Bug#895364: iptables: using conntrack prevents dropping ip fragments
Package: src:linux
Version: 4.9.82-1+deb9u3
Severity: important
Tags: upstream
Dear Maintainer,
0) Background. A caching resolver DNS server is vulnerable to cache poisoning via IP fragmentation attacks. See https://ripe67.ripe.net/presentations/240-ipfragattack.pdf
According to iptables(8) man page we should be able to drop fragments *and* use connection tracking via the PREROUTE chain of the raw table, but this seems not to work.
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target.
It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables.
It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets
generated by local processes)
Here are the steps to reproduce the issue:
1) Verify no existing firewall rules nor conntrack module loaded
sudo iptables -L
sudo iptables -L -t raw
lsmod | grep conn
2) Run this DNS query to verify UDP fragments are being accepted.
dig TXT t1500.frags.opendns.com @8.8.8.8
It should return something like this:
; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;t1500.frags.opendns.com. IN TXT
;; ANSWER SECTION:
t1500.frags.opendns.com. 18 IN TXT "1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
t1500.frags.opendns.com. 18 IN TXT "2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
t1500.frags.opendns.com. 18 IN TXT "3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333"
t1500.frags.opendns.com. 18 IN TXT "4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444"
t1500.frags.opendns.com. 18 IN TXT "5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555"
t1500.frags.opendns.com. 18 IN TXT "6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666"
t1500.frags.opendns.com. 18 IN TXT "7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
t1500.frags.opendns.com. 18 IN TXT "8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888"
t1500.frags.opendns.com. 18 IN TXT "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999"
t1500.frags.opendns.com. 18 IN TXT "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
t1500.frags.opendns.com. 18 IN TXT "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
t1500.frags.opendns.com. 18 IN TXT "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
t1500.frags.opendns.com. 18 IN TXT "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 09 21:50:33 GMT 2018
;; MSG SIZE rcvd: 1500
3) Add rule to iptables to drop fragments
sudo iptables -t raw -I PREROUTING 1 --fragment -j DROP
4) Verify rule is in place
sudo iptables -L -t raw
5) Re-run DNS query
dig TXT t1500.frags.opendns.com @8.8.8.8
It should return something like this:
; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
This means the rule is working.
6) Now load conntrack module via adding more rules to iptables
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
7) Verify rules and kernel module are loaded.
sudo iptables -L
lsmod | grep conn
8) Rerun DNS query
dig TXT t1500.frags.opendns.com @8.8.8.8
This should *not* return any results, like in step #5, but in reality we get the answer from Step #2.
Here is a typescript session output:
Script started on Tue 10 Apr 2018 02:20:23 PM GMT
vagrant@stretch:~/tmp
1>sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vagrant@stretch:~/tmp
2> sudo iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vagrant@stretch:~/tmp
3> lsmod | grep conn
vagrant@stretch:~/tmp
4> dig TXT t1500.frags.opendns.com @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62017
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;t1500.frags.opendns.com. IN TXT
;; ANSWER SECTION:
t1500.frags.opendns.com. 21 IN TXT "1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
t1500.frags.opendns.com. 21 IN TXT "2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
t1500.frags.opendns.com. 21 IN TXT "3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333"
t1500.frags.opendns.com. 21 IN TXT "4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444"
t1500.frags.opendns.com. 21 IN TXT "5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555"
t1500.frags.opendns.com. 21 IN TXT "6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666"
t1500.frags.opendns.com. 21 IN TXT "7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
t1500.frags.opendns.com. 21 IN TXT "8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888"
t1500.frags.opendns.com. 21 IN TXT "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999"
t1500.frags.opendns.com. 21 IN TXT "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
t1500.frags.opendns.com. 21 IN TXT "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
t1500.frags.opendns.com. 21 IN TXT "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
t1500.frags.opendns.com. 21 IN TXT "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 10 14:20:38 GMT 2018
;; MSG SIZE rcvd: 1500
vagrant@stretch:~/tmp
5>sudo iptables -t raw -I PREROUTING 1 --fragment -j DROP
vagrant@stretch:~/tmp
6>sudo iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -f anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vagrant@stretch:~/tmp
7>dig TXT t1500.frags.opendns.com @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
vagrant@stretch:~/tmp
8>sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
vagrant@stretch:~/tmp
9>sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vagrant@stretch:~/tmp
10> lsmod | grep conn
nf_conntrack_ipv4 16384 1
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
xt_conntrack 16384 1
nf_conntrack 114688 2 nf_conntrack_ipv4,xt_conntrack
x_tables 36864 6 ip_tables,iptable_filter,iptable_raw,ip6table_filter,xt_conntrack,ip6_tables
vagrant@stretch:~/tmp
11>dig TXT t1500.frags.opendns.com @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20903
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;t1500.frags.opendns.com. IN TXT
;; ANSWER SECTION:
t1500.frags.opendns.com. 32 IN TXT "1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
t1500.frags.opendns.com. 32 IN TXT "2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
t1500.frags.opendns.com. 32 IN TXT "3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333"
t1500.frags.opendns.com. 32 IN TXT "4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444"
t1500.frags.opendns.com. 32 IN TXT "5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555"
t1500.frags.opendns.com. 32 IN TXT "6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666"
t1500.frags.opendns.com. 32 IN TXT "7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
t1500.frags.opendns.com. 32 IN TXT "8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888"
t1500.frags.opendns.com. 32 IN TXT "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999"
t1500.frags.opendns.com. 32 IN TXT "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
t1500.frags.opendns.com. 32 IN TXT "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
t1500.frags.opendns.com. 32 IN TXT "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
t1500.frags.opendns.com. 32 IN TXT "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 10 14:21:54 GMT 2018
;; MSG SIZE rcvd: 1500
vagrant@stretch:~/tmp
12>
Script done on Tue 10 Apr 2018 02:21:57 PM GMT
-- Package-specific info:
** Version:
Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.9.0-6-amd64 root=UUID=3ce1d384-9969-474b-b8c6-2b8cf7ffe809 ro net.ifnames=0 quiet
** Tainted: O (4096)
* Out-of-tree module has been loaded.
** Kernel log:
** Model information
sys_vendor: innotek GmbH
product_name: VirtualBox
product_version: 1.2
chassis_vendor: Oracle Corporation
chassis_version:
bios_vendor: innotek GmbH
bios_version: VirtualBox
board_vendor: Oracle Corporation
board_name: VirtualBox
board_version: 1.2
** Loaded modules:
vboxsf(O)
ip6table_filter
ip6_tables
iptable_filter
iptable_raw
binfmt_misc
crct10dif_pclmul
crc32_pclmul
vboxvideo(O)
ghash_clmulni_intel
ttm
evdev
drm_kms_helper
sg
serio_raw
ac
drm
pcspkr
video
battery
button
vboxguest(O)
ip_tables
x_tables
autofs4
ext4
crc16
jbd2
crc32c_generic
fscrypto
ecb
mbcache
sd_mod
crc32c_intel
floppy
ahci
libahci
psmouse
aesni_intel
aes_x86_64
glue_helper
lrw
gf128mul
ablk_helper
cryptd
libata
e1000
i2c_piix4
scsi_mod
** Network interface configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
#VAGRANT-BEGIN
# The contents below are automatically generated by Vagrant. Do not modify.
auto eth1
iface eth1 inet dhcp
post-up route del default dev $IFACE || true
#VAGRANT-END
** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe8d:c04d/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:b4:2d:3e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.199/24 brd 192.168.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 2601:249:1000:8400:a00:27ff:feb4:2d3e/64 scope global mngtmpaddr dynamic
valid_lft 221697sec preferred_lft 221697sec
inet6 fe80::a00:27ff:feb4:2d3e/64 scope link
valid_lft forever preferred_lft forever
*** Device statistics:
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
eth1: 1236086 4230 0 0 0 0 0 73 2052 20 0 0 0 0 0 0
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0: 1211075 3363 0 0 0 0 0 0 362317 2032 0 0 0 0 0 0
*** Protocol statistics:
Ip:
Forwarding: 2
6610 total packets received
14 with invalid addresses
0 forwarded
0 incoming packets discarded
6596 incoming packets delivered
1965 requests sent out
Icmp:
1 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
echo requests: 1
1 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
echo replies: 1
IcmpMsg:
InType8: 1
OutType0: 1
Tcp:
6 active connection openings
1 passive connection openings
0 failed connection attempts
0 connection resets received
1 connections established
2676 segments received
1987 segments sent out
0 segments retransmitted
0 bad segments received
5 resets sent
Udp:
34 packets received
0 packets to unknown port received
0 packet receive errors
32 packets sent
0 receive buffer errors
0 send buffer errors
IgnoredMulti: 3886
UdpLite:
TcpExt:
3 TCP sockets finished time wait in fast timer
10 delayed acks sent
5 packets directly queued to recvmsg prequeue
TCPDirectCopyFromPrequeue: 2653
1014 packet headers predicted
1 packet headers predicted and directly queued to user
7 acknowledgments not containing data payload received
1294 predicted acknowledgments
TCPRcvCoalesce: 172
TCPOrigDataSent: 1309
TCPHystartTrainDetect: 1
TCPHystartTrainCwnd: 22
IpExt:
InBcastPkts: 3887
InOctets: 2295343
OutOctets: 303599
InBcastOctets: 1153250
InNoECTPkts: 7266
** PCI devices:
** USB devices:
not available
-- System Information:
Debian Release: 9.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages linux-image-4.9.0-6-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.130
ii kmod 23-2
ii linux-base 4.5
Versions of packages linux-image-4.9.0-6-amd64 recommends:
ii firmware-linux-free 3.4
ii irqbalance 1.1.0-2.3
Versions of packages linux-image-4.9.0-6-amd64 suggests:
pn debian-kernel-handbook <none>
ii grub-pc 2.02~beta3-5
pn linux-doc-4.9 <none>
Versions of packages linux-image-4.9.0-6-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
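
A check for the condition this report reproduces, as an added example that is not part of the original report: nf_defrag_ipv4 (pulled in by conntrack, as the lsmod output in step 10 shows) hooks PREROUTING at priority -400, ahead of the raw table at -300, so a raw `-f` rule only ever sees reassembled packets. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag raw-table fragment rules that IPv4 defragmentation bypasses.
# All sample inputs below are constructed, modelled on the lsmod and iptables
# output shown in the report.

SAMPLE_LSMOD_NO_CT='Module                  Size  Used by
iptable_raw            16384  1
iptable_filter         16384  0
ip_tables              24576  2 iptable_filter,iptable_raw
x_tables               36864  4 ip_tables,iptable_filter,iptable_raw,ip6_tables'

SAMPLE_LSMOD_CT='Module                  Size  Used by
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  1
nf_conntrack          114688  2 nf_conntrack_ipv4,xt_conntrack
iptable_raw            16384  1'

SAMPLE_RAW_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -f -j DROP'

# "! -f" matches unfragmented packets and first fragments, so it is not a
# fragment-drop rule and must not be reported.
SAMPLE_RAW_NEGATED='-P PREROUTING ACCEPT
-A PREROUTING ! -f -p udp -j NOTRACK'

# True when the lsmod text in $1 lists nf_defrag_ipv4.
defrag_loaded() {
    printf '%s\n' "$1" |
        awk '$1 == "nf_defrag_ipv4" { found = 1 } END { exit !found }'
}

# Print the rules in `iptables -S` text ($1) that match non-first fragments.
fragment_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            for (i = 2; i <= NF; i++)
                if (($i == "-f" || $i == "--fragment") && $(i - 1) != "!") {
                    print
                    next
                }
        }'
}

# Classify module state ($1) against raw-table rules ($2).
# Prints one verdict; exit status 1 means the fragment rule is bypassed.
check_fragment_drop() {
    rules=$(fragment_rules "$2")
    if [ -z "$rules" ]; then
        echo "NO_FRAGMENT_RULE"
        return 0
    fi
    if defrag_loaded "$1"; then
        # Defrag hook (-400) runs before raw (-300): raw never sees fragments.
        echo "BYPASSED: nf_defrag_ipv4 reassembles before raw sees: $rules"
        return 1
    fi
    echo "EFFECTIVE: $rules"
    return 0
}

# Steps 3-5 of the report (no conntrack), then steps 6-8 (conntrack loaded).
check_fragment_drop "$SAMPLE_LSMOD_NO_CT" "$SAMPLE_RAW_RULES" || true
check_fragment_drop "$SAMPLE_LSMOD_CT" "$SAMPLE_RAW_RULES" || true

# Live use, assuming root and the same tools as in the report:
#   check_fragment_drop "$(lsmod)" "$(iptables -t raw -S PREROUTING)"
```

The check reads module names from lsmod, so it assumes nf_defrag_ipv4 is built as a module, as it is on the Debian kernel in the report.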