github.com/osrg/gobgp/v3@v3.30.0/docs/sources/policy.md (about) 1 # Policy Configuration 2 3 This page explains GoBGP policy feature for controlling the route 4 advertisement. It might be called Route Map in other BGP 5 implementations. 6 7 We explain the overview firstly, then the details. 8 9 ## Prerequisites 10 11 Assumed that you finished [Getting Started](getting-started.md). 12 13 ## Contents 14 15 - [Policy Configuration](#policy-configuration) 16 - [Prerequisites](#prerequisites) 17 - [Contents](#contents) 18 - [Overview](#overview) 19 - [Policy Model](#policy-model) 20 - [Route Server Policy Model](#route-server-policy-model) 21 - [Policy Structure](#policy-structure) 22 - [Configure Policies](#configure-policies) 23 - [1. Defining defined-sets](#1-defining-defined-sets) 24 - [prefix-sets](#prefix-sets) 25 - [Examples](#examples) 26 - [neighbor-sets](#neighbor-sets) 27 - [Examples](#examples-1) 28 - [2. Defining bgp-defined-sets](#2-defining-bgp-defined-sets) 29 - [community-sets](#community-sets) 30 - [Examples](#examples-2) 31 - [ext-community-sets](#ext-community-sets) 32 - [Examples](#examples-3) 33 - [as-path-sets](#as-path-sets) 34 - [Examples](#examples-4) 35 - [3. Defining policy-definitions](#3-defining-policy-definitions) 36 - [Execution condition of Action](#execution-condition-of-action) 37 - [Examples](#examples-5) 38 - [4. Attaching policy](#4-attaching-policy) 39 - [4.1 Attach policy to global rib](#41-attach-policy-to-global-rib) 40 - [4.2. Attach policy to route-server-client](#42-attach-policy-to-route-server-client) 41 - [Policy Configuration Example](#policy-configuration-example) 42 - [Policy and Soft Reset](#policy-and-soft-reset) 43 44 ## Overview 45 46 Policy is a way to control how BGP routes inserted to RIB or advertised to 47 peers. Policy has two parts, **Condition** and **Action**. 48 When a policy is configured, **Action** is applied to routes which meet 49 **Condition** before routes proceed to next step. 50 51 GoBGP supports **Condition** like `prefix`, `neighbor`(source/destination of 52 the route), `aspath` etc.., and **Action** like `accept`, `reject`, 53 `MED/aspath/community manipulation` etc... 54 55 You can configure policy by configuration file, CLI or gRPC API. 56 Here, we show how to configure policy via configuration file. 57 58 ## Policy Model 59 60 The following figure shows how policy works in normal BGP configuration. 61 62  63 64 There are **Import** and **Export** policy. **Import** policy is invoked 65 before best path calculation and pushing routes to RIB. 66 **Export** policy is invoked after that. 67 68 You can check each policy by the following commands. 69 70 ```shell 71 $ gobgp global policy import 72 $ gobgp global policy export 73 ``` 74 75 ## Route Server Policy Model 76 77 The following figure shows how policy works in 78 [route server BGP configuration](route-server.md). 79 80  81 82 In route server mode, **Import** and **Export** policies are defined 83 with respect to a peer. The **Import** policy defines what routes 84 will be imported into the master RIB. The **Export** policy defines 85 what routes will be exported from the master RIB. 86 87 You can check each policy by the following commands. 88 89 ```shell 90 $ gobgp neighbor <neighbor-addr> policy import 91 $ gobgp neighbor <neighbor-addr> policy export 92 ``` 93 94 ## Policy Structure 95 96  97 98 A policy consists of statements. Each statement has condition(s) and action(s). 99 100 Conditions are categorized into attributes below: 101 102 - prefix 103 - neighbor 104 - aspath 105 - aspath length 106 - community 107 - extended community 108 - rpki validation result 109 - route type (internal/external/local) 110 - large community 111 - afi-safi in 112 113 As showed in the figure above, some of the conditions point to defined sets, 114 which are a container for each condition item (e.g. prefixes). 115 116 Actions are categorized into attributes below: 117 118 - accept or reject 119 - add/replace/remove community or remove all communities 120 - add/subtract or replace MED value 121 - set next-hop (specific address/own local address/don't modify) 122 - set local-pref 123 - prepend AS number in the AS_PATH attribute 124 125 When **ALL** conditions in the statement are `true`, the action(s) in the 126 statement are executed. 127 128 You can check policy configuration by the following commands. 129 130 ```shell 131 $ gobgp policy 132 $ gobgp policy statement 133 $ gobgp policy prefix 134 $ gobgp policy neighbor 135 $ gobgp policy as-path 136 $ gobgp policy community 137 $ gobgp policy ext-community 138 $ gobgp policy large-community 139 ``` 140 141 ## Configure Policies 142 143 Policy Configuration comes from two parts, definition and attachment. For definition, we have 144 [defined-sets](#1-defining-defined-sets) and [policy-definition](#3-defining-policy-definitions). 145 **defined-sets** defines condition item for some of the condition type. 146 **policy-definitions** defines policies based on actions and conditions. 147 148 - **defined-sets** 149 A single **defined-sets** entry has prefix match that is named 150 **prefix-sets** and neighbor match part that is named **neighbor-sets**. It 151 also has **bgp-defined-sets**, a subset of **defined-sets** that defines 152 conditions referring to BGP attributes such as aspath. This **defined-sets** 153 has a name and it's used to refer to **defined-sets** items from outside. 154 155 - **policy-definitions** 156 **policy-definitions** is a list of policy. A single element has 157 **statements** part that combines conditions with an action. 158 159 Below are the steps for policy configuration 160 161 1. define defined-sets 162 1. define prefix-sets 163 1. define neighbor-sets 164 1. define bgp-defined-sets 165 1. define community-sets 166 1. define ext-community-sets 167 1. define as-path-setList 168 1. define large-community-sets 169 1. define policy-definitions 170 1. attach policies to global rib (or neighbor local rib when neighbor is 171 [route-server-client](route-server.md)). 172 173 ### 1. Defining defined-sets 174 175 defined-sets has prefix information and neighbor information in prefix-sets and 176 neighbor-sets section, and GoBGP uses these information to evaluate routes. 177 Defining defined-sets is needed at first. 178 prefix-sets and neighbor-sets section are prefix match part and neighbor match 179 part. 180 181 - defined-sets example 182 183 ```toml 184 # prefix match part 185 [[defined-sets.prefix-sets]] 186 prefix-set-name = "ps1" 187 [[defined-sets.prefix-sets.prefix-list]] 188 ip-prefix = "10.33.0.0/16" 189 masklength-range = "21..24" 190 191 # neighbor match part 192 [[defined-sets.neighbor-sets]] 193 neighbor-set-name = "ns1" 194 neighbor-info-list = ["10.0.255.1"] 195 ``` 196 197 #### prefix-sets 198 199 prefix-sets has prefix-set-list, and prefix-set-list has prefix-set-name and 200 prefix-list as its element. prefix-set-list is used as a condition. Note that 201 prefix-sets has either v4 or v6 addresses. 202 203 **prefix-set-list** has 1 element and list of sub-elements. 204 205 | Element | Description | Example | Optional | 206 | --------------- | ---------------------------------- | ------- | -------- | 207 | prefix-set-name | name of prefix-set | "ps1" | | 208 | prefix-list | list of prefix and range of length | | | 209 210 **PrefixList** has 2 elements. 211 212 | Element | Description | Example | Optional | 213 | ---------------- | --------------- | -------------- | -------- | 214 | ip-prefix | prefix value | "10.33.0.0/16" | | 215 | masklength-range | range of length | "21..24" | Yes | 216 217 ##### Examples 218 219 - example 1 220 - Match routes whose high order 2 octets of NLRI is 10.33 and its prefix 221 length is between from 21 to 24 222 - If you define a prefix-list that doesn't have MasklengthRange, it matches 223 routes that have just 10.33.0.0/16 as NLRI. 224 225 ```toml 226 # example 1 227 [[defined-sets.prefix-sets]] 228 prefix-set-name = "ps1" 229 [[defined-sets.prefix-sets.prefix-list]] 230 ip-prefix = "10.33.0.0/16" 231 masklength-range = "21..24" 232 ``` 233 234 - example 2 235 - If you want to evaluate multiple routes with a single prefix-set-list, you 236 can do this by adding an another prefix-list like this: 237 - This prefix-set-list match checks if a route has 10.33.0.0/21 to 24 or 238 10.50.0.0/21 to 24. 239 240 ```toml 241 # example 2 242 [[defined-sets.prefix-sets]] 243 prefix-set-name = "ps1" 244 [[defined-sets.prefix-sets.prefix-list]] 245 ip-prefix = "10.33.0.0/16" 246 masklength-range = "21..24" 247 [[defined-sets.prefix-sets.prefix-list]] 248 ip-prefix = "10.50.0.0/16" 249 masklength-range = "21..24" 250 ``` 251 252 - example 3 253 - prefix-set-name under prefix-set-list is reference to a single prefix-set. 254 - If you want to add different prefix-set more, you can add other blocks that 255 form the same structure with example 1. 256 257 ```toml 258 # example 3 259 [[defined-sets.prefix-sets]] 260 prefix-set-name = "ps1" 261 [[defined-sets.prefix-sets.prefix-list]] 262 ip-prefix = "10.33.0.0/16" 263 masklength-range = "21..24" 264 [[defined-sets.prefix-sets]] 265 prefix-set-name = "ps2" 266 [[defined-sets.prefix-sets.prefix-list]] 267 ip-prefix = "10.50.0.0/16" 268 masklength-range = "21..24" 269 ``` 270 271 #### neighbor-sets 272 273 neighbor-sets has neighbor-set-list, and neighbor-set-list has 274 neighbor-set-name and neighbor-info-list as its element. It is necessary to 275 specify a neighbor address in neighbor-info-list. neighbor-set-list is used as 276 a condition. 277 *Attention: an empty neighbor-set will match against ANYTHING and not invert based on the match option* 278 279 **neighbor-set-list** has 1 element and list of sub-elements. 280 281 | Element | Description | Example | Optional | 282 | ------------------ | ------------------------ | ------- | -------- | 283 | neighbor-set-name | name of neighbor-set | "ns1" | | 284 | neighbor-info-list | list of neighbor address | | | 285 286 **neighbor-info-list** has 1 element. 287 288 | Element | Description | Example | Optional | 289 | ------- | ---------------- | ------------ | -------- | 290 | address | neighbor address | "10.0.255.1" | | 291 292 ##### Examples 293 294 - example 1 295 296 ```toml 297 # example 1 298 [[defined-sets.neighbor-sets]] 299 neighbor-set-name = "ns1" 300 neighbor-info-list = ["10.0.255.1"] 301 # Prefix representations are also acceptable. 302 [[defined-sets.neighbor-sets]] 303 neighbor-set-name = "ns2" 304 neighbor-info-list = ["10.0.0.0/24"] 305 ``` 306 307 - example 2 308 - As with prefix-set-list, neighbor-set-list can have multiple 309 neighbor-info-list like this. 310 311 ```toml 312 # example 2 313 [[defined-sets.neighbor-sets]] 314 neighbor-set-name = "ns1" 315 neighbor-info-list = ["10.0.255.1", "10.0.255.2"] 316 ``` 317 318 - example 3 319 - As with prefix-set-list, multiple neighbor-set-lists can be defined. 320 321 ```toml 322 # example 3 323 [[defined-sets.neighbor-sets]] 324 neighbor-set-name = "ns1" 325 neighbor-info-list = ["10.0.255.1"] 326 # another neighbor-set-list 327 [[defined-sets.neighbor-sets]] 328 neighbor-set-name = "ns2" 329 neighbor-info-list = ["10.0.254.1"] 330 ``` 331 332 ### 2. Defining bgp-defined-sets 333 334 bgp-defined-sets has Community information, Extended Community 335 information and AS_PATH information in each Sets section 336 respectively. And it is a child element of defined-sets. 337 community-sets, ext-community-sets and as-path-sets section are each match 338 part. Like prefix-sets and neighbor-sets, each can have multiple sets and each 339 set can have multiple values. 340 341 - bgp-defined-sets example 342 343 ```toml 344 # Community match part 345 [[defined-sets.bgp-defined-sets.community-sets]] 346 community-set-name = "community1" 347 community-list = ["65100:10"] 348 # Extended Community match part 349 [[defined-sets.bgp-defined-sets.ext-community-sets]] 350 ext-community-set-name = "ecommunity1" 351 ext-community-list = ["RT:65100:10"] 352 # AS_PATH match part 353 [[defined-sets.bgp-defined-sets.as-path-sets]] 354 as-path-set-name = "aspath1" 355 as-path-list = ["^65100"] 356 # Large Community match part 357 [[defined-sets.bgp-defined-sets.large-community-sets]] 358 large-community-set-name = "lcommunity1" 359 large-community-list = ["65100:100:100"] 360 ``` 361 362 #### community-sets 363 364 community-sets has community-set-name and community-list as its element. The 365 Community value are used to evaluate communities held by the destination. 366 367 | Element | Description | Example | Optional | 368 | ------------------ | ----------------------- | ------------ | -------- | 369 | community-set-name | name of CommunitySet | "community1" | | 370 | community-list | list of community value | | | 371 372 **community-list** has 1 element. 373 374 | Element | Description | Example | Optional | 375 | --------- | --------------- | ---------- | -------- | 376 | community | community value | "65100:10" | | 377 378 You can use regular expressions to specify community in community-list. 379 380 ##### Examples 381 382 - example 1 383 - Match routes which has "65100:10" as a community value. 384 385 ```toml 386 # example 1 387 [[defined-sets.bgp-defined-sets.community-sets]] 388 community-set-name = "community1" 389 community-list = ["65100:10"] 390 ``` 391 392 - example 2 393 - Specifying community by regular expression 394 - You can use regular expressions based on POSIX 1003.2 regular expressions. 395 396 ```toml 397 # example 2 398 [[defined-sets.bgp-defined-sets.community-sets]] 399 community-set-name = "community2" 400 community-list = ["6[0-9]+:[0-9]+"] 401 ``` 402 403 #### ext-community-sets 404 405 ext-community-sets has ext-community-set-name and ext-community-list as its 406 element. The values are used to evaluate extended communities held by the 407 destination. 408 409 | Element | Description | Example | Optional | 410 | ---------------------- | -------------------------------- | ------------- | -------- | 411 | ext-community-set-name | name of ExtCommunitySet | "ecommunity1" | | 412 | ext-community-list | list of extended community value | | | 413 414 **ext-community-list** has 1 element. 415 416 | Element | Description | Example | Optional | 417 | ------------- | ------------------------ | -------------- | -------- | 418 | ext-community | extended community value | "RT:65001:200" | | 419 420 You can use regular expressions to specify extended community in 421 ext-community-list. However, the first one element separated by (part of "RT") 422 does not support to the regular expression. The part of "RT" indicates a 423 subtype of extended community and subtypes that can be used are as follows: 424 425 - RT: mean the route target. 426 - SoO: mean the site of origin(route origin). 427 - encap: mean the encapsulation tunnel type, currently gobgp supports the following encap tunnels: 428 l2tp3 429 gre 430 ip-in-ip 431 vxlan 432 nvgre 433 mpls 434 mpls-in-gre 435 vxlan-gre 436 mpls-in-udp 437 sr-policy 438 geneve 439 - LB: mean the link-bandwidth (in bytes). 440 441 ##### Examples 442 443 - example 1 444 - Match routes which has "RT:65001:200" as a extended community value. 445 446 ```toml 447 # example 1 448 [[defined-sets.bgp-defined-sets.ext-community-sets]] 449 ext-community-set-name = "ecommunity1" 450 ext-community-list = ["RT:65100:200"] 451 ``` 452 453 - example 2 454 - Specifying extended community by regular expression 455 - You can use regular expressions that is available in Golang. 456 457 ```toml 458 # example 2 459 [[defined-sets.bgp-defined-sets.ext-community-sets]] 460 ext-community-set-name = "ecommunity2" 461 ext-community-list = ["RT:6[0-9]+:[0-9]+"] 462 ``` 463 464 - example 3 465 - Specify link-bandwidth extended community. 466 467 ```toml 468 # example 3 469 [policy-definitions.statements.actions.bgp-actions.set-ext-community.set-ext-community-method] 470 communities-list = ["LB:65001:125000"] 471 ``` 472 473 #### as-path-sets 474 475 as-path-sets has as-path-set-name and as-path-list as its element. The numbers 476 are used to evaluate AS numbers in the destination's AS_PATH attribute. 477 478 | Element | Description | Example | Optional | 479 | ---------------- | --------------------- | --------- | -------- | 480 | as-path-set-name | name of as-path-set | "aspath1" | | 481 | as-path-list | list of as path value | | | 482 483 **as-path-list** has 1 elements. 484 485 | Element | Description | Example | Optional | 486 | ----------- | ------------- | -------- | -------- | 487 | as-path-set | as path value | "^65100" | | 488 489 The AS path regular expression is compatible with 490 [Quagga](http://www.nongnu.org/quagga/docs/docs-multi/AS-Path-Regular-Expression.html) 491 and Cisco. Note Character `_` has special meaning. It is abbreviation for 492 `(^|[,{}() ]|$)`. 493 494 Some examples follow: 495 496 - From: `^65100_` means the route is passed from AS 65100 directly. 497 - Any: `_65100_` means the route comes through AS 65100. 498 - Origin: `_65100$` means the route is originated by AS 65100. 499 - Only: `^65100$` means the route is originated by AS 65100 and comes from it 500 directly. 501 - `^65100_65001` 502 - `65100_[0-9]+_.*$` 503 - `^6[0-9]_5.*_65.?00$` 504 505 ##### Examples 506 507 - example 1 508 - Match routes which come from AS 65100. 509 510 ```toml 511 # example 1 512 [[defined-sets.bgp-defined-sets.as-path-sets]] 513 as-path-set-name = "aspath1" 514 as-path-list = ["^65100_"] 515 ``` 516 517 - example 2 518 - Match routes which come Origin AS 65100 and use regular expressions to 519 other AS. 520 521 ```toml 522 # example 2 523 [[defined-sets.bgp-defined-sets.as-path-sets]] 524 as-path-set-name = "aspath1" 525 as-path-list = ["[0-9]+_65[0-9]+_65100$"] 526 ``` 527 528 ### 3. Defining policy-definitions 529 530 policy-definitions consists of condition and action. Condition part is used to 531 evaluate routes from neighbors, if matched, action will be applied. 532 533 - an example of policy-definitions 534 535 ```toml 536 [[policy-definitions]] 537 name = "example-policy" 538 [[policy-definitions.statements]] 539 name = "statement1" 540 [policy-definitions.statements.conditions.match-prefix-set] 541 prefix-set = "ps1" 542 match-set-options = "any" 543 [policy-definitions.statements.conditions.match-neighbor-set] 544 neighbor-set = "ns1" 545 match-set-options = "invert" 546 [policy-definitions.statements.conditions.bgp-conditions.match-community-set] 547 community-set = "community1" 548 match-set-options = "any" 549 [policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set] 550 community-set = "ecommunity1" 551 match-set-options = "any" 552 [policy-definitions.statements.conditions.bgp-conditions.match-as-path-set] 553 as-path-set = "aspath1" 554 match-set-options = "any" 555 [policy-definitions.statements.conditions.bgp-conditions.as-path-length] 556 operator = "eq" 557 value = 2 558 [policy-definitions.statements.conditions.bgp-conditions] 559 afi-safi-in = ["l3vpn-ipv4-unicast", "ipv4-unicast"] 560 [policy-definitions.statements.actions] 561 route-disposition = "accept-route" 562 [policy-definitions.statements.actions.bgp-actions] 563 set-med = "-200" 564 [policy-definitions.statements.actions.bgp-actions.set-as-path-prepend] 565 as = "65005" 566 repeat-n = 5 567 [policy-definitions.statements.actions.bgp-actions.set-community] 568 options = "add" 569 [policy-definitions.statements.actions.bgp-actions.set-community.set-community-method] 570 communities-list = ["65100:20"] 571 ``` 572 573 The elements of policy-definitions are as follows: 574 575 - policy-definitions 576 577 | Element | Description | Example | 578 | ------- | ------------- | ---------------- | 579 | name | policy's name | "example-policy" | 580 581 - policy-definitions.statements 582 583 | Element | Description | Example | 584 | ------- | ----------------- | ------------ | 585 | name | statements's name | "statement1" | 586 587 - policy-definitions.statements.conditions.match-prefix-set 588 589 | Element | Description | Example | 590 | ----------------- | ----------------------------------------------------------------------------- | ------- | 591 | prefix-set | name for defined-sets.prefix-sets.prefix-set-list that is used in this policy | "ps1" | 592 | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | 593 594 - policy-definitions.statements.conditions.match-neighbor-set 595 596 | Element | Description | Example | 597 | ----------------- | --------------------------------------------------------------------------------- | ------- | 598 | neighbor-set | name for defined-sets.neighbor-sets.neighbor-set-list that is used in this policy | "ns1" | 599 | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | 600 601 - policy-definitions.statements.conditions.bgp-conditions.match-community-set 602 603 | Element | Description | Example | 604 | ----------------- | -------------------------------------------------------------------------------------------------- | ------------ | 605 | community-set | name for defined-sets.bgp-defined-sets.community-sets.CommunitySetList that is used in this policy | "community1" | 606 | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | 607 608 - policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set 609 610 | Element | Description | Example | 611 | ----------------- | ------------------------------------------------------------------------------------- | ------------- | 612 | ext-community-set | name for defined-sets.bgp-defined-sets.ext-community-sets that is used in this policy | "ecommunity1" | 613 | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | 614 615 - policy-definitions.statements.conditions.bgp-conditions.match-as-path-set 616 617 | Element | Description | Example | 618 | ----------------- | ------------------------------------------------------------------------------- | --------- | 619 | as-path-set | name for defined-sets.bgp-defined-sets.as-path-sets that is used in this policy | "aspath1" | 620 | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | 621 622 - policy-definitions.statements.conditions.bgp-conditions.match-as-path-length 623 624 | Element | Description | Example | 625 | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | 626 | operator | operator to compare the length of AS number in AS_PATH attribute. <br> "eq","ge","le" can be used. <br> "eq" means that length of AS number is equal to Value element <br> "ge" means that length of AS number is equal or greater than the Value element <br> "le" means that length of AS number is equal or smaller than the Value element | "eq" | 627 | value | value used to compare with the length of AS number in AS_PATH attribute | 2 | 628 629 - policy-definitions.statements.actions 630 631 | Element | Description | Example | 632 | ----------------- | ------------------------------------------------------------------------------------------------------------ | -------------- | 633 | route-disposition | stop following policy/statement evaluation and accept/reject the route:<br> "accept-route" or "reject-route" | "accept-route" | 634 635 - policy-definitions.statements.actions.bgp-actions 636 637 | Element | Description | Example | 638 | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | 639 | set-med | set-med used to change the med value of the route. <br> If only numbers have been specified, replace the med value of route.<br> if number and operater(+ or -) have been specified, adding or subtracting the med value of route. | "-200" | 640 641 - policy-definitions.statements.actions.bgp-actions.set-community 642 643 | Element | Description | Example | 644 | ----------- | ------------------------------------------------------------------------------- | ---------- | 645 | options | operator to manipulate Community attribute in the route | "ADD" | 646 | communities | communities used to manipulate the route's community according to options below | "65100:20" | 647 648 - policy-definitions.statements.actions.bgp-actions.set-as-path-prepend 649 650 | Element | Description | Example | 651 | -------- | ------------------------------------------------------------------------------------------------------ | ------- | 652 | as | AS number to prepend. You can use "last-as" to prepend the leftmost AS number in the aspath attribute. | "65100" | 653 | repeat-n | repeat count to prepend AS | 5 | 654 655 #### Execution condition of Action 656 657 Action statement is executed when the result of each Condition, including 658 match-set-options is all true. 659 **match-set-options** is defined how to determine the match result, in the 660 condition with multiple evaluation set as follows: 661 662 | Value | Description | 663 | ------ | ------------------------------------------------------------------------- | 664 | any | match is true if given value matches any member of the defined set | 665 | all | match is true if given value matches all members of the defined set | 666 | invert | match is true if given value does not match any member of the defined set | 667 668 ##### Examples 669 670 - example 1 671 - This policy definition has prefix-set *ps1* and neighbor-set *ns1* as its 672 condition and routes matches the condition is rejected. 673 674 ```toml 675 # example 1 676 [[policy-definitions]] 677 name = "policy1" 678 [[policy-definitions.statements]] 679 name = "statement1" 680 [policy-definitions.statements.conditions.match-prefix-set] 681 prefix-set = "ps1" 682 [policy-definitions.statements.conditions.match-neighbor-set] 683 neighbor-set = "ns1" 684 [policy-definitions.statements.actions] 685 route-disposition = "reject-route" 686 ``` 687 688 - example 2 689 - policy-definition has two statements 690 - If a route matches the condition inside the first statement(1), GoBGP 691 applies its action and quits the policy evaluation. 692 693 ```toml 694 # example 2 695 [[policy-definitions]] 696 name = "policy1" 697 # first statement - (1) 698 [[policy-definitions.statements]] 699 name = "statement1" 700 [policy-definitions.statements.conditions.match-prefix-set] 701 prefix-set = "ps1" 702 [policy-definitions.statements.conditions.match-neighbor-set] 703 neighbor-set = "ns1" 704 [policy-definitions.statements.actions] 705 route-disposition = "reject-route" 706 # second statement - (2) 707 [[policy-definitions.statements]] 708 name = "statement2" 709 [policy-definitions.statements.conditions.match-prefix-set] 710 prefix-set = "ps2" 711 [policy-definitions.statements.conditions.match-neighbor-set] 712 neighbor-set = "ns2" 713 [policy-definitions.statements.actions] 714 route-disposition = "reject-route" 715 ``` 716 717 - example 3 718 - If you want to add other policies, just add policy-definitions block 719 following the first one like this 720 721 ```toml 722 # example 3 723 # first policy 724 [[policy-definitions]] 725 name = "policy1" 726 [[policy-definitions.statements]] 727 name = "statement1" 728 [policy-definitions.statements.conditions.match-prefix-set] 729 prefix-set = "ps1" 730 [policy-definitions.statements.conditions.match-neighbor-set] 731 neighbor-set = "ns1" 732 [policy-definitions.statements.actions] 733 route-disposition = "reject-route" 734 # second policy 735 [[policy-definitions]] 736 name = "policy2" 737 [[policy-definitions.statements]] 738 name = "statement2" 739 [policy-definitions.statements.conditions.match-prefix-set] 740 prefix-set = "ps2" 741 [policy-definitions.statements.conditions.match-neighbor-set] 742 neighbor-set = "ns2" 743 [policy-definitions.statements.actions] 744 route-disposition = "reject-route" 745 ``` 746 747 - example 4 748 - This PolicyDefinition has multiple conditions including BgpConditions as 749 follows: 750 - prefix-set: *ps1* 751 - neighbor-set: *ns1* 752 - community-set: *community1* 753 - ext-community-set: *ecommunity1* 754 - as-path-set: *aspath1* 755 - as-path length: *equal 2* 756 - If a route matches all these conditions, it will be accepted with community 757 "65100:20", next-hop 10.0.0.1, local-pref 110, med subtracted 200, as-path 758 prepended 65005 five times. 759 760 ```toml 761 # example 4 762 [[policy-definitions]] 763 name = "policy1" 764 [[policy-definitions.statements]] 765 name = "statement1" 766 [policy-definitions.statements.conditions.match-prefix-set] 767 prefix-set = "ps1" 768 [policy-definitions.statements.conditions.match-neighbor-set] 769 neighbor-set = "ns1" 770 [policy-definitions.statements.conditions.bgp-conditions.match-community-set] 771 community-set = "community1" 772 [policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set] 773 community-set = "ecommunity1" 774 [policy-definitions.statements.conditions.bgp-conditions.match-as-path-set] 775 community-set = "aspath1" 776 [policy-definitions.statements.conditions.bgp-conditions.as-path-length] 777 operator = "eq" 778 value = 2 779 [policy-definitions.statements.actions] 780 route-disposition = "accept-route" 781 [policy-definitions.statements.actions.bgp-actions] 782 set-med = "-200" 783 set-next-hop = "10.0.0.1" 784 set-local-pref = 110 785 [policy-definitions.statements.actions.bgp-actions.set-as-path-prepend] 786 as = "65005" 787 repeat-n = 5 788 [policy-definitions.statements.actions.bgp-actions.set-community] 789 options = "ADD" 790 [policy-definitions.statements.actions.bgp-actions.set-community.set-community-method] 791 communities-list = ["65100:20"] 792 ``` 793 794 - example 5 795 - example of multiple statement 796 797 ```toml 798 # example 5 799 [[policy-definitions]] 800 name = "policy1" 801 [[policy-definitions.statements]] 802 # statement without route-disposition continues to the next statement 803 [policy-definitions.statements.actions.bgp-actions] 804 set-med = "+100" 805 set-next-hop = "self" 806 [[policy-definitions.statements]] 807 # if matched with "ps1", reject the route and stop evaluating 808 # following statements 809 [policy-definitions.statements.conditions.match-prefix-set] 810 prefix-set = "ps1" 811 [policy-definitions.statements.actions] 812 route-disposition = "reject-route" 813 [[policy-definitions.statements]] 814 # if matched with "ps2", accept the route and stop evaluating 815 # following statements 816 [policy-definitions.statements.conditions.match-prefix-set] 817 prefix-set = "ps2" 818 [policy-definitions.statements.actions] 819 route-disposition = "accept-route" 820 [[policy-definitions.statements]] 821 # since this is the last statement, if the route matched with "ps3", 822 # add 10 to MED value and continue to the next policy if exists. 823 # If not, default-policy is applied. 824 [policy-definitions.statements.conditions.match-prefix-set] 825 prefix-set = "ps3" 826 [policy-definitions.statements.actions.bgp-actions] 827 set-med = "+10" 828 set-next-hop = "unchanged" 829 ``` 830 831 ### 4. Attaching policy 832 833 Here we explain how to attach defined policies to 834 [global rib](#41-attach-policy-to-global-rib) and [neighbor local rib](#42-attach-policy-to-route-server-client). 835 836 #### 4.1 Attach policy to global rib 837 838 To attach policies to global rib, add policy name to 839 `global.apply-policy.config`. 840 841 ```toml 842 [global.apply-policy.config] 843 import-policy-list = ["policy1"] 844 export-policy-list = ["policy2"] 845 default-import-policy = "accept-route" 846 default-export-policy = "accept-route" 847 ``` 848 849 | Element | Description | Example | 850 | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | 851 | import-policy | policy-definitions.name for Import policy | "policy1" | 852 | export-policy | policy-definitions.name for Export policy | "policy2" | 853 | default-import-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | 854 | default-export-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | 855 856 #### 4.2. Attach policy to route-server-client 857 858 You can use policies defined above as Import or Export or In policy by 859 attaching them to neighbors which is configured to be route-server client. 860 861 To attach policies to neighbors, you need to add policy's name to 862 `neighbors.apply-policy` in the neighbor's setting. 863 This example attaches *policy1* to Import policy and *policy2* to Export policy 864 and *policy3* is used as the In policy. 865 866 ```toml 867 [[neighbors]] 868 [neighbors.config] 869 neighbor-address = "10.0.255.2" 870 peer-as = 65002 871 [neighbors.route-server.config] 872 route-server-client = true 873 [neighbors.apply-policy.config] 874 import-policy-list = ["policy1"] 875 export-policy-list = ["policy2"] 876 default-import-policy = "accept-route" 877 default-export-policy = "accept-route" 878 ``` 879 880 neighbors has a section to specify policies and the section's name is 881 apply-policy. The apply-policy has 6 elements. 882 883 | Element | Description | Example | 884 | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | 885 | import-policy | policy-definitions.name for Import policy | "policy1" | 886 | export-policy | policy-definitions.name for Export policy | "policy2" | 887 | default-import-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | 888 | default-export-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | 889 890 ## Policy Configuration Example 891 892 Neighbor 10.0.255.1 advertises 10.33.0.0/16 and 10.3.0.0/16 routes. We 893 define an import policy for neighbor 10.0.255.2 that drops 894 10.33.0.0/16 route from Neighbor 10.0.255.1. 895 896 ```toml 897 [global.config] 898 as = 64512 899 router-id = "192.168.255.1" 900 901 [[neighbors]] 902 [neighbors.config] 903 neighbor-address = "10.0.255.1" 904 peer-as = 65001 905 [neighbors.route-server.config] 906 route-server-client = true 907 908 [[neighbors]] 909 [neighbors.config] 910 neighbor-address = "10.0.255.2" 911 peer-as = 65002 912 [neighbors.route-server.config] 913 route-server-client = true 914 [neighbors.apply-policy.config] 915 import-policy-list = ["pd2"] 916 917 [[neighbors]] 918 [neighbors.config] 919 neighbor-address = "10.0.255.3" 920 peer-as = 65003 921 [neighbors.route-server.config] 922 route-server-client = true 923 924 [[defined-sets.prefix-sets]] 925 prefix-set-name = "ps2" 926 [[defined-sets.prefix-sets.prefix-list]] 927 ip-prefix = "10.33.0.0/16" 928 [[defined-sets.prefix-sets.prefix-list]] 929 ip-prefix = "10.50.0.0/16" 930 931 [[defined-sets.neighbor-sets]] 932 neighbor-set-name = "ns1" 933 [[defined-sets.neighbor-sets.neighbor-info-list]] 934 address = "10.0.255.1" 935 936 [[policy-definitions]] 937 name = "pd2" 938 [[policy-definitions.statements]] 939 name = "statement1" 940 [policy-definitions.statements.conditions.match-prefix-set] 941 prefix-set = "ps2" 942 match-set-options = "any" 943 [policy-definitions.statements.conditions.match-neighbor-set] 944 neighbor-set = "ns1" 945 match-set-options = "any" 946 [policy-definitions.statements.actions] 947 route-disposition = "reject-route" 948 ``` 949 950 Neighbor 10.0.255.2 has pd2 policy. The pd2 policy consists of ps2 prefix match 951 and ns1 neighbor match. The ps2 specifies 10.33.0.0 and 10.50.0.0 address. The 952 ps2 specifies the mask with **MASK** keyword. **masklength-range** keyword can 953 specify the range of mask length like ```masklength-range 24..26```. The *ns1* 954 specifies neighbor 10.0.255.1. 955 956 The pd2 sets multiple condition, This means that only when all match conditions 957 meets, the policy will be applied. 958 959 The match-prefix-set sets match-set-options to "any". This means that when 960 match to any of prefix-list, the policy will be applied. the policy will be 961 applied to 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1. 962 963 If the match-prefix-set sets match-set-options to "invert", It does not match 964 to any of prefix-list, the policy will be applied. the policy will be applied 965 to other than 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1 966 967 Let's confirm that 10.0.255.1 neighbor advertises two routes. 968 969 ```bash 970 $ gobgp neighbor 10.0.255.1 adj-in 971 Network Next Hop AS_PATH Age Attrs 972 10.3.0.0/16 10.0.255.1 [65001] 00:51:57 [{Origin: 0} {Med: 0}] 973 10.33.0.0/16 10.0.255.1 [65001] 00:51:57 [{Origin: 0} {Med: 0}] 974 ``` 975 976 Now let's check out if the policy works as expected. 977 978 ```bash 979 $ gobgp neighbor 10.0.255.2 local 980 Network Next Hop AS_PATH Age Attrs 981 *> 10.3.0.0/16 10.0.255.1 [65001] 00:49:36 [{Origin: 0} {Med: 0}] 982 $ gobgp neighbor 10.0.255.3 local 983 Network Next Hop AS_PATH Age Attrs 984 *> 10.3.0.0/16 10.0.255.1 [65001] 00:49:38 [{Origin: 0} {Med: 0}] 985 *> 10.33.0.0/16 10.0.255.1 [65001] 00:49:38 [{Origin: 0} {Med: 0}] 986 ``` 987 988 Routes accepted or rejected by import policy can be checked using `gobgp neighbor 10.0.255.2 accepted|rejected` command. 989 990 ## Policy and Soft Reset 991 992 When you change an import policy and reset the inbound routing table (aka soft reset in), a withdraw for a route rejected by the latest import policies will be sent to peers. However, when you change an export policy and reset the outbound routing table (aka soft reset out), even if a route is rejected by the latest export policies, a withdraw for the route will not be sent. 993 994 The outbound routing table doesn't exist for saving memory usage, it's impossible to know whether the route was actually sent to peer or the route also was rejected by the previous export policies and not sent. GoBGP doesn't send such withdraw rather than possible unwilling leaking information. 995 996 Please report if other implementations such as bird work in a different way.