From: Claudio Jeker
Subject: Re: [patch] wireguard floods dmesg
To: Lloyd
Cc: "tech@openbsd.org"
Date: Wed, 11 Dec 2024 10:24:46 +0100

On Wed, Dec 11, 2024 at 07:45:34AM +0000, Lloyd wrote:
> Hello,
>
> Wireguard has a rudimentary logging function accessed by setting the debug flag on the interface. Logging Wireguard activity is desirable e.g. for SIEM purposes. However, the current implementation will flood the system message buffer with the following message if the other side of the tunnel is down:
>
> wg0: No valid endpoint has been configured or discovered for peer 0
> wg0: No valid endpoint has been configured or discovered for peer 0
> wg0: No valid endpoint has been configured or discovered for peer 0

Is that message actually useful? Shouldn't it be simply removed?

> (etc... many times per minute)
>
> The below patch quiets the chatter by mapping the unused link0 flag as a "more verbose debugging" setting. Only the above message is muted, but scoping more in similar fashion may be warranted.
>
> Ideally the ifconfig man page would be updated as well; however, no section for Wireguard currently exists.
>
> Regards
> Lloyd
>
>
> --- sys/net/if_wg.c.orig Tue Sep 17 09:06:56 2024
> +++ sys/net/if_wg.c Tue Dec 10 23:35:32 2024
> @@ -70,9 +70,15 @@
> #define NEW_HANDSHAKE_TIMEOUT (REKEY_TIMEOUT + KEEPALIVE_TIMEOUT)
> #define UNDERLOAD_TIMEOUT 1
>
> +#define IFF_VERBOSE IFF_LINK0
> +
> #define DPRINTF(sc, str, ...) do { if (ISSET((sc)->sc_if.if_flags, IFF_DEBUG))\
> printf("%s: " str, (sc)->sc_if.if_xname, ##__VA_ARGS__); } while (0)
>
> +#define VERBOSE_DPRINTF(sc, str, ...) do { if (ISSET((sc)->sc_if.if_flags, \
> + IFF_DEBUG | IFF_VERBOSE) == (IFF_DEBUG | IFF_VERBOSE))\
> + printf("%s: " str, (sc)->sc_if.if_xname, ##__VA_ARGS__); } while (0)
> +
> #define CONTAINER_OF(ptr, type, member) ({ \
> const __typeof( ((type *)0)->member ) *__mptr = (ptr); \
> (type *)( (char *)__mptr - offsetof(type,member) );})
> @@ -2167,7 +2173,7 @@ wg_output(struct ifnet *ifp, struct mbuf *m, struct so
>
> af = peer->p_endpoint.e_remote.r_sa.sa_family;
> if (af != AF_INET && af != AF_INET6) {
> - DPRINTF(sc, "No valid endpoint has been configured or "
> + VERBOSE_DPRINTF(sc, "No valid endpoint has been configured or "
> "discovered for peer %llu\n", peer->p_id);
> ret = EDESTADDRREQ;
> goto error;
>

--
:wq Claudio
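Review bot: In the first hunk (the new VERBOSE_DPRINTF at the top of if_wg.c), the macro copies the whole printf body of DPRINTF instead of reusing it, so any later change to how DPRINTF formats if_xname has to be made twice; a guard around the existing macro keeps the two in sync, e.g. `#define VERBOSE_DPRINTF(sc, ...) do { if (ISSET((sc)->sc_if.if_flags, IFF_VERBOSE)) DPRINTF(sc, __VA_ARGS__); } while (0)`, which gives the same "both flags set" semantics because DPRINTF already checks IFF_DEBUG. Also, `#define IFF_VERBOSE IFF_LINK0` gives a user-settable ifconfig flag a new meaning for wg(4) interfaces; that needs to be documented next to the existing debug flag, and the cover mail itself notes that ifconfig(8) has no WireGuard section to hold it yet.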
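Review bot: In the second hunk (the EDESTADDRREQ path in wg_output), swapping DPRINTF for VERBOSE_DPRINTF does not address the flood itself: with debug and link0 both set the message is still emitted once per packet for as long as the peer has no endpoint, which is the exact behaviour the cover mail complains about. If the message is kept, either print it once per peer until an endpoint is configured or discovered, or put it behind a rate limit (ppsratecheck(9) is the usual kernel helper); otherwise, given the reply's question whether the message is useful at all, dropping the DPRINTF and relying on the EDESTADDRREQ return is the simpler fix.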