Hi all,

My routing table is being modified by an unknown process.
I have system accounting enabled and I'm monitoring route changes
but the PID of the process reported by `route monitor` is always 0
for these unknown changes.

I've seen my default route (VPN) being deleted and new routes being
added for specific IPs. I'm out of ideas on how to find out what process
is modifying my routing table.

Here are the logs:

bash-5.0# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS       15      635     -     8 pair1
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.0/24          10.0.0.2           UCn        1        0     -     4 pair1
10.0.0.1           xx:xx:xx:xx:xx:xx  UHLch     20       76     -     3 pair1
10.0.0.2           xx:xx:xx:xx:xx:xx  UHLl       0      251     -     1 pair1
10.0.0.255         10.0.0.2           UHb        0        0     -     1 pair1
10.2.0.1           10.0.0.1           UGHD       1      599     - L   8 pair1
13.35.193.117      10.0.0.1           UGHD       1      616     - L   8 pair1
13.224.227.64      10.0.0.1           UGHD       1      611     - L   8 pair1
52.48.109.111      10.0.0.1           UGHD       1      614     - L   8 pair1
52.84.91.7         10.0.0.1           UGHD       1      574     - L   8 pair1
99.84.5.230        10.0.0.1           UGHD       1      620     - L   8 pair1
104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
104.16.241.18      10.0.0.1           UGHD       1      610     - L   8 pair1
104.18.26.20       10.0.0.1           UGHD       1      609     - L   8 pair1
104.21.22.28       10.0.0.1           UGHD       1      617     - L   8 pair1
108.177.120.136    10.0.0.1           UGHD       1      625     - L   8 pair1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       8     7322 32768     1 lo0
140.82.121.3       10.0.0.1           UGHD       1      636     - L   8 pair1
142.250.186.129    10.0.0.1           UGHD       1      604     - L   8 pair1
157.230.120.63     10.0.0.1           UGHD       1      596     - L   8 pair1
172.67.203.118     10.0.0.1           UGHD       1      607     - L   8 pair1
172.217.169.86     10.0.0.1           UGHD       1      632     - L   8 pair1
185.199.111.154    10.0.0.1           UGHD       2      633     - L   8 pair1
216.58.206.132     10.0.0.1           UGHD       1      624     - L   8 pair1
216.58.212.227     10.0.0.1           UGHD       1      629     - L   8 pair1

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/96                              ::1                            UGRS       0        0 32768     8 lo0
::1                                ::1                            UHhl      10       32 32768     1 lo0
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0 32768     8 lo0
2002::/24                          ::1                            UGRS       0        0 32768     8 lo0
2002:7f00::/24                     ::1                            UGRS       0        0 32768     8 lo0
2002:e000::/20                     ::1                            UGRS       0        0 32768     8 lo0
2002:ff00::/24                     ::1                            UGRS       0        0 32768     8 lo0
fe80::/10                          ::1                            UGRS       0        0 32768     8 lo0
fec0::/10                          ::1                            UGRS       0        0 32768     8 lo0
fe80::1%lo0                        fe80::1%lo0                    UHl        0        0 32768     1 lo0
ff01::/16                          ::1                            UGRS       5        5 32768     8 lo0
ff01::%lo0/32                      fe80::1%lo0                    Um         0        1 32768     4 lo0
ff02::/16                          ::1                            UGRS       5        5 32768     8 lo0
ff02::%lo0/32                      fe80::1%lo0                    Um         0        1 32768     4 lo0


The routes for 216.58.212.227, 216.58.206.132, 185.199.111.154,
172.217.169.86, 172.67.203.118, 157.230.120.63, 142.250.186.129,
140.82.121.3, 108.177.120.136, 104.21.22.28, 104.18.26.20,
104.16.241.18, 104.16.9.251, 99.84.5.230, 52.48.109.111, 52.84.5.230,
13.224.227.64, 13.35.193.117 are completely unknown and not added by
myself.

bash-5.0# route monitor
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:        0   mtu:        0    expire:        0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
 172.67.203.118 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:        0   mtu:        0    expire:        0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
 104.18.26.20 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:17 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:        0   mtu:        0    expire:        0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
 104.16.241.18 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:20 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:        0   mtu:        0    expire:        0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>


In another routing domain, my route to a VPN host has been deleted by
PID 0. I don't think this is the VPN client doing this.

Any ideas as to how I can find out what process is causing these route
changes?
p.s. src/sbin/route/route.c line 1090 seems to be missing setting
rtm.rtm_pid? Although route changes issued from the shell seem to include the PID, I can't work out how from reading the source code.
Thanks,

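An added example, not code from the original post or from OpenBSD: a small Python parser for `route monitor` output in the format shown above. It re-joins lines that mail quoting wrapped (the `pid:` / `0, seq 0` split visible in the post), pulls out the message type, `pid`, flags and sockaddrs, and separates the changes that carry pid 0 (sent by the kernel itself, so there is no user process to look for) from those a process sent. The sample input is constructed from the post's format; the `RTM_ADD` message from pid 4711 is hypothetical, added only to contrast with the pid-0 deletions.

```python
"""Attribute routing-table changes seen by OpenBSD `route monitor` to their
originator, using the rtm_pid field.  Added example, not the post's code."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format the post shows.  The first message keeps the
# "pid:" / "0," line wrap that mail quoting produced; the RTM_ADD from pid 4711
# is hypothetical and exists only to contrast a user-process change with pid 0.
SAMPLE = """\
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid:
0, seq 0, errno 0
flags:<UP,GATEWAY,HOST,DYNAMIC,DONE>
fmask:
use:        0   mtu:        0    expire:        0
locks:  inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
 104.18.26.20 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:40 2021
RTM_ADD: Add Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 4711, seq 1, errno 0
flags:<UP,GATEWAY,HOST,STATIC,DONE>
fmask:
use:        0   mtu:        0    expire:        0
locks:  inits:
sockaddrs: <DST,GATEWAY>
 192.0.2.10 10.0.0.1
"""


@dataclass
class RouteMsg:
    when: str
    rtm_type: str
    pid: int
    ifname: str
    flags: set = field(default_factory=set)
    addrs: dict = field(default_factory=dict)

    @property
    def origin(self) -> str:
        # rtm_pid identifies the sending process.  Messages the kernel sends on
        # its own behalf carry pid 0, so there is no user process to look up.
        return "kernel" if self.pid == 0 else f"pid {self.pid}"

    @property
    def dynamic(self) -> bool:
        # RTF_DYNAMIC marks a route the kernel created in response to an ICMP
        # redirect; no process installed it.
        return "DYNAMIC" in self.flags


_HDR = re.compile(r"^got message of size \d+ on (.+)$")
_BODY = re.compile(
    r"(?P<type>RTM_[A-Z_]+):(?:.*?name (?P<ifname>[^,]+),)?.*?pid:\s*(?P<pid>\d+)")
_FLAGS = re.compile(r"flags:<([^>]*)>")
_SA = re.compile(r"sockaddrs:\s*<([^>]*)>(.*)$")


def parse_monitor(text: str) -> list:
    """Split `route monitor` output into RouteMsg records; wrap-tolerant."""
    chunks = []
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            chunks.append((m.group(1), []))
        elif chunks:
            chunks[-1][1].append(line.strip())
    msgs = []
    for when, body_lines in chunks:
        body = " ".join(body_lines)      # re-joins a wrapped "pid:" / "0, seq 0"
        b = _BODY.search(body)
        if not b:
            continue                     # skip anything without a type/pid header
        fl = _FLAGS.search(body)
        flags = set(fl.group(1).split(",")) if fl else set()
        addrs = {}
        sa = _SA.search(body)
        if sa:                           # empty dict if the address line is missing
            addrs = dict(zip(sa.group(1).split(","), sa.group(2).split()))
        msgs.append(RouteMsg(when, b.group("type"), int(b.group("pid")),
                             b.group("ifname") or "?", flags, addrs))
    return msgs


def unattributed(msgs: list) -> list:
    """Changes the monitor cannot attribute to a user process (pid 0)."""
    return [m for m in msgs if m.pid == 0]


def describe(m: RouteMsg) -> str:
    dst, gw = m.addrs.get("DST", "?"), m.addrs.get("GATEWAY", "-")
    tag = " [DYNAMIC: redirect-created route]" if m.dynamic else ""
    return f"{m.when}: {m.rtm_type} {dst} via {gw} on {m.ifname} by {m.origin}{tag}"


if __name__ == "__main__":
    for msg in parse_monitor(SAMPLE):
        print(describe(msg))
```

Feed it a saved `route monitor` capture instead of `SAMPLE` to get one line per change with its originator. The DYNAMIC tag matters for triage: every pid-0 deletion in the posted log carries it, and a DYNAMIC host route is one the kernel installed itself after an ICMP redirect and later removes on its own timer (`net.inet.icmp.redirtimeout` on OpenBSD), so those messages are expected to show pid 0. The pid-0 messages worth chasing are the ones without DYNAMIC, such as a deleted default route, which the parser leaves untagged so they stand out.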