qubes-firewall: Suppress extraneous conntrack output

conntrack generally prints a status message to stderr before exiting, which interferes with listing connections. Output from dropping connections was unused. Fixes QubesOS/qubes-issues#9760
QubesOS · Feb 12, 2025 · d8fb353 · d8fb353
1 parent c534919
commit d8fb353
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
@@ -183,16 +183,16 @@ def list_targets(self):
     def conntrack_drop(self, src, con):
         subprocess.run(['conntrack', '-D', '--src', src, '--dst', con[1],
                         '--proto', con[0], '--dport', con[2]],
-                       stdout=subprocess.PIPE,
-                       stderr=subprocess.STDOUT)
+                       stdout=subprocess.DEVNULL,
+                       stderr=subprocess.DEVNULL)
 
     def conntrack_get_connections(self, family, source):
         connections = set()
 
         with subprocess.Popen(['conntrack', '-L',
                                '--family', f'ipv{family}', '--src', source],
                              stdout=subprocess.PIPE,
-                             stderr=subprocess.STDOUT) as p:
+                             stderr=subprocess.DEVNULL) as p:
             while True:
                 line = p.stdout.readline()
                 if not line: