sshd 7.8p1 close connection from VMware Fusion NAT Port Forwarding

Stuart Henderson stu at spacehopper.org
Tue Aug 28 20:15:38 AEST 2018


On 2018/08/28 14:17, Damien Miller wrote:
> On Mon, 27 Aug 2018, Stuart Henderson wrote:
>
> > On 2018-08-27, Zach Cheung <kuroro.zhang at gmail.com> wrote:
> > > After upgrading my VMware Fusion (10.1.3) Arch Guest to the latest with
> > > OpenSSH upgraded from 7.7p1 to 7.8p1, found that ssh from macOS Sierra
> > > (10.12.6) host to Arch guest via local NAT port forwarding failed, but via
> > > Arch LAN IP worked, downgraded OpenSSH from 7.8p1 to 7.7p1 fixed the
> > > problem.
> > >
> > > Any idea about this bug?
> >
> > I bet it is the QoS change. Try "IPQoS lowdelay,throughput".
>
> Do you have any insight into what is breaking here? I don't believe
> changing the default DSCP values should break connections...

I think it's probably a NAT bug in VMware Fusion. tcpdump might
give more clues as to how it's broken (maybe it's mangling packets,
maybe it's just rejecting them) but actually fixing it would need
VMware's involvement.

Short description: OpenSSH 7.8 started marking packets with DSCP
(af21 for interactive, cs1 for bulk) instead of IP TOS ("lowdelay"
for interactive, "throughput" for bulk). VMware Fusion with NAT
port-forwarding to sshd in the guest fails with OpenSSH 7.8.
It should be possible to replicate this failure with older OpenSSH
(6.0 or newer) by using "IPQoS af21 cs1" in sshd_config in the guest.

Unless any VMware people are reading this, it's probably best if one
of their customers reports it as a bug, I can't imagine it would be
that complicated to fix, the problem will be getting the report past
front-line support and on to the right person.



More information about the openssh-unix-dev mailing list