Ze Features

Ze is a network operating system written in Go. It runs on any Linux or as a gokrazy appliance.

Status values: Supported means implemented and covered in the normal release evidence for this pre-release; Experimental means implemented but still needs deployment evidence or hardening before production claims; Partial means a named subset is not implemented or not proven; Stub-backed means external dependency evidence currently comes from a stub harness; Rejected means unsupported by design; Future means planned but not shipped.

| Feature | Status | Description |
|---|---|---|
| BGP Protocol | Supported | 21 address families, 13 capabilities, 18 path attributes (including AIGP RFC 7311) |
| Configuration | Partial | YANG-modeled config with prefix limits, update groups, session resilience, duplicate list-key rejection, and side-effect-free in-process plugin verifiers for static/API/CLI validation. Live external plugin `OnConfigVerify` callbacks run only in daemon reload/commit transactions. |
| Deactivate / Activate | Supported | Junos-style `inactive:` prefix on any node (leaf, container, list entry, leaf-list value); kept in file, skipped at apply. CLI: `ze config deactivate/activate <file> <path>`. TUI: `deactivate <path>` / `activate <path>`. Engine-level, no schema annotation required. |
| Environment Variables | Supported | Ze-native env surface: `ze.user`, `ze.pid.file`, `ze.pprof`, `ze.bgp.openwait`, `ze.bgp.announce.delay`; ExaBGP-compat env keys retired 2026-04 |
| Interfaces | Experimental | Linux interface management via netlink: ethernet, dummy, veth, bridge, loopback, VLAN, 8 tunnel kinds (GRE, GRETAP, IP6GRE, IP6GRETAP, IPIP, SIT, IP6TNL, IPIP6), and WireGuard (declarative peers with `$9$`-encoded keys); DHCP (config-driven, routes, DNS, NTP discovery), NTP client (clock sync, RTC, time persistence, max-step safety cap), monitoring, migration, mirroring, per-interface offload and steering (GRO, GSO, SG, TSO, LRO, hw-tc-offload via kernel ethtool ioctl; RPS, RFS via sysfs; boolean three-state: true/false/absent), per-family reverse path filtering (`rpf-check strict |
| Plugins | Partial | RIB, route server (with reactor-native RS fast path, dynamic peers, RS-client, community filtering), graceful restart, RPKI (ASPA policy enforcement), healthcheck, community filters, prefix-list filters, AS-path filters, community-match filters, route attribute modifiers, AIGP (RFC 7311), BMP (RFC 7854), interface monitoring, cross-protocol redistribute (egress), FlowSpec-to-firewall bridge. BMP Loc-RIB and some redistribution claims remain explicitly scoped by readiness review. |
| BFD Liveness Detection | Partial | RFC 5880 Bidirectional Forwarding Detection plugin: pinned single-hop (UDP 3784) and multi-hop (UDP 4784) sessions, profile-driven timer bundles, GTSM enforcement (`IP_TTL=255` outbound / `IP_RECVTTL` ingress gate), multi-hop min-TTL floor, RFC 5880 §6.8.7 TX jitter (0-25%, clamped to [10%, 25%) when detect-multiplier=1), `SO_BINDTODEVICE` for single-hop interface and multi-VRF binding, BGP peer opt-in with RFC 9384 Cease subcode 10 teardown, `show bfd sessions/session/profile` commands, `ze_bfd_*` Prometheus metrics, RFC 5880 §6.7 Keyed SHA1/MD5 (meticulous variants included) authentication with file-backed sequence-number persistence, and RFC 5880 §6.4 Echo mode config/wire advertisement (transport half tracked as spec-bfd-6b-echo-transport). |
| Kernel Tunable Management | Experimental | Sysctl plugin centralizes kernel parameter management with three-layer precedence (config > transient > default). Plugins declare required defaults (e.g., fib-kernel enables forwarding), users override via config or CLI. Original values restored on clean stop. Named profiles group co-dependent tunables (dsr, router, hardened, multihomed, proxy) applied per interface unit. User-defined profiles supported. CLI: `sysctl show`, `sysctl list`, `sysctl describe`, `sysctl set`, `sysctl list-profiles`, `sysctl describe-profile`. |
| Connection Tracking Management | Experimental | Declarative conntrack configuration under `system { conntrack {} }`. Helper module loading (ftp, sip, h323, pptp, tftp, sane, irc, amanda, netbios-ns, snmp, nfs, sqlnet) via modprobe on Linux (load-only, never unload). User-friendly config for table sizing (table-size, hash-size, expect-max), per-protocol timeouts (TCP, UDP, ICMP, ICMPv6, GRE, SCTP, DCCP), TCP behavior flags (be-liberal, loose, max-retrans, ignore-invalid-rst), and global flags (accounting, timestamp, checksum, log-invalid). All sysctl values routed through the sysctl plugin for three-layer precedence. Dual-setting prevention rejects keys in `sysctl {}` that conntrack manages. On gokrazy (modules built-in), module loading is skipped gracefully. CLI: `show system conntrack`. Telemetry: configured-max gauge alongside existing per-CPU counters. |
| Installation | Experimental | `ze install local` copies the binary to a standard FHS prefix (/usr/local, /usr, /opt/ze), sets up a systemd unit (auto-detected, or `--systemd`/`--no-systemd`), and scaffolds the config directory if no `database.zefs` exists. `ze install remote` provides PXE-based bare-metal provisioning: generates ze config from CLI flags, forks ze - to start DHCP+PXE (dhcpserver plugin with options 43/60/66/67/93, BIOS/UEFI bootfile selection), TFTP (RFC 1350 read-only tftpserver plugin), and HTTP image server (imageserver plugin with Range support). `ze uninstall` reverses a local installation (removes binary, systemd unit, optionally config with `--purge`). |
| Modular Deployment | Partial | Config-driven plugin loading: BGP, interfaces, and FIB load only when their config section is present. Add or remove subsystems at runtime via config reload (SIGHUP). Required config-root autoload failures fail closed, reload diffs restart same-name plugins when their definition changes, and changed external plugin replacements are pre-started before the old handler is removed. |
| Static Routes | Supported | Config-driven static route plugin with named routing tables (policy-based routing), interface-only next-hops (PPPoE/GRE tunnels), mixed ECMP (gateway + interface-only in same group), ECMP (multiple active next-hops), per-next-hop weighted load balancing, BFD-tracked failover (next-hop removed from ECMP group on session DOWN, re-added on UP), blackhole/reject, IPv4/IPv6, config reload reconciliation, and redistribute integration (`redistribute { import static }`). Named tables resolved via routing-table registry; non-default table routes are PBR-only (not redistributed into BGP). Programs kernel via netlink multipath or VPP via GoVPP. |
| Connected Routes | Supported | Redistribute directly connected interface prefixes into BGP via `redistribute { import connected }`. Subscribes to interface address events; emits `RouteChangeBatch` on address add/remove. Reference-counted: multiple addresses on the same prefix emit one announcement, withdrawn only when the last address is removed. IPv4 and IPv6. No kernel programming (kernel already has connected routes). |
| Kernel Routes | Experimental | Redistribute externally-installed kernel routes into BGP via `redistribute { import kernel }`. Consumes parsed route events from a shared netlink route watcher (`internal/core/routewatch/`), filtering Ze-owned routes (rtproto 250-252), RTPROT_KERNEL (2), and RTPROT_REDIRECT (1). Emits `RouteChangeBatch` for DHCP (16), PPP/manual (BOOT=3), admin static (STATIC=4) routes. Tracks announced prefixes; withdraws all on shutdown. IPv4 and IPv6. Shares a single netlink subscription with fib-kernel (route re-assertion). |
| Policy Routing | Experimental | Policy-based routing via nftables packet marking and kernel ip rules. Steers traffic to alternate routing tables or next-hops based on L3/L4 match criteria (address, port, protocol, TCP flags, set references). Actions: accept (bypass), drop, table N (fwmark + ip rule), next-hop (auto-managed table from 2000-2999), tcp-mss clamping. Interface wildcard binding (e.g., `l2tp*`). Config reload reconciles nftables tables, ip rules, and auto-managed routes. |
| RPF Lookup | Supported | Reverse Path Forwarding query: longest-prefix-match against Loc-RIB for any CIDR family (IPv4/IPv6 unicast/multicast). Exposes `bgp rib rpf <family> <source-addr>` command returning matched prefix, next-hop, admin distance, and metric as JSON. Generic LPM on the sharded Loc-RIB (queries all shards, picks most specific). |
| Route Installation | Experimental | FIB pipeline: protocol RIB best-path tracking, system RIB selection by admin distance, kernel route programming via per-producer netlink protocol ownership, crash recovery via stale-mark-sweep, external change monitoring. Local privileged integration covers FIB restart sweep and flush-on-stop preserving static and policyroute-owned routes; target-runner evidence is still required before production deployment claims. |
| CLI Commands | Supported | Protocol tools, config management, schema discovery, daemon control, AS topology graph |
| API Commands | Supported | Peer management, route updates, RIB operations, event subscription |
| Configuration Reload | Partial | Live reload via SIGHUP with automatic reconciliation. Plugin-server transactions, config-provider roots, subsystem reload, and changed external plugin replacement roll back on failure; remaining reload safety depends on component-specific journals and privileged dataplane evidence. |
| Fleet Management | Experimental | Centralized config distribution over TLS |
| Performance Benchmarking | Supported | Cross-implementation latency benchmarking with ze-perf |
| Web Interface | Supported | HTTPS config editor with YANG-driven UI, CLI bar, and L2TP session management (CQM graph, event timeline, disconnect) |
| Looking Glass | Supported | Public BGP looking glass with birdwatcher API, AS path graphs, and BMP-monitored route display |
| AI-First Design | Supported | Self-describing CLI-as-API with MCP transport for AI assistants |
| Self-Documenting System | Supported | Runtime introspection of plugins, env vars, RPCs, schemas, commands |
| Host Inventory | Supported | Structured hardware inventory for ISP fleet monitoring: CPU (vendor, topology, hybrid P/E layout, scaling driver, frequencies, throttle counts), physical NICs (driver, PCI IDs, link speed, queue counts, firmware, rings), DMI board identity, memory with ECC counters, hwmon thermal sensors + per-CPU throttle, block devices with NVMe firmware, kernel release/cmdline/microcode/arch flags. Read-only sysfs/procfs, no daemon required. Online via `show host cpu/nic/...`, offline via `ze host show`; JSON by default for pipeline consumption. |
| Self-Update | Supported | Periodic version check with optional self-update for non-gokrazy deployments. SHA-256 verified download, atomic binary replacement via rename with `.prev` hard-link rollback. Fleet-scale: deterministic spread scheduling (FNV-1a per device+version), maintenance windows (with midnight crossing), server-side pause (file or SIGUSR1). Update history (20 events, persisted across restarts). Manual CLI override: `update system firmware {check,download,apply,restart,rollback}`. `ze update-serve` standalone server for build infrastructure with enhanced manifest (sha256, size, paused), checksum endpoint, and pause toggle. Config: `system { update-check { auto-apply true; spread 1800; maintenance-window { start 02:00; end 06:00 }; restart { time 03:00 } } }`. |
| Operational Report Bus | Supported | Cross-subsystem `ze show warnings` and `ze show errors` commands with `source <name>` filtering: single place to surface prefix-threshold crossings, stale route data, BGP NOTIFICATIONs sent/received, unexpected session drops, session-stuck/flap/EOR-timeout, route-count-anomaly (>50% drop), FIB sync failures/orphans/programming-lag, firewall stale-table/drift, plugin crashes, interface error counters. State-based warnings + event-based error ring; the login banner reads the same source. |
| Health Registry | Supported | Aggregated component health via `show health` and `/health` HTTP endpoint (503 when any component is down). Registered components: l2tp, report-bus, ipsec, pki, bgp (session-stuck/flap/EOR), fib (sync-failure/orphan/lag), firewall (stale-table/drift audit), iface (error counters), plugins (crash/disabled), vpp (API socket probe). Health checks time out at 1 second. |
| System Readiness (ze doctor) | Supported | Offline pre-start checks: config syntax, YANG validation, TLS certs (missing/expired/invalid), VPP socket, kernel modules, interface existence/state, SSH host key, listener conflicts, plugin binaries, storage integrity, dangling config references, disk space (<5% free), DNS resolver reachability, clock skew (>5 min vs NTP), VPP version (Linux). `--json` output with stable diagnostic codes and `ze explain <code>` for remediation. |
| Runtime Diagnostics | Supported | Production debugging via CLI and MCP: `show l2tp observer` (per-session event ring), `show l2tp cqm` (per-login echo RTT/loss buckets), `show l2tp echo` (current echo state), `show l2tp reliable` (reliable transport Ns/Nr/cwnd), `show traffic` (TC qdisc/class state), `metrics pool` (BGP attribute pool occupancy and dedup rates), enhanced subsystem-list (real plugin state). All auto-exposed as MCP tools for AI-assisted troubleshooting. |
| Core Diagnostics | Supported | 11 built-in diagnostic commands replacing ss, dmesg, lsof, dig, nc, traceroute, mtr, ping, tcpdump, and pprof on gokrazy appliances: `show system sockets` (TCP/UDP state), `show system kernel-log` (dmesg), `show system goroutines` (dump with singleflight dedup), `show tcp-check` (port probe), `show traceroute` (ICMP path trace with per-hop RTT, IPv4/IPv6), `monitor traceroute` (live mtr-style continuous trace with ` |
| Crash Capture | Supported | Automatic stderr redirect captures panic stack traces from any goroutine. Forwarded to syslog (via `ze.log.destination`) in real time and persisted to crash files on disk. Crash reports include ring buffer context (last 64 log entries before the panic), version, build date, uptime. Crash dir autodetected (`/perm/ze/crash/` on gokrazy, fallback chain for other platforms). CLI: `show crashes`, `show crashes latest`. Env vars: `ze.crash.dir`, `ze.crash.keep`. |
| Interoperability Testing | Supported | 30+ Docker-based scenarios against FRR, BIRD, GoBGP, OpenBGPD, FreeRtr, and Rust implementations |
| REST/gRPC API | Partial | Programmatic API with OpenAPI 3.1 spec, config sessions. Both transports accept multiple named listen endpoints via `environment.api-server.rest.server <name>` / `.grpc.server <name>`. REST is plaintext and therefore loopback-only; expose it remotely only behind a TLS terminator. Non-loopback authenticated gRPC listeners require TLS. Bearer token auth, per-user auth, CORS support. Both transports share one engine for identical command output. SSE and gRPC streaming are wired to registered streaming commands such as `monitor event`, using the same authorization and accounting path as SSH monitor commands. Completion remains future work. |
| Named Service Listeners | Supported | Every service that accepts inbound connections (web, ssh, mcp, looking-glass, telemetry, REST, gRPC, plugin hub) models its listen endpoints as a named YANG list. Each entry binds its own listener on the same subsystem; bind is all-or-nothing with rollback on failure. `CollectListeners` detects overlapping ip:port pairs at config parse time across every service. |
| MCP Integration | Supported | AI-assisted BGP operations via Model Context Protocol (Streamable HTTP 2025-06-18 transport, OAuth 2.1 resource server, server-initiated elicitation, task-augmented tools/call with background workers per MCP 2025-11-25, MCP Apps UI resources with embedded panels) |
| Chaos MCP | Supported | AI-queryable chaos test state via MCP: 6 tools (status, problems, peers, scenario, control, execute), Watchdog anomaly detector with structured PROBLEM lines, per-family convergence tracking |
| PKI Certificate Store | Supported | YANG `pki {}` config for CA certificates and device certificates with private keys. Base64-DER certificate parsing, PKCS8/SEC1/PKCS1 private key detection, `$9$` sensitive encoding for keys, chain validation, expiry checking, atomic reload. PEM export for IPsec and TLS consumers. Health check (degraded at 30 days, down when expired). Report bus warnings for approaching expiry. `show pki certificates`, `show pki certificate <name>`. Shared infrastructure for IPsec, TLS, and future mutual-auth features. |
| IPsec Data Model | Supported | YANG `vpn { ipsec {} }` config for site-to-site VPN: ESP groups (proposals, lifetime, PFS), IKE groups (proposals, DPD, key-exchange, close-action), site-to-site peers (X.509 and PSK auth, VTI bind, group references). Algorithm enums match strongSwan naming. Cross-reference validation (group names, PKI certificates, interface binding, local-id/CN match). Config diff detection for reload. |
| IKEv2 Wire Format | Supported | RFC 7296 wire codec: all payload types (SA, KE, Nonce, ID, AUTH, CERT, CERTREQ, Notify, Delete, Vendor, TSi/TSr, EAP, Configuration). Header encode/decode, payload chaining, encryption envelope. |
| IKEv2 Cryptographic Primitives | Supported | DH groups (MODP 2048/3072/4096/8192, ECP 256/384/521), PRF (SHA-256/384/512), integrity (HMAC-SHA-256/384/512), encryption (AES-CBC, AES-GCM-16 128/256, ChaCha20-Poly1305), SKEYSEED derivation, key expansion (RFC 7296 Section 2.14). |
| IKEv2 Engine | Supported | Full IKE FSM: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL exchanges. X.509 certificate authentication. Child SA creation with traffic selectors and ESP proposals. IKE SA and Child SA rekeying with collision handling. DPD (Dead Peer Detection) via INFORMATIONAL exchange with configurable interval and timeout. XFRM policy and state programming via netlink. Reconciliation on config reload. |
| IPsec EAP Authentication | Supported | EAP-MSCHAPv2 (type 26) and EAP-TLS (type 13) authentication for road warrior VPN clients inside IKEv2 IKE_AUTH exchange. MS-CHAPv2 crypto (NtPasswordHash, ChallengeResponse, MPPE key derivation), TLS handshake in EAP with fragmentation, MSK derivation feeding IKEv2 AUTH payload. Virtual IP pool with dual-stack allocation (IPv4 + IPv6), DNS push via Configuration Payload. |
| IPsec NAT Traversal | Supported | NAT detection via SHA-1 hash notify payloads in IKE_SA_INIT (RFC 7296 Section 2.23). Port 4500 with non-ESP marker for IKE, UDP encapsulation for ESP (RFC 3948). NAT keepalive (0xFF byte, 20s interval). XFRM SA UDP encap attribute set when NAT detected. |
| IPsec MOBIKE | Supported | RFC 4555 address update on interface change for mobile/multihomed clients. UPDATE_SA_ADDRESSES notify, NAT re-detection, XFRM state migration. |
| XFRM Interfaces | Supported | Route-based IPsec via XFRM interfaces (`interface { xfrm <name> { if-id <N> } }`). Traffic routed through the interface is encrypted; traffic arriving is decrypted. Created and deleted via netlink. |
| IPsec Interop Testing | Supported | Docker-based interop test infrastructure against strongSwan as the remote IKE peer. |
| IPsec CLI and Diagnostics | Supported | `show vpn ipsec sa/status/peer`, `clear vpn ipsec sa [peer <name>]`, `monitor vpn ipsec` (live SA event stream). Web page at `/show/vpn/ipsec/` with SA table. Health check (healthy/degraded/down from SA state). Prometheus metrics `ze_ipsec_sa_count`, `ze_ipsec_tunnel_up` (per-peer gauge). All show commands produce JSON and support full pipe operators. |
| DNS Resolver | Supported | Built-in cached DNS resolver for all components. Uses configured `system.name-server` or `resolv.conf`, and fails closed with no DNS server configured when neither is available. It does not silently fall back to public recursive resolvers. Cache management: `show dns cache list/record`, `clear dns cache` (flush/selective delete/stats reset). |
| Resolution CLI and Pipes | Supported | Offline `ze resolve` tool for DNS, Team Cymru ASN names, PeeringDB prefix counts, and IRR AS-SET expansion. The ` |
| Netdata-compatible OS Telemetry | Supported | 138 Prometheus metrics from `/proc` and `/sys` (CPU, memory, network, disk, IPv4/IPv6 protocols, conntrack, PSI, cpuidle, cpufreq, ZFS, btrfs, mdstat, SCTP, IPVS, wireless, etc.) matching Netdata's naming and labels exactly. Drop-in replacement for Netdata's Prometheus exporter; existing Grafana dashboards keep working. Per-collector enable/disable, interval override, and prefix are scoped under `telemetry.prometheus.netdata` so Ze-native metrics keep their `ze_*` names. The Prometheus HTTP service defaults to loopback and can require HTTP Basic Auth. |
| VPP Data Plane | Experimental | Manages VPP lifecycle (startup, crash recovery, DPDK NIC binding), programs FIB routes via GoVPP binary API, and polls VPP's stats segment for per-interface, per-node, and system-wide Prometheus metrics. Configurable poll interval. MPLS label operations (push, swap, pop) driven directly from BGP labeled unicast (RFC 8277): labels are stripped at NLRI parse, stored as RIB side-data, propagated through best-change events, and programmed into VPP via GoVPP `IPRouteAddDel` with `LabelStack` (push) or `MplsRouteAddDel` (swap/pop). `vpp.external=true` switches ze into connect-only mode for systemd-managed / container-sidecar deployments and the ze-test vpp stub harness. Local Docker evidence via `make ze-deployment-vpp-test` covers real VPP FIB add/withdraw, traffic policer apply/bind, same-config Ze restart preservation, and startup cleanup of stale Ze traffic policers. Same-process VPP traffic reapply now replays policer output binding so VPP-side unbinds converge back to desired state. |
| L2TPv2 BNG | Partial | RFC 2661 L2TPv2 LNS/LAC with full BNG stack: tunnel lifecycle (SCCRQ/SCCRP/SCCCN, CHAP-MD5 challenge, HELLO keepalive, StopCCN teardown, tie-breaker), reliable delivery with sliding window and congestion avoidance, PPP negotiation (LCP 10-state FSM, PAP/CHAP-MD5/MS-CHAPv2 auth, IPCP/IPv6CP address assignment, proxy LCP), kernel data plane via l2tp_ppp netlink and PPPoL2TP sockets. Four plugins: auth-local (static users), auth-radius (RADIUS auth/acct/CoA/DM with failover, real per-subscriber traffic counters in Interim/Stop including RFC 2869 Gigawords), pool (bitmap-backed IPv4 ranges from Ze config), shaper (TC TBF/HTB on pppN interfaces with configured defaults and CoA rate updates). Subscriber route redistribution via `redistribute { import l2tp }`: the real `RouteObserver` emits add/remove route-change batches, and BGP announce/withdraw plumbing is covered with a synthetic producer. CQM monitoring (100s echo RTT/loss buckets, per-login sample rings, 24h retention). Web UI at `/l2tp` with session list, detail page, uPlot CQM graph with SSE live updates, event timeline, and disconnect with audit trail. `ze_l2tp_*` Prometheus metrics (session/tunnel gauges, per-session byte/packet counters, CQM echo RTT histogram, loss ratio, bucket state). `ze_radius_*` metrics (auth/acct/interim counters, server reachability). RADIUS Access-Accept subscriber profile attributes are consumed: Framed-IP-Address bypasses pool (direct IP assignment), Framed-Pool selects a named pool, Session-Timeout/Idle-Timeout enforce session lifetime, Filter-Id sets initial shaping rate at session establishment, Acct-Interim-Interval overrides the per-session accounting interval, and Framed-Route/Framed-IPv6-Route (RFC 2865 Section 5.22, RFC 6911 Section 3.2) inject per-subscriber static routes into BGP alongside the subscriber /32 or /128. Named pools are configured via YANG `named-pool` list under `l2tp > pool`. PPP auth now defaults to mandatory CHAP-MD5 with finite tunnel/session caps; no-auth requires explicit opt-in, and hidden mandatory AVPs are rejected fail-closed. Docker-backed xl2tpd evidence covers external LAC control tunnel and incoming-call session setup. A peer-isolated Docker lab (`make ze-deployment-l2tp-ppp-docker-test`) proves full PPP LCP/IPCP, kernel pppN creation, dataplane ping, and BGP route redistribution from a live PPP session with Ze LNS, real xl2tpd/pppd LAC, and FRR in separate containers; requires host kernel PPPoL2TP support. |
| TACACS+ AAA | Partial | RFC 8907 TACACS+ client for SSH login: PAP authentication, ordered server failover with per-server timeout, MD5 pseudo-pad body encryption, priv-lvl-to-profile mapping, command accounting (START/STOP records on every dispatched CLI command), and explicit-reject vs unreachable distinction so wrong-password TACACS+ replies do NOT silently fall through to local bcrypt. Runs as a pluggable `aaa.Authenticator` so local bcrypt remains the fallback when every TACACS+ server is unreachable (default). Configurable strict-fallback mode denies authorization when TACACS+ infrastructure is unavailable instead of falling back to local RBAC. |
| PPPoE Access | Partial | RFC 2516 PPPoE access concentrator: discovery state machine (PADI/PADO/PADR/PADS/PADT), HMAC-SHA256 AC-Cookie for DoS protection, per-interface session tables with bitmap SID allocation (1-65535), per-source-MAC PADI rate limiting, Service-Name filtering, kernel PPPoE sessions via `AF_PPPOX` + `PX_PROTO_OE`, and integration with the transport-agnostic PPP Driver (same auth/pool/shaper plugins as L2TP). YANG config (`pppoe {}`) with per-interface settings. CLI commands: `show pppoe`, `show pppoe sessions`, `show pppoe statistics`, `show pppoe interfaces`. Runs concurrently with L2TP on the same daemon. |
| Firewall | Experimental | Packet filter and NAT via the nftables backend on Linux. Abstract model supports 15 match types (source/destination address, port ranges, protocol, input/output interface with wildcard prefix, connection state, marks, DSCP, ICMP type, ICMPv6 type, TCP flags, named sets) and 19 action/modifier types (accept, drop, reject, jump/goto/return, SNAT/DNAT with address ranges, masquerade, redirect, notrack, flow offload, set mark/connmark/DSCP/TCP-MSS, counter, log, rate limit). NAT exclude rules emit a Return verdict to skip translation. Global-options container maps keyword toggles (all-ping, broadcast-ping, syn-cookies, source-validation, etc.) to kernel sysctls via the sysctl plugin's default layer; explicit sysctl settings always override. Component reactor wires into ze's engine lifecycle: Apply on boot and reload, rollback on failure. `ze_` prefix on all kernel tables. |
| VPP Firewall Backend | Stub-backed | Registered as `firewall { backend vpp }`. Filter chains translate ze Match/Action types to VPP ACL rules via GoVPP binapi (source/destination prefix, port range, protocol, ICMP type/code, TCP flags, permit/deny/reflect). Connection-state `established,related` maps to `ACL_ACTION_API_PERMIT_REFLECT` (VPP reflexive ACL). NAT chains configure VPP NAT44-ED: masquerade via output-interface mode, SNAT via address pool + inside interface feature, DNAT via static mappings with tagged cleanup. SetMark and Limit actions use VPP's classify pipeline: classify tables match traffic by packet header fields, SetMark sets opaque metadata via `CLASSIFY_API_ACTION_SET_METADATA`, Limit creates a policer bound to the classify table via `PolicerClassifySetInterface`. Expression types without a faithful VPP representation are rejected at commit via `firewall.RegisterVerifier("vpp", Verify)`: interface matches, connection marks, DSCP, sets, packet modification (connmark/dscp/tcp-mss), counters, log, chain traversal. |
| Commit-Time Backend Capability Check | Supported | YANG nodes that correspond to backend-specific features carry a `ze:backend "<names>"` annotation. On commit (daemon reload, first-apply, and `ze config validate`), the walker rejects the config with the YANG path and the list of supporting backends whenever the active backend does not implement the feature, instead of letting an Apply-time "not supported" error fire inside the backend. The gate covers interface (netlink-only bridge, tunnel, wireguard, veth, mirror under the vpp backend), traffic-control (the backend-leaf CALL wired into `OnConfigure`/`OnConfigVerify`; tc-only feature annotations ship with spec-fw-7-traffic-vpp), and firewall (seven `ze:backend "nft"` annotations on conntrack-driven matches and nft-only action/modifier leaves). |
| Backend-Aware CLI Completion | Supported | CLI auto-completion filters options based on the active backend. Config editor mode (set/delete/edit/show) and operational command mode (show/clear/monitor) hide nodes annotated with `ze:backend` when the active backend is not in the annotation's list. Backend names are derived from the config tree at each tree change. Same `ze:backend` annotations used by commit-time validation, applied earlier at completion time. |
| Traffic Control Lifecycle | Experimental | The traffic-control section of the config is now programmed at boot and on SIGHUP reload. The traffic component's reactor calls the selected backend's `Apply(map[string]InterfaceQoS)` in `OnConfigure` and `OnConfigApply`, with `sdk.Journal` rollback on apply failure. Linux default backend is tc (netlink); future backends plug in via `traffic.RegisterBackend`. Local privileged integration covers netlink qdisc snapshot/restore after backend restart; target-runner and reactor-level boot/reload kernel-state evidence remain open. |
| VPP Traffic Control Backend | Stub-backed | Registered as `traffic-control { backend vpp }`. Scope is an interface-level rate limit: HTB and TBF qdiscs with exactly one class translate to a VPP policer (CIR = Rate, EIR = Ceil, kbps with round-up) bound to interface egress via `PolicerOutput`. Multi-class configurations, every other qdisc type, and every filter type are rejected at `OnConfigVerify` via `traffic.RegisterVerifier("vpp", Verify)`. The rejections come with messages pointing at the deferred destination specs in `plan/deferrals.md`: multi-class and filter support both need the VPP classify-attachment and QoS-record pipelines that fw-7 does not build. Per `rules/exact-or-reject.md`, shipping silent-no-op features (classify sessions in a detached table, or N policers stacked on the output feature arc producing min(rates) instead of per-class shaping) is banned. Apply waits up to 5s for VPP to be reachable and returns `vpp not connected after 5s` on timeout. On partial-apply error the backend undoes what this call programmed in VPP before returning. Reconcile-time deletions are tolerant of stale indexes (post-VPP-restart): failures log a warning and continue instead of failing the commit. A fresh backend instance scans VPP policers with the `ze/` prefix, removes undesired startup orphans, and rebinds desired policers from config. Same-process reapply also replays `PolicerOutput(apply=true)` for existing desired policers, repairing VPP-side output unbinds without requiring a Ze restart. Real-daemon traffic-control evidence covers apply/bind, restart preservation, and startup orphan cleanup. |
| AIGP (RFC 7311) | Supported | Accumulated IGP Metric path attribute. Capability negotiation, wire encoding/decoding, structured JSON exposure with RFC 4271 attribute flags. Not consumed in best-path selection. |
| RPKI ASPA Policy Enforcement | Supported | ASPA path verification (draft-ietf-sidrops-aspa-verification) with configurable policy enforcement: `rpki/aspa-policy/invalid-action` supports reject, log-only, accept. ASPA records distributed via RTR v2 (RFC 9582). |
| FlowSpec-to-Firewall Bridge | Supported | flowspec-firewall plugin converts BGP FlowSpec rules into nftables entries in a dedicated `ze_flowspec` table. |
| IXP Route Server Dynamic Peers | Supported | Route server (bgp-rs) supports dynamic peers for IXP deployments. Peers connect dynamically and inherit configuration from a peer group template. RS-client role and per-peer community filtering. |
| Subscriber Session Model | Supported | Unified subscriber session model for L2TP/PPPoE subscribers with shared session lifecycle, auth, pool, and shaper infrastructure. |
| Config Schema Stamp | Supported | Config files carry a schema version stamp. Downgrade recovery prunes incompatible fields when loading a config from a newer version. |
| Config Dependency Graph | Supported | `ze config graph` visualizes config dependency relationships. |
| Graceful Listener Migration | Supported | Hot reload of listener endpoints (web, LG, REST, gRPC, MCP). New listener starts before old one stops; in-flight connections are drained. |
| Docker Support | Supported | Static binary on scratch base (~89 MB). `make ze-docker` with optional build tags. Compose support via `docker/compose.yaml`. |
| Archive Pruning | Supported | `commit-revisions` config field limits the number of retained committed revisions. Older revisions pruned after each commit. |
| DHCP Server Named Ranges | Supported | Multiple named address ranges per subnet for segmented allocation. Each range has an independent bitmap pool. |
| ExaBGP Compatibility | Supported | Automatic config migration and plugin bridge |
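The BFD Liveness Detection row mentions RFC 5880 §6.8.7 transmit jitter "clamped to [10%, 25%) when detect-multiplier=1". The following Go program is an added example, not code from the Ze plugin, showing why that clamp exists: the peer declares the session down after Detect Multiplier times the negotiated interval, so with a multiplier of 1 a packet sent at the full interval would race the detection timer, and shortening every interval by at least 10% keeps a margin. The uniform sample `u` is passed in as a parameter (an assumption made for testability; the real plugin draws it from a random source) and `detectionTime` assumes both sides use the same multiplier.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// negotiatedTxInterval applies RFC 5880 §6.8.7: a system never transmits faster
// than the larger of its own Desired Min TX Interval and the peer's Required
// Min RX Interval.
func negotiatedTxInterval(localDesiredMinTx, remoteRequiredMinRx time.Duration) time.Duration {
	if remoteRequiredMinRx > localDesiredMinTx {
		return remoteRequiredMinRx
	}
	return localDesiredMinTx
}

// jitterBounds returns the fraction range [lo, hi) by which each transmission
// interval is shortened. RFC 5880 §6.8.7 allows 0-25%; with a Detect Multiplier
// of 1 the reduction must be 10-25% so that a single packet always lands
// before the peer's detection time expires.
func jitterBounds(detectMult uint8) (lo, hi float64) {
	if detectMult == 1 {
		return 0.10, 0.25
	}
	return 0.0, 0.25
}

// jitteredInterval scales the negotiated interval by (1 - r), with r drawn from
// jitterBounds. u is a uniform sample in [0, 1) supplied by the caller so the
// mapping can be checked without a random source.
func jitteredInterval(negotiated time.Duration, detectMult uint8, u float64) time.Duration {
	lo, hi := jitterBounds(detectMult)
	r := lo + u*(hi-lo)
	return time.Duration(float64(negotiated) * (1 - r))
}

// detectionTime is how long the local system waits without receiving a packet
// before declaring the session Down: the peer's Detect Multiplier times the
// negotiated interval (RFC 5880 §6.8.4).
func detectionTime(remoteDetectMult uint8, negotiated time.Duration) time.Duration {
	return time.Duration(remoteDetectMult) * negotiated
}

func main() {
	// Constructed session parameters: we want 300 ms, the peer accepts nothing faster than 1 s.
	neg := negotiatedTxInterval(300*time.Millisecond, time.Second)
	fmt.Println("negotiated TX interval:", neg)
	for _, mult := range []uint8{3, 1} {
		fmt.Printf("detect-multiplier=%d: next 3 TX intervals:", mult)
		for i := 0; i < 3; i++ {
			fmt.Print(" ", jitteredInterval(neg, mult, rand.Float64()))
		}
		// Assumes the peer advertises the same multiplier as we do.
		fmt.Println(" / detection time:", detectionTime(mult, neg))
	}
}
```

With a multiplier of 3 the detection time is three intervals, so a 0% reduction is safe; with a multiplier of 1 the detection time equals one interval, and the 10% floor is what stops an on-time packet from being declared late.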
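The Self-Update row describes deterministic spread scheduling (FNV-1a per device+version) and maintenance windows that may cross midnight. The Go program below is an added illustration of those two mechanisms, not the project's updater: each device hashes its own identity and the target version to pick a slot in `[0, spread)` without any coordination, and the apply time is then pushed to the next window start if it falls outside the window. The separator byte between identity and version, the minute granularity of the window, and the `parseWindow`/`nextApply` names are assumptions of this example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"time"
)

// spreadOffset derives a per-device delay in [0, spread) from FNV-1a over the
// device identity and the target version. Every device computes its own slot
// without talking to the update server, the fleet spreads across the window,
// and re-running the check for the same version yields the same slot.
func spreadOffset(deviceID, version string, spread time.Duration) time.Duration {
	if spread <= 0 {
		return 0
	}
	h := fnv.New64a()
	h.Write([]byte(deviceID))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently (constructed choice)
	h.Write([]byte(version))
	return time.Duration(h.Sum64() % uint64(spread))
}

// Window is a daily maintenance window expressed as minutes since local midnight.
// Start > End means the window crosses midnight (e.g. 22:00 to 02:00).
type Window struct{ Start, End int }

// parseWindow builds a Window from "HH:MM" strings such as the
// maintenance-window { start 02:00; end 06:00 } stanza.
func parseWindow(start, end string) (Window, error) {
	s, err := parseHHMM(start)
	if err != nil {
		return Window{}, err
	}
	e, err := parseHHMM(end)
	if err != nil {
		return Window{}, err
	}
	return Window{Start: s, End: e}, nil
}

func parseHHMM(s string) (int, error) {
	t, err := time.Parse("15:04", s)
	if err != nil {
		return 0, err
	}
	return t.Hour()*60 + t.Minute(), nil
}

// Contains reports whether t falls inside the window; End is exclusive.
func (w Window) Contains(t time.Time) bool {
	m := t.Hour()*60 + t.Minute()
	if w.Start <= w.End {
		return m >= w.Start && m < w.End
	}
	return m >= w.Start || m < w.End // midnight crossing
}

// nextApply returns the earliest instant at or after now+offset that lies
// inside the window: either that instant itself or the next window start.
func nextApply(now time.Time, offset time.Duration, w Window) time.Time {
	t := now.Add(offset)
	if w.Contains(t) {
		return t
	}
	start := time.Date(t.Year(), t.Month(), t.Day(), w.Start/60, w.Start%60, 0, 0, t.Location())
	if !start.After(t) {
		start = start.Add(24 * time.Hour)
	}
	return start
}

func main() {
	// Constructed device, version and clock.
	w, err := parseWindow("02:00", "06:00")
	if err != nil {
		panic(err)
	}
	now := time.Date(2026, 4, 1, 23, 10, 0, 0, time.UTC)
	off := spreadOffset("router-17", "1.4.2", 1800*time.Second)
	fmt.Println("spread offset:", off)
	fmt.Println("apply at:", nextApply(now, off, w))
}
```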
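The Named Service Listeners row says `CollectListeners` detects overlapping ip:port pairs across every service at config parse time. As an added example of that check (not Ze's `CollectListeners`), the Go program below flattens the per-service listener lists into one slice and reports every pair that would contend for a socket. It goes a little beyond literal string equality, which is an assumption of this example: a wildcard address is treated as overlapping every address of its family, and the IPv6 wildcard `::` is assumed to cover IPv4 too, as it does on Linux with `IPV6_V6ONLY` left off. Hostnames are only compared literally.

```go
package main

import (
	"fmt"
	"net"
)

// Listener is one entry of a service's named listen list: which service it
// belongs to, the entry name, and the ip:port it binds.
type Listener struct {
	Service, Name, Addr string
}

// Conflict pairs two listeners whose binds would collide on the same host.
type Conflict struct{ A, B Listener }

func (c Conflict) String() string {
	return fmt.Sprintf("%s/%s (%s) overlaps %s/%s (%s)",
		c.A.Service, c.A.Name, c.A.Addr, c.B.Service, c.B.Name, c.B.Addr)
}

// parseAddr splits ip:port and normalises an empty host (":443") to the IPv6
// wildcard, which is what a bare port means to net.Listen.
func parseAddr(addr string) (host, port string, ok bool) {
	h, p, err := net.SplitHostPort(addr)
	if err != nil {
		return "", "", false
	}
	if h == "" {
		h = "::"
	}
	return h, p, true
}

// overlaps reports whether two listeners would contend for the same socket.
// Beyond exact equality it treats wildcards as covering every address of their
// family, and assumes the IPv6 wildcard also covers IPv4 (the Linux default
// with IPV6_V6ONLY off).
func overlaps(a, b Listener) bool {
	ha, pa, okA := parseAddr(a.Addr)
	hb, pb, okB := parseAddr(b.Addr)
	if !okA || !okB || pa != pb {
		return false
	}
	ia, ib := net.ParseIP(ha), net.ParseIP(hb)
	if ia == nil || ib == nil {
		return ha == hb // hostnames: only an exact match is known to collide
	}
	if ia.Equal(ib) {
		return true
	}
	v4a, v4b := ia.To4() != nil, ib.To4() != nil
	if (ia.IsUnspecified() && !v4a) || (ib.IsUnspecified() && !v4b) {
		return true // "::" dual-stack wildcard
	}
	return v4a == v4b && (ia.IsUnspecified() || ib.IsUnspecified())
}

// findListenerConflicts walks every listener from every service once and
// returns each colliding pair, so a config that cannot bind is rejected at
// parse time instead of failing (and rolling back) at bind time.
func findListenerConflicts(ls []Listener) []Conflict {
	var out []Conflict
	for i := range ls {
		for j := i + 1; j < len(ls); j++ {
			if overlaps(ls[i], ls[j]) {
				out = append(out, Conflict{ls[i], ls[j]})
			}
		}
	}
	return out
}

func main() {
	// Constructed listener set spanning several services.
	ls := []Listener{
		{"web", "default", "[::]:443"},
		{"mcp", "default", "0.0.0.0:443"},
		{"rest", "loopback", "127.0.0.1:8080"},
		{"grpc", "loopback", "127.0.0.1:8080"},
		{"ssh", "default", "0.0.0.0:22"},
		{"ssh", "mgmt", "[::1]:22"},
	}
	for _, c := range findListenerConflicts(ls) {
		fmt.Println("listener conflict:", c)
	}
}
```

Running the check before any bind matters because the row states that a bind is all-or-nothing with rollback: catching the overlap at parse time turns a failed transaction into a plain validation error.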
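The TACACS+ AAA row makes a point that is easy to get wrong in an authenticator chain: an explicit reject from a reachable TACACS+ server must never fall through to local credentials, while an unreachable server set may (or, in strict-fallback mode, may not). The Go program below is an added model of that three-way outcome and the fallback policy; it is not the project's `aaa.Authenticator` and its names are assumptions. The TACACS+ servers are scripted stand-ins that return a fixed reply instead of running the RFC 8907 PAP exchange, and the local store uses salted SHA-256 purely to stay within the standard library where the row uses bcrypt.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Decision is the outcome of one authentication attempt. The three-way split
// is the point: an explicit Reject from TACACS+ is a verdict, while
// Unreachable only says that no server answered.
type Decision int

const (
	Allow Decision = iota
	Reject
	Unreachable
)

var decisionNames = [...]string{"allow", "reject", "unreachable"}

func (d Decision) String() string { return decisionNames[d] }

// Authenticator is a hypothetical stand-in for the pluggable interface named
// in the row (not the project's aaa.Authenticator signature).
type Authenticator interface {
	Authenticate(user, password string) Decision
}

// tacacsServer is a constructed stand-in for one RFC 8907 server: instead of
// running the PAP exchange it returns a scripted reply so the failover logic
// can be exercised offline.
type tacacsServer struct {
	name  string
	reply Decision
}

// tacacsClient tries servers in configured order and moves on only when the
// current one is unreachable. An explicit Allow or Reject ends the search.
type tacacsClient struct{ servers []tacacsServer }

func (c tacacsClient) Authenticate(user, password string) Decision {
	for _, s := range c.servers {
		if d := s.reply; d != Unreachable {
			return d
		}
	}
	return Unreachable
}

// localUsers is the local fallback store. The project uses bcrypt; this
// stand-in uses salted SHA-256 only to avoid a non-stdlib import.
type localUsers struct{ creds map[string][2][]byte } // user -> {salt, hash}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func newLocalUsers(user, password string) localUsers {
	salt := []byte("constructed-per-user-salt")
	return localUsers{creds: map[string][2][]byte{user: {salt, hashPassword(salt, password)}}}
}

func (l localUsers) Authenticate(user, password string) Decision {
	c, ok := l.creds[user]
	if !ok {
		return Reject
	}
	if subtle.ConstantTimeCompare(c[1], hashPassword(c[0], password)) == 1 {
		return Allow
	}
	return Reject
}

// aaaChain implements the fallback rule from the row: a TACACS+ verdict
// (Allow or Reject) is final; only when every server is unreachable does the
// chain consult local credentials, and in strict-fallback mode it denies instead.
type aaaChain struct {
	remote, local  Authenticator
	strictFallback bool
}

func (a aaaChain) Authenticate(user, password string) Decision {
	switch d := a.remote.Authenticate(user, password); d {
	case Allow, Reject:
		return d
	}
	if a.strictFallback {
		return Reject
	}
	return a.local.Authenticate(user, password)
}

func main() {
	local := newLocalUsers("admin", "correct horse")
	down := tacacsServer{name: "tacacs-1", reply: Unreachable}
	chain := aaaChain{remote: tacacsClient{[]tacacsServer{down, {name: "tacacs-2", reply: Reject}}}, local: local}
	fmt.Println("tacacs-2 rejects, local password correct:", chain.Authenticate("admin", "correct horse"))
	chain.remote = tacacsClient{[]tacacsServer{down, down}}
	fmt.Println("all servers unreachable, default fallback:", chain.Authenticate("admin", "correct horse"))
	chain.strictFallback = true
	fmt.Println("all servers unreachable, strict-fallback:", chain.Authenticate("admin", "correct horse"))
}
```

The first case is the one the row singles out: a wrong password answered by TACACS+ stays rejected even though the same password would pass locally, so an attacker cannot turn a central denial into a local login by waiting for a server to answer.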
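The PPPoE Access row lists an HMAC-SHA256 AC-Cookie for DoS protection. The idea, shown in the added Go program below (not the project's PPPoE code), is that the access concentrator keeps no state during discovery: the cookie sent in the PADO is an HMAC over the client MAC, the PADR must echo it, and a session ID is allocated only after the HMAC verifies, so a flood of forged PADRs costs one HMAC each and no table entries. The time epoch folded into the HMAC, the acceptance of the previous epoch, and the simple counter in place of the row's bitmap SID allocator are assumptions of this example; the row itself states only the HMAC-SHA256 cookie.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net"
)

// cookieKey is the per-AC secret. Constructed here; a real AC would generate
// it at startup and never disclose it.
var cookieKey = []byte("constructed-ac-cookie-secret")

// acCookie computes the AC-Cookie placed in the PADO for a given client MAC
// and a time epoch (assumed here to be the current minute). Nothing is stored:
// everything needed to validate the PADR is recomputed from the packet plus
// the secret.
func acCookie(key []byte, clientMAC net.HardwareAddr, epoch uint32) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(clientMAC)
	var e [4]byte
	binary.BigEndian.PutUint32(e[:], epoch)
	mac.Write(e[:])
	return mac.Sum(nil)
}

// verifyCookie checks the AC-Cookie echoed in a PADR. It accepts the current
// epoch and the previous one so a PADR sent just before a rotation still
// succeeds, and uses hmac.Equal to avoid a timing side channel.
func verifyCookie(key, cookie []byte, clientMAC net.HardwareAddr, nowEpoch uint32) bool {
	for _, e := range []uint32{nowEpoch, nowEpoch - 1} {
		if hmac.Equal(cookie, acCookie(key, clientMAC, e)) {
			return true
		}
	}
	return false
}

// sessionTable is the only state the AC commits, and only after a cookie
// verifies. A counter stands in for the bitmap allocator named in the row.
type sessionTable struct {
	next  uint16
	byMAC map[string]uint16
}

func newSessionTable() *sessionTable {
	return &sessionTable{next: 1, byMAC: map[string]uint16{}}
}

// handlePADR allocates a session ID (1-65535; 0 is reserved by RFC 2516) for
// a PADR whose cookie verifies and refuses everything else without touching
// the table.
func (s *sessionTable) handlePADR(clientMAC net.HardwareAddr, cookie []byte, epoch uint32) (sid uint16, ok bool) {
	if !verifyCookie(cookieKey, cookie, clientMAC, epoch) {
		return 0, false
	}
	if s.next == 0 {
		return 0, false // ID space exhausted
	}
	sid = s.next
	s.next++
	s.byMAC[clientMAC.String()] = sid
	return sid, true
}

func main() {
	// Constructed client and epoch.
	client, _ := net.ParseMAC("02:00:5e:00:53:01")
	epoch := uint32(100)
	table := newSessionTable()
	pado := acCookie(cookieKey, client, epoch) // what the AC would put in its PADO
	if _, ok := table.handlePADR(client, []byte("forged"), epoch); !ok {
		fmt.Println("forged PADR refused, no session state allocated")
	}
	sid, ok := table.handlePADR(client, pado, epoch)
	fmt.Printf("genuine PADR: session id %d, accepted=%v\n", sid, ok)
}
```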