From: Alexandr Nedvedicky
Subject: Re: wg(4): move bpf on outgoing packets later in the transmit path
To: David Gwynne
Cc: tech@openbsd.org
Date: Sat, 9 May 2026 12:26:54 +0200

Hello,

On Sat, May 09, 2026 at 11:57:46AM +1000, David Gwynne wrote:
>
> tests? ok?

I agree consistency is good here, so the diff is OK sashan@

On the other hand, thinking more about the whole situation here... what would actually help to troubleshoot wireguard configuration issues is the ability to use tcpdump for both of wireguard's ends: like intercepting a packet when it enters the wg interface and when it leaves the interface (or after applying wgaip policy).

Another option would be to have something similar to what we have for pflog(4), just send packets dropped by wireguard to a pflog(4)-like interface. But this is a different diff for sure. I think your diff here should go in first.

thanks and
regards
sashan

> > Index: if_wg.c > =================================================================== > RCS file: /cvs/src/sys/net/if_wg.c,v > diff -u -p -r1.48 if_wg.c > --- if_wg.c 13 Apr 2026 01:10:39 -0000 1.48 > +++ if_wg.c 9 May 2026 01:47:36 -0000 > @@ -2194,6 +2194,13 @@ wg_qstart(struct ifqueue *ifq) > while ((m = ifq_dequeue(ifq)) != NULL) { > t = wg_tag_get(m); > peer = t->t_peer; > + > +#if NBPFILTER > 0 > + if (sc->sc_if.if_bpf) > + bpf_mtap_af(sc->sc_if.if_bpf, m->m_pkthdr.ph_family, m, > + BPF_DIRECTION_OUT); > +#endif > + > if (mq_push(&peer->p_stage_queue, m) != 0) > counters_inc(ifp->if_counters, ifc_oqdrops); > if (!peer->p_start_onlist) { > @@ -2240,12 +2247,6 @@ wg_output(struct ifnet *ifp, struct mbuf > ret = EAFNOSUPPORT; > goto error; > } > - > -#if NBPFILTER > 0 > - if (sc->sc_if.if_bpf) > - bpf_mtap_af(sc->sc_if.if_bpf, sa->sa_family, m, > - BPF_DIRECTION_OUT); > -#endif > > if (peer == NULL) { > ret = ENETUNREACH; >
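
Review bot: in the wg_qstart() hunk the tap runs before mq_push(), so a packet that mq_push() rejects (the ifc_oqdrops path directly below it) has already been reported to bpf as BPF_DIRECTION_OUT and will appear in tcpdump although it is counted as an output drop. If the tap has to stay ahead of the push, a one-line comment saying so would help. The address family now comes from m->m_pkthdr.ph_family instead of sa->sa_family, and the tap uses sc->sc_if.if_bpf while the surrounding lines use ifp; neither the assignment of ph_family nor a declaration of sc is visible in this hunk, so please confirm both hold for every mbuf that reaches this loop.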
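
Review bot: in the wg_output() hunk the removed tap sat ahead of the `peer == NULL` check, so packets that fail there with ENETUNREACH were visible to bpf before and are not after this change. That narrows what tcpdump on the wg interface shows when no peer matches, and the commit message should state it, since it changes what a capture can be used to debug.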