Debian Bug report logs - #923879
ssh: IPQoS defaults change interacts badly with iptables -m tos
Reported by: Helmut Grohne <helmut@subdivi.de>
Date: Wed, 6 Mar 2019 17:18:01 UTC
Severity: normal
Found in version openssh/1:7.8p1-1
Fixed in version openssh/1:7.9p1-10
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, pkg-netfilter-team@lists.alioth.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923879; Package openssh-client.
(Wed, 06 Mar 2019 17:18:03 GMT)
Acknowledgement sent
to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to pkg-netfilter-team@lists.alioth.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 06 Mar 2019 17:18:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssh-client
Version: 1:7.8p1-1
Control: clone -1 -2
Control: reassign -2 iptables
Control: retitle -2 iptables -m tos --tos mask value is wrong
Control: affects -1 + iptables
Control: affects -2 openssh-client
In openssh/1:7.8p1-1, the default for IPQoS changed from
IPQoS lowdelay throughput
to
IPQoS af21 cs1
Good reasons for this change are given in
https://lists.gt.net/openssh/commits/71079.
Now since the old ssh used TOS values, matching them with iptables
naturally involved the tos module. Your match for bulk traffic would
usually look like this:
iptables -m tos --tos Maximize-Throughput ...
Unfortunately, that becomes "0x08/0x3f". That interacts badly with DSCP
class af21. IPTOS_DSCP_AF21 is valued 0x48. The Maximize-Throughput match
now matches interactive traffic. This is very bad.
What I don't understand is why this happens though. The 0x3f mask used
by iptables here is supposed to exclude the ECN bits. DSCP is supposed
to coexist with ECN, so it shouldn't be setting any ECN bits. Why would
it match interactive traffic as bulk then? <netinet/ip.h>, which defines
IPTOS_DSCP_AF21 as 0x48, also defines IPTOS_ECN_MASK as 0x3. This
suggests that iptables' ECN mask is wrong. It should be using 0xfc
rather than 0x3f.
Unfortunately, this is deployed now and ssh's new default breaks users
of -m tos (that matched ssh's old default) now. Thus I suggest reverting
the IPQoS change until iptables has been fixed.
And fixing iptables is going to be "interesting". It also defines --tos
Minimize-Cost, which happens to be bit 6 (RFC 1349). Bit 6 and 7 are ECN
bits though. So offering Minimize-Cost with an ECN mask simply won't
work. I guess the best thing we can do here is acknowledge that TOS and
ECN don't work well together. Indeed the relevant RFCs define bit 7 as
"must be zero". This suggests changing the mask to 0xff is in order.
For ssh, I recommend temporarily reverting to the old default to give
iptables some time.
Helmut
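As an added illustration (not part of the bug report or of iptables itself), the Python below models the tos match's value/mask comparison so the report's claim can be checked without a firewall: af21 (0x48) collapses to 0x08 under the 0x3f mask and is matched as Maximize-Throughput, while a DSCP-aware mask (0xfc, the complement of IPTOS_ECN_MASK) keeps them apart. The comparison `(tos & mask) == (value & mask)` and the symbolic names' values are assumptions stated in the comments; the af21, ECN mask and 0x3f figures are the ones quoted above.

```python
# Added example modelling "iptables -m tos --tos <name>" matching.
# Constants as in <netinet/ip.h> (DSCP occupies the top six bits of the
# TOS byte, ECN the bottom two; af21 and the ECN mask are quoted in the report).
IPTOS_DSCP_AF21 = 0x48   # new ssh interactive default
IPTOS_DSCP_CS1 = 0x20    # new ssh bulk default
IPTOS_LOWDELAY = 0x10    # old ssh interactive default
IPTOS_THROUGHPUT = 0x08  # old ssh bulk default
IPTOS_ECN_MASK = 0x03
ECN_ECT0 = 0x02          # one ECN codepoint, used to build an ECN-marked sample

# Symbolic --tos names (RFC 1349 values) as the iptables tos match accepts them.
TOS_NAMES = {
    "Minimize-Delay": 0x10,
    "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04,
    "Minimize-Cost": 0x02,
    "Normal-Service": 0x00,
}

MASK_IPTABLES = 0x3f             # what "--tos Maximize-Throughput" expands to
MASK_DSCP = 0xff & ~IPTOS_ECN_MASK  # 0xfc: keep DSCP bits, ignore ECN
MASK_FULL = 0xff                 # the report's final suggestion


def tos_matches(packet_tos, name, mask):
    """Assumed match semantics: (packet TOS & mask) == (rule value & mask)."""
    return (packet_tos & mask) == (TOS_NAMES[name] & mask)


def classify(packet_tos, mask):
    """Names of every --tos rule a packet with this TOS byte would hit."""
    return [n for n in TOS_NAMES if tos_matches(packet_tos, n, mask)]


if __name__ == "__main__":
    samples = {"af21": IPTOS_DSCP_AF21, "cs1": IPTOS_DSCP_CS1,
               "lowdelay": IPTOS_LOWDELAY, "throughput": IPTOS_THROUGHPUT,
               "af21+ECT(0)": IPTOS_DSCP_AF21 | ECN_ECT0}
    for mask in (MASK_IPTABLES, MASK_DSCP, MASK_FULL):
        for label, tos in samples.items():
            print(f"mask 0x{mask:02x} tos 0x{tos:02x} ({label}): "
                  f"{classify(tos, mask) or '-'}")
```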
Bug 923879 cloned as bug 923880
Request was from Helmut Grohne <helmut@subdivi.de>
to submit@bugs.debian.org.
(Wed, 06 Mar 2019 17:18:04 GMT)
Added indication that 923879 affects iptables
Request was from Helmut Grohne <helmut@subdivi.de>
to submit@bugs.debian.org.
(Wed, 06 Mar 2019 17:18:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923879; Package openssh-client.
(Tue, 02 Apr 2019 11:03:06 GMT)
Acknowledgement sent
to Christian Ehrhardt <christian.ehrhardt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Tue, 02 Apr 2019 11:03:06 GMT)
Message #14 received at 923879@bugs.debian.org:
FYI - Related bug filed as
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926229
Message sent on
to Helmut Grohne <helmut@subdivi.de>:
Bug#923879.
(Mon, 08 Apr 2019 10:36:03 GMT)
Message #17 received at 923879-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #923879 in openssh reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/ssh-team/openssh/commit/3d05afd871dd7b44ae567776f2773acc874a63f8
------------------------------------------------------------------------
Temporarily revert IPQoS defaults to pre-7.8 values
This is just until issues with "iptables -m tos" and VMware have been
fixed.
Closes: #923879, #926229
LP: #1822370
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/923879
Added tag(s) pending.
Request was from Colin Watson <cjwatson@debian.org>
to 923879-submitter@bugs.debian.org.
(Mon, 08 Apr 2019 10:36:03 GMT)
Reply sent
to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
(Mon, 08 Apr 2019 10:51:05 GMT)
Notification sent
to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer.
(Mon, 08 Apr 2019 10:51:05 GMT)
Message #24 received at 923879-close@bugs.debian.org:
Source: openssh
Source-Version: 1:7.9p1-10
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 923879@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Apr 2019 11:13:04 +0100
Source: openssh
Architecture: source
Version: 1:7.9p1-10
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 923879 926229
Changes:
openssh (1:7.9p1-10) unstable; urgency=medium
.
* Temporarily revert IPQoS defaults to pre-7.8 values until issues with
"iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
LP: #1822370).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 17 May 2019 07:28:50 GMT)
Last modified: Mon Sep 19 15:38:06 2022