author | Claudio Jeker <claudio@cvs.openbsd.org> | 2024-12-18 16:00:27 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2024-12-18 16:00:27 +0000 |
commit | 341d201dd4dd3b785f8f27ca632f5218927b6993 (patch) | |
tree | 86cfac56273f79064d855220b8e5096e06d95f14 | |
parent | dd1d8cf3d9e4554f3dd0116569c9673b54f242ad (diff) |
Make the example bgpd.conf work with 4byte ASN out of the box.
Use local-as in community and large-community stanzas since that will
be expanded at runtime. For communities that only work with 2byte ASN
the filter will never match (or nothing will be set / deleted) since
a 4byte ASN can never match.
We want a bgpd.conf example ruleset that is sensible, works and is a
good starting point for beginners. In other words we should not add
traps to the config.
OK deraadt@ job@
-rw-r--r-- | etc/examples/bgpd.conf | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/etc/examples/bgpd.conf b/etc/examples/bgpd.conf index 13023c294c5..e51e1db14e3 100644 --- a/etc/examples/bgpd.conf +++ b/etc/examples/bgpd.conf @@ -1,8 +1,8 @@ -# $OpenBSD: bgpd.conf,v 1.25 2024/08/29 12:58:57 claudio Exp $ +# $OpenBSD: bgpd.conf,v 1.26 2024/12/18 16:00:26 claudio Exp $ # example bgpd configuration file, see bgpd.conf(5) # define our own ASN as a macro -ASN="65001" +ASN="4200000001" # global configuration AS $ASN @@ -50,7 +50,7 @@ prefix-set bogons { # Generate routes for the networks our ASN will originate. # The communities (read 'tags') are later used to match on what # is announced to EBGP neighbors -network prefix-set mynetworks set large-community $ASN:1:1 +network prefix-set mynetworks set large-community local-as:1:1 # assume simple network with 3 routers in IBGP full mesh group "ibgp mesh" { @@ -91,8 +91,8 @@ group "upstreams" { # Outbound EBGP: only allow self originated networks to ebgp peers # Don't leak any routes from upstream or peering sessions. This is done -# by checking for routes that are tagged with the large-community $ASN:1:1 -allow to ebgp prefix-set mynetworks large-community $ASN:1:1 +# by checking for routes that are tagged with the large-community local-as:1:1 +allow to ebgp prefix-set mynetworks large-community local-as:1:1 # deny more-specifics of our own originated prefixes deny quick from ebgp prefix-set mynetworks or-longer @@ -103,8 +103,8 @@ allow to ibgp # Scrub normal and large communities relevant to our ASN from EBGP neighbors # https://tools.ietf.org/html/rfc7454#section-11 -match from ebgp set { community delete $ASN:* } -match from ebgp set { large-community delete $ASN:*:* } +match from ebgp set { community delete local-as:* } +match from ebgp set { large-community delete local-as:*:* } # filter out prefixes longer than 24 or shorter than 8 bits for IPv4 # and longer than 48 or shorter than 16 bits for IPv6. |
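Review bot: In the first hunk (@@ -1,8 +1,8 @@), the comment above ASN="4200000001" still reads only "define our own ASN as a macro", so nothing tells a beginner that the value is a placeholder. 4200000001 lies in the private-use 4-byte range (RFC 6996), just as 65001 did in the 2-byte range. Consider extending the comment to say that this is a private-use example value and must be replaced with the operator's assigned ASN before the file is deployed.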
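Review bot: In the hunk at @@ -50,7 +50,7 @@, local-as appears in the network statement with no explanation in the comment block above it, while the file still defines the $ASN macro and uses it for the AS line. A one-line comment saying that local-as is expanded at runtime to the local AS, as the commit message states, would tell readers why the tag is written as local-as:1:1 and that it has to stay identical to the large-community matched in the outbound EBGP rule.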
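Review bot: In the last hunk (@@ -103,8 +103,8 @@), "community delete local-as:*" is a no-op with the ASN the example now ships. Per the commit message, a stanza that only works with a 2-byte ASN never matches or deletes anything when the local AS is 4-byte. The comment above still says that both normal and large communities are scrubbed. Suggest noting there that only the large-community line takes effect with a 4-byte ASN, so a reader does not assume classic communities received from EBGP neighbors are being stripped.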