Package: src:linux
Version: 4.9.82-1+deb9u3
Severity: important
Tags: upstream

Dear Maintainer,

0) Background.

A caching resolver DNS server is vulnerable to cache poisoning via IP fragmentation attacks. See https://ripe67.ripe.net/presentations/240-ipfragattack.pdf

According to iptables(8) man page we should be able to drop fragments *and* use connection tracking via the PREROUTE chain of the raw table, but this seems not to work.

    raw:
        This table is used mainly for configuring exemptions from
        connection tracking in combination with the NOTRACK target.
        It registers at the netfilter hooks with higher priority and
        is thus called before ip_conntrack, or any other IP tables.
        It provides the following built-in chains: PREROUTING (for
        packets arriving via any network interface) OUTPUT (for
        packets generated by local processes)

Here are the steps to reproduce the issue:

1) Verify no existing firewall rules nor conntrack module loaded

    sudo iptables -L
    sudo iptables -L -t raw
    lsmod | grep conn

2) Run this DNS query to verify UDP fragments are being accepted.

    dig TXT t1500.frags.opendns.com @8.8.8.8

It should return something like this:

    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;t1500.frags.opendns.com. IN TXT
    ;; ANSWER SECTION:
    t1500.frags.opendns.com. 18 IN TXT "1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
    t1500.frags.opendns.com. 18 IN TXT "2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
    t1500.frags.opendns.com. 18 IN TXT "3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333"
    t1500.frags.opendns.com. 18 IN TXT "4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444"
    t1500.frags.opendns.com. 18 IN TXT "5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555"
    t1500.frags.opendns.com. 18 IN TXT "6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666"
    t1500.frags.opendns.com. 18 IN TXT "7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
    t1500.frags.opendns.com. 18 IN TXT "8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888"
    t1500.frags.opendns.com. 18 IN TXT "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999"
    t1500.frags.opendns.com. 18 IN TXT "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    t1500.frags.opendns.com. 18 IN TXT "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
    t1500.frags.opendns.com. 18 IN TXT "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
    t1500.frags.opendns.com. 18 IN TXT "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
    ;; Query time: 17 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon Apr 09 21:50:33 GMT 2018
    ;; MSG SIZE rcvd: 1500

3) Add rule to iptables to drop fragments

    sudo iptables -t raw -I PREROUTING 1 --fragment -j DROP

4) Verify rule is in place

    sudo iptables -L -t raw

5) Re-run DNS query

    dig TXT t1500.frags.opendns.com @8.8.8.8

It should return something like this:

    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

This means the rule is working.

6) Now load conntrack module via adding more rules to iptables

    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

7) Verify rules and kernel module are loaded.

    sudo iptables -L
    lsmod | grep conn

8) Rerun DNS query

    dig TXT t1500.frags.opendns.com @8.8.8.8

This should *not* return any results, like in step #5, but in reality we get the answer from Step #2.

Here is a typescript session output:

    Script started on Tue 10 Apr 2018 02:20:23 PM GMT
    vagrant@stretch:~/tmp 1>sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    vagrant@stretch:~/tmp 2> sudo iptables -L -t raw
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    vagrant@stretch:~/tmp 3> lsmod | grep conn
    vagrant@stretch:~/tmp 4> dig TXT t1500.frags.opendns.com @8.8.8.8
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62017
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;t1500.frags.opendns.com. IN TXT
    ;; ANSWER SECTION:
    t1500.frags.opendns.com. 21 IN TXT "1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
    t1500.frags.opendns.com. 21 IN TXT "2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
    t1500.frags.opendns.com. 21 IN TXT "3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333"
    t1500.frags.opendns.com. 21 IN TXT "4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444"
    t1500.frags.opendns.com. 21 IN TXT "5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555"
    t1500.frags.opendns.com. 21 IN TXT "6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666"
    t1500.frags.opendns.com. 21 IN TXT "7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
    t1500.frags.opendns.com. 21 IN TXT "8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888"
    t1500.frags.opendns.com. 21 IN TXT "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999"
    t1500.frags.opendns.com. 21 IN TXT "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    t1500.frags.opendns.com. 21 IN TXT "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
    t1500.frags.opendns.com. 21 IN TXT "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
    t1500.frags.opendns.com. 21 IN TXT "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
    ;; Query time: 24 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Apr 10 14:20:38 GMT 2018
    ;; MSG SIZE rcvd: 1500
    vagrant@stretch:~/tmp 5>sudo iptables -t raw -I PREROUTING 1 --fragment -j DROP
    vagrant@stretch:~/tmp 6>sudo iptables -L -t raw
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  -f  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    vagrant@stretch:~/tmp 7>dig TXT t1500.frags.opendns.com @8.8.8.8
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    vagrant@stretch:~/tmp 8>sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    vagrant@stretch:~/tmp 9>sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    vagrant@stretch:~/tmp 10> lsmod | grep conn
    nf_conntrack_ipv4      16384  1
    nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
    xt_conntrack           16384  1
    nf_conntrack          114688  2 nf_conntrack_ipv4,xt_conntrack
    x_tables               36864  6 ip_tables,iptable_filter,iptable_raw,ip6table_filter,xt_conntrack,ip6_tables
    vagrant@stretch:~/tmp 11>dig TXT t1500.frags.opendns.com @8.8.8.8
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT t1500.frags.opendns.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20903
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;t1500.frags.opendns.com. IN TXT
    ;; ANSWER SECTION:
    t1500.frags.opendns.com. 32 IN TXT "1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
    t1500.frags.opendns.com. 32 IN TXT "2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
    t1500.frags.opendns.com. 32 IN TXT "3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333"
    t1500.frags.opendns.com. 32 IN TXT "4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444"
    t1500.frags.opendns.com. 32 IN TXT "5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555"
    t1500.frags.opendns.com. 32 IN TXT "6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666"
    t1500.frags.opendns.com. 32 IN TXT "7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
    t1500.frags.opendns.com. 32 IN TXT "8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888"
    t1500.frags.opendns.com. 32 IN TXT "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999"
    t1500.frags.opendns.com. 32 IN TXT "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    t1500.frags.opendns.com. 32 IN TXT "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
    t1500.frags.opendns.com. 32 IN TXT "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
    t1500.frags.opendns.com. 32 IN TXT "ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
    ;; Query time: 24 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Apr 10 14:21:54 GMT 2018
    ;; MSG SIZE rcvd: 1500

    Script done on Tue 10 Apr 2018 02:21:57 PM GMT

-- Package-specific info:
** Version:
Linux version 4.9.0-6-amd64 (debian-ker...@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.9.0-6-amd64 root=UUID=3ce1d384-9969-474b-b8c6-2b8cf7ffe809 ro net.ifnames=0 quiet

** Tainted: O (4096)
 * Out-of-tree module has been loaded.

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
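
Added example (not part of the original report): a shell check built on the two commands the reporter uses, `iptables -L -t raw` and `lsmod`, that flags the state reached in step 8, where the raw-table fragment rule is still listed but `nf_defrag_ipv4` is loaded. The function names are hypothetical and the sample listings are reconstructed from the typescript in the report.

```shell
#!/bin/sh
# Added example, not from the report; function names are hypothetical.
# On the reporter's 4.9 kernel nf_defrag_ipv4 hooks PREROUTING at priority
# -400, ahead of the raw table at -300, so once the module is loaded the raw
# table only ever sees reassembled packets and "--fragment" cannot match.

# has_frag_drop LISTING: true if `iptables -L -t raw` output contains a DROP
# rule with the fragment flag ("-f" in the opt column) in PREROUTING.
has_frag_drop() {
    printf '%s\n' "$1" | awk '
        /^Chain /                            { in_pre = ($2 == "PREROUTING"); next }
        in_pre && $1 == "DROP" && $3 == "-f" { found = 1 }
        END                                  { exit !found }'
}

# defrag_loaded LSMOD: true if nf_defrag_ipv4 appears as a loaded module
# (first column), not merely in another module's "used by" list.
defrag_loaded() {
    printf '%s\n' "$1" | awk '$1 == "nf_defrag_ipv4" { f = 1 } END { exit !f }'
}

# frag_drop_status LISTING LSMOD: prints one of
#   no-rule    no raw PREROUTING fragment DROP rule is listed
#   effective  rule listed and no defragmentation module loaded (steps 3-5)
#   bypassed   rule listed but nf_defrag_ipv4 is loaded (steps 6-8)
frag_drop_status() {
    if ! has_frag_drop "$1"; then
        echo no-rule
    elif defrag_loaded "$2"; then
        echo bypassed
    else
        echo effective
    fi
}

# Sample input reconstructed from the report's typescript.
RAW_EMPTY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

RAW_WITH_RULE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  -f  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

LSMOD_AFTER='nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  1
nf_conntrack          114688  2 nf_conntrack_ipv4,xt_conntrack'

echo "step 1 (clean host):       $(frag_drop_status "$RAW_EMPTY" "")"
echo "step 4 (rule, no conntrack): $(frag_drop_status "$RAW_WITH_RULE" "")"
echo "step 7 (rule + conntrack):   $(frag_drop_status "$RAW_WITH_RULE" "$LSMOD_AFTER")"

# Live use on a host (needs root for iptables):
#   frag_drop_status "$(iptables -L -t raw)" "$(lsmod)"
```

A result of `effective` only means no defragmentation module is loaded at the moment of the check; any later rule that pulls in conntrack changes the answer, as step 6 shows.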