BGP Filter
A BGP filter resource (BGPFilter
) represents a way to control routes imported by and exported to BGP peers specified using a BGP peer resource (BGPPeer
).
The BGPFilter rules are applied sequentially: the action
for the first rule that matches is executed immediately. If an address does not match any explicit BGP filter rule, the default action is Accept
.
In order for a BGPFilter to be used in a BGP peering, its name
must be added to filters
of the corresponding BGPPeer resource.
For kubectl
commands, the following case-sensitive aliases may be used to specify the resource type on the CLI: bgpfilters.crd.projectcalico.org
Sample YAML
apiVersion: projectcalico.org/v3
kind: BGPFilter
metadata:
name: my-filter
spec:
exportV4:
- action: Accept
matchOperator: In
cidr: 77.0.0.0/16
source: RemotePeers
- action: Reject
interface: '*.calico'
importV4:
- action: Reject
matchOperator: NotIn
cidr: 44.0.0.0/16
exportV6:
- action: Reject
source: RemotePeers
- action: Reject
interface: '*.calico'
importV6:
- action: Accept
matchOperator: Equal
cidr: 5000::0/64
- action: Reject
BGP filter definition
Field | Description | Accepted Values | Schema |
---|
name | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional . , _ , or - . | string |
Spec
BGP Filter Rule v4
Field | Description | Accepted Values | Schema | Default |
---|
cidr | IPv6 range | A valid IPv6 CIDR | string | |
matchOperator | Method by which to match candidate routes | In , NotIn , Equal , NotEqual | string | |
source | Indicator of the source of route | RemotePeers means any route learned from other BGP peers | string | |
interface | String to match interface names | A valid pattern to match interfaces. “*” can be used as a wildcard. | string | |
action | Action to be taken for this rule | Accept or Reject | string | |
BGP Filter Rule v6
Field | Description | Accepted Values | Schema | Default |
---|
cidr | IPv6 range | A valid IPv6 CIDR | string | |
matchOperator | Method by which to match candidate routes | In , NotIn , Equal , NotEqual | string | |
source | Indicator of the source of route | RemotePeers means any route learned from other BGP peers | string | |
interface | String to match interface names | A valid pattern to match interfaces. “*” can be used as a wildcard. | string | |
action | Action to be taken for this rule | Accept or Reject | string | |
Supported operations
Datastore type | Create/Delete | Update | Get/List | Notes |
---|
Kubernetes API server | Yes | Yes | Yes | |