BGP Filter
A BGP filter resource (BGPFilter) represents a way to control
routes imported by and exported to BGP peers specified using a
BGP peer resource (BGPPeer).
The BGPFilter rules are applied sequentially: the action for
the first rule that matches is executed immediately.
If an address does not match any explicit BGP filter rule,
the default action is Accept.
In order for a BGPFilter to be used in a BGP peering, its name
must be added to filters of the corresponding BGPPeer resource.
For kubectl commands, the following case-sensitive aliases may
be used to specify the resource type on the CLI: bgpfilters.crd.projectcalico.org
Sample YAML​
apiVersion: projectcalico.org/v3
kind: BGPFilter
metadata:
name: my-filter
spec:
exportV4:
- action: Accept
matchOperator: In
cidr: 77.0.0.0/16
source: RemotePeers
- action: Reject
interface: '*.calico'
importV4:
- action: Accept
matchOperator: In
cidr: 55.0.0.0/16
prefixLength:
min: 30
- action: Reject
matchOperator: NotIn
cidr: 44.0.0.0/16
exportV6:
- action: Reject
source: RemotePeers
- action: Reject
interface: '*.calico'
importV6:
- action: Accept
matchOperator: Equal
cidr: 5000::0/64
- action: Reject
BGP filter definition​
Metadata​
| Field | Description | Accepted Values | Schema |
|---|---|---|---|
| name | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional ., _, or -. | string |
Spec​
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| exportV4 | List of v4 CIDRs and export action | BGP Filter Rule v4 | ||
| importV4 | List of v4 CIDRs and import action | BGP Filter Rule v4 | ||
| exportV6 | List of v6 CIDRs and export action | BGP Filter Rule v6 | ||
| importV6 | List of v6 CIDRs and import action | BGP Filter Rule v6 |
BGP Filter Rule v4​
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| cidr | IPv6 range | A valid IPv6 CIDR | string | |
| prefixLength | PrefixLength | Valid integers between 0 and ipv4/6 max (32, 128) | ||
| matchOperator | Method by which to match candidate routes | In, NotIn, Equal, NotEqual | string | |
| source | Indicator of the source of route | RemotePeers means any route learned from other BGP peers | string | |
| interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | |
| action | Action to be taken for this rule | Accept or Reject | string |
BGP Filter Rule v6​
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| cidr | IPv6 range | A valid IPv6 CIDR | string | |
| prefixLength | PrefixLength | Valid integers between 0 and ipv4/6 max (32, 128) | ||
| matchOperator | Method by which to match candidate routes | In, NotIn, Equal, NotEqual | string | |
| source | Indicator of the source of route | RemotePeers means any route learned from other BGP peers | string | |
| interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | |
| action | Action to be taken for this rule | Accept or Reject | string |
Supported operations​
| Datastore type | Create/Delete | Update | Get/List | Notes |
|---|---|---|---|---|
| Kubernetes API server | Yes | Yes | Yes |