Week of 2026-06-01

The CLI grammar rollout finished, MRT tooling arrived, and a handful of quiet-but-important reliability bugs got fixed.

πŸ–₯️ CLI

The verb-first, show-a-noun command grammar reached the rest of the command surface this week: interfaces, process lifecycle, cache, log, metrics, MPLS, DNS, traffic/QoS, IKE, traceroute, ping, monitor, and BGP peer/cache/commit commands all follow the same pattern now. Bare list/summary commands without an explicit verb are gone. Interface commands also got smarter: creating a sub-interface auto-creates its parent, and the MAC address setting moved under a mac { } container.

πŸ“Š MRT tooling

Ze can now record, replay, and analyze BGP sessions in MRT format (RFC 6396/6397/8050), the standard used by RouteViews and RIPE RIS:

  • A daemon component recording three independent dump streams with time-based file rotation
  • RIB dumps (TABLE_DUMP_V2) and BGP4MP UPDATE recording
  • Analysis tools: statistics, filtering by peer/prefix/timestamp/type, AS-path/community regex, inject, replay at configurable speed, and conversion to pcap or JSON
  • A standalone offline BGP message decoder with bgpdump-style human-readable output
  • MRT files servable over HTTP, and a ze-chaos --mrt-file flag for recording chaos-test sessions

πŸ’Ώ Appliance & installer

The installer kernel now builds from a base config plus a profile (qemu or hardware), with a --profile override and PXE boot args tuned per architecture. ISO images gained a framebuffer console line for physical hardware with a monitor, plus gzip compression to shrink the image.

πŸ”’ Reliability fixes

  • BMP now defaults to monitor-only, matching its role as a passive monitoring protocol (RFC 7854); it no longer injects received routes by default
  • RPKI's validation gate now skips cleanly when no RTR cache servers are configured, instead of leaving every route waiting 30 seconds for a validation response that will never arrive
  • L2TP tunnel IDs are now seeded from the listener port, so multiple ze instances (or parallel test runs) no longer collide on tunnel ID 1; a stale tunnel left behind by a crash is now detected and cleaned up automatically
  • Config reload now falls through correctly to a newly-added peer's embedded config instead of erroring
  • PKI certificates now load correctly during hub reload, not just at startup

🧩 Config validation

Required-field enforcement, previously BGP-specific, is now generic: any YANG list can mark fields required and have them checked on ze config validate and in the editor, currently applied to VPN, PKI, and L2TP sections.