| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:dpi:changelog:versions:ver_14 [2026/03/25 14:39] – elena.krasnobryzh | en:dpi:changelog:versions:ver_14 [2026/06/15 15:24] (current) – [Changes in Version 14.2.1] elena.krasnobryzh |
|---|
| {{indexmenu_n>85}} | {{indexmenu_n>85}} |
| ======Version 14.0 Shooting Stars====== | ======Version 14.0 Shooting Stars====== |
| | |
| | =====Changes in Version 14.2.1===== |
| | |
| | <note important>Starting from SSG **14.2.1**, the ''nat_dstaddr_cache_size'' parameter is no longer required and should be removed from ''/etc/dpi/fastdpi.conf''.</note> |
| | |
| | ===DPI=== |
| | - Improved RFC standards compliance for redirects in Service 16 (HTTP redirect and IP address whitelist with TCP session termination on SSG): the ISN in SYN+ACK is replaced with an unpredictable value, and the session is terminated using the full TCP termination sequence |
| | |
| | ===NAT=== |
| | - Improved CG-NAT behavior when free ports are exhausted. If a subscriber does not have enough free ports to create new sessions, the subscriber can reuse ports previously allocated to them more aggressively. This behavior is controlled by the following new configurable timeout values, which default to the values listed below: |
| | * ''nat_whp_lifetime_min'' = ''nat_whp_lifetime'' / 3 — timeout for reusing allocated ports in the **short** queue when ports are exhausted |
| | * ''nat_whp_lifetime_min_long'' = ''nat_whp_lifetime_long'' / 3 — timeout for reusing allocated ports in the **long** queue when ports are exhausted |
| | |
| | ===Utilities=== |
| | - Added the ''--append'' option to the ip2proto utility: appends new data to an existing file |
| | |
| | =====Changes in Version 14.2===== |
| | ===DPI=== |
| | - [DPDK] Migrated to DPDK version 25.11. [[en:dpi:dpi_brief:dpi_requirements#minimum_requirements|Description]] |
| | - [DPDK] Increased the maximum memory size to 256 GB. |
| | - [DPDK] Note: the distribution package includes the fastdpi_dpdk2411 build based on DPDK 24.11 to support certain older Mellanox models. If this affects your deployment, please plan a network adapter upgrade, as support for these models has likely been discontinued in the current and future DPDK versions. |
| | - [DPDK] New ''dpdk_engine=7'' engine with support for explicit dispatcher assignment.\\ This engine supports heterogeneous configurations where ports of different types are used within the same cluster—for example, a 100G in-dev port and multiple 10G out-dev ports. [[en:dpi:dpi_components:platform:dpi_config#dpdk_engine_7explicit_dispatcher_configuration|Description]] |
| | - [DPDK] Added the new ''dpdk_max_memzone'' [cold] option for configuring the DPDK max memzone count. [[en:dpi:dpi_components:platform:dpi_config#dpdk_engine_7explicit_dispatcher_configuration|Description]] |
| | - [BALANCER] Added support for using vlan rule to filter packets. [[en:dpi:dpi_components:platform:vlan_traffic_handling#using_vlan_rule_in_balancer|Description]] |
| | - [DNS] Fixed an issue with Service 19 processing IPv6 traffic and added the dic2dns utility. [[en:dpi:dpi_options:dns_substitution#configuration|Description]] |
| | - Added GRE ERSPAN tunnel parsing support for ''check_tunnels=1'' mode. [[en:dpi:dpi_components:platform:dpi_inst_spec:dpi_tunnels|Description]] |
| | - The "Can't allocate record http_state" message is now printed once every 50,000 occurrences. |
| | - Added MARK2 flag verification to override the protocol with QUIC_UNKNOWN_MARKED while the QUIC protocol is still in the SNI detection stage. [[en:dpi:dpi_options:opt_priority:priority_config_as#file_format_of_autonomous_systems_list_and_their_priorities|Description]] |
| | - Added validated FakeTLS protocol detection. |
| | - Fixed switching from QUIC_UNKNOWN to QUIC after successful SNI parsing. |
| | - [LLDP] Added LLDP support. [[en:dpi:dpi_components:platform:dpi_inst_spec:lldp_support|Description]] |
| | - Added viber_cl detection by container. |
| | - Fixed overriding of cloud protocols by some built-in protocols. |
| | - Fixed protocol assignment by address when SNI is already present in the first packet to preserve IP/SNI priority. |
| | - Fixed DSCP detection from the first packet for cloud protocols identified by address. |
| | - Changed: FakeSNI checks are skipped if the protocol has already been identified by IP and mark1 is absent. |
| | - Changed: after IPSNI verification, the protocol falls back to the base protocol or to the SNI-defined protocol (if identified). |
| | - Changed: reduced the inspection depth for CNAME/SNI decoding attempts. |
| | - Resolved TX port selection issues in multi-path configurations: return packets are preferentially sent through the same port that received the original packet. |
| | - [RATING GROUP] Added Service 20: policing by rating groups (RG) and traffic volume quota control.\\ Creating a Service 20 profile: |
| | - Enable RG support in fastdpi.conf\\ ''rating_group_count=0'' — number of rating groups; ''0'' means RG is disabled. Default value: ''0'' |
| | - Prepare a text file defining TBF policing, quotas, and actions to take when the quota is reached for each rating group, for example:<code>rg4 tbf rate 1Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 100MB report |
| | rg5 tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 1GB block</code> ''report'' and ''block'' are the available actions when the quota is reached: ''report'' reports that the quota has been reached but continues forwarding traffic; ''block'' reports that the quota has been reached and blocks traffic for the corresponding rating group. |
| | - Convert the text file to binary format:<code>cat rg.txt | lst2rg rg.bin</code> |
| | - Copy the resulting binary file to the directory from which DPI will read it:<code>cp rg.bin /var/lib/dpi/rg.bin</code> |
| | - Create the service profile:<code>fdpi_ctrl load profile --service 20 --profile.name rg1 --profile.json '{ "rg_list" : "/var/lib/dpi/rg.bin" }'</code> ''max_profiles_serv20'' specifies the maximum number of profiles. The default value is 32.\\ \\ The rg2lst utility can be used to convert the binary file back into a readable format:<code>rg2lst rg.bin > rg.txt</code> |
| | - [RATING GROUP][TETHERING] Added support for assigning a rating group and controlling tethering through Service 18. The profile configuration now includes the following optional fields:\\ ''tethN'', where the possible values are: |
| | * teth0 — no tethering control (default) |
| | * teth1 — tethering control enabled: tethering detected |
| | * teth2 — tethering control enabled: tethering not detected\\ \\ ''rgN'', where the possible values are: |
| | * rg0 — default (RG not assigned) |
| | * rg1 — assign rg=1\\ .. |
| | * rg65535 — assign rg=65535\\ \\ **Example of configuring Service 18:** |
| | - Prepare a text configuration file example.txt:<code> http cs0 teth1 rg1 |
| | https cs0 teth1 rg1 |
| | http cs0 teth2 rg2 |
| | https cs0 teth2 rg2 |
| | |
| | dns cs1 teth1 rg1 |
| | dns cs1 teth2 rg2 |
| | |
| | default cs7 teth0 rg3</code> :!: **In this example, HTTP and HTTPS traffic is monitored for tethering, and the corresponding RG is assigned depending on the result. Note that the policing class (cs) remains the same. The same logic applies to DNS traffic. For ALL other protocols (default), tethering control is disabled and a separate RG is assigned.** |
| | - Convert it to the internal format:<code>cat example.txt | lst2dscp /tmp/example.bin</code> |
| | - Optionally verify it by converting it back:<code>dscp2lst /tmp/example.bin</code> |
| | - Create a Service 18 profile and assign it to a subscriber (or assign an unnamed profile directly):<code>fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/example.bin" }' |
| | fdpi_ctrl load --service 18 --profile.name test_dscp --login test_subs</code> Verify the assignment:<code> fdpi_ctrl list --service 18 --login test_subs</code> The trace output now includes the ''rg=N'' field. |
| | |
| | ===BRAS=== |
| | - [DHCP-Dual] Added support for ''Lease-Time'' handling. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:dual_dhcp#session-timeout_and_lease-time|Description]] |
| | - [Router] Changed how the Linux route table is read during router startup. [[en:dpi:dpi_components:router#the_internal_router_architecture|Description]] |
| | - [DHCP6-Proxy] Added DHCPv6 Option 79 (Client-LinkLayer-Address), containing the subscriber's MAC address, to Relay-Forward requests sent to the Framed-Pool DHCPv6 server. |
| | - [DHCP-Dual] Fixed incorrect generation of IPv6 PD prefixes for addresses from Framed-IPv6-Pool. |
| | - [DHCP-Dual] Fixed a crash when enabling MAC-based tracing using ''bras_dhcp_trace_mac''. |
| | - [DHCP-Dual] Fixed an issue where requesting a DHCPv6 address followed by a DHCPv4 address resulted in redundant authorization. |
| | - [DHCP-Dual] Fixed tracing of DHCPv6 responses when the subscriber's MAC address is being traced. |
| | - [DHCP-Dual] Fixed IPv4 address announcement for subscribers. |
| | - [VLAN-Rule][PPPoE] Added full Service-Name support for QinQ. [[en:dpi:dpi_components:platform:vlan_traffic_handling#syntax_for_vlan_qinq_range_description|Description]] |
| | - [DHCPv6] Fixed periodic ICMPv6 Router Advertisement transmission for DHCPv6 subscribers. |
| | - [PPPoE] Fixed src/dst MAC address modification in the Ethernet header during termination. Ethernet header termination must always be performed for PPPoE packets. However, when ''bras_term_by_as=1'' was enabled and srcAS was not marked as term, the Ethernet src/dst MAC addresses were not modified. |
| | |
| | ===NAT=== |
| | - Added support for disabling the public address cache used for NAT translation export. Configure ''nat_dstaddr_cache_size=0'' in ''/etc/dpi/fastdpi.conf''. |
| | - Improved session limit management: for the ''nat_tcp_max_sessions''/''nat_udp_max_sessions'' limits, which restrict the number of allocated public ports, fixed the decrement of the allocated port counter that could previously result in a slight exceedance of the configured limit. Updated the ''whpf'', ''whp_salfs'', ''whp_lalfs'', ''whp_ruse'', ''whp_ruse_salfs'', ''whp_ruse_lalfs'' counters and the corresponding flow statistics counters (''thr_salfs'' and others), as well as the output of the ''nat show'' command, so that they reflect the current actual port usage rather than cumulative usage. |
| | - Fixed: added validation of NAT translations in FullCone mode when ''nat_whp_lifetime'' < ''lifetime_flow''. If activity appears in a session after its NAT port has already been reused, a new port is allocated. |
| | - Added explicit TCP connection termination when a port is reused by another subscriber. |
| | - Changed public port queue handling: ports with short and long lifetimes are now maintained in separate queues. Ports are now elements of a private address subqueue. A port that has been accessed by a non-owner flow can now be reused immediately. |
| | - Optimized the ''fdpi_ctrl list all status --service 11'' statistics command. |
| | - Fixed consistency issues in the private address queue. |
| | - Fixed and optimized private address port queue handling: |
| | - The private address port queue is now distributed across processing threads. |
| | - The private address port queue is now divided into "short" and "long" queues. |
| | - Optimized behavior when the private-to-public cache is full. |
| | |
| | ===CLI=== |
| | - [LLDP] New CLI commands: ''fdpi_cli lldp enable'' and ''fdpi_cli lldp disable'' — enable or disable LLDP packet generation. [[en:dpi:dpi_components:platform:dpi_inst_spec:lldp_support|Description]] |
| | - [PCAP] Added a command to capture pcap traffic from a port:<code>dev pcap <dev-name> rx|tx|any|off</code> |
| | * ''rx'' — capture packets received on the port |
| | * ''tx'' — capture packets transmitted through the port |
| | * ''any'' — capture both rx and tx traffic |
| | * ''off'' — stop capturing\\ \\ PCAP file prefixes (where ''dev'' is the port name): |
| | * ''rx-dev'' — for rx captures |
| | * ''tx-dev'' — for tx captures |
| | - [RATING GROUP] Added the ''fdpi_cli rg show <IP>'' command to display the current rating group information for a subscriber. |
| | - [VLAN] Added a parameter to the ''fdpi_cli vlan rule dump'' command to specify which rule type to display: ''fdpi_cli vlan rule dump [type]''. [[en:dpi:dpi_components:platform:vlan_traffic_handling|Description]] |
| | - [DPI] Extended the output of the ''fdpi_cli dump flow cache format'' command with additional fields. [[en:dpi:dpi_components:platform:dpi_admin:flow_statistics|Description]] |
| | - [VLAN-Rule][PPPoE] Added display of all Service-Name permissions to the ''fdpi_cli vlan rule show'' command. [[en:dpi:dpi_components:platform:vlan_traffic_handling#management|Description]] |
| | - [VLAN-Rule][PPPoE] Refactored Service-Name support. The ''fdpi_cli vlan rule add/rm'' commands now support PPPoE and Service-Name. [[en:dpi:dpi_components:platform:vlan_traffic_handling#management|Description]] |
| | - [VRF] Added support for the ''fdpi_cli dhcp show stat vrf'' command. |
| | - [NAT] Fixed ''fdpi_cli ping'' for NAT subscribers. |
| | - [NAT] Fixed the ''fdpi_cli nat show'' command. |
| | |
| | ===IPFIX=== |
| | - Added support for sending UDP data exceeding the MTU size (using IP fragmentation). |
| | - Fixed an issue with setting the default data export timeout. |
| | - Fixed an issue when changing the ''ipfix_dev'' option. |
| | - [DNS] Added the ''ajb_save_dns_answer_types'' and ''ajb_save_dns_request_types'' parameters, which allow specifying DNS response and request types to save to a file and export via IPFIX. [[en:dpi:dpi_options:opt_li:li_ipfix#configuring_the_export_of_dns_responses_or_dns_queries|Description]] |
| | |
| | ===Utilities=== |
| | - Added the lst2rg and rg2lst utilities for converting Service 20 profiles. |
| | |
| | =====Changes in version 14.1===== |
| | ===DPI=== |
| | - [DPI][ajb_save_vlan] Fixed an error when the engine operates in read-only mode |
| | - [DPDK][tap_device] Fixed: setting the tx queue length using the ''dpdk_tx_queue_size'' option. Previously, the tx queue length of the TAP device was always set to 256, which caused errors on the VMware VMXNET3 Ethernet Controller: ETHDEV: Invalid value for nb_tx_desc(=256), should be: <= 4096, >= 512, and a product of 1 |
| | - [LAG] Fixed: added load balancing for pass packets |
| | - [DPI][ip_node stg] Added statistics on bucket occupancy. The new CLI command ''stat storage ip4 detail'' outputs statistics on bucket filling in the IPv4 node storage |
| | - [DPI] Added validation for the MULTIPROXY_STRONG protocol |
| | - [DPI] Improved scalability on 128-core systems |
| | - [DPI][log] Improved the logging subsystem in cases of log file overflow |
| | - [DPI][tethering] Added tethering detection. The parameter ''tethering_ttl_allowed = 128:64'' [hot] defines the list of allowed TTL values for subscriber traffic that are not considered tethering. Values are separated by ':'. The number of values is up to 256 (0–255). [[en:dpi:dpi_options:opt_statistics:statistics_ipfix|Description]] |
| | |
| | ===BNG=== |
| | - [BNG][framed-route] Fixed: Framed-Route delivery when a subscriber login is changed. Previously, when the login was changed, Framed-Route subnets remained attached to the old login, and all services and policing for Framed-Route subnets were taken from the old login. |
| | - [BNG] Added the ''bras_disable_l3_auth'' option — an explicit prohibition of L3 auth in L2 BNG mode for all subscribers. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_l3auth#global_disable_l3_authentication|Description]] |
| | - [BNG] Added a new subscriber flag — prohibition of L3 auth for a specific subscriber. This flag can be set or cleared only via CLI: a new parameter ''disable_l3_auth=[1:0]'' has been added to the ''subs prop set'' command. [[en:dpi:bras_bng:cli:subs#subs_prop_set|Description]] |
| | - [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before packet processing to block operator-originated DDoS attacks with IP address spoofing. [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg#filtering_by_source_as_flags|Description]] |
| | - [BNG][PPP] Added database session utilization statistics to the ''ppp show stat'' command. [[en:dpi:bras_bng:cli:pppoe#pppoe_show_stat|Description]] |
| | - [BNG][PCEF][Policing] Added configuration of common policing from parameters passed in the ''VasExperts-Policing-Profile'' attribute with the ''BR##'' prefix. [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response#policing_with_absolute_value_transmission_extended_htb_format|Description]] |
| | - [BNG][PCEF][Services] Added configuration of a personal (''noname'') user profile for services from parameters passed in the ''VasExperts-Service-Profile'' attribute with the ''BP##'' prefix. [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response#example_3_overriding_traffic_classes_and_policing|Description]] |
| | - [BNG][PCEF][rating-group] New options (cold, fastDPI restart required): |
| | * ''rating_group_count'' — number of rating groups, ''0'' — RG disabled. Default value: ''0'' |
| | * ''rating_group_max_subs'' — maximum number of subscribers with RG. Default value: ''0'' (RG disabled)\\ [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group|Description]] |
| | - [BNG][PCEF][rating-group][RADIUS Accounting] Output of RG statistics in RADIUS Accounting. RG statistics are transmitted in separate Interim-Update packets. Only non-zero RG data are sent. [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group|Description]] |
| | - [BNG][PCEF][rating-group][CLI] Added the ''subs traffic stat'' CLI command. The command outputs billing statistics and rating group statistics for the specified subscriber, if enabled. [[en:dpi:bras_bng:cli:subs#subs_traffic_stat|Description]] |
| | - [BNG][PCEF][rating-group][RADIUS Accept] Added configuration of the RG service during authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the subscriber. [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group|Description]] |
| | - [BNG][SHCV][hot] Added activity monitoring for static IP L2 subscribers (subscribers for whom RADIUS returned the ''VasExperts-L2-User=1'' flag during L3 authorization). [[en:dpi:bras_bng:bras_l2_options:subs_activity#monitoring_subscriber_activity_with_session_termination_subscriber_host_connectivity_verification|Description]] |
| | - [BNG][DHCP][hot] New values are available for the ''bras_dhcp_check_secondary_keys'' option: 2 (check only opt82) and 4 (check only QinQ). [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_secondary_keys|Description]] |
| | - [BNG][L2TP] Fixed: crash when receiving a duplicate out-of-order ctl packet |
| | - [BNG][dhcp-relay] Added the ability to preserve the siaddr field value.\\ New flag in the ''bras_dhcp_server'' option: ''keep_siaddr=1'' — preserve the DHCP packet siaddr field. Example:<code bash>bras_dhcp_server=188.227.73.42%eth0;arp_proxy=1;reply_port=67;keep_siaddr=1</code> By default, the siaddr field may be modified to hide the real DHCP server address. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_relay#configuration|Description]] |
| | - [BNG][CLI] Added the ''subs db stat'' command to display L2 BNG database statistics. [[en:dpi:bras_bng:cli:subs#subs_db_stat|Description]] |
| | - [BNG][DHCP6] Fixed: crash when processing DHCPv6 with an invalid UDP header length |
| | |
| | ===NAT=== |
| | - [CG-NAT] Added ''rx_dispatcher=3'' — a method with uniform load balancing across an arbitrary number of threads with support for NAT 1:1 and the requirement to assign specific addresses. [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|Description]] |
| | - [CG-NAT] Accounting of translation lifetime in the ''fdpi_ctrl list status --service 11 --login UserName (--ip IP)'' command. Additional fields were added to the command output: ''active_sess_tcp'' — number of active NAT translations for TCP and ''active_sess_udp'' — number of active NAT translations for UDP.\\ Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. [[en:dpi:opt_cgnat:cgnat_diagnostics#legend_for_the_nat_statistics_view_by_subscriber|Description]] |
| | - [CG-NAT][CLI] Accounting of translation lifetime in the ''nat show <internal_ip> [<lifetime>]'' command. Displays a list of all NAT translations for the specified gray IP. [[en:dpi:opt_cgnat:cgnat_diagnostics#list_of_nat_translations|Description]] |
| | |
| | ===CLI=== |
| | - [CLI] Added the ''subs bind show'' command to view the list of IP addresses bound to the login ''<login>''. [[en:dpi:bras_bng:cli:subs#subs_bind_show|Description]] |
| | - [CLI] Added the ''stat http'' CLI command. This command outputs internal statistics similar to those in fastdpi_stat.log. [[en:dpi:bras_bng:cli:stat#stat_http|Description]] |
| | - [CLI] Fixed the ''list status --service 11'' (NAT) and ''nat show'' commands |
| | |
| | ===IPFIX=== |
| | - [IPFIX] Storage of TTL information from the IP packet header. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#export_template_in_ipfix_format_netflow_v10_for_ipv4_protocol|Description]]\\ TTL statistics added to Full NetFlow in IPFIX format: |
| | * Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs |
| | * Rating group, id 2020 |
| | - [IPFIX] Fixed an error in time conversion to unix format |
| | - [IPFIX] New 64-bit fields added to Full NetFlow IPFIX. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#export_template_in_ipfix_format_netflow_v10_for_ipv4_protocol|Description]]\\ ''service_flags'' — information about the tags assigned to the flow in DPI. Detected tethering is reported via IPFIX in bit 1 of the service_flags field. 63 bits are available for further use.\\ ''detection_flags'' — reserved for detection methods.\\ ''action_flags'' — reserved for transmitting actions applied to the flow. |
| | - [IPFIX] Fixed TTL transmission in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#export_template_in_ipfix_format_netflow_v10_for_ipv4_protocol|Description]] |
| | |
| | ===Utilities=== |
| | - [utils] Added the name2custom utility to view the list of protocols loaded from the cloud (as opposed to built-in ones) |
| | |
| | ===RADIUS=== |
| | - [FastRADIUS] Added support for logging to syslog. New parameter ''syslog_level'' in fdpi_radius.conf — the level of logging messages from the alert log to syslog. ''0'' — syslog logging disabled (default). [[en:dpi:dpi_components:radius:radius_admin#syslog_logging_support|Description]] |
| | - [FastRADIUS] Added extraction of the 3GPP User Location Info RADIUS attribute and its export to IPFIX. [[en:dpi:dpi_components:radius:radmon_acct_ipfix|Description]] |
| | |
| | |
| | |
| =====Changes in version 14.0===== | =====Changes in version 14.0===== |
| - [BRAS] DHCP-Dual support. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:dual_dhcp|Description]] | - [BRAS] DHCP-Dual support. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:dual_dhcp|Description]] |
| - Fixed a recently introduced error (affecting betas 4.6 and 4.7) in the session lifecycle that leads to resource exhaustion over time; an operational update from these versions (or rollback) is recommended. | - Fixed a recently introduced error (affecting betas 4.6 and 4.7) in the session lifecycle that leads to resource exhaustion over time; an operational update from these versions (or rollback) is recommended. |
| |
| =====Changes in version 14.1===== | |
| ===DPI=== | |
| - [DPI][ajb_save_vlan] Fixed an error when the engine operates in read-only mode | |
| - [DPDK][tap_device] Fixed: setting the tx queue length using the ''dpdk_tx_queue_size'' option. Previously, the tx queue length of the TAP device was always set to 256, which caused errors on the VMware VMXNET3 Ethernet Controller: ETHDEV: Invalid value for nb_tx_desc(=256), should be: <= 4096, >= 512, and a product of 1 | |
| - [LAG] Fixed: added load balancing for pass packets | |
| - [DPI][ip_node stg] Added statistics on bucket occupancy. The new CLI command ''stat storage ip4 detail'' outputs statistics on bucket filling in the IPv4 node storage | |
| - [DPI] Added validation for the MULTIPROXY_STRONG protocol | |
| - [DPI] Improved scalability on 128-core systems | |
| - [DPI][log] Improved the logging subsystem in cases of log file overflow | |
| - [DPI][tethering] Added tethering detection. The parameter ''tethering_ttl_allowed = 128:64'' [hot] defines the list of allowed TTL values for subscriber traffic that are not considered tethering. Values are separated by ':'. The number of values is up to 256 (0–255). [[en:dpi:dpi_options:opt_statistics:statistics_ipfix|Description]] | |
| |
| ===BNG=== | |
| - [BNG][framed-route] Fixed: Framed-Route delivery when a subscriber login is changed. Previously, when the login was changed, Framed-Route subnets remained attached to the old login, and all services and policing for Framed-Route subnets were taken from the old login. | |
| - [BNG] Added the ''bras_disable_l3_auth'' option — an explicit prohibition of L3 auth in L2 BNG mode for all subscribers. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_l3auth#global_disable_l3_authentication|Description]] | |
| - [BNG] Added a new subscriber flag — prohibition of L3 auth for a specific subscriber. This flag can be set or cleared only via CLI: a new parameter ''disable_l3_auth=[1:0]'' has been added to the ''subs prop set'' command. [[en:dpi:bras_bng:cli:subs#subs_prop_set|Description]] | |
| - [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before packet processing to block operator-originated DDoS attacks with IP address spoofing. [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg#filtering_by_source_as_flags|Description]] | |
| - [BNG][PPP] Added database session utilization statistics to the ''ppp show stat'' command. [[en:dpi:bras_bng:cli:pppoe#pppoe_show_stat|Description]] | |
| - [BNG][PCEF][Policing] Added configuration of common policing from parameters passed in the ''VasExperts-Policing-Profile'' attribute with the ''BR##'' prefix. [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response#policing_with_absolute_value_transmission_extended_htb_format|Description]] | |
| - [BNG][PCEF][Services] Added configuration of a personal (''noname'') user profile for services from parameters passed in the ''VasExperts-Service-Profile'' attribute with the ''BP##'' prefix. [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response#example_3_overriding_traffic_classes_and_policing|Description]] | |
| - [BNG][PCEF][rating-group] New options (cold, fastDPI restart required): | |
| * ''rating_group_count'' — number of rating groups, ''0'' — RG disabled. Default value: ''0'' | |
| * ''rating_group_max_subs'' — maximum number of subscribers with RG. Default value: ''0'' (RG disabled)\\ [[en:dpi:bras_bng:radius_integration:radius_accounting#rating_group_settings|Description]] | |
| - [BNG][PCEF][rating-group][RADIUS Accounting] Output of RG statistics in RADIUS Accounting. RG statistics are transmitted in separate Interim-Update packets. Only non-zero RG data are sent. Due to the 4096-byte RADIUS packet size limit, RG data may be split across multiple Interim-Update packets.\\ To distinguish Interim-Updates containing RG data, a new VSA ''VasExperts-Acct-Type'' (id=28, vendor 43823, integer type) is used with the following values: | |
| * ''0'' — standard Interim Update Accounting | |
| * ''1'' — RG data\\ Each rating group and its counters are transmitted in *one* VSA containing the following attributes: | |
| * ''VasExperts-Acct-Rating-Group'' (new attribute of type short, 16-bit integer) — RG number; | |
| * ''VasExperts-Acct-Input-Octets-64'' | |
| * ''VasExperts-Acct-Output-Octets-64'' | |
| * ''VasExperts-Acct-Input-Packets-64'' | |
| * ''VasExperts-Acct-Output-Packets-64''\\ Packet/byte counters by direction are output according to the ''acct_swap_dir'' option (as in Accounting).\\ RG transmission specifics: | |
| * RGs are optional data and may be absent for a subscriber; accordingly, no RG accounting data will be transmitted for such a subscriber; | |
| * if receipt of an RG packet by the RADIUS server is not confirmed, it is not retransmitted — fresh data will be sent in the subscriber’s next Interim-Update; | |
| * if a subscriber has RG statistics, current RG data are sent in Interim-Update packets before sending Acct-Stop at session termination. | |
| - [BNG][PCEF][rating-group][CLI] Added the ''subs traffic stat'' CLI command. The command outputs billing statistics and rating group statistics for the specified subscriber, if enabled. [[en:dpi:bras_bng:cli:subs#subs_traffic_stat|Description]] | |
| - [BNG][PCEF][rating-group][RADIUS Accept] Added configuration of the RG service during authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the subscriber. RG is assigned at the subscriber level during authorization by specifying a special service 9 profile named 'RG': <code>VasExperts-Service-Profile :="9:RG"</code> When service 9 is disabled, RG accumulation is also disabled.\\ Examples of configuring service 9 and RG: <code># service 9 enabled, RG disabled. Standard RADIUS Accounting is sent. | |
| VasExperts-Enable-Service :="9:on"</code> <code># service 9 enabled, RG enabled. RG data are sent in RADIUS Accounting. | |
| VasExperts-Service-Profile :="9:RG"</code> <code># service 9 disabled, RG disabled. Standard RADIUS Accounting and RG are not sent. | |
| VasExperts-Enable-Service :="9:off"</code> | |
| - [BNG][SHCV][hot] Added activity monitoring for static IP L2 subscribers (subscribers for whom RADIUS returned the ''VasExperts-L2-User=1'' flag during L3 authorization). [[en:dpi:bras_bng:bras_l2_options:subs_activity#monitoring_subscriber_activity_with_session_termination_subscriber_host_connectivity_verification|Description]] | |
| - [BNG][DHCP][hot] New values are available for the ''bras_dhcp_check_secondary_keys'' option: 2 (check only opt82) and 4 (check only QinQ). [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_secondary_keys|Description]] | |
| - [BNG][L2TP] Fixed: crash when receiving a duplicate out-of-order ctl packet | |
| - [BNG][dhcp-relay] Added the ability to preserve the siaddr field value.\\ New flag in the ''bras_dhcp_server'' option: ''keep_siaddr=1'' — preserve the DHCP packet siaddr field. Example:<code bash>bras_dhcp_server=188.227.73.42%eth0;arp_proxy=1;reply_port=67;keep_siaddr=1</code> By default, the siaddr field may be modified to hide the real DHCP server address. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_relay#configuration|Description]] | |
| - [BNG][CLI] Added the ''subs db stat'' command to display L2 BNG database statistics | |
| - [BNG][DHCP6] Fixed: crash when processing DHCPv6 with an invalid UDP header length | |
| |
| ===NAT=== | |
| - [CG-NAT] Added ''rx_dispatcher=3'' — a method with uniform load balancing across an arbitrary number of threads with support for NAT 1:1 and the requirement to assign specific addresses. [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|Description]] | |
| - [CG-NAT] Accounting of translation lifetime in the ''fdpi_ctrl list status --service 11 --login UserName (--ip IP)'' command. Additional fields were added to the command output: ''active_sess_tcp'' — number of active NAT translations for TCP and ''active_sess_udp'' — number of active NAT translations for UDP.\\ Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. [[en:dpi:opt_cgnat:cgnat_diagnostics#legend_for_the_nat_statistics_view_by_subscriber|Description]] | |
| - [CG-NAT][CLI] Accounting of translation lifetime in the ''nat show <internal_ip> [<lifetime>]'' command. Displays a list of all NAT translations for the specified gray IP. [[en:dpi:opt_cgnat:cgnat_diagnostics#list_of_nat_translations|Description]] | |
| |
| ===CLI=== | |
| - [CLI] Added the ''subs bind show'' command to view the list of IP addresses bound to the login ''<login>''. [[en:dpi:bras_bng:cli:subs#subs_bind_show|Description]] | |
| - [CLI] Added the ''stat http'' CLI command. This command outputs internal statistics similar to those in fastdpi_stat.log. [[en:dpi:bras_bng:cli:stat#stat_http|Description]] | |
| - [CLI] Fixed the ''list status --service 11'' (NAT) and ''nat show'' commands | |
| |
| ===IPFIX=== | |
| - [IPFIX] Storage of TTL information from the IP packet header. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]]\\ TTL statistics added to Full NetFlow in IPFIX format: | |
| * Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs | |
| * Rating group, id 2020 | |
| - [IPFIX] Fixed an error in time conversion to unix format | |
| - [IPFIX] New 64-bit fields added to Full NetFlow IPFIX. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]]\\ ''service_flags'' — information about the tags assigned to the flow in DPI. Detected tethering is reported via IPFIX in bit 1 of the service_flags field. 63 bits are available for further use.\\ ''detection_flags'' — reserved for detection methods.\\ ''action_flags'' — reserved for transmitting actions applied to the flow. | |
| - [IPFIX] Fixed TTL transmission in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. [[en:dpi:dpi_options:opt_statistics:statistics_ipfix#шаблон_экспорта_в_формате_ipfix_netflow_v10_для_протокола_ipv4|Description]] | |
| |
| ===Utilities=== | |
| - [utils] Added the name2custom utility to view the list of protocols loaded from the cloud (as opposed to built-in ones) | |
| |
| ===RADIUS=== | |
| - [FastRADIUS] Added support for logging to syslog. New parameter ''syslog_level'' in fdpi_radius.conf — the level of logging messages from the alert log to syslog. ''0'' — syslog logging disabled (default). | |
| - [FastRADIUS] Added extraction of the 3GPP User Location Info RADIUS attribute and its export to IPFIX | |
| |
