Re: #923880 - "iptables -m tos --tos mask value is wrong"
Dear all,
On Thu, Jul 31, 2025 at 08:41:51PM +0200, Helmut Grohne wrote:
> > Do you know whether the revert-ipqos-defaults.patch really still is
> > needed?
>
> As the submitter of the issue, I am in favour of dropping the patch at
> the beginning of the forky cycle. Rationale as follows.
> * If I remember correctly, the change was introduced relatively close
> to a freeze and it posed difficulties to adapt iptables. Hence, I
> proposed *temporarily* reverting the change in ssh to give users
> more time to adapt and prepare.
> * It is now clear that iptables will not be fixed. The suggested
> workaround is to use numeric values. This workaround is deployable on
> old iptables versions.
> * We're transitioning from iptables to nftables, so compatibility with
> iptables becomes less of a concern. It still is, but the weight of
> the argument decays.
> * Debian is now deviating from the rest of the world and such deviation
> is always a downside.
>
> The change likely warrants a NEWS entry.
Helmut - thanks for the summary.
There is additional new information I'd like to share for the Debian
project maintainers to consider. The OpenSSH IPQoS default settings have
been revised to align with modern network practices.
The default traffic class marking for interactive traffic now is 'EF':
https://github.com/openbsd/src/commit/4f5a9e02a96b297056eed4c49ebfa0342c5e1d4f
The default marking for non-interactive traffic now is the operating
system default:
https://github.com/openbsd/src/commit/cc6a50fd6732a5f3010f9a3505e566f6d4da0faf
The rationale is explained in more detail in the commit messages, but in
summary we wish to opportunistically take advantage of modern WiFi where
EF-marked traffic ought to be mapped to a higher priority queue (AC_VO).
I believe these new defaults will positively impact the experience for
all SSH users.
Coincidentally, EF-marked traffic has the ToS 'Delay' bit enabled, so
these new default settings might offer better harmonization
(backwards-compatibility?) with olden 'iptables -m tos --tos' deployments
which contributed towards the decision to revert the previous default
IPQoS.
My hope is that next versions of the OpenSSH package in Debian will
align with the revised upstream choices for default DSCP markings. In
other words, please get rid of the revert patch and don't introduce a
new one! :-)
> > But it seems Colin Watson doesn't want to remove the
> > revert-ipqos-defaults patch without users or developers confirming
> > the issue is resolved.
>
> This characterization seems unlikely to me. I'd like to hear what
> Colin says himself.
Ah, it certainly was not my intention to put words in anyone's mouth, my
apologies if it came across like that. Based on offlist messages I am
under the impression that Colin would like to see feedback from folks
who engaged with the original problem report (and it seems that's
happening, which is nice!).
Thank you all for your work on Debian.
Kind regards,
Job
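Added example (Python; not part of this bug thread or of OpenSSH/iptables) showing the ToS arithmetic behind the "EF has the Delay bit set" remark above and how an `iptables -m tos --tos value/mask` rule treats an EF-marked packet. It relies on the kernel xt_tos semantics (match when `(tos & mask) == value`) and on the standard constants DSCP EF = 46 and IPTOS_LOWDELAY = 0x10; the sample packet values are constructed.

```python
# Added example: DSCP EF in the legacy IPv4 ToS byte and xt_tos matching.

DSCP_EF = 46                # Expedited Forwarding (RFC 3246)
IPTOS_LOWDELAY = 0x10       # legacy RFC 1349 "Minimize-Delay" bit
IPTOS_THROUGHPUT = 0x08
IPTOS_RELIABILITY = 0x04
IPTOS_MINCOST = 0x02
ECN_MASK = 0x03             # low two bits are ECN, not part of DSCP

def dscp_to_tos(dscp):
    """A 6-bit DSCP occupies the upper six bits of the ToS byte."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2

def decode_tos(tos):
    """Show one ToS byte both as DSCP and as the legacy precedence/D/T/R/C fields."""
    return {
        "dscp": tos >> 2,
        "precedence": tos >> 5,
        "lowdelay": bool(tos & IPTOS_LOWDELAY),
        "throughput": bool(tos & IPTOS_THROUGHPUT),
        "reliability": bool(tos & IPTOS_RELIABILITY),
        "mincost": bool(tos & IPTOS_MINCOST),
        "ecn": tos & ECN_MASK,
    }

def tos_match(tos, value, mask=0xFF):
    """xt_tos rule semantics: the packet matches when (tos & mask) == value."""
    return (tos & mask) == value

if __name__ == "__main__":
    ef = dscp_to_tos(DSCP_EF)                      # 0xb8
    print(f"EF as ToS byte: {ef:#04x} -> {decode_tos(ef)}")
    # Old ssh interactive default (lowdelay, 0x10) and new default (EF):
    for pkt in (IPTOS_LOWDELAY, ef, ef | 0x01):    # last one has ECN ECT(1) set
        print(f"tos={pkt:#04x}: "
              f"--tos 0x10/0x10 -> {tos_match(pkt, 0x10, 0x10)}, "
              f"--tos 0xb8/0xfc -> {tos_match(pkt, 0xb8, 0xfc)}, "
              f"--tos 0xb8 (mask 0xff) -> {tos_match(pkt, 0xb8)}")
```

A numeric rule such as `--tos 0x10/0x10` matches both the old lowdelay marking and EF, while a full-byte mask breaks as soon as the ECN bits are set, so a DSCP-level match should use mask 0xfc.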