From: David Gwynne
Subject: wg(4): move bpf on outgoing packets later in the transmit path
To: tech@openbsd.org
Date: Sat, 9 May 2026 11:57:46 +1000

there's a convention in openbsd network drivers that bpf calls should be as close to the "wire" as possible so you can see what's actually being transmitted (or received). this means if the stack or driver drops an outgoing packet because something like arp resolution fails, or it's dropped by the transmit queue or hfsc, or it can't be mapped for tx dma, etc, bpf won't see it.

wg currently shows outgoing packets to bpf before it does the wgaip checks and queues the packet for transmit, which gives the false impression that a packet is being sent, even if there's no peer configured to send it to, or no peer for that config to send it, or if the ifq has no space for it, etc.

this diff moves the bpf call after the transmit ifq, which is an improvement on the situation. a future change can push this further along the transmit path, but this is a quick win for now.

this came out of a discussion with mvs@ and sashan@

tests? ok?

Index: if_wg.c =================================================================== RCS file: /cvs/src/sys/net/if_wg.c,v diff -u -p -r1.48 if_wg.c --- if_wg.c 13 Apr 2026 01:10:39 -0000 1.48 +++ if_wg.c 9 May 2026 01:47:36 -0000 @@ -2194,6 +2194,13 @@ wg_qstart(struct ifqueue *ifq) while ((m = ifq_dequeue(ifq)) != NULL) { t = wg_tag_get(m); peer = t->t_peer; + +#if NBPFILTER > 0 + if (sc->sc_if.if_bpf) + bpf_mtap_af(sc->sc_if.if_bpf, m->m_pkthdr.ph_family, m, + BPF_DIRECTION_OUT); +#endif + if (mq_push(&peer->p_stage_queue, m) != 0) counters_inc(ifp->if_counters, ifc_oqdrops); if (!peer->p_start_onlist) { @@ -2240,12 +2247,6 @@ wg_output(struct ifnet *ifp, struct mbuf ret = EAFNOSUPPORT; goto error; } - -#if NBPFILTER > 0 - if (sc->sc_if.if_bpf) - bpf_mtap_af(sc->sc_if.if_bpf, sa->sa_family, m, - BPF_DIRECTION_OUT); -#endif if (peer == NULL) { ret = ENETUNREACH;
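
Review bot: In the wg_qstart hunk the tap now reads the address family from m->m_pkthdr.ph_family where the removed call used sa->sa_family, and none of the visible lines show ph_family being assigned before the mbuf is put on the ifq. Please confirm that wg_output sets it on every path that enqueues, otherwise bpf is handed the wrong family for the packet. The call also sits ahead of mq_push(), so a packet that is counted under ifc_oqdrops two lines later has already been shown to bpf; a one-line comment saying the tap is intentionally placed before the stage queue would record that this is the known remaining gap. Since the loop already uses ifp->if_counters, ifp->if_bpf would read more consistently than sc->sc_if.if_bpf and would not depend on sc being declared in this function.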
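
Review bot: In the wg_output hunk the tap is removed from just above the peer == NULL check, so a packet that fails with ENETUNREACH is now invisible to anyone capturing on the interface, and the visible lines do not show whether the error path bumps an output error counter. If it does not, it would be worth making sure the drop is counted there, so that an operator who sees nothing outbound in a capture can still tell from the interface counters that packets are being rejected for lack of a peer. A sentence in wg(4) about which outgoing packets bpf shows would also help, since this changes what a capture on the interface means.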