
From: Alexandr Nedvedicky <sashan@fastmail.net>
Subject: Re: wg(4): move bpf on outgoing packets later in the transmit path
To: David Gwynne <david@gwynne.id.au>
Cc: tech@openbsd.org
Date: Sat, 9 May 2026 12:26:54 +0200

Hello,

On Sat, May 09, 2026 at 11:57:46AM +1000, David Gwynne wrote:
</snip>
> 
> tests? ok?

    I agree consistency is good here, so the diff is OK sashan@

On the other hand, thinking more about the whole situation here...
what would actually help to troubleshoot wireguard configuration
issues is the ability to use tcpdump for both wireguard's ends:
like intercepting a packet when it enters the wg interface and when
it leaves the interface (or after applying wgaip policy). Another
option would be to have something similar to what we have for pflog(4),
just send packets dropped by wireguard to a pflog(4)-like interface.
But this is a different diff for sure. I think your diff here
should go in first.

thanks and
regards
sashan


> 
> Index: if_wg.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if_wg.c,v
> diff -u -p -r1.48 if_wg.c
> --- if_wg.c	13 Apr 2026 01:10:39 -0000	1.48
> +++ if_wg.c	9 May 2026 01:47:36 -0000
> @@ -2194,6 +2194,13 @@ wg_qstart(struct ifqueue *ifq)
>  	while ((m = ifq_dequeue(ifq)) != NULL) {
>  		t = wg_tag_get(m);
>  		peer = t->t_peer;
> +
> +#if NBPFILTER > 0
> +		if (sc->sc_if.if_bpf)
> +			bpf_mtap_af(sc->sc_if.if_bpf, m->m_pkthdr.ph_family, m,
> +			    BPF_DIRECTION_OUT);
> +#endif
> +
>  		if (mq_push(&peer->p_stage_queue, m) != 0)
>  			counters_inc(ifp->if_counters, ifc_oqdrops);
>  		if (!peer->p_start_onlist) {
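Review bot: the tap added in wg_qstart() takes the address family from m->m_pkthdr.ph_family, where the tap it replaces used sa->sa_family, and nothing in the visible lines shows where ph_family is assigned. Please confirm that every mbuf that can reach this ifq has ph_family set before it is enqueued, or add a one-line comment here naming where that happens, because a stale or zero value would make bpf_mtap_af() write the wrong family into the capture header. The tap also sits before mq_push(), so a packet that is then counted in ifc_oqdrops still appears in tcpdump as outgoing; if that is intended, the commit message should say so. Minor style point: this block dereferences sc->sc_if.if_bpf while the lines just below use ifp->if_counters, so using one handle for the interface throughout the loop would read more consistently.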
> @@ -2240,12 +2247,6 @@ wg_output(struct ifnet *ifp, struct mbuf
>  		ret = EAFNOSUPPORT;
>  		goto error;
>  	}
> -
> -#if NBPFILTER > 0
> -	if (sc->sc_if.if_bpf)
> -		bpf_mtap_af(sc->sc_if.if_bpf, sa->sa_family, m,
> -		    BPF_DIRECTION_OUT);
> -#endif
>  
>  	if (peer == NULL) {
>  		ret = ENETUNREACH;
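Review bot: removing the tap from wg_output() narrows what a capture on the interface can see, and the commit message should state that. The deleted call ran before the `if (peer == NULL)` check, so a packet rejected with ENETUNREACH was still handed to bpf; after this change only packets that get as far as wg_qstart() are tapped, assuming the error path does not queue the mbuf (not visible here). That is the same class of dropped packet the reply above would like to be able to observe when debugging, so it is worth documenting the new behaviour, for example in the wg(4) notes on tcpdump if there are any.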
>