Bug 11425

Summary: ipchains man page wrong on ICMP deny/reject handling.
Product: [Retired] Red Hat Linux
Reporter: Pekka Savola <pekkas>
Component: ipchains
Assignee: Cristian Gafton <gafton>
Status: CLOSED RAWHIDE
Severity: low
Priority: medium
Version: 6.2
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-06-27 15:40:05 UTC

Description Pekka Savola 2000-05-15 22:54:37 UTC
ipchains man page states:
---
ACCEPT means to let the packet through. DENY means to drop the packet
on the floor. REJECT means the same as drop, but is more polite and
easier to debug, since an ICMP message is sent back to the sender
indicating that the packet was dropped. (Note that DENY and REJECT are
the same for ICMP packets).
---

The last sentence on ICMP is _wrong_. ICMP receives no special treatment
if it's in REJECT mode.

I think this is a 'feature we never remembered to add' problem.  Man page
should be changed to reflect the current behaviour though.

This can be easily verified with e.g.:

'ipchains -A input -j REJECT -p icmp'

which produces ICMP port unreachable messages just as UDP/TCP:
---
01:48:56.045352 netcore.fi > em.netcore.fi: icmp: netcore.fi protocol 1 port 32721 unreachable [tos 0xc0]
---
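An added example, not part of the bug report, that turns the reporter's verification step into a check: it parses tcpdump port-unreachable lines like the one above and counts them by the protocol of the packet that was rejected, so a REJECT rule matching ICMP shows up as an "icmp" entry. The UDP and TCP trace lines are constructed for comparison, and the regex assumes the classic tcpdump ICMP output format seen in the trace.

```python
import re

# Constructed sample tcpdump output: the first line is the trace from the bug
# report; the UDP/TCP lines are made up, in tcpdump's port-unreachable format,
# to compare the ICMP case with the "just as UDP/TCP" claim.
SAMPLE_TRACE = """\
01:48:56.045352 netcore.fi > em.netcore.fi: icmp: netcore.fi protocol 1 port 32721 unreachable [tos 0xc0]
01:49:02.118840 netcore.fi > em.netcore.fi: icmp: netcore.fi udp port 53 unreachable [tos 0xc0]
01:49:07.500213 netcore.fi > em.netcore.fi: icmp: netcore.fi tcp port 22 unreachable [tos 0xc0]
01:49:09.000001 em.netcore.fi > netcore.fi: icmp: echo request
"""

# tcpdump names tcp/udp explicitly and prints "protocol <n>" for anything else,
# which is how a rejected ICMP packet (IP protocol 1) shows up.
UNREACH_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: (?P<orig_dst>\S+) "
    r"(?:(?P<name>tcp|udp)|protocol (?P<num>\d+)) port (?P<port>\d+) unreachable"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PROTO_NUMBERS = {"tcp": 6, "udp": 17}


def parse_unreachable(line):
    """Describe one ICMP port-unreachable line, or return None for other traffic."""
    m = UNREACH_RE.match(line)
    if not m:
        return None
    num = PROTO_NUMBERS[m["name"]] if m["name"] else int(m["num"])
    return {
        "time": m["time"],
        "sender": m["src"],  # host whose REJECT rule generated the ICMP error
        "receiver": m["dst"],
        "rejected_proto": num,
        "rejected_proto_name": PROTO_NAMES.get(num, f"protocol {num}"),
        "rejected_port": int(m["port"]),
    }


def rejects_by_protocol(trace):
    """Count port-unreachable replies by the protocol of the packet they answer.

    A non-zero 'icmp' count is the behaviour the report describes: REJECT
    answers ICMP with an ICMP error, contrary to the man page.
    """
    counts = {}
    for line in trace.splitlines():
        rec = parse_unreachable(line)
        if rec is not None:
            name = rec["rejected_proto_name"]
            counts[name] = counts.get(name, 0) + 1
    return counts
```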

Comment 1 Pekka Savola 2000-06-27 15:40:03 UTC
An example of the man page patch here (ipchains isn't being maintained anymore
IIRC, so it's up to Red Hat to leave it as it is, or to patch it):

--- ipchains.8.orig     Tue Jun 27 18:28:53 2000
+++ ipchains.8  Tue Jun 27 18:30:49 2000
@@ -70,7 +70,8 @@
 .I DENY 
 and 
 .I REJECT 
-are the same for ICMP packets).  
+are the same for ICMP packets). [Note: this is incorrect; setting ICMP to
+REJECT will cause ICMP port unreachables to be sent!]  
 .sp 0.5
 .I MASQ
 is only legal for the forward and user defined chains, and can only be
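Review bot: the hunk leaves the incorrect parenthetical in place and appends a bracketed note contradicting it, so the rendered man page now says both that DENY and REJECT are the same for ICMP and that they are not; replace the sentence instead of annotating it, e.g. change `are the same for ICMP packets).` to `behave differently for ICMP packets too: REJECT sends an ICMP port unreachable back, as for TCP and UDP).`, matching the tcpdump trace in the description. The removed and added lines also carry trailing whitespace, which roff tolerates but which should not be introduced by a documentation fix.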

Comment 2 Preston Brown 2000-06-27 15:51:12 UTC
fixed in rawhide.