Unknown arg `--icmp-type'

Bug #66106 reported by Oliver Lemke
Affects | Status | Importance | Assigned to | Milestone
iptables (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

Shorewall startup fails because it calls iptables with an unknown argument "--icmp-type".

/var/log/shorewall-init.log:

...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
iptables v1.3.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -A Drop -p icmp --icmp-type fragmentation-need

Oliver Lemke (olemke) wrote :

Reassigned to iptables. Shorewall works fine with version 1.3.3-2ubuntu4 but not with 1.3.5.0debian1-1ubuntu1

engelsma (dave-engelsma) wrote :

I have the same problem.

I commented out all rules relating to pings but I still see the same error described in the "Description".

Rocco Stanzione (trappist) wrote :

The new iptables does support --icmp-type, and the following rule:
sudo iptables -A INPUT -p icmp --icmp-type fragmentation-need
works fine. I haven't got a working shorewall config, so it's hard to track it down much further, but I wonder if one of you could try changing the shebang line to #!/bin/bash at the top of /sbin/shorewall, and see if you get the same results. I don't see where a "Drop" chain is ever getting created, and I'm curious to see if some non-POSIX magic is building the rule wrong, because macro.AllowICMPs is the only place in the entire source package where anything like this seems to happen, and the target there is ACCEPT.

Changed in iptables:
status: Unconfirmed → Needs Info
Oliver Lemke (olemke) wrote :

# dpkg-query -W iptables
iptables 1.3.5.0debian1-1ubuntu1

# iptables -A INPUT -p icmp --icmp-type fragmentation-need
iptables v1.3.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.

iptables doesn't seem to support --icmp-type here. :-(

Changing the shebang in shorewall has no effect.

KnisterPeter (markus-emedia-solutions-wolf) wrote :

Same for me here.
I've had a working shorewall with iptables 1.3.3.

Also, the command "iptables -p icmp -h", which should list the types of ICMP packets, fails. Therefore I think this is an iptables problem not related to shorewall at all.
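
A pre-flight check built on the `iptables -p icmp -h` probe mentioned above, as an added example that is not part of the original thread or of the shorewall or guarddog packages. The function names are hypothetical, and it assumes a working build mentions `--icmp-type` in that help output.

```shell
#!/bin/sh
# Pre-flight check for a firewall init script: confirm that this iptables
# build still provides the icmp match before any existing rules are flushed.

# probe_icmp_match [IPT]
#   IPT: iptables command to probe (default /sbin/iptables, as in the report).
#   Prints "ok", "missing" or "no-iptables"; returns 0 only for "ok".
probe_icmp_match() {
    ipt=${1:-/sbin/iptables}
    if ! command -v "$ipt" >/dev/null 2>&1; then
        echo "no-iptables"
        return 2
    fi
    # Help output only: no rule is added and the live ruleset is untouched.
    out=$("$ipt" -p icmp -h 2>&1)
    case $out in
        *"Unknown arg"*) echo "missing"; return 1 ;;
    esac
    # Assumption: a working icmp extension documents --icmp-type in its help.
    case $out in
        *--icmp-type*) echo "ok"; return 0 ;;
    esac
    echo "missing"
    return 1
}

# require_icmp_match [IPT]
#   Returns non-zero with a message on stderr so the caller can keep the
#   currently loaded ruleset instead of aborting half-way through a reload.
require_icmp_match() {
    state=$(probe_icmp_match "$@")
    rc=$?
    [ "$rc" -eq 0 ] && return 0
    echo "firewall pre-flight: icmp match $state; keeping current rules" >&2
    return "$rc"
}

# Usage from an init script:  sh preflight.sh --check || exit 1
if [ "${1:-}" = "--check" ]; then
    require_icmp_match
    exit $?
fi
```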

PetyrRahl (petyr) wrote :

Just adding in another confirmation. Installed shorewall on my laptop and got the exact same problem as people above.

iptables v1.3.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -A Drop -p icmp --icmp-type fragmentation-needed -j ACCEPT" Failed

Changed in iptables:
status: Needs Info → Confirmed
Kubicle (kubicle-deactivatedaccount) wrote :

Also affects guarddog, so definitely looks like an iptables 1.3.5 issue. (was working previously)

$sudo /etc/init.d/guarddog restart
Setting up guarddog firewall...iptables v1.3.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
...

Jose Bernardo (bernardo-bandos) wrote :

Same problems with guarddog and shorewall, edgy, two machines. My workaround with shorewall was to edit /usr/share/shorewall/action.Drop and /usr/share/shorewall/action.Reject and comment the line with "AllowICMPs - - icmp". Of course the solution is to re-enable icmp-type in iptables, but this might help some to get shorewall working again (without icmp filtering).
