
From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: ntpd - use dscp (diff)
To:
Matthieu Herrb <matthieu@openbsd.org>
Cc:
tech@openbsd.org
Date:
Wed, 22 Oct 2025 09:38:14 +0100


On 2025/10/22 08:04, Matthieu Herrb wrote:
> And they also limit TCP traffic this way, and this hurts large
> SFTP transfers, but at least in ssh one can change the DSCP flags.

openssh (as of 10.1) is much smarter about this.

> For NTP traffic this would not be an issue, but it shows that ISPs are
> playing games with DSCP...

I wouldn't really class it as games; they're just using it as intended.

btw, one can use PF "set tos" to change markings without touching
application code:

match proto udp to port 123 set tos ef # force EF on NTP traffic
match tos ef set tos 0 # 'bleach' dscp if set to EF

etc. however, this is a bit limited, as the codepoint can change from
packet to packet, and unless using "no state", pf can only test the
packets which create state (first packet in a connection).
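An added example, not code from this thread or from ntpd, showing the application-side alternative to the PF "set tos" rules above: marking a UDP socket's packets with the EF codepoint through setsockopt (IP_TOS for IPv4, IPV6_TCLASS for IPv6), which is what "touching application code" amounts to. It assumes a POSIX sockets environment; the helper names are mine.

```c
/* Added example (not from the thread or ntpd): DSCP marking from
 * application code, the alternative to PF "set tos ef". */
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>

#define DSCP_EF 46 /* Expedited Forwarding, what "set tos ef" applies */

/* DSCP is the top six bits of the IPv4 TOS / IPv6 traffic class byte;
 * the low two bits are ECN and are left at zero here. EF -> 0xb8. */
int dscp_to_tos(int dscp) { return (dscp & 0x3f) << 2; }
int tos_to_dscp(int tos)  { return (tos >> 2) & 0x3f; }

/* Set the codepoint on an existing socket of address family af.
 * Returns 0 on success, -1 on failure (errno set by setsockopt). */
int set_dscp(int fd, int af, int dscp)
{
    int tos = dscp_to_tos(dscp);
    if (af == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos));
    return setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
}

/* Read the codepoint back; returns the DSCP value or -1 on error. */
int get_dscp(int fd, int af)
{
    int tos = 0;
    socklen_t len = sizeof(tos);
    int rc = (af == AF_INET6)
        ? getsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &tos, &len)
        : getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len);
    return rc == 0 ? tos_to_dscp(tos) : -1;
}

/* Open a UDP socket for af, mark it EF, and return the DSCP read back
 * (46 on success, -1 if the socket or the option failed). */
int mark_udp_socket_ef(int af)
{
    int fd = socket(af, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int got = set_dscp(fd, af, DSCP_EF) == 0 ? get_dscp(fd, af) : -1;
    close(fd);
    return got;
}

int main(void)
{
    printf("IPv4 DSCP after marking: %d\n", mark_udp_socket_ef(AF_INET));
    printf("IPv6 DSCP after marking: %d\n", mark_udp_socket_ef(AF_INET6));
    return 0;
}
```

Unlike the PF rule, the option applies to every packet the socket sends, so the per-packet limitation described above does not arise.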