Bug 11425 - ipchains man page wrong on ICMP deny/reject handling.
Product: Red Hat Linux
Classification: Retired
Component: ipchains
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Cristian Gafton
Reported: 2000-05-15 18:54 EDT by Pekka Savola
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-06-27 11:40:05 EDT
Description Pekka Savola 2000-05-15 18:54:37 EDT
ipchains man page states:
ACCEPT means to let the packet through. DENY means to drop the packet
on the floor. REJECT means the same as drop, but is more polite and
easier to debug, since an ICMP message is sent back to the sender
indicating that the packet was dropped. (Note that DENY and REJECT are
the same for ICMP packets).

The last sentence on ICMP is _wrong_. ICMP receives no special treatment
if it's in REJECT mode.

I think this is a 'feature we never remembered to add' problem.  Man page
should be changed to reflect the current behaviour though.

This can be easily verified with e.g.:

'ipchains -A input -j REJECT -p icmp'

which produces ICMP port unreachable messages just as UDP/TCP:
01:48:56.045352 netcore.fi > em.netcore.fi: icmp: netcore.fi protocol 1
port 32721 unreachable [tos 0xc0]
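The tcpdump line above is the evidence for the report: the firewall answers a rejected ICMP packet with an ICMP "port unreachable" (type 3, code 3) that quotes the offending datagram, and tcpdump, finding protocol 1 rather than TCP or UDP inside it, falls back to its generic "protocol N port M unreachable" wording. The following is an added example, not code from the bug report or from ipchains: it builds such a reply from a constructed echo request (placeholder addresses 192.0.2.20 and 192.0.2.1, constructed id, sequence and payload), decodes it the way tcpdump's summary does, and does the same for a rejected UDP probe for comparison. By my reading of tcpdump's decoder, the "port" it prints is simply bytes 2-3 of the quoted transport header, which for a quoted ICMP echo is the echo's checksum field rather than any port; the code below reflects that reading.

```python
"""Decode an ICMP destination-unreachable error the way tcpdump summarises it.
Added example, not from the bug report or ipchains; every packet here is
constructed in this file, not captured."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 3, 8
CODE_PORT_UNREACH = 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header without options, header checksum filled in."""
    def addr(a: str) -> bytes:
        return bytes(int(octet) for octet in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) with its checksum computed over header+payload."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def icmp_port_unreachable(src: str, dst: str, offending: bytes) -> bytes:
    """The error a REJECT target sends back: ICMP type 3 code 3 quoting the
    offending datagram's IP header plus its first 8 bytes (RFC 792)."""
    q_ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:q_ihl + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0) + quoted
    csum = inet_checksum(body)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, csum, 0) + quoted
    # tos 0xc0 mirrors the "[tos 0xc0]" shown on the report's tcpdump line
    return ipv4_header(src, dst, IPPROTO_ICMP, len(body), tos=0xC0) + body


def parse_icmp_unreach(packet: bytes) -> dict:
    """Extract what tcpdump prints: the quoted datagram's protocol number and
    the 16-bit value at offset 2 of its transport header (the destination
    port for TCP/UDP; for a quoted ICMP echo it is the echo's checksum)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message")
    quoted = icmp[8:]                      # skip the 8-byte ICMP error header
    q_ihl = (quoted[0] & 0x0F) * 4
    transport = quoted[q_ihl:q_ihl + 8]    # the 8 bytes past the quoted IP header
    return {
        "type": icmp[0],
        "code": icmp[1],
        "quoted_proto": quoted[9],
        "port_field": struct.unpack("!H", transport[2:4])[0],
    }


def tcpdump_summary(fields: dict) -> str:
    """Mimic tcpdump's wording for code 3: tcp/udp are named explicitly, and
    anything else (ICMP included) gets the generic "protocol N port M" form."""
    names = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}
    proto = fields["quoted_proto"]
    if proto in names:
        return "%s port %d unreachable" % (names[proto], fields["port_field"])
    return "protocol %d port %d unreachable" % (proto, fields["port_field"])


# Constructed sample: 192.0.2.20 pings 192.0.2.1, whose input chain has
# 'ipchains -A input -j REJECT -p icmp' (placeholder addresses and payload).
ECHO_REQUEST = icmp_echo_request(ident=0x1234, seq=1, payload=b"abcdefgh")
OFFENDING = ipv4_header("192.0.2.20", "192.0.2.1", IPPROTO_ICMP, len(ECHO_REQUEST)) + ECHO_REQUEST
REJECT_REPLY = icmp_port_unreachable("192.0.2.1", "192.0.2.20", OFFENDING)

# Same firewall rejecting a UDP probe to port 33434, for comparison.
UDP_PROBE = struct.pack("!HHHH", 40000, 33434, 8, 0)
UDP_OFFENDING = ipv4_header("192.0.2.20", "192.0.2.1", IPPROTO_UDP, len(UDP_PROBE)) + UDP_PROBE
UDP_REJECT_REPLY = icmp_port_unreachable("192.0.2.1", "192.0.2.20", UDP_OFFENDING)

if __name__ == "__main__":
    for pkt in (REJECT_REPLY, UDP_REJECT_REPLY):
        print(tcpdump_summary(parse_icmp_unreach(pkt)))
```

Running it prints one "protocol 1 port N unreachable" line and one "udp port 33434 unreachable" line; the N on the first line is the checksum of the constructed echo request, which is why the number in the report's capture (32721) looks like a port without being one.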
Comment 1 Pekka Savola 2000-06-27 11:40:03 EDT
An example of the man page patch here (ipchains isn't being maintained anymore
IIRC, so it's up to Redhat to leave it as it is, or to patch it):

--- ipchains.8.orig     Tue Jun 27 18:28:53 2000
+++ ipchains.8  Tue Jun 27 18:30:49 2000
@@ -70,7 +70,8 @@
-are the same for ICMP packets).  
+are the same for ICMP packets). [Note: this is incorrect; setting ICMP to
+REJECT will cause ICMP port unreachables to be sent!]  
 .sp 0.5
 is only legal for the forward and user defined chains, and can only be
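Review bot: the hunk header @@ -70,7 +70,8 @@ announces seven old and eight new lines, but only three old and four new lines follow it and there is no leading context, so patch will refuse this hunk as malformed; regenerate it with diff -u against the whole file before it goes anywhere. Separately, the fix itself leaves the wrong sentence in place and then contradicts it in a bracketed aside ("[Note: this is incorrect; ...]"), which reads as an editor's margin note rather than documentation. Replace the parenthetical rather than annotate it, for example with "(Note that for ICMP packets REJECT also sends back an ICMP port unreachable, so it is not the same as DENY.)", which states the behaviour the tcpdump capture in the report shows.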
Comment 2 Preston Brown 2000-06-27 11:51:12 EDT
fixed in rawhide.
