Package: iptables
Version: 1.4.4-2
Severity: normal
Tags: patch
Whilst fixing an ICMP fragmentation-needed blackhole related network
problem, I noted a couple of areas where the iptables man page could
be clearer. See patch for details.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-rc5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iptables depends on:
ii libc6 2.9-25 GNU C Library: Shared libraries
iptables recommends no packages.
iptables suggests no packages.
-- no debconf information
--- libxt_TCPMSS.man.old 2009-10-16 17:13:07.000000000 +0100
+++ libxt_TCPMSS.man 2009-10-16 20:00:04.000000000 +0100
@@ -34,9 +34,19 @@
\-j TCPMSS \-\-clamp\-mss\-to\-pmtu
.TP
\fB\-\-set\-mss\fP \fIvalue\fP
-Explicitly set MSS option to specified value.
+Prior to Linux 2.6.25, explicitly set MSS option to specified value.
+For Linux 2.6.25 and later, ensure MSS option does not exceed the
+specified value.
+
.TP
\fB\-\-clamp\-mss\-to\-pmtu\fP
Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
+This may not function as desired where asymmetric routes with differing
+path MTU exist - the kernel uses the path MTU which it would use to send
+packets from itself to the source and destination IP addresses. Prior to
+Linux 2.6.25, only the path MTU to the destination IP address was
+considered by this option; subsequent kernels also consider the path MTU
+to the source IP address.
+
.PP
These options are mutually exclusive.
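Review bot: the new --clamp-mss-to-pmtu paragraph uses a bare " - " as a dash ("path MTU exist - the kernel uses"), while the rest of this file escapes hyphens as "\-". Splitting it into two sentences ("...differing path MTU exist. The kernel uses...") avoids the roff escaping question altogether. The two added empty lines, one before ".TP" and one before ".PP", should be dropped: the macros already provide the paragraph spacing, and a blank line in man source adds extra vertical space in the rendered page. On wording, the clamp text says that kernels from 2.6.25 on "also consider the path MTU to the source IP address" but does not say how the two path MTU values are combined into the clamped MSS. One sentence stating which value wins would make the asymmetric-route caveat actionable for someone debugging a fragmentation-needed blackhole. In the --set-mss text, "ensure MSS option does not exceed the specified value" would read more precisely if it said what happens to an MSS that is already lower than the specified value, since that is the behavioural difference from the pre-2.6.25 description.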