Merge ~paelzer/ubuntu/+source/openssh:disco-lp-1822370-revert-QoS-defaults into ubuntu/+source/openssh:ubuntu/disco-devel

Proposed by Christian Ehrhardt 
Status: Rejected
Rejected by: Christian Ehrhardt 
Proposed branch: ~paelzer/ubuntu/+source/openssh:disco-lp-1822370-revert-QoS-defaults
Merge into: ubuntu/+source/openssh:ubuntu/disco-devel
Diff against target: 143 lines (+121/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/lp-1822370-revert-IPQos-defaults.patch (+112/-0)
debian/patches/series (+1/-0)
Reviewers (status):
Andreas Hasenack: Needs Information
Canonical Server packageset reviewers: Pending
Canonical Server: Pending
Review via email: mp+365396@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

FYI - if possible we'd like to fix this in Buster and do a very late sync.
But if not we want to have the Ubuntu solution at least ready and discussable - that is what this MP represents.

PPA at https://launchpad.net/~paelzer/+archive/ubuntu/bug-1822370-openssh-qos-defaults

Andreas Hasenack (ahasenack) wrote :

This looks fix released in debian and ubuntu (in disco even) already:
openssh (1:7.9p1-10) unstable; urgency=medium

  * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
    "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
    LP: #1822370).

 -- Colin Watson <email address hidden> Mon, 08 Apr 2019 11:13:04 +0100

1:7.9p1-10 is in disco. Can we close this MP?

review: Needs Information
Christian Ehrhardt  (paelzer) wrote :

Yes this is done by the work of cjwatson (which was the preferred way anyway).
Closing the MP

Unmerged commits

a3132ad... by Christian Ehrhardt 

changelog: revert QoS defaults (LP: #1822370)

Signed-off-by: Christian Ehrhardt <email address hidden>

d498f85... by Christian Ehrhardt 

d/p/lp-1822370-revert-IPQos-defaults.patch: revert QoS defaults (LP: #1822370)

revert QoS defaults as the new defaults trigger issues with
'iptables -m tos' and target systems running under VMWare

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index cc103b7..69c51d6 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+openssh (1:7.9p1-9ubuntu1) disco; urgency=medium
7+
8+ * d/p/lp-1822370-revert-IPQos-defaults.patch: revert QoS defaults
9+ as the new defaults trigger issues with 'iptables -m tos' and
10+ target systems running under VMWare (LP: #1822370).
11+
12+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 02 Apr 2019 13:01:35 +0200
13+
14 openssh (1:7.9p1-9) unstable; urgency=medium
15
16 * Apply upstream patch to make scp handle shell-style brace expansions
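Review bot: the new 1:7.9p1-9ubuntu1 entry says the QoS defaults are reverted but not what they are reverted to. Naming the restored values (lowdelay for interactive sessions, throughput for non-interactive ones, as the man page hunks of the patch state) would tell someone reading only the changelog which markings the package now sends by default. The entry also cites only LP: #1822370, while the patch header carries a Bug-Debian reference to 926229 as well; mentioning it here would help anyone correlating the two trackers.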
17diff --git a/debian/patches/lp-1822370-revert-IPQos-defaults.patch b/debian/patches/lp-1822370-revert-IPQos-defaults.patch
18new file mode 100644
19index 0000000..bd5db93
20--- /dev/null
21+++ b/debian/patches/lp-1822370-revert-IPQos-defaults.patch
22@@ -0,0 +1,112 @@
23+From 5ee8448ad7c306f05a9f56769f95336a8269f379 Mon Sep 17 00:00:00 2001
24+From: "job@openbsd.org" <job@openbsd.org>
25+Date: Wed, 4 Apr 2018 15:12:17 +0000
26+Subject: [PATCH] upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
27+ AF21 for
28+
29+interactive and CS1 for bulk
30+
31+AF21 was selected as this is the highest priority within the low-latency
32+service class (and it is higher than what we have today). SSH is elastic
33+and time-sensitive data, where a user is waiting for a response via the
34+network in order to continue with a task at hand. As such, these flows
35+should be considered foreground traffic, with delays or drops to such
36+traffic directly impacting user-productivity.
37+
38+For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
39+networks implementing a scavanger/lower-than-best effort class to
40+discriminate scp(1) below normal activities, such as web surfing. In
41+general this type of bulk SSH traffic is a background activity.
42+
43+An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
44+is that they are recognisable values on all common platforms (IANA
45+https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
46+for AF21 specifically a definition of the intended behavior exists
47+https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
48+of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
49+for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
50+
51+The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
52+802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
53+or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
54+MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
55+
56+OK deraadt@, "no objection" djm@
57+
58+OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
59+
60+# IF MODIFIED
61+Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
62+Original-Author: "job@openbsd.org" <job@openbsd.org>
63+Origin: backport (revert), https://anongit.mindrot.org/openssh.git/commit/?id=5ee8448ad7c306f05a9f56769f95336a8269f379
64+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
65+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926229
66+Last-Update: 2019-04-02
67+
68+---
69+ readconf.c | 6 +++---
70+ servconf.c | 6 +++---
71+ ssh_config.5 | 10 ++++++----
72+ sshd_config.5 | 10 ++++++----
73+ 4 files changed, 18 insertions(+), 14 deletions(-)
74+
75+--- a/readconf.c
76++++ b/readconf.c
77+@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
78+ if (options->visual_host_key == -1)
79+ options->visual_host_key = 0;
80+ if (options->ip_qos_interactive == -1)
81+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
82++ options->ip_qos_interactive = IPTOS_LOWDELAY;
83+ if (options->ip_qos_bulk == -1)
84+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
85++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
86+ if (options->request_tty == -1)
87+ options->request_tty = REQUEST_TTY_AUTO;
88+ if (options->proxy_use_fdpass == -1)
89+--- a/servconf.c
90++++ b/servconf.c
91+@@ -403,9 +403,9 @@ fill_default_server_options(ServerOption
92+ if (options->permit_tun == -1)
93+ options->permit_tun = SSH_TUNMODE_NO;
94+ if (options->ip_qos_interactive == -1)
95+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
96++ options->ip_qos_interactive = IPTOS_LOWDELAY;
97+ if (options->ip_qos_bulk == -1)
98+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
99++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
100+ if (options->version_addendum == NULL)
101+ options->version_addendum = xstrdup("");
102+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
103+--- a/ssh_config.5
104++++ b/ssh_config.5
105+@@ -1055,11 +1055,9 @@ If one argument is specified, it is used
106+ If two values are specified, the first is automatically selected for
107+ interactive sessions and the second for non-interactive sessions.
108+ The default is
109+-.Cm af21
110+-(Low-Latency Data)
111++.Cm lowdelay
112+ for interactive sessions and
113+-.Cm cs1
114+-(Lower Effort)
115++.Cm throughput
116+ for non-interactive sessions.
117+ .It Cm KbdInteractiveAuthentication
118+ Specifies whether to use keyboard-interactive authentication.
119+--- a/sshd_config.5
120++++ b/sshd_config.5
121+@@ -866,11 +866,9 @@ If one argument is specified, it is used
122+ If two values are specified, the first is automatically selected for
123+ interactive sessions and the second for non-interactive sessions.
124+ The default is
125+-.Cm af21
126+-(Low-Latency Data)
127++.Cm lowdelay
128+ for interactive sessions and
129+-.Cm cs1
130+-(Lower Effort)
131++.Cm throughput
132+ for non-interactive sessions.
133+ .It Cm KbdInteractiveAuthentication
134+ Specifies whether to allow keyboard-interactive authentication.
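Review bot: the Subject line and message body at the top of the new patch file are the unmodified upstream commit message for switching to AF21/CS1, but the embedded hunks do the opposite and restore IPTOS_LOWDELAY and IPTOS_THROUGHPUT, so the only hint that this is a revert is the "Origin: backport (revert)" field. Suggest a description that states it is a revert and why ('iptables -m tos' and VMware, as in the changelog), and dropping the leftover "# IF MODIFIED" marker. The diffstat also looks stale: it reports 18 insertions and 14 deletions, whereas the four embedded hunks add 8 lines and remove 12, so it should be regenerated from the patch as shipped.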
135diff --git a/debian/patches/series b/debian/patches/series
136index ff60114..f2b71a9 100644
137--- a/debian/patches/series
138+++ b/debian/patches/series
139@@ -31,3 +31,4 @@ check-filenames-in-scp-client.patch
140 fix-key-type-check.patch
141 request-rsa-sha2-cert-signatures.patch
142 scp-handle-braces.patch
143+lp-1822370-revert-IPQos-defaults.patch
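Review bot: the file name added to series spells the option "IPQos", while the patch's own Subject line writes it as IPQoS. This is a naming nit only, but if the spelling is aligned, the same name has to change in the debian/changelog entry and in the patch file path as well, since all three must match for the series to apply.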
