public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Strange behaviour of iptables
@ 2025-01-01 17:33 Matthias Hanft
  2025-01-02  4:34 ` Matt Connell
  0 siblings, 1 reply; 9+ messages in thread
From: Matthias Hanft @ 2025-01-01 17:33 UTC (permalink / raw
  To: gentoo-user

Hi,

when I call

/usr/bin/iptables -L COUNT -n -v -x -w

from bash, everything works well - as it did for years.

When I call the same command from PHP:

exec("/usr/bin/iptables -L COUNT -n -v -x -w", $iptables);

I get (since this month) the message

iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
Try `iptables -h' or 'iptables --help' for more information.

I think it has to do with "xtables-legacy-multi" (which is the
only entry of "eselect iptables list" and the softlink target
for all iptables* commands).

When I remove '-n' from the command line, the error message
changes to

iptables v1.8.11 (legacy): Illegal option `--exact' with this command
Try `iptables -h' or 'iptables --help' for more information.

So it seems that I can't use any parameters at all any more -
from PHP.

What's the trick to get this working again?

Thanks,

-Matt


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-01 17:33 [gentoo-user] Strange behaviour of iptables Matthias Hanft
@ 2025-01-02  4:34 ` Matt Connell
  2025-01-02  8:13   ` Matthias Hanft
  0 siblings, 1 reply; 9+ messages in thread
From: Matt Connell @ 2025-01-02  4:34 UTC (permalink / raw
  To: gentoo-user

On Wed, 2025-01-01 at 18:33 +0100, Matthias Hanft wrote:
> 
> So it seems that I can't use any parameters at all any more -
> from PHP.
> 
> What's the trick to get this working again?

Hmm.  I can't replicate this failure.  Using both `php -a` and foo.php,
I get expected results. (I'm using the INPUT chain because that's what
I have with real rules.)

---

   php > exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);   
   php > var_dump($iptables);                                      
   array(37) {                                                     
     [0]=>                                                         
     string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"   
   ...
   ...
   
---
   
   $ cat foo.php
   <?php
   exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
   var_dump($iptables);
   $ php foo.php
   array(37) {                                                        
     [0]=>                                                            
     string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
   ...
   ...
   
---

I noticed that your path to iptables is in /usr/bin/, but `which` on my
system says /sbin/.  Are you running this as root?  What version of PHP
are you using?



* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02  4:34 ` Matt Connell
@ 2025-01-02  8:13   ` Matthias Hanft
  2025-01-02  9:33     ` Alexis
  2025-01-02 19:25     ` Matt Connell
  0 siblings, 2 replies; 9+ messages in thread
From: Matthias Hanft @ 2025-01-02  8:13 UTC (permalink / raw
  To: gentoo-user

Matt Connell wrote:
> 
> I noticed that your path to iptables is in /usr/bin/, but `which` on my
> system says /sbin/.  Are you running this as root?  What version of PHP
> are you using?

Yes, everything is run as root. Indeed I had /sbin/iptables in my PHP script.
Getting this error, I tried "which iptables" in a root bash which showed
/usr/bin/iptables. So I changed this (and even to "/usr/bin/iptables-legacy",
but with no effect, presumably because of...

n ~ # ls -l /sbin/iptables
lrwxrwxrwx 1 root root 20 Apr 18  2024 /sbin/iptables -> xtables-legacy-multi
n ~ # ls -l /usr/bin/iptables
lrwxrwxrwx 1 root root 20 Apr 18  2024 /usr/bin/iptables -> xtables-legacy-multi
n ~ # ls -l /usr/bin/iptables-legacy
lrwxrwxrwx 1 root root 20 Dec 21 09:30 /usr/bin/iptables-legacy -> xtables-legacy-multi

So everything seems to call "xtables-legacy-multi" anyway.

Your "foo.php" does run here, too.  I wonder what's the difference?! PHP is 8.2.24.

The only difference is that my "exec" is in a class method in a PHP file
which is included by "require_once".  And it has worked for years... don't
know exactly when it got broken ("cron @monthly" to count monthly IP traffic).

-Matt


* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02  8:13   ` Matthias Hanft
@ 2025-01-02  9:33     ` Alexis
  2025-01-03 10:30       ` Matthias Hanft
  2025-01-02 19:25     ` Matt Connell
  1 sibling, 1 reply; 9+ messages in thread
From: Alexis @ 2025-01-02  9:33 UTC (permalink / raw
  To: gentoo-user

Matthias Hanft <mh@hanft.de> writes:

> Yes, everything is run as root. Indeed I had /sbin/iptables in my PHP script.
> Getting this error, I tried "which iptables" in a root bash which showed
> /usr/bin/iptables. So I changed this (and even to "/usr/bin/iptables-legacy",
> but with no effect, presumably because of...
>
> n ~ # ls -l /sbin/iptables
> lrwxrwxrwx 1 root root 20 Apr 18  2024 /sbin/iptables -> xtables-legacy-multi
> n ~ # ls -l /usr/bin/iptables
> lrwxrwxrwx 1 root root 20 Apr 18  2024 /usr/bin/iptables -> xtables-legacy-multi
> n ~ # ls -l /usr/bin/iptables-legacy
> lrwxrwxrwx 1 root root 20 Dec 21 09:30 /usr/bin/iptables-legacy -> xtables-legacy-multi
>
> So everything seems to call "xtables-legacy-multi" anyway.

Running `xtables-legacy-multi` without any arguments produces 
output stating that it requires a subcommand, 
e.g. `xtables-legacy-multi iptables-legacy`. Running _that_ 
results in:

```
iptables v1.8.11 (legacy): no command specified
Try `iptables -h' or 'iptables --help' for more information.
```

So what happens if you instead do:

```
exec("/usr/bin/xtables-legacy-multi iptables-legacy -L COUNT -n -v -x -w", $iptables);
```

?


Alexis.


* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02  8:13   ` Matthias Hanft
  2025-01-02  9:33     ` Alexis
@ 2025-01-02 19:25     ` Matt Connell
  2025-01-02 23:00       ` Ro Bra
  2025-01-02 23:03       ` Ro Bra
  1 sibling, 2 replies; 9+ messages in thread
From: Matt Connell @ 2025-01-02 19:25 UTC (permalink / raw
  To: gentoo-user

On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
> Your "foo.php" does run here, too.  I wonder what's the difference?!
> PHP is 8.2.24.

Same PHP version here.

> The only difference is that my "exec" is in a class method in a PHP
> file which is included by "require_once".  And it has worked for
> years...

Can you paste your exec method?  I've never tried overriding
(overloading?) a built-in method in this way, I'm a little surprised it
works as well as you say.  Then again I've always used shell_exec so...



* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02 19:25     ` Matt Connell
@ 2025-01-02 23:00       ` Ro Bra
  2025-01-02 23:03       ` Ro Bra
  1 sibling, 0 replies; 9+ messages in thread
From: Ro Bra @ 2025-01-02 23:00 UTC (permalink / raw
  To: gentoo-user

Matt Connell <matt@connell.tech> wrote on 02.01.2025 20:25 CET:
> 
>  
> On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
> > Your "foo.php" does run here, too.  I wonder what's the difference?!
> > PHP is 8.2.24.
> 
> Same PHP version here.
> 
> > The only difference is that my "exec" is in a class method in a PHP
> > file which is included by "require_once".  And it has worked for
> > years...
> 
> Can you paste your exec method?  I've never tried overriding
> (overloading?) a built-in method in this way, I'm a little surprised it
> works as well as you say.  Then again I've always used shell_exec so...


* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02 19:25     ` Matt Connell
  2025-01-02 23:00       ` Ro Bra
@ 2025-01-02 23:03       ` Ro Bra
  2025-01-03  1:15         ` Matt Connell
  1 sibling, 1 reply; 9+ messages in thread
From: Ro Bra @ 2025-01-02 23:03 UTC (permalink / raw
  To: gentoo-user

What's going on here?

> Matt Connell <matt@connell.tech> wrote on 02.01.2025 20:25 CET:
> 
>  
> On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
> > Your "foo.php" does run here, too.  I wonder what's the difference?!
> > PHP is 8.2.24.
> 
> Same PHP version here.
> 
> > The only difference is that my "exec" is in a class method in a PHP
> > file which is included by "require_once".  And it has worked for
> > years...
> 
> Can you paste your exec method?  I've never tried overriding
> (overloading?) a built-in method in this way, I'm a little surprised it
> works as well as you say.  Then again I've always used shell_exec so...


* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02 23:03       ` Ro Bra
@ 2025-01-03  1:15         ` Matt Connell
  0 siblings, 0 replies; 9+ messages in thread
From: Matt Connell @ 2025-01-03  1:15 UTC (permalink / raw
  To: gentoo-user

On Fri, 2025-01-03 at 00:03 +0100, Ro Bra wrote:
> What's going on here?

Compare & Contrast troubleshooting.


* Re: [gentoo-user] Strange behaviour of iptables
  2025-01-02  9:33     ` Alexis
@ 2025-01-03 10:30       ` Matthias Hanft
  0 siblings, 0 replies; 9+ messages in thread
From: Matthias Hanft @ 2025-01-03 10:30 UTC (permalink / raw
  To: gentoo-user

Alexis wrote:
> 
> 
> So what happens if you instead do:
> 
> ```
> exec("/usr/bin/xtables-legacy-multi iptables-legacy -L COUNT -n -v -x -w", $iptables);
> ```
> 
> ?

Just the same:

iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
Try `iptables -h' or 'iptables --help' for more information.

If I omit "-n", I get the message "Illegal option `--exact' with this command",
and if I omit "-n" and "-x", it seems to work, but without "-x" I get "2M" bytes
(instead of 2048000 bytes) which is hard to calculate with.

Anyway, I omitted one parameter after another, and the problem seems
to be "-Z" when I want to clear the counters - and it has nothing to do
with PHP; I had overlooked that the monthly PHP cronjob clears the
counters (of course), while an interactive COUNT does not.

So after some tests (without PHP, just from bash) I get the following:

/sbin/iptables -L COUNT -n -v -x -w

does work, while

/sbin/iptables -L -Z COUNT -n -v -x -w

does *not*.

"man iptables" says for the "-L" option:

"It is legal to specify the -Z (zero) option as well, in which case the
chain(s) will be atomically listed and zeroed." (which is what I want and
worked for years).

Just "iptables -Z COUNT" does work, but obviously not in combination with
"-n" and "-x" (which I need for "-L").

I could run "-L -x -n" and "-Z" one after another, but that would not be
atomic any more (which wouldn't be fatal in my case, though).

Could it be an iptables bug since last update? Should I file a bug report?

-Matt

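The list-then-zero workaround Matthias describes above, as an added shell example (not code from the thread or from iptables): it tries the atomic `-L -Z` form first, falls back to a separate `-L` followed by `-Z` when iptables rejects the option combination, and sums the bytes column of the listing for accounting. It assumes a user-defined chain named COUNT and iptables at /sbin/iptables (both overridable through the environment), and it goes a little beyond the exact-output case in the thread by also expanding the K/M/G suffixes iptables prints when `-x` is omitted.

```shell
#!/bin/sh
# Added example, not code from the thread. Account traffic in a user-defined
# chain (assumed to be named COUNT) and zero its counters afterwards.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-COUNT}"

# Sum the bytes column (field 2) of every rule line in `iptables -L -n -v` output
# read on stdin. With -x the numbers are exact; without it iptables abbreviates
# them with K/M/G/T (1000-based) suffixes, which this function expands as well.
sum_bytes() {
    awk 'NR > 2 && $2 ~ /^[0-9]+[KMGT]?$/ {
            n = $2; mult = 1
            suffix = substr(n, length(n), 1)
            if (suffix == "K") mult = 1000
            else if (suffix == "M") mult = 1000000
            else if (suffix == "G") mult = 1000000000
            else if (suffix == "T") mult = 1000000000000
            if (mult > 1) n = substr(n, 1, length(n) - 1)
            total += n * mult
        }
        END { printf "%.0f\n", total + 0 }'
}

# List and zero the chain. Try the atomic "-L -Z" form first; if iptables rejects
# the option combination (as reported for 1.8.11 legacy), fall back to a separate
# -L followed by -Z. Packets arriving between the two calls are then counted in
# neither run, so the fallback is announced on stderr.
list_and_zero() {
    if out=$("$IPTABLES" -L -Z "$CHAIN" -n -v -x -w 2>/dev/null); then
        printf '%s\n' "$out"
        return 0
    fi
    echo "atomic -L -Z rejected, falling back to non-atomic -L then -Z" >&2
    out=$("$IPTABLES" -L "$CHAIN" -n -v -x -w) || return 1
    "$IPTABLES" -Z "$CHAIN" -w || return 1
    printf '%s\n' "$out"
}

# Typical monthly cron use: list_and_zero | sum_bytes
```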