From d8fb35347b3439a7b02f0014e38b9bcd1a4a186b Mon Sep 17 00:00:00 2001
From: Corey Ford
Date: Wed, 12 Feb 2025 16:22:34 +0100
Subject: [PATCH] qubes-firewall: Suppress extraneous conntrack output conntrack generally prints a status message to stderr before exiting, which interferes with listing connections. Output from dropping connections was unused. Fixes QubesOS/qubes-issues#9760
---
 qubesagent/firewall.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 7c318453..1e85b5b6 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -183,8 +183,8 @@ def list_targets(self):
 def conntrack_drop(self, src, con):
 subprocess.run(['conntrack', '-D', '--src', src, '--dst', con[1], '--proto', con[0], '--dport', con[2]],
- stdout=subprocess.PIPE,
- stderr=subprocess.STDOUT)
+ stdout=subprocess.DEVNULL,
+ stderr=subprocess.DEVNULL)
 def conntrack_get_connections(self, family, source):
 connections = set()
@@ -192,7 +192,7 @@ def conntrack_get_connections(self, family, source):
 with subprocess.Popen(['conntrack', '-L', '--family', f'ipv{family}', '--src', source], stdout=subprocess.PIPE,
- stderr=subprocess.STDOUT) as p:
+ stderr=subprocess.DEVNULL) as p:
 while True:
 line = p.stdout.readline()
 if not line:
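Review bot: In `conntrack_drop`, pointing both streams at `subprocess.DEVNULL` while the result of `subprocess.run` is still ignored means a drop that did not happen leaves no trace, so a connection the caller wanted gone (presumably one the updated rules no longer permit) can stay established with nothing logged. As far as I know conntrack also exits non-zero when it simply found nothing to delete, so `check=True` would be too strict; keeping `stderr=subprocess.PIPE`, binding the result, and logging its `stderr` when `returncode != 0` keeps the diagnostic available. The second hunk has the same gap in `conntrack_get_connections`: with stderr discarded, a failed `conntrack -L` is indistinguishable from an empty connection list unless `p.returncode` is checked after the `with` block. That function's body continues past the end of the hunk, so such a check may already exist there.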