From:
Vitaliy Makkoveev <otto@bsdbox.dev>
Subject:
Re: [patch] wireguard floods dmesg
To:
Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc:
Lloyd <ng2d68@proton.me>, "tech@openbsd.org" <tech@openbsd.org>
Date:
Wed, 11 Dec 2024 14:39:20 +0300

> On 11 Dec 2024, at 12:24, Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
> 
> On Wed, Dec 11, 2024 at 07:45:34AM +0000, Lloyd wrote:
>> Hello,
>> 
>> Wireguard has a rudimentary logging function accessed by setting the debug flag on the interface. Logging Wireguard activity is desirable e.g. for SIEM purposes. However, the current implementation will flood the system message buffer with the following message if the other side of the tunnel is down:
>> 
>> wg0: No valid endpoint has been configured or discovered for peer 0
>> wg0: No valid endpoint has been configured or discovered for peer 0
>> wg0: No valid endpoint has been configured or discovered for peer 0
> 
> Is that message actually useful? Shouldn't it be simply removed?

This message appears only if the IFF_DEBUG flag is set. No problem
with it.

> 
>> (etc... many times per minute)
>> 
>> The below patch quiets the chatter by mapping the unused link0 flag as a "more verbose debugging" setting. Only the above message is muted, but scoping more in similar fashion may be warranted.
>> 
>> Ideally the ifconfig man page would be updated as well; however, no section for Wireguard currently exists.
>> 
>> Regards
>> Lloyd
>> 
>> 
>> --- sys/net/if_wg.c.orig	Tue Sep 17 09:06:56 2024
>> +++ sys/net/if_wg.c	Tue Dec 10 23:35:32 2024
>> @@ -70,9 +70,15 @@
>> #define NEW_HANDSHAKE_TIMEOUT	(REKEY_TIMEOUT + KEEPALIVE_TIMEOUT)
>> #define UNDERLOAD_TIMEOUT	1
>> 
>> +#define IFF_VERBOSE	IFF_LINK0
>> +
>> #define DPRINTF(sc, str, ...) do { if (ISSET((sc)->sc_if.if_flags, IFF_DEBUG))\
>>     printf("%s: " str, (sc)->sc_if.if_xname, ##__VA_ARGS__); } while (0)
>> 
>> +#define VERBOSE_DPRINTF(sc, str, ...) do { if (ISSET((sc)->sc_if.if_flags, \
>> +    IFF_DEBUG | IFF_VERBOSE) == (IFF_DEBUG | IFF_VERBOSE))\
>> +    printf("%s: " str, (sc)->sc_if.if_xname, ##__VA_ARGS__); } while (0)
>> +
>> #define CONTAINER_OF(ptr, type, member) ({			\
>> 	const __typeof( ((type *)0)->member ) *__mptr = (ptr);	\
>> 	(type *)( (char *)__mptr - offsetof(type,member) );})
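Review bot: The condition in VERBOSE_DPRINTF depends on ISSET() expanding to the masked bits rather than a boolean, because it compares the result against `(IFF_DEBUG | IFF_VERBOSE)`; that works with the `((t) & (f))` definition in sys/param.h, but it is easy to misread, and `ISSET((sc)->sc_if.if_flags, IFF_DEBUG) && ISSET((sc)->sc_if.if_flags, IFF_VERBOSE)` states the same check plainly and mirrors the existing DPRINTF. Also, `#define IFF_VERBOSE IFF_LINK0` repurposes a generic per-interface flag, so a one-line comment at the define saying that link0 selects more verbose debug output on wg(4) would help readers who come across the flag in ifconfig(8), which as the submitter notes has no WireGuard section yet.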
>> @@ -2167,7 +2173,7 @@ wg_output(struct ifnet *ifp, struct mbuf *m, struct so
>> 
>> 	af = peer->p_endpoint.e_remote.r_sa.sa_family;
>> 	if (af != AF_INET && af != AF_INET6) {
>> -		DPRINTF(sc, "No valid endpoint has been configured or "
>> +		VERBOSE_DPRINTF(sc, "No valid endpoint has been configured or "
>> 				"discovered for peer %llu\n", peer->p_id);
>> 		ret = EDESTADDRREQ;
>> 		goto error;
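Review bot: This call sits in wg_output(), so the message is emitted for every packet handed to a peer that has no endpoint, which is the flood described in the report; moving it behind link0 hides the message but does not bound it, so with debug and link0 both set the same rate of messages returns. If the message is meant to stay useful for SIEM purposes, logging it only on the transition into the no-endpoint state, or rate-limiting it, would address the volume directly rather than adding a second verbosity level. The EDESTADDRREQ return and the `goto error` path are unchanged here, so only the logging behaviour differs.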
>> 
>> 
> 
> -- 
> :wq Claudio