Weekly update
Week of 2026-05-04
Two major subsystems landed this week: a fleet management tool for appliances, and a PPPoE access concentrator alongside VPP-backed NAT and ACLs.
πΏ Appliance fleet management
A new ze appliance tool manages appliance images end to end.
- Interactive or config-file init, with encrypted secrets (Argon2id + ChaCha20), bcrypt passwords, self-signed TLS certificates, and SSH key provisioning
- Build, list, show, and day-2 operations: password change, certificate replacement, rekey, clone
- Remote operations (push, config, batch init) and export/import for disaster recovery from a bastion host
- Device-side config loading now validates before applying, and auto-reverts on failure
- Appliance images now build for both amd64 and arm64 (useful for running under QEMU on Apple Silicon)
πΆ Broadband access (BNG)
- New PPPoE access concentrator (RFC 2516): discovery, anti-DoS cookies, per-interface session tables, and rate limiting
- IPv6 wired into the PPP session lifecycle: prefix pools, DHCPv6-PD, and Router Advertisement building
- RADIUS accounting now reports real traffic counters, and Access-Accept attributes are consumed to configure sessions
- A string of Linux kernel-integration fixes were needed to get real PPP data flowing over L2TP: a missing kernel config option was silently disabling the L2TP Netlink module, tunnel sockets weren't connected to their peer (so transmission failed silently), and LCP's first request needed a retransmit timer since pppd wasn't ready to receive it yet
π§± Firewall & VPP dataplane
The VPP backend gained a classify pipeline (mark/limit actions), NAT44 (SNAT, DNAT, masquerade), and an ACL backend, and was hardened against failure patterns found during VyOS interoperability testing.
π Diagnostics
Per-session traffic diagnostics, VPP packet tracing, and pcap export.