[gentoo-user] Strange behaviour of iptables
From: Matthias Hanft @ 2025-01-01 17:33 UTC
To: gentoo-user
Hi,
when I call
/usr/bin/iptables -L COUNT -n -v -x -w
from bash, everything works well - as it did for years.
When I call the same command from PHP:
exec("/usr/bin/iptables -L COUNT -n -v -x -w", $iptables);
I get (since this month) the message
iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
Try `iptables -h' or 'iptables --help' for more information.
I think it has to do with "xtables-legacy-multi" (which is the
only entry of "eselect iptables list" and the softlink target
for all iptables* commands).
When I remove '-n' from the command line, the error message
changes to
iptables v1.8.11 (legacy): Illegal option `--exact' with this command
Try `iptables -h' or 'iptables --help' for more information.
So it seems that I can't use any parameters at all any more -
from PHP.
What's the trick to get this working again?
Thanks,
-Matt
Re: [gentoo-user] Strange behaviour of iptables
From: Matt Connell @ 2025-01-02 4:34 UTC
To: gentoo-user
On Wed, 2025-01-01 at 18:33 +0100, Matthias Hanft wrote:
>
> So it seems that I can't use any parameters at all any more -
> from PHP.
>
> What's the trick to get this working again?
Hmm. I can't replicate this failure. Using both `php -a` and foo.php,
I get expected results. (I'm using the INPUT chain because that's what
I have with real rules.)
---
php > exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
php > var_dump($iptables);
array(37) {
[0]=>
string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
...
...
---
$ cat foo.php
<?php
exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
var_dump($iptables);
$ php foo.php
array(37) {
[0]=>
string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
...
...
---
I noticed that your path to iptables is in /usr/bin/, but `which` on my
system says /sbin/. Are you running this as root? What version of PHP
are you using?
Re: [gentoo-user] Strange behaviour of iptables
From: Matthias Hanft @ 2025-01-02 8:13 UTC
To: gentoo-user
Matt Connell wrote:
>
> I noticed that your path to iptables is in /usr/bin/, but `which` on my
> system says /sbin/. Are you running this as root? What version of PHP
> are you using?
Yes, everything is run as root. Indeed I had /sbin/iptables in my PHP script.
Getting this error, I tried "which iptables" in a root bash which showed
/usr/bin/iptables. So I changed this (and even to "/usr/bin/iptables-legacy",
but with no effect, presumably because of...
n ~ # ls -l /sbin/iptables
lrwxrwxrwx 1 root root 20 Apr 18 2024 /sbin/iptables -> xtables-legacy-multi
n ~ # ls -l /usr/bin/iptables
lrwxrwxrwx 1 root root 20 Apr 18 2024 /usr/bin/iptables -> xtables-legacy-multi
n ~ # ls -l /usr/bin/iptables-legacy
lrwxrwxrwx 1 root root 20 Dec 21 09:30 /usr/bin/iptables-legacy -> xtables-legacy-multi
So everything seems to call "xtables-legacy-multi" anyway.
Your "foo.php" does run here, too. I wonder what's the difference?! PHP is 8.2.24.
The only difference is that my "exec" is in a class method in a PHP file
which is included by "require_once". And it has worked for years... don't
know exactly when it got broken ("cron @monthly" to count monthly IP traffic).
-Matt
Re: [gentoo-user] Strange behaviour of iptables
From: Alexis @ 2025-01-02 9:33 UTC
To: gentoo-user
Matthias Hanft <mh@hanft.de> writes:
> Yes, everything is run as root. Indeed I had /sbin/iptables in my PHP script.
> Getting this error, I tried "which iptables" in a root bash which showed
> /usr/bin/iptables. So I changed this (and even to "/usr/bin/iptables-legacy",
> but with no effect, presumably because of...
>
> n ~ # ls -l /sbin/iptables
> lrwxrwxrwx 1 root root 20 Apr 18 2024 /sbin/iptables -> xtables-legacy-multi
> n ~ # ls -l /usr/bin/iptables
> lrwxrwxrwx 1 root root 20 Apr 18 2024 /usr/bin/iptables -> xtables-legacy-multi
> n ~ # ls -l /usr/bin/iptables-legacy
> lrwxrwxrwx 1 root root 20 Dec 21 09:30 /usr/bin/iptables-legacy -> xtables-legacy-multi
>
> So everything seems to call "xtables-legacy-multi" anyway.
Running `xtables-legacy-multi` without any arguments produces
output stating that it requires a subcommand,
e.g. `xtables-legacy-multi iptables-legacy`. Running _that_
results in:
```
iptables v1.8.11 (legacy): no command specified
Try `iptables -h' or 'iptables --help' for more information.
```
So what happens if you instead do:
```
exec("/usr/bin/xtables-legacy-multi iptables-legacy -L COUNT -n -v -x -w", $iptables);
```
?
Alexis.
Re: [gentoo-user] Strange behaviour of iptables
From: Matt Connell @ 2025-01-02 19:25 UTC
To: gentoo-user
On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
> Your "foo.php" does run here, too. I wonder what's the difference?!
> PHP is 8.2.24.
Same PHP version here.
> The only difference is that my "exec" is in a class method in a PHP
> file which is included by "require_once". And it has worked for
> years...
Can you paste your exec method? I've never tried overriding
(overloading?) a built-in method in this way, I'm a little surprised it
works as well as you say. Then again I've always used shell_exec so...
Re: [gentoo-user] Strange behaviour of iptables
From: Ro Bra @ 2025-01-02 23:00 UTC
To: gentoo-user
> Matt Connell <matt@connell.tech> wrote on 02.01.2025 20:25 CET:
>
>
> On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
> > Your "foo.php" does run here, too. I wonder what's the difference?!
> > PHP is 8.2.24.
>
> Same PHP version here.
>
> > The only difference is that my "exec" is in a class method in a PHP
> > file which is included by "require_once". And it has worked for
> > years...
>
> Can you paste your exec method? I've never tried overriding
> (overloading?) a built-in method in this way, I'm a little surprised it
> works as well as you say. Then again I've always used shell_exec so...
Re: [gentoo-user] Strange behaviour of iptables
From: Ro Bra @ 2025-01-02 23:03 UTC
To: gentoo-user
What's going on here?
> Matt Connell <matt@connell.tech> wrote on 02.01.2025 20:25 CET:
>
>
> On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
> > Your "foo.php" does run here, too. I wonder what's the difference?!
> > PHP is 8.2.24.
>
> Same PHP version here.
>
> > The only difference is that my "exec" is in a class method in a PHP
> > file which is included by "require_once". And it has worked for
> > years...
>
> Can you paste your exec method? I've never tried overriding
> (overloading?) a built-in method in this way, I'm a little surprised it
> works as well as you say. Then again I've always used shell_exec so...
Re: [gentoo-user] Strange behaviour of iptables
From: Matt Connell @ 2025-01-03 1:15 UTC
To: gentoo-user
On Fri, 2025-01-03 at 00:03 +0100, Ro Bra wrote:
> What's going on here?
Compare & Contrast troubleshooting.
Re: [gentoo-user] Strange behaviour of iptables
From: Matthias Hanft @ 2025-01-03 10:30 UTC
To: gentoo-user
Alexis wrote:
>
>
> So what happens if you instead do:
>
> ```
> exec("/usr/bin/xtables-legacy-multi iptables-legacy -L COUNT -n -v -x -w", $iptables);
> ```
>
> ?
Just the same:
iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
Try `iptables -h' or 'iptables --help' for more information.
If I omit "-n", I get the message "Illegal option `--exact' with this command",
and if I omit "-n" and "-x", it seems to work, but without "-x" I get "2M" bytes
(instead of 2048000 bytes) which is hard to calculate with.
Anyway, I omitted one parameter after another, and the problem seems
to be "-Z" when I want to clear the counters - and it has nothing to do
with PHP; I had overlooked that the monthly PHP cronjob clears the
counters (of course), while an interactive COUNT does not.
So after some tests (without PHP, just from bash) I get the following:
/sbin/iptables -L COUNT -n -v -x -w
does work, while
/sbin/iptables -L -Z COUNT -n -v -x -w
does *not*.
"man iptables" says for the "-L" option:
"It is legal to specify the -Z (zero) option as well, in which case the
chain(s) will be atomically listed and zeroed." (which is what I want and
worked for years).
Just "iptables -Z COUNT" does work, but obviously not in combination with
"-n" and "-x" (which I need for "-L").
I could run "-L -x -n" and "-Z" one after another, but that would not be
atomic any more (which wouldn't be fatal in my case, though).
Could it be an iptables bug since last update? Should I file a bug report?
-Matt
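One way to handle what Matthias narrowed the problem down to, as an added Python example (not the thread's PHP cron job and not iptables' own code): try the atomic `-L -Z` form first and, only if iptables rejects the option combination with the "Illegal option" message quoted in the thread, fall back to a separate `-L` followed by `-Z`, parsing the `-x` exact byte counts. The `/sbin/iptables` path, the sample chain output and the simulated runner are assumptions constructed for this example; the simulated runner just reproduces the reported failure offline.

```python
import subprocess

# Constructed sample of `iptables -L COUNT -n -v -x` output (not from the thread).
SAMPLE_OUTPUT = """\
Chain COUNT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    2048000            all  --  *      *       0.0.0.0/0            192.0.2.10
     300      40960 ACCEPT     all  --  *      *       192.0.2.10           0.0.0.0/0
"""

def parse_counters(text):
    """Exact per-rule packet/byte counters from `-L -n -v -x` output."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit() or not f[1].isdigit():
            continue                      # chain header, column header, blank
        rules.append({"pkts": int(f[0]), "bytes": int(f[1]), "rule": " ".join(f[2:])})
    return rules

def run_iptables(args):
    """Real runner: (exit code, stdout, stderr) of /sbin/iptables (assumed path)."""
    p = subprocess.run(["/sbin/iptables", *args], capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr

def simulated_run(args):
    """Offline stand-in for the thread's failure: the combined -L -Z call is
    rejected, the separate -L and -Z calls succeed."""
    if "-L" in args and "-Z" in args:
        return 2, "", "iptables v1.8.11 (legacy): Illegal option `--numeric' with this command\n"
    return 0, SAMPLE_OUTPUT if "-L" in args else "", ""

def read_and_zero(chain, run=run_iptables):
    """Read the chain's exact counters and reset them; returns (rules, atomic).
    Tries the atomic `-L -Z` form first; if iptables rejects the option mix,
    falls back to -L then -Z. The fallback is not atomic: traffic arriving
    between the two calls is zeroed without ever being counted."""
    rc, out, err = run(["-L", "-Z", chain, "-n", "-v", "-x", "-w"])
    if rc == 0:
        return parse_counters(out), True
    if "Illegal option" not in err:
        raise RuntimeError(err.strip())   # some other failure: do not mask it
    rc, out, err = run(["-L", chain, "-n", "-v", "-x", "-w"])
    if rc != 0:
        raise RuntimeError(err.strip())
    rc, _, err = run(["-Z", chain, "-w"])
    if rc != 0:
        raise RuntimeError(err.strip())
    return parse_counters(out), False
```

Calling `read_and_zero("COUNT", run=simulated_run)` exercises the fallback path; with the default runner it needs root and a real COUNT chain.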