If you compile iptables-1.2.8-r1 with -fstack-protector, then any action including -p icmp will not work. For instance, "iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT" will result in the information that "--icmp-type" is an unknown argument. If you also use -m icmp in the command above, the output will tell you about some references missing to "__guard". Compiling iptables without -fstack-protector works as expected.

Reproducible: Always
I'm able to replicate this problem with iptables, but I haven't really been able to come up with a good solution to it. Do you have any ideas on how this can be fixed? If a better solution doesn't appear I'll just have the iptables ebuilds strip the -fstack-protector flag.
iptables-1.2.8-r1 now strips the "-fstack-protector" flag. This will resolve this for the time being. This will probably be more appropriately fixed by moving ProPolice to a shared library.
Is this still an issue? I compiled iptables-1.2.9-r3 with CFLAGS="-march=athlon-xp -O2 -pipe -fstack-protector" and I don't experience these problems.