Temporarily revert IPQoS defaults to pre-7.8 values

This is just until issues with "iptables -m tos" and VMware have been
fixed.

Closes: #923879, #926229
LP: #1822370

9 files changed, 132 insertions, 14 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 6e6c8addb..65e73673d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
+6b56cd57db9061296231f14d537f1ebaf25e8877
+6b56cd57db9061296231f14d537f1ebaf25e8877
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff --git a/debian/README.Debian b/debian/README.Debian
index 48f42c4e8..dbe6c2958 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -270,6 +270,26 @@ For further discussion, see:
 
   https://bugs.launchpad.net/bugs/1674330
 
+IPQoS defaults reverted to pre-7.8 values
+-----------------------------------------
+
+OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
+interactive traffic and CS1 for bulk.  This caused some problems with other
+software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
+change for the time being.
+
+This is *temporary*, and we expect to come back into sync with upstream
+OpenSSH once those other issues have been fixed.  If you want to restore the
+upstream default, add this to ssh_config and sshd_config:
+
+  IPQoS af21 cs1
+
+For further discussion, see:
+
+  https://bugs.debian.org/923879
+  https://bugs.debian.org/926229
+  https://bugs.launchpad.net/1822370
+
 -- 
 Matthew Vernon <matthew@debian.org>
 Colin Watson <cjwatson@debian.org>
diff --git a/debian/changelog b/debian/changelog
index cc103b7ff..49cd2ad29 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:7.9p1-10) UNRELEASED; urgency=medium
+
+  * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
+    "iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
+    LP: #1822370).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 08 Apr 2019 10:57:05 +0100
+
 openssh (1:7.9p1-9) unstable; urgency=medium
 
   * Apply upstream patch to make scp handle shell-style brace expansions
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
new file mode 100644
index 000000000..a329b9be1
--- /dev/null
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -0,0 +1,93 @@
+From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 8 Apr 2019 10:46:29 +0100
+Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
+ AF21 for"
+
+This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
+
+The IPQoS default changes have some unfortunate interactions with
+iptables (see https://bugs.debian.org/923880) and VMware, so I'm
+temporarily reverting them until those have been fixed.
+
+Bug-Debian: https://bugs.debian.org/923879
+Bug-Debian: https://bugs.debian.org/926229
+Bug-Ubuntu: https://bugs.launchpad.net/1822370
+Last-Update: 2019-04-08
+
+Patch-Name: revert-ipqos-defaults.patch
+---
+ readconf.c    | 4 ++--
+ servconf.c    | 4 ++--
+ ssh_config.5  | 6 ++----
+ sshd_config.5 | 6 ++----
+ 4 files changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 661b8bf40..6d046f063 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
+        if (options->visual_host_key == -1)
+                options->visual_host_key = 0;
+        if (options->ip_qos_interactive == -1)
+-               options->ip_qos_interactive = IPTOS_DSCP_AF21;
++               options->ip_qos_interactive = IPTOS_LOWDELAY;
+        if (options->ip_qos_bulk == -1)
+-               options->ip_qos_bulk = IPTOS_DSCP_CS1;
++               options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->request_tty == -1)
+                options->request_tty = REQUEST_TTY_AUTO;
+        if (options->proxy_use_fdpass == -1)
+diff --git a/servconf.c b/servconf.c
+index c5dd617ef..bf2669147 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
+        if (options->permit_tun == -1)
+                options->permit_tun = SSH_TUNMODE_NO;
+        if (options->ip_qos_interactive == -1)
+-               options->ip_qos_interactive = IPTOS_DSCP_AF21;
++               options->ip_qos_interactive = IPTOS_LOWDELAY;
+        if (options->ip_qos_bulk == -1)
+-               options->ip_qos_bulk = IPTOS_DSCP_CS1;
++               options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->version_addendum == NULL)
+                options->version_addendum = xstrdup("");
+        if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1a8e24bd1..f6c1b3b33 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
+diff --git a/sshd_config.5 b/sshd_config.5
+index ba50a30f1..03f813e72 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to allow keyboard-interactive authentication.
diff --git a/debian/patches/series b/debian/patches/series
index ff6011442..b0da97283 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ check-filenames-in-scp-client.patch
 fix-key-type-check.patch
 request-rsa-sha2-cert-signatures.patch
 scp-handle-braces.patch
+revert-ipqos-defaults.patch
diff --git a/readconf.c b/readconf.c
index 661b8bf40..6d046f063 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
         if (options->visual_host_key == -1)
                 options->visual_host_key = 0;
         if (options->ip_qos_interactive == -1)
-                options->ip_qos_interactive = IPTOS_DSCP_AF21;
+                options->ip_qos_interactive = IPTOS_LOWDELAY;
         if (options->ip_qos_bulk == -1)
-                options->ip_qos_bulk = IPTOS_DSCP_CS1;
+                options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->request_tty == -1)
                 options->request_tty = REQUEST_TTY_AUTO;
         if (options->proxy_use_fdpass == -1)
diff --git a/servconf.c b/servconf.c
index c5dd617ef..bf2669147 100644
--- a/servconf.c
+++ b/servconf.c
@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
         if (options->permit_tun == -1)
                 options->permit_tun = SSH_TUNMODE_NO;
         if (options->ip_qos_interactive == -1)
-                options->ip_qos_interactive = IPTOS_DSCP_AF21;
+                options->ip_qos_interactive = IPTOS_LOWDELAY;
         if (options->ip_qos_bulk == -1)
-                options->ip_qos_bulk = IPTOS_DSCP_CS1;
+                options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->version_addendum == NULL)
                 options->version_addendum = xstrdup("");
         if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
index 1a8e24bd1..f6c1b3b33 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
 for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
index ba50a30f1..03f813e72 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
 for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.