BGPLG(8) AerieBSD 1.0 Reference Manual BGPLG(8)


bgplg — looking glass for the OpenBSD Border Gateway Protocol daemon




The bgplg CGI program is a looking glass for the bgpd(8) Border Gateway Protocol daemon. The looking glass will provide a simple web interface with read-only access to a restricted set of bgpd(8) and system status information, which is typically used on route servers by Internet Service Providers (ISPs) and Internet eXchange points (IXs). It is intended to be used in a chroot(2) environment in /var/www.

bgplg is disabled by default. It requires four steps to enable the looking glass:
  1. Update the file permission mode to allow the execution of the bgplg CGI program and the additional statically linked programs that have been installed into the chroot(2) environment. See the section below for the list of installed programs.

    For example, to allow execution of bgplg and the statically linked version of bgpctl(8) (disabled commands like ping(8) and traceroute(8) will be hidden from the looking glass command list):

    # chmod 0555 /var/www/cgi-bin/bgplg
    # chmod 0555 /var/www/bin/bgpctl

  2. The programs ping(8) and traceroute(8) will require a copy of the resolver configuration file resolv.conf(5) in the chroot(2) environment for optional host name lookups.

    # mkdir /var/www/etc
    # cp /etc/resolv.conf /var/www/etc

  3. Start the Border Gateway Protocol daemon with a second, restricted, control socket that can be used from within the chroot(2) environment. See bgpd(8) for more information.

    For example, set the following in /etc/rc.conf.local to start bgpd(8) using the second, restricted, control socket:

         bgpd_flags="-r /var/www/logs/bgpd.rsock"

  4. Start the Apache Hypertext Transfer Protocol Server. See httpd(8) for more information.


Optional bgplg CSS style sheet.
Optional bgplg HTML header.
Optional bgplg HTML footer.
Position of the second, restricted, control socket of bgpd(8).

The following statically linked executables have been installed into the chroot(2) environment of the httpd(8) server. To enable the corresponding functionality, use the chmod(1) utility to manually set the file permission mode to 0555 or anything appropriate.

The bgplg CGI executable.
The bgpctl(8) program used to query information from bgpd(8).
The ping(8) program used to send ICMP ECHO_REQUEST packets to network hosts. Requires the set-user-ID bit; set the permission mode to 4555.
The traceroute(8) program used to print the route packets take to network hosts. Requires the set-user-ID bit; set the permission mode to 4555.
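
The permission modes described above can be checked with the following shell function, an added example that is not part of the original manual or of bgplg. It assumes ping and traceroute are installed in bin/ beside bgpctl (the file list above does not show their paths); the names has_perm and audit_bgplg are hypothetical.

```shell
#!/bin/sh
# Added example: audit which bgplg programs are enabled in the httpd chroot.
# Assumption: ping and traceroute are installed in bin/ beside bgpctl.

# has_perm FILE BITS: true if FILE has every permission bit in BITS set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_bgplg ROOT: print one line per program; return 1 if any WARN was raised.
audit_bgplg() {
    root=$1 rc=0
    for prog in cgi-bin/bgplg bin/bgpctl bin/ping bin/traceroute; do
        f="$root/$prog"
        name=${prog##*/}
        # chmod 0555 enables a program; without execute permission it stays off.
        if [ ! -f "$f" ] || ! has_perm "$f" 0001; then
            echo "$name: disabled"
            continue
        fi
        status=enabled
        # 0555 and 4555 carry no write bits; flag group- or world-writable files.
        if has_perm "$f" 0020 || has_perm "$f" 0002; then
            status="$status, WARN writable by group or others"
            rc=1
        fi
        case $name in
        ping|traceroute)
            # These two need the set-user-ID bit (mode 4555).
            if ! has_perm "$f" 4000; then
                status="$status, WARN set-user-ID bit missing"
                rc=1
            fi
            # Optional host name lookups need resolv.conf inside the chroot.
            if [ ! -f "$root/etc/resolv.conf" ]; then
                status="$status, NOTE no etc/resolv.conf"
            fi
            ;;
        esac
        echo "$name: $status"
    done
    return "$rc"
}

# Run against a real chroot when a path is given, e.g.: sh audit.sh /var/www
if [ $# -gt 0 ]; then audit_bgplg "$1"; fi
```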


bgpctl(8), bgpd(8), bgplgsh(8), httpd(8)


The bgplg program first appeared in OpenBSD 4.1. The initial implementation was done in 2005 for DE-CIX, the German commercial internet exchange point.


The bgplg program was written by Reyk Floeter.


To prevent commands from running endlessly, bgplg will kill the corresponding processes after a hard limit of 60 seconds. For example, this can take effect when using traceroute(8) with blackholed or bad routes.

AerieBSD 1.0 Reference Manual August 26 2008 BGPLG(8)