[pkg-netfilter-team] Bug#923879: ssh: IPQoS defaults change interacts badly with iptables -m tos

Helmut Grohne helmut at subdivi.de
Wed Mar 6 17:15:41 GMT 2019


Package: openssh-client
Version: 1:7.8p1-1
Control: clone -1 -2
Control: reassign -2 iptables
Control: retitle -2 iptables -m tos --tos mask value is wrong
Control: affects -1 + iptables
Control: affects -2 openssh-client

In openssh/1:7.8p1-1, the default for IPQoS changed from

    IPQoS lowdelay throughput

to

    IPQoS af21 cs1

Good reasons for this change are given in
https://lists.gt.net/openssh/commits/71079.

Now since the old ssh used TOS values, matching them with iptables
naturally involved the tos module. Your match for bulk traffic would
usually look like this:

    iptables -m tos --tos Maximize-Throughput ...

Unfortunately, that becomes "0x08/0x3f". That interacts badly with DSCP
class af21. IPTOS_DSCP_AF21 is valued 0x48. The Maximize-Throughput match
now matches interactive traffic. This is very bad.

What I don't understand is why this happens though. The 0x3f mask used
by iptables here is supposed to exclude the ECN bits. DSCP is supposed
to coexist with ECN, so it shouldn't be setting any ECN bits. Why would
it match interactive traffic as bulk then? <netinet/ip.h>, which defines
IPTOS_DSCP_AF21 as 0x48, also defines IPTOS_ECN_MASK as 0x3. This
suggests that iptables' ECN mask is wrong. It should be using 0xfc
rather than 0x3f.

Unfortunately, this is deployed now and ssh's new default breaks users
of -m tos (that matched ssh's old default) now. Thus I suggest reverting
the IPQoS change until iptables has been fixed.

And fixing iptables is going to be "interesting". It also defines --tos
Minimize-Cost, which happens to be bit 6 (RFC 1349). Bits 6 and 7 are ECN
bits though. So offering Minimize-Cost with an ECN mask simply won't
work. I guess the best thing we can do here is acknowledge that TOS and
ECN don't work well together. Indeed the relevant RFCs define bit 7 as
"must be zero". This suggests changing the mask to 0xff is in order.

For ssh, I recommend temporarily reverting to the old default to give
iptables some time.

Helmut
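The mask arithmetic behind the report, as an added example that is not part of the bug report or of iptables: it models the xt_tos match ((tos & mask) == value) with the IPTOS_* constants the report cites and checks which of ssh's new defaults each symbolic --tos value catches under the 0x3f mask, the 0xfc mask (complement of IPTOS_ECN_MASK) and 0xff. The function and dictionary names are this example's own.

```python
# Added example, not code from the bug report or from iptables.
# Models "iptables -m tos --tos <value>/<mask>" to show why the
# Maximize-Throughput rule catches DSCP AF21 traffic under a 0x3f mask.

# TOS byte constants from <netinet/ip.h>, as cited in the report.
IPTOS_DSCP_AF21 = 0x48   # ssh's new default for interactive sessions
IPTOS_DSCP_CS1 = 0x20    # ssh's new default for bulk traffic
IPTOS_ECN_MASK = 0x03    # the two ECN bits (bits 6 and 7)

# Symbolic --tos names accepted by iptables and their RFC 1349 values.
TOS_NAMES = {
    "Minimize-Delay": 0x10,
    "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04,
    "Minimize-Cost": 0x02,
    "Normal-Service": 0x00,
}

IPTABLES_TOS_MASK = 0x3f             # "--tos Maximize-Throughput" -> 0x08/0x3f
DSCP_MASK = 0xff & ~IPTOS_ECN_MASK   # 0xfc: everything except the ECN bits
FULL_MASK = 0xff                     # the mask the report suggests


def tos_match(packet_tos: int, value: int, mask: int) -> bool:
    """Semantics of the xt_tos match: the masked TOS byte must equal value."""
    return (packet_tos & mask) == value


def rule_matches(packet_tos: int, name: str, mask: int = IPTABLES_TOS_MASK) -> bool:
    """Does a packet carrying packet_tos hit '-m tos --tos <name>' with this mask?"""
    return tos_match(packet_tos, TOS_NAMES[name], mask)


def can_ever_match(name: str, mask: int) -> bool:
    """A rule is dead if the mask clears bits of its own value:
    no packet can then satisfy (tos & mask) == value."""
    value = TOS_NAMES[name]
    return (value & mask) == value


def classification_table(mask: int) -> dict:
    """For each --tos name, which of ssh's new defaults it would match."""
    packets = {"af21 (interactive)": IPTOS_DSCP_AF21, "cs1 (bulk)": IPTOS_DSCP_CS1}
    return {
        name: [label for label, tos in packets.items() if rule_matches(tos, name, mask)]
        for name in TOS_NAMES
    }


if __name__ == "__main__":
    for mask in (IPTABLES_TOS_MASK, DSCP_MASK, FULL_MASK):
        print(f"mask 0x{mask:02x}: {classification_table(mask)}")
```

Under mask 0x3f the AF21 byte 0x48 masks down to 0x08, which is exactly the Maximize-Throughput value, so interactive traffic is classified as bulk; with 0xfc it no longer matches, but Minimize-Cost (0x02) becomes a rule that can never fire.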
