OpenBSD manual page server

Manual Page Search Parameters
BGPD.CONF(5) File Formats Manual BGPD.CONF(5)

bgpd.confBorder Gateway Protocol daemon configuration file

The bgpd(8) daemon implements the Border Gateway Protocol version 4 as described in RFC 4271.

The bgpd.conf config file is divided into the following main sections:

User-defined variables may be defined and used later, simplifying the configuration file.
Global settings for bgpd(8).
Various lookup tables are defined in this section.
Networks which should be announced by bgpd(8) are set in this section.
The definition and properties for BGP MPLS VPNs are set in this section.
bgpd(8) establishes sessions with neighbors. The neighbor definition and properties are set in this section, as well as grouping neighbors for the ease of configuration.
Filter rules for incoming and outgoing UPDATES.

With the exception of macros, the sections should be grouped and appear in bgpd.conf in the order shown above.

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, or underscore must be quoted.

Additional configuration files can be included with the include keyword, for example:

include "/etc/bgpd/bgpd-10.0.0.1.filter"

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, AS, neighbor, or group). Macros are not expanded inside quotes.

For example:

peer1="1.2.3.4"
neighbor $peer1 {
	remote-as 65001
}

There are quite a few settings that affect the operation of the bgpd(8) daemon globally.

as-number [as-number]
Set the local number to as-number. If the first AS number is a 4-byte AS it is possible to specify a secondary 2-byte AS number which is used for neighbors which do not support 4-byte AS numbers. The default for the secondary AS is 23456.

The AS numbers are assigned by local RIRs, such as:

AfriNIC
for Africa
APNIC
for Asia Pacific
ARIN
for North America and parts of the Caribbean
LACNIC
for Latin America and the Caribbean
RIPE NCC
for Europe, the Middle East, and parts of Asia

For example:

AS 65001

sets the local AS to 65001.

The AS numbers 64512 – 65534 are designated for private use. The AS number 23456 is a specially designated Autonomous System Number and should not be used. 4-byte AS numbers are specified as two numbers separated by a dot (ASDOT format), for example:

AS 3.10

or as a large number (ASPLAIN format), for example:

AS 196618

seconds
Set the number of seconds before retrying to open a connection. This timer should be sufficiently large in EBGP configurations. The default is 120 seconds.

[rib name] (table|table-mp|table-v2) file [timeout]
 
(all|updates) (in|out) file [timeout]
Dump the RIB, a.k.a. the , and all BGP messages in Multi-threaded Routing Toolkit (MRT) format. It is possible to dump alternate RIB with the use of name.

For example, the following will dump the entire table to the strftime(3)-expanded filename. Only the table-v2 format is able to dump a multi-protocol RIB correctly. Both table and table-mp formats are more or less limited when handling multi-protocol entries and are only left around to support 3rd party tools not handling the new format. The timeout is optional:

dump table "/tmp/rib-dump-%H%M" 300

Similar to the table dump, but this time all BGP messages and will be dumped to the specified file:

dump all in "/tmp/all-in-%H%M" 300

As before, but only the UPDATE messages will be dumped to the file:

dump updates in "/tmp/updates-in-%H%M" 300

It is also possible to dump outgoing messages:

dump all out "/tmp/all-out-%H%M" 300
# or
dump updates out "/tmp/updates-out-%H%M" 300

prio
Set the routing priority to prio. The default is 48.

(yes|no)
If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

seconds
Set the holdtime in seconds. The holdtime is reset to its initial value every time either a or an UPDATE message is received from the neighbor. If the holdtime expires the session is dropped. The default is 90 seconds. Neighboring systems negotiate the holdtime used when the connection is established in the OPEN messages. Each neighbor announces its configured holdtime; the smaller one is then agreed upon.

holdtime min seconds
The minimal accepted holdtime in seconds. This value must be greater than or equal to 3.

address
Specify the local IP address bgpd(8) should listen on. 
listen on 127.0.0.1

Log received and sent updates.

qualify via (bgp|default)
If set to bgp, bgpd(8) may use BGP routes to verify nexthops. If set to default, bgpd may use the default route to verify nexthops. By default bgpd will only use static routes or routes added by other routing daemons like ospfd(8).

med compare (always|strict)
If set to always, the MULTI_EXIT_DISC attributes will always be compared. The default is strict, where the metric is only compared between peers belonging to the same AS.

rib name [no evaluate]
 
rib name [rtable number]
Create an additional RIB named name. It is possible to disable the decision process per RIB with the no evaluate flag. If a rtable is specified, routes will be exported to the given kernel routing table. Currently the routing table must belong to the routing domain bgpd(8) was started in. Nexthop verification happens in the table bgpd(8) was started in - routes in the specified table will not be considered. Adj-RIB-In and Loc-RIB are created automatically and used as default.

route-age (ignore|evaluate)
If set to evaluate, the best path selection will not only be based on the path attributes but also on the age of the route, giving preference to the older, typically more stable, route. In this case the decision process is no longer deterministic. The default is ignore.

(yes|no)
If set to yes, the route selection process is turned off. The default is no.

address
Set the router ID to the given IP address, which must be local to the machine. 
router-id 10.0.0.1

If not given, the BGP ID is determined as the biggest IP address assigned to the local machine.

number
Work with the given kernel routing table instead of the default table, which is the one bgpd(8) was started in. For nexthop verification, bgpd(8) will always consult the default table. This is the same as using the following syntax: 
rde rib Loc-RIB rtable number

"path" [restricted]
Create a control socket at path. If restricted is specified a restricted control socket will be created. By default /var/run/bgpd.sock.<rdomain> is used where <rdomain> is the routing domain in which bgpd has been started. By default, no restricted socket is created.

(yes|no)
If set to yes, AS paths to EBGP neighbors are not prepended with the local AS. The default is no.

bgpd(8) supports sets for looking up collections in an efficent way. as-set, prefix-set, and origin-set are used to look up AS numbers, prefixes and prefixes/source-as pairs respectively. See also the FILTER section on how these sets are used in filters. One single roa-set can be defined which will be used to validate the origin of each prefix against. The set collections can span multiple lines and an optional comma is allowed between elements.

name { as-number ... }
An as-set holds a collection of AS numbers and can be used with the AS specific parameter in FILTER rules. Lookups against as-sets are more efficient than a large number of rules which differ only in the AS number.

name { address/len maxlen mlen source-as asn ... }
An origin-set holds a collection of prefix/source-as pairs and can be used in place where a rules filter for source-as and prefix at the same time. 
origin-set private { 10.0.0.0/8 maxlen 24 source-as 64511
          203.0.113.0/24 source-as 64496 }

name { address/len ... }
A prefix-set holds a collection of prefixes and can be used in place of the prefix parameter in FILTER rules and network statements. Lookups against prefix-sets are more efficient than a large number of rules which differ only in prefix.

A prefix can be followed by the prefixlen operators listed for the prefix parameter in the PARAMETERS section.

The first example creates a set of prefixes called “private”, to hold a number of RFC 1918 private network blocks. The second example shows the use of prefixlen operators.

prefix-set private { 10.0.0.0/8, 172.16.0.0/12,
			192.168.0.0/16, fc00::/7 }
prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26,
			2001:db8::/32 or-longer }

{ address/len maxlen mlen source-as asn ... }
An roa-set holds a collection of Validated ROA Payloads (VRP). Each received prefix is checked against the roa-set and the Origin Validation State (OVS) is set. 
roa-set { 192.0.2.0/24 maxlen 24 source-as 64511
          203.0.113.0/24 source-as 64496 }

To announce a specific network as belonging to our AS, a network statement is used. By default bgpd(8) will not announce anything. Filter rules need to be in place to allow announcement of the right prefixes to each neighbor.

address/prefix [set ...]
Announce the specified prefix as belonging to our AS.

(inet|inet6) connected [set ...]
Announce routes to directly attached networks.

network prefix-set name [set ...]
All networks in the prefix-set name will be announced.

(inet|inet6) priority number [set ...]
Announce routes with the specified priority.

(inet|inet6) rtlabel label [set ...]
Announce routes with the specified label.

(inet|inet6) static [set ...]
Announce all static routes.

It is possible to set default AS path attributes per network statement:

network 192.168.7.0/24 set localpref 220

See also the ATTRIBUTE SET section.

bgpd(8) supports the setup and distribution of Virtual Private Networks. It is possible to import and export prefixes between routing domains. Each routing domain is specified by an rdomain section, which allows properties to be set specifically for that rdomain:

rdomain 1 {
	descr "a rdomain"
	rd 65002:1
	import-target rt 65002:42
	export-target rt 65002:42
	network 192.168.1/24
	depend on mpe0
}

There are several routing domain properties:

interface
Routes added to the rdomain will use this interface as the outgoing interface. Normally this will be an MPLS Provider Edge, mpe(4), interface that is part of the rdomain. Local networks will be announced with the MPLS label specified on the interface.

description
Add a description. The description is used when logging but has no further meaning to bgpd(8).

subtype as-number:local
 
subtype IP:local
Specify an extended community which will be attached to announced networks. More than one export-target can be specified. See also the ATTRIBUTE SET section for further information about the encoding. The subtype should be set to rt for best compatibility with other implementations.

(yes|no)
If set to no, do not update the Forwarding Information Base, a.k.a. the kernel routing table. The default is yes.

subtype as-number:local
 
subtype IP:local
Only prefixes matching one of the specified import-targets will be imported into the rdomain. More than one import-target can be specified. See also the ATTRIBUTE SET section for further information about the encoding of extended communities. The subtype should be set to rt for best compatibility with other implementations.

arguments ...
Define which networks should be exported into this VPN. See also the nexthop section in GLOBAL CONFIGURATION for further information about the arguments.

as-number:local
 
IP:local
The sole purpose of the Route Distinguisher rd is to ensure that possible common prefixes are distinct between VPNs. The rd is neither used to identify the origin of the prefix nor to control into which VPNs the prefix is distributed to. The as-number or IP of a rd should be set to a number or IP that was assigned by an appropriate authority. Whereas local can be chosen by the local operator.

bgpd(8) establishes TCP connections to other BGP speakers called neighbors. Each neighbor is specified by a neighbor section, which allows properties to be set specifically for that neighbor:

neighbor 10.0.0.2 {
	remote-as 65002
	descr "a neighbor"
}

Multiple neighbors can be grouped together by a group section. Each neighbor section within the group section inherits all properties from its group:

group "peering AS65002" {
	remote-as 65002
	neighbor 10.0.0.2 {
		descr "AS65002-p1"
	}
	neighbor 10.0.0.3 {
		descr "AS65002-p2"
	}
}

Instead of the neighbor's IP address, an address/netmask pair may be given:

neighbor 10.0.0.0/8

In this case, the neighbor specification becomes a , and if a neighbor connects from an IP address within the given network, the template is , inheriting everything from the template but the remote address, which is replaced by the connecting neighbor's address. With a template specification it is valid to omit remote-as; bgpd(8) will then accept any AS the neighbor presents in the OPEN message.

There are several neighbor properties:

(all | default-route | none)
announce all is a no-op. announce none and announce default-route are aliases for export none and export default-route, respectively. These three directives are provided for backward compatibility, but will eventually be removed.

(IPv4|IPv6) (none|unicast|vpn)
For the given address family, control which subsequent address families are announced during the capabilities negotiation. Only routes for that address family and subsequent address families will be announced and processed.

At the moment, only , which disables the announcement of that address family, , and , which allows the distribution of BGP MPLS VPNs, are supported.

The default is unicast for the same address family of the session.

announce as-4byte (yes|no)
If set to no, the 4-byte AS capability is not announced and so native 4-byte AS support is disabled. The default is yes.

announce capabilities (yes|no)
If set to no, capability negotiation is disabled during the establishment of the session. This can be helpful to connect to old or broken BGP implementations. The default is yes.

announce refresh (yes|no)
If set to no, the route refresh capability is not announced. The default is yes.

announce restart (yes|no)
If set to no, the graceful restart capability is not announced. Currently only the End-of-RIB marker is supported and announced by the restart capability. The default is yes.

group
Increase the carp(4) demotion counter on the given interface group, usually carp, when the session is not in state ESTABLISHED. The demotion counter will be increased as soon as bgpd(8) starts and decreased 60 seconds after the session went to state ESTABLISHED. For neighbors added at runtime, the demotion counter is only increased after the session has been ESTABLISHED at least once before dropping.

For more information on interface groups, see the group keyword in ifconfig(8).

interface
The neighbor session will be kept in state IDLE as long as interface reports no link. For carp(4) interfaces, no link means that the interface is currently . This is primarily intended to be used with carp(4) to reduce failover times.

The state of the network interfaces on the system can be viewed using the show interfaces command to bgpctl(8).

description
Add a description. The description is used when logging neighbor events, in status reports, for specifying neighbors, etc., but has no further meaning to bgpd(8).

[reason]
Do not start the session when bgpd comes up but stay in IDLE. If the session is cleared at runtime, after a down reason was configured at runtime, the reason is sent as Administrative Shutdown Communication. The reason cannot exceed 128 octets.

(all|updates) (in|out) file [timeout]
Do a peer specific MRT dump. Peer specific dumps are limited to all and updates. See also the dump section in GLOBAL CONFIGURATION.

(yes|no)
If set to no, AS paths will not be checked for AS loop detection. This feature is similar to allowas-in in some other BGP implementations. Since there is no AS path loop check, this feature is dangerous, and requires you to add filters to prevent receiving your own prefixes. The default value is yes.

(yes|no)
If set to yes, AS paths whose is not equal to the of the neighbor are rejected and a is sent back. The default value for IBGP peers is no otherwise the default is yes.

(none|default-route)
If set to none, no UPDATE messages will be sent to the neighbor. If set to default-route, only the default route will be announced to the neighbor.

seconds
Set the holdtime in seconds. Inherited from the global configuration if not given.

holdtime min seconds
Set the minimal acceptable holdtime. Inherited from the global configuration if not given.

(ah|esp) (in|out) spi spi-number authspec [encspec]
Enable IPsec with static keying. There must be at least two ipsec statements per peer with manual keying, one per direction. authspec specifies the authentication algorithm and key. It can be 
sha1 <key>
md5 <key>

encspec specifies the encryption algorithm and key. ah does not support encryption. With esp, encryption is optional. encspec can be

3des <key>
3des-cbc <key>
aes <key>
aes-128-cbc <key>

Keys must be given in hexadecimal format.

(ah|esp) ike
Enable IPsec with dynamic keying. In this mode, bgpd(8) sets up the flows, and a key management daemon such as isakmpd(8) is responsible for managing the session keys. With isakmpd(8), it is sufficient to copy the peer's public key, found in /etc/isakmpd/local.pub, to the local machine. It must be stored in a file named after the peer's IP address and must be stored in /etc/isakmpd/pubkeys/ipv4/. The local public key must be copied to the peer in the same way. As bgpd(8) manages the flows on its own, it is sufficient to restrict isakmpd(8) to only take care of keying by specifying the flags -Ka. This can be done in rc.conf.local(8). After starting the isakmpd(8) and bgpd(8) daemons on both sides, the session should be established.

address
When bgpd(8) initiates the TCP connection to the neighbor system, it normally does not bind to a specific IP address. If a local-address is given, bgpd(8) binds to this address first.

as-number [as-number]
Set the AS number sent to the remote system. Used as described above under GLOBAL CONFIGURATION option AS.

Since there is no AS path loop check, this option is dangerous, and requires you to add filters to prevent receiving your ASNs. Intended to be used temporarily, for migrations to another AS.

Disable neighbor specific logging.

Log received and sent updates for this neighbor.

number [restart number]
Terminate the session when the maximum number of prefixes received is exceeded (no such limit is imposed by default). If restart is specified, the session will be restarted after number minutes.

hops
Neighbors not in the same AS as the local bgpd(8) normally have to be directly connected to the local machine. If this is not the case, the multihop statement defines the maximum hops the neighbor may be away.

Do not attempt to actively open a TCP connection to the neighbor system.

as-number
Set the AS number of the remote system.

name
Bind the neighbor to the specified RIB.

[address]
Act as an RFC 4456 route-reflector for this neighbor. An optional cluster ID can be specified; otherwise the BGP ID will be used.

attribute ...
Set the AS path attributes to some default per neighbor or group block: 
set localpref 300

See also the ATTRIBUTE SET section. Set parameters are applied to the received prefixes; the only exceptions are prepend-self, nexthop no-modify and nexthop self. These sets are rewritten into filter rules and can be viewed with “bgpd -nv”.

secret
 
secret
Enable TCP MD5 signatures per RFC 2385. The shared secret can either be given as a password or hexadecimal key. 
tcp md5sig password mekmitasdigoat
tcp md5sig key deadbeef

(yes|no)
If set to yes, AS paths to EBGP neighbors are not prepended with the local AS. The default is inherited from the global transparent-as setting.

(yes|no)
Enable or disable ttl-security. When enabled, outgoing packets are sent using a TTL of 255 and a check is made against an incoming packet's TTL. For directly connected peers, incoming packets are required to have a TTL of 255, ensuring they have not been routed. For multihop peers, incoming packets are required to have a TTL of 256 minus multihop distance, ensuring they have not passed through more than the expected number of hops. The default is no.

bgpd(8) has the ability to allow and deny UPDATES based on prefix or AS path attributes. In addition, UPDATES may also be modified by filter rules.

For each UPDATE processed by the filter, the filter rules are evaluated in sequential order, from first to last. The last matching allow or deny rule decides what action is taken. The default action is to deny.

The following actions can be used in the filter:

The UPDATE is passed.
The UPDATE is blocked.
Apply the filter attribute set without influencing the filter decision.

The rule parameters specify the UPDATES to which a rule applies. An UPDATE always comes from, or goes to, one neighbor. Most parameters are optional, but each can appear at most once per rule. If a parameter is specified, the rule only applies to packets with matching attributes.

as-type [operator] as-number
 
as-type as-set name
This rule applies only to UPDATES where the AS path matches. The part of the AS path specified by the as-type is matched against the as-number or the as-set name:

(any part)
(leftmost AS number)
(rightmost AS number)
(all but the rightmost AS number)

as-number is an AS number as explained above under GLOBAL CONFIGURATION. It may be set to neighbor-as, which is expanded to the current neighbor remote AS number, or local-as, which is expanded to the locally assigned AS number.

When specifying an as-set name the AS path will instead be matched against all the AS numbers in the set.

The operator can be unspecified (this case is identical to the equality operator), or one of the numerical operators

=	(equal)
!=	(unequal)
-	(range including boundaries)
><	(except range)

>< and - are binary operators (they take two arguments); with these, as-number cannot be set to neighbor-as.

Multiple as-number entries for a given type or as-type as-number entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any AS { 1, 2, 3 }
deny from any { AS 1, source-as 2, transit-as 3 }
deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 }

as-number:local
 
name
This rule applies only to UPDATES where the community path attribute is present and matches. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and 65535. Both as-number and local may be set to ‘*’ to do wildcard matching. Alternatively, well-known communities may be given by name instead and include BLACKHOLE, GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NO_PEER. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number, or local-as, which is expanded to the locally assigned AS number.

as-number:local:local
This rule applies only to UPDATES where the Large community path attribute is present and matches. Communities are specified as as-number:local:local, where as-number is an AS number and local is a locally significant number between zero and 4294967295. Both as-number and local may be set to ‘*’ to do wildcard matching. Both as-number and local may be set to neighbor-as, which is expanded to the current neighbor remote AS number, local-as, which is expanded to the locally assigned AS number.

subtype as-number:local
 
subtype IP:local
 
subtype numvalue
 
ovs (valid | not-found | invalid)
This rule applies only to UPDATES where the path attribute is present and matches. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. See also the ATTRIBUTE SET section for further information about the encoding.

(from|to) peer
This rule applies only to UPDATES coming from, or going to, this particular neighbor. This parameter must be specified. peer is one of the following:

Any neighbor will be matched.
All neighbors will be matched.
All neighbors will be matched.
address
Neighbors with this address will be matched.
descr
Neighbors in this group will be matched.
as-number
Neighbors with this AS will be matched.

Multiple peer entries may also be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from { 128.251.16.1, 251.128.16.2, group hojo }

(inet|inet6)
Match only routes in the IPv4 or IPv6 address families, respectively. inet is an alias for "prefix 0.0.0.0/0 prefixlen >= 0"; inet6 is an alias for "prefix ::/0 prefixlen >= 0".

len
This rule applies only to UPDATES where the AS path has more than len elements.

len
This rule applies only to UPDATES where a single AS number is repeated more than len times.

address
This rule applies only to UPDATES where the nexthop is equal to address. The address can be set to in which case the nexthop is compared against the address of the neighbor. Nexthop filtering is not supported on locally announced networks and one must take into consideration previous rules overwriting nexthops.

name
This rule applies only to UPDATES that match the given origin-set name.

(valid | not-found | invalid)
This rule applies only to UPDATES where the Origin Validation State (OVS) matches.

address/len
 
address/len prefixlen range
 
address/len or-longer
 
address/len maxlen mlen
This rule applies only to UPDATES for the specified prefix.

Multiple entries may be specified, separated by commas or whitespace, if enclosed in curly brackets:

deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer }

Multiple lists can also be specified, which is useful for macro expansion:

good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }"
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"

deny from any prefix { $good $bad $ugly }

Prefix length ranges are specified by using these operators:

=	(equal)
!=	(unequal)
<	(less than)
<=	(less than or equal)
>	(greater than)
>=	(greater than or equal)
-	(range including boundaries)
><	(except range)

>< and - are binary operators (they take two arguments). For instance, to match all prefix lengths >= 8 and <= 12, and hence the CIDR netmasks 8, 9, 10, 11 and 12:

prefixlen 8-12

Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks 0–7 and 13–32:

prefixlen 8><12

This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer than 16:

prefix 10.0.0.0/8 prefixlen > 16

or-longer is a shorthand for:

prefix address/len prefixlen >= len

maxlen mlen is a shorthand for:

prefix address/len prefixlen <= mlen

name [or-longer]
This rule applies only to UPDATES that match the given prefix-set name. With or-longer, the UPDATES will match any prefix in the prefix-set where 
address/len prefixlen >= len

If an UPDATE matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

name
Apply rule only to the specified RIB. This only applies for received updates, so not for rules using the to peer parameter.

attribute ...
All matching rules can set the AS path attributes to some default. The set of every matching rule is applied, not only the last matching one. See also the following section.

AS path attributes can be modified with set.

set can be used on network statements, in neighbor or group blocks, and on filter rules. Attribute sets can be expressed as lists.

The following attributes can be modified:

[delete] as-number:local
 
[delete] name
Set or delete the AS path attribute. Communities are specified as as-number:local, where as-number is an AS number and local is a locally significant number between zero and 65535. Alternately, well-known communities may be specified by name: GRACEFUL_SHUTDOWN, NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, or NO_PEER. For delete, both as-number and local may be set to ‘*’ to do wildcard matching.

[delete] as-number:local:local
 
[delete] name
Set or delete the path attribute. Communities are specified as as-number:local:local, where as-number is an AS number and local is a locally significant number between zero and 4294967295. For delete, both as-number and local may be set to ‘*’ to do wildcard matching.

[delete] subtype as-number:local
 
[delete] subtype IP:local
 
[delete] subtype numvalue
 
[delete] ovs (valid | not-found | invalid)
Set or delete the AS path attribute. Extended Communities are specified by a subtype and normally two values, a globally unique part (e.g. the AS number) and a local part. The type is selected depending on the encoding of the global part. Two-octet AS Specific Extended Communities and Four-octet AS Specific Extended Communities are encoded as as-number:local. Four-octet encoding is used if the as-number is bigger than 65535 or if the AS_DOT encoding is used. IPv4 Address Specific Extended Communities are encoded as IP:local. Opaque Extended Communities are encoded with a single numeric value. The ovs subtype can only be set to valid, not-found, or invalid. Currently the following subtypes are supported: 
bdc      BGP Data Collection
defgw	 Default Gateway
esi-lab  ESI Label
esi-rt   ES-Import Route Target
l2vid    L2VPN Identifier
mac-mob  MAC Mobility
odi      OSPF Domain Identifier
ort      OSPF Route Type
ori      OSPF Router ID
ovs      BGP Origin Validation State
rt       Route Target
soo      Route Origin / Source of Origin
srcas    Source AS
vrfri    VRF Route Import

Not all type and subtype value pairs are allowed by IANA and the parser will ensure that no invalid combination is created.

number
Set the LOCAL_PREF AS path attribute. If number starts with a plus or minus sign, LOCAL_PREF will be adjusted by adding or subtracting number; otherwise it will be set to number. The default is 100.

number
 
number
Set the MULTI_EXIT_DISC AS path attribute. If number starts with a plus or minus sign, MULTI_EXIT_DISC will be adjusted by adding or subtracting number; otherwise it will be set to number.

(igp|egp|incomplete)
Set the AS path attribute to mark the source of this route as being injected from an igp protocol, an egp protocol or being an aggregated route.

(address|blackhole|reject|self|no-modify)
Set the AS path attribute to a different nexthop address or use blackhole or reject routes. If set to , the nexthop attribute is not modified. Unless set to self, the nexthop is left unmodified for IBGP sessions. self forces the nexthop to be set to the local interface address. 
set nexthop 192.168.0.1
set nexthop blackhole
set nexthop reject
set nexthop no-modify
set nexthop self

table
Add the prefix in the update to the specified pf(4) table, regardless of whether or not the path was selected for routing. This option may be useful in building realtime blacklists.

number
Prepend the neighbor's AS number times to the AS path.

number
Prepend the local AS number times to the AS path.

label
Add the prefix to the kernel routing table with the specified label.

number
The weight is used to tip prefixes with equally long AS paths in one or the other direction. A prefix is weighed at a very late stage in the decision process. If number starts with a plus or minus sign, the weight will be adjusted by adding or subtracting number; otherwise it will be set to number. is a local non-transitive attribute and a bgpd-specific extension. For prefixes with equally long paths, the prefix with the larger weight is selected.

/etc/bgpd.conf
bgpd(8) configuration file

strftime(3), ipsec(4), pf(4), tcp(4), bgpctl(8), bgpd(8), ipsecctl(8), isakmpd(8), rc.conf.local(8)

The bgpd.conf file format first appeared in OpenBSD 3.5.

October 6, 2018 OpenBSD-6.4