Re: #923880 - "iptables -m tos --tos mask value is wrong"

Hi Job,

Thanks for reaching out.

On Wed, Jul 30, 2025 at 10:57:06AM +0000, Job Snijders wrote:
> Today I stumbled across the "temporary workaround" patch that is
> https://sources.debian.org/src/openssh/1:8.4p1-5+deb11u3/debian/patches/revert-ipqos-defaults.patch/
> caused by this report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923880
>
> Reading the associated threads it seems that VMware fixed their
> products by now, but I wasn't able to find pointers to threads that
> describe the problem in iptables and the solution (or if any solution
> was created?).
>
> Do you know whether the revert-ipqos-defaults.patch really still is
> needed?

As the submitter of the issue, I am in favour of dropping the patch at
the beginning of the forky cycle. Rationale as follows.

 * If I remember correctly, the change was introduced relatively close
   to a freeze and it posed difficulties to adapt iptables. Hence, I
   proposed *temporarily* reverting the change in ssh to give users
   more time to adapt and prepare.
 * It is now clear that iptables will not be fixed. The suggested
   workaround is to use numeric values. This workaround is deployable on
   old iptables versions.
 * We're transitioning from iptables to nftables, so compatibility with
   iptables becomes less of a concern. It still is, but the weight of
   the argument decays.
 * Debian is now deviating from the rest of the world and such deviation
   is always a downside.

The change likely warrants a NEWS entry.

> But it seems Colin Watson doesn't want to remove the
> revert-ipqos-defaults patch without users or developers confirming the
> issue is resolved.

This characterization seems unlikely to me. I'd like to hear what Colin
says himself.

Helmut