Differences

This shows you the differences between two versions of the page.

--- en:dpi:changelog:versions:ver_14 [2026/06/11 08:22] – elena.krasnobryzh
+++ en:dpi:changelog:versions:ver_14 [2026/06/15 15:24] (current) – [Changes in Version 14.2.1] elena.krasnobryzh
@@ Line 1: / Line 1: @@
 {{indexmenu_n>85}}
 ======Version 14.0 Shooting Stars======
+=====Changes in Version 14.2.1=====
+<note important>Starting from SSG **14.2.1**, the ''nat_dstaddr_cache_size'' parameter is no longer required and should be removed from ''/etc/dpi/fastdpi.conf''.</note>
+===DPI===
+  - Improved RFC standards compliance for redirects in Service 16 (HTTP redirect and IP address whitelist with TCP session termination on SSG): the ISN in SYN+ACK is replaced with an unpredictable value, and the session is terminated using the full TCP termination sequence
+===NAT===
+  - Improved CG-NAT behavior when free ports are exhausted. If a subscriber does not have enough free ports to create new sessions, the subscriber can reuse ports previously allocated to them more aggressively. This behavior is controlled by the following new configurable timeout values, which default to the values listed below:
+    * ''nat_whp_lifetime_min'' = ''nat_whp_lifetime'' / 3 — timeout for reusing allocated ports in the **short** queue when ports are exhausted
+    * ''nat_whp_lifetime_min_long'' = ''nat_whp_lifetime_long'' / 3 — timeout for reusing allocated ports in the **long** queue when ports are exhausted
+===Utilities===
+  - Added the ''--append'' option to the ip2proto utility: appends new data to an existing file
+=====Changes in Version 14.2=====
+===DPI===
+  - [DPDK] Migrated to DPDK version 25.11. [[en:dpi:dpi_brief:dpi_requirements#minimum_requirements|Description]]
+  - [DPDK] Increased the maximum memory size to 256 GB.
+  - [DPDK] Note: the distribution package includes the fastdpi_dpdk2411 build based on DPDK 24.11 to support certain older Mellanox models. If this affects your deployment, please plan a network adapter upgrade, as support for these models has likely been discontinued in the current and future DPDK versions.
+  - [DPDK] New ''dpdk_engine=7'' engine with support for explicit dispatcher assignment.\\ This engine supports heterogeneous configurations where ports of different types are used within the same cluster—for example, a 100G in-dev port and multiple 10G out-dev ports. [[en:dpi:dpi_components:platform:dpi_config#dpdk_engine_7explicit_dispatcher_configuration|Description]]
+  - [DPDK] Added the new ''dpdk_max_memzone'' [cold] option for configuring the DPDK max memzone count. [[en:dpi:dpi_components:platform:dpi_config#dpdk_engine_7explicit_dispatcher_configuration|Description]]
+  - [BALANCER] Added support for using vlan rule to filter packets. [[en:dpi:dpi_components:platform:vlan_traffic_handling#using_vlan_rule_in_balancer|Description]]
+  - [DNS] Fixed an issue with Service 19 processing IPv6 traffic and added the dic2dns utility. [[en:dpi:dpi_options:dns_substitution#configuration|Description]]
+  - Added GRE ERSPAN tunnel parsing support for ''check_tunnels=1'' mode. [[en:dpi:dpi_components:platform:dpi_inst_spec:dpi_tunnels|Description]]
+  - The "Can't allocate record http_state" message is now printed once every 50,000 occurrences.
+  - Added MARK2 flag verification to override the protocol with QUIC_UNKNOWN_MARKED while the QUIC protocol is still in the SNI detection stage. [[en:dpi:dpi_options:opt_priority:priority_config_as#file_format_of_autonomous_systems_list_and_their_priorities|Description]]
+  - Added validated FakeTLS protocol detection.
+  - Fixed switching from QUIC_UNKNOWN to QUIC after successful SNI parsing.
+  - [LLDP] Added LLDP support. [[en:dpi:dpi_components:platform:dpi_inst_spec:lldp_support|Description]]
+  - Added viber_cl detection by container.
+  - Fixed overriding of cloud protocols by some built-in protocols.
+  - Fixed protocol assignment by address when SNI is already present in the first packet to preserve IP/SNI priority.
+  - Fixed DSCP detection from the first packet for cloud protocols identified by address.
+  - Changed: FakeSNI checks are skipped if the protocol has already been identified by IP and mark1 is absent.
+  - Changed: after IPSNI verification, the protocol falls back to the base protocol or to the SNI-defined protocol (if identified).
+  - Changed: reduced the inspection depth for CNAME/SNI decoding attempts.
+  - Resolved TX port selection issues in multi-path configurations: return packets are preferentially sent through the same port that received the original packet.
+  - [RATING GROUP] Added Service 20: policing by rating groups (RG) and traffic volume quota control.\\ Creating a Service 20 profile:
+    - Enable RG support in fastdpi.conf\\ ''rating_group_count=0'' — number of rating groups; ''0'' means RG is disabled. Default value: ''0''
+    - Prepare a text file defining TBF policing, quotas, and actions to take when the quota is reached for each rating group, for example:<code>rg4 tbf rate 1Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 100MB report
+rg5 tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 1GB block</code> ''report'' and ''block'' are the available actions when the quota is reached: ''report'' reports that the quota has been reached but continues forwarding traffic; ''block'' reports that the quota has been reached and blocks traffic for the corresponding rating group.
+    - Convert the text file to binary format:<code>cat rg.txt | lst2rg rg.bin</code>
+    - Copy the resulting binary file to the directory from which DPI will read it:<code>cp rg.bin /var/lib/dpi/rg.bin</code>
+    - Create the service profile:<code>fdpi_ctrl load profile --service 20 --profile.name rg1 --profile.json '{ "rg_list" : "/var/lib/dpi/rg.bin" }'</code> ''max_profiles_serv20'' specifies the maximum number of profiles. The default value is 32.\\ \\ The rg2lst utility can be used to convert the binary file back into a readable format:<code>rg2lst rg.bin > rg.txt</code>
+  - [RATING GROUP][TETHERING] Added support for assigning a rating group and controlling tethering through Service 18. The profile configuration now includes the following optional fields:\\ ''tethN'', where the possible values are:
+    * teth0 — no tethering control (default)
+    * teth1 — tethering control enabled: tethering detected
+    * teth2 — tethering control enabled: tethering not detected\\ \\ ''rgN'', where the possible values are:
+    * rg0 — default (RG not assigned)
+    * rg1 — assign rg=1\\ ..
+    * rg65535 — assign rg=65535\\ \\ **Example of configuring Service 18:**
+    - Prepare a text configuration file example.txt:<code>    http cs0  teth1 rg1
+    https cs0  teth1 rg1
+    http cs0  teth2 rg2
+    https cs0  teth2 rg2
+    dns  cs1  teth1 rg1
+    dns  cs1  teth2 rg2
+    default cs7 teth0 rg3</code> :!: **In this example, HTTP and HTTPS traffic is monitored for tethering, and the corresponding RG is assigned depending on the result. Note that the policing class (cs) remains the same. The same logic applies to DNS traffic. For ALL other protocols (default), tethering control is disabled and a separate RG is assigned.**
+    - Convert it to the internal format:<code>cat example.txt | lst2dscp /tmp/example.bin</code>
+    - Optionally verify it by converting it back:<code>dscp2lst /tmp/example.bin</code>
+    - Create a Service 18 profile and assign it to a subscriber (or assign an unnamed profile directly):<code>fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/example.bin" }'
+    fdpi_ctrl load --service 18 --profile.name test_dscp --login test_subs</code> Verify the assignment:<code>    fdpi_ctrl list --service 18 --login test_subs</code> The trace output now includes the ''rg=N'' field.
+===BRAS===
+  - [DHCP-Dual] Added support for ''Lease-Time'' handling. [[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:dual_dhcp#session-timeout_and_lease-time|Description]]
+  - [Router] Changed how the Linux route table is read during router startup. [[en:dpi:dpi_components:router#the_internal_router_architecture|Description]]
+  - [DHCP6-Proxy] Added DHCPv6 Option 79 (Client-LinkLayer-Address), containing the subscriber's MAC address, to Relay-Forward requests sent to the Framed-Pool DHCPv6 server.
+  - [DHCP-Dual] Fixed incorrect generation of IPv6 PD prefixes for addresses from Framed-IPv6-Pool.
+  - [DHCP-Dual] Fixed a crash when enabling MAC-based tracing using ''bras_dhcp_trace_mac''.
+  - [DHCP-Dual] Fixed an issue where requesting a DHCPv6 address followed by a DHCPv4 address resulted in redundant authorization.
+  - [DHCP-Dual] Fixed tracing of DHCPv6 responses when the subscriber's MAC address is being traced.
+  - [DHCP-Dual] Fixed IPv4 address announcement for subscribers.
+  - [VLAN-Rule][PPPoE] Added full Service-Name support for QinQ. [[en:dpi:dpi_components:platform:vlan_traffic_handling#syntax_for_vlan_qinq_range_description|Description]]
+  - [DHCPv6] Fixed periodic ICMPv6 Router Advertisement transmission for DHCPv6 subscribers.
+  - [PPPoE] Fixed src/dst MAC address modification in the Ethernet header during termination. Ethernet header termination must always be performed for PPPoE packets. However, when ''bras_term_by_as=1'' was enabled and srcAS was not marked as term, the Ethernet src/dst MAC addresses were not modified.
+===NAT===
+  - Added support for disabling the public address cache used for NAT translation export. Configure ''nat_dstaddr_cache_size=0'' in ''/etc/dpi/fastdpi.conf''.
+  - Improved session limit management: for the ''nat_tcp_max_sessions''/''nat_udp_max_sessions'' limits, which restrict the number of allocated public ports, fixed the decrement of the allocated port counter that could previously result in a slight exceedance of the configured limit. Updated the ''whpf'', ''whp_salfs'', ''whp_lalfs'', ''whp_ruse'', ''whp_ruse_salfs'', ''whp_ruse_lalfs'' counters and the corresponding flow statistics counters (''thr_salfs'' and others), as well as the output of the ''nat show'' command, so that they reflect the current actual port usage rather than cumulative usage.
+  - Fixed: added validation of NAT translations in FullCone mode when ''nat_whp_lifetime'' < ''lifetime_flow''. If activity appears in a session after its NAT port has already been reused, a new port is allocated.
+  - Added explicit TCP connection termination when a port is reused by another subscriber.
+  - Changed public port queue handling: ports with short and long lifetimes are now maintained in separate queues. Ports are now elements of a private address subqueue. A port that has been accessed by a non-owner flow can now be reused immediately.
+  - Optimized the ''fdpi_ctrl list all status --service 11'' statistics command.
+  - Fixed consistency issues in the private address queue.
+  - Fixed and optimized private address port queue handling:
+    - The private address port queue is now distributed across processing threads.
+    - The private address port queue is now divided into "short" and "long" queues.
+  - Optimized behavior when the private-to-public cache is full.
+===CLI===
+  - [LLDP] New CLI commands: ''fdpi_cli lldp enable'' and ''fdpi_cli lldp disable'' — enable or disable LLDP packet generation. [[en:dpi:dpi_components:platform:dpi_inst_spec:lldp_support|Description]]
+  - [PCAP] Added a command to capture pcap traffic from a port:<code>dev pcap <dev-name> rx|tx|any|off</code>
+    * ''rx'' — capture packets received on the port
+    * ''tx'' — capture packets transmitted through the port
+    * ''any'' — capture both rx and tx traffic
+    * ''off'' — stop capturing\\ \\ PCAP file prefixes (where ''dev'' is the port name):
+    * ''rx-dev'' — for rx captures
+    * ''tx-dev'' — for tx captures
+  - [RATING GROUP] Added the ''fdpi_cli rg show <IP>'' command to display the current rating group information for a subscriber.
+  - [VLAN] Added a parameter to the ''fdpi_cli vlan rule dump'' command to specify which rule type to display: ''fdpi_cli vlan rule dump [type]''. [[en:dpi:dpi_components:platform:vlan_traffic_handling|Description]]
+  - [DPI] Extended the output of the ''fdpi_cli dump flow cache format'' command with additional fields. [[en:dpi:dpi_components:platform:dpi_admin:flow_statistics|Description]]
+  - [VLAN-Rule][PPPoE] Added display of all Service-Name permissions to the ''fdpi_cli vlan rule show'' command. [[en:dpi:dpi_components:platform:vlan_traffic_handling#management|Description]]
+  - [VLAN-Rule][PPPoE] Refactored Service-Name support. The ''fdpi_cli vlan rule add/rm'' commands now support PPPoE and Service-Name. [[en:dpi:dpi_components:platform:vlan_traffic_handling#management|Description]]
+  - [VRF] Added support for the ''fdpi_cli dhcp show stat vrf'' command.
+  - [NAT] Fixed ''fdpi_cli ping'' for NAT subscribers.
+  - [NAT] Fixed the ''fdpi_cli nat show'' command.
+===IPFIX===
+  - Added support for sending UDP data exceeding the MTU size (using IP fragmentation).
+  - Fixed an issue with setting the default data export timeout.
+  - Fixed an issue when changing the ''ipfix_dev'' option.
+  - [DNS] Added the ''ajb_save_dns_answer_types'' and ''ajb_save_dns_request_types'' parameters, which allow specifying DNS response and request types to save to a file and export via IPFIX. [[en:dpi:dpi_options:opt_li:li_ipfix#configuring_the_export_of_dns_responses_or_dns_queries|Description]]
+===Utilities===
+  - Added the lst2rg and rg2lst utilities for converting Service 20 profiles.
 =====Changes in version 14.1=====

Profile

Settings

Differences

Differences

What were you trying to find?