Background: I'm building Linux-based Virtual Appliance that scans IP networks for vulnerabilities. The scan engine, amongst lots of other things, runs highly parallel TCP/UDP port scanner. The only one virtual network adapter in guest is configured in NAT mode. Scanning just a couple IPs in parallel locks up vmnet-natd completely, all networking functions in guest are dead and the only remedy is to restart all Fusion network services.
How to reproduce: The problem, as it turned out after much debugging and packet tracing, could be easily reproduced with one simple nmap command:
nmap -sS -p1-65535 -d -T3 <IP>
<IP> must be a dead (firewalled) host with no TCP/ICMP responces coming back from it. It is definitely possible to hit this error condition with live hosts as well, it just requires a small batch of them (~10) and more aggressive scan timing. Checking xmnet-natd process with:
sudo lsof -n -c vmnet-natd
shows ~1000 TCP sockets in SYN_SENT state. Since I had to restart vmnet-natd manually many times and run it in foreground in terminal window, I was able to see this error message that it starts spitting at insane rate once the error condition is triggered:
user-cg2:~ gakimov$ sudo '/Library/Application Support/VMware Fusion/vmnet-natd' -s 6 -m '/Library/Application Support/VMware Fusion/vmnet8/nat.mac' -c '/Library/Application Support/VMware Fusion/vmnet8/nat.conf'
Using configuration file: /Library/Application Support/VMware Fusion/vmnet8/nat.conf.
IP address: 192.168.4.2
Subnet: 255.255.255.0
External IP address: 0.0.0.0
Device: /dev/vmnet8.
MAC address: 00:50:56:F5:DD:2B.
Ignoring host MAC address: 00:50:56:C0:00:08.
Poll returned error Invalid argument, should not happen, poll: -1
Poll returned error Invalid argument, should not happen, poll: -1
.....
There is nothing of interest at all in both system log and guest .log files.
CentOS 5.6 guest is running under Fusion 3.1.2 (332101) on Mac OS X 10.6.7, 2.66 Quad-Core Xeon/6GB memory MacPro.
