Weekly update

Week of 2026-05-04

Two major subsystems landed this week: a fleet management tool for appliances, and a PPPoE access concentrator alongside VPP-backed NAT and ACLs.

← All weekly updates

πŸ’Ώ Appliance fleet management

A new ze appliance tool manages appliance images end to end.

  • Interactive or config-file init, with encrypted secrets (Argon2id + ChaCha20), bcrypt passwords, self-signed TLS certificates, and SSH key provisioning
  • Build, list, show, and day-2 operations: password change, certificate replacement, rekey, clone
  • Remote operations (push, config, batch init) and export/import for disaster recovery from a bastion host
  • Device-side config loading now validates before applying, and auto-reverts on failure
  • Appliance images now build for both amd64 and arm64 (useful for running under QEMU on Apple Silicon)

πŸ“Ά Broadband access (BNG)

  • New PPPoE access concentrator (RFC 2516): discovery, anti-DoS cookies, per-interface session tables, and rate limiting
  • IPv6 wired into the PPP session lifecycle: prefix pools, DHCPv6-PD, and Router Advertisement building
  • RADIUS accounting now reports real traffic counters, and Access-Accept attributes are consumed to configure sessions
  • A string of Linux kernel-integration fixes were needed to get real PPP data flowing over L2TP: a missing kernel config option was silently disabling the L2TP Netlink module, tunnel sockets weren't connected to their peer (so transmission failed silently), and LCP's first request needed a retransmit timer since pppd wasn't ready to receive it yet

🧱 Firewall & VPP dataplane

The VPP backend gained a classify pipeline (mark/limit actions), NAT44 (SNAT, DNAT, masquerade), and an ACL backend, and was hardened against failure patterns found during VyOS interoperability testing.

πŸ“Š Diagnostics

Per-session traffic diagnostics, VPP packet tracing, and pcap export.