
Network Membrane

Operational

The Network Membrane is the userland network stack. It runs the grafted LwIP (Lightweight IP) stack inside a sandboxed fiber, providing TCP/IP connectivity to applications through a POSIX-compatible shim.

What Is the Membrane?

The Membrane (libnexus.a) is a compatibility adapter — a "biosuit" that wraps POSIX system calls and routes them through Nexus's sovereign abstractions. For networking, this means:

  • socket() creates a Membrane-managed endpoint
  • connect() sends a connection request through the LwIP stack
  • send()/recv() transfer data through ION Rings
  • bind()/listen()/accept() work as expected

Applications written against the POSIX socket API (curl, wget, ssh) work through the Membrane without source modification once they are linked against libnexus.a. They never call the kernel's network code directly; the kernel's only part in the data path is the NetSwitch L2 demux that feeds the fiber's ION Ring.

Architecture

┌─────────────────────────┐
│  Application Process    │
│  (calls socket/send)    │
├─────────────────────────┤
│  Membrane POSIX Shim    │  libnexus.a
│  (translates to ION)    │
├─────────────────────────┤
│  LwIP TCP/IP Stack      │  Grafted, runs as fiber
│  (DHCP, TCP, UDP, ICMP) │
├─────────────────────────┤
│  ION Ring (proc_rx/tx)  │  Zero-copy to kernel
├─────────────────────────┤
│  NetSwitch (Kernel)     │  L2 demux
└─────────────────────────┘

LwIP — The Grafted Stack

LwIP is an open-source lightweight TCP/IP stack designed for embedded systems. Nexus grafts it by:

  1. Stripping all OS-specific code (no pthreads, no file I/O)
  2. Replacing the platform layer with ION Ring integration
  3. Running it as a Rumpk fiber with restricted capabilities
  4. Applying pledge constraints (INET only — no filesystem access, no process spawning)

The result is a TCP/IP stack with full connectivity whose compromise is bounded by its pledge: a bug in packet parsing yields at most the INET capability the fiber already holds, not filesystem, process or kernel access.

DHCP and Network Configuration

The Membrane fiber runs DHCP client logic at boot:

  1. NetSwitch routes incoming DHCP responses to the Membrane fiber's ION Ring
  2. LwIP processes the DHCP offer and configures the interface
  3. The assigned IP address is registered in /Bus/net/
  4. Applications can now connect to the network
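As an added example (not Nexus or LwIP code), the option walk the Membrane fiber has to perform on the DHCP offer in step 2, written with the bounds checks the attack-surface argument later on this page depends on. Field offsets and option codes follow RFC 2131/2132; the sample packet is constructed for this example, and the names dhcp_parse_reply, dhcp_sample_offer and dhcp_demo are this example's own, not Nexus API.

```c
/* Added example, not Nexus or LwIP code: a bounds-checked DHCP reply parser of
 * the kind the Membrane fiber must run on packets NetSwitch hands it. Field
 * offsets follow RFC 2131; the sample packet below is constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_MAGIC     0x63825363u
#define DHCP_FIXED_LEN 240   /* 236-byte BOOTP header + 4-byte magic cookie */

typedef struct {
    uint32_t yiaddr;       /* offered address (host byte order) */
    uint32_t subnet_mask;  /* option 1 */
    uint32_t router;       /* option 3, first entry */
    uint32_t lease_secs;   /* option 51 */
    uint8_t  msg_type;     /* option 53: 2 = OFFER, 5 = ACK */
} dhcp_lease_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on a well-formed reply, -1 otherwise. Every read is checked
 * against len first, so a lying option length cannot walk off the packet. */
int dhcp_parse_reply(const uint8_t *pkt, size_t len, dhcp_lease_t *out) {
    if (len < DHCP_FIXED_LEN) return -1;
    if (pkt[0] != 2) return -1;                 /* op must be BOOTREPLY */
    if (rd32(pkt + 236) != DHCP_MAGIC) return -1;
    memset(out, 0, sizeof *out);
    out->yiaddr = rd32(pkt + 16);

    size_t i = DHCP_FIXED_LEN;
    while (i < len) {
        uint8_t code = pkt[i++];
        if (code == 0) continue;                /* PAD */
        if (code == 255) return out->msg_type ? 0 : -1;   /* END: type is mandatory */
        if (i >= len) return -1;                /* length byte missing */
        uint8_t olen = pkt[i++];
        if (olen > len - i) return -1;          /* body would overrun the packet */
        const uint8_t *v = pkt + i;
        switch (code) {
        case 1:  if (olen == 4) out->subnet_mask = rd32(v); break;
        case 3:  if (olen >= 4) out->router     = rd32(v); break;
        case 51: if (olen == 4) out->lease_secs = rd32(v); break;
        case 53: if (olen == 1) out->msg_type   = v[0];    break;
        default: break;                         /* unknown options are skipped, never trusted */
        }
        i += olen;
    }
    return -1;                                  /* ran out of bytes before END */
}

/* Constructed sample: OFFER of 192.168.1.50/24 via 192.168.1.1, 3600 s lease. */
size_t dhcp_sample_offer(uint8_t *buf, size_t cap) {
    static const uint8_t opts[] = {
        53, 1, 2,                   /* message type = OFFER */
        1,  4, 255, 255, 255, 0,    /* subnet mask */
        3,  4, 192, 168, 1, 1,      /* router */
        51, 4, 0, 0, 0x0e, 0x10,    /* lease 3600 s */
        255                         /* END */
    };
    if (cap < DHCP_FIXED_LEN + sizeof opts) return 0;
    memset(buf, 0, DHCP_FIXED_LEN);
    buf[0] = 2; buf[1] = 1; buf[2] = 6;                         /* BOOTREPLY, Ethernet, hlen 6 */
    buf[16] = 192; buf[17] = 168; buf[18] = 1; buf[19] = 50;    /* yiaddr */
    buf[236] = 0x63; buf[237] = 0x82; buf[238] = 0x53; buf[239] = 0x63;
    memcpy(buf + DHCP_FIXED_LEN, opts, sizeof opts);
    return DHCP_FIXED_LEN + sizeof opts;
}

/* 0 when the good packet parses and both malformed variants are rejected. */
int dhcp_demo(void) {
    uint8_t buf[512];
    dhcp_lease_t l;
    size_t n = dhcp_sample_offer(buf, sizeof buf);
    if (dhcp_parse_reply(buf, n, &l) != 0) return 1;
    if (l.yiaddr != 0xC0A80132u || l.router != 0xC0A80101u ||
        l.subnet_mask != 0xFFFFFF00u || l.lease_secs != 3600 || l.msg_type != 2) return 2;
    if (dhcp_parse_reply(buf, n - 2, &l) != -1) return 3;     /* truncated before END */
    buf[DHCP_FIXED_LEN + 16] = 200;                           /* option 51 now claims 200 bytes */
    if (dhcp_parse_reply(buf, n, &l) != -1) return 4;
    return 0;
}

int main(void) {
    uint8_t buf[512];
    dhcp_lease_t l;
    size_t n = dhcp_sample_offer(buf, sizeof buf);
    if (dhcp_parse_reply(buf, n, &l) == 0)
        printf("OFFER %u.%u.%u.%u lease %u s\n", l.yiaddr >> 24, (l.yiaddr >> 16) & 255,
               (l.yiaddr >> 8) & 255, l.lease_secs);
    return dhcp_demo();
}
```

The two malformed variants in dhcp_demo are the cases that matter for the sandbox argument: a reply cut off before END, and an option whose length byte points past the end of the packet. The second is the classic parser overflow; with the length check above it is rejected before any byte beyond len is read, and even if a check were missing, the fault would land in the Membrane fiber rather than in the kernel.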

Why Not a Kernel Network Stack?

Three reasons:

  1. Crash isolation: A bug in TCP processing kills only the Membrane fiber. The kernel restarts it; established connections are lost, and applications reconnect.

  2. Attack surface reduction: The kernel's trusted computing base does not include a TCP/IP stack, so a buffer overflow in packet parsing cannot be turned into kernel privileges. The caveat is that a compromised Membrane still holds the INET pledge and sits on every packet the host sends or receives, so it can read, alter or inject traffic; the sandbox limits the damage to the network path, it does not eliminate it.

  3. Replaceability: The Membrane is a service, not a kernel feature. You can swap LwIP for a different stack, run multiple stacks simultaneously, or remove networking entirely — without recompiling the kernel.

Chimera POSIX Bridge

For full POSIX compatibility, the Membrane includes the Chimera bridge (SPEC-073) — a more complete adaptation layer that handles edge cases:

  • Non-blocking I/O (O_NONBLOCK)
  • Socket options (setsockopt)
  • Signal-driven I/O (SIGIO)
  • Unix domain sockets (mapped to local ION Rings)

This bridge makes it possible to graft complex network applications (nginx, PostgreSQL, Node.js) with minimal or no source modifications.
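As an added example (not Nexus code), the socket calls listed under "What Is the Membrane?" and the Chimera edge cases above, exercised end to end: setsockopt, bind, listen, accept and connect over loopback, O_NONBLOCK with its EAGAIN contract, and a Unix domain pair. It uses only standard BSD socket calls, so it runs on any POSIX host; the assumption is that on Nexus the same program would be linked against libnexus.a instead of libc's networking. The names tcp_loopback_echo, unix_pair_echo and socket_demo are this example's own.

```c
/* Added example, not Nexus code: the POSIX socket calls the Membrane shim and
 * the Chimera bridge must honour, exercised end to end. Runs on any host with
 * BSD sockets; on Nexus it would be linked against libnexus.a (assumption). */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* recv() on an O_NONBLOCK socket: EAGAIN means "not yet", so wait with poll()
 * rather than spinning, and give up after timeout_ms. */
static ssize_t recv_nonblock(int fd, char *buf, size_t cap, int timeout_ms) {
    for (;;) {
        ssize_t n = recv(fd, buf, cap, 0);
        if (n >= 0) return n;
        if (errno != EAGAIN && errno != EWOULDBLOCK) return -1;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        if (poll(&p, 1, timeout_ms) <= 0) return -1;    /* timeout or error */
    }
}

/* socket/setsockopt/bind/listen/accept on the server side, connect/send/recv on
 * the client side, over 127.0.0.1 on an ephemeral port. The accepted socket is
 * switched to O_NONBLOCK to show the EAGAIN contract. Returns 0 on a clean echo. */
int tcp_loopback_echo(const char *msg, char *echo, size_t cap) {
    int srv = -1, cli = -1, conn = -1, rc = -1, one = 1;
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    char buf[256];
    ssize_t n;

    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                                     /* let the stack pick a port */

    if ((srv = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);        /* setsockopt path */
    if (bind(srv, (struct sockaddr *)&a, sizeof a) < 0) goto out;
    if (listen(srv, 1) < 0) goto out;
    if (getsockname(srv, (struct sockaddr *)&a, &alen) < 0) goto out;   /* learn the port */

    if ((cli = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cli, (struct sockaddr *)&a, sizeof a) < 0) goto out;
    if ((conn = accept(srv, NULL, NULL)) < 0) goto out;
    if (fcntl(conn, F_SETFL, fcntl(conn, F_GETFL) | O_NONBLOCK) < 0) goto out;

    /* Nothing sent yet: a non-blocking recv must fail with EAGAIN, not hang. */
    n = recv(conn, buf, sizeof buf, 0);
    if (n != -1 || (errno != EAGAIN && errno != EWOULDBLOCK)) goto out;

    if (send(cli, msg, strlen(msg), 0) != (ssize_t)strlen(msg)) goto out;
    n = recv_nonblock(conn, buf, sizeof buf, 2000);
    if (n <= 0 || send(conn, buf, (size_t)n, 0) != n) goto out;     /* echo it back */
    n = recv(cli, echo, cap - 1, 0);                                 /* blocking client side */
    if (n <= 0) goto out;
    echo[n] = '\0';
    rc = 0;
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return rc;
}

/* Unix domain sockets carry no IP at all: the bridge maps them to a local ION
 * Ring, but the application sees an ordinary connected pair. */
int unix_pair_echo(const char *msg, char *out, size_t cap) {
    int sv[2], rc = -1;
    size_t len = strlen(msg);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (send(sv[0], msg, len, 0) == (ssize_t)len) {
        ssize_t n = recv(sv[1], out, cap - 1, 0);
        if (n > 0) { out[n] = '\0'; rc = 0; }
    }
    close(sv[0]); close(sv[1]);
    return rc;
}

/* 0 when both paths echo the message intact. */
int socket_demo(void) {
    char e1[64], e2[64];
    if (tcp_loopback_echo("hello over tcp", e1, sizeof e1) != 0) return 1;
    if (strcmp(e1, "hello over tcp") != 0) return 2;
    if (unix_pair_echo("hello over af_unix", e2, sizeof e2) != 0) return 3;
    if (strcmp(e2, "hello over af_unix") != 0) return 4;
    return 0;
}

int main(void) {
    int rc = socket_demo();
    printf("%s\n", rc == 0 ? "both echo paths ok" : "echo failed");
    return rc;
}
```

The point of the EAGAIN check is that it is the behaviour a grafted server (nginx, Node.js) relies on: an O_NONBLOCK socket with no data must return immediately with EAGAIN so the application's event loop can poll, and a bridge that blocks there instead would stall the whole process.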

Released under the CC0 License.