From: benaryorg <binary@benary.org>
Subject: bgpd: allow equalityop matching for neighbor-as
To: tech@openbsd.org
Date: Fri, 5 Jun 2026 09:32:02 +0000

Putting the code on par with what the man-page implies, this will allow using an equalityop to match neighbor-as.
Rules such as `deny from any transit-as != neighbor-as` thus become feasible.

On the other side `as_compare` in `rde_attr.c` already checks for the operations against a unified variable containing the neighbor at the time.

Please note that the code is untested at time of writing as I do not currently have a development environment for OpenBSD, but the change itself seemed trivial enough to throw it out there in case anyone can test this before I get around to do so.

diff --git usr.sbin/bgpd/parse.y usr.sbin/bgpd/parse.y
index 4b24de688e0..e5054dd2b66 100644
--- usr.sbin/bgpd/parse.y
+++ usr.sbin/bgpd/parse.y
@@ -2762,6 +2762,13 @@ filter_as	: as4number_any		{
  				fatal(NULL);
  			$$->a.flags = AS_FLAG_NEIGHBORAS;
  		}
+		| equalityop NEIGHBORAS {
+			if (($$ = calloc(1, sizeof(struct filter_as_l))) ==
+			    NULL)
+				fatal(NULL);
+			$$->a.op = $1;
+			$$->a.flags = AS_FLAG_NEIGHBORAS;
+		}
  		| equalityop as4number_any	{
  			if (($$ = calloc(1, sizeof(struct filter_as_l))) ==
  			    NULL)