Bug 125377 - can't generate icmp rules for iptables
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: iptables
Version: 2
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Reported: 2004-06-05 13:52 UTC by Lynda Sweetman
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-06-07 09:36:59 UTC

Description Lynda Sweetman 2004-06-05 13:52:37 UTC
Description of problem: When I attempt to add an INPUT rule in iptables with '-m icmp --icmp-type all' I get "iptables: Invalid argument". I try to load ipt_icmp through /etc/sysconfig/iptables-config. When my computer boots, it returns a FAILED when the iptables modules are being loaded. When I manually try loading each one that is listed in /etc/sysconfig/iptables-config, only the ipt_icmp fails. There is a /lib/iptables/libipt_icmp.so, but no /lib/modules/2.6.5-1.358/kernel/net/ipv4/netfilter/ipt_icmp.ko. Is this why I get a FAILED?

I have iptables set up on a minimal install, on a computer that is a bridge/router/firewall for a cable modem internet connection. I have 4 NICs enslaved in a bridge, all with one IP address, which is the LAN's gateway. The bridge works fine, and I can hand out IP addresses thru dhcpd okay. I can also ping the bridge interface alright from the firewall, but I cannot ping it from the computers attached, nor ping any other computer also connected to the bridge. I can ping internet addresses okay (which are masqueraded and forwarded), but nothing locally. If I allow all activity on the LAN side (which I have done), do I need the icmp module loaded to be able to ping all LAN interfaces?

I also noticed that there are no ftp or ftp_conntrack modules listed in /lib/modules/2.6.5-1.358/kernel/net/ipv4/netfilter/. Is this intentional?

Version-Release number of selected component (if applicable): iptables-1.2.9-2.3.1

How reproducible: Every time

Steps to Reproduce:
1. Entered 'ipt_icmp' in the correct format after "IPTABLES MODULES" in /etc/sysconfig/iptables-config; saved and exited.
2. Restarted the iptables service or rebooted.

Actual results: Loading additional iptables modules: (shows names of modules) [FAILED]
iptables shows 'invalid argument' for adding rules using the icmp module.

Expected results: The ipt_icmp module should have loaded, and adding icmp rules should not return error messages.

Additional info: I am running bridge-utils-0.9.6-3.1. Is this a bridge or an iptables problem? It seems like other people can ping their bridges and through them. Or do I need ebtables to do just that?

Comment 1 Lynda Sweetman 2004-06-06 13:30:46 UTC
Whoops. There are ftp modules, what was I thinking?

Comment 2 Thomas Woerner 2004-06-07 09:36:59 UTC
There is no kernel module ipt_icmp and no icmp-type "all".
You have to use "-p icmp -m icmp --icmp-type any".

"iptables -p icmp -h" prints all icmp type names.
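
A pre-flight check for the three mistakes this report turned on, added here as an example (it is not part of the original thread or of the iptables package). The function names, the bitmask return codes and the sample rules are constructed for illustration; the script only inspects rule text and never calls iptables.

```shell
#!/bin/sh
# check_icmp_rule RULE: status is a bitmask,
#   1 = --icmp-type used without "-p icmp"
#   2 = --icmp-type "all", which is not a type name ("any" is)
check_icmp_rule() {
    proto="" type="" want="" _rc=0
    # Split the rule into words on purpose; globbing is off while we do it.
    set -f; set -- $1; set +f
    for tok in "$@"; do
        case "$want" in
            proto) proto=$tok; want=""; continue ;;
            type)  type=$tok;  want=""; continue ;;
        esac
        case "$tok" in
            -p|--protocol) want=proto ;;
            --icmp-type)   want=type ;;
        esac
    done
    [ -n "$type" ] || return 0          # rule has no ICMP type match
    case "$proto" in
        icmp|ICMP|1) ;;
        *) echo "no '-p icmp' given for the --icmp-type match"; _rc=$((_rc | 1)) ;;
    esac
    if [ "$type" = "all" ]; then
        echo "icmp-type 'all' does not exist; use 'any'"; _rc=$((_rc | 2))
    fi
    return "$_rc"
}

# check_modules LIST: LIST is the value of IPTABLES_MODULES. Returns 1 if it
# names ipt_icmp, which comment 2 says does not exist as a kernel module.
check_modules() {
    case " $1 " in
        *" ipt_icmp "*) echo "ipt_icmp is not a loadable module; remove it"; return 1 ;;
    esac
    return 0
}

# Demo on constructed input: the rule from the report, then the corrected form.
while IFS= read -r rule; do
    if msg=$(check_icmp_rule "$rule"); then
        echo "OK   $rule"
    else
        echo "BAD  $rule"; echo "$msg" | sed 's/^/       /'
    fi
done <<'EOF'
-A INPUT -m icmp --icmp-type all -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
EOF
```
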


