author Jared Yanovich <jaredy@cvs.openbsd.org> 2004-08-09 16:29:19 +0000
committer Jared Yanovich <jaredy@cvs.openbsd.org> 2004-08-09 16:29:19 +0000
commit 6b1506a07f3459888d20b449b28d4338341d27a1
tree 43d721b27f3d1e46b0e37fab68043fa5584ae619 /usr.sbin
parent 1930302613cb2b80d81faa25ca95382c4951c8c8
document new list expansion syntax & add examples
reorganize the "to/from <peer>" filter rule parameter section
add a few other various clarification bits and fix some mdoc macros
ok henning
Diffstat (limited to 'usr.sbin')
-rw-r--r-- usr.sbin/bgpd/bgpd.conf.5 | 100
1 files changed, 76 insertions, 24 deletions
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index e3a123852be..8d26b8c0e5e 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.33 2004/07/30 22:50:49 claudio Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.34 2004/08/09 16:29:18 jaredy Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -549,22 +549,11 @@ to which a rule applies.
An
.Em UPDATE
always comes from, or goes to, one neighbor.
-Most parameters are optional.
+Most parameters are optional, but each can appear at most once per rule.
If a parameter is specified, the rule only applies to packets with
matching attributes.
.Pp
.Bl -tag -width Ds -compact
-.It Ic any
-.It Ar address
-.It Ic group Ar description
-This rule applies only to
-.Em UPDATES
-coming from, or going to, this particular neighbor.
-Neighbors can be matched against their address, the group description,
-or the token
-.Ic any
-can be used to match any neighbor.
-.Pp
.It Ar as-type as-number
This rule applies only to
.Em UPDATES
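Review bot: The added sentence "each can appear at most once per rule" sits oddly next to the brace-list syntax documented further down in this patch, where a single parameter carries several values. Say explicitly that a braced list counts as one occurrence of the parameter, so readers do not conclude that `AS { 1, 2, 3 }` breaks the limit. The untouched sentence that follows also still speaks of "packets with matching attributes", while every item in the list speaks of UPDATES; one term throughout would be clearer.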
@@ -589,6 +578,19 @@ is one of the following operators:
(all but the rightmost AS number)
.El
.Pp
+Multiple
+.Ar as-number
+entries for a given type or
+.Ar as-type as-number
+entries may also be specified,
+separated by commas or whitespace,
+if enclosed in curly brackets:
+.Bd -literal -offset indent
+deny from any AS { 1, 2, 3 }
+deny from any { AS 1, source-AS 2, transit-AS 3 }
+deny from any { AS { 1, 2, 3 }, source-AS 4, transit-AS 5 }
+.Ed
+.Pp
.It Xo
.Ic community
.Ar as-number Ns Li \&: Ns Ar local
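Review bot: The new list paragraph under as-type as-number shows three forms but never states how a list is evaluated, that is, whether `{ AS 1, source-AS 2, transit-AS 3 }` matches an UPDATE that satisfies any one entry or only one that satisfies all of them. For a deny rule that difference decides what is filtered, so add a sentence giving the semantics (for example, that each entry expands into its own rule, if that is what the parser does).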
@@ -599,6 +601,14 @@ This rule applies only to
where the
.Ic community
path attribute is present and matches.
+Communities are specified as
+.Ar as-number Ns Li : Ns Ar local ,
+where
+.Ar as-number
+is an AS number and
+.Ar local
+is a locally significant number between zero and
+.Li 0xffff .
Both
.Ar as-number
and
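Review bot: The added line `.Ar as-number Ns Li : Ns Ar local ,` writes the colon bare, while the item header just above this hunk uses `Li \&:`; pick one form so both render alike. The new text bounds local at 0xffff but gives no range for as-number; stating it as well would complete the definition before the wildcard sentence that follows.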
@@ -608,16 +618,39 @@ may be set to
to do wildcard matching.
Alternatively, well-known communities may be given by name instead and
include
-.Cm NO_EXPORT ,
-.Cm NO_ADVERTISE ,
+.Ic NO_EXPORT ,
+.Ic NO_ADVERTISE ,
and
-.Cm NO_EXPORT_SUBCONFED .
+.Ic NO_EXPORT_SUBCONFED .
.Pp
-.It Ic from
-.It Ic to
-This rule applies to incoming or outgoing
-.Em UPDATES .
-Either one or the other must be specified.
+.It Xo
+.Pq Ic from Ns \&| Ns Ic to
+.Ar peer
+.Xc
+This rule applies only to
+.Em UPDATES
+coming from, or going to, this particular neighbor.
+This parameter must be specified.
+.Ar peer
+is one of the following:
+.Pp
+.Bl -tag -width "group descr" -compact
+.It Ic any
+Any neighbor will be matched.
+.It Ar address
+Neighbors with this address will be matched.
+.It Ic group Ar descr
+Neighbors in this group will be matched.
+.El
+.Pp
+Multiple
+.Ar peer
+entries may also be specified,
+separated by commas or whitespace,
+if enclosed in curly brackets:
+.Bd -literal -offset indent
+deny from { 128.251.16.1, 251.128.16.2, group hojo }
+.Ed
.Pp
.It Xo
.Ic prefix
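Review bot: In the new example `deny from { 128.251.16.1, 251.128.16.2, group hojo }`, the second address lies inside 240.0.0.0/4, which the prefix example later in this patch files under `bad`, so it cannot be a real neighbor address. Use addresses from a documentation range such as 192.0.2.0/24 for both entries. The retained wording "this particular neighbor" also no longer fits now that peer can be any, a group, or a list; "the matching neighbors" would read better.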
@@ -627,6 +660,25 @@ This rule applies only to
.Em UPDATES
for the specified prefix.
.Pp
+Multiple
+.Ar address Ns Li / Ns Ar len
+entries may be specified,
+separated by commas or whitespace,
+if enclosed in curly brackets:
+.Bd -literal -offset indent
+deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 }
+.Ed
+.Pp
+Multiple lists can also be specified, which is useful for
+macro expansion:
+.Bd -literal -offset indent
+good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
+bad="{ 224.0.0.0/4, 240.0.0.0/4 }"
+ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"
+
+deny from any prefix { $good $bad $ugly }
+.Ed
+.Pp
.It Ic prefixlen Ar range
This rule applies only to
.Em UPDATES
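Review bot: In the macro example, `ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"` gives a prefix with host bits set; write 127.0.0.0/8 so it matches the address/len form of the other entries. Since the item says the rule applies to UPDATES "for the specified prefix", it would also help to state whether `prefix 10.0.0.0/8` covers more-specific announcements inside that block or only the /8 itself, and to point at prefixlen if it is the latter, because readers will copy these lists as filters for unroutable space.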
@@ -717,10 +769,10 @@ is an AS number and
is a locally-significant number between zero and
.Li 0xffff .
Alternately, well-known communities may be specified by name:
-.Cm NO_EXPORT ,
-.Cm NO_ADVERTISE ,
+.Ic NO_EXPORT ,
+.Ic NO_ADVERTISE ,
or
-.Cm NO_EXPORT_SUBCONFED .
+.Ic NO_EXPORT_SUBCONFED .
.Pp
.It Ic localpref Ar number
Set the
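Review bot: The wording around the Ic lines here says "Alternately" and "locally-significant", while the filter-rule section edited earlier in this patch says "Alternatively" and adds "locally significant" without the hyphen. Align the two descriptions of the community syntax while both are being touched.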