From 301764d7a3ed5fc68bb60de2ef21d3cb9d7435a1 Mon Sep 17 00:00:00 2001
From: phessler <>
Date: Fri, 27 Apr 2012 12:02:47 +0000
Subject: [PATCH] Add a brief comment describing each bogus v4 network that is filtered by default, similar to the v6 entries. While here, add a filter for 100.64.0.0/10, which is now reserved by RFC 6598 OK henning@, sthen@
---
 src/etc/bgpd.conf | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/etc/bgpd.conf b/src/etc/bgpd.conf
index a55bcd48..1542fb53 100644
--- a/src/etc/bgpd.conf
+++ b/src/etc/bgpd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: bgpd.conf,v 1.12 2011/01/19 07:36:40 claudio Exp $
+# $OpenBSD: bgpd.conf,v 1.13 2012/04/27 12:02:47 phessler Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
@@ -87,18 +87,19 @@ allow from any inet6 prefixlen 16 - 48
 #allow from any prefix 0.0.0.0/0
 # filter bogus networks according to RFC5735
-deny from any prefix 0.0.0.0/8 prefixlen >= 8
-deny from any prefix 10.0.0.0/8 prefixlen >= 8
-deny from any prefix 127.0.0.0/8 prefixlen >= 8
-deny from any prefix 169.254.0.0/16 prefixlen >= 16
-deny from any prefix 172.16.0.0/12 prefixlen >= 12
-deny from any prefix 192.0.2.0/24 prefixlen >= 24
-deny from any prefix 192.168.0.0/16 prefixlen >= 16
-deny from any prefix 198.18.0.0/15 prefixlen >= 15
-deny from any prefix 198.51.100.0/24 prefixlen >= 24
-deny from any prefix 203.0.113.0/24 prefixlen >= 24
-deny from any prefix 224.0.0.0/4 prefixlen >= 4
-deny from any prefix 240.0.0.0/4 prefixlen >= 4
+deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
+deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
+deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
+deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
+deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
+deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
+deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
+deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
+deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
+deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
+deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
+deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
+deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
 # filter bogus IPv6 networks according to IANA
 deny from any prefix ::/8 prefixlen >= 8
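Review bot: The block header above the deny list still reads `# filter bogus networks according to RFC5735`, but the new `100.64.0.0/10` entry comes from RFC 6598, so the header no longer describes the list; something like `# filter bogus networks according to RFC5735 and RFC6598` would keep it accurate. The last two entries are the only ones left without a reference; RFC 5735 attributes them to RFC 3171 and RFC 1112, so `# multicast [RFC3171]` and `# reserved [RFC1112]` would match the other lines. The list as shown also has no entry for 192.0.0.0/24, which RFC 5735 lists as IETF protocol assignments. If that omission is deliberate, a one-line comment saying so would help operators who copy this sample as their bogon filter.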