iptables supports ICMP code filtering, but it's not documented in the
manpage. Attached patch fixes the manpage. Before:

    --icmp-type [!] typename
        This allows specification of the ICMP type, which can be a
        numeric ICMP type, or one of the ICMP type names shown by the
        command
            iptables -p icmp -h

After:

    --icmp-type [!] type[/code]|typename
        This allows specification of the ICMP type, which can be a
        numeric ICMP type, type and code, or one of the ICMP type names
        shown by the command
            iptables -p icmp -h

It also changes the text style: keywords are underlined.

Note: iptables builtin help was already correct:
---------------------
$ iptables -p icmp -h
(...)
icmp match options:
[!] --icmp-type typename        match icmp type
                                (or numeric type or type/code)
(...)
---------------------

--
Victor Stinner
http://www.inl.fr/

diff --git a/extensions/libipt_icmp.man b/extensions/libipt_icmp.man index 8c1bdbe..0798d7c 100644 --- a/extensions/libipt_icmp.man +++ b/extensions/libipt_icmp.man @@ -1,9 +1,14 @@ This extension can be used if `\-\-protocol icmp' is specified. It provides the following option: .TP -[\fB!\fP] \fB\-\-icmp\-type\fP \fItypename\fP +\fB\-\-icmp\-type\fP [\fB!\fP] \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP This allows specification of the ICMP type, which can be a numeric -ICMP type, or one of the ICMP type names shown by the command +ICMP +.IR type , +.IR type +and +.IR code , +or one of the ICMP type names shown by the command .nf iptables \-p icmp \-h .fi
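
Review bot: the new synopsis line moves the negation marker from before the option to after it (the removed line starts with `[\fB!\fP] \fB\-\-icmp\-type\fP`, the added one with `\fB\-\-icmp\-type\fP [\fB!\fP]`), which the description does not mention and which no longer matches the builtin help quoted in the message (`[!] --icmp-type typename`). Unless the reorder is intended, keep `[\fB!\fP]` in front of `\fB\-\-icmp\-type\fP` so the manpage and `iptables -p icmp -h` show the same syntax; if it is intended, say so in the description. Separately, in `\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP` the scope of the `|` is ambiguous when rendered as `type[/code]|typename`; wrapping the alternatives in braces, `{type[/code]|typename}`, would make clear that the optional `/code` belongs only to the numeric form. That matters for rule authors, since a rule written with a bare type matches every code of that type and can be broader than intended.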