| en:dpi:changelog:versions:ver_14 [2026/03/03 14:28] – [Changes in version 14.1] elena.krasnobryzh | en:dpi:changelog:versions:ver_14 [2026/03/26 08:28] (current) – [Changes in version 14.1] elena.krasnobryzh |
|---|
| ===BNG=== | ===BNG=== |
| - [BNG][framed-route] Fixed: Framed-Route delivery when a subscriber login is changed. Previously, when the login was changed, Framed-Route subnets remained attached to the old login, and all services and policing for Framed-Route subnets were taken from the old login. | - [BNG][framed-route] Fixed: Framed-Route delivery when a subscriber login is changed. Previously, when the login was changed, Framed-Route subnets remained attached to the old login, and all services and policing for Framed-Route subnets were taken from the old login. |
| - [BNG] Added the ''bras_disable_l3_auth'' option — an explicit prohibition of L3 auth in L2 BNG mode for all subscribers. For example, only DHCP authorization will work for subscribers with the AS local meta. Default value: ''off'' (L3 auth allowed) ''bras_disable_l3_auth=off''. This option is meaningful only if ''enable_auth=1''. The option is incompatible with the ''bras_dhcp_auth_mix=0'' mode: if ''bras_dhcp_auth_mix=0'' is set, ''bras_disable_l3_auth'' is forced to ''off'' (L3 auth allowed) and a warning is logged to the alert log. | - [BNG] Added the ''bras_disable_l3_auth'' option — an explicit prohibition of L3 auth in L2 BNG mode for all subscribers. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_l3auth#global_disable_l3_authentication|Description]] |
| - [BNG] Added a new subscriber flag — prohibition of L3 auth for a specific subscriber. This flag can be set or cleared only via CLI: a new parameter ''disable_l3_auth=[1:0]'' has been added to the ''subs prop set'' command (''1'' — disable L3 auth, ''0'' — enable). By default, L3 auth is enabled. | - [BNG] Added a new subscriber flag — prohibition of L3 auth for a specific subscriber. This flag can be set or cleared only via CLI: a new parameter ''disable_l3_auth=[1:0]'' has been added to the ''subs prop set'' command. [[en:dpi:bras_bng:cli:subs#subs_prop_set|Description]] |
| - [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before packet processing to block operator-originated DDoS attacks with IP address spoofing. [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg#filtering_by_source_as_flags|Description]] | - [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before packet processing to block operator-originated DDoS attacks with IP address spoofing. [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg#filtering_by_source_as_flags|Description]] |
| - [BNG][PPP] Added database session utilization statistics to the ''ppp show stat'' command. [[en:dpi:bras_bng:cli:pppoe#pppoe_show_stat|Description]] | - [BNG][PPP] Added database session utilization statistics to the ''ppp show stat'' command. [[en:dpi:bras_bng:cli:pppoe#pppoe_show_stat|Description]] |
| - [BNG][PCEF][Policing] Added configuration of common policing from parameters passed in the ''VasExperts-Policing-Profile'' attribute with the ''BR##'' prefix | - [BNG][PCEF][Policing] Added configuration of common policing from parameters passed in the ''VasExperts-Policing-Profile'' attribute with the ''BR##'' prefix. [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response#policing_with_absolute_value_transmission_extended_htb_format|Description]] |
| - [BNG][PCEF][Services] Added configuration of a personal (''noname'') user profile for services from parameters passed in the ''VasExperts-Service-Profile'' attribute with the ''BP##'' prefix | - [BNG][PCEF][Services] Added configuration of a personal (''noname'') user profile for services from parameters passed in the ''VasExperts-Service-Profile'' attribute with the ''BP##'' prefix. [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response#example_3_overriding_traffic_classes_and_policing|Description]] |
| - [BNG][PCEF][rating-group] New options (cold, fastDPI restart required): | - [BNG][PCEF][rating-group] New options (cold, fastDPI restart required): |
| * ''rating_group_count'' — number of rating groups, ''0'' — RG disabled. Default value: ''0'' | * ''rating_group_count'' — number of rating groups, ''0'' — RG disabled. Default value: ''0'' |
| * ''rating_group_max_subs'' — maximum number of subscribers with RG. Default value: ''0'' (RG disabled)\\ RG storage is initialized only if billing statistics are enabled. Memory calculation for RG statistics: counter size per RG = 32 bytes. Total required memory:<code>32 * rating_group_count * rating_group_max_subs * num_thread</code> For example, for 10k subscribers, 256 RGs, and 8 processing threads, 625M of memory is required:<code>rating_group_count = 256 | * ''rating_group_max_subs'' — maximum number of subscribers with RG. Default value: ''0'' (RG disabled)\\ [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group|Description]] |
| rating_group_max_subs = 10000 | - [BNG][PCEF][rating-group][RADIUS Accounting] Output of RG statistics in RADIUS Accounting. RG statistics are transmitted in separate Interim-Update packets. Only non-zero RG data are sent. [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group|Description]] |
| num_thread = 8 | |
| memory_required = 32 * 256 * 10000 * 8 = 625M</code> | |
| - [BNG][PCEF][rating-group][RADIUS Accounting] Output of RG statistics in RADIUS Accounting. RG statistics are transmitted in separate Interim-Update packets. Only non-zero RG data are sent. Due to the 4096-byte RADIUS packet size limit, RG data may be split across multiple Interim-Update packets.\\ To distinguish Interim-Updates containing RG data, a new VSA ''VasExperts-Acct-Type'' (id=28, vendor 43823, integer type) is used with the following values: | |
| * ''0'' — standard Interim Update Accounting | |
| * ''1'' — RG data\\ Each rating group and its counters are transmitted in *one* VSA containing the following attributes: | |
| * ''VasExperts-Acct-Rating-Group'' (new attribute of type short, 16-bit integer) — RG number; | |
| * ''VasExperts-Acct-Input-Octets-64'' | |
| * ''VasExperts-Acct-Output-Octets-64'' | |
| * ''VasExperts-Acct-Input-Packets-64'' | |
| * ''VasExperts-Acct-Output-Packets-64''\\ Packet/byte counters by direction are output according to the ''acct_swap_dir'' option (as in Accounting).\\ RG transmission specifics: | |
| * RGs are optional data and may be absent for a subscriber; accordingly, no RG accounting data will be transmitted for such a subscriber; | |
| * if receipt of an RG packet by the RADIUS server is not confirmed, it is not retransmitted — fresh data will be sent in the subscriber’s next Interim-Update; | |
| * if a subscriber has RG statistics, current RG data are sent in Interim-Update packets before sending Acct-Stop at session termination. | |
| - [BNG][PCEF][rating-group][CLI] Added the ''subs traffic stat'' CLI command. The command outputs billing statistics and rating group statistics for the specified subscriber, if enabled. [[en:dpi:bras_bng:cli:subs#subs_traffic_stat|Description]] | - [BNG][PCEF][rating-group][CLI] Added the ''subs traffic stat'' CLI command. The command outputs billing statistics and rating group statistics for the specified subscriber, if enabled. [[en:dpi:bras_bng:cli:subs#subs_traffic_stat|Description]] |
| - [BNG][PCEF][rating-group][RADIUS Accept] Added configuration of the RG service during authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the subscriber. RG is assigned at the subscriber level during authorization by specifying a special service 9 profile named 'RG': <code>VasExperts-Service-Profile :="9:RG"</code> When service 9 is disabled, RG accumulation is also disabled.\\ Examples of configuring service 9 and RG: <code># service 9 enabled, RG disabled. Standard RADIUS Accounting is sent. | - [BNG][PCEF][rating-group][RADIUS Accept] Added configuration of the RG service during authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the subscriber. [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group|Description]] |
| VasExperts-Enable-Service :="9:on"</code> <code># service 9 enabled, RG enabled. RG data are sent in RADIUS Accounting. | |
| VasExperts-Service-Profile :="9:RG"</code> <code># service 9 disabled, RG disabled. Standard RADIUS Accounting and RG are not sent. | |
| VasExperts-Enable-Service :="9:off"</code> | |
| - [BNG][SHCV][hot] Added activity monitoring for static IP L2 subscribers (subscribers for whom RADIUS returned the ''VasExperts-L2-User=1'' flag during L3 authorization). [[en:dpi:bras_bng:bras_l2_options:subs_activity#monitoring_subscriber_activity_with_session_termination_subscriber_host_connectivity_verification|Description]] | - [BNG][SHCV][hot] Added activity monitoring for static IP L2 subscribers (subscribers for whom RADIUS returned the ''VasExperts-L2-User=1'' flag during L3 authorization). [[en:dpi:bras_bng:bras_l2_options:subs_activity#monitoring_subscriber_activity_with_session_termination_subscriber_host_connectivity_verification|Description]] |
| - [BNG][DHCP][hot] New values ''2'' and ''4'' are available for the ''bras_dhcp_check_secondary_keys'' option. Full option description:\\ \\ ''bras_dhcp_check_secondary_keys'' — control of secondary unique keys (opt82/QinQ) [hot]\\ In DHCP, the primary keys are ClientId (opt61) or, if ClientId is not specified, the client MAC address. In secondary key control mode, if another DHCP session is found by at least one secondary key, it will be closed (Acct Stop is sent). | - [BNG][DHCP][hot] New values are available for the ''bras_dhcp_check_secondary_keys'' option: 2 (check only opt82) and 4 (check only QinQ). [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_secondary_keys|Description]] |
| * ''0'' (default) — do not control secondary keys | |
| * ''1'' — control all secondary keys — QinQ and opt82 | |
| * ''2'' — control only opt82 | |
| * ''4'' — control only QinQ | |
| - [BNG][L2TP] Fixed: crash when receiving a duplicate out-of-order ctl packet | - [BNG][L2TP] Fixed: crash when receiving a duplicate out-of-order ctl packet |
| - [BNG][dhcp-relay] Added the ability to preserve the siaddr field value.\\ New flag in the ''bras_dhcp_server'' option: ''keep_siaddr=1'' — preserve the DHCP packet siaddr field. Example:<code bash>bras_dhcp_server=188.227.73.42%eth0;arp_proxy=1;reply_port=67;keep_siaddr=1</code> By default, the siaddr field may be modified to hide the real DHCP server address. | - [BNG][dhcp-relay] Added the ability to preserve the siaddr field value.\\ New flag in the ''bras_dhcp_server'' option: ''keep_siaddr=1'' — preserve the DHCP packet siaddr field. Example:<code bash>bras_dhcp_server=188.227.73.42%eth0;arp_proxy=1;reply_port=67;keep_siaddr=1</code> By default, the siaddr field may be modified to hide the real DHCP server address. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_relay#configuration|Description]] |
| - [BNG][CLI] Added the `subs db stat` command to display L2 BNG database statistics | - [BNG][CLI] Added the ''subs db stat'' command to display L2 BNG database statistics. [[en:dpi:bras_bng:cli:subs#subs_db_stat|Description]] |
| - [BNG][DHCP6] Fixed: crash when processing DHCPv6 with an invalid UDP header length | - [BNG][DHCP6] Fixed: crash when processing DHCPv6 with an invalid UDP header length |
| |
| ===NAT=== | ===NAT=== |
| - [CG-NAT] Added ''rx_dispatcher=3'' — a method with uniform load balancing across an arbitrary number of threads with support for NAT 1:1 and the requirement to assign specific addresses. [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|Description]] | - [CG-NAT] Added ''rx_dispatcher=3'' — a method with uniform load balancing across an arbitrary number of threads with support for NAT 1:1 and the requirement to assign specific addresses. [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|Description]] |
| - [CG-NAT] Accounting of translation lifetime in the ''fdpi_ctrl list status --service 11 --login UserName (--ip IP)'' command. Additional fields were added to the command output: ''active_sess_tcp'' — number of active NAT translations for TCP and ''active_sess_udp'' — number of active NAT translations for UDP.\\ Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. | - [CG-NAT] Accounting of translation lifetime in the ''fdpi_ctrl list status --service 11 --login UserName (--ip IP)'' command. Additional fields were added to the command output: ''active_sess_tcp'' — number of active NAT translations for TCP and ''active_sess_udp'' — number of active NAT translations for UDP.\\ Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. [[en:dpi:opt_cgnat:cgnat_diagnostics#legend_for_the_nat_statistics_view_by_subscriber|Description]] |
| - [CG-NAT][CLI] Accounting of translation lifetime in the ''nat show <internal_ip> [<lifetime>]'' command. Displays a list of all NAT translations for the specified gray IP. A translation record looks as follows: | - [CG-NAT][CLI] Accounting of translation lifetime in the ''nat show <internal_ip> [<lifetime>]'' command. Displays a list of all NAT translations for the specified gray IP. [[en:dpi:opt_cgnat:cgnat_diagnostics#list_of_nat_translations|Description]] |
| * nat_type — NAT type (0 — CGNAT, 1 — NAT 1:1) | |
| * protocol — L4 protocol (0 — TCP, 1 — UDP) | |
| * internal_ip — gray IP | |
| * internal_port — gray port | |
| * dest_ip — destination IP | |
| * dest_port — destination port | |
| * external_ip — white IP | |
| * external_port — white port | |
| * active — translation activity flag (true if active)\\ Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. If ''<lifetime>'' (in seconds) is specified, its value is used as the translation lifetime. | |
| |
| ===CLI=== | ===CLI=== |
| - [CLI] Added the ''subs bind show'' command to view the list of IP addresses bound to the login ''<login>'':<code>subs bind show <login> [memory|udr]</code>Two modes: | - [CLI] Added the ''subs bind show'' command to view the list of IP addresses bound to the login ''<login>''. [[en:dpi:bras_bng:cli:subs#subs_bind_show|Description]] |
| * ''memory'' (default) displays IP-to-login bindings as currently configured in fastDPI | - [CLI] Added the ''stat http'' CLI command. This command outputs internal statistics similar to those in fastdpi_stat.log. [[en:dpi:bras_bng:cli:stat#stat_http|Description]] |
| * ''udr'' — displays IP-to-login bindings from UDR\\ The output of these two modes may differ: not all IP↔login bindings are stored in UDR; for example, for Framed-Route subnets, the login binding is created only in memory, while the framed-route subnets themselves are stored in UDR in a separate table; see the ''cli framed route ?'' CLI command group | |
| - [CLI] Added the ''stat http'' CLI command. This command outputs internal statistics similar to those in fastdpi_stat.log: | |
| * Detailed statistics on HTTP | |
| * Detailed statistics on SSL_SAVEBL | |
| * Detailed statistics on QUIC_IETF_SAVEBL | |
| * Detailed statistics on BitTorrent | |
| - [CLI] Fixed the ''list status --service 11'' (NAT) and ''nat show'' commands | - [CLI] Fixed the ''list status --service 11'' (NAT) and ''nat show'' commands |
| |
| ===IPFIX=== | ===IPFIX=== |
| - [IPFIX] Storage of TTL information from the IP packet header. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]]\\ TTL statistics added to Full NetFlow in IPFIX format: | - [IPFIX] Storage of TTL information from the IP packet header. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#export_template_in_ipfix_format_netflow_v10_for_ipv4_protocol|Description]]\\ TTL statistics added to Full NetFlow in IPFIX format: |
| * Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs | * Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs |
| * Rating group, id 2020 | * Rating group, id 2020 |
| - [IPFIX] Fixed an error in time conversion to unix format | - [IPFIX] Fixed an error in time conversion to unix format |
| - [IPFIX] New 64-bit fields added to Full NetFlow IPFIX. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]]\\ ''service_flags'' — information about the tags assigned to the flow in DPI. Detected tethering is reported via IPFIX in bit 1 of the service_flags field. 63 bits are available for further use.\\ ''detection_flags'' — reserved for detection methods.\\ ''action_flags'' — reserved for transmitting actions applied to the flow. | - [IPFIX] New 64-bit fields added to Full NetFlow IPFIX. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#export_template_in_ipfix_format_netflow_v10_for_ipv4_protocol|Description]]\\ ''service_flags'' — information about the tags assigned to the flow in DPI. Detected tethering is reported via IPFIX in bit 1 of the service_flags field. 63 bits are available for further use.\\ ''detection_flags'' — reserved for detection methods.\\ ''action_flags'' — reserved for transmitting actions applied to the flow. |
| - [IPFIX] Fixed TTL transmission in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]] | - [IPFIX] Fixed TTL transmission in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#export_template_in_ipfix_format_netflow_v10_for_ipv4_protocol|Description]] |
| |
| ===Utilities=== | ===Utilities=== |
| |
| ===RADIUS=== | ===RADIUS=== |
| - [FastRADIUS] Added support for logging to syslog. New parameter ''syslog_level'' in fdpi_radius.conf — the level of logging messages from the alert log to syslog. ''0'' — syslog logging disabled (default). | - [FastRADIUS] Added support for logging to syslog. New parameter ''syslog_level'' in fdpi_radius.conf — the level of logging messages from the alert log to syslog. ''0'' — syslog logging disabled (default). [[en:dpi:dpi_components:radius:radius_admin#syslog_logging_support|Description]] |
| - [FastRADIUS] Added extraction of the 3GPP User Location Info RADIUS attribute and its export to IPFIX | - [FastRADIUS] Added extraction of the 3GPP User Location Info RADIUS attribute and its export to IPFIX. [[en:dpi:dpi_components:radius:radmon_acct_ipfix|Description]] |
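Review bot: In the ''bras_disable_l3_auth'' entry, the new revision drops the sentence stating that the option is forced to ''off'' (L3 auth allowed) when ''bras_dhcp_auth_mix=0'' is set, and leaves only the Description link. Because that override re-allows L3 auth with nothing more than a warning in the alert log, keep a one-sentence caveat about the ''bras_dhcp_auth_mix=0'' incompatibility in the changelog entry itself, next to the link, so that an operator who reads only the release notes does not assume L3 auth is disabled.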
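Review bot: In the [RADIUS Accounting] rating-group entry, the new revision no longer names the new VSA ''VasExperts-Acct-Type'' (id=28, vendor 43823, integer type) or the new ''VasExperts-Acct-Rating-Group'' attribute. These are interface changes that a RADIUS server dictionary has to pick up before RG Interim-Updates can be told apart from standard ones. Suggest keeping the attribute names and the ''0''/''1'' value meaning in the entry and moving only the transmission specifics to the linked page.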
| |