diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index ac2802095e..f739259375 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2352,6 +2352,7 @@ virFirewallRuleAddArgFormat;
 virFirewallRuleAddArgList;
 virFirewallRuleAddArgSet;
 virFirewallRuleGetArgCount;
+virFirewallRuleToString;
 virFirewallStartRollback;
 virFirewallStartTransaction;
 
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 0a9ba9ad5c..247430be2e 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -461,14 +461,14 @@ void virFirewallStartRollback(virFirewall *firewall,
 }
 
 
-static char *
-virFirewallRuleToString(virFirewallRule *rule)
+char *
+virFirewallRuleToString(const char *cmd,
+                        virFirewallRule *rule)
 {
-    const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
     g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
     size_t i;
 
-    virBufferAdd(&buf, bin, -1);
+    virBufferAdd(&buf, cmd, -1);
     for (i = 0; i < rule->argsLen; i++) {
         virBufferAddLit(&buf, " ");
         virBufferAdd(&buf, rule->args[i], -1);
@@ -477,6 +477,7 @@ virFirewallRuleToString(virFirewallRule *rule)
     return virBufferContentAndReset(&buf);
 }
 
+
 static int
 virFirewallApplyRuleDirect(virFirewallRule *rule,
                            bool ignoreErrors,
@@ -529,8 +530,10 @@ virFirewallApplyRule(virFirewall *firewall,
                      bool ignoreErrors)
 {
     g_autofree char *output = NULL;
-    g_autofree char *str = virFirewallRuleToString(rule);
     g_auto(GStrv) lines = NULL;
+    g_autofree char *str
+        = virFirewallRuleToString(virFirewallLayerCommandTypeToString(rule->layer), rule);
+
     VIR_INFO("Applying rule '%s'", NULLSTR(str));
 
     if (rule->ignoreErrors)
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 7448825dbc..187748b2bf 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -89,6 +89,9 @@ void virFirewallRuleAddArgList(virFirewall *firewall,
 
 size_t virFirewallRuleGetArgCount(virFirewallRule *rule);
 
+char *virFirewallRuleToString(const char *cmd,
+                              virFirewallRule *rule);
+
 typedef enum {
     /* Ignore all errors when applying rules, so no
      * rollback block will be required */