From: Lloyd Subject: [patch] wireguard floods dmesg To: "tech@openbsd.org" Date: Wed, 11 Dec 2024 07:45:34 +0000 Hello, Wireguard has a rudimentary logging function accessed by setting the debug flag on the interface. Logging Wireguard activity is desirable e.g. for SIEM purposes. However, the current implementation will flood the system message buffer with the following message if the other side of the tunnel is down: wg0: No valid endpoint has been configured or discovered for peer 0 wg0: No valid endpoint has been configured or discovered for peer 0 wg0: No valid endpoint has been configured or discovered for peer 0 (etc... many times per minute) The below patch quiets the chatter by mapping the unused link0 flag as a "more verbose debugging" setting. Only the above message is muted, but scoping more in similar fashion may be warranted. Ideally the ifconfig man page would be updated as well; however, no section for Wireguard currently exists. Regards Lloyd --- sys/net/if_wg.c.orig Tue Sep 17 09:06:56 2024 +++ sys/net/if_wg.c Tue Dec 10 23:35:32 2024 @@ -70,9 +70,15 @@ #define NEW_HANDSHAKE_TIMEOUT (REKEY_TIMEOUT + KEEPALIVE_TIMEOUT) #define UNDERLOAD_TIMEOUT 1 +#define IFF_VERBOSE IFF_LINK0 + #define DPRINTF(sc, str, ...) do { if (ISSET((sc)->sc_if.if_flags, IFF_DEBUG))\ printf("%s: " str, (sc)->sc_if.if_xname, ##__VA_ARGS__); } while (0) +#define VERBOSE_DPRINTF(sc, str, ...) do { if (ISSET((sc)->sc_if.if_flags, \ + IFF_DEBUG | IFF_VERBOSE) == (IFF_DEBUG | IFF_VERBOSE))\ + printf("%s: " str, (sc)->sc_if.if_xname, ##__VA_ARGS__); } while (0) + #define CONTAINER_OF(ptr, type, member) ({ \ const __typeof( ((type *)0)->member ) *__mptr = (ptr); \ (type *)( (char *)__mptr - offsetof(type,member) );}) 
@@ -2167,7 +2173,7 @@ wg_output(struct ifnet *ifp, struct mbuf *m, struct so af = peer->p_endpoint.e_remote.r_sa.sa_family; if (af != AF_INET && af != AF_INET6) { - DPRINTF(sc, "No valid endpoint has been configured or " + VERBOSE_DPRINTF(sc, "No valid endpoint has been configured or " "discovered for peer %llu\n", peer->p_id); ret = EDESTADDRREQ; goto error;
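Review bot: In the first hunk (@@ -70,9 +70,15 @@), IFF_VERBOSE is aliased to IFF_LINK0 with no comment saying what link0 now means for wg(4), and VERBOSE_DPRINTF repeats the printf body of DPRINTF instead of building on it. A one-line comment above `#define IFF_VERBOSE IFF_LINK0` would record the new meaning of the flag, which matters because the mail notes there is no ifconfig man page text to carry it. The macro would be easier to keep in sync if it only tested IFF_VERBOSE and then called DPRINTF, which already tests IFF_DEBUG. The `ISSET(...) == (IFF_DEBUG | IFF_VERBOSE)` comparison also depends on ISSET yielding the masked bits rather than a boolean, and that is worth a short comment so a later cleanup does not "simplify" it into a test that passes with only one flag set.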
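Review bot: In the wg_output() hunk (@@ -2167,7 +2173,7 @@), moving the "No valid endpoint has been configured or discovered" message to VERBOSE_DPRINTF means an interface running with debug alone no longer logs this condition at all, although the EDESTADDRREQ error path is still taken for every packet. For the SIEM use case given in the mail, a peer with no usable endpoint is a useful event to keep. Consider keeping it under DPRINTF with a rate limit (ratecheck(9), or once per peer until the endpoint changes) so the first occurrence is still recorded and only the repeats are dropped. If the link0 gating stays, it should be documented where the debug flag is described, so operators know the message now needs both flags.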