Package: iptables
Version: 1.4.4-2
Severity: normal
Tags: patch

Whilst fixing an ICMP fragmentation-needed blackhole related network problem, I noted a couple of areas where the iptables man page could be clearer. See patch for details.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-rc5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6  2.9-25  GNU C Library: Shared libraries

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information

--- libxt_TCPMSS.man.old 2009-10-16 17:13:07.000000000 +0100 +++ libxt_TCPMSS.man 2009-10-16 20:00:04.000000000 +0100 @@ -34,9 +34,19 @@ \-j TCPMSS \-\-clamp\-mss\-to\-pmtu .TP \fB\-\-set\-mss\fP \fIvalue\fP -Explicitly set MSS option to specified value. +Prior to Linux 2.6.25, explicitly set MSS option to specified value. +For Linux 2.6.25 and later, ensure MSS option does not exceed the +specified value. + .TP \fB\-\-clamp\-mss\-to\-pmtu\fP Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). +This may not function as desired where asymmetric routes with differing +path MTU exist - the kernel uses the path MTU which it would use to send +packets from itself to the source and destination IP addresses. Prior to +Linux 2.6.25, only the path MTU to the destination IP address was +considered by this option; subsequent kernels also consider the path MTU +to the source IP address. + .PP These options are mutually exclusive.
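
Review bot: The added paragraph under --clamp-mss-to-pmtu says the kernel uses "the path MTU which it would use to send packets from itself to the source and destination IP addresses" but never says how the two values are combined, so a reader cannot tell which MTU the clamp is derived from when the routes differ; state the rule explicitly (for example, whether the smaller of the two is used) and phrase the asymmetric-route caveat in terms of that rule. The same paragraph uses a bare " - " as a dash where the rest of the file escapes hyphens as \-, and the patch adds empty lines before .TP and .PP that the original text did not have; both should be brought in line with the file's existing style. For --set-mss, consider describing the Linux 2.6.25 and later behaviour first and the older behaviour second, so the behaviour of current kernels is read first.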