Your message dated Mon, 08 Apr 2019 10:49:54 +0000 with message-id <[email protected]> and subject line Bug#923879: fixed in openssh 1:7.9p1-10 has caused the Debian Bug report #923879, regarding ssh: IPQoS defaults change interacts badly with iptables -m tos to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
923879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923879
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-client
Version: 1:7.8p1-1
Control: clone -1 -2
Control: reassign -2 iptables
Control: retitle -2 iptables -m tos --tos mask value is wrong
Control: affects -1 + iptables
Control: affects -2 openssh-client

In openssh/1:7.8p1-1, the default for IPQoS changed from

    IPQoS lowdelay throughput

to

    IPQoS af21 cs1

Good reasons for this change are given in https://lists.gt.net/openssh/commits/71079.

Now since the old ssh used TOS values, matching them with iptables naturally involved the tos module. Your match for bulk traffic would usually look like this:

    iptables -m tos --tos Maximize-Throughput ...

Unfortunately, that becomes "0x08/0x3f". That interacts badly with DSCP class af21. IPTOS_DSCP_AF21 is valued 0x48. The Maximize-Throughput match now matches interactive traffic. This is very bad.

What I don't understand is why this happens though. The 0x3f mask used by iptables here is supposed to exclude the ECN bits. DSCP is supposed to coexist with ECN, so it shouldn't be setting any ECN bits. Why would it match interactive traffic as bulk then?

<netinet/ip.h>, which defines IPTOS_DSCP_AF21 as 0x48, also defines IPTOS_ECN_MASK as 0x3. This suggests that iptables' ECN mask is wrong. It should be using 0xfc rather than 0x3f.

Unfortunately, this is deployed now and ssh's new default breaks users of -m tos (that matched ssh's old default) now. Thus I suggest reverting the IPQoS change until iptables has been fixed.

And fixing iptables is going to be "interesting". It also defines --tos Minimize-Cost, which happens to be bit 6 (RFC 1349). Bits 6 and 7 are ECN bits, though. So offering Minimize-Cost with an ECN mask simply won't work. I guess the best thing we can do here is acknowledge that TOS and ECN don't work well together. Indeed the relevant RFCs define bit 7 as "must be zero". This suggests changing the mask to 0xff is in order.

For ssh, I recommend temporarily reverting to the old default to give iptables some time.

Helmut
--- End Message ---
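The collision described in the report can be reproduced without a kernel: the following added example (written for this page, not code from the bug report, iptables or OpenSSH) models the xt_tos comparison as (packet_tos & mask) == value, applies it to OpenSSH's old and new IPQoS defaults under the 0x3f mask the report quotes and under the 0xfc alternative it proposes, and checks which symbolic --tos names can match at all under each mask. The TOS constants are the <netinet/ip.h> values the report cites; the symbolic-name table is taken from the iptables tos match as the report describes it.

```python
# Added example, not from the bug report or from iptables/openssh: it models
# the "iptables -m tos" comparison and applies it to OpenSSH's IPQoS defaults.

# TOS byte values as defined in <netinet/ip.h>
IPTOS_LOWDELAY = 0x10      # old ssh interactive default
IPTOS_THROUGHPUT = 0x08    # old ssh bulk default
IPTOS_DSCP_AF21 = 0x48     # new ssh interactive default
IPTOS_CLASS_CS1 = 0x20     # new ssh bulk default
IPTOS_ECN_MASK = 0x03      # ECN occupies the two low-order bits

# Symbolic names accepted by "iptables -m tos --tos <name>" (RFC 1349 bits);
# the implicit mask the bug report quotes for these names is 0x3f.
TOS_SYMBOLS = {
    "Minimize-Delay": 0x10,
    "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04,
    "Minimize-Cost": 0x02,
    "Normal-Service": 0x00,
}
SYMBOL_MASK = 0x3F      # mask iptables applies today (per the report)
DSCP_MASK = 0xFC        # mask that would exclude only the ECN bits

def split_tos(tos):
    """Decode a TOS byte into (DSCP, ECN): DSCP is the upper 6 bits."""
    return tos >> 2, tos & IPTOS_ECN_MASK

def tos_matches(tos, value, mask):
    """The xt_tos test: mask the packet's TOS byte, then compare."""
    return (tos & mask) == value

def matching_symbols(tos, mask=SYMBOL_MASK):
    """Symbolic --tos names that a packet carrying this TOS byte would match."""
    return [n for n, v in TOS_SYMBOLS.items() if tos_matches(tos, v, mask)]

def can_ever_match(value, mask):
    """A value with bits outside the mask can never match any packet."""
    return (value & mask) == value

def classify_ssh_defaults(mask=SYMBOL_MASK):
    """Map each OpenSSH IPQoS default to the --tos names it matches."""
    defaults = {
        "old interactive (lowdelay)": IPTOS_LOWDELAY,
        "old bulk (throughput)": IPTOS_THROUGHPUT,
        "new interactive (af21)": IPTOS_DSCP_AF21,
        "new bulk (cs1)": IPTOS_CLASS_CS1,
    }
    return {k: matching_symbols(v, mask) for k, v in defaults.items()}
```

Running classify_ssh_defaults() shows af21 (0x48) landing on Maximize-Throughput under the 0x3f mask, exactly the misclassification the report describes; under 0xfc it matches nothing, but Minimize-Cost (0x02) then becomes unmatchable, which is the second problem the report raises.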
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-10

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Apr 2019 11:13:04 +0100
Source: openssh
Architecture: source
Version: 1:7.9p1-10
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 923879 926229
Changes:
 openssh (1:7.9p1-10) unstable; urgency=medium
 .
   * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
     "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
     LP: #1822370).
--- End Message ---

