-
Notifications
You must be signed in to change notification settings - Fork 2
plugins
Pre-Alpha. This page describes behavior that may change.
A plugin in Ze is a unit of behaviour that registers itself with the engine and reacts to events on the bus. The engine itself does not know about BGP. BGP is implemented as a stack of plugins on top of a generic message bus and a generic plugin manager. Interface management, the FIB pipeline, RPKI, address families, and the route selection policy are all plugins by the same definition.
A plugin is either an in-tree Go module compiled into the binary, or an external process started by the daemon and spoken to through a TLS-framed line protocol. The two paths use the same APIs, the same event types, and the same registration model. The trade-off is the obvious one: in-tree plugins have direct access and lower latency; external plugins can be written in any language and crash without taking the daemon down with them.
| Plugin | Description |
|---|---|
bgp-rib |
The main RIB store. |
bgp-adj-rib-in |
Per-peer Adj-RIB-In with raw hex replay. |
bgp-persist |
On-disk persistence across restarts. |
| Plugin | Description |
|---|---|
bgp |
The core BGP engine: FSM, message handling, peer reactor. |
bgp-healthcheck |
Service healthcheck with FSM-controlled announcement and withdrawal. |
interface |
OS network interface monitoring and management. |
loop |
Route loop detection per RFC 4271. |
| Plugin | Description |
|---|---|
bgp-rs |
Route server: client-to-client reflection per RFC 7947 with zero-copy fast path. Dynamic peers, RS-client role, community filtering. |
bgp-rr |
Route reflector per RFC 4456, as an alternative to the route server forward-all model. |
bgp-filter-community |
Community tag and strip filter (standard, large, extended). |
bgp-filter-community-match |
Community-match filter (accept/reject on community membership). |
bgp-filter-prefix |
Per-prefix modify path for multi-prefix updates. |
bgp-filter-aspath |
AS-path regex filter. |
bgp-filter-aspath-length |
AS-path length filter (accept/reject by hop count). |
bgp-filter-modify |
Route attribute modifier on import/export: set/increment/decrement local-preference, MED, AIGP; community add/remove (standard, large, extended). |
bgp-filter-remove-private-as |
Strips private ASNs from AS_PATH on export. |
bgp-role |
BGP Role capability enforcement (RFC 9234). |
bgp-redistribute |
Cross-protocol route redistribution (static, kernel, connected, L2TP routes into BGP). |
| Plugin | Description |
|---|---|
bgp-gr |
Graceful Restart (RFC 4724) and Long-Lived GR (RFC 9494). |
bgp-watchdog |
Deferred announcement controlled by named watchdog groups. |
bgp-route-refresh |
Route Refresh and Enhanced Route Refresh (RFC 2918, RFC 7313). |
| Plugin | Description |
|---|---|
bgp-rpki |
RPKI origin validation (RFC 6811), ASPA path verification with policy enforcement (reject/log-only/accept), RTR v2 (RFC 9582). |
bgp-rpki-decorator |
Correlates UPDATE and RPKI events into merged update-rpki events. |
| Plugin | Description |
|---|---|
bgp-aigp |
Accumulated IGP Metric (RFC 7311). |
bgp-hostname |
FQDN capability. |
bgp-llnh |
Link-local next-hop for IPv6 (RFC 2545). |
bgp-softver |
Software version capability. |
The IPv4 and IPv6 unicast and multicast families are part of the engine. Everything else is provided by an nlri plugin and is only available if the plugin is loaded.
| Plugin | Description |
|---|---|
bgp-nlri-vpn |
IPv4 and IPv6 MPLS-VPN. |
bgp-nlri-evpn |
L2VPN EVPN. |
bgp-nlri-flowspec |
IPv4 and IPv6 FlowSpec, with VPN variants. |
bgp-nlri-ls |
BGP-LS. |
bgp-nlri-labeled |
MPLS-labelled unicast. |
bgp-nlri-vpls |
L2VPN VPLS. |
bgp-nlri-mvpn |
Multicast VPN. |
bgp-nlri-rtc |
Route Target Constrain. |
bgp-nlri-mup |
Mobile User Plane. |
Run ze --plugins to list every plugin compiled into the binary you are running.
| Plugin | Description |
|---|---|
bfd |
Bidirectional Forwarding Detection (RFC 5880/5881/5882/5883). Echo mode, keyed SHA1/MD5 auth, BGP peer opt-in. See BFD. |
bgp-bmp |
BGP Monitoring Protocol (RFC 7854). Receiver and sender with Adj-RIB-Out (RFC 8671). See BMP. |
| Plugin | Description |
|---|---|
l2tp |
L2TPv2 LNS/LAC (RFC 2661). Tunnel and session FSMs, PPP negotiation, kernel data plane. See L2TP. |
firewall |
Stateful packet filtering with nftables backend. See Firewall. |
traffic |
Per-interface queueing disciplines with tc and VPP backends. See Traffic Control. |
ntp |
NTP client for system clock synchronization with clock readiness gate. |
sysctl |
Named sysctl profiles (dsr, router, hardened, multihomed, proxy) for interface units. |
tacacs |
TACACS+ AAA client (RFC 8907). SSH authentication, priv-lvl mapping, accounting. See TACACS+. |
dhcpserver |
DHCP server (RFC 2131/2132). Address pools with multiple named ranges, static mappings, lease tracking. See DHCP Server. |
static |
Static route management with ECMP, BFD failover, routing tables. See Static Routes. |
pppoe |
PPPoE client (RFC 2516) for WAN interfaces. See PPPoE. |
policy-routes |
Policy-based routing rules (PBR). See Policy Routing. |
kernel |
Kernel route redistribution via routewatch (RTPROT_KERNEL, RTPROT_REDIRECT). |
routing-table |
Named routing table registry mapping names to kernel table IDs. |
| Plugin | Description |
|---|---|
ipsec |
Native IKEv2 in Go with XFRM dataplane. See IPsec VPN. |
pki |
X.509 certificate store for IPsec and TLS. Health monitoring with certificate expiry warnings. Prometheus metrics. |
| Plugin | Description |
|---|---|
tftpserver |
RFC 1350 read-only TFTP server for PXE boot. |
imageserver |
HTTP image server with Range support for PXE provisioning. |
flowspec-firewall |
FlowSpec-to-nftables bridge: converts FlowSpec rules into nftables firewall entries. |
| Component | Description |
|---|---|
ldp |
Label Distribution Protocol (RFC 5036): UDP multicast discovery, TCP session FSM, label information base. Emits MPLS forwarding entries on the mpls-fib bus. See MPLS / LDP / RSVP-TE. |
rsvp-te |
RSVP-TE (RFC 3209/2205) signaling engine over raw IP (protocol 46): PATH/RESV, ERO explicit routing, bandwidth admission control, soft-state refresh, make-before-break. See RSVP-TE. |
The kernel MPLS FIB itself is programmed by fib-kernel, which stays the single owner of the kernel FIB and consumes push/swap/pop entries from the mpls-fib event bus.
| Component | Description |
|---|---|
gnmi |
gNMI server (gRPC Network Management Interface) for YANG-modeled config: Capabilities, Get, Set, Subscribe ONCE and STREAM. See gNMI. |
flow-export |
Interface counter and per-flow export over sFlow v5, NetFlow v9 (RFC 3954), and IPFIX (RFC 7011). See Flow Export. |
storage |
YANG-modeled SMART disk health: polling, temperature alerting, scheduled self-tests, pure ioctl (no smartctl). |
| Plugin | Description |
|---|---|
interface |
OS network interface monitoring through netlink (Linux). Publishes interface and address events to the bus. |
fib-kernel |
Programs the Linux FIB through netlink, including AF_MPLS push/swap/pop entries from the mpls-fib bus. |
fib-vpp |
Programs the VPP FIB through GoVPP binary API. See VPP. |
fib-p4 |
Experimental P4 dataplane. |
iface-dhcp |
DHCP client for managed interfaces with route/DNS/NTP discovery. |
iface-netlink |
Netlink-driven interface manager (WireGuard, tunnels, bridges, VLAN). |
iface-vpp |
VPP interface backend via GoVPP (lifecycle, addressing, monitor). |
rib |
System RIB shared between protocols: selects the best route across protocols by administrative distance, with a unified Loc-RIB. |
host |
Hardware inventory library and show host surface. |
vpp |
VPP process lifecycle management: startup, DPDK NIC binding, crash recovery, GoVPP connection. |
Every plugin exposes a few standard Prometheus metrics so you can tell at a glance whether they are healthy.
| Metric | Description |
|---|---|
ze_plugin_status{plugin} |
Current stage. 6 means running. |
ze_plugin_restarts_total{plugin} |
Cumulative restart count. |
ze_plugin_events_delivered_total{plugin} |
Total events enqueued to the plugin. |
When a plugin is disabled (respawn limit exceeded) its metrics are deleted rather than left stale.
Beyond the standard health metrics, Go plugins can register their own Prometheus counters and gauges through a ConfigureMetrics callback on the plugin registration. bgp-rib, bgp-watchdog, bgp-rpki, bgp-persist, fib-kernel, and rib each ship with their own metric sets on the same Prometheus endpoint. See Go plugins — Prometheus metrics for the API and naming convention.
- Plugin development for writing your own.
- Configuration overview for how plugins bind to peers and receive events.
- Monitoring for the event-stream surface plugins consume.
Adapted from main/docs/features/plugins.md and main/README.md.
Unreviewed draft. This wiki was authored in bulk and has not been reviewed. File corrections on the issue tracker.
- Overview
- YANG Model
- Editor Workflow
- Archive and Rollback
- System
- Interfaces
- BFD
- FIB
- MPLS / LDP / RSVP-TE
- RSVP-TE
- SRv6
- Static Routes
- Policy Routing
- Firewall
- Traffic Control
- L2TP/PPP
- PPPoE
- VPP Data Plane
- RPKI
- IPsec VPN
- TACACS+ AAA
- Fleet
- BGP
- Starting and Stopping
- Show Commands
- Monitoring
- Flow Export
- Health Checks
- Audit Trail
- Production Diagnostics
- Logging
- Operational Reports
- Healthcheck
- Self-Update
- Zero-Touch Provisioning
- MRT Analysis
- Upgrade and Restart
- Storage
- Policy
- Core
- Resilience
- Validation
- Capabilities
- Address Families
- Protocol
- Subsystems
- Infrastructure
- Route Server at an IXP
- Transit Edge with RPKI
- Public Looking Glass
- ExaBGP Migration Walkthrough
- FlowSpec Injection
- Chaos-Tested Peering
- AS Path Topology