| en:dpi:changelog:versions:beta [2025/12/26 12:52] – [Update instructions] elena.krasnobryzh | en:dpi:changelog:versions:beta [2026/06/16 13:09] (current) – elena.krasnobryzh |
|---|
| ====== Beta-version 14.1 ====== | |
| {{indexmenu_n>1}} | {{indexmenu_n>1}} |
| | ======Beta-version 14.2====== |
| |
| ===== Changes in version 14.1 BETA1 ===== | =====Changes in version 14.2 BETA8===== |
| === DPI === | - [DPI] Changed: after IPSNI check, fallback to base protocol or protocol defined by SNI (if detected) |
| - [DPI][ajb_save_vlan] Fixed an issue when the engine runs in read-only mode | - [DPI] Changed: reduced inspection depth when attempting to decode cname/sni |
| - [DPDK][tap_device] Fixed: setting the tx queue length via the ''dpdk_tx_queue_size'' option. Previously, the tx queue length of the TAP device was unconditionally set to 256, which VMware VMXNET3 Ethernet Controller complained about: ETHDEV: Invalid value for nb_tx_desc(=256), should be: <= 4096, >= 512, and a product of 1 | - [CLI] Added pcap capture command from port: <code>dev pcap <dev-name> rx|tx|any|off</code> |
| - [LAG] Fixed: added load balancing for pass packets | * ''rx'' — record packets received from the port |
| - [DPI][ip_node stg] Added statistics for bucket occupancy. The new CLI command ''stat storage ip4 detail'' outputs statistics on bucket filling in the IPv4 node storage | * ''tx'' — record packets sent to the port |
| - [DPI] Added validation for the MULTIPROXY_STRONG protocol | * ''any'' — rx and tx |
| - [DPI] Improved scalability on 128-core systems | * ''off'' — stop recording\\ \\ pcap file prefixes (''dev'' - port name): |
| - [DPI][log] Improved the logging subsystem in cases of log file overflow | * ''rx-dev'' — for rx |
| | * ''tx-dev'' — for tx |
| | - [NAT] Fixed consistency of private address queue |
| | - [DPI] Fixed issue with tx-port selection for multi-valued configurations: return packet is now preferentially sent to the port from which the original packet arrived |
| | - [NAT] Fixes and optimization of private address port queue: |
| | - Private address port queue is distributed across threads |
| | - Private address port queue is split into "short" and "long" |
| | - [CLI][RG] Added: command ''rg show <IP>'' for viewing current rating group data for a subscriber |
| |
| === BNG === | =====Changes in version 14.2 BETA7===== |
| - [BNG][framed-route] Fixed: Framed-Route propagation when changing the subscriber login. When changing the login, Framed-Route subnets remained attached to the old login, and all services and policing for the Framed-Route subnets were taken from the old login. | - [DPI] Changed: FakeSNI check is not performed if protocol is determined by IP and there is no mark1 |
| - [BNG] Added the ''bras_disable_l3_auth'' option — explicit prohibition of L3 auth in L2 BNG mode for all subscribers. For example, only DHCP authorization will work for subscribers with AS local meta. Default value: ''off'' (L3 auth is allowed) ''bras_disable_l3_auth=off''. This option makes sense only if ''enable_auth=1''. The option is incompatible with ''bras_dhcp_auth_mix=0'': if ''bras_dhcp_auth_mix=0'' is set, then ''bras_disable_l3_auth'' is assumed to be ''off'' (L3 auth is allowed) and a warning is printed to the alert log. | - [CG-NAT] Optimized statistics command ''fdpi_ctrl list all status --service 11'' |
| - [BNG] Added a new subscriber flag — prohibit L3 auth for a specific subscriber. This flag can be set/cleared only via CLI: a new parameter ''disable_l3_auth=[1:0]'' was added to the ''subs prop set'' command (''1'' — prohibit L3 auth, ''0'' — allow). By default, L3 auth is allowed. | - [DPDK] Increased maximum memory size to 256 GB |
| - [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before a packet is accepted for processing, to block outgoing DDoS traffic with spoofed source IPs from the operator side.\\ Added a new fastdpi.conf option ''ip_filter_source_as_flags'' [hot] — filtering subs traffic by AS. Bitmask of AS (autonomous system) flags for the source IP from the subs side.\\ Only packets whose source IP AS contains at least one of the listed flags are allowed for processing. Otherwise, the packet is dropped. AS flag values (bit mask): | - [DPI][BRAS] Added service 20: rating group (RG) policing and volume quota control.\\ Creating service 20 profile: |
| * 0 - filtering disabled (default) — ''ip_filter_source_as_flags=0x0'' | - Enable RG support in fastdpi.conf\\ ''rating_group_count=0'' — number of rating groups, ''0'' — RG disabled. Default value: ''0'' |
| * 0x0100 - pass | - Prepare a text file where each rating group defines TBF policing, quota, and action upon quota exhaustion, example:<code>rg4 tbf rate 1Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 100MB report |
| * 0x0200 - local | rg5 tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 1GB block</code> ''report'' and ''block'' are available actions upon quota reach: ''report'' — notify about quota reached but continue traffic forwarding; ''block'' — notify and block traffic for this rating group |
| * 0x0400 - peer | - Convert text file to binary format: <code>cat rg.txt | lst2rg rg.bin</code> |
| * 0x0800 - term | - Place resulting binary file into directory from which DPI will read it: <code>cp rg.bin /var/lib/dpi/rg.bin</code> |
| * 0x1000 - mark1 | - Create service profile: <code>fdpi_ctrl load profile --service 20 --profile.name rg1 --profile.json '{ "rg_list" : "/var/lib/dpi/rg.bin" }'</code> ''max_profiles_serv20'' — maximum number of profiles. Default — 32.\\ \\ Utility rg2lst allows decoding binary file into readable form: <code>rg2lst rg.bin > rg.txt</code> |
| * 0x2000 - mark2 | - [DPIUTILS] Added utilities lst2rg and rg2lst for converting service 20 profiles |
| * 0x4000 - mark3 | |
| - [BNG][PPP] Added database-session utilization statistics to the ''ppp show stat'' command | |
| - [BNG][PCEF][Policing] Added configuration of global policing from parameters passed in the ''VasExperts-Policing-Profile'' attribute with the ''BR##'' prefix | |
| - [BNG][PCEF][Services] Added configuration of a personal (''noname'') user profile for services from parameters passed in the ''VasExperts-Service-Profile'' attribute with the ''BP##'' prefix | |
| - [BNG][PCEF][rating-group] New options (cold, requires fastDPI restart): | |
| * ''rating_group_count'' — number of rating groups, ''0'' — RG disabled. Default: ''0'' | |
| * ''rating_group_max_subs'' — max number of subscribers with RG. Default: ''0'' (RG disabled)\\ RG storage is initialized only if billing statistics are enabled. Memory sizing for RG statistics: counter size per one RG = 32 bytes. Total required memory:<code>32 * rating_group_count * rating_group_max_subs * num_thread</code> For example, for 10k subscribers, 256 RG, and 8 processing threads, 625M of memory is required:<code>rating_group_count = 256 | |
| rating_group_max_subs = 10000 | |
| num_thread = 8 | |
| memory_required= 32 * 256 * 10000 * 8 = 625M</code> | |
| - [BNG][PCEF][rating-group][RADIUS Accounting] Output RG statistics in RADIUS Accounting. RG statistics are sent in separate Interim-Update packets. Only non-zero RG data is sent. Due to the 4096-byte RADIUS packet size limitation, RG data can be split into multiple Interim-Update RADIUS packets. \\ To distinguish the Interim-Update type, it contains an indicator of the data carried inside: the new VSA ''VasExperts-Acct-Type'' (id=28, vendor 43823, integer) with values: | |
| * ''0'': standard Interim Update Accounting | |
| * ''1'': RG data \\ Each rating group and its counters are sent in *one* VSA, which contains the following attributes: | |
| * ''VasExperts-Acct-Rating-Group'' (new short attribute, 16-bit integer) - RG number; | |
| * ''VasExperts-Acct-Input-Octets-64'' | |
| * ''VasExperts-Acct-Output-Octets-64'' | |
| * ''VasExperts-Acct-Input-Packets-64'' | |
| * ''VasExperts-Acct-Output-Packets-64''\\ packet/byte counters by direction are output according to the ''acct_swap_dir'' option (as in Accounting). \\ RG transfer specifics: | |
| * RG are optional data and may be absent for a subscriber; accordingly, no RG accounting will be sent for such a subscriber; | |
| * if the RADIUS server does not acknowledge receiving an RG packet, it is not retransmitted — fresh data will be sent in the subscriber’s next Interim-Update; | |
| * if a subscriber has RG statistics, then before sending Acct-Stop at session end, the current RG data is sent in Interim-Update packets. | |
| - [BNG][PCEF][rating-group][CLI] Added: the CLI command ''subs traffic stat''. For the specified subscriber, the command outputs billing statistics and rating group statistics, if they are enabled for the subscriber. | |
| - [BNG][PCEF][rating-group][RADIUS Accept] Added: setting the RG service at authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the specific subscriber. RG is set at the subscriber level during authorization by specifying a special service 9 profile named 'RG': | |
| <code>VasExperts-Service-Profile :="9:RG"</code> If service 9 is disabled, RG accumulation is disabled as well.\\ | |
| Examples for service 9 and RG: | |
| <code># service 9 enabled, RG disabled. Standard RADIUS Accounting is sent. | |
| VasExperts-Enable-Service :="9:on"</code> | |
| <code># service 9 enabled, RG enabled. RG data is sent in RADIUS Accounting. | |
| VasExperts-Service-Profile :="9:RG"</code> | |
| <code># service 9 disabled, RG disabled. Standard RADIUS Accounting and RG are not sent. | |
| VasExperts-Enable-Service :="9:off"</code> | |
| |
| === NAT === | =====Changes in version 14.2 BETA6===== |
| - [CG-NAT] Added ''rx_dispatcher=3'' — a method with even load balancing across an arbitrary number of threads with NAT 1:1 support requiring assignment of specific addresses. | - [DPI] Added viber_cl check by container |
| - [CG-NAT] Accounting for translation lifetime in the ''fdpi_ctrl list status --service 11 --login UserName (--ip IP)'' command. Additional fields were added to the output: ''active_sess_tcp'' — number of active NAT translations for TCP and ''active_sess_udp'' — number of active NAT translations for UDP.\\ Translation activity is determined by the time it was last used and by the lifetime parameter configured in the cluster options. | - [DPI] Fixed: override of cloud protocols by some built-in ones |
| - [CG-NAT][CLI] Accounting for translation lifetime in the ''nat show <internal_ip> [<lifetime>]'' command. Outputs a list of all NAT translations for the specified private IP. A translation record looks like: | - [DPI] Fixed: added protocol detection for addresses when SNI is already in the first packet to preserve IP/SNI priority |
| * nat_type - NAT type (0 - CGNAT, 1 - NAT 1:1), | - [DPI] Fixed: DSCP detection from the first packet for cloud protocols defined by addresses |
| * protocol - L4 protocol (0 - TCP, 1 - UDP), | - [NAT] Added explicit TCP connection close when port is reused by another subscriber |
| * internal_ip - private IP, | - [CLI] Added new fields in ''fdpi_cli dump flow cache command''. [[en:dpi:qoe_analytics:cases:network_health:flood|Description]] |
| * internal_port - private port, | - [NAT] Changed public port queue handling: ports with short lifetime and long lifetime are now in separate queues. Ports are now elements of a private address subqueue. A port accessed from a non-owner flow thread can be reused immediately |
| * dest_ip - destination IP, | - [CLI] Added rating group and tethering control via service 18, where new optional fields were added to the profile configuration:\\ ''tethN'', possible values: |
| * dest_port - destination port, | * teth0 — no tethering control (default) |
| * external_ip - public IP, | * teth1 — tethering control enabled: tethering present |
| * external_port - public port, | * teth2 — tethering control enabled: no tethering\\ \\ ''rgN'', possible values: |
| * active - translation activity flag (true if active)\\ Translation activity is determined by the time it was last used and by the lifetime parameter configured in the cluster options. If ''<lifetime>'' (in seconds) is specified, its value is used as the translation lifetime. | * rg0 default (rg not set) |
| - [NAT][CLI] Output translations for a client by private IP using ''nat show'' | * rg1 rg=1 is set\\ .. |
| | * rg65535 rg=65535 is set\\ \\ **Example of service 18 configuration:** |
| | - prepare configuration file example.txt<code> |
| | http cs0 teth1 rg1 |
| | https cs0 teth1 rg1 |
| | http cs0 teth2 rg2 |
| | https cs0 teth2 rg2 |
| |
| === CLI === | dns cs1 teth1 rg1 |
| - [CLI] Added the ''subs bind show'' command to view the list of IP addresses bound to the login ''<login>'':<code>subs bind show <login> [memory|udr]</code>Two modes: | dns cs1 teth2 rg2 |
| * ''memory'' (default) outputs the IP-to-login binding as it is currently configured in fastDPI. | |
| * ''udr'' — outputs the IP-to-login binding from UDR\\ The output of these two modes may differ: not all IP←→login bindings are stored in UDR; for example, for Framed-Route subnets, the login binding is created only in memory, while the Framed-Route subnets themselves are stored in UDR in a separate table, see the CLI command group ''cli framed route ?'' | |
| - [CLI] Added: the CLI command ''stat http''. This command outputs internal statistics similar to the output in fastdpi_stat.log: | |
| * Detailed statistics on HTTP | |
| * Detailed statistics on SSL_SAVEBL | |
| * Detailed statistics on QUIC_IETF_SAVEBL | |
| * Detailed statistics on BitTorrent | |
| |
| === IPFIX === | default cs7 teth0 rg3</code> :!: **In this example, tethering is tracked for http/https protocols and corresponding RG is assigned depending on it. Note that policing class cs is the same. Similarly for dns protocol. For ALL other protocols (default), tethering control is disabled and a separate RG is specified.** |
| - [IPFIX] Storing TTL information from the IP packet header. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]] \\ Added to Full NetFlow statistics in IPFIX format: | - convert to internal format<code>cat example.txt|lst2dscp /tmp/example.bin</code> |
| * Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs | - optionally verify with reverse conversion<code>dscp2lst /tmp/example.bin</code> |
| * Rating group, id 2020 | - create service 18 profile and assign to subscriber (or assign unnamed profile directly)<code> fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/example.bin" }' |
| | fdpi_ctrl load --service 18 --profile.name test_dscp --login test_subs</code> check<code>fdpi_ctrl list --service 18 --login test_subs</code> In trace, field ''rg=N'' is added |
| | - [BRAS][DHCPv6] Fixed periodic ICMPv6 Router Adv sending for DHCPv6 subscribers |
| | - [BRAS][pppoe] Fixed modification of src/dst MAC in Ethernet header during termination. For PPPoE packets, Ethernet termination must always be performed. But with ''bras_term_by_as=1'' enabled, when srcAS is not marked as term, Ethernet src/dst MAC was not changed |
| |
| === Utilities === | =====Changes in version 14.2 BETA5===== |
| - [utils] Added the name2custom utility to view the list of protocols loaded from the cloud (as opposed to built-in ones) | - [BASE] Added LLDP support.\\ When LLDP support is enabled, fastDPI emits LLDP packets (LLDPDU) on specified ports. Incoming LLDP packets are unconditionally dropped.\\ New fastdpi.conf parameters (all parameters are hot, set in ''lldp'' section): |
| | * ''enable'' — LLDP support enable flag. By default, if ''lldp'' section exists in config, ''enable=on''; otherwise ''enable=off'' |
| | * ''chassis'' — string — Chassis-Id value. Chassis-Id TLV is mandatory in LLDP packet. If not set, it is taken as MAC address from ''bras_arp_mac'', otherwise port MAC |
| | * ''ttl'' — number — TTL value in seconds, default 120 |
| | * ''src_mac'' — MAC address — source MAC in Ethernet header of LLDPDU. If not set, taken from ''bras_arp_mac'' or port MAC |
| | * ''dest_mac'' — MAC address — destination MAC in Ethernet header of LLDPDU. Default — ''01:80:c2:00:00:0e'' (LLDPDU multicast) |
| | * ''system_name'' — string — System-Name TLV value. If not set, TLV is not included in LLDPDU |
| | * ''system_desc'' — string — System-Desc TLV value. If not set, TLV is not included in LLDPDU |
| | * ''device=<port_name>;enable=<on|off>;desc=<port_desc>'' — ports for which LLDPDU should be sent. Each port is defined via separate ''device'' parameter; port name is from in_dev/out_dev. Per-port options: |
| | * ''enable=on|off'' — enable/disable LLDPDU sending for this port, default ''on'' |
| | * ''desc=string'' — Port-Desc TLV value; if not set, TLV is not included\\ \\ Debug options: |
| | * ''trace'' — enable LLDP tracing (boolean) |
| | * ''pcap'' — write LLDP packets to PCAP (boolean) |
| | - [CLI] New CLI commands: ''lldp enable'', ''lldp disable'' — allow enabling/disabling LLDP packet generation |
| | - [NAT] Improvements in session limit management: for ''nat_tcp_max_sessions''/''nat_udp_max_sessions'' limits, which define the number of allocated public ports, fixed decrement of allocated port counter which could lead to slight limit overflow. Counters ''whpf'', ''whp_salfs'', ''whp_lalfs'', ''whp_ruse'', ''whp_ruse_salfs'', ''whp_ruse_lalfs'' and similar flow statistics counters (''thr_salfs'' etc.), as well as ''nat show'' output, now reflect current actual usage instead of cumulative usage |
| | - [NAT] Fixed: NAT translation validity check in FullCone mode when ''nat_whp_lifetime'' < ''lifetime_flow'': if session becomes active again while NAT port is already reused, a new port is allocated |
| |
| ===== Changes in version 14.1 BETA2 ===== | =====Changes in version 14.2 BETA4===== |
| === IPFIX === | - [DPI] Added detection of FakeTLS protocol with validation |
| - [IPFIX] Fixed an issue with converting time to unix format | - [DPI] Fixed: switching from QUIC_UNKNOWN to QUIC upon successful SNI parsing |
| | - [DHCP6-Proxy] Added DHCPv6 option 79 Client-LinkLayer-Address, containing subscriber MAC address, in Relay-Forward requests to DHCPv6 Framed-Pool server |
| | - [VLAN-Rule][PPPoE] Added output of all Service-Name permissions to the ''vlan rule show'' command |
| | - [VLAN-Rule][PPPoE] Added full support for Service-Name in QinQ. Supported rules: |
| | - without CVLAN selectivity: rules of type ''SVLAN.*'' with and without SName |
| | - full QinQ (''svlan.cvlan'') with SName selectivity |
| | - [VLAN-Rule][PPPoE] Refactoring of Service-Name support. ''vlan rule add/rm'' commands now support PPPoE and Service-Name.\\ Adding PPPoE processing rule for a given ''<Range>'' VLAN/QinQ: <code>vlan rule add <Range> pppoe [enable | drop | pass | delay N]</code>Adding PPPoE Service-Name processing rule for a given ''<Range>'' VLAN/QinQ:<code>vlan rule add <Range> pppoe sname <Service-Name> [enable | drop | pass | delay N]</code> Here ''<Service-Name>'' is the PPPoE Service-Name in single or double quotes (or without quotes if it is an identifier (''[a-zA-Z_][a-zA-Z_0-9]*''))\\ \\ Permissions: |
| | - ''enable'' - PPPoE processing allowed |
| | - ''drop'' - drop PPPoE packets |
| | - ''pass'' - pass PPPoE packets through without processing |
| | - ''delay N'' - establish PPPoE session with a delay of N seconds (0 < N < 16) |
| | - [IPFIX] Added ability to send data over UDP exceeding MTU size (with IP fragmentation) |
| | - [DNS] Added parameters ''ajb_save_dns_answer_types'' and ''ajb_save_dns_request_types'' allowing definition of DNS request/response types for file logging and IPFIX export |
| | - [IPFIX] Fixed default timeout configuration error |
| | - [DHCP-Dual] Fixed incorrect IPv6 PD prefix formation for addresses from Framed-IPv6-Pool |
| | - [DHCP-Dual] Fixed crash when enabling tracing by MAC ''bras_dhcp_trace_mac'' |
| | - [DHCP-Dual] Fixed issue where DHCPv6 followed by DHCPv4 request sequence caused extra authorization |
| | - [DHCP-Dual] Fixed DHCPv6 response tracing when MAC address tracing is enabled |
| | - [DNS] Added utility dic2dns. [[en:dpi:dpi_options:dns_substitution#configuration|Description]] |
| |
| === BNG === | =====Changes in version 14.2 BETA3===== |
| - [BNG][SHCV][hot] Added activity control for a static IP L2 subscriber (a subscriber for whom, during L3 authorization, RADIUS returned the flag ''VasExperts-L2-User=1'').\\ New options (all hot): | ===DPI=== |
| * ''bras_subs_shcv_interval'' — inactivity interval, seconds; ''0'' - SHCV disabled. | - [DPI] Added GRE ERSPAN tunnel parsing for ''check_tunnels=1'' mode |
| * ''bras_subs_shcv_retry_timeout'' — ARP request response wait time, seconds; default = ''3'' seconds. | - [DPI] Message "Can't allocate record http_state" is now printed once per 50000 occurrences |
| * ''bras_subs_shcv_retry_count'' — number of ARP requests; default = ''3''. | - [DPI] Added MARK2 flag check for redefinition into QUIC_UNKNOWN_MARKED when QUIC protocol is still being identified via SNI. [[en:dpi:dpi_options:opt_priority:priority_config_as#file_format_of_autonomous_systems_list_and_their_priorities|Description]] |
| * ''bras_shcv_trace'' — SHCV tracing; default = ''off''.\\ \\ If there is no traffic from the subscriber for ''bras_subs_shcv_interval'' seconds, fastDPI starts pinging the subscriber by sending a unicast ARP request on behalf of the subscriber gateway. Waiting for an ARP reply is ''bras_subs_shcv_retry_timeout'' seconds. If no reply is received for ''bras_subs_shcv_retry_count'' consecutive ARP requests, or the ARP reply contains a different MAC, the subscriber is considered inactive, their authorization status is reset, and the accounting session is stopped. | ===BRAS=== |
| - [BNG][DHCP][hot] New values ''2'' and ''4'' are now available for the ''bras_dhcp_check_secondary_keys'' option. Full option description:\\ \\ ''bras_dhcp_check_secondary_keys'' — control of secondary unique keys (opt82/QinQ) [hot]\\ In DHCP, the primary keys are ClientId (opt61) or, if ClientId is not specified, the client MAC address. In secondary key control mode, if another DHCP session is found by at least one secondary key, it will be closed (Acct Stop is sent) | - [BRAS][Router] Changed Linux route table parsing at router startup. [[en:dpi:dpi_components:router#the_internal_router_architecture|Description]] |
| * ''0'' (default) — do not control secondary keys. | |
| * ''1'' — control all secondary keys — QinQ and opt82 | |
| * ''2'' — control opt82 only | |
| * ''4'' — control QinQ only | |
| |
| === RADIUS === | =====Changes in version 14.2 BETA2.1===== |
| - [FastRADIUS] Added support for logging to syslog. New parameter ''syslog_level'' in fdpi_radius.conf — the log level for writing messages from the alert log to syslog. ''0'' — syslog logging is disabled (default). | ===NAT=== |
| | - [CG-NAT] NAT optimization changes |
| ===== Changes in version 14.1 BETA3 ===== | |
| - [DPI][tethering] Added tethering detection. Parameter ''tethering_ttl_allowed = 128:64'' [hot] defines the list of allowed TTL values for subscriber traffic that are not considered tethering. Values are listed separated by ':'. Up to 256 values (0-255). [[en:dpi:dpi_options:opt_statistics:statistics_ipfix|Description]] | |
| - [IPFIX] Added new 64-bit fields to Full NetFlow IPFIX. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]] \\ ''service_flags'' - information about tags assigned to a flow in DPI. Detected tethering is reported in IPFIX in bit 1 of the service_flags field. 63 bits are available for future use. \\ ''detection_flags'' - reserved for the detection method. \\ ''action_flags'' - reserved to indicate what actions were applied to the flow. | |
| - [IPFIX] Fixed TTL export in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]] | |
| |
| | =====Changes in version 14.2 BETA2===== |
| | ===DPI=== |
| | - [DPI][DNS] Fixed issue with service 19 for IPv6 traffic |
| | ===BRAS=== |
| | - [BRAS][DHCP-Dual] Added Lease-Time accounting\\ In DHCP Dual mode, it is critical that ''Session-Timeout'' is at least 4 times greater than ''Lease-Time''. If this condition is violated, ''Lease-Time'' is set to 1/4 of ''Session-Timeout''.\\ ''Lease-Time'' is taken from RADIUS authentication response (in order of priority): |
| | - attribute ''DHCP-IP-Address-Lease-Time''; |
| | - attribute ''VasExperts-DHCP-Option-Num'' defining option 51; |
| | - DHCP option 51 if address is allocated from ''Framed-Pool''.\\ \\ If ''Lease-Time'' is not specified by any of the above methods, it is set to 1/16 of ''Session-Timeout''.\\ Minimum values: |
| | * ''Session-Timeout'' — 600 seconds |
| | * ''Lease-Time'' — 60 seconds |
| | ===NAT=== |
| | - [CG-NAT] Added support for disabling white address cache for NAT export. Setting ''nat_dstaddr_cache_size=0'' in ''/etc/dpi/fastdpi.conf'' |
| |
| | =====Changes in version 14.2 BETA1===== |
| | ===DPI=== |
| | - [DPDK] Migration to new DPDK version 25.11. [[en:dpi:dpi_brief:dpi_requirements#minimum_requirements|Description]] |
| | - [DPI][NAT] Optimization under private-to-public cache overflow |
| | - [CLI][VLAN] Added parameter to ''vlan rule dump'' command defining rule type output: ''vlan rule dump [type]''\\ ''type'' — rule type: ''perm'', ''dhcp'', ''all'' (default)\\ Show VLAN permissions:<code>vlan rule dump perm</code> Show DHCP-only rules: <code>vlan rule dump dhcp</code> Show all rules: <code>vlan rule dump</code> |
| | - [CLI][DPI] Extended output of ''fdpi_cli dump flow cache format'' with new fields. [[en:dpi:dpi_components:platform:dpi_admin:flow_statistics|Description]] |
| | - [BALANCER] Added ability to use vlan rule for packet filtering |
| | - [DPDK] Added new option ''dpdk_max_memzone'' [cold] — sets DPDK max memzone count. Default in DPDK is ''5120'' (depends on DPDK version)\\ ''0'' — use default value from DPDK. Increasing this is useful for huge configurations with many NICs if startup error occurs: "Number of requested memzone segments exceeds maximum 5120" |
| | - [CLI][DHCP-Dual] Added support for command ''dhcp show stat vrf'' |
| | - [DPDK] New engine ''dpdk_engine=7'' with explicit dispatcher assignment\\ This engine supports heterogeneous configurations where ports of different types exist in one cluster — e.g. in-dev 100G port and multiple 10G out-dev ports.\\ Dispatchers are defined in ''dpdk_dispatch'': <code>dpdk_dispatch=<port-list>[;params]*</code> |
| | * ''<port-list>'' defines which ports are handled by this dispatcher |
| | * ''params'' — additional options: |
| | * ''rss=N'' — enable RSS on all ports in dispatcher; creates N dispatchers per RX queue |
| | * ''mempool_size=N'' — size of ''mbuf_pool'' for dispatcher; each dispatcher has its own mempool\\ \\ Multiple ''dpdk_dispatch'' entries may exist; each defines a separate dispatcher (or group if RSS is enabled). Each cluster port must belong to exactly one ''dpdk_dispatch''. On-stick ports must reference the base physical port.\\ Configuration errors: |
| | * cluster port is not included in any ''dpdk_dispatch'' |
| | * cluster port appears in multiple ''dpdk_dispatch'' entries |
| | * ports from different clusters are mixed in one dispatcher\\ \\ Example mappings:<code> |
| | dpdk_engine=0: single dispatcher for all ports |
| | dpdk_engine=1: dispatcher per direction |
| | dpdk_engine=3: bridge dispatcher |
| | dpdk_engine=4: per-port dispatcher |
| | dpdk_engine=6: bridge dispatcher with RSS |
| | </code> |
| | - [IPFIX] Fixed error when changing ''ipfix_dev'' option |
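
The ''ip_filter_source_as_flags'' source-AS filter from the 14.1 BETA1 BNG changes, as an added example that is not part of the original changelog or of the vendor's code: it reads the option from a config snippet, names the flags, reports bits the changelog does not define, and applies the accept/drop rule. The sample config, the source labels and the function names are constructed for illustration.

```python
import re

# AS flag bits as listed for ip_filter_source_as_flags in the changelog.
AS_FLAGS = {
    0x0100: "pass", 0x0200: "local", 0x0400: "peer", 0x0800: "term",
    0x1000: "mark1", 0x2000: "mark2", 0x4000: "mark3",
}
KNOWN_BITS = sum(AS_FLAGS)
OPTION_RE = re.compile(
    r"^\s*ip_filter_source_as_flags\s*=\s*(0[xX][0-9a-fA-F]+|\d+)\s*$")


def read_mask(conf_text):
    """Return the configured mask; 0 (filtering disabled) if the option is absent."""
    mask = 0
    for line in conf_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            text = m.group(1)
            mask = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    return mask


def describe(mask):
    """Split a mask into named flags and any bits the changelog does not define."""
    names = [name for bit, name in sorted(AS_FLAGS.items()) if mask & bit]
    return names, mask & ~KNOWN_BITS


def verdict(mask, source_as_flags):
    """Accept when filtering is off or the source AS carries a listed flag."""
    if mask == 0:
        return "accept"
    return "accept" if source_as_flags & mask else "drop"


def audit(conf_text, sources):
    """Decode the configured mask and evaluate each (label, as_flags) source."""
    mask = read_mask(conf_text)
    names, undefined = describe(mask)
    return {
        "mask": mask,
        "flags": names,
        "undefined_bits": undefined,
        "verdicts": {label: verdict(mask, flags) for label, flags in sources},
    }


# Constructed sample: allow only sources whose AS is flagged local or term.
SAMPLE_CONF = "enable_auth=1\nip_filter_source_as_flags=0x0A00\n"
SAMPLE_SOURCES = [
    ("subscriber pool (local)", 0x0200),
    ("terminated AS with mark1", 0x1800),
    ("peer AS", 0x0400),
    ("source AS with no flags", 0x0000),  # e.g. a spoofed, unlisted source
]

if __name__ == "__main__":
    result = audit(SAMPLE_CONF, SAMPLE_SOURCES)
    print(hex(result["mask"]), result["flags"], hex(result["undefined_bits"]))
    for label, decision in result["verdicts"].items():
        print(f"{decision:6} {label}")
```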
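
For the RG accounting described in the 14.1 BETA1 BNG changes, a collector has to tell standard Interim-Update packets from RG ones by the ''VasExperts-Acct-Type'' VSA (id=28, vendor 43823). The following is an added example, not part of the original changelog or of the vendor's code. It assumes the VSA uses the RFC 2865 sub-attribute layout (1-byte type, 1-byte length) with a 32-bit big-endian integer; the sample packets and function names are constructed.

```python
import struct

RADIUS_ACCOUNTING_REQUEST = 4   # RFC 2866 packet code
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865
ATTR_ACCT_STATUS_TYPE = 40      # RFC 2866
ACCT_INTERIM_UPDATE = 3         # Acct-Status-Type value for Interim-Update
VASEXPERTS_VENDOR_ID = 43823    # from the changelog
VSA_ACCT_TYPE = 28              # VasExperts-Acct-Type, from the changelog
ACCT_TYPE_NAMES = {0: "standard", 1: "rating-group"}


def iter_tlv(buf):
    """Yield (type, value) for 1-byte type / 1-byte length TLVs (length covers the header)."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len


def classify_accounting(packet):
    """Return 'standard', 'rating-group', 'unknown', 'unmarked' or 'not-interim'."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet) or length > 4096:
        raise ValueError("bad RADIUS length")
    status = acct_type = None
    # The 16-byte authenticator at packet[4:20] is not verified in this sketch.
    for a_type, value in iter_tlv(packet[20:length]):
        if a_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
        elif a_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != VASEXPERTS_VENDOR_ID:
                continue
            for v_type, v_value in iter_tlv(value[4:]):
                if v_type == VSA_ACCT_TYPE and len(v_value) == 4:
                    acct_type = struct.unpack("!I", v_value)[0]
    if status != ACCT_INTERIM_UPDATE:
        return "not-interim"
    if acct_type is None:
        return "unmarked"   # no indicator present in the packet
    return ACCT_TYPE_NAMES.get(acct_type, "unknown")


def attr(a_type, value):
    """Encode one attribute or sub-attribute."""
    return bytes([a_type, len(value) + 2]) + value


def build_interim(acct_type=None):
    """Constructed sample Interim-Update; acct_type=None omits the VSA."""
    attrs = attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_INTERIM_UPDATE))
    if acct_type is not None:
        sub = attr(VSA_ACCT_TYPE, struct.pack("!I", acct_type))
        attrs += attr(ATTR_VENDOR_SPECIFIC,
                      struct.pack("!I", VASEXPERTS_VENDOR_ID) + sub)
    header = struct.pack("!BBH", RADIUS_ACCOUNTING_REQUEST, 1, 20 + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    for sample in (build_interim(0), build_interim(1), build_interim()):
        print(classify_accounting(sample))
```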