
Bug 356433

Summary: net-firewall/shorewall-4.4.15.1: Multiple ICMP types are not permitted.
Product: Gentoo Linux
Reporter: Navid Zamani <navid.zamani>
Component: [OLD] Server
Assignee: Gentoo Netmon project <netmon>
Status: VERIFIED INVALID
Severity: normal
CC: rentorbuy
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Navid Zamani 2011-02-25 16:19:18 UTC
Since the last Shorewall update (on hardened it went from 3.x straight to 4.4.15.1), suddenly I can't add rules with a list of ICMP types.
There is no other information given than the error message in the summary. The documentation (http://www.shorewall.net/manpages/shorewall-rules.html under DEST PORT(S)) states that lists are allowed. So I guess this is a bug. Even if not, it should at least state somewhere what to do, or why not to do it. This way I'm stuck.

Reproducible: Always

Steps to Reproduce:
1. Make sure =net-firewall/shorewall-4.4.15.1 is installed.
2. Add the following line to /etc/shorewall/rules under the SECTION NEW:
ACCEPT all             all             icmp    $NICE_ICMP_TYPES        -
3. Add the following line to /etc/shorewall/params:
NICE_ICMP_TYPES="0,3,4,5,8,11,12,13,14"
(or anything with more than one item)
4. /etc/init.d/shorewall restart
Actual Results:
 * Restarting firewall ...
   ERROR: Multiple ICMP types are not permitted : /etc/shorewall/rules (line 19)          [ !! ]

Expected Results:
 * Restarting firewall ...                                                                [ ok ]

(I doubt "emerge --info" or other information is required here. If it is, please tell me and I will add it.)
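The practical workaround for the error above is to write one rules line per ICMP type instead of a comma-separated list in the DEST PORT(S) column. The following script is an added illustration of that expansion; it is not Shorewall's own code and does not invoke Shorewall. It reads a params file and a rules file in the layout shown in the report (ACTION SOURCE DEST PROTO DEST PORT(S) ...), substitutes $NAME references, and emits one rule per ICMP type. The sample params and rules text embedded below are constructed from the steps in the report; the column positions and the accepted type syntax ("8" or "8/0", or an alphabetic type name) are assumptions of this example.

```python
"""Expand Shorewall rules lines whose DEST PORT(S) column lists several ICMP
types into one rule per type (example code, not part of Shorewall)."""
import re

# Constructed sample input mirroring the bug report's /etc/shorewall/params
# and the single rules line the report adds under SECTION NEW.
PARAMS_TEXT = 'NICE_ICMP_TYPES="0,3,4,5,8,11,12,13,14"\n'
RULES_TEXT = "ACCEPT all             all             icmp    $NICE_ICMP_TYPES        -\n"

# Assumed syntax for one ICMP type: numeric type, optional /code, or a name.
ICMP_TYPE_RE = re.compile(r"^(\d{1,3}(/\d{1,3})?|[a-z][a-z-]*)$")


def parse_params(text):
    """Parse NAME=value and NAME="value" lines; '#' lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip().strip("\"'")
    return params


def substitute(field, params):
    """Replace $NAME and ${NAME} references in one column with their values."""
    def repl(match):
        name = match.group(1) or match.group(2)
        if name not in params:
            raise KeyError(f"undefined param {name}")
        return params[name]
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", repl, field)


def expand_icmp_rule(line, params):
    """Return one rule per ICMP type for an icmp line; other lines unchanged.

    Column order is assumed to be ACTION SOURCE DEST PROTO DEST PORT(S) [rest].
    The order of the emitted rules follows the order of the list, since
    Shorewall evaluates rules top to bottom.
    """
    fields = line.split()
    if len(fields) < 5 or fields[3].lower() != "icmp":
        return [line.strip()]
    types = [t.strip() for t in substitute(fields[4], params).split(",")]
    for t in types:
        # Reject anything that is not a plausible ICMP type before emitting it.
        if not ICMP_TYPE_RE.match(t) or (t[0].isdigit() and int(t.split("/")[0]) > 255):
            raise ValueError(f"bad ICMP type {t!r} in rule: {line.strip()}")
    rest = fields[5:]
    return [" ".join(fields[:4] + [t] + rest) for t in types]


def expand_rules(rules_text, params_text):
    """Expand every icmp list rule in a rules file; comments and blanks are kept."""
    params = parse_params(params_text)
    out = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
            continue
        out.extend(expand_icmp_rule(line, params))
    return out


if __name__ == "__main__":
    for rule in expand_rules(RULES_TEXT, PARAMS_TEXT):
        print(rule)
```

Running the script prints nine ACCEPT lines, one for each type in NICE_ICMP_TYPES, which can be pasted into /etc/shorewall/rules in place of the original list line. A list entry that is not a valid ICMP type is rejected up front rather than being written into the firewall configuration.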
Comment 1 Constanze Hausner (RETIRED) gentoo-dev 2011-03-04 16:20:07 UTC
Hi Navid,

I looked at your problem. I think you misunderstood the documentation or the documentation is wrong. The functionality of multiple icmp-types is no longer present in shorewall. It was removed around version 3.9. I'm sorry if you had problems, but the old stable was really old and I was not able to add all changes to the emerge output. I just recently adopted this package and was not aware that the multi-icmp-functionality existed in 3.4 and was dropped.
Comment 2 Navid Zamani 2011-03-04 16:24:38 UTC
Ah, OK, thank you. :) Sounds like a really pointless change though. So could you point me to where I can find out the reasons it was changed? (I could not find some kind of changelog containing anything related to it. I also could not find an IRC channel to ask them.) Those have to be pretty good to justify it. After all, you can do it for ports, so why not for ICMP types?
Comment 3 Constanze Hausner (RETIRED) gentoo-dev 2011-03-04 16:29:02 UTC
The information I have is
http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg01734.html
I looked at the code; the patch was integrated in the code-base.
There is also an irc channel on freenode #shorewall :).
Comment 4 Navid Zamani 2011-03-05 12:22:49 UTC
Looks like they simply were lazy, and instead of implementing it properly (making one rules.conf ICMP rule into multiple iptables rules… or even better: fixing iptables!), they just disabled it.
Oh well, I asked in their dead IRC channel, and on their mailing list, and will wait for an answer.
Comment 5 Stefan Hausner 2011-04-10 09:12:02 UTC
Seems like this functionality will return in the 4.4.19 release of shorewall, see:

http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.19-RC1/releasenotes.txt