Manual Page Search Parameters
BGPD.CONF(5) File Formats Manual BGPD.CONF(5)

bgpd.confBGP routing daemon configuration file

The bgpd(8) daemon implements the Border Gateway Protocol version 4 as described in RFC 4271.

The bgpd.conf config file is divided into the following main sections:

MACROS
User-defined variables may be defined and used later, simplifying the configuration file.
GLOBAL CONFIGURATION
Global settings for bgpd(8).
SET CONFIGURATION
Various lookup tables are defined in this section.
NETWORK AND FLOWSPEC ANNOUNCEMENTS
Networks which should be announced by bgpd(8) are set in this section.
MPLS VPN CONFIGURATION
The definition and properties for BGP MPLS VPNs are set in this section.
NEIGHBORS AND GROUPS
bgpd(8) establishes sessions with neighbors. The neighbor definition and properties are set in this section, as well as grouping neighbors for the ease of configuration.
FILTER
Filter rules for incoming and outgoing UPDATES.

With the exception of macros, the sections should be grouped and appear in bgpd.conf in the order shown above.

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, or underscore must be quoted.

Additional configuration files can be included with the include keyword, for example:

include "/etc/bgpd/bgpd-10.0.0.1.filter"

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, AS, neighbor, or group). Macros are not expanded inside quotes.

For example:

peer1="1.2.3.4"
neighbor $peer1 {
	remote-as 65001
}

These settings affect the operation of the bgpd(8) daemon as a whole.

as-number [as-number]
Set the local number to as-number. A fallback 2-byte AS number may follow a 4-byte AS number for neighbors that do not support 4-byte AS numbers. The standard and default fallback AS number is 23456.

The AS numbers are assigned by local RIRs, such as:

AfriNIC
for Africa
APNIC
for Asia Pacific
ARIN
for North America and parts of the Caribbean
LACNIC
for Latin America and the Caribbean
RIPE NCC
for Europe, the Middle East, and parts of Asia

The AS numbers 64512 – 65534 are designated for private use. The AS number 23456 is reserved and should not be used. 4-byte AS numbers may be specified in either the ASPLAIN format:

AS 196618

or in the older ASDOT format:

AS 3.10

seconds
Set the number of seconds to wait before attempting to re-open a connection. This timer should be sufficiently large in EBGP configurations. The default is 120 seconds.

[rib name] (table-v2|table-mp|table) file [interval]
 
(all|updates) (in|out) file [interval]
Dump the RIB, a.k.a. the , or dump ongoing BGP activity, in Multi-threaded Routing Toolkit (MRT) format. The file is subject to strftime(3)-expansion.

The table-v2 and table-mp RIB formats store multi-protocol RIBs correctly, but the table format does not. The latter two are provided only to support third-party tools lacking support for the recommended table-v2 format. Dump an alternative RIB by specifying name. Specify an interval in seconds for periodic RIB dumps.

The following will dump the entire RIB table, at startup and every 5 minutes thereafter, to a new file:

dump table-v2 "/tmp/rib-dump-%H%M" 300

Dumps of ongoing BGP activity include all BGP state transitions, and all BGP messages in the specified direction. Use updates to dump only BGP UPDATE messages, without state transitions. Specify an interval in seconds to restart periodically with a new file:

dump all in "/tmp/all-in-%H%M" 300

prio
Set the routing priority to prio. The default is 48.

(yes|no)
If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

seconds
Set the announced holdtime in seconds. This is exchanged with a neighbor upon connection establishment, in the OPEN message, and the shortest holdtime governs the session.

The neighbor session is dropped if the session holdtime passes without receipt of a or an UPDATE message from the neighbor. The default is 90 seconds.

holdtime min seconds
The minimum acceptable holdtime in seconds. This value must be at least 3.

address [port port]
Specify the local IP address and optional port for bgpd(8) to listen on. The default is to listen on all local addresses on the current default routing domain.

Log sent and received BGP update messages.

qualify via (bgp|default)
If set to bgp, bgpd(8) may verify nexthops using BGP routes. If set to default, bgpd(8) may verify nexthops using the default route. By default bgpd(8) uses only static routes or routes added by other routing daemons, such as ospfd(8).

evaluate (default|all)
If set to all, keep evaluating alternative paths in case the selected path is filtered out. By default if a path is filtered by the output filters then no alternative path is sent to this peer.

med compare (always|strict)
If set to always, the MULTI_EXIT_DISC attributes will always be compared. The default is strict, where the metric is only compared between peers belonging to the same AS.

rib name [no evaluate]
 
rib name [rtable number]
Create an additional RIB named name. The degree to which its routes may be utilized is configurable. They may be excluded from the decision process that selects usable routes with the no evaluate flag, and this precludes their export to any kernel routing table. By default its routes will be evaluated, but not exported to the kernel. They may be both evaluated and exported if associated with a given rtable number, which must belong to the routing domain that bgpd(8) was started in. This table will not be consulted during nexthop verification unless it is the one that bgpd(8) was started in. It is unnecessary to create Adj-RIB-In and Loc-RIB, which are created automatically and used by default.

rde rib Loc-RIB include filtered
Include filtered prefixes in the Loc-RIB. Filtered prefixes are not eligible by the decision process but can be displayed by bgpctl(8).

route-age (ignore|evaluate)
If set to evaluate, the route decision process will also consider the age of the route in addition to its path attributes, giving preference to the older, typically more stable, route. This renders the decision process nondeterministic. The default is ignore.

as-set (yes|no)
If set to yes, AS paths attributes containing AS_SET path segments will be rejected and all prefixes will be treated as withdraws. The default is yes.

dotted-quad
Set the BGP router ID, which must be non-zero and should be unique within the AS. By default, the router ID is the highest IPv4 address assigned to the local machine. 
router-id 10.0.0.1

number
Work with the given kernel routing table instead of the default table, which is the one bgpd(8) was started in. For nexthop verification, bgpd(8) will always consult the default table. This is the same as using the following syntax: 
rde rib Loc-RIB rtable number

"path" [restricted]
Create a control socket at path. If restricted is specified, a restricted control socket will be created. By default /var/run/bgpd.sock.<rdomain> is used where <rdomain> is the routing domain in which bgpd(8) has been started. By default, no restricted socket is created.

seconds
Set the upper bound in seconds stale routes are kept during graceful restart. The default is 180 seconds.

(yes|no)
If set to yes, attribute transparency is enabled. AS paths to EBGP neighbors are not prepended with the local AS. Additionally, the MULTI_EXIT_DISC attribute is passed transparently and automatic filtering based on the well-known communities NO_EXPORT, NO_ADVERTISE, and NO_EXPORT_SUBCONFED is disabled. The default is no.

bgpd(8) supports the efficient lookup of data within named . An as-set, a prefix-set, and an origin-set store AS numbers, prefixes, and prefixes/source-as pairs, respectively. Such sets may be referenced by filter rules; see the FILTER section for details. It is more efficient to evaluate a set than a long series of rules for filtering each of its members.

One single roa-set may be defined, against which bgpd(8) will validate the origin of each prefix. The roa-set and the aspa-set are merged with the corresponding tables received via rtr sessions.

A set definition can span multiple lines, and an optional comma is allowed between elements. The same set can be defined more than once, in this case the definitions are merged into one common set.

name { as-number ... }
An as-set stores AS numbers, and can be used with the AS specific parameter in FILTER rules.

{ customer-as as-number [expires seconds] provider-as { as-number ... } ... }
The aspa-set holds a collection of Validated ASPA Payloads (VAPs). Each as AS_PATH received from an eBGP peer is checked against the aspa-set, and the ASPA Validation State (AVS) is set. expires can be set to the seconds since Epoch until when this VAP is valid. 
aspa-set {
	customer-as 64511 provider-as { 64496 65496 }
	customer-as 64496 provider-as { 65496 64544 }
}

name { address/len [maxlen mlen] source-as asn ... }
An origin-set stores prefix/source-as pairs, and can be used to filter on the combination by using the origin-set parameter in FILTER rules. 
origin-set private { 10.0.0.0/8 maxlen 24 source-as 64511
                     203.0.113.0/24 source-as 64496 }

name { address/len ... }
A prefix-set stores network prefixes and can be used in place of the prefix parameter in FILTER rules, and in network statements. A prefix can be followed by the prefixlen operators listed for the prefix parameter in the PARAMETERS section.

The first example below creates a set of prefixes called “private”, to hold a number of RFC 1918 private network blocks. The second example shows the use of prefixlen operators.

prefix-set private { 10.0.0.0/8, 172.16.0.0/12,
                     192.168.0.0/16, fc00::/7 }
prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26,
                        2001:db8::/32 or-longer }

{ address/len [maxlen mlen] source-as asn [expires seconds] ... }
The roa-set holds a collection of Validated ROA Payloads (VRPs). Each received prefix is checked against the roa-set, and the Origin Validation State (OVS) is set. expires can be set to the seconds since Epoch until when this VRP is valid. 
roa-set { 192.0.2.0/23 maxlen 24 source-as 64511
          203.0.113.0/24 source-as 64496 }

address { ... }
The rtr block specifies a (RTR) session. sessions provide another means to load VRP sets into bgpd(8). Changes propagated via the RTR protocol do not need a config reload and are immediately applied. The union of all VRP sets received via rtr sessions and the entries in the roa-set is used to validate the origin of routes. The rtr session properties are as follows:

description
Add a description. The description is used in logging and status reports, but has no further meaning for bgpd(8).

address
Bind to the specific IP address before opening the TCP connection to the rtr server.

min-version number Require a minimal RTR version of number. To ensure that ASPA records are synchronised over RTR a minimal version of 2 is required.

number
Specify the TCP destination port for the rtr session. If not specified, the default port is .

network statements specify the networks that bgpd(8) will announce as its own. An announcement must also be permitted by the FILTER rules. By default bgpd(8) announces no networks.

address/prefix [set ...]
Announce the specified prefix as belonging to our AS.

(inet|inet6) connected [set ...]
Announce routes to directly attached networks.

network prefix-set name [set ...]
Announce all networks in the prefix-set name.

(inet|inet6) priority number [set ...]
Announce routes having the specified priority.

(inet|inet6) rtlabel label [set ...]
Announce routes having the specified label.

(inet|inet6) static [set ...]
Announce all static routes.

Each network statement may set default AS path attributes:

network 192.168.7.0/24 set localpref 220

See also the ATTRIBUTE SET section.

flowspec statements specify the flowspec rules that bgpd(8) will announce as its own. By default bgpd(8) announces no flowspec rules.

(inet|inet6) rule [set ...]
Announce an IPv4 or IPv6 specific flowspec rule including the AS path attributes specified by set.

The following rule parameters can be set. Most number arguments in the below rules can be specified as a list of ranges enclosed in curly brackets using these operators:

=       (equal, default)
!=      (unequal)
<       (less than)
<=      (less than or equal)
>       (greater than)
>=      (greater than or equal)
-       (range including boundaries)
><      (except range)

‘><’, and ‘-’ are binary operators (they take two arguments).

source [port list]
 
dest [port list]
This rule applies only to packets with the specified source or destination addresses and ports. Addresses can be specified in CIDR notation (matching netblocks) or using any to match any address. In most cases a to address must be specified and be part of the announced networks.

Ports can be specified either by number or by name. For example, port 80 can be specified as www. For a list of all port name to number mappings see the file /etc/services.

a/b
This rule only applies to TCP packets that have the flags a set out of set b. Flags not specified in b are ignored. The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
a/b
This rule only applies to fragmented packets which match the specified flags. The flags are: (D)on't fragment, (I)s fragment, (F)irst fragment, and (L)ast fragment.
type [code code]
 
type [code code]
This rule only applies to ICMP or ICMP6 packets with the specified type and code. Text names for ICMP types and codes are listed in icmp(4) and icmp6(4).
pktlen
This rule applies only to packets matching the specified pktlen.
protocol
This rule applies only to packets of this protocol. Common protocols are ICMP, ICMP6, TCP, and UDP. For a list of all the protocol name to number mappings see the file /etc/protocols.
string|number
This rule applies to packets with the specified TOS bits set. string may be one of critical, inetcontrol, lowdelay, netcontrol, throughput, reliability, or one of the DiffServ Code Points: ef, af11 ... af43, cs0 ... cs7; number may be either a hex or decimal number.

The action taken when a flowspec rules matches depends on extended communities. For example to block all traffic either ext-community flow-rate as-number:0 or ext-community flow-pps as-number:0 need to be set.

A vpn section configures a router to participate in an MPLS Virtual Private Network. It specifies an mpe(4) interface to use, a description, and various properties of the VPN:

vpn "description" on mpe1 {
	rd 65002:1
	import-target rt 65002:42
	export-target rt 65002:42
	network 192.168.1/24
}

bgpd(8) will not exchange VPN routes with a neighbor by default, see the NEIGHBORS AND GROUPS section. The description is used when logging but has no further meaning to bgpd(8).

The mpe(4) interface will be used as the outgoing interface for routes to the VPN, and local networks will be announced with the MPLS label specified on the interface. The interface can provide VPN connectivity for another rdomain by being configured in that rdomain. The required rdomain must be configured on the interface before bgpd(8) uses it. Multiple VPNs may be connected to a single rdomain, including the rdomain that bgpd(8) is running in.

An example hostname.if(5) configuration for an mpe(4) interface providing connectivity to rdomain 1:

rdomain 1
mplslabel 2000
inet 192.198.0.1 255.255.255.255
up

The VPN properties are as follows:

subtype as-number:local
 
subtype IP:local
Classify announced networks by tagging them with an extended community of the given arguments. The community subtype should be a route target, rt, to ensure interoperability. The arguments are further detailed in the ATTRIBUTE SET section. More than one export-target can be specified.

(yes|no)
If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

subtype as-number:local
 
subtype IP:local
The rdomain imports only those prefixes tagged with an extended community matching an import-target. The community subtype should be a route target, rt, to ensure interoperability. The arguments are further detailed in the ATTRIBUTE SET section. More than one import-target can be specified.

argument ...
Announce the given networks within this VPN; see the NETWORK ANNOUNCEMENTS section.

as-number:local
 
IP:local
The Route Distinguisher rd supplies BGP with namespaces to disambiguate VPN prefixes, as these needn't be globally unique. Unlike route targets, the rd neither identifies the origin of the prefix nor controls into which VPNs the prefix is distributed. The as-number or IP of a rd should be set to a number or IP that was assigned by an appropriate authority, whereas local can be chosen by the local operator.

bgpd(8) establishes TCP connections to other BGP speakers called neighbors. A neighbor and its properties are specified by a section:

neighbor 10.0.0.2 {
	remote-as 65002
	descr "a neighbor"
}

Neighbors placed within a section inherit the properties common to that group:

group "peering AS65002" {
	remote-as 65002
	neighbor 10.0.0.2 {
		descr "AS65002-p1"
	}
	neighbor 10.0.0.3 {
		descr "AS65002-p2"
	}
}

An entire network of neighbors may be accommodated by specifying an address/netmask pair:

neighbor 10.0.0.0/8

This is a that recognises as a neighbor any connection from within the given network. Such neighbors inherit their template's properties, except for their IP address. A template may omit remote-as; bgpd(8) then accepts any AS presented by the neighbor in the OPEN message.

The neighbor properties are as follows:

(IPv4|IPv6) (none|unicast|vpn|flowspec) [enforce]
 
EVPN [enforce]
For the given address family, control which are announced during the capabilities negotiation. Only routes for that address family and subsequent address families will be announced and processed. EVPN does not require a subsequent address family.

At the moment, only none, which disables the announcement of that address family, unicast, vpn, which allows the distribution of BGP MPLS VPNs, and flowspec, which allows the distribution of Flow Specification Rules, are supported.

The default is unicast for the same address family of the session.

announce add-path recv (yes|no|enforce)
If set to yes, the receive add-path capability is announced, which allows reception of multiple paths per prefix. The default is no.

announce add-path send (no|all) [enforce]
 
announce add-path send (best|ecmp|as-wide-best) [plus num] [max num] [enforce]
If set to all, best, ecmp, or as-wide-best, the send add-path capability is announced, which allows sending multiple paths per prefix. The paths sent depend on which mode is selected:

do not advertise add-path send capability
send all valid paths
send the best path
send paths with equal nexthop cost
send paths where the first 8 checks of the decision process match

plus allows the inclusion of additional backup paths and works for best, ecmp, and as-wide-best. max can be used to limit the total amount of paths sent for ecmp and as-wide-best. Right now ecmp and as-wide-best are equivalent. The default is no. If add-path send is active then the setting of rde evaluate is ignored.

announce as-4byte (yes|no|enforce)
If set to no, the 4-byte AS capability is not announced and so native 4-byte AS support is disabled. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is yes.

announce enhanced refresh (yes|no|enforce)
If set to yes, the enhanced route refresh capability is announced. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is no.

announce extended message (yes|no|enforce)
If set to yes, the extended message capability is announced. If negotiated, the default maximum message size is increased from 4096 to 65535 bytes. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is no.

announce extended nexthop (yes|no|enforce)
If set to yes, the extended nexthop encoding capability is announced. If negotiated, IPv4 unicast and vpn sessions can send paths with a IPv6 nexthop. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is no.

announce graceful notification (yes|no)
If set to yes, the graceful notification extension to graceful restart is announced. The default is no. announce refresh must be enabled to enable graceful notifications.

announce policy (yes|no|enforce)
If set to yes, add the open policy role capability. If the role of the neighbor does not correspond to the expected role then the session will be closed. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is no.

announce refresh (yes|no|enforce)
If set to no, the route refresh capability is not announced. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is yes.

announce restart (yes|no|enforce)
If set to no, the graceful restart capability is not announced. Currently only the End-of-RIB marker is supported and announced by the restart capability. If enforce is set, the session will only be established if the neighbor also announces the capability. The default is yes.

(yes|no)
If set to yes, all occurrences of the neighbor AS in the AS path will be replaced with the local AS before running the filters. The Adj-RIB-In still holds the unmodified AS path. The default value is no.

group
Increase the carp(4) demotion counter on the given interface group, usually carp, when the session is not in state ESTABLISHED. The demotion counter will be increased as soon as bgpd(8) starts and decreased 60 seconds after the session went to state ESTABLISHED. For neighbors added at runtime, the demotion counter is only increased after the session has been ESTABLISHED at least once before dropping.

For more information on interface groups, see the group keyword in ifconfig(8).

interface
The neighbor session will be kept in state IDLE as long as interface reports no link. For carp(4) interfaces, no link means that the interface is currently . This is primarily intended to be used with carp(4) to reduce failover times.

The state of the network interfaces on the system can be viewed using the show interfaces command to bgpctl(8).

description
Add a description. The description is used when logging neighbor events, in status reports, for specifying neighbors, etc., but has no further meaning to bgpd(8).

[reason]
Do not start the session when bgpd(8) comes up but stay in IDLE. If the session is cleared at runtime, after a down reason was configured at runtime, the reason is sent as Administrative Shutdown Communication. The reason cannot exceed 255 octets.

(all|updates) (in|out) file [interval]
Dump ongoing BGP activity for a particular neighbor. See also the dump setting in GLOBAL CONFIGURATION.

(yes|no)
If set to no, AS paths will not be checked for AS loop detection. This feature is similar to allowas-in in some other BGP implementations. Since there is no AS path loop check, this feature is dangerous, and requires you to add filters to prevent receiving your own prefixes. The default value is yes.

(yes|no)
If set to yes, AS paths whose is not equal to the of the neighbor are rejected and a is sent back. The default value for IBGP peers is no otherwise the default is yes.

(none|default-route)
If set to none, no UPDATE messages will be sent to the neighbor. If set to default-route, only the default route will be announced to the neighbor.

seconds
Set the holdtime in seconds. Inherited from the global configuration if not given.

holdtime min seconds
Set the minimal acceptable holdtime. Inherited from the global configuration if not given.

(ah|esp) (in|out) spi spi-number authspec [encspec]
Enable IPsec with static keying. There must be at least two ipsec statements per peer with manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be 
sha1 <key>
md5 <key>

encspec specifies the encryption algorithm and key. ah does not support encryption. With esp, encryption is optional. encspec can be

3des <key>
3des-cbc <key>
aes <key>
aes-128-cbc <key>

Keys must be given in hexadecimal format. After changing settings, a session needs to be reset to use the new keys. The ipsec flows only work with session using the default port 179.

(ah|esp) ike
Enable IPsec with dynamic keying. In this mode, bgpd(8) sets up the flows, and a key management daemon such as isakmpd(8) is responsible for managing the session keys. With isakmpd(8), it is sufficient to copy the peer's public key, found in /etc/isakmpd/local.pub, to the local machine. It must be stored in a file named after the peer's IP address and must be stored in /etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As bgpd(8) manages the flows on its own, it is sufficient to restrict isakmpd(8) to only take care of keying by specifying the flags -Ka. This can be done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8) daemons on both sides, the session should be established. After changing settings, a session needs to be reset to use the new keys. The ipsec flows only work with session using the default port 179.

address
 
no local-address
When bgpd(8) initiates the TCP connection to the neighbor system, it normally does not bind to a specific IP address. If a local-address is given, bgpd(8) binds to this address first. no local-address reverts back to the default.

as-number [as-number]
Set the AS number sent to the remote system. Used as described above under GLOBAL CONFIGURATION option AS.

Since there is no AS path loop check, this option is dangerous, and requires you to add filters to prevent receiving your ASNs. Intended to be used temporarily, for migrations to another AS.

Disable neighbor specific logging.

Log received and sent updates for this neighbor.

number [restart number]
Terminate the session when the maximum number of prefixes received is exceeded (no such limit is imposed by default). If restart is specified, the session will be restarted after number minutes.

number out [restart number]
Terminate the session when the maximum number of prefixes sent is exceeded (no such limit is imposed by default). If restart is specified, the session will be restarted after number minutes.

hops
Neighbors not in the same AS as the local bgpd(8) normally have to be directly connected to the local machine. If this is not the case, the multihop statement defines the maximum hops the neighbor may be away.

Do not attempt to actively open a TCP connection to the neighbor system.

port
Connect to the peer using port instead of the default BGP port 179.

as-set (yes|no)
If set to yes, AS paths attributes containing AS_SET path segments will be rejected and all prefixes will be treated as withdraws. The default is inherited from the global reject as-set setting.

as-number
Set the AS number of the remote system.

evaluate (default|all)
If set to all, keep evaluating alternative paths in case the selected path is filtered out. By default if a path is filtered by the output filters then no alternative path is sent to this peer. The default is inherited from the global rde evaluate setting.

name
Bind the neighbor to the specified RIB.

role
Set the local role for this eBGP session. Setting a role is required for ASPA verification, the open policy role capability and Only-To-Customer (OTC) attribute of RFC 9234. The role can be one of none, provider, customer, rs, rs-client, or peer. If the role is set to none the announce policy will also be disabled. On iBGP session the role setting is ignored and forced to none.

[address]
Act as an RFC 4456 route-reflector for this neighbor. An optional cluster ID can be specified; otherwise the BGP ID will be used.

attribute ...
Set the AS path attributes to some default per neighbor or group block: 
set localpref 300

See also the ATTRIBUTE SET section. Set parameters are applied to the received prefixes; the only exceptions are prepend-self, nexthop no-modify and nexthop self. These sets are rewritten into filter rules and can be viewed with “bgpd -nv”.

seconds
Set the upper bound stale time in seconds for graceful restart. Inherited from the global configuration if not given.

secret
 
secret
Enable TCP MD5 signatures per RFC 2385. The shared secret can either be given as a password or hexadecimal key. 
tcp md5sig password mekmitasdigoat
tcp md5sig key deadbeef
After changing keys, a session needs to be reset to use the new keys.

(yes|no)
If set to yes, attribute transparency is enabled. See also the transparent-as setting in GLOBAL CONFIGURATION. The default is inherited from the global transparent-as setting.

(yes|no)
Enable or disable ttl-security. When enabled, outgoing packets are sent using a TTL of 255 and a check is made against an incoming packet's TTL. For directly connected peers, incoming packets are required to have a TTL of 255, ensuring they have not been routed. For multihop peers, incoming packets are required to have a TTL of 256 minus multihop distance, ensuring they have not passed through more than the expected number of hops. The default is no.

bgpd(8) filters all BGP UPDATE messages, including its own announcements, and blocks them by default. Filter rules may match on neighbor, direction, prefix or AS path attributes. Filter rules may also modify AS path attributes.

For each UPDATE processed by the filter, the filter rules are evaluated in sequential order, from first to last. The last matching allow or deny rule decides what action is taken. The default action is to deny.

The following actions can be used in the filter:

The UPDATE is passed.
The UPDATE is blocked.
Apply the filter attribute set without influencing the filter decision.

The rule parameters specify the UPDATES to which a rule applies. An UPDATE always comes from, or goes to, one neighbor. Most parameters are optional, but each can appear at most once per rule. If a parameter is specified, the rule only applies to packets with matching attributes.

as-type [operator] as-number
 
as-type as-set name
This rule applies only to UPDATES where the AS path matches. The part of the AS path specified by the as-type is matched against the as-number or the as-set name:

(any part)
(leftmost AS number)
(rightmost AS number)
(all but the rightmost AS number)

as-number is an AS number as explained above under GLOBAL CONFIGURATION. It may be set to neighbor-as, which is expanded to the current neighbor remote AS number, or local-as, which is expanded to the locally assigned AS number.

When specifying an as-set name, the AS path will instead be matched against all the AS numbers in the set.

The operator can be unspecified (this case is identical to the equality operator), or one of the numerical operators

=	(equal)
!=	(unequal)
-	(range including boundaries)
><	(except range)

>< and - are binary operators (they take two arguments); with these, as-number cannot be set to neighbor-as.

Multiple as-number entries for a given type or as-type as-number entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any AS { 1, 2, 3 }
deny from any { AS 1, source-as 2, transit-as 3 }
deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

(valid | unknown | invalid)
This rule applies only to UPDATES where the ASPA Validation State (AVS) matches.

as-number:local
 
name
This rule applies only to UPDATES where the community path attribute is present and matches. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and 65535. Both as-number and local may be set to ‘*’ to do wildcard matching. Alternatively, well-known communities may be given by name instead and include BLACKHOLE, GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number, or local-as, which is expanded to the locally assigned AS number.

as-number:local:local
This rule applies only to UPDATES where the Large community path attribute is present and matches. Communities are specified as as-number:local:local, where as-number is an AS number and local is a locally significant number between zero and 4294967295. Both as-number and local may be set to ‘*’ to do wildcard matching, neighbor-as, which is expanded to the current neighbor remote AS number, or local-as, which is expanded to the locally assigned AS number.

subtype as-number:local
 
subtype IP:local
 
subtype numvalue
 
ovs (valid | not-found | invalid)
This rule applies only to UPDATES where the extended community path attribute is present and matches. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number, or local-as, which is expanded to the locally assigned AS number. Wildcard matching is supported for local, numvalue and subtype. If wildcard matching is used on the subtype then numvalue also needs to be set to ‘*’. See also the ATTRIBUTE SET section for further information about the encoding.

(from|to) peer
This rule applies only to UPDATES coming from, or going to, this particular neighbor. This parameter must be specified. peer is one of the following:

Any neighbor will be matched.
All neighbors will be matched.
All neighbors will be matched.
address
Neighbors with this address will be matched.
group descr
Neighbors in this group will be matched.
as-number
Neighbors with this AS will be matched.

Multiple peer entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from { 128.251.16.1, 251.128.16.2, group hojo }

(inet|inet6)
Match only routes in the IPv4 or IPv6 address families, respectively. inet is an alias for "prefix 0.0.0.0/0 prefixlen >= 0"; inet6 is an alias for "prefix ::/0 prefixlen >= 0".

len
This rule applies only to UPDATES where the AS path has more than len elements.

len
This rule applies only to UPDATES where a single AS number is repeated more than len times.

|max-large-communities|max-ext-communities num
This rule applies only to UPDATES where the , Large, or Extended Community attribute has more than num elements.

address
This rule applies only to UPDATES where the nexthop is equal to address. The address can be set to neighbor in which case the nexthop is compared against the address of the neighbor. Nexthop filtering is not supported on locally announced networks and one must take into consideration previous rules overwriting nexthops.

name
This rule applies only to UPDATES that match the given origin-set name.

(valid | not-found | invalid)
This rule applies only to UPDATES where the Origin Validation State (OVS) matches.

address/len
 
address/len prefixlen range
 
address/len or-longer
 
address/len maxlen mlen
This rule applies only to UPDATES for the specified prefix.

Multiple entries may be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }

Multiple lists can also be specified, which is useful for macro expansion:

good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }"
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

deny from any prefix { $good $bad $ugly }

Prefix length ranges are specified by using these operators:

=	(equal)
!=	(unequal)
<	(less than)
<=	(less than or equal)
>	(greater than)
>=	(greater than or equal)
-	(range including boundaries)
><	(except range)

>< and - are binary operators (they take two arguments). For instance, to match all prefix lengths >= 8 and <= 12, and hence the CIDR netmasks 8, 9, 10, 11 and 12:

prefixlen 8-12

Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks 0–7 and 13–32:

prefixlen 8><12

This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer than 16:

prefix 10.0.0.0/8 prefixlen > 16

or-longer is a shorthand for:

prefix address/len prefixlen >= len

maxlen mlen is a shorthand for:

prefix address/len prefixlen <= mlen

name [or-longer]
This rule applies only to UPDATES that match the given prefix-set name. With or-longer, the UPDATES will match any prefix in the prefix-set where 
address/len prefixlen >= len

If an UPDATE matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

name
Apply rule only to the specified RIB. This only applies for received updates, so not for rules using the to peer parameter.

attribute ...
All matching rules can set the AS path attributes to some default. The set of every matching rule is applied, not only the last matching one. See also the following section.

AS path attributes can be modified with set.

set can be used on network statements, in neighbor or group blocks, and on filter rules. Attribute sets can be expressed as lists.

The following attributes can be modified:

[delete] as-number:local
 
[delete] name
Set or delete the AS path attribute. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and 65535. Alternately, well-known communities may be specified by name: GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, or NO_PEER. For delete, both as-number and local may be set to ‘*’ to do wildcard matching.

[delete] as-number:local:local
 
[delete] name
Set or delete the Large Communities path attribute. Communities are specified as as-number:local:local, where as-number is an AS number and local is a locally significant number between zero and 4294967295. For delete, both as-number and local may be set to ‘*’ to do wildcard matching.

[delete] subtype as-number:local
 
[delete] subtype IP:local
 
[delete] subtype numvalue
 
[delete] ovs (valid | not-found | invalid)
Set or delete the Extended Community AS path attribute. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. The type is selected depending on the encoding of the global part. Two-octet AS Specific Extended Communities and Four-octet AS Specific Extended Communities are encoded as as-number:local. Four-octet encoding is used if the as-number is bigger than 65535 or if the AS_DOT encoding is used. IPv4 Address Specific Extended Communities are encoded as IP:local. Opaque Extended Communities are encoded with a single numeric value. The ovs subtype can only be set to valid, not-found, or invalid. Currently the following subtypes are supported: 
bdc      BGP Data Collection
defgw	 Default Gateway
esi-lab  ESI Label
esi-rt   ES-Import Route Target
l2vid    L2VPN Identifier
mac-mob  MAC Mobility
odi      OSPF Domain Identifier
ort      OSPF Route Type
ori      OSPF Router ID
ovs      BGP Origin Validation State
rt       Route Target
soo      Route Origin / Source of Origin
srcas    Source AS
vrfri    VRF Route Import

Not all type and subtype value pairs are allowed by IANA and the parser will ensure that no invalid combination is created.

For delete, subtype, numvalue, or local, may be set to ‘*’ to do wildcard matching. If wildcard matching is used on the subtype then numvalue also needs to be set to ‘*’.

number
Set the LOCAL_PREF AS path attribute. If number starts with a plus or minus sign, LOCAL_PREF will be adjusted by adding or subtracting number; otherwise it will be set to number. The default is 100.

number
 
number
Set the MULTI_EXIT_DISC AS path attribute. If number starts with a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding or subtracting number; otherwise it will be set to number.

(igp|egp|incomplete)
Set the AS path attribute to mark the source of this route as being injected from an igp protocol, an egp protocol or being an aggregated route.

(address|blackhole|reject|self|no-modify)
Set the AS path attribute to a different nexthop address or use blackhole or reject routes. and reject only affect the FIB and will not alter the nexthop address. forces the nexthop to be set to the local interface address. If set to no-modify, the nexthop attribute is not modified for EBGP multihop sessions. By default EBGP multihop sessions use the local interface address. On other IBGP and directly connected EBGP sessions no-modify is ignored. The set address is used on IBGP session and on directly connected EBGP session if the address is part of the connected network. On EBGP multihop session no-modify has to be set to force the nexthop to address. 
set nexthop 192.168.0.1
set nexthop blackhole
set nexthop reject
set nexthop no-modify
set nexthop self

table
Add the prefix in the update to the specified pf(4) table, regardless of whether or not the path was selected for routing. This option may be useful in building realtime blacklists.

number
Prepend the neighbor's AS number times to the AS path.

number
Prepend the local AS number times to the AS path.

label
Add the prefix to the kernel routing table with the specified label.

number
The weight is used to tip prefixes with equally long AS paths in one or the other direction. A prefix is weighed at a very late stage in the decision process. If number starts with a plus or minus sign, the weight will be adjusted by adding or subtracting number; otherwise it will be set to number. is a local non-transitive attribute, and is a bgpd(8)-specific extension. For prefixes with equally long paths, the prefix with the larger weight is selected.

/etc/bgpd.conf
bgpd(8) configuration file.
/etc/examples/bgpd.conf
Example configuration file.

strftime(3), ipsec(4), pf(4), rdomain(4), tcp(4), bgpctl(8), bgpd(8), ipsecctl(8), isakmpd(8), rc.conf.local(8)

The bgpd.conf file format first appeared in OpenBSD 3.5.

March 10, 2025 openbsd