BGPD.CONF(5)		      File Formats Manual		  BGPD.CONF(5)

NAME
       bgpd.conf -- BGP	routing	daemon configuration file

DESCRIPTION
       The  bgpd(8) daemon implements the Border Gateway Protocol version 4 as
       described in RFC	4271.

       The bgpd.conf config file is divided into the following main sections:

       "MACROS"
	     User-defined variables may	be defined and used later, simplifying
	     the configuration file.

       "GLOBAL CONFIGURATION"
	     Global settings for bgpd(8).

       "SET CONFIGURATION"
	     Various lookup tables are defined in this section.

       "NETWORK	AND FLOWSPEC ANNOUNCEMENTS"
	     Networks which should be announced	by bgpd(8)  are	 set  in  this
	     section.

       "MPLS VPN CONFIGURATION"
	     The  definition  and properties for BGP MPLS VPNs are set in this
	     section.

       "NEIGHBORS AND GROUPS"
	     bgpd(8) establishes sessions with neighbors.  The neighbor	defin-
	     ition and properties are set in this section, as well as grouping
	     neighbors for the ease of configuration.

       "FILTER"
	     Filter rules for incoming and outgoing UPDATES.

       With the	exception of macros, the sections should be grouped and	appear
       in bgpd.conf in the order shown above.

       The current line	can be extended	over multiple lines using a  backslash
       (`\').	Comments  can  be  put	anywhere in the	file using a hash mark
       (`#'), and extend to the	end of the current line.  Care should be taken
       when commenting out multi-line text: the	comment	is effective until the
       end of the entire block.

       Argument	names not beginning with a letter, digit, or  underscore  must
       be quoted.

       Additional  configuration  files	 can be	included with the include key-
       word, for example:

	     include "/etc/bgpd/bgpd-10.0.0.1.filter"

MACROS
       Macros can be defined that will later be	expanded  in  context.	 Macro
       names  must  start with a letter, digit,	or underscore, and may contain
       any of those characters.	 Macro names may not be	 reserved  words  (for
       example,	 AS,  neighbor,	 or  group).   Macros  are not expanded	inside
       quotes.

       For example:

	     peer1="1.2.3.4"
	     neighbor $peer1 {
		     remote-as 65001
	     }
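
       The following is an added illustration, not bgpd's own parser, of the
       preprocessing rules described above: backslash line continuation, hash
       comments outside quotes, macro definition and $name expansion that is
       skipped inside quotes, and the reserved-word check.  The sample input
       and the macro names in it are constructed; the reserved-word list only
       contains the three examples the text names.

```python
import re

# Reserved words named in the text above (not bgpd's complete keyword list).
RESERVED = {"AS", "neighbor", "group"}
MACRO_NAME = re.compile(r"[A-Za-z0-9_]+")
MACRO_DEF = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def join_continuations(text):
    """A trailing backslash extends the current line over the next one."""
    return re.sub(r"\s*\\\n\s*", " ", text)


def strip_comment(line):
    """Drop a '#' comment, honouring double quotes so '#' inside a string survives."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def expand_macros(line, macros):
    """Replace $name outside quotes with its value; quoted text is left untouched."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
            out.append(ch)
            i += 1
        elif ch == "$" and not in_quote:
            m = MACRO_NAME.match(line, i + 1)
            if not m:
                raise ValueError("bad macro reference in %r" % line)
            name = m.group(0)
            if name not in macros:
                raise ValueError("macro %r used before definition" % name)
            out.append(macros[name])
            i = m.end()
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def preprocess(text):
    """Return the logical, comment-free, macro-expanded lines of a config text."""
    macros, result = {}, []
    for raw in join_continuations(text).split("\n"):
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.groups()
            if name in RESERVED:
                raise ValueError("macro name %r is a reserved word" % name)
            macros[name] = value
            continue
        result.append(expand_macros(line, macros))
    return result


# Constructed sample input (not a real deployment).
SAMPLE = (
    "# constructed sample, not from a real deployment\n"
    'peer1="192.0.2.1"\n'
    'peer_as="65001"\n'
    "neighbor $peer1 {          # macro expanded here\n"
    '\tdescr "peer $peer1"      # but not inside quotes\n'
    "\tremote-as \\\n"
    "\t\t$peer_as\n"
    "}\n"
)

if __name__ == "__main__":
    for logical_line in preprocess(SAMPLE):
        print(logical_line)
```

       Note that `descr "peer $peer1"` keeps its literal `$peer1`, exactly the
       behaviour the text warns about when a macro is meant to appear inside a
       quoted string.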

GLOBAL CONFIGURATION
       These settings affect the operation of the bgpd(8) daemon as a whole.

       AS as-number [as-number]
	       Set the local autonomous	system number to as-number.   A	 fall-
	       back  2-byte AS number may follow a 4-byte AS number for	neigh-
	       bors that do not	support	4-byte AS numbers.  The	 standard  and
	       default fallback	AS number is 23456.

	       The AS numbers are assigned by local RIRs, such as:

	       AfriNIC	 for Africa
	       APNIC	 for Asia Pacific
	       ARIN	 for North America and parts of	the Caribbean
	       LACNIC	 for Latin America and the Caribbean
	       RIPE NCC	 for Europe, the Middle	East, and parts	of Asia

	       The  AS	numbers	 64512 - 65534 are designated for private use.
	       The AS number 23456 is reserved and should not be used.	4-byte
	       AS numbers may be specified in either the ASPLAIN format:

		     AS	196618

	       or in the older ASDOT format:

		     AS	3.10
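
       As an added Python illustration (not bgpd code) of the AS number rules
       above: ASDOT/ASPLAIN conversion, the private range, the reserved
       23456 placeholder, and what ends up in the 2-byte OPEN field when the
       local AS is a 4-byte number.  The sanity checks in check_as_statement
       are this editor's reading of the constraints stated in the text, not
       bgpd's actual parser diagnostics.

```python
AS_TRANS = 23456                   # reserved 2-byte placeholder, the default fallback above
PRIVATE_ASN_RANGE = (64512, 65534)


def asdot_to_asplain(text):
    """Parse 'high.low' (ASDOT) or a plain decimal string into an integer ASN."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("ASDOT component out of range: %r" % text)
        return high * 65536 + low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN out of range: %r" % text)
    return asn


def asplain_to_asdot(asn):
    """Render an ASN as high.low (e.g. 196618 -> '3.10')."""
    return "%d.%d" % divmod(asn, 65536)


def is_private_asn(asn):
    return PRIVATE_ASN_RANGE[0] <= asn <= PRIVATE_ASN_RANGE[1]


def open_my_as_field(local_as, fallback_as=AS_TRANS):
    """Value placed in the 2-byte 'My Autonomous System' field of OPEN.

    A 4-byte ASN does not fit, so the fallback is sent there and the real
    ASN travels in the 4-byte AS capability (RFC 6793)."""
    return local_as if local_as <= 65535 else fallback_as


def check_as_statement(local_as, fallback_as=None):
    """Return a list of problems with 'AS as-number [as-number]' values."""
    problems = []
    if local_as == AS_TRANS:
        problems.append("AS 23456 is reserved and should not be used as the local AS")
    if fallback_as is not None:
        if local_as <= 65535:
            problems.append("a fallback AS only makes sense after a 4-byte AS")
        if fallback_as > 65535:
            problems.append("the fallback AS must be a 2-byte AS number")
    return problems


if __name__ == "__main__":
    print(asdot_to_asplain("3.10"), asplain_to_asdot(196618))
    print(open_my_as_field(196618), check_as_statement(196618, 65001))
```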

       connect-retry seconds
	       Set the number of seconds to wait before	attempting to  re-open
	       a  connection.  This timer should be sufficiently large in EBGP
	       configurations.	The default is 120 seconds.

       dump [rib name] (table-v2|table-mp|table) file [interval]
       dump (all|updates) (in|out) file	[interval]
	       Dump the	RIB, a.k.a. the	routing	information base, or dump  on-
	       going  BGP  activity,  in  Multi-threaded Routing Toolkit (MRT)
	       format.	The file is subject to strftime(3)-expansion.

	       The table-v2 and	table-mp RIB formats store multi-protocol RIBs
	       correctly, but the table	format does not.  The latter  two  are
	       provided	 only to support third-party tools lacking support for
	       the recommended table-v2	format.	 Dump an  alternative  RIB  by
	       specifying  name.   Specify an interval in seconds for periodic
	       RIB dumps.

	       The following will dump the entire RIB table,  at  startup  and
	       every 5 minutes thereafter, to a	new file:

		     dump table-v2 "/tmp/rib-dump-%H%M"	300

	       Dumps  of  ongoing  BGP	activity include all BGP state transi-
	       tions, and all BGP messages in the  specified  direction.   Use
	       updates to dump only BGP	UPDATE messages, without state transi-
	       tions.	Specify	an interval in seconds to restart periodically
	       with a new file:

		     dump all in "/tmp/all-in-%H%M" 300

       fib-priority prio
	       Set the routing priority	to prio.  The default is 48.

       fib-update (yes|no)
	       If set to no, do	not update the	Forwarding  Information	 Base,
	       a.k.a. the kernel routing table.	 The default is	yes.

       holdtime	seconds
	       Set  the	announced holdtime in seconds.	This is	exchanged with
	       a neighbor upon connection establishment, in the	OPEN  message,
	       and the shortest	holdtime governs the session.

	       The  neighbor session is	dropped	if the session holdtime	passes
	       without receipt of a KEEPALIVE or an UPDATE  message  from  the
	       neighbor.  The default is 90 seconds.

       holdtime	min seconds
	       The minimum acceptable holdtime in seconds.  This value must be
	       at least	3.

       listen on address [port port]
	       Specify	the  local IP address and optional port	for bgpd(8) to
	       listen on.  The default is to listen on all local addresses  on
	       the current default routing domain.

       log updates
	       Log sent	and received BGP update	messages.

       nexthop qualify via (bgp|default)
	       If  set	to  bgp, bgpd(8) may verify nexthops using BGP routes.
	       If set to default, bgpd(8) may verify nexthops  using  the  de-
	       fault  route.   By  default  bgpd(8) uses only static routes or
	       routes added by other routing daemons, such as ospfd(8).

       rde evaluate (default|all)
	       If set to all, keep evaluating alternative paths	 in  case  the
	       selected	 path  is  filtered out.  By default if	a path is fil-
	       tered by	the output filters then	no alternative path is sent to
	       this peer.

       rde med compare (always|strict)
	       If set to always, the MULTI_EXIT_DISC attributes	will always be
	       compared.  The default is strict, where the metric is only com-
	       pared between peers belonging to	the same AS.

       rde rib name [no	evaluate]
       rde rib name [rtable number]
	       Create an additional RIB	named name.  The degree	to  which  its
	       routes  may  be utilized	is configurable.  They may be excluded
	       from the	decision process that selects usable routes  with  the
	       no evaluate flag, and this precludes their export to any	kernel
	       routing	table.	 By  default its routes	will be	evaluated, but
	       not exported to the kernel.  They may be	both evaluated and ex-
	       ported if associated with a given rtable	number,	which must be-
	       long to the routing domain that bgpd(8) was started  in.	  This
	       table  will not be consulted during nexthop verification	unless
	       it is the one that bgpd(8) was started in.  It  is  unnecessary
	       to  create  Adj-RIB-In and Loc-RIB, which are created automati-
	       cally and used by default.

       rde rib Loc-RIB include filtered
	       Include filtered	prefixes in the	 Loc-RIB.   Filtered  prefixes
	       are  not	 eligible by the decision process but can be displayed
	       by bgpctl(8).

       rde route-age (ignore|evaluate)
	       If set to evaluate, the route decision process will  also  con-
	       sider  the age of the route in addition to its path attributes,
	       giving preference to the	older, typically more  stable,	route.
	       This  renders  the  decision process nondeterministic.  The de-
	       fault is	ignore.

       reject as-set (yes|no)
	       If set to yes, AS paths attributes containing AS_SET path  seg-
	       ments  will  be	rejected  and  all prefixes will be treated as
	       withdraws.  The default is no.

       router-id dotted-quad
	       Set the BGP router ID, which must be  non-zero  and  should  be
	       unique within the AS.  By default, the router ID	is the highest
	       IPv4 address assigned to	the local machine.

		     router-id 10.0.0.1

       rtable number
	       Work with the given kernel routing table	instead	of the default
	       table,  which  is  the one bgpd(8) was started in.  For nexthop
	       verification, bgpd(8) will always consult  the  default	table.
	       This is the same	as using the following syntax:

		     rde rib Loc-RIB rtable number

       socket "path" [restricted]
	       Create a	control	socket at path.	 If restricted is specified, a
	       restricted   control   socket  will  be	created.   By  default
	       /var/run/bgpd.sock.<rdomain> is used  where  <rdomain>  is  the
	       routing	domain in which	bgpd(8)	has been started.  By default,
	       no restricted socket is created.

       transparent-as (yes|no)
	       If set to yes, AS paths to EBGP	neighbors  are	not  prepended
	       with the	local AS.  The default is no.

SET CONFIGURATION
       bgpd(8)	supports  the  efficient lookup	of data	within named sets.  An
       as-set, a prefix-set, and an origin-set store AS	numbers, prefixes, and
       prefixes/source-as pairs, respectively.	Such sets may be referenced by
       filter rules; see the "FILTER" section for details.  It is  more	 effi-
       cient  to evaluate a set	than a long series of rules for	filtering each
       of its members.

       One single roa-set may be defined, against which	bgpd(8)	will  validate
       the  origin  of	each  prefix.  The roa-set and the aspa-set are	merged
       with the	corresponding tables received via rtr sessions.

       A set definition	can span multiple lines, and an	optional comma is  al-
       lowed between elements.	The same set can be defined more than once, in
       this case the definitions are merged into one common set.

       as-set name { as-number ... }
	       An  as-set  stores AS numbers, and can be used with the AS spe-
	       cific parameter in "FILTER" rules.

       aspa-set	 {  customer-as	 as-number  [expires  seconds]	provider-as  {
	       as-number ... } ... }
	       The  aspa-set  holds  a	collection  of Validated ASPA Payloads
	       (VAPs).  Each AS_PATH received from an eBGP peer is checked
	       against	the  aspa-set,	and the	ASPA Validation	State (AVS) is
	       set.  expires can be set	to the seconds since Epoch until  when
	       this VAP	is valid.

		     aspa-set {
			     customer-as 64511 provider-as { 64496 65496 }
			     customer-as 64496 provider-as { 65496 64544 }
		     }
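
       The aspa-set above, used by an added Python illustration (not bgpd's
       implementation) of the hop check behind ASPA validation.  It covers the
       upstream case only, i.e. a route learned from a customer (local role
       provider), where every hop from the origin toward the neighbor must be
       an authorised customer-to-provider hop; bgpd selects the upstream or
       downstream algorithm from the configured role (see role under
       "NEIGHBORS AND GROUPS"), and AS_SET segments are not handled here.
       AS_PATH is given leftmost-first, neighbor first and origin last.

```python
PROVIDER_PLUS, NOT_PROVIDER_PLUS, NO_ATTESTATION = (
    "Provider+", "Not Provider+", "No Attestation")

# The aspa-set example from above: customer AS -> set of authorised providers.
ASPA_SET = {
    64511: {64496, 65496},
    64496: {65496, 64544},
}


def hop_check(customer, candidate_provider, aspa):
    """Classify one hop: does 'customer' attest 'candidate_provider' as a provider?"""
    if customer not in aspa:
        return NO_ATTESTATION              # no VAP for this AS at all
    if candidate_provider in aspa[customer]:
        return PROVIDER_PLUS
    return NOT_PROVIDER_PLUS               # VAP exists but does not list this provider


def aspa_upstream_state(as_path, aspa):
    """AVS for a path that should be customer->provider all the way.

    Consecutive duplicates (prepends) are collapsed first.  Walking from the
    origin toward the neighbor, any Not Provider+ hop makes the path invalid,
    all Provider+ hops make it valid, anything else is unknown."""
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    origin_first = path[::-1]
    hops = [hop_check(c, p, aspa) for c, p in zip(origin_first, origin_first[1:])]
    if any(h == NOT_PROVIDER_PLUS for h in hops):
        return "invalid"
    if all(h == PROVIDER_PLUS for h in hops):
        return "valid"
    return "unknown"


if __name__ == "__main__":
    # Constructed paths; 65000 and 64544 are stand-ins with no VAP of their own.
    for p in ([65496, 64496, 64511], [64544, 64511], [64496, 65000]):
        print(p, aspa_upstream_state(p, ASPA_SET))
```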

       origin-set name { address/len [maxlen mlen] source-as asn ... }
	       An origin-set stores prefix/source-as pairs, and	can be used to
	       filter  on the combination by using the origin-set parameter in
	       "FILTER"	rules.

		     origin-set	private	{ 10.0.0.0/8 maxlen 24 source-as 64511
					  203.0.113.0/24 source-as 64496 }

       prefix-set name { address/len ... }
	       A prefix-set stores network prefixes and	can be used  in	 place
	       of  the	prefix	parameter  in  "FILTER"	 rules,	and in network
	       statements.  A prefix can be followed by	the  prefixlen	opera-
	       tors  listed  for the prefix parameter in the "PARAMETERS" sec-
	       tion.

	       The first example  below	 creates  a  set  of  prefixes	called
	       "private", to hold a number of RFC 1918 private network blocks.
	       The second example shows	the use	of prefixlen operators.

		     prefix-set	private	{ 10.0.0.0/8, 172.16.0.0/12,
					  192.168.0.0/16, fc00::/7 }
		     prefix-set	as64496set { 192.0.2.0/24 prefixlen >= 26,
					     2001:db8::/32 or-longer }

       roa-set { address/len [maxlen mlen] source-as asn [expires seconds] ...
	       }
	       The  roa-set  holds  a  collection  of  Validated  ROA Payloads
	       (VRPs).	Each received prefix is	checked	against	 the  roa-set,
	       and  the	 Origin	Validation State (OVS) is set.	expires	can be
	       set to the seconds since	Epoch until when this VRP is valid.

		     roa-set { 192.0.2.0/23 maxlen 24 source-as	64511
			       203.0.113.0/24 source-as	64496 }

       rtr address { ... }
	       The rtr block specifies a RPKI to Router	 (RTR)	session.   RTR
	       sessions	 provide  another means	to load	VRP sets into bgpd(8).
	       Changes propagated via the RTR protocol do not  need  a	config
	       reload  and are immediately applied.  The union of all VRP sets
	       received	via rtr	sessions and the entries  in  the  roa-set  is
	       used to validate	the origin of routes.  The rtr session proper-
	       ties are	as follows:

	       descr description
		       Add  a description.  The	description is used in logging
		       and status reports, but	has  no	 further  meaning  for
		       bgpd(8).

	       local-address address
		       Bind  to	the specific IP	address	before opening the TCP
		       connection to the rtr server.

	       min-version number
		       Require a minimal RTR version of number.  To ensure that
		       ASPA records are synchronised over RTR a minimal version
		       of 2 is required.

	       port number
		       Specify the TCP destination port	for the	 rtr  session.
		       If not specified, the default port is 323.
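
       The roa-set example above and the rtr union rule, as an added Python
       illustration (not bgpd code) of how a received prefix gets its Origin
       Validation State: the static roa-set and the VRPs learned over RTR are
       merged, expired entries are dropped, and the prefix is classified as
       valid, invalid or not-found following RFC 6811.  The RTR-learned VRPs,
       the timestamp NOW and the IPv6 entry are constructed values.

```python
import ipaddress

# Constructed timestamp so the example is deterministic; a daemon would use time.time().
NOW = 1_700_000_000


class VRP:
    """One Validated ROA Payload: prefix, maximum length, origin AS, optional expiry."""

    def __init__(self, prefix, source_as, maxlen=None, expires=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.source_as = source_as
        self.maxlen = self.prefix.prefixlen if maxlen is None else maxlen
        self.expires = expires  # seconds since Epoch; None means never expires

    def covers(self, net):
        return net.version == self.prefix.version and net.subnet_of(self.prefix)


# The roa-set example from above, as static configuration.
ROA_SET = [
    VRP("192.0.2.0/23", 64511, maxlen=24),
    VRP("203.0.113.0/24", 64496),
]

# Constructed stand-in for VRPs received over an rtr session.
RTR_VRPS = [
    VRP("2001:db8::/32", 64496, maxlen=48, expires=NOW + 3600),
    VRP("198.51.100.0/24", 64511, expires=NOW - 1),   # already expired
]


def active_vrps(static, from_rtr, now=NOW):
    """Union of roa-set and RTR tables, minus entries whose expires has passed."""
    return [v for v in static + from_rtr if v.expires is None or v.expires > now]


def origin_validation_state(prefix, origin_as, vrps):
    """not-found if no VRP covers the prefix; valid if a covering VRP has the
    same origin AS and prefixlen <= maxlen; otherwise invalid."""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if v.covers(net)]
    if not covering:
        return "not-found"
    if any(v.source_as == origin_as and net.prefixlen <= v.maxlen for v in covering):
        return "valid"
    return "invalid"


def ovs(prefix, origin_as, now=NOW):
    return origin_validation_state(prefix, origin_as, active_vrps(ROA_SET, RTR_VRPS, now))


if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64511), ("192.0.2.0/25", 64511),
                 ("192.0.2.0/24", 64496), ("198.51.100.0/24", 64511),
                 ("2001:db8:1::/48", 64496)]:
        print(p, a, ovs(p, a))
```

       The /25 case shows why maxlen matters: the prefix is covered by a VRP
       for the right AS, but it is more specific than the ROA allows, so it
       is invalid rather than valid.  The expired RTR entry drops out of the
       union, which is why 198.51.100.0/24 ends up not-found.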

NETWORK	AND FLOWSPEC ANNOUNCEMENTS
       network	statements  specify the	networks that bgpd(8) will announce as
       its own.	 An announcement must also be permitted	by the "FILTER"	rules.
       By default bgpd(8) announces no networks.

       network address/prefix [set ...]
	       Announce	the specified prefix as	belonging to our AS.

       network (inet|inet6) connected [set ...]
	       Announce	routes to directly attached networks.

       network prefix-set name [set ...]
	       Announce	all networks in	the prefix-set name.

       network (inet|inet6) priority number [set ...]
	       Announce	routes having the specified priority.

       network (inet|inet6) rtlabel label [set ...]
	       Announce	routes having the specified label.

       network (inet|inet6) static [set	...]
	       Announce	all static routes.

       Each network statement may set default AS path attributes:

	     network 192.168.7.0/24 set	localpref 220

       See also	the "ATTRIBUTE SET" section.

       flowspec	statements specify the flowspec	rules that  bgpd(8)  will  an-
       nounce as its own.  By default bgpd(8) announces	no flowspec rules.

       flowspec	(inet|inet6) rule [set ...]
	       Announce	 an  IPv4 or IPv6 specific flowspec rule including the
	       AS path attributes specified by set.

       The following rule parameters can be set.  Most number arguments	in the
       below rules can be specified as a list  of  ranges  enclosed  in	 curly
       brackets	using these operators:

	     =	     (equal, default)
	     !=	     (unequal)
	     <	     (less than)
	     <=	     (less than	or equal)
	     >	     (greater than)
	     >=	     (greater than or equal)
	     -	     (range including boundaries)
	     ><	     (except range)

       `><', and `-' are binary	operators (they	take two arguments).

       from source [port list]
       to dest [port list]
	       This  rule applies only to packets with the specified source or
	       destination addresses and ports.	 Addresses can be specified in
	       CIDR notation (matching netblocks) or using any	to  match  any
	       address.	  In  most cases a to address must be specified	and be
	       part of the announced networks.

	       Ports can be specified either by	number or by name.  For	 exam-
	       ple,  port  80 can be specified as www.	For a list of all port
	       name to number mappings see the file /etc/services.

       flags a/b
	       This rule only applies to TCP packets that have the flags a set
	       out of set b.  Flags not	specified in b are ignored.  The flags
	       are: (F)IN, (S)YN, (R)ST,  (P)USH,  (A)CK,  (U)RG,  (E)CE,  and
	       C(W)R.

       fragment	a/b
	       This  rule  only	 applies to fragmented packets which match the
	       specified flags.	 The flags are:	(D)on't	fragment,  (I)s	 frag-
	       ment, (F)irst fragment, and (L)ast fragment.

       icmp-type type [code code]
       icmp6-type type [code code]
	       This rule only applies to ICMP or ICMP6 packets with the	speci-
	       fied  type  and	code.  Text names for ICMP types and codes are
	       listed in icmp(4) and icmp6(4).

       length pktlen
	       This rule  applies  only	 to  packets  matching	the  specified
	       pktlen.

       proto protocol
	       This  rule  applies  only  to packets of	this protocol.	Common
	       protocols are ICMP, ICMP6, TCP, and UDP.	 For a list of all the
	       protocol	name to	number mappings	see the	file /etc/protocols.

       tos string|number
	       This rule applies to packets with the specified TOS  bits  set.
	       string	may   be   one	of  critical,  inetcontrol,  lowdelay,
	       netcontrol, throughput, reliability, or	one  of	 the  DiffServ
	       Code  Points: ef, af11 ... af43,	cs0 ...	cs7; number may	be ei-
	       ther a hex or decimal number.

       The action taken when a flowspec rule matches depends on  extended  com-
       munities.   For  example,  to  block  all  traffic,  either ext-community
       flow-rate as-number:0 or ext-community flow-pps as-number:0 needs to be
       set.
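
       An added Python illustration (not bgpd code) of the matching semantics
       described above: the numeric range operators, the flags a/b rule for
       TCP flags, and from/to address matching, evaluated against constructed
       packet summaries.  The rule and packets are constructed, the dict
       representation of a rule is this editor's own, and treating a list of
       terms as "any term matches" is an assumption, not something the text
       states.

```python
import ipaddress

# Operator semantics from the list above; each term is (op, a, b) where b is
# only used by the binary operators '-' and '><'.
OPS = {
    "=":  lambda v, a, b: v == a,
    "!=": lambda v, a, b: v != a,
    "<":  lambda v, a, b: v < a,
    "<=": lambda v, a, b: v <= a,
    ">":  lambda v, a, b: v > a,
    ">=": lambda v, a, b: v >= a,
    "-":  lambda v, a, b: a <= v <= b,          # range including boundaries
    "><": lambda v, a, b: not (a <= v <= b),    # except range
}

# TCP flag bits; the letters follow the (F)IN ... C(W)R naming used above.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flag_mask(letters):
    mask = 0
    for ch in letters:
        mask |= TCP_FLAG_BITS[ch]
    return mask


def flags_match(pkt_flags, spec):
    """flags a/b: the flags in a must be set, looking only at the flags in b."""
    a, b = spec.split("/")
    return pkt_flags & flag_mask(b) == flag_mask(a)


def component_match(value, terms):
    """A list of terms matches when any one term matches (assumed semantics)."""
    return any(OPS[op](value, a, b) for op, a, b in terms)


def address_match(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule, pkt):
    """Evaluate one constructed rule dict against one constructed packet dict."""
    if not address_match(pkt["src"], rule.get("from", "any")):
        return False
    if not address_match(pkt["dst"], rule.get("to", "any")):
        return False
    for comp in ("proto", "dport", "length"):
        if comp in rule and not component_match(pkt[comp], rule[comp]):
            return False
    if "flags" in rule:
        if pkt["proto"] != 6 or not flags_match(pkt["flags"], rule["flags"]):
            return False
    return True


# Constructed rule: TCP to 203.0.113.0/24, port 80 or 443, shorter than 100
# bytes, SYN set and ACK clear (all other flags ignored).
RULE = {
    "to": "203.0.113.0/24",
    "proto": [("=", 6, None)],
    "dport": [("=", 80, None), ("=", 443, None)],
    "length": [("<", 100, None)],
    "flags": "S/SA",
}


def pkt(dst, proto, dport, length, flags=0, src="198.51.100.7"):
    """Constructed packet summary; only the fields the rule inspects."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "length": length, "flags": flags}


if __name__ == "__main__":
    print(rule_matches(RULE, pkt("203.0.113.10", 6, 80, 60, flags=0x02)))   # SYN only
    print(rule_matches(RULE, pkt("203.0.113.10", 6, 80, 60, flags=0x12)))   # SYN+ACK
```

       The SYN+PSH packet below matches even though PSH is not in a, because
       flags outside b are ignored; SYN+ACK does not, because ACK is in b but
       not in a.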

MPLS VPN CONFIGURATION
       A vpn section configures	a router to participate	 in  an	 MPLS  Virtual
       Private	Network.   It specifies	an mpe(4) interface to use, a descrip-
       tion, and various properties of the VPN:

	     vpn "description" on mpe1 {
		     rd	65002:1
		     import-target rt 65002:42
		     export-target rt 65002:42
		     network 192.168.1/24
	     }

       bgpd(8) will not	exchange VPN routes with a neighbor  by	 default,  see
       the  "NEIGHBORS AND GROUPS" section.  The description is	used when log-
       ging but	has no further meaning to bgpd(8).

       The mpe(4) interface will be used as the	outgoing interface for	routes
       to  the	VPN,  and local	networks will be announced with	the MPLS label
       specified on the	interface.  The	interface can provide VPN connectivity
       for another rdomain by being configured in that rdomain.	 The  required
       rdomain	must  be  configured  on the interface before bgpd(8) uses it.
       Multiple	VPNs may be connected to a single rdomain, including the  rdo-
       main that bgpd(8) is running in.

       An example hostname.if(5) configuration for an mpe(4) interface provid-
       ing connectivity	to rdomain 1:

	     rdomain 1
	     mplslabel 2000
	     inet 192.198.0.1 255.255.255.255
	     up

       The VPN properties are as follows:

       export-target subtype as-number:local
       export-target subtype IP:local
	       Classify	 announced  networks  by tagging them with an extended
	       community of the	given arguments.  The community	subtype	should
	       be a route target, rt, to ensure	interoperability.   The	 argu-
	       ments  are  further  detailed  in  the "ATTRIBUTE SET" section.
	       More than one export-target can be specified.

       fib-update (yes|no)
	       If set to no, do	not update the	Forwarding  Information	 Base,
	       a.k.a. the kernel routing table.	 The default is	yes.

       import-target subtype as-number:local
       import-target subtype IP:local
	       The rdomain imports only	those prefixes tagged with an extended
	       community  matching  an	import-target.	 The community subtype
	       should be a route target, rt, to	ensure interoperability.   The
	       arguments  are further detailed in the "ATTRIBUTE SET" section.
	       More than one import-target can be specified.

       network argument	...
	       Announce	the given networks within this VPN; see	 the  "NETWORK
	       AND FLOWSPEC ANNOUNCEMENTS" section.

       rd as-number:local
       rd IP:local
	       The Route Distinguisher rd supplies BGP with namespaces to dis-
	       ambiguate  VPN  prefixes,  as these needn't be globally unique.
	       Unlike route targets, the rd neither identifies the  origin  of
	       the  prefix nor controls	into which VPNs	the prefix is distrib-
	       uted.  The as-number or IP of a rd should be set	to a number or
	       IP that was assigned by an appropriate authority, whereas local
	       can be chosen by	the local operator.

NEIGHBORS AND GROUPS
       bgpd(8) establishes  TCP	 connections  to  other	 BGP  speakers	called
       neighbors.   A  neighbor	and its	properties are specified by a neighbor
       section:

	     neighbor 10.0.0.2 {
		     remote-as 65002
		     descr "a neighbor"
	     }

       Neighbors placed	within a group section inherit the  properties	common
       to that group:

	     group "peering AS65002" {
		     remote-as 65002
		     neighbor 10.0.0.2 {
			     descr "AS65002-p1"
		     }
		     neighbor 10.0.0.3 {
			     descr "AS65002-p2"
		     }
	     }

       An entire network of neighbors may be accommodated by specifying	an ad-
       dress/netmask pair:

	     neighbor 10.0.0.0/8

       This  is	 a  template that recognises as	a neighbor any connection from
       within the given	network.   Such	 neighbors  inherit  their  template's
       properties,   except  for  their	 IP  address.	A  template  may  omit
       remote-as; bgpd(8) then accepts any AS presented	by the neighbor	in the
       OPEN message.

       The neighbor properties are as follows:

       announce	(IPv4|IPv6) (none|unicast|vpn|flowspec)	[enforce]
	       For the given address family, control which subsequent  address
	       families	 are  announced	 during	 the capabilities negotiation.
	       Only routes for that address family and subsequent address fam-
	       ilies will be announced and processed.

	       At the moment the supported values are none, which disables the
	       announcement of that address family; unicast; vpn, which allows
	       the distribution of BGP MPLS VPNs; and flowspec, which	 allows
	       the distribution of Flow Specification Rules.

	       The default is unicast for the same address family of the  ses-
	       sion.

       announce	add-path recv (yes|no|enforce)
	       If  set	to  yes, the receive add-path capability is announced,
	       which allows reception of multiple paths	per prefix.   The  de-
	       fault is	no.

       announce	add-path send (no|all) [enforce]
       announce	 add-path  send	 (best|ecmp|as-wide-best) [plus	num] [max num]
	       [enforce]
	       If set to all, best, ecmp, or as-wide-best, the	send  add-path
	       capability  is  announced,  which allows	sending	multiple paths
	       per prefix.  The	paths sent depend on which mode	is selected:

	       no	     do	not advertise add-path send capability
	       all	     send all valid paths
	       best	     send the best path
	       ecmp	     send paths	with equal nexthop cost
	       as-wide-best  send paths	where the first	8 checks of the	 deci-
			     sion process match

	       plus  allows the	inclusion of additional	backup paths and works
	       for best, ecmp, and as-wide-best.  max can be used to limit the
	       total amount of paths sent for ecmp  and	 as-wide-best.	 Right
	       now  ecmp  and as-wide-best are equivalent.  The	default	is no.
	       If add-path send	is active then the setting of rde evaluate  is
	       ignored.

       announce	as-4byte (yes|no|enforce)
	       If  set to no, the 4-byte AS capability is not announced	and so
	       native 4-byte AS	support	is disabled.  If enforce is  set,  the
	       session will only be established	if the neighbor	also announces
	       the capability.	The default is yes.

       announce	enhanced refresh (yes|no|enforce)
	       If  set	to  yes,  the enhanced route refresh capability	is an-
	       nounced.	 If enforce is set, the	session	will  only  be	estab-
	       lished  if the neighbor also announces the capability.  The de-
	       fault is	no.

       announce	policy (yes|no|enforce)
	       If set to yes, add the open policy  role	 capability.   If  the
	       role  of	 the neighbor does not correspond to the expected role
	       then the	session	will be	closed.	 If enforce is set,  the  ses-
	       sion  will  only	 be established	if the neighbor	also announces
	       the capability.	The default is no.

       announce	refresh	(yes|no|enforce)
	       If set to no, the route refresh capability  is  not  announced.
	       If  enforce is set, the session will only be established	if the
	       neighbor	also announces the capability.	The default is yes.

       announce	restart	(yes|no|enforce)
	       If set to no, the graceful restart capability is	not announced.
	       Currently only the End-of-RIB marker is supported and announced
	       by the restart capability.  If enforce is set, the session will
	       only be established if the neighbor also	announces the capabil-
	       ity.  The default is yes.

       as-override (yes|no)
	       If set to yes, all occurrences of the neighbor  AS  in  the  AS
	       path will be replaced with the local AS before running the fil-
	       ters.   The Adj-RIB-In still holds the unmodified AS path.  The
	       default value is	no.

       demote group
	       Increase	the carp(4) demotion counter on	 the  given  interface
	       group,	usually	 carp,	when  the  session  is	not  in	 state
	       ESTABLISHED.  The demotion counter will be increased as soon as
	       bgpd(8) starts and decreased 60 seconds after the session  went
	       to  state ESTABLISHED.  For neighbors added at runtime, the de-
	       motion counter is only increased	after  the  session  has  been
	       ESTABLISHED at least once before	dropping.

	       For more	information on interface groups, see the group keyword
	       in ifconfig(8).

       depend on interface
	       The  neighbor  session  will  be	 kept in state IDLE as long as
	       interface reports no link.  For	carp(4)	 interfaces,  no  link
	       means  that the interface is currently backup.  This is primar-
	       ily intended to be used with carp(4) to reduce failover times.

	       The state of the	network	interfaces on the system can be	viewed
	       using the show interfaces command to bgpctl(8).

       descr description
	       Add a description.  The description is used when	logging	neigh-
	       bor events, in status reports, for specifying neighbors,	 etc.,
	       but has no further meaning to bgpd(8).

       down [reason]
	       Do  not	start  the  session  when bgpd(8) comes	up but stay in
	       IDLE.  If the session is	 cleared  at  runtime,	after  a  down
	       reason  was configured at runtime, the reason is	sent as	Admin-
	       istrative Shutdown Communication.  The reason cannot exceed 255
	       octets.

       dump (all|updates) (in|out) file	[interval]
	       Dump ongoing BGP	activity for a particular neighbor.  See  also
	       the dump	setting	in "GLOBAL CONFIGURATION".

       enforce local-as	(yes|no)
	       If  set	to no, AS paths	will not be checked for	AS loop	detec-
	       tion.  This feature is similar to allowas-in in some other  BGP
	       implementations.	  Since	 there	is no AS path loop check, this
	       feature is dangerous, and requires you to add filters  to  pre-
	       vent receiving your own prefixes.  The default value is yes.

       enforce neighbor-as (yes|no)
	       If  set	to yes,	AS paths whose leftmost	AS is not equal	to the
	       remote AS of the	neighbor are rejected and  a  NOTIFICATION  is
	       sent back.  The default value for IBGP peers is no; otherwise the
	       default is yes.

       export (none|default-route)
	       If set to none, no UPDATE messages will be sent to  the	neigh-
	       bor.   If  set to default-route,	only the default route will be
	       announced to the	neighbor.

       holdtime	seconds
	       Set the holdtime	in seconds.  Inherited from the	global config-
	       uration if not given.

       holdtime	min seconds
	       Set the minimal acceptable holdtime.  Inherited from the	global
	       configuration if	not given.

       ipsec (ah|esp) (in|out) spi spi-number authspec [encspec]
	       Enable IPsec with static	keying.	 There must be	at  least  two
	       ipsec  statements  per  peer with manual	keying,	one per	direc-
	       tion.  authspec specifies the authentication algorithm and key.
	       It can be

		     sha1 <key>
		     md5 <key>

	       encspec specifies the encryption	algorithm and  key.   ah  does
	       not  support  encryption.   With	 esp,  encryption is optional.
	       encspec can be

		     3des <key>
		     3des-cbc <key>
		     aes <key>
		     aes-128-cbc <key>

	       Keys must be given in hexadecimal format.  After	changing  set-
	       tings,  a  session  needs to be reset to	use the	new keys.  The
	       ipsec flows only	work with sessions using the default port 179.

       ipsec (ah|esp) ike
	       Enable IPsec with dynamic keying.  In this mode,	 bgpd(8)  sets
	       up the flows, and a key management daemon such as isakmpd(8) is
	       responsible for managing	the session keys.  With	isakmpd(8), it
	       is   sufficient	to  copy  the  peer's  public  key,  found  in
	       /etc/isakmpd/local.pub, to  the	local  machine.	  It  must  be
	       stored  in a file named after the peer's	IP address and must be
	       stored in /etc/isakmpd/pubkeys/ipv4/.   The  local  public  key
	       must be copied to the peer in the same way.  As bgpd(8) manages
	       the  flows  on its own, it is sufficient	to restrict isakmpd(8)
	       to only take care of keying by specifying the flags -Ka.	  This
	       can be done in rc.conf.local(8).	 After starting	the isakmpd(8)
	       and bgpd(8) daemons on both sides, the session should be	estab-
	       lished.	 After	changing settings, a session needs to be reset
	       to use the new keys.  The ipsec flows only work  with  sessions
	       using the default port 179.

       local-address address
       no local-address
	       When  bgpd(8) initiates the TCP connection to the neighbor sys-
	       tem, it normally	does not bind to a specific IP address.	 If  a
	       local-address  is  given,  bgpd(8) binds	to this	address	first.
	       no local-address	reverts	back to	the default.

       local-as	as-number [as-number]
	       Set the AS number sent to the remote system.  Used as described
	       above under "GLOBAL CONFIGURATION" option AS.

	       Since there is no AS path loop check, this option is dangerous,
	       and requires you	to add filters to prevent receiving your ASNs.
	       Intended	to be used temporarily,	for migrations to another AS.

       log no  Disable neighbor	specific logging.

       log updates
	       Log received and	sent updates for this neighbor.

       max-prefix number [restart number]
	       Terminate the session when the maximum number of	 prefixes  re-
	       ceived  is  exceeded (no	such limit is imposed by default).  If
	       restart is specified,  the  session  will  be  restarted	 after
	       number minutes.

       max-prefix number out [restart number]
	       Terminate  the session when the maximum number of prefixes sent
	       is exceeded (no such limit is imposed by	default).  If  restart
	       is  specified,  the session will	be restarted after number min-
	       utes.

       multihop	hops
	       Neighbors not in	the same AS as the local bgpd(8) normally have
	       to be directly connected	to the local machine.  If this is  not
	       the  case,  the multihop	statement defines the maximum hops the
	       neighbor	may be away.

       passive
	       Do not attempt to actively open a TCP connection	to the	neigh-
	       bor system.

       port port
	       Connect	to the peer using port instead of the default BGP port
	       179.

       reject as-set (yes|no)
	       If set to yes, AS path attributes containing AS_SET path seg-
	       ments will be rejected and all prefixes will be treated as
	       withdraws.  The default is inherited from the global reject
	       as-set setting.

       remote-as as-number
	       Set the AS number of the	remote system.

       rde evaluate (default|all)
	       If  set	to  all, keep evaluating alternative paths in case the
	       selected	path is	filtered out.  By default if a	path  is  fil-
	       tered by	the output filters then	no alternative path is sent to
	       this  peer.   The  default  is  inherited  from	the global rde
	       evaluate	setting.

       rib name
	       Bind the	neighbor to the	specified RIB.

       role role
	       Set the local role for this eBGP	session.  Setting  a  role  is
	       required	for ASPA verification, the open	policy role capability
	       and Only-To-Customer (OTC) attribute of RFC 9234.  The role can
	       be one of none, provider, customer, rs, rs-client, or peer.  If
	       the  role  is set to none the announce policy will also be dis-
	       abled.  On iBGP sessions the role setting is ignored and forced
	       to none.

       route-reflector [address]
	       Act  as	an RFC 4456 route-reflector for	this neighbor.	An op-
	       tional cluster ID can be	specified; otherwise the BGP  ID  will
	       be used.

       set attribute ...
	       Set  the	 AS  path  attributes  to some default per neighbor or
	       group block:

		     set localpref 300

	       See also	the "ATTRIBUTE SET" section.  Set parameters  are  ap-
	       plied  to  the  received	 prefixes;  the	 only  exceptions  are
	       prepend-self, nexthop no-modify and nexthop self.   These  sets
	       are  rewritten  into  filter rules and can be viewed with "bgpd
	       -nv".

       tcp md5sig password secret
       tcp md5sig key secret
	       Enable TCP MD5 signatures per RFC 2385.	The shared secret  can
	       either be given as a password or	hexadecimal key.

		     tcp md5sig password mekmitasdigoat
		     tcp md5sig key deadbeef

	       After changing keys, a session needs to be reset to use the new
	       keys.

       transparent-as (yes|no)
	       If  set	to  yes,  AS paths to EBGP neighbors are not prepended
	       with the	local AS.  The default is inherited  from  the	global
	       transparent-as setting.

       ttl-security (yes|no)
	       Enable or disable ttl-security.	When enabled, outgoing packets
	       are  sent using a TTL of	255 and	a check	is made	against	an in-
	       coming packet's TTL.  For directly  connected  peers,  incoming
	       packets	are  required to have a	TTL of 255, ensuring they have
	       not been	routed.	 For multihop peers, incoming packets are  re-
	       quired  to  have	a TTL of 256 minus multihop distance, ensuring
	       they have not passed through more than the expected  number  of
	       hops.  The default is no.
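	       The neighbor and group options above, combined into one config-
	       uration fragment.  This is an added example, not text from this
	       manual page; the AS numbers, addresses, group names and the MD5
	       shared secret are placeholders.

```conf
# Added example, not part of bgpd.conf(5): one eBGP transit group and one
# iBGP route-reflector group using the neighbor options above.  All AS
# numbers, addresses, names and the shared secret are placeholders.

AS 65001

group "transit" {
	remote-as 65002
	local-address 192.0.2.1            # bind the outgoing TCP connection to this address
	ttl-security yes                   # directly connected: only packets with TTL 255 are accepted
	tcp md5sig password "replace-with-a-real-secret"
	max-prefix 1000000 restart 15      # drop the session above 1000000 prefixes, retry after 15 min
	max-prefix 500 out                 # never send more than 500 prefixes towards the upstream
	role customer                      # we are the upstream's customer (RFC 9234 OTC, ASPA)
	reject as-set yes                  # treat paths carrying AS_SET segments as withdraws
	log updates

	neighbor 192.0.2.2 {
		descr "upstream-a"
	}
	neighbor 198.51.100.2 {
		descr "upstream-b"
		multihop 2                     # two hops away; ttl-security then requires TTL 256 - 2 = 254
	}
}

group "ibgp" {
	remote-as 65001                    # same AS: iBGP, the role setting would be forced to none
	local-address 10.0.0.1
	route-reflector 10.0.0.1           # act as RFC 4456 route reflector with this cluster ID
	passive                            # let the clients open the TCP connection
	neighbor 10.0.0.2 {
		descr "rr-client-1"
	}
	neighbor 10.0.0.3 {
		descr "rr-client-2"
	}
}
```

	       After editing, "bgpd -n" checks the syntax and "bgpd -nv" prints
	       the expanded configuration, including the filter rules generated
	       from the per-neighbor settings.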

FILTER
       bgpd(8)	filters	 all  BGP UPDATE messages, including its own announce-
       ments, and blocks them by default.  Filter rules	may match on neighbor,
       direction, prefix or AS path attributes.	 Filter	rules may also	modify
       AS path attributes.

       For each	UPDATE processed by the	filter,	the filter rules are evaluated
       in  sequential  order,  from first to last.  The	last matching allow or
       deny rule decides what action is	taken.	The default action is to deny.

       The following actions can be used in the	filter:

       allow	 The UPDATE is passed.

       deny	 The UPDATE is blocked.

       match	 Apply the filter attribute set	without	influencing the	filter
		 decision.

PARAMETERS
       The rule	parameters specify the UPDATES to which	a  rule	 applies.   An
       UPDATE  always  comes  from, or goes to,	one neighbor.  Most parameters
       are optional, but each can appear at most once per rule.	 If a  parame-
       ter  is	specified,  the	rule only applies to packets with matching at-
       tributes.

       as-type [operator] as-number
       as-type as-set name
	       This rule applies only to UPDATES where the  AS	path  matches.
	       The  part  of  the  AS path specified by	the as-type is matched
	       against the as-number or	the as-set name:

	       AS	    (any part)
	       peer-as	    (leftmost AS number)
	       source-as    (rightmost AS number)
	       transit-as   (all but the rightmost AS number)

	       as-number is an AS number  as  explained	 above	under  "GLOBAL
	       CONFIGURATION".	 It  may  be  set to neighbor-as, which	is ex-
	       panded to the current neighbor remote AS	number,	 or  local-as,
	       which is	expanded to the	locally	assigned AS number.

	       When  specifying	 an  as-set  name, the AS path will instead be
	       matched against all the AS numbers in the set.

	       The operator can	be unspecified (this case is identical to  the
	       equality	operator), or one of the numerical operators

		     =	     (equal)
		     !=	     (unequal)
		     -	     (range including boundaries)
		     ><	     (except range)

	       ><  and	- are binary operators (they take two arguments); with
	       these, as-number	cannot be set to neighbor-as.

	       Multiple	 as-number  entries  for  a  given  type  or   as-type
	       as-number entries may also be specified,	separated by commas or
	       whitespace, if enclosed in curly	brackets:

		     deny from any AS {	1, 2, 3	}
		     deny from any { AS	1, source-as 2,	transit-as 3 }
		     deny from any { AS	{ 1, 2,	3 }, source-as 4, transit-as 5 }

       avs (valid | unknown | invalid)
	       This  rule  applies  only  to UPDATES where the ASPA Validation
	       State (AVS) matches.

       community as-number:local
       community name
	       This rule applies only to UPDATES where the community path  at-
	       tribute	is  present and	matches.  Communities are specified as
	       as-number:local,	where as-number	is an AS number	and local is a
	       locally	significant  number  between  zero  and	 65535.	  Both
	       as-number  and local may	be set to `*' to do wildcard matching.
	       Alternatively, well-known communities may be given by name  in-
	       stead  and  include  BLACKHOLE,	GRACEFUL_SHUTDOWN,  NO_EXPORT,
	       NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER.	Both as-number
	       and local may be	set to neighbor-as, which is expanded  to  the
	       current	neighbor  remote  AS number, or	local-as, which	is ex-
	       panded to the locally assigned AS number.

       large-community as-number:local:local
	       This rule applies only to UPDATES  where	 the  Large  community
	       path  attribute is present and matches.	Communities are	speci-
	       fied as as-number:local:local, where as-number is an AS	number
	       and  local  is  a  locally  significant number between zero and
	       4294967295.  Both as-number and local may be set	to `*'	to  do
	       wildcard	 matching,  neighbor-as, which is expanded to the cur-
	       rent neighbor remote AS number, or local-as, which is  expanded
	       to the locally assigned AS number.

       ext-community subtype as-number:local
       ext-community subtype IP:local
       ext-community subtype numvalue
       ext-community ovs (valid	| not-found | invalid)
	       This  rule applies only to UPDATES where	the extended community
	       path attribute is present and  matches.	 Extended  Communities
	       are  specified by a subtype and normally	two values, a globally
	       unique part (e.g. the  AS  number)  and	a  local  part.	  Both
	       as-number  and  local  may  be set to neighbor-as, which	is ex-
	       panded to the current neighbor remote AS	number,	 or  local-as,
	       which  is expanded to the locally assigned AS number.  Wildcard
	       matching	is supported for  local,  numvalue  and	 subtype.   If
	       wildcard	 matching  is  used  on	the subtype then numvalue also
	       needs to	be set to `*'.	See also the "ATTRIBUTE	 SET"  section
	       for further information about the encoding.

       (from|to) peer
	       This  rule  applies  only  to UPDATES coming from, or going to,
	       this particular neighbor.  This parameter  must	be  specified.
	       peer is one of the following:

	       any	    Any	neighbor will be matched.
	       ibgp	    All	IBGP neighbors will be matched.
	       ebgp	    All	EBGP neighbors will be matched.
	       address	    Neighbors with this	address	will be	matched.
	       group descr  Neighbors in this group will be matched.
	       AS as-number
			    Neighbors with this	AS will	be matched.

	       Multiple	 peer entries may also be specified, separated by com-
	       mas or whitespace, if enclosed in curly brackets:

		     deny from { 128.251.16.1, 251.128.16.2, group hojo	}

       (inet|inet6)
	       Match only routes in the	IPv4 or	IPv6 address families, respec-
	       tively.	inet is	an alias for "prefix  0.0.0.0/0	 prefixlen  >=
	       0"; inet6 is an alias for "prefix ::/0 prefixlen	>= 0".

       max-as-len len
	       This  rule  applies  only to UPDATES where the AS path has more
	       than len	elements.

       max-as-seq len
	       This rule applies only to UPDATES where a single	AS  number  is
	       repeated	more than len times.

       max-communities|max-large-communities|max-ext-communities num
	       This  rule  applies  only to UPDATES where the Basic, Large, or
	       Extended	Community attribute has	more than num elements.

       nexthop address
	       This rule applies only to UPDATES where the nexthop is equal to
	       address.	 The address can be set	to neighbor in which case  the
	       nexthop	is compared against the	address	of the neighbor.  Nex-
	       thop filtering is not supported on locally  announced  networks
	       and one must take into consideration previous rules overwriting
	       nexthops.

       origin-set name
	       This  rule applies only to UPDATES that match the given origin-
	       set name.

       ovs (valid | not-found |	invalid)
	       This rule applies only to UPDATES where the  Origin  Validation
	       State (OVS) matches.

       prefix address/len
       prefix address/len prefixlen range
       prefix address/len or-longer
       prefix address/len maxlen mlen
	       This rule applies only to UPDATES for the specified prefix.

	       Multiple	 entries  may  be  specified,  separated  by commas or
	       whitespace, if enclosed in curly	brackets:

		     deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }

	       Multiple	lists can also be specified, which is useful for macro
	       expansion:

		     good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
		     bad="{ 224.0.0.0/4	prefixlen >= 4,	240.0.0.0/4 prefixlen >= 4 }"
		     ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

		     deny from any prefix { $good $bad $ugly }

	       Prefix length ranges are	specified by using these operators:

		     =	     (equal)
		     !=	     (unequal)
		     <	     (less than)
		     <=	     (less than	or equal)
		     >	     (greater than)
		     >=	     (greater than or equal)
		     -	     (range including boundaries)
		     ><	     (except range)

	       >< and -	are binary operators (they take	two  arguments).   For
	       instance, to match all prefix lengths >=	8 and <= 12, and hence
	       the CIDR	netmasks 8, 9, 10, 11 and 12:

		     prefixlen 8-12

	       Or, to match all	prefix lengths < 8 or >	12, and	hence the CIDR
	       netmasks	0-7 and	13-32:

		     prefixlen 8><12

	       This  will  match  all prefixes in the 10.0.0.0/8 netblock with
	       netmasks	longer than 16:

		     prefix 10.0.0.0/8 prefixlen > 16

	       or-longer is a shorthand	for:

		     prefix address/len	prefixlen >= len

	       maxlen mlen is a	shorthand for:

		     prefix address/len	prefixlen <= mlen

       prefix-set name [or-longer]
	       This rule applies only to UPDATES that match the	given  prefix-
	       set name.  With or-longer, the UPDATES will match any prefix in
	       the prefix-set where

		     address/len prefixlen >= len

       quick   If  an  UPDATE  matches	a rule which has the quick option set,
	       this rule is considered the last	matching rule, and  evaluation
	       of subsequent rules is skipped.

       rib name
	       Apply  rule  only  to the specified RIB.	 This only applies for
	       received	updates, so not	for rules using	the to peer parameter.

       set attribute ...
	       All matching rules can set the AS path attributes to  some  de-
	       fault.  The set of every	matching rule is applied, not only the
	       last matching one.  See also the	following section.
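	       A filter block that exercises the evaluation order described at
	       the start of "FILTER" (sequential, last match wins, quick stops
	       evaluation) and the parameters listed above.  This is an added
	       example and not part of the manual page; the AS numbers, group
	       names and prefixes are placeholders.

```conf
# Added example, not part of bgpd.conf(5).  AS numbers, group names and
# prefixes are placeholders; the groups "transit" and "customers" are assumed
# to be defined in the neighbor section.

prefix-set "bogons" {
	0.0.0.0/8 or-longer
	10.0.0.0/8 or-longer
	127.0.0.0/8 or-longer
	169.254.0.0/16 or-longer
	172.16.0.0/12 or-longer
	192.168.0.0/16 or-longer
	224.0.0.0/3 or-longer
}

prefix-set "customers-v4" {
	203.0.113.0/24 prefixlen 24-25       # the /24 and its two /25s
}

# Nothing passes unless a later rule allows it (this is also the built-in default).
deny from any
deny to any

# Rules are evaluated top to bottom and the last match decides, except that a
# "quick" match ends evaluation: none of the allow rules below can undo these.
deny quick from any prefix-set "bogons"
deny quick from any prefix 0.0.0.0/0 prefixlen > 24
deny quick from any prefix ::/0 prefixlen > 48
deny quick from any max-as-len 100
deny quick from any max-as-seq 10
deny quick from any AS { 64512-65534, 4200000000-4294967294 }   # private AS ranges
deny quick from any ovs invalid                                 # RPKI origin validation
deny quick from any avs invalid                                 # ASPA path validation

# Customers: only their registered space, and it must be originated by them.
allow from group "customers" source-as neighbor-as prefix-set "customers-v4"
# Upstreams: full table, but the leftmost AS must be the peer itself.
allow from group "transit" peer-as neighbor-as

# "match" applies its set without changing the allow/deny decision; here the
# GRACEFUL_SHUTDOWN community (RFC 8326) deprefers the path instead of dropping it.
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }

# Outbound: customer space and our own networks go to the upstreams,
# everything that survived the inbound rules goes to customers.
allow to group "transit" prefix-set "customers-v4"
allow to group "transit" prefix { 198.51.100.0/24 }
allow to group "customers"
```

	       Because the customer allow rule names both source-as and prefix-
	       set, a customer cannot announce another customer's space or re-
	       originate a prefix it does not own; the quick deny rules above
	       it are the limits that apply to every peer regardless of later
	       allows.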

ATTRIBUTE SET
       AS path attributes can be modified with set.

       set can be used on network statements, in neighbor or group blocks, and
       on filter rules.	 Attribute sets	can be expressed as lists.

       The following attributes	can be modified:

       community [delete] as-number:local
       community [delete] name
	       Set  or	delete the COMMUNITIES AS path attribute.  Communities
	       are specified as	as-number:local, where as-number is an AS num-
	       ber and local is	a locally significant number between zero  and
	       65535.  Alternately, well-known communities may be specified by
	       name:	  GRACEFUL_SHUTDOWN,	  NO_EXPORT,	 NO_ADVERTISE,
	       NO_EXPORT_SUBCONFED, or NO_PEER.	 For  delete,  both  as-number
	       and local may be	set to `*' to do wildcard matching.

       large-community [delete]	as-number:local:local
       large-community [delete]	name
	       Set  or	delete the Large Communities path attribute.  Communi-
	       ties are	specified as as-number:local:local, where as-number is
	       an AS number and	local is a locally significant number  between
	       zero  and 4294967295.  For delete, both as-number and local may
	       be set to `*' to	do wildcard matching.

       ext-community [delete] subtype as-number:local
       ext-community [delete] subtype IP:local
       ext-community [delete] subtype numvalue
       ext-community [delete] ovs (valid | not-found | invalid)
	       Set or delete the Extended Community AS	path  attribute.   Ex-
	       tended  Communities are specified by a subtype and normally two
	       values, a globally unique part (e.g. the	AS number) and a local
	       part.  The type is selected depending on	the  encoding  of  the
	       global  part.   Two-octet  AS Specific Extended Communities and
	       Four-octet AS Specific  Extended	 Communities  are  encoded  as
	       as-number:local.	  Four-octet encoding is used if the as-number
	       is bigger than 65535 or if the AS_DOT encoding is  used.	  IPv4
	       Address	Specific Extended Communities are encoded as IP:local.
	       Opaque Extended Communities are encoded with a  single  numeric
	       value.  The ovs subtype can only	be set to valid, not-found, or
	       invalid.	 Currently the following subtypes are supported:

		     bdc      BGP Data Collection
		     defgw    Default Gateway
		     esi-lab  ESI Label
		     esi-rt   ES-Import	Route Target
		     l2vid    L2VPN Identifier
		     mac-mob  MAC Mobility
		     odi      OSPF Domain Identifier
		     ort      OSPF Route Type
		     ori      OSPF Router ID
		     ovs      BGP Origin Validation State
		     rt	      Route Target
		     soo      Route Origin / Source of Origin
		     srcas    Source AS
		     vrfri    VRF Route	Import

	       Not  all	 type  and subtype value pairs are allowed by IANA and
	       the parser will ensure that no invalid combination is created.

	       For delete, subtype, numvalue, or local,	may be set to  `*'  to
	       do  wildcard  matching.	 If  wildcard  matching	is used	on the
	       subtype then numvalue also needs	to be set to `*'.

       localpref number
	       Set the LOCAL_PREF AS path attribute.  If number	starts with  a
	       plus  or	 minus	sign, LOCAL_PREF will be adjusted by adding or
	       subtracting number; otherwise it	will be	set  to	 number.   The
	       default is 100.

       med number
       metric number
	       Set  the	 MULTI_EXIT_DISC  AS path attribute.  If number	starts
	       with a plus or minus sign, MULTI_EXIT_DISC will be adjusted  by
	       adding  or  subtracting	number;	 otherwise  it	will be	set to
	       number.

       origin (igp|egp|incomplete)
	       Set the ORIGIN AS path attribute	to mark	 the  source  of  this
	       route  as  being	injected from an igp protocol, an egp protocol
	       or being	an aggregated route.

       nexthop (address|blackhole|reject|self|no-modify)
	       Set the NEXTHOP AS path attribute to a  different  nexthop  ad-
	       dress  or use blackhole or reject routes.  blackhole and	reject
	       only affect the FIB and will not	 alter	the  nexthop  address.
	       self  forces  the  nexthop to be	set to the local interface ad-
	       dress.  If set to no-modify, the nexthop attribute is not modi-
	       fied for EBGP multihop sessions.  By default EBGP multihop ses-
	       sions use the local interface address.  On IBGP and directly
	       connected EBGP sessions no-modify is ignored.  The set address
	       is used on IBGP sessions and on directly connected EBGP ses-
	       sions if the address is part of the connected network.  On EBGP
	       multihop sessions no-modify has to be set to force the nexthop
	       to address.

		     set nexthop 192.168.0.1
		     set nexthop blackhole
		     set nexthop reject
		     set nexthop no-modify
		     set nexthop self

       pftable table
	       Add the prefix in the update to the specified pf(4) table,  re-
	       gardless	 of  whether or	not the	path was selected for routing.
	       This option may be useful in building realtime blacklists.

       prepend-neighbor number
	       Prepend the neighbor's AS number to the AS path number times.

       prepend-self number
	       Prepend the local AS number to the AS path number times.

       rtlabel label
	       Add the prefix to the kernel routing table with	the  specified
	       label.

       weight number
	       The  weight  is used to tip prefixes with equally long AS paths
	       in one or the other direction.  A prefix	is weighed at  a  very
	       late  stage  in	the decision process.  If number starts	with a
	       plus or minus sign, the weight will be adjusted	by  adding  or
	       subtracting number; otherwise it	will be	set to number.	Weight
	       is  a local non-transitive attribute, and is a bgpd(8)-specific
	       extension.  For prefixes	with equally long  paths,  the	prefix
	       with the	larger weight is selected.
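	       The attribute set options above applied on a network statement,
	       in neighbor blocks and on filter rules.  This is an added exam-
	       ple, not part of the manual page; AS numbers, addresses, commu-
	       nity values and the pf(4) table name are placeholders, and the
	       group "customers" is assumed to be defined in the neighbor sec-
	       tion.

```conf
# Added example, not part of bgpd.conf(5).  AS numbers, addresses, community
# values and table names are placeholders.

network 198.51.100.0/24 set { community 65001:100, large-community 65001:1:100 }

group "transit" {
	remote-as 65002
	neighbor 192.0.2.2 {
		descr "upstream-a"
		set { localpref 150 }          # applied to received prefixes: prefer upstream-a
	}
	neighbor 192.0.2.6 {
		descr "upstream-b"
		set { prepend-self 2 }         # one of the exceptions: applied to what we send
	}
}

# Strip markings a customer may not set on us, then tag the prefix and collect
# it in a pf(4) table.  The set of every matching rule is applied, so this
# runs in addition to whatever later rules set.
match from group "customers" set {
	community delete 65001:*           # wildcard on the local part
	large-community delete 65001:*:*
	ext-community delete * *           # wildcard subtype requires numvalue '*' as well
	community 65001:200
	pftable "customers-in"
}

# Customer-triggered blackhole; the prefix still has to pass the allow rules
# of the filter, so a customer can only blackhole space it may announce.
match from group "customers" community BLACKHOLE set { nexthop blackhole }

# Relative adjustment: a signed number adds to or subtracts from LOCAL_PREF.
match from 192.0.2.2 community 65002:100 set { localpref +50 }

# Outbound: normalize MED and ORIGIN towards the upstreams.
match to group "transit" set { med 0, origin igp }
```

	       The nexthop blackhole set only changes the FIB entry for the
	       prefix, not the NEXTHOP attribute, so the route is still propa-
	       gated with its original nexthop to other peers that the filter
	       allows.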

FILES
       /usr/local/etc/bgpd.conf	 bgpd(8) configuration file.

SEE ALSO
       strftime(3),  ipsec(4),	pf(4), rdomain(4), tcp(4), bgpctl(8), bgpd(8),
       ipsecctl(8), isakmpd(8),	rc.conf.local(8)

HISTORY
       The bgpd.conf file format first appeared	in OpenBSD 3.5.

FreeBSD	14.3			August 14, 2024			  BGPD.CONF(5)
