xref: /openbsd/usr.sbin/bgpd/bgpd.conf.5 (revision d415bd75)

.\" $OpenBSD: bgpd.conf.5,v 1.237 2023/10/13 07:37:35 claudio Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: October 13 2023 $
.Dt BGPD.CONF 5
.Os
.Sh NAME
.Nm bgpd.conf
.Nd BGP routing daemon configuration file
.Sh DESCRIPTION
The
.Xr bgpd 8
daemon implements the Border Gateway Protocol version 4 as described
in RFC 4271.
.Pp
The
.Nm
config file is divided into the following main sections:
.Bl -tag -width xxxx
.It Sx MACROS
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Sx GLOBAL CONFIGURATION
Global settings for
.Xr bgpd 8 .
.It Sx SET CONFIGURATION
Various lookup tables are defined in this section.
.It Sx NETWORK AND FLOWSPEC ANNOUNCEMENTS
Networks which should be announced by
.Xr bgpd 8
are set in this section.
.It Sx MPLS VPN CONFIGURATION
The definition and properties for BGP MPLS VPNs are set in this section.
.It Sx NEIGHBORS AND GROUPS
.Xr bgpd 8
establishes sessions with
.Em neighbors .
The neighbor definition and properties are set in this section, as well as
grouping neighbors for the ease of configuration.
.It Sx FILTER
Filter rules for incoming and outgoing
.Em UPDATES .
.El
.Pp
With the exception of macros,
the sections should be grouped and appear in
.Nm
in the order shown above.
.Pp
The current line can be extended over multiple lines using a backslash
.Pq Sq \e .
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
Care should be taken when commenting out multi-line text:
the comment is effective until the end of the entire block.
.Pp
Argument names not beginning with a letter, digit, or underscore
must be quoted.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/bgpd/bgpd-10.0.0.1.filter"
.Ed
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore,
and may contain any of those characters.
Macro names may not be reserved words (for example,
.Ic AS ,
.Ic neighbor ,
or
.Ic group ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
peer1="1.2.3.4"
neighbor $peer1 {
	remote-as 65001
}
.Ed
.Sh GLOBAL CONFIGURATION
These settings affect the operation of the
.Xr bgpd 8
daemon as a whole.
.Pp
.Bl -tag -width Ds -compact
.It Ic AS Ar as-number Op Ar as-number
Set the local
.Em autonomous system
number to
.Ar as-number .
A fallback 2-byte AS number may follow a 4-byte AS number for neighbors that
do not support 4-byte AS numbers.
The standard and default fallback AS number is 23456.
.Pp
The AS numbers are assigned by local RIRs, such as:
.Pp
.Bl -tag -width xxxxxxxx -compact
.It AfriNIC
for Africa
.It APNIC
for Asia Pacific
.It ARIN
for North America and parts of the Caribbean
.It LACNIC
for Latin America and the Caribbean
.It RIPE NCC
for Europe, the Middle East, and parts of Asia
.El
.Pp
The AS numbers 64512 \(en 65534 are designated for private use.
The AS number 23456 is reserved and should not be used.
4-byte AS numbers may be specified in either the ASPLAIN format:
.Bd -literal -offset indent
AS 196618
.Ed
.Pp
or in the older ASDOT format:
.Bd -literal -offset indent
AS 3.10
.Ed
.Pp
.It Ic connect-retry Ar seconds
Set the number of seconds to wait before attempting to re-open
a connection.
This timer should be sufficiently large in EBGP configurations.
The default is 120 seconds.
.Pp
.It Xo
.Ic dump
.Op Ic rib Ar name
.Pq Ic table-v2 Ns | Ns Ic table-mp Ns | Ns Ic table
.Ar file Op Ar interval
.Xc
.It Xo
.Ic dump
.Pq Ic all Ns | Ns Ic updates
.Pq Ic in Ns | Ns Ic out
.Ar file Op Ar interval
.Xc
Dump the RIB, a.k.a. the
.Em routing information base ,
or dump ongoing BGP activity, in Multi-threaded Routing Toolkit (MRT) format.
The
.Ar file
is subject to
.Xr strftime 3 Ns -expansion.
.Pp
The
.Ic table-v2
and
.Ic table-mp
RIB formats store multi-protocol RIBs correctly, but the
.Ic table
format does not.
The latter two are provided only to support third-party tools lacking
support for the recommended
.Ic table-v2
format.
Dump an alternative RIB by specifying
.Ar name .
Specify an
.Ar interval
in seconds for periodic RIB dumps.
.Pp
The following will dump the entire RIB table, at startup and every
5 minutes thereafter, to a new file:
.Bd -literal -offset indent
dump table-v2 "/tmp/rib-dump-%H%M" 300
.Ed
.Pp
Dumps of ongoing BGP activity include all BGP state transitions, and
all BGP messages in the specified direction.
Use
.Ic updates
to dump only BGP
.Em UPDATE
messages, without state transitions.
Specify an
.Ar interval
in seconds to restart periodically with a new file:
.Bd -literal -offset indent
dump all in "/tmp/all-in-%H%M" 300
.Ed
.Pp
.It Ic fib-priority Ar prio
Set the routing priority to
.Ar prio .
The default is 48.
.Pp
.It Xo
.Ic fib-update
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
do not update the Forwarding Information Base, a.k.a. the kernel
routing table.
The default is
.Ic yes .
.Pp
.It Ic holdtime Ar seconds
Set the announced holdtime in seconds.
This is exchanged with a neighbor upon connection
establishment, in the
.Em OPEN
message, and the shortest holdtime governs the session.
.Pp
The neighbor session is dropped if the session holdtime passes
without receipt of a
.Em KEEPALIVE
or an
.Em UPDATE
message from the neighbor.
The default is 90 seconds.
.Pp
.It Ic holdtime min Ar seconds
The minimum acceptable holdtime in seconds.
This value must be at least 3.
.Pp
.It Ic listen on Ar address Op Ic port Ar port
Specify the local IP address and optional port for
.Xr bgpd 8
to listen on.
The default is to listen on all local addresses on the current default
routing domain.
.Pp
.It Ic log updates
Log sent and received BGP update messages.
.Pp
.It Xo
.Ic nexthop
.Ic qualify
.Ic via
.Pq Ic bgp Ns | Ns Ic default
.Xc
If set to
.Ic bgp ,
.Xr bgpd 8
may verify nexthops using BGP routes.
If set to
.Ic default ,
.Xr bgpd 8
may verify nexthops using the default route.
By default
.Xr bgpd 8
uses only static routes or routes added by other routing
daemons, such as
.Xr ospfd 8 .
.Pp
.It Xo
.Ic rde Ic evaluate
.Pq Ic default Ns | Ns Ic all
.Xc
If set to
.Ar all ,
keep evaluating alternative paths in case the selected path is filtered
out.
By default if a path is filtered by the output filters then no alternative
path is sent to this peer.
.Pp
.It Xo
.Ic rde Ic med Ic compare
.Pq Ic always Ns | Ns Ic strict
.Xc
If set to
.Ic always ,
the
.Em MULTI_EXIT_DISC
attributes will always be compared.
The default is
.Ic strict ,
where the metric is only compared between peers belonging to the same AS.
.Pp
.It Xo
.Ic rde
.Ic rib Ar name
.Op Ic no evaluate
.Xc
.It Xo
.Ic rde
.Ic rib Ar name
.Op Ic rtable Ar number
.Xc
Create an additional RIB named
.Ar name .
The degree to which its routes may be utilized is configurable.
They may be excluded from the decision process that selects usable routes
with the
.Ic no evaluate
flag, and this precludes their export to any kernel routing table.
By default its routes will be evaluated, but not exported to the kernel.
They may be both evaluated and exported if associated with a given
.Ic rtable
.Ar number ,
which must belong to the routing domain that
.Xr bgpd 8
was started in.
This table will not be consulted during nexthop verification
unless it is the one that
.Xr bgpd 8
was started in.
It is unnecessary to create
.Ic Adj-RIB-In
and
.Ic Loc-RIB ,
which are created automatically and used by default.
.Pp
.It Xo
.Ic rde
.Ic route-age
.Pq Ic ignore Ns | Ns Ic evaluate
.Xc
If set to
.Ic evaluate ,
the route decision process will also consider the age of the route in
addition to its path attributes, giving preference to the older,
typically more stable, route.
This renders the decision process nondeterministic.
The default is
.Ic ignore .
.Pp
.It Xo
.Ic reject Ic as-set
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
.Em AS paths
attributes containing
.Em AS_SET
path segments will be rejected and
all prefixes will be treated as withdraws.
The default is
.Ic no .
.Pp
.It Ic router-id Ar dotted-quad
Set the BGP router ID, which must be non-zero and should be unique
within the AS.
By default, the router ID is the highest IPv4 address assigned
to the local machine.
.Bd -literal -offset indent
router-id 10.0.0.1
.Ed
.Pp
.It Ic rtable Ar number
Work with the given kernel routing table
instead of the default table, which is the one
.Xr bgpd 8
was started in.
For nexthop verification,
.Xr bgpd 8
will always consult the default table.
This is the same as using the following syntax:
.Bd -literal -offset indent
rde rib Loc-RIB rtable number
.Ed
.Pp
.It Ic socket Qo Ar path Qc Op Ic restricted
Create a control socket at
.Ar path .
If
.Ic restricted
is specified, a restricted control socket will be created.
By default
.Pa /var/run/bgpd.sock.<rdomain>
is used where
.Ar <rdomain>
is the routing domain in which
.Xr bgpd 8
has been started.
By default, no restricted socket is created.
.Pp
.It Xo
.Ic transparent-as
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
.Em AS paths
to EBGP neighbors are not prepended with the local AS.
The default is
.Ic no .
.El
.Sh SET CONFIGURATION
.Xr bgpd 8
supports the efficient lookup of data within named
.Em sets .
An
.Ic as-set ,
a
.Ic prefix-set ,
and an
.Ic origin-set
store AS numbers, prefixes, and prefixes/source-as pairs,
respectively.
Such sets may be referenced by filter rules; see the
.Sx FILTER
section for details.
It is more efficient to evaluate a set than a long series of
rules for filtering each of its members.
.Pp
One single
.Ic roa-set
may be defined, against which
.Xr bgpd 8
will validate the origin of each prefix.
The
.Ic roa-set
and the
.Ic aspa-set
are merged with the corresponding tables received via
.Ic rtr
sessions.
.Pp
A set definition can span multiple lines, and an optional comma is allowed
between elements.
The same set can be defined more than once, in this case the definitions are
merged into one common set.
.Pp
.Bl -tag -width Ds -compact
.It Xo
.Ic as-set Ar name
.Ic { Ar as-number ... Ic }
.Xc
An
.Ic as-set
stores AS numbers, and can be used with the AS specific parameter in
.Sx FILTER
rules.
.Pp
.It Xo
.Ic aspa-set
.Ic { Ic customer-as Ar as-number
.Op Ic expires Ar seconds
.Ic provider-as Ic { Ar as-number
.Ic ... Ic } ... Ic }
.Xc
The
.Ic aspa-set
holds a collection of
.Em Validated ASPA Payloads Pq VAPs .
Each as AS_PATH received from an eBGP peer is checked against the
.Ic aspa-set ,
and the ASPA Validation State (AVS) is set.
.Ic expires
can be set to the seconds since Epoch until when this VAP is valid.
.Bd -literal -offset indent
aspa-set {
	customer-as 64511 provider-as { 64496 65496 }
	customer-as 64496 provider-as { 65496 64544 }
}
.Ed
.Pp
.It Xo
.Ic origin-set Ar name
.Ic { Ar address Ns Li / Ns Ar len Ic maxlen Ar mlen Ic source-as Ar asn ... Ic }
.Xc
An
.Ic origin-set
stores prefix/source-as pairs, and can be used to filter on the combination
by using the
.Ic origin-set
parameter in
.Sx FILTER
rules.
.Bd -literal -offset indent
origin-set private { 10.0.0.0/8 maxlen 24 source-as 64511
                     203.0.113.0/24 source-as 64496 }
.Ed
.Pp
.It Xo
.Ic prefix-set Ar name
.Ic { Ar address Ns Li / Ns Ar len ... Ic }
.Xc
A
.Ic prefix-set
stores network prefixes and can be used in place
of the
.Ic prefix
parameter in
.Sx FILTER
rules, and in
.Ic network
statements.
A prefix can be followed by the prefixlen operators listed for the
.Ic prefix
parameter in the
.Sx PARAMETERS
section.
.Pp
The first example below creates a set of prefixes called
.Dq private ,
to hold a number of RFC 1918 private network blocks.
The second example shows the use of prefixlen operators.
.Bd -literal -offset indent
prefix-set private { 10.0.0.0/8, 172.16.0.0/12,
                     192.168.0.0/16, fc00::/7 }
prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26,
                        2001:db8::/32 or-longer }
.Ed
.Pp
.It Xo
.Ic roa-set
.Ic { Ar address Ns Li / Ns Ar len
.Op Ic maxlen Ar mlen
.Ic source-as Ar asn
.Oo Ic expires Ar seconds Oc ... Ic }
.Xc
The
.Ic roa-set
holds a collection of
.Em Validated ROA Payloads Pq VRPs .
Each received prefix is checked against the
.Ic roa-set ,
and the Origin Validation State (OVS) is set.
.Ic expires
can be set to the seconds since Epoch until when this VRP is valid.
.Bd -literal -offset indent
roa-set { 192.0.2.0/23 maxlen 24 source-as 64511
          203.0.113.0/24 source-as 64496 }
.Ed
.Pp
.It Xo
.Ic rtr Ar address
.Ic { Ar ... Ic }
.Xc
The
.Ic rtr
block specifies a
.Em RPKI to Router Pq RTR
session.
.Em RTR
sessions provide another means to load
.Em VRP
sets into
.Xr bgpd 8 .
Changes propagated via the RTR protocol do not need a config reload and are
immediately applied.
The union of all
.Em VRP
sets received via
.Ic rtr
sessions and the entries in the
.Ic roa-set
is used to validate the origin of routes.
The rtr session properties are as follows:
.Pp
.Bl -tag -width Ds -compact
.It Ic descr Ar description
Add a description.
The description is used in logging and status reports, but has no further
meaning for
.Xr bgpd 8 .
.Pp
.It Ic local-address Ar address
Bind to the specific IP address before opening the TCP connection to the
.Em rtr
server.
.Pp
.It Ic port Ar number
Specify the TCP destination port for the
.Em rtr
session.
If not specified, the default
.Ic port
is
.Em 323 .
.El
.El
.Sh NETWORK AND FLOWSPEC ANNOUNCEMENTS
.Ic network
statements specify the networks that
.Xr bgpd 8
will announce as its own.
An announcement must also be permitted by the
.Sx FILTER
rules.
By default
.Xr bgpd 8
announces no networks.
.Pp
.Bl -tag -width Ds -compact
.It Xo
.Ic network
.Ar address Ns Li / Ns Ar prefix
.Op Ic set ...
.Xc
Announce the specified prefix as belonging to our AS.
.Pp
.It Xo
.Ic network
.Pq Ic inet Ns | Ns Ic inet6
.Ic connected Op Ic set ...
.Xc
Announce routes to directly attached networks.
.Pp
.It Xo
.Ic network prefix-set
.Ar name
.Op Ic set ...
.Xc
Announce all networks in the prefix-set
.Ar name .
.Pp
.It Xo
.Ic network
.Pq Ic inet Ns | Ns Ic inet6
.Ic priority Ar number Op Ic set ...
.Xc
Announce routes having the specified
.Ar priority .
.Pp
.It Xo
.Ic network
.Pq Ic inet Ns | Ns Ic inet6
.Ic rtlabel Ar label Op Ic set ...
.Xc
Announce routes having the specified
.Ar label .
.Pp
.It Xo
.Ic network
.Pq Ic inet Ns | Ns Ic inet6
.Ic static Op Ic set ...
.Xc
Announce all static routes.
.El
.Pp
Each
.Ic network
statement may set default
.Em AS path attributes :
.Bd -literal -offset indent
network 192.168.7.0/24 set localpref 220
.Ed
.Pp
See also the
.Sx ATTRIBUTE SET
section.
.Pp
.Ic flowspec
statements specify the flowspec rules that
.Xr bgpd 8
will announce as its own.
.\"An announcement must also be permitted by the
.\".Sx FILTER
.\"rules.
By default
.Xr bgpd 8
announces no flowspec rules.
.Pp
.Bl -tag -width Ds -compact
.It Xo
.Ic flowspec
.Pq Ic inet Ns | Ns Ic inet6
.Ar rule Op Ic set ...
.Xc
Announce an IPv4 or IPv6 specific flowspec
.Ar rule
including the
.Em AS path attributes
specified by
.Ar set .
.El
.Pp
The following rule parameters can be set.
Most number arguments in the below rules can be specified as a
list of ranges enclosed in curly brackets using these operators:
.Bd -literal -offset indent
=       (equal, default)
!=      (unequal)
<       (less than)
<=      (less than or equal)
>       (greater than)
>=      (greater than or equal)
-       (range including boundaries)
><      (except range)
.Ed
.Pp
.Sq >< ,
and
.Sq -
are binary operators (they take two arguments).
.Pp
.Bl -tag -width Ds -compact
.It Ic from Ar source Op Ic port Ar list
.It Ic to Ar dest Op Ic port Ar list
This rule applies only to packets with the specified source or
destination addresses and ports.
Addresses can be specified in CIDR notation (matching netblocks) or using
.Cm any
to match any address.
In most cases a
.Ic to
address must be specified and be part of the announced networks.
.Pp
Ports can be specified either by number or by name.
For example, port 80 can be specified as
.Cm www .
For a list of all port name to number mappings see the file
.Pa /etc/services .
.It Ic flags Ar a Ns / Ns Ar b
This rule only applies to TCP packets that have the flags
.Ar a
set out of set
.Ar b .
Flags not specified in
.Ar b
are ignored.
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
.It Ic fragment Ar a Ns / Ns Ar b
This rule only applies to fragmented packets which match the specified flags.
The flags are: (D)on't fragment, (I)s fragment, (F)irst fragment, and (L)ast
fragment.
.It Ic icmp-type Ar type Op Ic code Ar code
.It Ic icmp6-type Ar type Op Ic code Ar code
This rule only applies to ICMP or ICMP6 packets with the specified type
and code.
Text names for ICMP types and codes are listed in
.Xr icmp 4
and
.Xr icmp6 4 .
.It Ic length Ar pktlen
This rule applies only to packets matching the specified
.Ar pktlen .
.It Ic proto Ar protocol
This rule applies only to packets of this protocol.
Common protocols are ICMP, ICMP6, TCP, and UDP.
For a list of all the protocol name to number mappings see the file
.Pa /etc/protocols .
.It Ic tos Ar string Ns | Ns Ar number
This rule applies to packets with the specified TOS bits set.
.Ar string
may be one of
.Cm critical ,
.Cm inetcontrol ,
.Cm lowdelay ,
.Cm netcontrol ,
.Cm throughput ,
.Cm reliability ,
or one of the DiffServ Code Points:
.Cm ef ,
.Cm af11 No ... Cm af43 ,
.Cm cs0 No ... Cm cs7 ;
.Ar number
may be either a hex or decimal number.
.El
.Pp
The action taken when a flowspec rules matches depends on extended communities.
For example to block all traffic either
.Ic ext-community Ic flow-rate Ar as-number : Ns 0
or
.Ic ext-community Ic flow-pps Ar as-number : Ns 0
need to be set.
.Sh MPLS VPN CONFIGURATION
A
.Ic vpn
section configures a router to participate in an MPLS Virtual Private Network.
It specifies an
.Xr mpe 4
interface to use, a description, and various properties of the VPN:
.Bd -literal -offset indent
vpn "description" on mpe1 {
	rd 65002:1
	import-target rt 65002:42
	export-target rt 65002:42
	network 192.168.1/24
}
.Ed
.Pp
.Xr bgpd 8
will not exchange VPN routes with a neighbor by default, see the
.Sx NEIGHBORS AND GROUPS
section.
The description is used when logging but has no further meaning to
.Xr bgpd 8 .
.Pp
The
.Xr mpe 4
interface will be used as the outgoing interface for routes to
the VPN, and local networks will be announced with the MPLS label
specified on the interface.
The interface can provide VPN connectivity for another rdomain by
being configured in that rdomain.
The required rdomain must be configured on the interface before
.Xr bgpd 8
uses it.
Multiple VPNs may be connected to a single rdomain, including the rdomain that
.Xr bgpd 8
is running in.
.Pp
An example
.Xr hostname.if 5
configuration for an
.Xr mpe 4
interface providing connectivity to rdomain 1:
.Bd -literal -offset indent
rdomain 1
mplslabel 2000
inet 192.198.0.1 255.255.255.255
up
.Ed
.Pp
The VPN properties are as follows:
.Pp
.Bl -tag -width Ds -compact
.It Ic export-target Ar subtype as-number : Ns Ar local
.It Ic export-target Ar subtype IP : Ns Ar local
Classify announced networks by tagging them with an
.Em extended community
of the given arguments.
The community
.Ar subtype
should be a
.Em route target ,
.Ic rt ,
to ensure interoperability.
The arguments are further detailed in the
.Sx ATTRIBUTE SET
section.
More than one
.Ic export-target
can be specified.
.Pp
.It Xo
.Ic fib-update
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
do not update the Forwarding Information Base, a.k.a. the kernel
routing table.
The default is
.Ic yes .
.Pp
.It Ic import-target Ar subtype as-number : Ns Ar local
.It Ic import-target Ar subtype IP : Ns Ar local
The rdomain imports only those prefixes tagged with an
.Em extended community
matching an
.Ic import-target .
The community
.Ar subtype
should be a
.Em route target ,
.Ic rt ,
to ensure interoperability.
The arguments are further detailed in the
.Sx ATTRIBUTE SET
section.
More than one
.Ic import-target
can be specified.
.Pp
.It Ic network Ar argument ...
Announce the given networks within this VPN;
see the
.Sx NETWORK ANNOUNCEMENTS
section.
.Pp
.It Ic rd Ar as-number : Ns Ar local
.It Ic rd Ar IP : Ns Ar local
The Route Distinguisher
.Ic rd
supplies BGP with namespaces to disambiguate VPN prefixes, as these needn't be
globally unique.
Unlike route targets, the
.Ic rd
neither identifies the origin of the prefix nor controls into
which VPNs the prefix is distributed.
The
.Ar as-number
or
.Ar IP
of a
.Ic rd
should be set to a number or IP that was assigned by an appropriate authority,
whereas
.Ar local
can be chosen by the local operator.
.El
.Sh NEIGHBORS AND GROUPS
.Xr bgpd 8
establishes TCP connections to other BGP speakers called
.Em neighbors .
A neighbor and its properties are specified by a
.Tg
.Ic neighbor
section:
.Bd -literal -offset indent
neighbor 10.0.0.2 {
	remote-as 65002
	descr "a neighbor"
}
.Ed
.Pp
Neighbors placed within a
.Tg
.Ic group
section inherit the properties common to that group:
.Bd -literal -offset indent
group "peering AS65002" {
	remote-as 65002
	neighbor 10.0.0.2 {
		descr "AS65002-p1"
	}
	neighbor 10.0.0.3 {
		descr "AS65002-p2"
	}
}
.Ed
.Pp
An entire network of neighbors may be accommodated by specifying an
address/netmask pair:
.Bd -literal -offset indent
neighbor 10.0.0.0/8
.Ed
.Pp
This is a
.Em template
that recognises as a neighbor any connection from within the given network.
Such neighbors inherit their template's properties, except for their IP address.
A template may omit
.Ic remote-as ;
.Xr bgpd 8
then accepts any AS presented by the neighbor in the
.Em OPEN
message.
.Pp
The neighbor properties are as follows:
.Pp
.Bl -tag -width Ds -compact
.It Xo
.Ic announce
.Pq Ic IPv4 Ns | Ns Ic IPv6
.Pq Ic none Ns | Ns Ic unicast Ns | Ns Ic vpn Ns | Ns Ic flowspec
.Xc
For the given address family, control which
.Em subsequent address families
are announced during the capabilities negotiation.
Only routes for that address family and subsequent address families will be
announced and processed.
.Pp
At the moment, only
.Ic none ,
which disables the announcement of that address family,
.Ic unicast ,
.Ic vpn ,
which allows the distribution of BGP MPLS VPNs, and
.Ic flowspec ,
which allows the distribution of Flow Specification Rules,
are supported.
.Pp
The default is
.Ic unicast
for the same address family of the session.
.Pp
.It Xo
.Ic announce add-path recv
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
the receive add-path capability is announced, which allows reception of multiple
paths per prefix.
The default is
.Ic no .
.Pp
.It Xo
.Ic announce add-path send
.Pq Ic no Ns | Ns Ic all
.Xc
.It Xo
.Ic announce add-path send
.Pq Ic best Ns | Ns Ic ecmp | Ns Ic as-wide-best
.Op Ic plus Ar num
.Op Ic max Ar num
.Xc
If set to
.Ic all ,
.Ic best ,
.Ic ecmp ,
or
.Ic as-wide-best ,
the send add-path capability is announced, which allows sending multiple paths
per prefix.
The paths sent depend on which mode is selected:
.Pp
.Bl -tag -width as-wide-best -compact
.It Ic no
do not advertise add-path send capability
.It Ic all
send all valid paths
.It Ic best
send the best path
.It Ic ecmp
send paths with equal nexthop cost
.It Ic as-wide-best
send paths where the first 8 checks of the decision process match
.El
.Pp
.Ic plus
allows the inclusion of additional backup paths and works for
.Ic best ,
.Ic ecmp ,
and
.Ic as-wide-best .
.Ic max
can be used to limit the total amount of paths sent for
.Ic ecmp
and
.Ic as-wide-best .
Right now
.Ic ecmp
and
.Ic as-wide-best
are equivalent.
The default is
.Ic no .
If
.Ic add-path Ic send
is active then the setting of
.Ic rde Ic evaluate
is ignored.
.Pp
.It Xo
.Ic announce as-4byte
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
the 4-byte AS capability is not announced and so native 4-byte AS support is
disabled.
The default is
.Ic yes .
.Pp
.It Xo
.Ic announce capabilities
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
capability negotiation is disabled during the establishment of the session.
This can be helpful to connect to old or broken BGP implementations.
The default is
.Ic yes .
.Pp
.It Xo
.Ic announce enhanced refresh
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
the enhanced route refresh capability is announced.
The default is
.Ic no .
.Pp
.It Xo
.Ic announce policy
.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce
.Xc
If set to
.Ic yes ,
add the open policy role capability.
If the role of the neighbor does not correspond to the expected role then
the session will be closed.
If
.Ic enforce
is set the session will only establish if the neighbor also announces
the open policy capability.
The default is
.Ic no .
.Pp
.It Xo
.Ic announce refresh
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
the route refresh capability is not announced.
The default is
.Ic yes .
.Pp
.It Xo
.Ic announce restart
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
the graceful restart capability is not announced.
Currently only the End-of-RIB marker is supported and announced by the
.Ic restart
capability.
The default is
.Ic yes .
.Pp
.It Xo
.Ic as-override
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
all occurrences of the neighbor AS in the
.Em AS path
will be replaced with the local AS before running the filters.
The Adj-RIB-In still holds the unmodified AS path.
The default value is
.Ic no .
.Pp
.It Ic demote Ar group
Increase the
.Xr carp 4
demotion counter on the given interface group, usually
.Ar carp ,
when the session is not in state
.Em ESTABLISHED .
The demotion counter will be increased as soon as
.Xr bgpd 8
starts and decreased
60 seconds after the session went to state
.Em ESTABLISHED .
For neighbors added at runtime, the demotion counter is only increased after
the session has been
.Em ESTABLISHED
at least once before dropping.
.Pp
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.Pp
.It Ic depend on Ar interface
The neighbor session will be kept in state
.Em IDLE
as long as
.Ar interface
reports no link.
For
.Xr carp 4
interfaces, no link means that the interface is currently
.Em backup .
This is primarily intended to be used with
.Xr carp 4
to reduce failover times.
.Pp
The state of the network interfaces on the system can be viewed
using the
.Cm show interfaces
command to
.Xr bgpctl 8 .
.Pp
.It Ic descr Ar description
Add a description.
The description is used when logging neighbor events, in status
reports, for specifying neighbors, etc., but has no further meaning to
.Xr bgpd 8 .
.Pp
.It Ic down Op Ar reason
Do not start the session when
.Xr bgpd 8
comes up but stay in
.Em IDLE .
If the session is cleared at runtime, after a
.Ic down
.Ar reason
was configured at runtime, the
.Ar reason
is sent as Administrative Shutdown Communication.
The
.Ar reason
cannot exceed 255 octets.
.Pp
.It Xo
.Ic dump
.Pq Ic all Ns | Ns Ic updates
.Pq Ic in Ns | Ns Ic out
.Ar file Op Ar interval
.Xc
Dump ongoing BGP activity for a particular neighbor.
See also the
.Ic dump
setting in
.Sx GLOBAL CONFIGURATION .
.Pp
.It Xo
.Ic enforce local-as
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic no ,
.Em AS paths
will not be checked for AS loop detection.
This feature is similar to allowas-in in some other BGP implementations.
Since there is no AS path loop check, this feature is dangerous, and
requires you to add filters to prevent receiving your own prefixes.
The default value is
.Ic yes .
.Pp
.It Xo
.Ic enforce neighbor-as
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
.Em AS paths
whose
.Em leftmost AS
is not equal to the
.Em remote AS
of the neighbor are rejected and a
.Em NOTIFICATION
is sent back.
The default value for IBGP peers is
.Ic no
otherwise the default is
.Ic yes .
.Pp
.It Xo
.Ic export
.Sm off
.Pq Ic none | default-route
.Sm on
.Xc
If set to
.Ic none ,
no
.Em UPDATE
messages will be sent to the neighbor.
If set to
.Ic default-route ,
only the default route will be announced to the neighbor.
.Pp
.It Ic holdtime Ar seconds
Set the holdtime in seconds.
Inherited from the global configuration if not given.
.Pp
.It Ic holdtime min Ar seconds
Set the minimal acceptable holdtime.
Inherited from the global configuration if not given.
.Pp
.It Xo
.Ic ipsec
.Pq Ic ah Ns | Ns Ic esp
.Pq Ic in Ns | Ns Ic out
.Ic spi Ar spi-number authspec Op Ar encspec
.Xc
Enable IPsec with static keying.
There must be at least two
.Ic ipsec
statements per peer with manual keying, one per direction.
.Ar authspec
specifies the authentication algorithm and key.
It can be
.Bd -literal -offset indent
sha1 <key>
md5 <key>
.Ed
.Pp
.Ar encspec
specifies the encryption algorithm and key.
.Ic ah
does not support encryption.
With
.Ic esp ,
encryption is optional.
.Ar encspec
can be
.Bd -literal -offset indent
3des <key>
3des-cbc <key>
aes <key>
aes-128-cbc <key>
.Ed
.Pp
Keys must be given in hexadecimal format.
After changing settings, a session needs to be reset to use the new keys.
The
.Ic ipsec
flows only work with session using the default port 179.
.Pp
.It Xo
.Ic ipsec
.Pq Ic ah Ns | Ns Ic esp
.Ic ike
.Xc
Enable IPsec with dynamic keying.
In this mode,
.Xr bgpd 8
sets up the flows, and a key management daemon such as
.Xr isakmpd 8
is responsible for managing the session keys.
With
.Xr isakmpd 8 ,
it is sufficient to copy the peer's public key, found in
.Pa /etc/isakmpd/local.pub ,
to the local machine.
It must be stored in a file
named after the peer's IP address and must be stored in
.Pa /etc/isakmpd/pubkeys/ipv4/ .
The local public key must be copied to the peer in the same way.
As
.Xr bgpd 8
manages the flows on its own, it is sufficient to restrict
.Xr isakmpd 8
to only take care of keying by specifying the flags
.Fl Ka .
This can be done in
.Xr rc.conf.local 8 .
After starting the
.Xr isakmpd 8
and
.Xr bgpd 8
daemons on both sides, the session should be established.
After changing settings, a session needs to be reset to use the new keys.
The
.Ic ipsec
flows only work with session using the default port 179.
.Pp
.It Ic local-address Ar address
.It Ic no local-address
When
.Xr bgpd 8
initiates the TCP connection to the neighbor system, it normally does not
bind to a specific IP address.
If a
.Ic local-address
is given,
.Xr bgpd 8
binds to this address first.
.Ic no local-address
reverts back to the default.
.Pp
.It Ic local-as Ar as-number Op Ar as-number
Set the AS number sent to the remote system.
Used as described above under
.Sx GLOBAL CONFIGURATION
option
.Ic AS .
.Pp
Since there is no AS path loop check, this option is dangerous, and
requires you to add filters to prevent receiving your ASNs.
Intended to be used temporarily, for migrations to another AS.
.Pp
.It Ic log no
Disable neighbor specific logging.
.Pp
.It Ic log updates
Log received and sent updates for this neighbor.
.Pp
.It Xo
.Ic max-prefix Ar number
.Op Ic restart Ar number
.Xc
Terminate the session when the maximum
.Ar number
of prefixes received is exceeded
(no such limit is imposed by default).
If
.Ic restart
is specified, the session will be restarted after
.Ar number
minutes.
.Pp
.It Xo
.Ic max-prefix Ar number Ic out
.Op Ic restart Ar number
.Xc
Terminate the session when the maximum
.Ar number
of prefixes sent is exceeded
(no such limit is imposed by default).
If
.Ic restart
is specified, the session will be restarted after
.Ar number
minutes.
.Pp
.It Ic multihop Ar hops
Neighbors not in the same AS as the local
.Xr bgpd 8
normally have to be directly connected to the local machine.
If this is not the case, the
.Ic multihop
statement defines the maximum hops the neighbor may be away.
.Pp
.It Ic passive
Do not attempt to actively open a TCP connection to the neighbor system.
.Pp
.It Ic port Ar port
Connect to the peer using
.Ar port
instead of the default BGP port 179.
.Pp
.It Xo
.Ic reject Ic as-set
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
.Em AS paths
attributes containing
.Em AS_SET
path segments will be rejected and
all prefixes will be treated as withdraws.
The default is inherited from the global
.Ic reject Ic as-set
setting.
.Pp
.It Ic remote-as Ar as-number
Set the AS number of the remote system.
.Pp
.It Xo
.Ic rde Ic evaluate
.Pq Ic default Ns | Ns Ic all
.Xc
If set to
.Ar all ,
keep evaluating alternative paths in case the selected path is filtered
out.
By default if a path is filtered by the output filters then no alternative
path is sent to this peer.
The default is inherited from the global
.Ic rde Ic evaluate
setting.
.Pp
.It Ic rib Ar name
Bind the neighbor to the specified RIB.
.Pp
.It Ic role Ar role
Set the local role for this eBGP session.
Setting a role is required for ASPA verification, the open policy role
capability and Only-To-Customer (OTC) attribute of RFC 9234.
The role can be one of
.Ar none ,
.Ar provider ,
.Ar customer ,
.Ar rs ,
.Ar rs-client ,
or
.Ar peer .
If the role is set to
.Ar none
the
.Ic announce Ic policy
will also be disabled.
On iBGP session the role setting is ignored and forced to
.Ar none .
.Pp
.It Ic route-reflector Op Ar address
Act as an RFC 4456
.Em route-reflector
for this neighbor.
An optional cluster ID can be specified; otherwise the BGP ID will be used.
.Pp
.It Ic set Ar attribute ...
Set the
.Em AS path attributes
to some default per
.Ic neighbor
or
.Ic group
block:
.Bd -literal -offset indent
set localpref 300
.Ed
.Pp
See also the
.Sx ATTRIBUTE SET
section.
Set parameters are applied to the received prefixes; the only exceptions are
.Ic prepend-self ,
.Ic nexthop no-modify
and
.Ic nexthop self .
These sets are rewritten into filter rules and can be viewed with
.Dq bgpd -nv .
.Pp
.It Ic tcp md5sig password Ar secret
.It Ic tcp md5sig key Ar secret
Enable TCP MD5 signatures per RFC 2385.
The shared secret can either be given as a password or hexadecimal key.
.Bd -literal -offset indent
tcp md5sig password mekmitasdigoat
tcp md5sig key deadbeef
.Ed
After changing keys, a session needs to be reset to use the new keys.
.Pp
.It Xo
.Ic transparent-as
.Pq Ic yes Ns | Ns Ic no
.Xc
If set to
.Ic yes ,
.Em AS paths
to EBGP neighbors are not prepended with the local AS.
The default is inherited from the global
.Ic transparent-as
setting.
.Pp
.It Xo
.Ic ttl-security
.Pq Ic yes Ns | Ns Ic no
.Xc
Enable or disable ttl-security.
When enabled,
outgoing packets are sent using a TTL of 255
and a check is made against an incoming packet's TTL.
For directly connected peers,
incoming packets are required to have a TTL of 255,
ensuring they have not been routed.
For multihop peers,
incoming packets are required to have a TTL of 256 minus multihop distance,
ensuring they have not passed through more than the expected number of hops.
The default is
.Ic no .
.El
.Sh FILTER
.Xr bgpd 8
filters all BGP
.Em UPDATE
messages, including its own announcements, and blocks them by default.
Filter rules may match on neighbor, direction,
.Em prefix
or
.Em AS path attributes .
Filter rules may also modify
.Em AS path attributes .
.Pp
For each
.Em UPDATE
processed by the filter, the filter rules are evaluated in sequential order,
from first to last.
The last matching
.Ic allow
or
.Ic deny
rule decides what action is taken.
The default action is to deny.
.Pp
The following actions can be used in the filter:
.Bl -tag -width xxxxxxxx
.It Ic allow
The
.Em UPDATE
is passed.
.It Ic deny
The
.Em UPDATE
is blocked.
.It Ic match
Apply the filter attribute set without influencing the filter decision.
.El
.Sh PARAMETERS
The rule parameters specify the
.Em UPDATES
to which a rule applies.
An
.Em UPDATE
always comes from, or goes to, one neighbor.
Most parameters are optional, but each can appear at most once per rule.
If a parameter is specified, the rule only applies to packets with
matching attributes.
.Pp
.Bl -tag -width Ds -compact
.It Xo
.Ar as-type Op Ar operator
.Ar as-number
.Xc
.It Ar as-type Ic as-set Ar name
This rule applies only to
.Em UPDATES
where the
.Em AS path
matches.
The
part of the
.Em AS path
specified by the
.Ar as-type
is matched against the
.Ar as-number
or the
.Ic as-set Ar name :
.Pp
.Bl -tag -width transmit-as -compact
.It Ic AS
(any part)
.It Ic peer-as
(leftmost AS number)
.It Ic source-as
(rightmost AS number)
.It Ic transit-as
(all but the rightmost AS number)
.El
.Pp
.Ar as-number
is an AS number as explained above under
.Sx GLOBAL CONFIGURATION .
It may be set to
.Ic neighbor-as ,
which is expanded to the current neighbor remote AS number, or
.Ic local-as ,
which is expanded to the locally assigned AS number.
.Pp
When specifying an
.Ic as-set Ar name ,
the AS path will instead be matched against all the AS numbers in the set.
.Pp
The
.Ar operator
can be unspecified (this case is identical to the equality operator), or one
of the numerical operators
.Bd -literal -offset indent
=	(equal)
!=	(unequal)
-	(range including boundaries)
><	(except range)
.Ed
.Pp
>< and -
are binary operators (they take two arguments); with these,
.Ar as-number
cannot be set to
.Ic neighbor-as .
.Pp
Multiple
.Ar as-number
entries for a given type or
.Ar as-type as-number
entries may also be specified,
separated by commas or whitespace,
if enclosed in curly brackets:
.Bd -literal -offset indent
deny from any AS { 1, 2, 3 }
deny from any { AS 1, source-as 2, transit-as 3 }
deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }
.Ed
.Pp
.It Xo
.Ic avs
.Pq Ic valid | unknown | invalid
.Xc
This rule applies only to
.Em UPDATES
where the ASPA Validation State (AVS) matches.
.Pp
.It Xo
.Ic community
.Ar as-number Ns Li \&: Ns Ar local
.Xc
.It Ic community Ar name
This rule applies only to
.Em UPDATES
where the
.Ic community
path attribute is present and matches.
Communities are specified as
.Ar as-number : Ns Ar local ,
where
.Ar as-number
is an AS number and
.Ar local
is a locally significant number between zero and
.Li 65535 .
Both
.Ar as-number
and
.Ar local
may be set to
.Sq *
to do wildcard matching.
Alternatively, well-known communities may be given by name instead and
include
.Ic BLACKHOLE ,
.Ic GRACEFUL_SHUTDOWN ,
.Ic NO_EXPORT ,
.Ic NO_ADVERTISE ,
.Ic NO_EXPORT_SUBCONFED ,
and
.Ic NO_PEER .
Both
.Ar as-number
and
.Ar local
may be set to
.Ic neighbor-as ,
which is expanded to the current neighbor remote AS number, or
.Ic local-as ,
which is expanded to the locally assigned AS number.
.Pp
.It Xo
.Ic large-community
.Ar as-number : Ns Ar local : Ns Ar local
.Xc
This rule applies only to
.Em UPDATES
where the
.Ic Large community
path attribute is present and matches.
Communities are specified as
.Ar as-number : Ns Ar local : Ns Ar local ,
where
.Ar as-number
is an AS number and
.Ar local
is a locally significant number between zero and
.Li 4294967295 .
Both
.Ar as-number
and
.Ar local
may be set to
.Sq *
to do wildcard matching,
.Ic neighbor-as ,
which is expanded to the current neighbor remote AS number, or
.Ic local-as ,
which is expanded to the locally assigned AS number.
.Pp
.It Xo
.Ic ext-community
.Ar subtype as-number : Ns Ar local
.Xc
.It Xo
.Ic ext-community
.Ar subtype IP : Ns Ar local
.Xc
.It Xo
.Ic ext-community
.Ar subtype numvalue
.Xc
.It Xo
.Ic ext-community
.Ic ovs
.Pq Ic valid | not-found | invalid
.Xc
This rule applies only to
.Em UPDATES
where the
.Em extended community
path attribute is present and matches.
Extended Communities are specified by a
.Ar subtype
and normally two values, a globally unique part (e.g. the AS number) and a
local part.
Both
.Ar as-number
and
.Ar local
may be set to
.Ic neighbor-as ,
which is expanded to the current neighbor remote AS number, or
.Ic local-as ,
which is expanded to the locally assigned AS number.
Wildcard matching is supported for
.Ar local ,
.Ar numvalue
and
.Ar subtype .
If wildcard matching is used on the
.Ar subtype
then
.Ar numvalue
also needs to be set to
.Sq * .
See also the
.Sx ATTRIBUTE SET
section for further information about the encoding.
.Pp
.It Xo
.Pq Ic from Ns | Ns Ic to
.Ar peer
.Xc
This rule applies only to
.Em UPDATES
coming from, or going to, this particular neighbor.
This parameter must be specified.
.Ar peer
is one of the following:
.Pp
.Bl -tag -width "group descr" -compact
.It Ic any
Any neighbor will be matched.
.It Ic ibgp
All
.Em IBGP
neighbors will be matched.
.It Ic ebgp
All
.Em EBGP
neighbors will be matched.
.It Ar address
Neighbors with this address will be matched.
.It Ic group Ar descr
Neighbors in this group will be matched.
.It Ic AS Ar as-number
Neighbors with this AS will be matched.
.El
.Pp
Multiple
.Ar peer
entries may also be specified,
separated by commas or whitespace,
if enclosed in curly brackets:
.Bd -literal -offset indent
deny from { 128.251.16.1, 251.128.16.2, group hojo }
.Ed
.Pp
.It Pq Ic inet Ns | Ns Ic inet6
Match only routes in the IPv4 or IPv6 address families, respectively.
.Ic inet
is an alias for
.Qq prefix 0.0.0.0/0 prefixlen >= 0 ;
.Ic inet6
is an alias for
.Qq prefix ::/0 prefixlen >= 0 .
.Pp
.It Ic max-as-len Ar len
This rule applies only to
.Em UPDATES
where the
.Em AS path
has more than
.Ar len
elements.
.Pp
.It Ic max-as-seq Ar len
This rule applies only to
.Em UPDATES
where a single
.Em AS number
is repeated more than
.Ar len
times.
.Pp
.It Ic max-communities Ns | Ns Ic max-large-communities Ns | \
Ns Ic max-ext-communities Ar num
This rule applies only to
.Em UPDATES
where the
.Em Basic ,
.Em Large ,
or
.Em Extended Community
attribute has more than
.Ar num
elements.
.Pp
.It Ic nexthop Ar address
This rule applies only to
.Em UPDATES
where the nexthop is equal to
.Ar address .
The
.Ar address
can be set to
.Em neighbor
in which case the nexthop is compared against the address of the neighbor.
Nexthop filtering is not supported on locally announced networks and one must
take into consideration previous rules overwriting nexthops.
.Pp
.It Ic origin-set Ar name
This rule applies only to
.Em UPDATES
that match the given origin-set
.Ar name .
.Pp
.It Xo
.Ic ovs
.Pq Ic valid | not-found | invalid
.Xc
This rule applies only to
.Em UPDATES
where the Origin Validation State (OVS) matches.
.Pp
.It Ic prefix Ar address Ns Li / Ns Ar len
.It Ic prefix Ar address Ns Li / Ns Ar len Ic prefixlen Ar range
.It Ic prefix Ar address Ns Li / Ns Ar len Ic or-longer
.It Ic prefix Ar address Ns Li / Ns Ar len Ic maxlen Ar mlen
This rule applies only to
.Em UPDATES
for the specified prefix.
.Pp
Multiple entries may be specified,
separated by commas or whitespace,
if enclosed in curly brackets:
.Bd -literal -offset indent
deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }
.Ed
.Pp
Multiple lists can also be specified, which is useful for
macro expansion:
.Bd -literal -offset indent
good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }"
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

deny from any prefix { $good $bad $ugly }
.Ed
.Pp
Prefix length ranges are specified by using these operators:
.Bd -literal -offset indent
=	(equal)
!=	(unequal)
<	(less than)
<=	(less than or equal)
>	(greater than)
>=	(greater than or equal)
-	(range including boundaries)
><	(except range)
.Ed
.Pp
>< and -
are binary operators (they take two arguments).
For instance, to match all prefix lengths >= 8 and <= 12, and hence the
CIDR netmasks 8, 9, 10, 11 and 12:
.Bd -literal -offset indent
prefixlen 8-12
.Ed
.Pp
Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks
0\(en7 and 13\(en32:
.Bd -literal -offset indent
prefixlen 8><12
.Ed
.Pp
This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer
than 16:
.Bd -literal -offset indent
prefix 10.0.0.0/8 prefixlen > 16
.Ed
.Pp
.Ic or-longer
is a shorthand for:
.Bd -literal -offset indent
.Ic prefix Ar address Ns Li / Ns Ar len Ic prefixlen >= Ar len
.Ed
.Pp
.Ic maxlen Ar mlen
is a shorthand for:
.Bd -literal -offset indent
.Ic prefix Ar address Ns Li / Ns Ar len Ic prefixlen <= Ar mlen
.Ed
.Pp
.It Ic prefix-set Ar name Op Ic or-longer
This rule applies only to
.Em UPDATES
that match the given prefix-set
.Ar name .
With
.Ic or-longer ,
the
.Em UPDATES
will match any prefix in the prefix-set where
.Bd -literal -offset indent
.Ic address Ns Li / Ns Ar len Ic prefixlen >= Ar len
.Ed
.Pp
.It Ic quick
If an
.Em UPDATE
matches a rule which has the
.Ic quick
option set, this rule is considered the last matching rule, and evaluation
of subsequent rules is skipped.
.Pp
.It Ic rib Ar name
Apply rule only to the specified RIB.
This only applies for received updates, so not for rules using the
.Ar to peer
parameter.
.Pp
.It Ic set Ar attribute ...
All matching rules can set the
.Em AS path attributes
to some default.
The set of every matching rule is applied, not only the last matching one.
See also the following section.
.El
.Sh ATTRIBUTE SET
.Em AS path attributes
can be modified with
.Ic set .
.Pp
.Ic set
can be used on
.Ic network
statements, in
.Ic neighbor
or
.Ic group
blocks, and on filter rules.
Attribute sets can be expressed as lists.
.Pp
The following attributes can be modified:
.Pp
.Bl -tag -width Ds -compact
.It Xo
.Ic community Op Ar delete
.Ar as-number : Ns Ar local
.Xc
.It Xo
.Ic community Op Ar delete
.Ar name
.Xc
Set or delete the
.Em COMMUNITIES
AS path attribute.
Communities are specified as
.Ar as-number : Ns Ar local ,
where
.Ar as-number
is an AS number and
.Ar local
is a locally significant number between zero and
.Li 65535 .
Alternately, well-known communities may be specified by name:
.Ic GRACEFUL_SHUTDOWN ,
.Ic NO_EXPORT ,
.Ic NO_ADVERTISE ,
.Ic NO_EXPORT_SUBCONFED ,
or
.Ic NO_PEER .
For
.Cm delete ,
both
.Ar as-number
and
.Ar local
may be set to
.Sq *
to do wildcard matching.
.Pp
.It Xo
.Ic large-community Op Ar delete
.Ar as-number : Ns Ar local : Ns Ar local
.Xc
.It Xo
.Ic large-community Op Ar delete
.Ar name
.Xc
Set or delete the
.Em Large Communities
path attribute.
Communities are specified as
.Ar as-number : Ns Ar local : Ns Ar local ,
where
.Ar as-number
is an AS number and
.Ar local
is a locally significant number between zero and
.Li 4294967295 .
For
.Cm delete ,
both
.Ar as-number
and
.Ar local
may be set to
.Sq *
to do wildcard matching.
.Pp
.It Xo
.Ic ext-community Op Ar delete
.Ar subtype as-number : Ns Ar local
.Xc
.It Xo
.Ic ext-community Op Ar delete
.Ar subtype IP : Ns Ar local
.Xc
.It Xo
.Ic ext-community Op Ar delete
.Ar subtype numvalue
.Xc
.It Xo
.Ic ext-community Op Ar delete
.Ic ovs
.Pq Ic valid | not-found | invalid
.Xc
Set or delete the
.Em Extended Community
AS path attribute.
Extended Communities are specified by a
.Ar subtype
and normally two values, a globally unique part (e.g. the AS number) and a
local part.
The type is selected depending on the encoding of the global part.
Two-octet AS Specific Extended Communities and Four-octet AS Specific Extended
Communities are encoded as
.Ar as-number : Ns Ar local .
Four-octet encoding is used if the
.Ar as-number
is bigger than 65535 or if the AS_DOT encoding is used.
IPv4 Address Specific Extended Communities are encoded as
.Ar IP : Ns Ar local .
Opaque Extended Communities are encoded with a single numeric value.
The
.Ar ovs
subtype can only be set to
.Ar valid ,
.Ar not-found ,
or
.Ar invalid .
Currently the following subtypes are supported:
.Bd -literal -offset indent
bdc      BGP Data Collection
defgw	 Default Gateway
esi-lab  ESI Label
esi-rt   ES-Import Route Target
l2vid    L2VPN Identifier
mac-mob  MAC Mobility
odi      OSPF Domain Identifier
ort      OSPF Route Type
ori      OSPF Router ID
ovs      BGP Origin Validation State
rt       Route Target
soo      Route Origin / Source of Origin
srcas    Source AS
vrfri    VRF Route Import
.Ed
.Pp
Not all type and subtype value pairs are allowed by IANA and the parser
will ensure that no invalid combination is created.
.Pp
For
.Cm delete ,
.Ar subtype ,
.Ar numvalue ,
or
.Ar local ,
may be set to
.Sq *
to do wildcard matching.
If wildcard matching is used on the
.Ar subtype
then
.Ar numvalue
also needs to be set to
.Sq * .
.Pp
.It Ic localpref Ar number
Set the
.Em LOCAL_PREF
AS path attribute.
If
.Ar number
starts with a plus or minus sign,
.Em LOCAL_PREF
will be adjusted by adding or subtracting
.Ar number ;
otherwise it will be set to
.Ar number .
The default is 100.
.Pp
.It Ic med Ar number
.It Ic metric Ar number
Set the
.Em MULTI_EXIT_DISC
AS path attribute.
If
.Ar number
starts with a plus or minus sign,
.Em MULTI_EXIT_DISC
will be adjusted by adding or subtracting
.Ar number ;
otherwise it will be set to
.Ar number .
.Pp
.It Xo
.Ic origin
.Sm off
.Pq Ic igp | egp | incomplete
.Sm on
.Xc
Set the
.Em ORIGIN
AS path attribute to mark the source of this
route as being injected from an igp protocol, an egp protocol
or being an aggregated route.
.Pp
.It Xo
.Ic nexthop
.Sm off
.Pq Ar address | Ic blackhole | reject | self | no-modify
.Sm on
.Xc
Set the
.Em NEXTHOP
AS path attribute
to a different nexthop address or use blackhole or reject routes.
.Em blackhole
and
.Em reject
only affect the FIB and will not alter the nexthop address.
.Em self
forces the nexthop to be set to the local interface address.
If set to
.Em no-modify ,
the nexthop attribute is not modified for EBGP multihop sessions.
By default EBGP multihop sessions use the local interface address.
On other IBGP and directly connected EBGP sessions
.Em no-modify
is ignored.
The set
.Ar address
is used on IBGP session and on directly connected EBGP session if the
.Ar address
is part of the connected network.
On EBGP multihop session
.Em no-modify
has to be set to force the nexthop to
.Ar address .
.Bd -literal -offset indent
set nexthop 192.168.0.1
set nexthop blackhole
set nexthop reject
set nexthop no-modify
set nexthop self
.Ed
.Pp
.It Ic pftable Ar table
Add the prefix in the update to the specified
.Xr pf 4
table, regardless of whether or not the path was selected for routing.
This option may be useful in building realtime blacklists.
.Pp
.It Ic prepend-neighbor Ar number
Prepend the neighbor's AS
.Ar number
times to the
.Em AS path .
.Pp
.It Ic prepend-self Ar number
Prepend the local AS
.Ar number
times to the
.Em AS path .
.Pp
.It Ic rtlabel Ar label
Add the prefix to the kernel routing table with the specified
.Ar label .
.Pp
.It Ic weight Ar number
The
.Em weight
is used to tip prefixes with equally long AS paths in one or
the other direction.
A prefix is weighed at a very late stage in the decision process.
If
.Ar number
starts with a plus or minus sign, the
.Em weight
will be adjusted by adding or subtracting
.Ar number ;
otherwise it will be set to
.Ar number .
.Em Weight
is a local non-transitive attribute, and is a
.Xr bgpd 8 Ns -specific
extension.
For prefixes with equally long paths, the prefix with the larger weight
is selected.
.El
.Sh FILES
.Bl -tag -width "/etc/examples/bgpd.conf" -compact
.It Pa /etc/bgpd.conf
.Xr bgpd 8
configuration file.
.It Pa /etc/examples/bgpd.conf
Example configuration file.
.El
.Sh SEE ALSO
.Xr strftime 3 ,
.Xr ipsec 4 ,
.Xr pf 4 ,
.Xr rdomain 4 ,
.Xr tcp 4 ,
.Xr bgpctl 8 ,
.Xr bgpd 8 ,
.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
.Xr rc.conf.local 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 3.5 .