nwfilter: plug memory leak with firewall

Introduced in commit 70571ccc (v1.2.4). Caught by valgrind:

==9816== 170 (32 direct, 138 indirect) bytes in 1 blocks are definitely lost in loss record 646 of 821
==9816==    at 0x4A081D4: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9816==    by 0x50836FB: virAlloc (viralloc.c:144)
==9816==    by 0x50AEC2B: virFirewallNew (virfirewall.c:204)
==9816==    by 0x1E2308ED: ebiptablesDriverProbeStateMatch (nwfilter_ebiptables_driver.c:3715)
==9816==    by 0x1E2309AD: ebiptablesDriverInit (nwfilter_ebiptables_driver.c:3742)

* src/nwfilter/nwfilter_ebiptables_driver.c
(ebiptablesDriverProbeStateMatch): Properly clean up.

Signed-off-by: Eric Blake <eblake@redhat.com>

src/nwfilter/nwfilter_ebiptables_driver.c

@@ -3713,6 +3713,7 @@ ebiptablesDriverProbeStateMatch(void)
 {
     unsigned long version;
     virFirewallPtr fw = virFirewallNew();
+    int ret = -1;
 
     virFirewallStartTransaction(fw, 0);
     virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
@@ -3720,7 +3721,7 @@ ebiptablesDriverProbeStateMatch(void)
                            "--version", NULL);
 
     if (virFirewallApply(fw) < 0)
-        return -1;
+        goto cleanup;
 
     /*
      * since version 1.4.16 '-m state --state ...' will be converted to
@@ -3729,7 +3730,10 @@ ebiptablesDriverProbeStateMatch(void)
     if (version >= 1 * 1000000 + 4 * 1000 + 16)
         newMatchState = true;
 
-    return 0;
+    ret = 0;
+ cleanup:
+    virFirewallFree(fw);
+    return ret;
 }
 
 static int