authorBeniamino Galvani <bgalvani@redhat.com>2016-01-23 10:04:26 +0100
committerBeniamino Galvani <bgalvani@redhat.com>2016-01-23 10:04:26 +0100
commit0ba500d13174e103e3d35ce6a278928f874b7d9a (patch)
treeb294324d8d528d03000c877b9e6d4cc3875ecfe3
parentba24a127398310ccfe8ac2bc4a207805d3bb9818 (diff)
parente3a6ba6756620b5ed64459141567dd7a760e2c30 (diff)
downloadNetworkManager-0ba500d13174e103e3d35ce6a278928f874b7d9a.tar.gz
core: merge branch 'bg/iptables-sharing-rules-bgo692673'
Remove iptables rules for connection sharing upon termination to avoid the presence of duplicate rules when NM is restarted. https://bugzilla.gnome.org/show_bug.cgi?id=692673
-rw-r--r--src/devices/nm-device.c18
-rw-r--r--src/nm-activation-request.c2
-rw-r--r--src/nm-manager.c2
3 files changed, 12 insertions, 10 deletions
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 2b4dc1eda5..e843b9b7f4 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -6636,16 +6636,16 @@ start_sharing (NMDevice *self, NMIP4Config *config)
req = nm_device_get_act_request (self);
g_assert (req);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 53 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 53 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 67 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 67 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "FORWARD --in-interface %s --jump REJECT", ip_iface);
- add_share_rule (req, "filter", "FORWARD --out-interface %s --jump REJECT", ip_iface);
- add_share_rule (req, "filter", "FORWARD --in-interface %s --out-interface %s --jump ACCEPT", ip_iface, ip_iface);
- add_share_rule (req, "filter", "FORWARD --source %s/%s --in-interface %s --jump ACCEPT", str_addr, str_mask, ip_iface);
- add_share_rule (req, "filter", "FORWARD --destination %s/%s --out-interface %s --match state --state ESTABLISHED,RELATED --jump ACCEPT", str_addr, str_mask, ip_iface);
add_share_rule (req, "nat", "POSTROUTING --source %s/%s ! --destination %s/%s --jump MASQUERADE", str_addr, str_mask, str_addr, str_mask);
+ add_share_rule (req, "filter", "FORWARD --destination %s/%s --out-interface %s --match state --state ESTABLISHED,RELATED --jump ACCEPT", str_addr, str_mask, ip_iface);
+ add_share_rule (req, "filter", "FORWARD --source %s/%s --in-interface %s --jump ACCEPT", str_addr, str_mask, ip_iface);
+ add_share_rule (req, "filter", "FORWARD --in-interface %s --out-interface %s --jump ACCEPT", ip_iface, ip_iface);
+ add_share_rule (req, "filter", "FORWARD --out-interface %s --jump REJECT", ip_iface);
+ add_share_rule (req, "filter", "FORWARD --in-interface %s --jump REJECT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 67 --jump ACCEPT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 67 --jump ACCEPT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 53 --jump ACCEPT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 53 --jump ACCEPT", ip_iface);
nm_act_request_set_shared (req, TRUE);
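Review bot: The reversed call order in start_sharing is only correct because nm_act_request_add_share_rule now prepends (the g_slist_prepend hunk in src/nm-activation-request.c), and neither place documents that coupling. The relative position of the FORWARD ACCEPT and REJECT rules decides which traffic gets forwarded, so a rule later added at the "natural" end of this block would be stored ahead of the others; how the list is then applied is not visible here, but presumably its order is significant. I would add a comment above the first call, e.g. `/* add_share_rule() prepends to the list: keep these calls in reverse of the stored rule order */`, and a matching sentence in the doc comment of nm_act_request_add_share_rule. start_sharing begins and ends outside this hunk.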
diff --git a/src/nm-activation-request.c b/src/nm-activation-request.c
index 30e98fcacb..04a39dba8b 100644
--- a/src/nm-activation-request.c
+++ b/src/nm-activation-request.c
@@ -346,7 +346,7 @@ nm_act_request_add_share_rule (NMActRequest *req,
rule = g_malloc0 (sizeof (ShareRule));
rule->table = g_strdup (table);
rule->rule = g_strdup (table_rule);
- priv->share_rules = g_slist_append (priv->share_rules, rule);
+ priv->share_rules = g_slist_prepend (priv->share_rules, rule);
}
/********************************************************************/
diff --git a/src/nm-manager.c b/src/nm-manager.c
index c2b4e531ab..f647c8f9e4 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -4418,6 +4418,8 @@ nm_manager_stop (NMManager *self)
/* Remove all devices */
while (priv->devices)
remove_device (self, NM_DEVICE (priv->devices->data), TRUE, TRUE);
+
+ _active_connection_cleanup (self);
}
static gboolean
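Review bot: The new `_active_connection_cleanup (self);` call in nm_manager_stop has no comment explaining why it must run here, after the device-removal loop. Going by the commit description it is what releases the sharing iptables rules before exit, but that link is not visible in the hunk, and the call could easily be dropped as redundant in a later cleanup. I would add `/* Dispose of the active connections now so their sharing iptables rules are removed before we exit */` above it. This path covers an orderly stop only: if the daemon is killed or crashes, the ACCEPT and MASQUERADE rules presumably stay installed and the duplicates reappear on restart, which is worth stating in the comment or handling at startup. The start of nm_manager_stop lies outside the hunk.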