
Bug#923879: marked as done (ssh: IPQoS defaults change interacts badly with iptables -m tos)



Your message dated Mon, 08 Apr 2019 10:49:54 +0000
with message-id <E1hDRqc-000DRD-UH@fasolo.debian.org>
and subject line Bug#923879: fixed in openssh 1:7.9p1-10
has caused the Debian Bug report #923879,
regarding ssh: IPQoS defaults change interacts badly with iptables -m tos
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
923879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923879
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:7.8p1-1
Control: clone -1 -2
Control: reassign -2 iptables
Control: retitle -2 iptables -m tos --tos mask value is wrong
Control: affects -1 + iptables
Control: affects -2 openssh-client

In openssh/1:7.8p1-1, the default for IPQoS changed from

    IPQoS lowdelay throughput

to

    IPQoS af21 cs1

Good reasons for this change are given in
https://lists.gt.net/openssh/commits/71079.

Now since the old ssh used TOS values, matching them with iptables
naturally involved the tos module. Your match for bulk traffic would
usually look like this:

    iptables -m tos --tos Maximize-Throughput ...

Unfortunately, that becomes "0x08/0x3f". That interacts badly with DSCP
class af21. IPTOS_DSCP_AF21 is valued 0x48. The Maximize-Throughput match
now matches interactive traffic. This is very bad.

What I don't understand is why this happens though. The 0x3f mask used
by iptables here is supposed to exclude the ECN bits. DSCP is supposed
to coexist with ECN, so it shouldn't be setting any ECN bits. Why would
it match interactive traffic as bulk then? <netinet/ip.h>, which defines
IPTOS_DSCP_AF21 as 0x48, also defines IPTOS_ECN_MASK as 0x3. This
suggests that iptables' ECN mask is wrong. It should be using 0xfc
rather than 0x3f.

Unfortunately, this is deployed now and ssh's new default breaks users
of -m tos (that matched ssh's old default) now. Thus I suggest reverting
the IPQoS change until iptables has been fixed.

And fixing iptables is going to be "interesting". It also defines --tos
Minimize-Cost, which happens to be bit 6 (RFC 1349). Bits 6 and 7 are ECN
bits though. So offering Minimize-Cost with an ECN mask simply won't
work. I guess the best thing we can do here is acknowledge that TOS and
ECN don't work well together. Indeed the relevant RFCs define bit 7 as
"must be zero". This suggests changing the mask to 0xff is in order.

For ssh, I recommend temporarily reverting to the old default to give
iptables some time.

Helmut

--- End Message ---
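The mask interaction Helmut describes can be checked arithmetically. The following is an added example, not code from the bug report, from iptables or from OpenSSH: it models the "-m tos --tos value/mask" comparison as AND-then-compare (an assumption about the match semantics, taken from the value/mask form shown above), uses the IPTOS_* values from <netinet/ip.h> and the RFC 1349 names the report cites, and walks the old and new ssh defaults through the 0x3f, 0xfc and 0xff masks.

```python
# Added example (not part of the Debian bug report, iptables or OpenSSH).
# Constants: IPTOS_LOWDELAY/IPTOS_THROUGHPUT/IPTOS_DSCP_AF21/IPTOS_ECN_MASK
# are the <netinet/ip.h> values; CS1 = 0x20 is class selector 1 (RFC 2474).
IPTOS_ECN_MASK = 0x03
IPTOS_DSCP_MASK = 0xFC          # assumption: complement of the ECN mask
IPTOS_DSCP_AF21 = 0x48
IPTOS_DSCP_CS1 = 0x20
IPTOS_LOWDELAY = 0x10
IPTOS_THROUGHPUT = 0x08

# RFC 1349 TOS names as "iptables -m tos --tos <name>" exposes them.
TOS_NAMES = {
    "Minimize-Delay": 0x10,
    "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04,
    "Minimize-Cost": 0x02,
    "Normal-Service": 0x00,
}

# The four ssh defaults discussed in the report: old "lowdelay throughput",
# new "af21 cs1" (interactive first, bulk second).
SSH_DEFAULTS = {
    "lowdelay": IPTOS_LOWDELAY,       # old interactive
    "throughput": IPTOS_THROUGHPUT,   # old bulk
    "af21": IPTOS_DSCP_AF21,          # new interactive
    "cs1": IPTOS_DSCP_CS1,            # new bulk
}


def tos_matches(tos_byte: int, value: int, mask: int) -> bool:
    """Model of the match: the packet's TOS byte is ANDed with the mask
    and the result compared with the rule's value (assumed semantics)."""
    return (tos_byte & mask) == value


def mask_keeps(mask: int) -> dict:
    """How many DSCP bits (upper six) and ECN bits (lower two) a mask
    leaves in the comparison. A mask that keeps ECN bits while dropping
    DSCP bits is what lets distinct DSCP classes alias each other."""
    return {
        "dscp_bits_kept": bin(mask & IPTOS_DSCP_MASK).count("1"),
        "ecn_bits_kept": bin(mask & IPTOS_ECN_MASK).count("1"),
    }


def audit_rule(tos_name: str, mask: int, packets: dict = SSH_DEFAULTS) -> dict:
    """For one '--tos <name>' rule under a given mask, report which of the
    ssh default markings the rule would match."""
    value = TOS_NAMES[tos_name]
    return {name: tos_matches(tos, value, mask) for name, tos in packets.items()}


def main() -> None:
    for mask in (0x3F, 0xFC, 0xFF):
        print(f"mask 0x{mask:02x}: {mask_keeps(mask)}")
        for name in ("Maximize-Throughput", "Minimize-Delay", "Minimize-Cost"):
            print(f"  --tos {name:20s} -> {audit_rule(name, mask)}")


if __name__ == "__main__":
    main()
```

Under the 0x3f mask, 0x48 & 0x3f == 0x08, so the Maximize-Throughput rule matches the new interactive class af21; the mask keeps both ECN bits and drops the two high DSCP bits, one of which (0x40) is what distinguishes af21 from the old throughput value. With 0xfc the aliasing disappears, but Minimize-Cost (0x02) can never match because its bit is masked away, which is the tension with RFC 1349 the report points out; 0xff matches all five names exactly.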
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-10

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923879@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Apr 2019 11:13:04 +0100
Source: openssh
Architecture: source
Version: 1:7.9p1-10
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 923879 926229
Changes:
 openssh (1:7.9p1-10) unstable; urgency=medium
 .
   * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
     "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
     LP: #1822370).
Checksums-Sha1:
 63e0bffc771c0a2d8be9e5c8b906f5ed263d2e52 3165 openssh_7.9p1-10.dsc
 f4f2fb7f92f7f5aa9bef9d2c5864dc8c1cc92cbe 172960 openssh_7.9p1-10.debian.tar.xz
 4dc7f1bbc1d3bcaa3c8d6e9411cd6c1ea02855d3 14678 openssh_7.9p1-10_source.buildinfo
Checksums-Sha256:
 88d06343d14fad5f72c2d2594b1f108fdcc1967ed7bff7e6e5668e78547ede01 3165 openssh_7.9p1-10.dsc
 d726560e4f437c0385d88a9c06562fe9659646f060574da96a7bd8981113391f 172960 openssh_7.9p1-10.debian.tar.xz
 17e56b2b06f468cd67c3d901535b1a37cdb15fe6319901eb63ee7df1d0acd78c 14678 openssh_7.9p1-10_source.buildinfo
Files:
 c5a99c5d0e7372a6fd5239882df2e2a7 3165 net standard openssh_7.9p1-10.dsc
 e18fb0283d208658441996acec990b65 172960 net standard openssh_7.9p1-10.debian.tar.xz
 736b73b53908af17520514c4f130f29c 14678 net standard openssh_7.9p1-10_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
