From: Claudio Jeker
Subject: Re: [patch] wireguard floods dmesg
To: Lloyd
Cc: Stuart Henderson, Jay, tech@openbsd.org
Date: Thu, 12 Dec 2024 21:26:56 +0100

On Thu, Dec 12, 2024 at 08:17:46PM +0000, Lloyd wrote:
> On Thursday, December 12th, 2024, Stuart Henderson wrote:
> >
> > IIRC it wasn't ported, it was a separate implementation.
>
> I agree, but from my brief examination the text of some debugging messages was identical, with the IP addresses deleted.
>
> > Also IIRC the data structures used in this implementation make it
> > a bit hard to get at some of the information that would be useful
> > for logging.
>
> The information should be there (struct wg_endpoint accessed via struct wg_peer) - there is usually a struct wg_peer available whenever something security-relevant is happening. I suspect this was not implemented simply because the Linux networking stack's debugging facility can decode a struct sockaddr directly from a printf-like statement. printf(9) does not, so it was removed.
>
> It's best this is viewed as two separate issues:
>
> - How best to capture data considered statistics, rather than flooding the console, per previous discussion.
>
> - How to capture wg security-related events via some sort of persistent logging, similar to iked, as this functionality is currently missing. Maybe printf(9) isn't the best way - does it impact performance? Perhaps similar to how pf does it?
>

If it is relevant for operation then it should not use printf but instead log(9). This way it is syslogged and you can even play with the log levels.
To print IPs there is inet_ntop() and sockaddr_ntop() and various examples are in the tree on how to use them.
sthen@ already gave some pointers on how to do counters (easier with kstats).

--
:wq Claudio
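The pattern Claudio recommends, rendered as an added userland illustration rather than code from the OpenBSD tree: the endpoint address is formatted with inet_ntop(3) (the userland twin of the in-kernel inet_ntop()/sockaddr_ntop()), and the event is sent through syslog(3) at a chosen priority, standing in for log(9), so it reaches the system log and can be filtered by level instead of being printf'd onto the console. The `struct endpoint` is a hypothetical stand-in for the sockaddr a wg_peer's wg_endpoint holds, and the 192.0.2.0/24 and 2001:db8::/32 addresses are constructed documentation values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>

/* Hypothetical stand-in for the sockaddr that a wg_peer's wg_endpoint holds. */
struct endpoint {
	union {
		struct sockaddr		sa;
		struct sockaddr_in	sin;
		struct sockaddr_in6	sin6;
	} e;
};

/*
 * Render an endpoint as "addr:port" (IPv4) or "[addr]:port" (IPv6) using
 * inet_ntop(3). Returns 0 on success, -1 for an unsupported address family
 * (the buffer then holds a placeholder so a log line is still produced).
 */
int
endpoint_ntop(const struct endpoint *ep, char *buf, size_t len)
{
	char addr[INET6_ADDRSTRLEN];

	switch (ep->e.sa.sa_family) {
	case AF_INET:
		if (inet_ntop(AF_INET, &ep->e.sin.sin_addr, addr, sizeof(addr)) == NULL)
			return -1;
		snprintf(buf, len, "%s:%u", addr, ntohs(ep->e.sin.sin_port));
		return 0;
	case AF_INET6:
		if (inet_ntop(AF_INET6, &ep->e.sin6.sin6_addr, addr, sizeof(addr)) == NULL)
			return -1;
		snprintf(buf, len, "[%s]:%u", addr, ntohs(ep->e.sin6.sin6_port));
		return 0;
	default:
		snprintf(buf, len, "<af %d>", ep->e.sa.sa_family);
		return -1;
	}
}

/*
 * Record a security-relevant peer event via syslog(3) at the given priority,
 * the userland analogue of log(9): syslogd receives it and the level can be
 * filtered, instead of the message flooding the console via printf.
 */
void
wg_log_event(int prio, const struct endpoint *ep, const char *event)
{
	char ebuf[INET6_ADDRSTRLEN + 16];

	endpoint_ntop(ep, ebuf, sizeof(ebuf));
	syslog(prio, "wg: %s from %s", event, ebuf);
}
```

A caller would use LOG_WARNING for something like a failed handshake and LOG_DEBUG for chatter that is only interesting while debugging, leaving the decision to syslog.conf(5) rather than to the code.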