• [gentoo-user] Strange behaviour of iptables

    From Matthias Hanft@21:1/5 to All on Wed Jan 1 18:40:01 2025
    Hi,

    when I call

    /usr/bin/iptables -L COUNT -n -v -x -w

    from bash, everything works well - as it did for years.

    When I call the same command from PHP:

    exec("/usr/bin/iptables -L COUNT -n -v -x -w", $iptables);

    I get (since this month) the message

    iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
    Try `iptables -h' or 'iptables --help' for more information.

    I think it has to do with "xtables-legacy-multi" (which is the
    only entry of "eselect iptables list" and the softlink target
    for all iptables* commands).

    When I remove '-n' from the command line, the error message
    changes to

    iptables v1.8.11 (legacy): Illegal option `--exact' with this command
    Try `iptables -h' or 'iptables --help' for more information.

    So it seems that I can't use any parameters at all any more -
    from PHP.

    What's the trick to get this working again?

    Thanks,

    -Matt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Matt Connell@21:1/5 to Matthias Hanft on Thu Jan 2 05:40:01 2025
    On Wed, 2025-01-01 at 18:33 +0100, Matthias Hanft wrote:

    So it seems that I can't use any parameters at all any more -
    from PHP.

    What's the trick to get this working again?

    Hmm. I can't replicate this failure. Using both `php -a` and foo.php,
    I get expected results. (I'm using the INPUT chain because that's what
    I have with real rules.)

    ---

    php > exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
    php > var_dump($iptables);
    array(37) {
    [0]=>
    string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
    ...
    ...

    ---

    $ cat foo.php
    <?php
    exec("/sbin/iptables -L INPUT -n -v -x -w", $iptables);
    var_dump($iptables);
    $ php foo.php
    array(37) {
    [0]=>
    string(46) "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
    ...
    ...

    ---

    I noticed that your path to iptables is in /usr/bin/, but `which` on my
    system says /sbin/. Are you running this as root? What version of PHP
    are you using?

  • From Matthias Hanft@21:1/5 to Matt Connell on Thu Jan 2 09:20:01 2025
    Matt Connell wrote:

    I noticed that your path to iptables is in /usr/bin/, but `which` on my
    system says /sbin/. Are you running this as root? What version of PHP
    are you using?

    Yes, everything is run as root. Indeed I had /sbin/iptables in my PHP script. Getting this error, I tried "which iptables" in a root bash which showed /usr/bin/iptables. So I changed this (and even to "/usr/bin/iptables-legacy", but with no effect, presumably because of...

    n ~ # ls -l /sbin/iptables
    lrwxrwxrwx 1 root root 20 Apr 18 2024 /sbin/iptables -> xtables-legacy-multi
    n ~ # ls -l /usr/bin/iptables
    lrwxrwxrwx 1 root root 20 Apr 18 2024 /usr/bin/iptables -> xtables-legacy-multi
    n ~ # ls -l /usr/bin/iptables-legacy
    lrwxrwxrwx 1 root root 20 Dec 21 09:30 /usr/bin/iptables-legacy -> xtables-legacy-multi

    So everything seems to call "xtables-legacy-multi" anyway.

    Your "foo.php" does run here, too. I wonder what's the difference?! PHP is 8.2.24.

    The only difference is that my "exec" is in a class method in a PHP file
    which is included by "require_once". And it has worked for years... don't
    know exactly when it got broken ("cron @monthly" to count monthly IP traffic).

    -Matt

  • From Ro Bra@21:1/5 to All on Fri Jan 3 00:10:02 2025
    What's going on here?

    Matt Connell <matt@connell.tech> wrote on 02.01.2025 20:25 CET:

    On Thu, 2025-01-02 at 09:13 +0100, Matthias Hanft wrote:
    Your "foo.php" does run here, too.  I wonder what's the difference?!
    PHP is 8.2.24.

    Same PHP version here.

    The only difference is that my "exec" is in a class method in a PHP
    file which is included by "require_once".  And it has worked for
    years...

    Can you paste your exec method? I've never tried overriding
    (overloading?) a built-in method in this way, I'm a little surprised it
    works as well as you say. Then again I've always used shell_exec so...

  • From Matt Connell@21:1/5 to Ro Bra on Fri Jan 3 02:20:02 2025
    On Fri, 2025-01-03 at 00:03 +0100, Ro Bra wrote:
    What's going on here?

    Compare & Contrast troubleshooting.

  • From Matthias Hanft@21:1/5 to Alexis on Fri Jan 3 11:40:01 2025
    Alexis wrote:
    So what happens if you instead do:

    ```
    exec("/usr/bin/xtables-legacy-multi iptables-legacy -L COUNT -n -v -x -w", $iptables);
    ```

    ?

    Just the same:

    iptables v1.8.11 (legacy): Illegal option `--numeric' with this command
    Try `iptables -h' or 'iptables --help' for more information.

    If I omit "-n", I get the message "Illegal option `--exact' with this
    command", and if I omit "-n" and "-x", it seems to work, but without "-x"
    I get "2M" bytes (instead of 2048000 bytes) which is hard to calculate with.

    Anyway, I omitted one parameter after another, and the problem seems
    to be "-Z" when I want to clear the counters - and it has nothing to do
    with PHP; I had overlooked that the monthly PHP cronjob clears the
    counters (of course), while an interactive COUNT does not.

    So after some tests (without PHP, just from bash) I get the following:

    /sbin/iptables -L COUNT -n -v -x -w

    does work, while

    /sbin/iptables -L -Z COUNT -n -v -x -w

    does *not*.

    "man iptables" says for the "-L" option:

    "It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed." (which is what I want and worked for years).

    Just "iptables -Z COUNT" does work, but obviously not in combination with
    "-n" and "-x" (which I need for "-L").

    I could run "-L -x -n" and "-Z" one after another, but that would not be
    atomic any more (which wouldn't be fatal in my case, though).

    Could it be an iptables bug since last update? Should I file a bug report?

    -Matt

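An added example, not code from the thread and written in Python rather than the original PHP cron script: it parses the `iptables -L COUNT -n -v -x` listing into per-rule counters, flags rounded K/M/G values when `-x` is missing, and tries the atomic `-L -Z` first, falling back to separate `-L` and `-Z` calls when the build rejects the combination with the error quoted above. The chain name COUNT, the /sbin/iptables path and the SAMPLE listing are assumptions or constructed data.

```python
import re
import subprocess

SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}  # "-v" without "-x" rounds with these
OPTS = {"--", "-f", "!-", "!f"}  # the two-character "opt" column of "-L -v" output

def parse_counter(field):
    """'2048000' -> (2048000, True); '2048K' -> (2048000, False), i.e. rounded."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    if not m:
        raise ValueError(f"bad counter: {field!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)], m.group(2) == ""

def parse_listing(output):
    """Map chain name -> rule dicts from 'iptables -L [chain] -n -v [-x]' output."""
    chains, chain = {}, None
    for line in output.splitlines():
        f = line.split()
        if not f or f[0] == "pkts":      # blank line or column header
            continue
        if f[0] == "Chain":
            chain, chains[f[1]] = f[1], []
            continue
        # A counting rule without -j has an empty target column, so "opt" shifts left
        if len(f) >= 9 and f[4] in OPTS:
            target, src, dst = f[2], f[7], f[8]
        elif len(f) >= 8 and f[3] in OPTS:
            target, src, dst = "", f[6], f[7]
        else:
            raise ValueError(f"unrecognised rule line: {line!r}")
        (pkts, p_ok), (nbytes, b_ok) = parse_counter(f[0]), parse_counter(f[1])
        chains[chain].append({"pkts": pkts, "bytes": nbytes, "target": target,
                              "src": src, "dst": dst, "exact": p_ok and b_ok})
    return chains

def list_and_zero(chain, iptables="/sbin/iptables"):
    """Atomic '-L -Z' first; if the build rejects it (the thread's error), do -L then -Z."""
    base = [iptables, "-w", "-n", "-v", "-x"]
    r = subprocess.run(base + ["-L", "-Z", chain], capture_output=True, text=True)
    atomic = r.returncode == 0
    if not atomic and "Illegal option" in r.stderr:   # the exact failure from the thread
        r = subprocess.run(base + ["-L", chain], capture_output=True, text=True, check=True)
        subprocess.run([iptables, "-w", "-Z", chain], check=True)  # counters zeroed late
    r.check_returncode()
    return parse_listing(r.stdout), atomic

SAMPLE = """Chain COUNT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    2048000 RETURN     all  --  *      *       192.0.2.10           0.0.0.0/0
     678      98765            all  --  *      *       0.0.0.0/0            192.0.2.10
"""  # constructed sample of "iptables -L COUNT -n -v -x" output, not from a real host
```

`parse_listing(SAMPLE)` shows the second rule with an empty target, which is the usual shape of a pure counting rule; `list_and_zero` needs root and a real iptables, and its second return value tells the caller whether the counters were read and zeroed atomically.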