diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 6567fc80c..6b6634bd4 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2125,10 +2125,12 @@ sub setup_mss( ) {
for ( @$interfaces ) {
my $mss = get_interface_option( $_, 'mss' );
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
- add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
- add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
- add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
- add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
+ my $source = match_source_dev $_;
+ my $dest = match_dest_dev $_;
+ add_rule $chainref, "$dest -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
+ add_rule $chainref, "$dest -j RETURN" if $clampmss;
+ add_rule $chainref, "$source -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
+ add_rule $chainref, "$source -j RETURN" if $clampmss;
}
}
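Review bot: The new rule strings put an explicit space after the matcher fragment (`"$dest -p tcp …"`, `"$source -j RETURN"`), whereas the `${mssmatch}${out_match}-j` fragments on the same lines rely on each fragment carrying its own trailing space, as `$mssmatch` visibly does; if match_dest_dev/match_source_dev follow that convention too (not visible in this hunk), the emitted rules contain a doubled space, which iptables tolerates but which makes the line inconsistent with itself. Either drop the explicit space and use `"${dest}-p tcp …"` / `"${source}-j RETURN"` to match the neighbouring fragments, or add a short why-comment above the two `my` lines explaining what the helpers add over the plain `-o $_` / `-i $_` they replace, e.g. `# match_*_dev yields the proper -i/-o (or equivalent) match for this interface type` — adjust the wording to what the helpers actually do. Note also that `$mss` from get_interface_option is still interpolated into the rule unchecked on the new lines; a numeric sanity check (or a comment stating that the option is validated where it is parsed) would make that explicit. setup_mss begins before this hunk, so the definitions of `$chainref`, `$clampmss`, `$in_match` and `$out_match` are outside the view.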
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 2f94827b3..371b8a64d 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1028,6 +1028,79 @@ Shorewall has detected the following iptables/netfilter capabilities:
"!tcp").
+
+ ICMP and ICMP6 Types and Codes
+
+ When dealing with ICMP, the DEST PORT specifies the type or type and
+ code. You may specify the numeric type, the numeric type and code
+ separated by a slash (e.g., 3/4) or you may use a type name.
+
+ Type names for IPv4 and their corresponding type or type/code
+ are:
+
+ echo-reply' => 0
+destination-unreachable => 3
+ network-unreachable => 3/0
+ host-unreachable => 3/1
+protocol-unreachable => 3/2
+port-unreachable => 3/3
+fragmentation-needed => 3/4
+source-route-failed => 3/5
+network-unknown => 3/6
+host-unknown => 3/7
+network-prohibited => 3/9
+host-prohibited => 3/10
+TOS-network-unreachable => 3/11
+TOS-host-unreachable => 3/12
+communication-prohibited => 3/13
+host-precedence-violation => 3/14
+precedence-cutoff => 3/15
+source-quench => 4
+redirect => 5
+ network-redirect => 5/0
+ host-redirect => 5/1
+ TOS-network-redirect => 5/2
+ TOS-host-redirect => 5/3
+echo-request => 8
+router-advertisement => 9
+router-solicitation => 10
+time-exceeded => 11
+ ttl-zero-during-transit => 11/0
+ ttl-zero-during-reassembly=> 11/1
+parameter-problem => 12
+ ip-header-bad => 12/0
+ required-option-missing => 12/1
+timestamp-request => 13
+timestamp-reply => 14
+address-mask-request => 17
+address-mask-reply => 18
+
+ Type names for IPv6 and their corresponding type or type/code
+ are:
+
+ destination-unreachable => 1
+ no-route' => 1/0
+ communication-prohibited => 1/1
+ address-unreachable' => 1/2
+ port-unreachable' => 1/3
+packet-too-big => 2
+time-exceeded' => 3
+ttl-exceeded' => 3
+ ttl-zero-during-transit => 3/0
+ ttl-zero-during-reassembly => 3/1
+parameter-problem => 4
+ bad-header => 4/0
+ unknown-header-type => 4/1
+ unknown-option => 4/2
+echo-request => 128
+echo-reply => 129
+router-solicitation => 133
+router-advertisement => 134
+neighbour-solicitation => 135
+neighbour-advertisement => 136
+redirect => 137
+
+