BGPD.CONF(5)                 BSD File Formats Manual                 BGPD.CONF(5)

NAME
     bgpd.conf — Border Gateway Protocol daemon configuration file

DESCRIPTION
     The bgpd(8) daemon implements the Border Gateway Protocol version 4 as
     described in RFC 4271.

     The bgpd.conf config file is divided into the following main sections:

     MACROS
             User-defined variables may be defined and used later, simplifying
             the configuration file.

     GLOBAL CONFIGURATION
             Global settings for bgpd(8).

     SET CONFIGURATION
             Various lookup tables are defined in this section.

     NETWORK ANNOUNCEMENTS
             Networks which should be announced by bgpd(8) are set in this
             section.

     MPLS VPN CONFIGURATION
             The definition and properties for BGP MPLS VPNs are set in this
             section.

     NEIGHBORS AND GROUPS
             bgpd(8) establishes sessions with neighbors. The neighbor
             definition and properties are set in this section, as well as
             grouping neighbors for the ease of configuration.

     FILTER
             Filter rules for incoming and outgoing UPDATES.

     With the exception of macros, the sections should be grouped and appear
     in bgpd.conf in the order shown above.

     The current line can be extended over multiple lines using a backslash
     (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’),
     and extend to the end of the current line. Care should be taken when
     commenting out multi-line text: the comment is effective until the end of
     the entire block.

     Argument names not beginning with a letter, digit, or underscore must be
     quoted.

     Additional configuration files can be included with the include keyword,
     for example:

           include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS
     Macros can be defined that will later be expanded in context. Macro
     names must start with a letter, digit, or underscore, and may contain any
     of those characters. Macro names may not be reserved words (for example,
     AS, neighbor, or group). Macros are not expanded inside quotes.

     For example:

           peer1="1.2.3.4"
           neighbor $peer1 {
                   remote-as 65001
           }

GLOBAL CONFIGURATION
     These settings affect the operation of the bgpd(8) daemon as a whole.

     AS as-number [as-number]
             Set the local autonomous system number to as-number. A fallback
             2-byte AS number may follow a 4-byte AS number for neighbors that
             do not support 4-byte AS numbers. The standard and default
             fallback AS number is 23456.

             The AS numbers are assigned by local RIRs, such as:

                   AfriNIC     for Africa
                   APNIC       for Asia Pacific
                   ARIN        for North America and parts of the Caribbean
                   LACNIC      for Latin America and the Caribbean
                   RIPE NCC    for Europe, the Middle East, and parts of Asia

             The AS numbers 64512 – 65534 are designated for private use. The
             AS number 23456 is reserved and should not be used. 4-byte AS
             numbers may be specified in either the ASPLAIN format:

                   AS 196618

             or in the older ASDOT format:

                   AS 3.10

     connect-retry seconds
             Set the number of seconds to wait before attempting to re-open a
             connection. This timer should be sufficiently large in EBGP
             configurations. The default is 120 seconds.

     dump [rib name] (table|table-mp|table-v2) file [interval]
     dump (all|updates) (in|out) file [interval]
             Dump the RIB, a.k.a. the routing information base, or dump
             ongoing BGP activity, in Multi-threaded Routing Toolkit (MRT)
             format. The file is subject to strftime(3)-expansion.

             The table-v2 and table-mp RIB formats store multi-protocol RIBs
             correctly, but the table format does not. The table-mp and table
             formats are provided only to support third-party tools lacking
             support for the recommended table-v2 format. Dump an alternative
             RIB by specifying name. Specify an interval in seconds for
             periodic RIB dumps.

             The following will dump the entire RIB table, at startup and
             every 5 minutes thereafter, to a new file:

                   dump table-v2 "/tmp/rib-dump-%H%M" 300

             Dumps of ongoing BGP activity include all BGP state transitions,
             and all BGP messages in the specified direction. Use updates to
             dump only BGP UPDATE messages, without state transitions.
             Specify an interval in seconds to restart periodically with a new
             file:

                   dump all in "/tmp/all-in-%H%M" 300

     fib-priority prio
             Set the routing priority to prio. The default is 48.

     fib-update (yes|no)
             If set to no, do not update the Forwarding Information Base,
             a.k.a. the kernel routing table. The default is yes.

     holdtime seconds
             Set the announced holdtime in seconds. This is exchanged with a
             neighbor upon connection establishment, in the OPEN message, and
             the shortest holdtime governs the session.

             The neighbor session is dropped if the session holdtime passes
             without receipt of a KEEPALIVE or an UPDATE message from the
             neighbor. The default is 90 seconds.

     holdtime min seconds
             The minimum acceptable holdtime in seconds. This value must be
             at least 3.

     listen on address
             Specify the local IP address for bgpd(8) to listen on. The
             default is to listen on all local addresses on the current
             default routing domain.

     log updates
             Log sent and received BGP update messages.

     nexthop qualify via (bgp|default)
             If set to bgp, bgpd(8) may verify nexthops using BGP routes. If
             set to default, bgpd(8) may verify nexthops using the default
             route. By default bgpd(8) uses only static routes or routes
             added by other routing daemons, such as ospfd(8).

     rde med compare (always|strict)
             If set to always, the MULTI_EXIT_DISC attributes will always be
             compared. The default is strict, where the metric is only
             compared between peers belonging to the same AS.

     rde rib name [no evaluate]
     rde rib name [rtable number]
             Create an additional RIB named name. The degree to which its
             routes may be utilized is configurable. They may be excluded
             from the decision process that selects usable routes with the no
             evaluate flag, and this precludes their export to any kernel
             routing table. By default its routes will be evaluated, but not
             exported to the kernel. They may be both evaluated and exported
             if associated with a given rtable number, which must belong to
             the routing domain that bgpd(8) was started in. This table will
             not be consulted during nexthop verification unless it is the one
             that bgpd(8) was started in. It is unnecessary to create
             Adj-RIB-In and Loc-RIB, which are created automatically and used
             by default.

     rde route-age (ignore|evaluate)
             If set to evaluate, the route decision process will also consider
             the age of the route in addition to its path attributes, giving
             preference to the older, typically more stable, route. This
             renders the decision process nondeterministic. The default is
             ignore.

     router-id dotted-quad
             Set the BGP router ID, which must be non-zero and should be
             unique within the AS. By default, the router ID is the highest
             IPv4 address assigned to the local machine.

                   router-id 10.0.0.1

     rtable number
             Work with the given kernel routing table instead of the default
             table, which is the one bgpd(8) was started in. For nexthop
             verification, bgpd(8) will always consult the default table. This
             is the same as using the following syntax:

                   rde rib Loc-RIB rtable number

     socket "path" [restricted]
             Create a control socket at path. If restricted is specified a
             restricted control socket will be created. By default
             /run/bgpd/bgpd.sock.<rdomain> is used where <rdomain> is the
             routing domain in which bgpd(8) has been started. By default, no
             restricted socket is created.

     transparent-as (yes|no)
             If set to yes, AS paths to EBGP neighbors are not prepended with
             the local AS. The default is no.

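     As an added example that is not part of the manual, the global section
     below combines the options above into one consistent configuration. The
     AS number 64496, the address 192.0.2.1, the log paths and the socket
     path are constructed placeholders; every keyword used is documented
     above.

```conf
# GLOBAL CONFIGURATION (constructed example; AS 64496 and 192.0.2.1 are
# documentation values, the file and socket paths are placeholders)
AS 64496                        # 2-byte AS, so no fallback AS is needed
router-id 192.0.2.1             # pin the ID instead of relying on the
                                # highest local IPv4 address
listen on 192.0.2.1             # do not accept BGP on every local address

holdtime 90                     # announced in OPEN; the shortest value wins
holdtime min 30                 # refuse a peer that proposes a shorter one
connect-retry 120               # back off between reconnect attempts

fib-update yes                  # install selected routes into the kernel
rde med compare strict          # compare MED only within the same AS
rde route-age ignore            # keep the decision process deterministic

log updates                     # log every sent and received UPDATE
# MRT captures for after-the-fact analysis, one new file per hour
dump updates in "/var/log/bgpd/updates-in-%Y%m%d-%H%M" 3600
dump table-v2   "/var/log/bgpd/rib-%Y%m%d-%H%M" 3600

# an additional, restricted control socket for read-only monitoring tools
socket "/run/bgpd/bgpd.rsock" restricted
```

     The two dump statements give a packet-level record of what each peer
     sent and a periodic snapshot of the RIB, which together let an operator
     reconstruct how a bad route entered the table after the fact.
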
SET CONFIGURATION
     bgpd(8) supports the efficient lookup of data within named sets. An
     as-set, a prefix-set, and an origin-set store AS numbers, prefixes, and
     prefixes/source-as pairs, respectively. Such sets may be referenced by
     filter rules; see the FILTER section for details. It is more efficient
     to evaluate a set than a long series of rules for filtering each of its
     members.

     One single roa-set may be defined, against which bgpd(8) will validate
     the origin of each prefix.

     A set definition can span multiple lines, and an optional comma is
     allowed between elements.

     as-set name { as-number ... }
             An as-set stores AS numbers, and can be used with the AS specific
             parameter in FILTER rules.

     origin-set name { address/len maxlen mlen source-as asn ... }
             An origin-set stores prefix/source-as pairs, and can be used to
             filter on the combination by using the origin-set parameter in
             FILTER rules.

                   origin-set private { 10.0.0.0/8 maxlen 24 source-as 64511
                           203.0.113.0/24 source-as 64496 }

     prefix-set name { address/len ... }
             A prefix-set stores network prefixes and can be used in place of
             the prefix parameter in FILTER rules, and in network statements.
             A prefix can be followed by the prefixlen operators listed for
             the prefix parameter in the PARAMETERS section.

             The first example below creates a set of prefixes called
             “private”, to hold a number of RFC 1918 private network blocks.
             The second example shows the use of prefixlen operators.

                   prefix-set private { 10.0.0.0/8, 172.16.0.0/12,
                           192.168.0.0/16, fc00::/7 }
                   prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26,
                           2001:db8::/32 or-longer }

     roa-set { address/len maxlen mlen source-as asn ... }
             The roa-set holds a collection of Validated Route Origin
             Authorization Payloads (VRP). Each received prefix is checked
             against the roa-set, and the Origin Validation State (OVS) is
             set.

                   roa-set { 192.0.2.0/24 maxlen 24 source-as 64511
                           203.0.113.0/24 source-as 64496 }

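     The following is an added example, not from the manual: it defines all
     four set types and shows the filter rules, placed in the FILTER section
     after the neighbor definitions, that reference them. The set names,
     prefixes and AS numbers are constructed, and the bogon list is
     deliberately abbreviated.

```conf
# SET CONFIGURATION (constructed example)

# Prefixes that must never be learned from or announced to an EBGP peer.
# The list is abbreviated; a production bogon list is longer.
prefix-set bogons {
        0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4,
        ::/8, fc00::/7, fe80::/10
}

# AS numbers that should never appear in a received AS path.
as-set bogon-asns { 0, 23456, 65535, 4294967295 }

# Customer prefixes paired with the only AS allowed to originate them.
origin-set customers {
        203.0.113.0/24 maxlen 26 source-as 64497
        2001:db8:1::/48 maxlen 48 source-as 64497
}

# VRPs, for example exported from an RPKI validator; only one roa-set.
roa-set {
        192.0.2.0/24 maxlen 24 source-as 64496
        203.0.113.0/24 maxlen 26 source-as 64497
        2001:db8::/32 maxlen 48 source-as 64496
}

# ... GLOBAL, NETWORK and NEIGHBOR sections go here ...

# FILTER rules referencing the sets. One set lookup replaces a long list
# of per-prefix or per-AS rules and is evaluated more efficiently.
deny quick from ebgp prefix-set bogons or-longer  # a bogon or any subnet
deny quick to   ebgp prefix-set bogons or-longer  # never leak one either
deny quick from ebgp AS as-set bogon-asns         # bogon ASN anywhere in path
deny quick from ebgp ovs invalid                  # origin contradicts a VRP
allow from ebgp origin-set customers              # prefix and origin must match
```

     The origin-set rule accepts a customer prefix only from the AS that is
     supposed to originate it, which is a tighter check than a prefix-set
     alone; the roa-set makes the same check for every received prefix and
     records the result in the OVS, which the ovs parameter then matches on.
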
NETWORK ANNOUNCEMENTS
     network statements specify the networks that bgpd(8) will announce as its
     own. An announcement must also be permitted by the FILTER rules. By
     default bgpd(8) announces no networks.

     network address/prefix [set ...]
             Announce the specified prefix as belonging to our AS.

     network (inet|inet6) connected [set ...]
             Announce routes to directly attached networks.

     network prefix-set name [set ...]
             Announce all networks in the prefix-set name.

     network (inet|inet6) priority number [set ...]
             Announce routes having the specified priority.

     network (inet|inet6) rtlabel label [set ...]
             Announce routes having the specified label.

     network (inet|inet6) static [set ...]
             Announce all static routes.

     Each network statement may set default AS path attributes:

           network 192.168.7.0/24 set localpref 220

     See also the ATTRIBUTE SET section.

MPLS VPN CONFIGURATION
     A vpn section configures a router to participate in an MPLS Virtual
     Private Network. It specifies an mpe(4) interface to use, a description,
     and various properties of the VPN:

           vpn "description" on mpe1 {
                   rd 65002:1
                   import-target rt 65002:42
                   export-target rt 65002:42
                   network 192.168.1/24
           }

     bgpd(8) will not exchange VPN routes with a neighbor by default, see the
     NEIGHBORS AND GROUPS section. The description is used when logging but
     has no further meaning to bgpd(8).

     The mpe(4) interface will be used as the outgoing interface for routes to
     the VPN, and local networks will be announced with the MPLS label
     specified on the interface. The interface can provide VPN connectivity
     for another rdomain by being configured in that rdomain. The required
     rdomain must be configured on the interface before bgpd(8) uses it.
     Multiple VPNs may be connected to a single rdomain, including the rdomain
     that bgpd(8) is running in.

     An example hostname.if(5) configuration for an mpe(4) interface providing
     connectivity to rdomain 1:

           rdomain 1
           mplslabel 2000
           inet 192.198.0.1 255.255.255.255
           up

     The VPN properties are as follows:

     export-target subtype as-number:local
     export-target subtype IP:local
             Classify announced networks by tagging them with an extended
             community of the given arguments. The community subtype should
             be a route target, rt, to ensure interoperability. The arguments
             are further detailed in the ATTRIBUTE SET section. More than one
             export-target can be specified.

     fib-update (yes|no)
             If set to no, do not update the Forwarding Information Base,
             a.k.a. the kernel routing table. The default is yes.

     import-target subtype as-number:local
     import-target subtype IP:local
             The rdomain imports only those prefixes tagged with an extended
             community matching an import-target. The community subtype
             should be a route target, rt, to ensure interoperability. The
             arguments are further detailed in the ATTRIBUTE SET section.
             More than one import-target can be specified.

     network arguments ...
             Announce the given networks within this VPN; see the NETWORK
             ANNOUNCEMENTS section.

     rd as-number:local
     rd IP:local
             The Route Distinguisher rd supplies BGP with namespaces to
             disambiguate VPN prefixes, as these needn't be globally unique.
             Unlike route targets, the rd neither identifies the origin of the
             prefix nor controls into which VPNs the prefix is distributed.
             The as-number or IP of a rd should be set to a number or IP that
             was assigned by an appropriate authority, whereas local can be
             chosen by the local operator.

NEIGHBORS AND GROUPS
     bgpd(8) establishes TCP connections to other BGP speakers called
     neighbors. A neighbor and its properties are specified by a neighbor
     section:

           neighbor 10.0.0.2 {
                   remote-as 65002
                   descr "a neighbor"
           }

     Neighbors placed within a group section inherit the properties common to
     that group:

           group "peering AS65002" {
                   remote-as 65002
                   neighbor 10.0.0.2 {
                           descr "AS65002-p1"
                   }
                   neighbor 10.0.0.3 {
                           descr "AS65002-p2"
                   }
           }

     An entire network of neighbors may be accommodated by specifying an
     address/netmask pair:

           neighbor 10.0.0.0/8

     This is a template that recognises as a neighbor any connection from
     within the given network. Such neighbors inherit their template's
     properties, except for their IP address. A template may omit remote-as;
     bgpd(8) then accepts any AS presented by the neighbor in the OPEN
     message.

     The neighbor properties are as follows:

     announce (IPv4|IPv6) (none|unicast|vpn)
             For the given address family, control which subsequent address
             families are announced during the capabilities negotiation. Only
             routes for that address family and subsequent address families
             will be announced and processed.

             At the moment, only none, which disables the announcement of that
             address family, unicast, and vpn, which allows the distribution
             of BGP MPLS VPNs, are supported.

             The default is unicast for the same address family of the
             session.

     announce as-4byte (yes|no)
             If set to no, the 4-byte AS capability is not announced and so
             native 4-byte AS support is disabled. The default is yes.

     announce capabilities (yes|no)
             If set to no, capability negotiation is disabled during the
             establishment of the session. This can be helpful to connect to
             old or broken BGP implementations. The default is yes.

     announce refresh (yes|no)
             If set to no, the route refresh capability is not announced. The
             default is yes.

     announce restart (yes|no)
             If set to no, the graceful restart capability is not announced.
             Currently only the End-of-RIB marker is supported and announced
             by the restart capability. The default is yes.

     as-override (yes|no)
             If set to yes, all occurrences of the neighbor AS in the AS path
             will be replaced with the local AS before running the filters.
             The Adj-RIB-In still holds the unmodified AS path. The default
             value is no.

     demote group
             Increase the carp(4) demotion counter on the given interface
             group, usually carp, when the session is not in state
             ESTABLISHED. The demotion counter will be increased as soon as
             bgpd(8) starts and decreased 60 seconds after the session went to
             state ESTABLISHED. For neighbors added at runtime, the demotion
             counter is only increased after the session has been ESTABLISHED
             at least once before dropping.

             For more information on interface groups, see the group keyword
             in ifconfig(8).

     depend on interface
             The neighbor session will be kept in state IDLE as long as
             interface reports no link. For carp(4) interfaces, no link means
             that the interface is currently backup. This is primarily
             intended to be used with carp(4) to reduce failover times.

             The state of the network interfaces on the system can be viewed
             using the show interfaces command to bgpctl(8).

     descr description
             Add a description. The description is used when logging neighbor
             events, in status reports, for specifying neighbors, etc., but
             has no further meaning to bgpd(8).

     down [reason]
             Do not start the session when bgpd(8) comes up but stay in IDLE.
             If the session is cleared at runtime, after a down reason was
             configured at runtime, the reason is sent as Administrative
             Shutdown Communication. The reason cannot exceed 255 octets.

     dump (all|updates) (in|out) file [interval]
             Dump ongoing BGP activity for a particular neighbor. See also
             the dump setting in GLOBAL CONFIGURATION.

     enforce local-as (yes|no)
             If set to no, AS paths will not be checked for AS loop detection.
             This feature is similar to allowas-in in some other BGP
             implementations. Since there is no AS path loop check, this
             feature is dangerous, and requires you to add filters to prevent
             receiving your own prefixes. The default value is yes.

     enforce neighbor-as (yes|no)
             If set to yes, AS paths whose leftmost AS is not equal to the
             remote AS of the neighbor are rejected and a NOTIFICATION is sent
             back. The default value for IBGP peers is no; otherwise the
             default is yes.

     export (none|default-route)
             If set to none, no UPDATE messages will be sent to the neighbor.
             If set to default-route, only the default route will be announced
             to the neighbor. When export is modified the neighbor session
             needs to be reset to become active.

     holdtime seconds
             Set the holdtime in seconds. Inherited from the global
             configuration if not given.

     holdtime min seconds
             Set the minimal acceptable holdtime. Inherited from the global
             configuration if not given.

     ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
             Enable IPsec with static keying. There must be at least two
             ipsec statements per peer with manual keying, one per direction.
             authspec specifies the authentication algorithm and key. It can
             be

                   sha1 <key>
                   md5 <key>

             encspec specifies the encryption algorithm and key. ah does not
             support encryption. With esp, encryption is optional. encspec
             can be

                   3des <key>
                   3des-cbc <key>
                   aes <key>
                   aes-128-cbc <key>

             Keys must be given in hexadecimal format. After changing
             settings a session needs to be reset to use the new keys.

     ipsec (ah|esp) ike
             Enable IPsec with dynamic keying. In this mode, bgpd(8) sets up
             the flows, and a key management daemon such as isakmpd(8) is
             responsible for managing the session keys. With isakmpd(8), it
             is sufficient to copy the peer's public key, found in
             /etc/isakmpd/local.pub, to the local machine. It must be stored
             in a file named after the peer's IP address and must be stored in
             /etc/isakmpd/pubkeys/ipv4/. The local public key must be copied
             to the peer in the same way. As bgpd(8) manages the flows on its
             own, it is sufficient to restrict isakmpd(8) to only take care of
             keying by specifying the flags -Ka. This can be done in
             rc.conf.local(8). After starting the isakmpd(8) and bgpd(8)
             daemons on both sides, the session should be established. After
             changing settings a session needs to be reset to use the new
             keys.

     local-address address
     no local-address
             When bgpd(8) initiates the TCP connection to the neighbor system,
             it normally does not bind to a specific IP address. If a
             local-address is given, bgpd(8) binds to this address first. no
             local-address reverts back to the default.

     local-as as-number [as-number]
             Set the AS number sent to the remote system. Used as described
             above under GLOBAL CONFIGURATION option AS.

             Since there is no AS path loop check, this option is dangerous,
             and requires you to add filters to prevent receiving your ASNs.
             Intended to be used temporarily, for migrations to another AS.

     log no  Disable neighbor specific logging.

     log updates
             Log received and sent updates for this neighbor.

     max-prefix number [restart number]
             Terminate the session when the maximum number of prefixes
             received is exceeded (no such limit is imposed by default). If
             restart is specified, the session will be restarted after number
             minutes.

     max-prefix number out [restart number]
             Terminate the session when the maximum number of prefixes sent is
             exceeded (no such limit is imposed by default). If restart is
             specified, the session will be restarted after number minutes.

     multihop hops
             Neighbors not in the same AS as the local bgpd(8) normally have
             to be directly connected to the local machine. If this is not
             the case, the multihop statement defines the maximum hops the
             neighbor may be away.

     passive
             Do not attempt to actively open a TCP connection to the neighbor
             system.

     remote-as as-number
             Set the AS number of the remote system.

     rib name
             Bind the neighbor to the specified RIB.

     route-reflector [address]
             Act as an RFC 4456 route-reflector for this neighbor. An
             optional cluster ID can be specified; otherwise the BGP ID will
             be used.

     set attribute ...
             Set the AS path attributes to some default per neighbor or group
             block:

                   set localpref 300

             See also the ATTRIBUTE SET section. Set parameters are applied
             to the received prefixes; the only exceptions are prepend-self,
             nexthop no-modify and nexthop self. These sets are rewritten
             into filter rules and can be viewed with “bgpd -nv”.

     tcp md5sig password secret
     tcp md5sig key secret
             Enable TCP MD5 signatures per RFC 2385. The shared secret can
             either be given as a password or hexadecimal key.

                   tcp md5sig password mekmitasdigoat
                   tcp md5sig key deadbeef

             After changing keys a session needs to be reset to use the new
             keys.

     transparent-as (yes|no)
             If set to yes, AS paths to EBGP neighbors are not prepended with
             the local AS. The default is inherited from the global
             transparent-as setting.

     ttl-security (yes|no)
             Enable or disable ttl-security. When enabled, outgoing packets
             are sent using a TTL of 255 and a check is made against an
             incoming packet's TTL. For directly connected peers, incoming
             packets are required to have a TTL of 255, ensuring they have not
             been routed. For multihop peers, incoming packets are required to
             have a TTL of 256 minus multihop distance, ensuring they have not
             passed through more than the expected number of hops. The
             default is no.

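     The group and neighbor definitions below are an added example, not
     taken from the manual. They combine the session-protection properties
     above (ttl-security, tcp md5sig, max-prefix, enforce neighbor-as,
     holdtime min) for an EBGP transit group and a passive IBGP template. The
     AS numbers, addresses, interface name, MD5 keys and dump path are
     constructed placeholders; the local AS is assumed to be 64496.

```conf
# NEIGHBORS AND GROUPS (constructed example; the local AS is 64496)

group "transit AS64500" {
        remote-as 64500
        announce IPv4 unicast
        announce IPv6 none              # no IPv6 routes over these sessions
        enforce neighbor-as yes         # leftmost AS in the path must be 64500
        max-prefix 1000000 restart 15   # drop a leaking peer, retry in 15 min
        max-prefix 100 out restart 15   # and catch our own leaks outbound
        holdtime 90
        holdtime min 30                 # refuse a peer proposing less
        log updates

        neighbor 203.0.113.1 {
                descr "transit1"
                ttl-security yes        # directly connected: TTL must be 255
                # placeholder hexadecimal key, replace before use
                tcp md5sig key 0123456789abcdef0123456789abcdef
                dump updates in "/var/log/bgpd/transit1-in-%Y%m%d" 86400
        }
        neighbor 203.0.113.129 {
                descr "transit2"
                multihop 2              # peer is two hops away
                ttl-security yes        # so incoming TTL must be 256 - 2 = 254
                tcp md5sig key fedcba9876543210fedcba9876543210
        }
}

group "ibgp" {
        remote-as 64496                 # same AS as ours, so IBGP
        passive                         # wait for the peers to connect to us
        depend on carp0                 # stay IDLE while carp0 is backup
        neighbor 10.0.0.0/24 {          # template: any host in the block
                descr "ibgp-template"
                tcp md5sig password "ibgp-shared-secret-placeholder"
        }
}
```

     The ttl-security values follow directly from the text above: a directly
     connected peer must deliver packets with TTL 255, and a peer configured
     with multihop 2 must deliver at least 254, so spoofed segments injected
     from further away are discarded before the MD5 check even runs. The
     template neighbor keeps remote-as set on purpose; omitting it would make
     bgpd(8) accept whatever AS a connecting host claims.
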
FILTER
     bgpd(8) filters all BGP UPDATE messages, including its own announcements,
     and blocks them by default. Filter rules may match on neighbor,
     direction, prefix or AS path attributes. Filter rules may also modify AS
     path attributes.

     For each UPDATE processed by the filter, the filter rules are evaluated
     in sequential order, from first to last. The last matching allow or deny
     rule decides what action is taken. The default action is to deny.

     The following actions can be used in the filter:

     allow   The UPDATE is passed.

     deny    The UPDATE is blocked.

     match   Apply the filter attribute set without influencing the filter
             decision.

641 The rule parameters specify the UPDATES to which a rule applies. An
642 UPDATE always comes from, or goes to, one neighbor. Most parameters are
643 optional, but each can appear at most once per rule. If a parameter is
644 specified, the rule only applies to packets with matching attributes.
645
646 as-type [operator] as-number
647 as-type as-set name
648 This rule applies only to UPDATES where the AS path matches. The
649 part of the AS path specified by the as-type is matched against
650 the as-number or the as-set name:
651
652 AS (any part)
653 peer-as (leftmost AS number)
654 source-as (rightmost AS number)
655 transit-as (all but the rightmost AS number)
656
657 as-number is an AS number as explained above under GLOBAL
658 CONFIGURATION. It may be set to neighbor-as, which is expanded
659 to the current neighbor remote AS number, or local-as, which is
660 expanded to the locally assigned AS number.
661
662 When specifying an as-set name the AS path will instead be
663 matched against all the AS numbers in the set.
664
665 The operator can be unspecified (this case is identical to the
666 equality operator), or one of the numerical operators
667
668 = (equal)
669 != (unequal)
670 - (range including boundaries)
671 >< (except range)
672
673 >< and - are binary operators (they take two arguments); with
674 these, as-number cannot be set to neighbor-as.
675
676 Multiple as-number entries for a given type or as-type as-number
677 entries may also be specified, separated by commas or whitespace,
678 if enclosed in curly brackets:
679
680 deny from any AS { 1, 2, 3 }
681 deny from any { AS 1, source-as 2, transit-as 3 }
682 deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }
683
684 community as-number:local
685 community name
686 This rule applies only to UPDATES where the community path
687 attribute is present and matches. Communities are specified as
688 as-number:local, where as-number is an AS number and local is a
689 locally significant number between zero and 65535. Both
690 as-number and local may be set to ‘*’ to do wildcard matching.
691 Alternatively, well-known communities may be given by name
692 instead and include BLACKHOLE, GRACEFUL_SHUTDOWN, NO_EXPORT,
693 NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER. Both as-number
694 and local may be set to neighbor-as, which is expanded to the
695 current neighbor remote AS number, or local-as, which is expanded
696 to the locally assigned AS number.
697
698 large-community as-number:local:local
699 This rule applies only to UPDATES where the Large community path
700 attribute is present and matches. Communities are specified as
701 as-number:local:local, where as-number is an AS number and local
702 is a locally significant number between zero and 4294967295.
703 Both as-number and local may be set to ‘*’ to do wildcard match‐
704 ing, neighbor-as, which is expanded to the current neighbor
705 remote AS number, or local-as, which is expanded to the locally
706 assigned AS number.
707
708 ext-community subtype as-number:local
709 ext-community subtype IP:local
710 ext-community subtype numvalue
711 ext-community ovs (valid | not-found | invalid)
712 This rule applies only to UPDATES where the extended community
713 path attribute is present and matches. Extended Communities are
714 specified by a subtype and normally two values, a globally unique
715 part (e.g. the AS number) and a local part. Both as-number and
716 local may be set to neighbor-as, which is expanded to the current
717 neighbor remote AS number, or local-as, which is expanded to the
718 locally assigned AS number. Wildcard matching is supported for
719 local, numvalue and subtype. If wildcard matching is used on the
720 subtype then numvalue also needs to be set to ‘*’. See also the
721 ATTRIBUTE SET section for further information about the encoding.
722
723 (from|to) peer
724 This rule applies only to UPDATES coming from, or going to, this
725 particular neighbor. This parameter must be specified. peer is
726 one of the following:
727
728 any Any neighbor will be matched.
729 ibgp All IBGP neighbors will be matched.
730 ebgp All EBGP neighbors will be matched.
731 address Neighbors with this address will be matched.
732 group descr Neighbors in this group will be matched.
733 AS as-number
734 Neighbors with this AS will be matched.
735
736 Multiple peer entries may also be specified, separated by commas
737 or whitespace, if enclosed in curly brackets:
738
739 deny from { 128.251.16.1, 251.128.16.2, group hojo }
740
741 (inet|inet6)
742 Match only routes in the IPv4 or IPv6 address families, respec‐
743 tively. inet is an alias for "prefix 0.0.0.0/0 prefixlen >= 0";
744 inet6 is an alias for "prefix ::/0 prefixlen >= 0".
745
746 max-as-len len
747 This rule applies only to UPDATES where the AS path has more than
748 len elements.
749
750 max-as-seq len
751 This rule applies only to UPDATES where a single AS number is
752 repeated more than len times.
753
754 nexthop address
755 This rule applies only to UPDATES where the nexthop is equal to
756 address. The address can be set to neighbor in which case the
757 nexthop is compared against the address of the neighbor. Nexthop
758 filtering is not supported on locally announced networks and one
     must take into consideration previous rules overwriting nexthops.

origin-set name
     This rule applies only to UPDATES that match the given origin-set
     name.

ovs (valid | not-found | invalid)
     This rule applies only to UPDATES where the Origin Validation
     State (OVS) matches.

prefix address/len
prefix address/len prefixlen range
prefix address/len or-longer
prefix address/len maxlen mlen
     This rule applies only to UPDATES for the specified prefix.

     Multiple entries may be specified, separated by commas or
     whitespace, if enclosed in curly brackets:

          deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }

     Multiple lists can also be specified, which is useful for macro
     expansion:

          good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
          bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }"
          ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

          deny from any prefix { $good $bad $ugly }

     Prefix length ranges are specified by using these operators:

          =    (equal)
          !=   (unequal)
          <    (less than)
          <=   (less than or equal)
          >    (greater than)
          >=   (greater than or equal)
          -    (range including boundaries)
          ><   (except range)

     >< and - are binary operators (they take two arguments).  For
     instance, to match all prefix lengths >= 8 and <= 12, and hence
     the CIDR netmasks 8, 9, 10, 11 and 12:

          prefixlen 8-12

     Or, to match all prefix lengths < 8 or > 12, and hence the CIDR
     netmasks 0–7 and 13–32:

          prefixlen 8><12

     This will match all prefixes in the 10.0.0.0/8 netblock with
     netmasks longer than 16:

          prefix 10.0.0.0/8 prefixlen > 16

     or-longer is a shorthand for:

          prefix address/len prefixlen >= len

     maxlen mlen is a shorthand for:

          prefix address/len prefixlen <= mlen

prefix-set name [or-longer]
     This rule applies only to UPDATES that match the given prefix-set
     name.  With or-longer, the UPDATES will match any prefix in the
     prefix-set where

          address/len prefixlen >= len
quick
     If an UPDATE matches a rule which has the quick option set, this
     rule is considered the last matching rule, and evaluation of
     subsequent rules is skipped.

rib name
     Apply the rule only to the specified RIB.  This applies only to
     received UPDATES, so it cannot be used in rules with the to peer
     parameter.

set attribute ...
     All matching rules can set the AS path attributes to some
     default.  The set of every matching rule is applied, not only
     the last matching one.  See also the following section.

ATTRIBUTE SET
AS path attributes can be modified with set.

set can be used on network statements, in neighbor or group blocks, and
on filter rules.  Attribute sets can be expressed as lists.

The following attributes can be modified:

community [delete] as-number:local
community [delete] name
     Set or delete the COMMUNITIES AS path attribute.  Communities are
     specified as as-number:local, where as-number is an AS number and
     local is a locally significant number between zero and 65535.
     Alternately, well-known communities may be specified by name:
     GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED,
     or NO_PEER.  For delete, both as-number and local may be set to
     ‘*’ to do wildcard matching.

large-community [delete] as-number:local:local
large-community [delete] name
     Set or delete the Large Communities path attribute.  Communities
     are specified as as-number:local:local, where as-number is an AS
     number and local is a locally significant number between zero and
     4294967295.  For delete, both as-number and local may be set to
     ‘*’ to do wildcard matching.

ext-community [delete] subtype as-number:local
ext-community [delete] subtype IP:local
ext-community [delete] subtype numvalue
ext-community [delete] ovs (valid | not-found | invalid)
     Set or delete the Extended Community AS path attribute.  Extended
     Communities are specified by a subtype and normally two values, a
     globally unique part (e.g. the AS number) and a local part.  The
     type is selected depending on the encoding of the global part.
     Two-octet AS Specific Extended Communities and Four-octet AS
     Specific Extended Communities are encoded as as-number:local.
     Four-octet encoding is used if the as-number is bigger than 65535
     or if the AS_DOT encoding is used.  IPv4 Address Specific Extended
     Communities are encoded as IP:local.  Opaque Extended Communities
     are encoded with a single numeric value.  The ovs subtype can
     only be set to valid, not-found, or invalid.  Currently the
     following subtypes are supported:

          bdc       BGP Data Collection
          defgw     Default Gateway
          esi-lab   ESI Label
          esi-rt    ES-Import Route Target
          l2vid     L2VPN Identifier
          mac-mob   MAC Mobility
          odi       OSPF Domain Identifier
          ort       OSPF Route Type
          ori       OSPF Router ID
          ovs       BGP Origin Validation State
          rt        Route Target
          soo       Route Origin / Source of Origin
          srcas     Source AS
          vrfri     VRF Route Import

     Not all type and subtype value pairs are allowed by IANA, and the
     parser will ensure that no invalid combination is created.

     For delete, subtype, numvalue, or local may be set to ‘*’ to do
     wildcard matching.  If wildcard matching is used on the subtype
     then numvalue also needs to be set to ‘*’.
localpref number
     Set the LOCAL_PREF AS path attribute.  If number starts with a
     plus or minus sign, LOCAL_PREF will be adjusted by adding or
     subtracting number; otherwise it will be set to number.  The
     default is 100.

med number
metric number
     Set the MULTI_EXIT_DISC AS path attribute.  If number starts with
     a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding
     or subtracting number; otherwise it will be set to number.

origin (igp|egp|incomplete)
     Set the ORIGIN AS path attribute to mark the source of this route
     as being injected from an IGP protocol, an EGP protocol, or being
     an aggregated route.

nexthop (address|blackhole|reject|self|no-modify)
     Set the NEXTHOP AS path attribute to a different nexthop address,
     or use blackhole or reject routes.  blackhole and reject only
     affect the FIB and will not alter the nexthop address.  self
     forces the nexthop to be set to the local interface address.  If
     set to no-modify, the nexthop attribute is not modified for EBGP
     multihop sessions.  By default EBGP multihop sessions use the
     local interface address.  On IBGP and directly connected EBGP
     sessions no-modify is ignored.  The set address is used on IBGP
     sessions and on directly connected EBGP sessions if the address
     is part of the connected network.  On EBGP multihop sessions
     no-modify has to be set to force the nexthop to address.

          set nexthop 192.168.0.1
          set nexthop blackhole
          set nexthop reject
          set nexthop no-modify
          set nexthop self

pftable table
     Add the prefix in the update to the specified pf(4) table,
     regardless of whether or not the path was selected for routing.
     This option may be useful in building realtime blacklists.

prepend-neighbor number
     Prepend the neighbor's AS number to the AS path number times.

prepend-self number
     Prepend the local AS number to the AS path number times.

rtlabel label
     Add the prefix to the kernel routing table with the specified
     label.

weight number
     The weight is used to tip prefixes with equally long AS paths in
     one or the other direction.  A prefix is weighed at a very late
     stage in the decision process.  If number starts with a plus or
     minus sign, the weight will be adjusted by adding or subtracting
     number; otherwise it will be set to number.  Weight is a local
     non-transitive attribute, and is a bgpd(8)-specific extension.
     For prefixes with equally long paths, the prefix with the larger
     weight is selected.
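As an added example, not code from bgpd, the following Python model applies the set actions described above with the semantics this manual gives them: the set of every matching rule is applied, a quick rule ends evaluation, ‘*’ wildcards select communities for delete, and a signed number adjusts localpref, med or weight instead of replacing it. The function names, the route dictionary, a starting med and weight of 0, and the AS numbers are this example's assumptions.

```python
# Added example, not part of the bgpd.conf manual: a model of how the set actions
# described above alter a route, applied cumulatively across matching filter rules.
def community_matches(pattern, community):
    """For 'community delete': each 'as-number:local' field must match or be '*'."""
    return all(p in ("*", c) for p, c in zip(pattern.split(":"), community.split(":")))

def adjust(current, spec):
    """localpref/med/weight: '+N' or '-N' adds to the current value, bare N replaces it."""
    return current + int(spec) if spec[0] in "+-" else int(spec)

def apply_set(route, actions):
    """Apply one rule's set actions, a list of (attribute, value), to route in place."""
    for attr, value in actions:
        if attr == "community":
            if value not in route["communities"]:
                route["communities"].append(value)
        elif attr == "community delete":
            route["communities"] = [c for c in route["communities"]
                                    if not community_matches(value, c)]
        elif attr in ("localpref", "med", "metric", "weight"):
            key = "med" if attr == "metric" else attr
            route[key] = adjust(route[key], value)
        elif attr in ("prepend-self", "prepend-neighbor"):
            asn = route["local_as"] if attr == "prepend-self" else route["neighbor_as"]
            route["aspath"] = [asn] * int(value) + route["aspath"]
        else:
            raise ValueError("unsupported set attribute: %r" % attr)
    return route

def evaluate(route, rules):
    """rules: (match_fn, quick, actions); every matching rule's set applies, quick stops."""
    for match, quick, actions in rules:
        if match(route):
            apply_set(route, actions)
            if quick:
                break
    return route

def new_route(prefix, aspath, communities, local_as=64512, neighbor_as=65001):
    """Constructed input; localpref starts at the documented default 100, med/weight at 0."""
    return {"prefix": prefix, "aspath": list(aspath), "communities": list(communities),
            "localpref": 100, "med": 0, "weight": 0,
            "local_as": local_as, "neighbor_as": neighbor_as}

# Constructed rule set: strip every 65001:* community and tag the route; 10.9.0.0/16
# gets a MED bump and stops (quick); any other 10/8 route is depreferred and prepended.
RULES = [
    (lambda r: True, False, [("community delete", "65001:*"), ("community", "64512:100")]),
    (lambda r: r["prefix"] == "10.9.0.0/16", True, [("med", "+50")]),
    (lambda r: r["prefix"].startswith("10."), False, [("localpref", "-20"), ("prepend-self", "1")]),
]
```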

FILES
/etc/bgpd.conf  bgpd(8) configuration file.

SEE ALSO
strftime(3), ipsec(4), pf(4), rdomain(4), tcp(4), bgpctl(8), bgpd(8),
ipsecctl(8), isakmpd(8), rc.conf.local(8)

HISTORY
The bgpd.conf file format first appeared in OpenBSD 3.5.

BSD                              May 16, 2020                              BSD