** Bug Description
"IPQoS le" (Lower Effort) sets outgoing packet's DSCP to 000000 (BE).

** Expected behavior
It should be 000001 as per [RFC8622] and [bz2986].

** How to reproduce
1. ssh -o "IPQoS le" <remotehost>
2. tcpdump -v -n port 22 host <remotehost>
3. watch "tos" field in IP header (or "class" in IPv6)

-> Correct DSCP for LE is 000001 (tos 0x04), but we see tos=0x0 (DSCP=0)
=======================
17:31:03.455484 IP (tos 0x0, ttl 64, id 31594, offset 0, flags [DF], proto TCP (6), length 52)
    *.*.*.108.55566 > *.*.*.*.22: Flags [.], cksum 0xd6b3 (incorrect -> 0xe00d), seq 1661, ack 1463, win 259, options [nop,nop,TS val 4016640841 ecr 3998457139], length 0
=======================

** Patch for fix
IPTOS_DSCP_LE definition is wrong. If we want DSCP=0000001b, IPTOS value set must be 00000100b (two bits shift).

--- openssh-8.8p1.org/defines.h 2021-12-11 17:23:14.008544689 +0900 +++ openssh-8.8p1/defines.h 2021-12-11 17:24:02.755931851 +0900 @@ -97,7 +97,7 @@ # define IPTOS_DSCP_EF 0xb8 #endif /* IPTOS_DSCP_EF */ #ifndef IPTOS_DSCP_LE -# define IPTOS_DSCP_LE 0x01 +# define IPTOS_DSCP_LE 0x04 #endif /* IPTOS_DSCP_LE */ #ifndef IPTOS_PREC_CRITIC_ECP # define IPTOS_PREC_CRITIC_ECP 0xa0
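Review bot: the corrected value sits inside the `#ifndef IPTOS_DSCP_LE` guard, so it only takes effect where no system header has already defined the macro; a platform whose own header still defines IPTOS_DSCP_LE as 0x01 would keep the wrong value after this patch. Consider fixing the system header as well, or overriding a wrong system value here. It would also help to add a short comment next to `# define IPTOS_DSCP_LE 0x04` saying that this is DSCP 000001 shifted left by two, because the low two bits of the byte are the ECN field.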
Looks like the value comes from OpenBSD so we'll need to fix it there: https://cvsweb.openbsd.org/src/sys/netinet/ip.h?rev=1.19&content-type=text/x-cvsweb-markup
Fixed in OpenBSD and OpenSSH. Thanks for the report.
closing bugs resolved before openssh-8.9
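An added example, not part of the original report or of OpenSSH: a small C checker for step 3 of the reproduction, which pulls the tos/class byte out of `tcpdump -v` header lines and splits it into DSCP and ECN. The function names are hypothetical, and the second and third sample lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DSCP_LE 0x01u /* Lower Effort codepoint 000001b (RFC 8622) */

/* DSCP is the upper six bits of the TOS / Traffic Class byte; the low two are ECN. */
static unsigned dscp_to_tos(unsigned dscp) { return (dscp & 0x3fu) << 2; }
static unsigned tos_to_dscp(unsigned tos) { return (tos >> 2) & 0x3fu; }
static unsigned tos_to_ecn(unsigned tos) { return tos & 0x03u; }

/* Pull the byte out of one `tcpdump -v` line: "(tos 0x.." for IPv4,
 * "(class 0x.." for IPv6. Returns -1 when the line carries neither field. */
static int tcpdump_tos(const char *line)
{
    static const char *const keys[] = { "(tos 0x", "(class 0x" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        const char *p = strstr(line, keys[i]);
        if (p == NULL) continue;
        p += strlen(keys[i]);
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end != p && v <= 0xff)
            return (int)v;
    }
    return -1;
}

/* 1 = line is marked with DSCP `want`, 0 = other DSCP, -1 = no TOS field. */
static int line_has_dscp(const char *line, unsigned want)
{
    int tos = tcpdump_tos(line);
    return tos < 0 ? -1 : tos_to_dscp((unsigned)tos) == want;
}

int main(void)
{
    const char *lines[] = {
        /* header line quoted in the report */
        "17:31:03.455484 IP (tos 0x0, ttl 64, id 31594, offset 0, flags [DF], proto TCP (6), length 52)",
        /* constructed samples of correctly marked IPv4 and IPv6 packets */
        "17:31:04.000000 IP (tos 0x4, ttl 64, id 31595, offset 0, flags [DF], proto TCP (6), length 52)",
        "17:31:05.000000 IP6 (class 0x04, hlim 64, next-header TCP (6) payload length: 32)",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("line %zu: LE=%d\n", i, line_has_dscp(lines[i], DSCP_LE));
    printf("old define 0x01 -> DSCP %u ECN %u; LE needs tos 0x%02x\n",
           tos_to_dscp(0x01), tos_to_ecn(0x01), dscp_to_tos(DSCP_LE));
}
```

Decoding the old 0x01 definition shows why it could never mark LE: that bit lies in the ECN field, so the DSCP part of the byte is 0.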