************************************************************************/
@@ -724,12 +722,17 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean up)
 {
 switch (nm_firewall_utils_get_backend()) {
 case NM_FIREWALL_BACKEND_IPTABLES:
- _share_iptables_set_masquerade(up, self->ip_iface, self->addr, self->plen);
- _share_iptables_set_shared(up, self->ip_iface, self->addr, self->plen);
+ _share_iptables_set_masquerade_sync(up, self->ip_iface, self->addr, self->plen);
+ _share_iptables_set_shared_sync(up, self->ip_iface, self->addr, self->plen);
 break;
 case NM_FIREWALL_BACKEND_NFTABLES:
- _fw_nft_set_shared(up, self->ip_iface, self->addr, self->plen);
+ {
+ gs_unref_bytes GBytes *stdin_buf = NULL;
+
+ stdin_buf = _fw_nft_set_shared_construct(up, self->ip_iface, self->addr, self->plen);
+ _fw_nft_call_sync(stdin_buf, NULL);
 break;
+ }
 case NM_FIREWALL_BACKEND_NONE:
 break;
 default:
From 558bcd5aae51330cd7ec778b9d973f5fc1657ec1 Mon Sep 17 00:00:00 2001
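Review bot: `_fw_nft_set_shared_construct()` now hands a GBytes back to its caller, but the new signature carries no comment saying who owns it; the caller in nm_firewall_config_apply() storing the result in a gs_unref_bytes variable implies a full transfer, and that contract belongs at the definition, e.g. `/* Build the nft batch that brings the shared-network rules for @ip_iface up (or removes them). Returns: (transfer full) the script to feed on stdin to _fw_nft_call_sync(). */`. The function body continues past the end of this hunk.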
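Review bot: In the new NM_FIREWALL_BACKEND_NFTABLES block, `_fw_nft_call_sync(stdin_buf, NULL)` asks for no GError and drops the gboolean it returns, so nm_firewall_config_apply() gives its caller no sign when the nft batch that installs (or, with up=FALSE, removes) the shared-network rules did not run. The removed `_fw_nft_set_shared()` behaved the same, so this is carried over rather than introduced here, but the call now sits directly in the public apply routine, which is where a caller would expect the outcome to surface. Whether `_fw_nft_call_sync()` logs failures itself is not visible in this hunk; if it does not, `if (!_fw_nft_call_sync(stdin_buf, NULL)) nm_log_warn(LOGD_SHARING, "firewall: nft: applying shared rules on %s failed", self->ip_iface);` would at least record that the firewall state may not match what was requested. If best-effort is intentional, a one-line comment saying so would spare the next reader the same question.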
From: Thomas Haller
Date: Tue, 13 Sep 2022 20:18:35 +0200
Subject: [PATCH 4/7] firewall/trivial: rename nm_firewall_config_apply() to nm_firewall_config_apply_sync()

Sync/blocking methods are ugly. Their name should highlight this. Also, we may have an async variant, so we will need the "good" name for apply() and apply_finish().

(cherry picked from commit dc66fb7d04514166c890737a5396f6cc1faa470d)
---
 src/core/devices/nm-device.c | 4 ++--
 src/core/nm-firewall-utils.c | 4 +++-
 src/core/nm-firewall-utils.h | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 921eb10ecd..08b7c01ac1 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -12210,7 +12210,7 @@ _dev_ipsharedx_cleanup(NMDevice *self, int addr_family)
 }
 
 if (priv->ipshared_data_4.v4.firewall_config) {
- nm_firewall_config_apply(priv->ipshared_data_4.v4.firewall_config, FALSE);
+ nm_firewall_config_apply_sync(priv->ipshared_data_4.v4.firewall_config, FALSE);
 nm_clear_pointer(&priv->ipshared_data_4.v4.firewall_config, nm_firewall_config_free);
 }
 
@@ -12358,7 +12358,7 @@ _dev_ipshared4_start(NMDevice *self)
 
 priv->ipshared_data_4.v4.firewall_config =
 nm_firewall_config_new_shared(ip_iface, ip4_addr.address, ip4_addr.plen);
- nm_firewall_config_apply(priv->ipshared_data_4.v4.firewall_config, TRUE);
+ nm_firewall_config_apply_sync(priv->ipshared_data_4.v4.firewall_config, TRUE);
 
 priv->ipshared_data_4.v4.l3cd = nm_l3_config_data_ref(l3cd);
 _dev_l3_register_l3cds_set_one(self, L3_CONFIG_DATA_TYPE_SHARED_4, l3cd, FALSE);
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 2ea53bd5ec..65aacb1feb 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -717,8 +717,10 @@ nm_firewall_config_free(NMFirewallConfig *self)
 nm_g_slice_free(self);
 }
 
+/*****************************************************************************/
+
 void
-nm_firewall_config_apply(NMFirewallConfig *self, gboolean up)
+nm_firewall_config_apply_sync(NMFirewallConfig *self, gboolean up)
 {
 switch (nm_firewall_utils_get_backend()) {
 case NM_FIREWALL_BACKEND_IPTABLES:
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index 16fe7bd6c6..95fda89008 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -24,6 +24,6 @@ NMFirewallConfig *nm_firewall_config_new_shared(const char *ip_iface, in_addr_t
 
 void nm_firewall_config_free(NMFirewallConfig *self);
 
-void nm_firewall_config_apply(NMFirewallConfig *self, gboolean up);
+void nm_firewall_config_apply_sync(NMFirewallConfig *self, gboolean up);
 
 #endif /* __NM_FIREWALL_UTILS_H__ */
From 49ae45f83897a22f1b1e22787c34a808ccb095a9 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Wed, 14 Sep 2022 12:56:29 +0200
Subject: [PATCH 5/7] firewall-utils: move _append() macro to be used by other places

(cherry picked from commit 0a0c197916a015ec9872f8eaf22ed1e8fb6ffbf0)
---
 src/core/nm-firewall-utils.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 65aacb1feb..ec443278b2 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -598,6 +598,8 @@ _fw_nft_call_sync(GBytes *stdin_buf, GError **error)
 
 /*****************************************************************************/
 
+#define _append(p_strbuf, fmt, ...) nm_str_buf_append_printf((p_strbuf), "" fmt "\n", ##__VA_ARGS__)
+
 static GBytes *
 _fw_nft_set_shared_construct(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
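Review bot: `_append` becomes a file-scope macro with a generic name and no comment, precisely so that other call sites can start using it; a reader meeting it elsewhere in the file would be helped by `/* Append one newline-terminated nft command to the NMStrBuf at @p_strbuf. */` above the define. A name carrying its domain, such as `_nft_append`, would also keep it from colliding with a later helper of the same name, though that rename is optional.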
@@ -610,8 +612,6 @@ _fw_nft_set_shared_construct(gboolean up, const char *ip_iface, in_addr_t addr,
 
 _share_iptables_subnet_to_str(str_subnet, addr, plen);
 
-#define _append(p_strbuf, fmt, ...) nm_str_buf_append_printf((p_strbuf), "" fmt "\n", ##__VA_ARGS__)
-
 _append(&strbuf, "add table ip %s", table_name);
 _append(&strbuf, "%s table ip %s", up ? "flush" : "delete", table_name);
 
@@ -630,16 +630,15 @@ _fw_nft_set_shared_construct(gboolean up, const char *ip_iface, in_addr_t addr,
 /* This filter_input chain serves no real purpose, because "accept" only stops
 * evaluation of the current rule. It cannot fully accept the packet. Since
 * this chain has no other rules, it is useless in this form.
+ *
+ * _append(&strbuf,
+ * "add chain ip %s filter_input {"
+ * " type filter hook input priority 0; policy accept; "
+ * "};",
+ * table_name);
+ * _append(&strbuf, "add rule ip %s filter_input tcp dport { 67, 53 } accept;", table_name);
+ * _append(&strbuf, "add rule ip %s filter_input udp dport { 67, 53 } accept;", table_name);
 */
- /*
- _append(&strbuf,
- "add chain ip %s filter_input {"
- " type filter hook input priority 0; policy accept; "
- "};",
- table_name);
- _append(&strbuf, "add rule ip %s filter_input tcp dport { 67, 53 } accept;", table_name);
- _append(&strbuf, "add rule ip %s filter_input udp dport { 67, 53 } accept;", table_name);
- */
 
 _append(&strbuf,
 "add chain ip %s filter_forward {"
From 07c519c37f35bac1aa6e36f45a83fdede44e4dfd Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Thu, 15 Sep 2022 08:56:19 +0200
Subject: [PATCH 6/7] firewall: expose nm_firewall_nft_call() in header file

(cherry picked from commit cfeecbedffb8840d3e3cad5affe0273e31d9e9a5)
---
 src/core/nm-firewall-utils.c | 27 +++++++++++++++------------
 src/core/nm-firewall-utils.h | 9 +++++++++
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index ec443278b2..4ada350cd9 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -111,6 +111,8 @@ _share_iptables_get_name(gboolean is_iptables_chain, const char *prefix, const c
 return nm_str_buf_finalize(&strbuf, NULL);
 }
 
+/*****************************************************************************/
+
 static gboolean
 _share_iptables_call_v(const char *const *argv)
 {
@@ -486,11 +488,11 @@ _fw_nft_call_timeout_cb(gpointer user_data)
 return G_SOURCE_CONTINUE;
 }
 
-static void
-_fw_nft_call(GBytes *stdin_buf,
- GCancellable *cancellable,
- GAsyncReadyCallback callback,
- gpointer callback_user_data)
+void
+nm_firewall_nft_call(GBytes *stdin_buf,
+ GCancellable *cancellable,
+ GAsyncReadyCallback callback,
+ gpointer callback_user_data)
 {
 gs_unref_object GSubprocessLauncher *subprocess_launcher = NULL;
 gs_free_error GError *error = NULL;
@@ -498,8 +500,9 @@ _fw_nft_call(GBytes *stdin_buf,
 
 call_data = g_slice_new(FwNftCallData);
 *call_data = (FwNftCallData){
- .task = nm_g_task_new(NULL, cancellable, _fw_nft_call, callback, callback_user_data),
- .subprocess = NULL,
+ .task =
+ nm_g_task_new(NULL, cancellable, nm_firewall_nft_call, callback, callback_user_data),
+ .subprocess = NULL,
 .timeout_source = NULL,
 };
 
@@ -554,10 +557,10 @@ _fw_nft_call(GBytes *stdin_buf,
 g_task_get_context(call_data->task));
 }
 
-static gboolean
-_fw_nft_call_finish(GAsyncResult *result, GError **error)
+gboolean
+nm_firewall_nft_call_finish(GAsyncResult *result, GError **error)
 {
- g_return_val_if_fail(nm_g_task_is_valid(result, NULL, _fw_nft_call), FALSE);
+ g_return_val_if_fail(nm_g_task_is_valid(result, NULL, nm_firewall_nft_call), FALSE);
 
 return g_task_propagate_boolean(G_TASK(result), error);
 }
@@ -575,7 +578,7 @@ _fw_nft_call_sync_done(GObject *source, GAsyncResult *result, gpointer user_data
 {
 FwNftCallSyncData *data = user_data;
 
- data->success = _fw_nft_call_finish(result, data->error);
+ data->success = nm_firewall_nft_call_finish(result, data->error);
 g_main_loop_quit(data->loop);
 }
 
@@ -590,7 +593,7 @@ _fw_nft_call_sync(GBytes *stdin_buf, GError **error)
 .error = error,
 };
 
- _fw_nft_call(stdin_buf, NULL, _fw_nft_call_sync_done, &data);
+ nm_firewall_nft_call(stdin_buf, NULL, _fw_nft_call_sync_done, &data);
 g_main_loop_run(main_loop);
 
 return data.success;
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index 95fda89008..9d883fea7b 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -26,4 +26,13 @@ void nm_firewall_config_free(NMFirewallConfig *self);
 
 void nm_firewall_config_apply_sync(NMFirewallConfig *self, gboolean up);
 
+/*****************************************************************************/
+
+void nm_firewall_nft_call(GBytes *stdin_buf,
+ GCancellable *cancellable,
+ GAsyncReadyCallback callback,
+ gpointer callback_user_data);
+
+gboolean nm_firewall_nft_call_finish(GAsyncResult *result, GError **error);
+
 #endif /* __NM_FIREWALL_UTILS_H__ */
From 8139b2758461146182a2e5e99e2785d4d76b4771 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Thu, 15 Sep 2022 09:06:58 +0200
Subject: [PATCH 7/7] firewall: move logging stdin argument to nft call

(cherry picked from commit b74e2cbfaa3eb93765b431612a10d95cb4b04104)
---
 src/core/nm-firewall-utils.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 4ada350cd9..3752928d94 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -497,6 +497,7 @@ nm_firewall_nft_call(GBytes *stdin_buf,
 gs_unref_object GSubprocessLauncher *subprocess_launcher = NULL;
 gs_free_error GError *error = NULL;
 FwNftCallData *call_data;
+ gs_free char *ss1 = NULL;
 
 call_data = g_slice_new(FwNftCallData);
 *call_data = (FwNftCallData){
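Review bot: The newly exported nm_firewall_nft_call() and nm_firewall_nft_call_finish() declarations carry no documentation, although they are now the header's only asynchronous entry points. A doc comment on nm_firewall_nft_call() should state that @stdin_buf is the complete nft batch fed to the subprocess on stdin, that @cancellable may be NULL (the in-file `_fw_nft_call_sync()` passes NULL), that @callback must collect the outcome through nm_firewall_nft_call_finish(), and that the finish function's gboolean and GError report whether the batch ran. Whether the call takes its own reference on @stdin_buf or expects the caller to keep it alive is not visible in these hunks and should be spelled out once checked against the .c file.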
@@ -506,6 +507,12 @@ nm_firewall_nft_call(GBytes *stdin_buf,
 .timeout_source = NULL,
 };
 
+ nm_log_trace(LOGD_SHARING,
+ "firewall: nft: call command: [ '%s' ]",
+ nm_utils_buf_utf8safe_escape_bytes(stdin_buf,
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL,
+ &ss1));
+
 if (cancellable) {
 call_data->cancellable_id = g_cancellable_connect(cancellable,
 G_CALLBACK(_fw_nft_call_cancelled_cb),
@@ -608,7 +615,6 @@ _fw_nft_set_shared_construct(gboolean up, const char *ip_iface, in_addr_t addr,
 {
 nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
 gs_free char *table_name = NULL;
- gs_free char *ss1 = NULL;
 char str_subnet[_SHARE_IPTABLES_SUBNET_TO_STR_LEN];
 
 table_name = _share_iptables_get_name(FALSE, "nm-shared", ip_iface);
@@ -674,12 +680,6 @@ _fw_nft_set_shared_construct(gboolean up, const char *ip_iface, in_addr_t addr,
 ip_iface);
 }
 
- nm_log_trace(LOGD_SHARING,
- "firewall: nft command: [ %s ]",
- nm_utils_str_utf8safe_escape(nm_str_buf_get_str(&strbuf),
- NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL,
- &ss1));
-
 return nm_str_buf_finalize_to_gbytes(&strbuf);
 }