{"id":13819270,"url":"https://github.com/bgp/bgpq4","last_synced_at":"2025-10-29T04:38:41.575Z","repository":{"id":36512067,"uuid":"234789965","full_name":"bgp/bgpq4","owner":"bgp","description":"BGP Filter generator","archived":false,"fork":false,"pushed_at":"2024-10-16T16:01:36.000Z","size":417,"stargazers_count":300,"open_issues_count":17,"forks_count":44,"subscribers_count":17,"default_branch":"main","last_synced_at":"2024-11-19T02:47:23.947Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://github.com/bgp/bgpq4","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"snar/bgpq3","license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bgp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-18T19:58:12.000Z","updated_at":"2024-11-18T03:44:10.000Z","dependencies_parsed_at":"2024-01-13T15:44:17.356Z","dependency_job_id":"a0fcfc05-efb9-4a1e-be2b-e920e05c5b47","html_url":"https://github.com/bgp/bgpq4","commit_stats":{"total_commits":376,"total_committers":31,"mean_commits":"12.129032258064516","dds":0.7101063829787234,"last_synced_commit":"8883f13b745f40b5685b48d2fae60592f96c8430"},"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fbgpq4","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fbgpq4/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fbgpq4/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fbgpq4/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bgp","download_url":"https://codeload.github.com/bgp/bgpq4/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225405575,"owners_count":17469370,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:00:43.838Z","updated_at":"2025-10-21T04:03:48.644Z","avatar_url":"https://github.com/bgp.png","language":"C","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"[![CI](https://github.com/bgp/bgpq4/actions/workflows/unit-tests.yml/badge.svg)](https://github.com/bgp/bgpq4/actions/workflows/unit-tests.yml)\n\n\u003ca href=\"https://repology.org/project/bgpq4/versions\"\u003e\n    \u003cimg src=\"https://repology.org/badge/vertical-allrepos/bgpq4.svg\" alt=\"Packaging status\" align=\"right\"\u003e\n\u003c/a\u003e\n\n# NAME\n\n**bgpq4** - bgp filtering automation tool\n\n# SYNOPSIS\n\n**bgpq4**\n\\[**-h**\u0026nbsp;*host\\[:port]*]\n\\[**-S**\u0026nbsp;*sources*]\n\\[**-EPz**]\n\\[**-f**\u0026nbsp;*asn*\u0026nbsp;|\n**-F**\u0026nbsp;*fmt*\u0026nbsp;|\n**-G**\u0026nbsp;*asn*\n**-H**\u0026nbsp;*asn*\n**-t**]\n\\[**-46ABbDdJjNnpsXU**]\n\\[**-a**\u0026nbsp;*asn*]\n\\[**-r**\u0026nbsp;*len*]\n\\[**-R**\u0026nbsp;*len*]\n\\[**-m**\u0026nbsp;*max*]\n\\[**-W**\u0026nbsp;*len*]\n*OBJECTS*\n\\[...]\n\\[EXCEPT\u0026nbsp;OBJECTS]\n\n# DESCRIPTION\n\nThe\n**bgpq4**\nutility is used to generate configurations (prefix-lists, extended\naccess-lists, policy-statement terms and as-path lists) based on IRR data.\n\nIt's options are as follows:\n\n**-4**\n\n\u003e generate IPv4 prefix/access-lists (default).\n\n**-6**\n\n\u003e generate IPv6 prefix/access-lists (IPv4 by default).\n\n**-A**\n\n\u003e try to aggregate prefix-lists as much as possible (not all output\n\u003e formats supported).\n\n**-a** *asn*\n\n\u003e specify what asn shall be denied in case of empty prefix-list (OpenBGPD)\n\n**-B**\n\n\u003e generate output in OpenBGPD format (default: Cisco)\n\n**-b**\n\n\u003e generate output in BIRD format (default: Cisco).\n\n**-d**\n\n\u003e enable some debugging output.\n\n**-e**\n\n\u003e generate output in Arista EOS format (default: Cisco).\n\n**-E**\n\n\u003e generate extended access-list (Cisco), policy-statement term using\n\u003e route-filters (Juniper), \\[ip|ipv6]-prefix-list (Nokia) or prefix-sets\n\u003e (OpenBGPd).\n\n**-f** *number*\n\n\u003e generate input as-path access-list.\n\n**-F** *fmt*\n\n\u003e generate output in user-defined format.\n\n**-G** *number*\n\n\u003e generate output as-path access-list.\n\n**-H** *number*\n\n\u003e generate output as-list for JunOS 21.3R1+ `as-path-origin` filter (JunOS only)\n\n**-h** *host\\[:port]*\n\n\u003e host running IRRD database (default: rr.ntt.net).\n\n**-J**\n\n\u003e generate config for Juniper (default: Cisco).\n\n**-j**\n\n\u003e generate output in JSON format (default: Cisco).\n\n**-K**\n\n\u003e generate config for Mikrotik ROSv6 (default: Cisco).\n\n**-K7**\n\n\u003e generate config for Mikrotik ROSv7 (default: Cisco).\n\n**-l** *name*\n\n\u003e name of generated entry.\n\n**-L** *limit*\n\n\u003e limit recursion depth when expanding as-sets.\n\n**-m** *len*\n\n\u003e maximum prefix-length of accepted prefixes (default: 32 for IPv4 and\n\u003e 128 for IPv6).\n\n**-M** *match*\n\n\u003e extra match conditions for Juniper route-filters.\n\n**-n**\n\n\u003e generate config for Nokia SR OS MD-CLI (Cisco IOS by default)\n\n**-n2**\n\n\u003e generate config for Nokia SR Linux (Cisco IOS by default)\n\n**-N**\n\n\u003e generate config for Nokia SR OS classic CLI (Cisco IOS by default).\n\n**-p**\n\n\u003e emit prefixes where the origin ASN is in the private ASN range\n\u003e (disabled by default).\n\n**-r** *len*\n\n\u003e allow more specific routes starting with specified masklen too.\n\n**-R** *len*\n\n\u003e allow more specific routes up to specified masklen too.\n\n**-s**\n\n\u003e generate sequence numbers in IOS-style prefix-lists.\n\n**-S** *sources*\n\n\u003e use specified sources only (recommended: RPKI,AFRINIC,ARIN,APNIC,LACNIC,RIPE).\n\n**-t**\n\n\u003e generate as-sets for OpenBGPd, BIRD and JSON formats.\n\n**-T**\n\n\u003e disable pipelining (not recommended).\n\n**-W** *len*\n\n\u003e generate as-path strings of no more than len items (use 0 for infinity).\n\n**-U**\n\n\u003e generate config for Huawei devices (Cisco IOS by default)\n\n**-u**\n\n\u003e generate output in Huawei XPL format.\n\n**-X**\n\n\u003e generate config for Cisco IOS XR devices (plain IOS by default).\n\n**-z**\n\n\u003e generate route-filter-lists (JunOS 16.2+).\n\n*OBJECTS*\n\n\u003e means networks (in prefix format), autonomous systems, as-sets and route-sets.\n\n*EXCEPT OBJECTS*\n\n\u003e those objects will be excluded from expansion.\n\n# EXAMPLES\n\nGenerating named juniper prefix-filter for AS20597:\n\n\t$ bgpq4 -Jl eltel AS20597\n\tpolicy-options {\n\treplace:\n\t prefix-list eltel {\n\t    81.9.0.0/20;\n\t    81.9.32.0/20;\n\t    81.9.96.0/20;\n\t    81.222.128.0/20;\n\t    81.222.192.0/18;\n\t    85.249.8.0/21;\n\t    85.249.224.0/19;\n\t    89.112.0.0/19;\n\t    89.112.4.0/22;\n\t    89.112.32.0/19;\n\t    89.112.64.0/19;\n\t    217.170.64.0/20;\n\t    217.170.80.0/20;\n\t }\n\t}\n\nFor Cisco we can use aggregation (-A) flag to make this prefix-filter\nmore compact:\n\n\t$ bgpq4 -Al eltel AS20597\n\tno ip prefix-list eltel\n\tip prefix-list eltel permit 81.9.0.0/20\n\tip prefix-list eltel permit 81.9.32.0/20\n\tip prefix-list eltel permit 81.9.96.0/20\n\tip prefix-list eltel permit 81.222.128.0/20\n\tip prefix-list eltel permit 81.222.192.0/18\n\tip prefix-list eltel permit 85.249.8.0/21\n\tip prefix-list eltel permit 85.249.224.0/19\n\tip prefix-list eltel permit 89.112.0.0/18 ge 19 le 19\n\tip prefix-list eltel permit 89.112.4.0/22\n\tip prefix-list eltel permit 89.112.64.0/19\n\tip prefix-list eltel permit 217.170.64.0/19 ge 20 le 20\n\nPrefixes 89.112.0.0/19 and 89.112.32.0/19 now aggregated\ninto single entry 89.112.0.0/18 ge 19 le 19.\n\nWell, for Juniper we can generate even more interesting policy-options,\nusing -M \u0026lt;extra match conditions\u0026gt;, -R \u0026lt;len\u0026gt; and hierarchical names:\n\n\t$ bgpq4 -AJEl eltel/specifics -r 29 -R 32 -M \"community blackhole\" AS20597\n\tpolicy-options {\n\t policy-statement eltel {\n\t  term specifics {\n\treplace:\n\t   from {\n\t    community blackhole;\n\t    route-filter 81.9.0.0/20 prefix-length-range /29-/32;\n\t    route-filter 81.9.32.0/20 prefix-length-range /29-/32;\n\t    route-filter 81.9.96.0/20 prefix-length-range /29-/32;\n\t    route-filter 81.222.128.0/20 prefix-length-range /29-/32;\n\t    route-filter 81.222.192.0/18 prefix-length-range /29-/32;\n\t    route-filter 85.249.8.0/21 prefix-length-range /29-/32;\n\t    route-filter 85.249.224.0/19 prefix-length-range /29-/32;\n\t    route-filter 89.112.0.0/17 prefix-length-range /29-/32;\n\t    route-filter 217.170.64.0/19 prefix-length-range /29-/32;\n\t   }\n\t  }\n\t }\n\t}\n\ngenerated policy-option term now allows all specifics with prefix-length\nbetween /29 and /32 for eltel networks if they match with special community\nblackhole (defined elsewhere in configuration).\n\nOf course, this version supports IPv6 (-6):\n\n\t$ bgpq4 -6l as-retn-6 AS-RETN6\n\tno ipv6 prefix-list as-retn-6\n\tipv6 prefix-list as-retn-6 permit 2001:7fb:fe00::/48\n\tipv6 prefix-list as-retn-6 permit 2001:7fb:fe01::/48\n\t[....]\n\nand assumes your device supports 32-bit ASNs\n\n\t$ bgpq4 -Jf 112 AS-SPACENET\n\tpolicy-options {\n\treplace:\n\t as-path-group NN {\n\t  as-path a0 \"^112(112)*$\";\n\t  as-path a1 \"^112(.)*(1898|5539|8495|8763|8878|12136|12931|15909)$\";\n\t  as-path a2 \"^112(.)*(21358|23456|23600|24151|25152|31529|34127|34906)$\";\n\t  as-path a3 \"^112(.)*(35052|41720|43628|44450|196611)$\";\n\t }\n\t}\n\nsee \\`AS196611\\` in the end of the list ? That's a 32-bit ASN.\n\n# USER-DEFINED FORMAT\n\nIf you want to generate configuration not for routers, but for some\nother programs/systems, you may use user-defined formatting, like in\nexample below:\n\n\t$ bgpq4 -F \"ipfw add pass all from %n/%l to any\\n\" as3254\n\tipfw add pass all from 62.244.0.0/18 to any\n\tipfw add pass all from 91.219.29.0/24 to any\n\tipfw add pass all from 91.219.30.0/24 to any\n\tipfw add pass all from 193.193.192.0/19 to any\n\nRecognized format sequences are:\n\n**%n**\n\n\u003e network\n\n**%l**\n\n\u003e mask length\n\n**%a**\n\n\u003e aggregate low mask length\n\n**%A**\n\n\u003e aggregate high mask length\n\n**%N**\n\n\u003e object name\n\n**%m**\n\n\u003e object mask\n\n**%i**\n\n\u003e inversed mask\n\n**\u0026#92;n**\n\n\u003e new line\n\n**\u0026#92;t**\n\n\u003e tabulation\n\nPlease note that no new lines inserted automatically after each sentence,\nyou have to add them into format string manually, elsewhere output will\nbe in one line (sometimes it makes sense):\n\n\t$ bgpq4 -6F \"%n/%l; \" as-eltel\n\t2001:1b00::/32; 2620:4f:8000::/48; 2a04:bac0::/29; 2a05:3a80::/48;\n\n# NOTES ON SOURCES\n\nBy default *bgpq4* trusts data from all databases mirrored into NTT's IRR service.\nUnfortunately, not all these databases are equal in how much can we trust their\ndata.\nRIR maintained databases (AFRINIC, ARIN, APNIC, LACNIC and RIPE)\nshall be trusted more than the others because they have the knowledge about\nwhich address space is allocated to each ASN, other databases lack this\nknowledge and can (and actually do) contain some stale data: nobody but RIRs\ncare to remove outdated route-objects when address space is revoked from one\nASN and allocated to another. In order to keep their filters both compact and\ncurrent, *bgpq4 users* are encouraged to use one of two method to limit\ndatabase sources to only ones they trust.\n\nOne option is to use the '-S' flag. This limits all queries to a specific data\nsource. For example, the following command tells IIRd to only use data from\nthe RIPE RIR DB to build the prefix list for the AS-SET:\n\n\t$./bgpq4 -S RIPE AS-VOSTRON\n\tno ip prefix-list NN\n\tip prefix-list NN permit 89.21.224.0/19\n\tip prefix-list NN permit 134.0.64.0/21\n\nBe aware though, than an AS-SET may contain members from other data sources.\nIn this case IRRd won't respond to the bgpq4 query will all the prefixes in the\nAS-SET tree. Make sure to use the '-S' flag with all the data sources required\nfor the AS-SET being expanded:\n\n\t$./bgpq4 -S RIPE,ARIN AS-VOSTRON\n\tno ip prefix-list NN\n\tip prefix-list NN permit 89.21.224.0/19\n\tip prefix-list NN permit 134.0.64.0/21\n\tip prefix-list NN permit 208.86.232.0/24\n\tip prefix-list NN permit 208.86.233.0/24\n\tip prefix-list NN permit 208.86.234.0/24\n\tip prefix-list NN permit 208.86.235.0/24\n\nThe other option is to specify a source for an AS-SET or Route Set using the\n\"::\" notation. When bgpq4 detects this, it will look for \"::\" in the specified\nAS-SET or RS on the CLI, and in all members of the AS-SET/RS, and for each\nmember with a data source specified in \"::\" format, it will set the IRRd data\nsource to the given value, query the AS-SET/RS, then reset the data sources back\n to the default list for the next object in the tree.\n\n\t$./bgpq4 RIPE::AS-VOSTRON\n\tno ip prefix-list NN\n\tip prefix-list NN permit 89.21.224.0/19\n\tip prefix-list NN permit 134.0.64.0/21\n\tip prefix-list NN permit 208.86.232.0/22\n\tip prefix-list NN permit 208.86.232.0/24\n\tip prefix-list NN permit 208.86.233.0/24\n\tip prefix-list NN permit 208.86.234.0/24\n\tip prefix-list NN permit 208.86.235.0/24\n\nIn comparison to the '-S' flag, this method return all the prefixes under the\nAS-SET, but the root of the tree \"AS-VOSTRON\" was queries from RIPE only. None\nof the member objects used the \"::\" notation so they were queries from the\ndefault source list (which is all sources).\n\n\nGeneral recommendations:\n\nUse minimal set of RIR databases (only those in which you and your\ncustomers have registered route-objects).\n\nAvoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted sources: these records\nwere created in database but for address space allocated to different RIR,\nso the NONAUTH databases have no chance to confirm validity of this route\nobject.\n\n\t$ bgpq4 -S RIPE,RADB as-space\n\tno ip prefix-list NN\n\tip prefix-list NN permit 195.190.32.0/19\n\t\n\t$ bgpq4 -S RADB,RIPE as-space\n\tno ip prefix-list NN\n\tip prefix-list NN permit 45.4.4.0/22\n\tip prefix-list NN permit 45.4.132.0/22\n\tip prefix-list NN permit 45.6.128.0/22\n\tip prefix-list NN permit 45.65.184.0/22\n\t[...]\n\nWhen known, use the \"::\" notation to speicy the authortative data source for\nan AS-SET or RS instead of the -S flag.\n\n# PERFORMANCE\n\nTo improve \\`bgpq4\\` performance when expanding extra-large AS-SETs you\nshall tune OS settings to enlarge TCP send buffer.\n\nFreeBSD can be tuned in the following way:\n\n\tsysctl -w net.inet.tcp.sendbuf_max=2097152\n\nLinux can be tuned in the following way:\n\n\tsysctl -w net.ipv4.tcp_window_scaling=1\n\n\tsysctl -w net.core.rmem_max=2097152\n\n\tsysctl -w net.core.wmem_max=2097152\n\n\tsysctl -w net.ipv4.tcp_rmem=\"4096 87380 2097152\"\n\n\tsysctl -w net.ipv4.tcp_wmem=\"4096 65536 2097152\"\n\n# CONTAINER IMAGE\n\nA multi-arch (linux/amd64 and linux/arm64) container image is built automatically for all tagged releases and `main` branch. The image is based on Alpine Linux and is available on [GitHub Container Registry](https://github.com/bgp/bgpq4/pkgs/container/bgpq4).\n\nUsing the image is as simple as:\n\n\t```\n\tdocker run --rm ghcr.io/bgp/bgpq4:latest -Jl eltel AS20597\n\tpolicy-options {\n\t\treplace:\n\t\tprefix-list eltel {\n\t\t\t81.9.0.0/20;\n\t\t\t81.9.32.0/20;\n\t\t\t81.9.96.0/20;\n\t\t\t81.222.128.0/20;\n\t\t\t81.222.160.0/20;\n\t\t\t81.222.192.0/18;\n\t\t\t85.249.8.0/21;\n\t\t\t85.249.224.0/19;\n\t\t\t89.112.0.0/17;\n\t\t\t217.170.64.0/19;\n\t\t}\n\t\t}\n\t```\n\n# BUILDING\n\nThis project uses autotools. If you are building from the repository,\nrun the following command to prepare the build system:\n\n\t./bootstrap\n\nIn order to compile the software, run:\n\n\t./configure\n\n\tmake\n\n\tmake install\n\nIf you wish to remove the generated build system files from your\nworking tree, run:\n\n\tmake maintainer-clean\n\nIn order to create a distribution archive, run:\n\n\tmake dist\n\n# DIAGNOSTICS\n\nWhen everything is OK,\n**bgpq4**\ngenerates access-list to standard output and exits with status == 0.\nIn case of errors they are printed to stderr and the program exits with\nnon-zero status.\n\n# TESTS\n\nThe [tests/](tests/) folder contains reference output data in [text files](tests/reference/). The [generate_outputs.sh](tests/generate_outputs.sh) script is used in the [Github workflow](.github/workflows/unit-tests.yml) to generate the same output data, using the latest commit, and compare the output data to the stored \"known-good\" reference data, and check there are no changes.\n\nTo update the reference data (i.e. if the bgpq4 output is modified), simply run the script again (`./tests/generate_outputs.sh ./bgpq4 tests/reference`) and commit the changes.\n\n# AUTHORS\n\nAlexandre Snarskii, Christian David, Claudio Jeker, Job Snijders,\nMassimiliano Stucchi, Michail Litvak, Peter Schoenmaker, Roelf Wichertjes,\nand contributions from many others.\n\n# SEE ALSO\n\n**https://github.com/bgp/bgpq4**\nBGPQ4 on Github.\n\n**http://bgpfilterguide.nlnog.net/**\nNLNOG's BGP Filter Guide.\n\n**https://tcp0.com/cgi-bin/mailman/listinfo/bgpq4**\nUsers and interested parties can subscribe to the BGPQ4 mailing list bgpq4@tcp0.com\n\n# PROJECT MAINTAINER\n\nJob Snijders \u0026lt;job@sobornost.net\u0026gt;\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbgp%2Fbgpq4","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbgp%2Fbgpq4","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbgp%2Fbgpq4/lists"}