
GNS3 and Gentoo – fixing QEMU networking

I was hoping to have time to further familiarize myself with IPv6 this weekend – but workplace emergencies, sleep, and a technical glitch slowed me down. Here’s the story of the technical glitch.

GNS3 - this thing rocks.

GNS3/dynamips can handle emulation of a number of routers, and I was happy to see that it can emulate host PCs as well. Unfortunately, networking in GNS3 is done via UDP tunnels – something that requires a QEMU patch to implement.

For some reason QEMU won't really start if it's networked.

In Gentoo, simply building GNS3 from the Sunrise Overlay doesn’t provide sufficient support for this requirement. Emulated routers (and I’m assuming switches) work fine when networked together. Emulated host machines work fine when NOT connected to anything. But once you network things together you’ll discover that your Qemu host won’t start.

Here’s why – when you start a Qemu host, this is essentially what GNS3 runs:

/usr/bin/qemu -name QEMU1 -m 256 /mnt/virtualmachines/dynips/IPv6-tc/working/QEMU1/FLASH -hdb /mnt/virtualmachines/dynamips/IPv6-tc/working/QEMU1/SWAP -enable-kvm -net nic,vlan=0,macaddr=00:aa:00:8f:e4:00,model=rtl8139 -net udp,vlan=0,sport=20000,dport=10006,daddr= -net nic,vlan=1,macaddr=00:00:ab:fa:72:01,model=rtl8139 -serial telnet:,server,nowait -no-acpi -vnc :0

GNS3 attempts to use the -net udp option, something not offered in the default QEMU-KVM distribution. With no Gentoo USE flags to add the patch in either 0.13.0 or 0.14.50, I decided to simply upgrade to 0.14.50 and see if it was part of the default build:

# kvm --version
QEMU emulator version 0.14.50 (qemu-kvm-devel), Copyright (c) 2003-2008 Fabrice Bellard
# kvm --help | grep "net udp"

Nope, it’s not. So the next step is to remove app-emulation/qemu-kvm from your system and build it by hand.

First, remove kvm and download the source from

# emerge -C app-emulation/qemu-kvm

# cd /usr/src/

# wget

Unpack and patch it, using the patch provided by the GNS3 team.

# tar zxvpf qemu-kvm-0.13.0.tar.gz

# cd qemu-kvm-0.13.0/

Testing the patch, I ran into a handful of issues:

# patch --dry-run -p1 < /mnt/nas/downloads/qemu-0.13.0-
patching file Makefile.objs
Hunk #1 FAILED at 25.
1 out of 1 hunk FAILED -- saving rejects to file Makefile.objs.rej
patching file block/raw-win32.c
Hunk #1 FAILED at 93.
Hunk #2 FAILED at 347.
2 out of 2 hunks FAILED -- saving rejects to file block/raw-win32.c.rej
patching file hw/e1000.c
Hunk #1 FAILED at 567.
1 out of 1 hunk FAILED -- saving rejects to file hw/e1000.c.rej
patching file net/udp.c
patching file net/udp.h
patching file net.c
Hunk #1 FAILED at 30.
Hunk #2 FAILED at 1075.
2 out of 2 hunks FAILED -- saving rejects to file net.c.rej
patching file net.h
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED -- saving rejects to file net.h.rej
patching file qemu-options.hx
Hunk #1 FAILED at 996.
1 out of 1 hunk FAILED -- saving rejects to file qemu-options.hx.rej

A quick modification and we’ve got a new patch file. This one applies nicely:

# patch --dry-run -p1 < /mnt/nas/downloads/gentoo-qemu-0.13.0.gns3.patch
patching file Makefile.objs
patching file QMP/qmp-commands.txt
patching file block/raw-win32.c
patching file config-all-devices.mak
patching file config-host.h
patching file config-host.h-timestamp
patching file config-host.ld
patching file config-host.mak
patching file hw/e1000.c
patching file libdis/config.mak
patching file libdis-user/config.mak
patching file libhw32/config.mak
patching file libhw64/config.mak
patching file net/udp.c
patching file net/udp.h
patching file net.c
patching file net.h
patching file qemu-doc.html
patching file qemu-img-cmds.texi
patching file qemu-img.1
patching file qemu-monitor.texi
patching file qemu-nbd.8
patching file qemu-options.hx
patching file qemu-options.texi
patching file qemu-tech.html
patching file qemu.1
patching file roms/seabios/config.mak
patching file roms/vgabios/config.mak
patching file x86_64-softmmu/config-devices.mak
patching file x86_64-softmmu/config-devices.mak.old
patching file x86_64-softmmu/config-target.mak
vonnegut qemu-kvm-0.13.0 #

So let’s apply it for real and then configure, build, and install our new Qemu:

# patch -p1 < /mnt/nas/downloads/gentoo-qemu-0.13.0.gns3.patch

# ./configure --prefix=/usr --target-list=i386-softmmu --enable-sdl

# make && make install

A quick check to ensure UDP tunneling is compiled in:

# /usr/bin/qemu --version
QEMU emulator version 0.13.0 (qemu-kvm-0.13.0), Copyright (c) 2003-2008 Fabrice Bellard
# /usr/bin/qemu --help | grep "net udp"
-net udp[,vlan=n]sport=sport,dport=dport,daddr=host
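
The grep check above, generalised as an added example (not part of the original post or of GNS3): it compares every -net backend on a QEMU command line with the backends the binary's help text advertises. The help text and command line are constructed samples, the function names are hypothetical, and help_from_binary assumes the binary prints its help to stdout.

```python
import re
import shlex
import subprocess

# A "-net <backend>" entry at the start of a line of `qemu --help` output.
HELP_NET = re.compile(r"^-net\s+([a-z]+)", re.MULTILINE)

def supported_net_backends(help_text):
    """Backend names the binary advertises, e.g. {'nic', 'user', 'tap'}."""
    return set(HELP_NET.findall(help_text))

def requested_net_backends(cmdline):
    """Backend name of every -net option on a QEMU command line, in order."""
    argv = shlex.split(cmdline)
    return [argv[i + 1].split(",", 1)[0]
            for i, arg in enumerate(argv[:-1]) if arg == "-net"]

def missing_net_backends(cmdline, help_text):
    """Backends the command line needs but the binary does not offer."""
    supported = supported_net_backends(help_text)
    return sorted(set(requested_net_backends(cmdline)) - supported)

def help_from_binary(path):
    """Read the help text of an installed binary (path is the caller's choice)."""
    return subprocess.run([path, "--help"], capture_output=True,
                          text=True, check=False).stdout

# Constructed sample data: abridged help text of an unpatched build, the same
# text plus the line a patched build prints, and a command line modelled on
# the one GNS3 runs (paths, ports and 127.0.0.1 are placeholders).
STOCK_HELP = """\
-net nic[,vlan=n][,macaddr=mac][,model=type]
-net user[,vlan=n][,name=str]
-net tap[,vlan=n][,name=str][,ifname=name]
-net socket[,vlan=n][,name=str][,listen=[host]:port]
-net none       use it alone to have zero network devices
"""
PATCHED_HELP = STOCK_HELP + "-net udp[,vlan=n]sport=sport,dport=dport,daddr=host\n"
GNS3_CMDLINE = (
    "/usr/bin/qemu -name QEMU1 -m 256 /tmp/QEMU1/FLASH -enable-kvm "
    "-net nic,vlan=0,macaddr=00:aa:00:8f:e4:00,model=rtl8139 "
    "-net udp,vlan=0,sport=20000,dport=10006,daddr=127.0.0.1 "
    "-net nic,vlan=1,macaddr=00:00:ab:fa:72:01,model=rtl8139 -no-acpi -vnc :0"
)

if __name__ == "__main__":
    print("stock build is missing:", missing_net_backends(GNS3_CMDLINE, STOCK_HELP))
    print("patched build is missing:", missing_net_backends(GNS3_CMDLINE, PATCHED_HELP))
```

Against an installed build, pass help_from_binary("/usr/bin/qemu") as the help text instead of the samples.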

And voila – now not only does my host machine start when networked into my layout, it also has connectivity:

Yes, it finally works.

Next up – continue lab work with IPv6, and begin studying for my CCNP.

Packet Creation for IPv6

With most of my projects, I’ve noticed that before I can really begin to delve into them, I first have to learn something completely new.

I don’t do most of my work in Perl, but I can definitely make ends meet. My more recent work in Perl has dealt w/ RIP scanning and route-updating (a lot of DSL CPE tends to have RIP enabled). Packet creation isn’t that difficult, and using Perl I could bang out a script in a short period of time.

Usually for packet manipulation, I stay away from Perl – instead I’m a huge fan of Hping[23]. If you’re wanting to watch and play w/ the transport layer – an old laptop with hping and wireshark running is definitely the way to go. If you want to test MTU problems, or ACLs – Hping is fast and easy.

Hping is an amazing tool – one of my favorites. Hand crafted TCP and UDP traceroutes are easy as hell, and hand crafting TCP timestamp requests is easy too. Just read the manpages and you’ll find all sorts of interesting features of TCP/IP.

hping: A Great Tool
hping: Like a screwdriver set with most of the bits.

The downside to Hping is that it doesn’t seem to be under regular development (last release 2005?), and IPv6 isn’t supported yet (aside from some basic third-party patches). Application layer creation is also left for other utilities to handle (but in all fairness – that’s not its job).

I was a late adopter, but about a year ago I made a new friend (and picked up some Python along the way). My new best friend is Scapy. “Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.” It runs in interactive and scriptable mode, and thus far it’s proven to be quite powerful. It also supports IPv6.

Scapy understands a large number of application-level protocols (SNMP, TFTP, SMB, etc.), and makes it easy for one to craft such packets. When I recently realized early versions of Cisco IP Router Export have corrupt headers – Scapy came to the rescue (albeit, only to rip the headers off, as fixing them wasn’t possible). When I wanted to craft a quick and easy FreeRadius Packet of Death – Scapy came to the rescue.

Exploits Database
FreeRadius PoD on

Another great thing about Scapy is that it’s easy to add “layers” (protocols). Recently I sat down with the RFCs for OSPF and in about 2 days’ time had fully implemented OSPF in Scapy – learning a lot about the protocol along the way. (Dirk Loss had beaten me and submitted it first, but that was beside the point.)

Looking for a fun new world to poke, and tired of IPv4? Sign up for a 6-in-4 tunnel and go exploring. Just make sure you pack Scapy and a handy guide.