1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
|
# Detail of Policy configuration
This page shows how to write your own policies.
As [Policy configuration](https://github.com/osrg/gobgp/blob/master/docs/sources/policy.md) shows, you can put import or export policies to control the route advertisement. Basically a policy has condition part and an action part, and a condition part has prefix match and neighbor match. An action part has the rule to accept or reject(if it's import, otherwise discard) routes.
The policy configuration on GoBGP consists of DefinedSets and PolicyDefinitionList in its configuration file.
- DefinedSets
A single DefinedSets entry has prefix match thas is named PrefixSetList and neighbor match part that is named NeighborSetList and combines 2 parts with the name.
It is possible to refer the combination using its name from policy.
- PolicyDefinitionList
PolicyDefinitionList is a list of policy.
A single element of PolicyDefinitionList has statements that combine a condition with an action and we can say it's policy.
## Definition Steps
These are steps to define policy;
1. define DefinedSets
- define PrefixSetList
- define NeighborSetList
2. define PolicyDefinitionList
3. attach policies to a neighbor
### 1. Defining DefinedSets
DefineSets has prefix information and neighbor information in PrefixSetList and NeighborSetList section, and GoBGP uses these information to evaluate routes.
Defining DefinedSets is needed at first.
PrefixSetList and NeighborSetList section are prefix match part and neighbor match part.
- DefinedSets example
```
[[DefinedSets.PrefixSetList]]
PrefixSetName = "ps1"
# prefix match part
[[DefinedSets.PrefixSetList.PrefixList]]
Address = "10.33.0.0"
Masklength = 16
MasklengthRange = 21...24
# neighbor match part
[[DefinedSets.NeighborSetList]]
NeighborSetName = "ns1"
[[DefinedSets.NeighborSetList.NeighborInfoList]]
Address = "10.0.255.1"
```
---
#### PrefixSetList
PrefixSetList has PrefixList as its element. PrefixList has prefix information to match destination's address and we can specify route's NLRI inside.
PrefixList has 3 elements.
| Parent | Element |Description | Example | Optional |
| ------------------------------------- |-----------------|-------------------|------------|------------|
| DefinedSets.PrefixSetList | PrefixSetName | name of PrefixSet | "10.33.0.0"| |
| DefinedSets.PrefixSetList.PrefixList | Address | prefix address | "10.33.0.0"| |
| | Masklength | prefix length | 16 | |
| | MasklengthRange | range of length | "25..28" | Yes |
##### Examples
- example 1
- Match routes whose high order 2 octets of NLRI is 10.33 and its prefix length is between from 21 to 24
```
# example 1
[[DefinedSets.PrefixSetList]]
PrefixSetName = "ps1"
[[DefinedSets.PrefixSetList.PrefixList]]
Address = "10.33.0.0"
Masklength = 16
MasklengthRange = "21...24"
```
- If you define a PrefixList that doesn't have MasklengthRange, it matches routes that have just 10.33.0.0/16 as NLRI.
- example 2
- If you want to evaluate multiple routes with a single PrefixSetList, you can do this by adding an another PrefixList like this;
```
# example 2
[[DefinedSets.PrefixSetList]]
PrefixSetName = "ps1"
[[DefinedSets.PrefixSetList.PrefixList]]
Address = "10.33.0.0"
Masklength = 16
MasklengthRange = "21...24"
[[DefinedSets.PrefixSetList.PrefixList]]
Address = "10.50.0.0"
Masklength = 16
MasklengthRange = "21...24"
```
- This prefix match checks if a route has 10.33.0.0/21 to 24 **or** 10.50.0.0/21 to 24.
- example 3
- PrefixSetName under PrefixSetList is reference to a single PrefixSet.
- If you want to add different PrefixSet more, you can add other blocks that form the same structure with example 1.
```
# example 3
# PrefixSetList
[[DefinedSets.PrefixSetList]]
PrefixSetName = "ps1"
[[DefinedSets.PrefixSetList.PrefixList]]
Address = "10.33.0.0"
Masklength = 16
MasklengthRange = "21...24"
# another PrefixSetList
[[DefinedSets.PrefixSetList]]
PrefixSetName = "ps2"
[[DefinedSets.PrefixSetList.PrefixList]]
Address = "10.50.0.0"
Masklength = 16
MasklengthRange = "21...24"
```
---
#### NeighborSetList
NeighborSetList has NeighborInfoList as its element and NeighborInfoList has neighbor information to match the sender of the routes.
It is necessary to specify a neighbor address in NeighborInfoList.
NeighborInfoList has 1 elements.
| Parent | Element |Description | Example | Optional |
| --------------------------------------------- |----------|--------------------|-------------|------------|
| DefinedSets.NeighborSetList | Name | name of NeighborSet| "ns1 "| |
| DefinedSets.NeighborSetList.NeighborInfoList | Address | neighbor's address | "10.0.255.1"| |
##### Examples
- example 1
- Match routes which come from the neighbor 10.0.255.1
```
# example 1
[[DefinedSets.NeighborSetList]]
NeighborSetName = "ns1"
[[DefinedSets.NeighborSetList.NeighborInfoList]]
Address = "10.0.255.1"
```
- example 2
- Match routes which come from the neighbor 10.0.255.1
Neighbor Match needs be defined within DefinedSets as follows.
```
# example 2
[[DefinedSets.NeighborSetList]]
NeighborSetName = "ns2"
[[DefinedSets.NeighborSetList.NeighborInfoList]]
Address = "10.0.255.1"
```
- example 3
- As with PrefixSet, NeighborSet can have multiple NeighborInfoList like this;
```
# example 3
[[DefinedSets.NeighborSetList]]
NeighborSetName = "ns3"
[[DefinedSets.NeighborSetList.NeighborInfoList]]
Address = "10.0.255.1"
[[DefinedSets.NeighborSetList.NeighborInfoList]]
Address = "10.0.255.2"
```
- - This example checks if a route comes from neighbor 10.0.255.1 **or** 10.0.255.2.
---
### 2. Defining PolicyDefinitionList
PolicyDefinitionList consists of condition and action of the policy. The condition part evaluates routes from neighbors and applies action if the routes match a condition. For the definition of PolicyDefinitionList, you can use DefinedSets above to specify conditions.
PolicyDefinitionList has PolicyDefinition as its element and the PolicyDefinition is just a policy.
You can write condition and action under StatementList.
- an example of PolicyDefinitionList
```
[[PolicyDefinitionList]]
Name = "example-policy"
[[PolicyDefinitionList.StatementList]]
Name = "statement1"
[PolicyDefinitionList.StatementList.Conditions]
MatchPrefixSet = "ps2"
MatchNeighborSet = "ns1"
MatchSetOptions = 1
[PolicyDefinitionList.StatementList.Actions]
RejectRoute = true
```
The elements of PolicyDefinitionList are as follows;
| Parent | Element |Description |Example|
| ---------------------------------------------- |------------------|-----------------------------------------------------------------------------------------------|------|
| PolicyDefinitionList | name | policy's name | "pd1"|
| PolicyDefinitionList.StatementList | name | statements's name | "pd1"|
| PolicyDefinitionList.StatementList.Conditions | MatchPrefixSet | prefix match name used in its policy definition | "ps2"|
| | MatchNeighborSet | neighbor match name used in its policy definition |"ns1" |
| | MatchSetOptions | option for the check;<br> 0 means **ANY**,<br> 1 means **ALL**,<br> 2 means **INVERT** | 1 |
|PolicyDefinitionList.StatementList.Actions | RejectRoute | action for the route which matches PrefixSet and NeighborSet. if true, this route is rejected | true |
##### Examples
- example 1
- This PolicyDefinition has PrefixSet *ps1* and NeighborSet *ns1* as its condition and routes matche the condition is rejected.
```
# example 1
[[PolicyDefinitionList]]
Name = "policy1"
[[PolicyDefinitionList.StatementList]]
Name = "statement1"
[PolicyDefinitionList.StatementList.Conditions]
MatchPrefixSet = "ps2"
MatchNeighborSet = "ns1"
MatchSetOptions = 1
[PolicyDefinitionList.StatementList.Actions]
RejectRoute = true
```
- example 2
- PolicyDefinition has two statements
```
# example 2
[[PolicyDefinitionList]]
Name = "pd1"
# first statement - (1)
[[PolicyDefinitionList.StatementList]]
Name = "statement1"
[PolicyDefinitionList.StatementList.Conditions]
MatchPrefixSet = "ps1"
MatchNeighborSet = "ns1"
MatchSetOptions = 1
[PolicyDefinitionList.StatementList.Actions]
RejectRoute = true
# second statement - (2)
[[PolicyDefinitionList.StatementList]]
Name = "statement2"
[PolicyDefinitionList.StatementList.Conditions]
MatchPrefixSet = "ps2"
MatchNeighborSet = "ns2"
MatchSetOptions = 1
[PolicyDefinitionList.StatementList.Actions]
RejectRoute = true
```
- if a route matches the condition inside the first statement(1), GoBGP applies its action and quits the policy evaluation.
- example 3
- If you want to add other policies, just add PolicyDefinitionList block following the first one like this;
```
# example 3
# first policy
[[PolicyDefinitionList]]
Name = "policy1"
[[PolicyDefinitionList.StatementList]]
Name = "statement1"
[PolicyDefinitionList.StatementList.Conditions]
MatchPrefixSet = "ps1"
MatchNeighborSet = "ns1"
MatchSetOptions = 1
[PolicyDefinitionList.StatementList.Actions]
RejectRoute = true
# second policy
[[PolicyDefinitionList]]
Name = "policy2"
[[PolicyDefinitionList.StatementList]]
Name = "statement2"
[PolicyDefinitionList.StatementList.Conditions]
MatchPrefixSet = "ps2"
MatchNeighborSet = "ns2"
MatchSetOptions = 1
[PolicyDefinitionList.StatementList.Actions]
RejectRoute = true
```
---
### 3. Attaching policy
You can attach policies to a neighbor after defining policy.
To attach policies to a neighbor, you need to add policy's name to NeighborList.ApplyPolicy in the neighbor's setting.
You can attach policies to the import policy or the export policy inside the neighbor configuration.
This example attatches *policy1* to import policy and *policy2* to export policy.
```
[[NeighborList]]
NeighborAddress = "10.0.255.2"
PeerAs = 65002
[NeighborList.RouteServer]
RouteServerClient = true
[NeighborList.ApplyPolicy]
ImportPolicies = ["policy1"]
ExportPolicies = ["policy2"]
DefaultImportPolicy = 0
DefaultExportPolicy = 0
```
NeighborList has a section to specify policies and the section's name is ApplyPolicy.
The ApplyPolicy has 4 elements.
| Parent | Element | Description | Example |
|---------------------------|---------------------|-------------------------------------------------------------------------------|------------|
| NeighborList.ApplyPolicy | ImportPolicies | PolicyDefinitionList.name for import policy | "policy1" |
| | ExportPolicies | PolicyDefinitionList.name for export policy | "policy1" |
| | DefaultImportPolicy | action if the route isn't applied any policy;<br> 0 means import,<br> 1 means reject | 0 |
| | DefaultExportPolicy | action if the route isn't applied any policy;<br> 0 means export,<br> 1 means discard | 0 |
|
