| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:dpi:dpi_components:platform:dpi_admin:testversion_install [2024/10/15 10:23] – [Changes in version 13.2 BETA7] elena.krasnobryzh | en:dpi:dpi_components:platform:dpi_admin:testversion_install [2025/08/18 07:13] (current) – [Changes in version 14.0 BETA4.4] elena.krasnobryzh |
|---|
| ====== Test version installation ====== | ====== Changelog of SSG BETA-version ====== |
| {{indexmenu_n>3}} | {{indexmenu_n>3}} |
| |
| ====Changes in version 13.2 BETA1==== | ====Changes in version 14.0 BETA1==== |
| |
| - [BRAS][PPPoE] Fixed: ping of inactive client with Echo requests | - [BRAS] Support for L2TP termination |
| - Support for service profiles 19 (DNS response substitution). [[en:dpi:dpi_options:dns_substitution|Description]] | - [BRAS] Support for DHCP-Dual |
| - For service 19, ability to specify AAAA records and support for wildcard (*) for domains. [[en:dpi:dpi_options:dns_substitution|Description]] | - [DPI] Migration to DPDK 24.11, support for new NICs (Intel E830 200G, Intel E630, Napatech SmartNIC) |
| - Fixed: for profile 18, it is not required to set both DSCP and TBF simultaneously | - [CLI] Added support for ''subs_id'' in commands: ''dhcp show'', ''dhcp reauth'', ''dhcp6 show'', ''dhcp6 reauth'', and ''dhcp disconnect'' |
| |
| ====Changes in version 13.2 BETA2==== | ====Changes in version 14.0 BETA2==== |
| |
| - Fixed: IP:PORT priority over IP and CIDR for custom protocol definitions | - [DPI] New protocols added: AGORA_STREAMS(49314), AZAR_CALL(49315), WECHAT_CALL(49316), TEAMS_CALL(49317). [[en:dpi:dpi_options:protocols]] |
| - Modified: custom protocols have higher priority than cloud protocols | - [DPI] Improved support for LINE_CALL, VYKE_CALL protocols. [[en:dpi:dpi_options:protocols]] |
| - Fixed: length of AAAA records in service 19 | - [DPI] Fixed smartdrop behavior |
| - Added: mask 8 in ''block_options'' - do not generate rst blocking and redirection packets for packets directed from inet-->subs. [[en:dpi:dpi_options:opt_filtration:filtration_settings#blocking_settings|Description]] | - [DPI] Added validation for complex protocols. [[en:dpi:dpi_options:protocols]] |
| | - [DPDK] Increased the maximum number of dispatchers to 32 |
| | - [IPFIX/Netflow] Added the ability to change IPFIX/Netflow parameters without restarting fastDPI. A new config parameter ''ipfix_reserved'' has been added to reserve memory for enabling/changing IPFIX/Netflow parameters. If IPFIX/Netflow parameters are set in the configuration file, memory reservation for IPFIX/Netflow is automatically enabled and parameters/new exporter types can be changed without restarting fastDPI. |
| | - [FastRadius] It is now possible to set both ''bind_ipv6_address'' and ''bind_ipv6_subnet''. If the Framed-IPv6-Prefix has a /128 mask, it is not checked against the ''bind_ipv6_subnet'' restriction. |
| | - CLI command ''dev info'' now includes the name of the LAG that the port belongs to |
| | - [PCRF][PPP][Framed-pool] Added: DHCP option ''Client-Id'' now includes ''tunnel-IP'' as part of the subscriber ID. Format of DHCP option ''Client-Id'' with fastpcrf.conf option ''dhcp_client_id=1'' is as follows: <code> |
| | [conntype][subs_id][tunnel_ip] |
| |
| ====Changes in version 13.2 BETA3==== | conntype = 1 (1 byte) |
| | subs_id - 16 bytes |
| | tunnel_ip - 4 bytes</code> Tunnel IP is available in L2TP; for PPPoE, tunnel IP = 0. |
| | - [IPFIX] Message aggregation added for IPFIX streams: FullFlow/DNS/META/NAT |
| | - [IPFIX] Added parameter ''ipfix_mtu_limit'' to restrict maximum message size for IPFIX UDP packets |
| | - [IPFIX DNS] New elements added to IPFIX DNS: 224 (ipTotalLength) and 43823:3206 (DNS transaction id) |
| | - [VRRP] Fixed proper handling of the ''vrrp_enable'' option change |
| | - [BRAS][PPP] PPP session key is now compound: ''l2subs_id'' + ''tunnel-IP''. For PPPoE sessions, tunnel IP = 0. CLI commands that use ''subs_id'' as a key (''subs prop show'', ''l2tp show session'', ''l2tp term'', etc.) may now return multiple entries with the same ''l2subs_id''. |
| |
| - [DPI] Improved: analysis of out-of-order packets. | ====Changes in version 14.0 BETA3==== |
| - [DPI] Fixed: recognition of DOT protocol. | |
| - [CTRL] Added: new format for policing output: <code bash>fdpi_ctrl list profile --policing --profile.name htb_6 --outformat=json2</code> | |
| - [CTRL] Added: loading of policing profiles with the new format (including value and unit). | |
| - [BRAS][IPv6] Added: upon receiving a DHCPv6 confirm from the client and if there is no session in the BRAS database, a response with the status "NotOnLink" is sent. | |
| - [FastPCRF][DHCPv6] Fixed: an error causing the current IPv6 accounting session to close and reopen when processing DHCPv6 requests from the client to renew the address lease. | |
| |
| ====Changes in version 13.2 BETA4==== | - [DPI] Added cloud protocols with identifiers 55296..58367 |
| | - [IPFIX] Fixed IPFIX exporter reinitialization bugs |
| | - [BRAS][subs_grooming] Fixed potential crash due to race condition during fastDPI shutdown |
| | - [CLI] Added commands to display mempool properties and statistics<code> |
| | hal mempool props |
| | hal mempool stat</code>DPDK must be built with statistics collection enabled to display mempool stats |
| | - [BRAS][DHCP] Fixed crash when parsing Framed-Pool Renew response if it contains no DHCP options |
| | - [PCRF][Acct] Fixed: Interim-Update sending is now disabled when ''Acct-Interim-Interval = 0'' is explicitly set in the RADIUS response |
| | - [VASE_CLI] Created a unified CLI for managing DPI, BRAS, DHCP (KEA), ROUTER (BIRD) with support for authorization and command logging via TACACS (VEOS 8.x required) |
| | - [SNMP] Created a module for monitoring system components via SNMP |
| |
| - [DPI] Added: updating ''asnum.bin'' from the cloud, the ''asnum_download'' parameter is similar to the set of values in ''[[dpi:dpi_options:opt_filtration:filtration_settings|federal_black_list]]''. | ====Changes in version 14.0 BETA4==== |
| - [DPI] CUSTOM protocols now have priority over others downloaded from the cloud. | - [DPI] Added DOQ 49318 protocol (DNS-over-QUIC) |
| - [DPI] Added: setting the number of buffers for processing out-of-order packets. | - [Router] Announcing subscriber white addresses for 1:1 NAT individually and after authentication |
| - Added: parameter ''mem_ssl_savebl'' (cold). Specifies the number of buffers saved for SSL parsing during packet reordering.\\ Default = 10% of ''mem_ssl_parsers''. If the value == 0, saving and processing do not occur.\\ The first value is from the conf file, in parentheses is the value used.\\ Example output from alert: | - [PCRF] Added support for service 19 "DNS spoofing", profile required. |
| - Parameter not set<code bash> | - [DPDK] Added ''dpdk_engine=6'' (''mqrx-bridge'') — number of RSS dispatchers per bridge. Total number of dispatchers = ''dpdk_rss * number of bridges''. NIC configuration: RX queue count = ''dpdk_rss'', TX queue count = number of worker threads (''num_threads''). Intended for setups with many bridges (dev1:dev2:dev3:...) for 100G+ NICs, as a replacement for the cluster approach. On-stick devices are supported. |
| mem_ssl_parsers : 320000 | - [DPDK] Removed dedicated mempools. The fastdpi.conf option ''dpdk_emit_mempool_size'' is deprecated and no longer used. |
| mem_ssl_savebl : -1 (32000)</code> | - [VLAN-Rule] Moved vlan group data from UDR to SDR. Global rules for vlan drop/pass/hide/permit set by the previous CLI command ''vlan group'' were converted and moved from UDR to SDR, with removal from UDR. |
| - ''mem_ssl_savebl=1234'' is set<code bash> | - [VLAN] VLAN rules — added CLI commands: |
| mem_ssl_parsers : 320000 | - ''vlan rule add'' - add new rule to SDR |
| mem_ssl_savebl : 1234 (1234)</code> | - ''vlan rule modify'' - modify existing rule in SDR |
| - Added: utilization statistics for saving SSL request parsing buffers <code bash> | - ''vlan rule delete'' - delete rule from SDR |
| [STAT ][2024/08/07-13:33:16:262335] Detailed statistics on SSL_SAVEBL : | - ''vlan rule show'' - show all rules for the specified VLAN/QinQ |
| thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348 | - ''vlan rule dump'' - dump all rules in SDR |
| Total : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348</code>Let's denote: ''a1/a2/a3 b1/b2/b3/b4/b5 c1/c2/c3 d1/d2/d3''\\ ''a1'' — allocated memory size for saving the record of subsequent parsing (matches snaplen)\\ ''a2'' — records allocated\\ ''a3'' — records used\\ \\ ''b1'' — total number of errors during packet saving processing\\ ''b2'' — buffer size read is too large\\ ''b3'' — an incorrect ''isbl_t ind_'' was passed to the function\\ ''b4'' — error adding a record to arw — no space to save the list of used buffers\\ ''b5'' — error adding data to ''p_data'' (unable to save buffer)\\ \\ ''c1'' — number of requests for data saving\\ ''c2'' — saved packets released\\ ''c3'' — total size of packets that were saved\\ \\ ''d1'' — average size of saved TCP packet\\ ''d2'' — min size of saved TCP packet\\ ''d3'' — max size of saved TCP packet | - ''vlan rule purge vlan''/''qinq''/''all'' - clear SDR for VLAN/QinQ or both |
| - [BRAS][DHCPv6] Added the ability to extract option 37 and option 38 from the client packet. | - ''vlan rule apply'' - apply rules; by default, rules are applied 5 minutes after the last SDR modification |
| - [Router][tap] Fixed: initialization of bridge status at fastDPI startup. The TAP device for through LAG is in the Up state if at least one port in the through LAG is Up and its other end in the bridge is also Up. The bridge status (Up/Down) was previously calculated only on link Up/Down events, and at fastDPI startup, the bridge status was assumed to be Down. This patch initializes the bridge status (Up/Down) at router startup based on the current port status. | - [IPv6] Added direction detection in combined traffic (IN+OUT on one port) based on the local flag for IP addresses. Enabled via ''combined_io_direction_mode'' option |
| - [BRAS] Fixed: local interconnect is allowed only if srcIP is a known subscriber. Previously, it was not checked whether srcIP was a known subscriber, which could lead to IP address spoofing of a subscriber and DDoS attacks from this spoofed IP against other local subscribers marked as local interconnect. | |
| - Added: CLI command ''permit''. | |
| |
| ====Changes in version 13.2 BETA5==== | ====Changes in version 14.0 BETA4.1==== |
| | - [BRAS] Fixed compatibility with the old format of service 18, where there were fewer protocols and both fields in the profile needed to be filled |
| | - [DPI] Lowered detection priority for ''telegram_tls'' |
| |
| - [DPI] Fixed buffer exhaustion for processing out-of-order packets | ====Changes in version 14.0 BETA4.2==== |
| - [CLI][Ping] Changed: error message if subs IP not found | - [DPI] Improved detection of ''WECHAT'' and ''WECHAT_CALL'' |
| - [CLI] Added: boolean flag ''on_stick'' added to the JSON output of the ''dev xstat'' command | - [BRAS][Framed-Route] Fixed: possible crash when freeing memory |
| - [CLI] Changed: JSON output of the ''dev info'' command for on-stick devices.\\ For an on-stick device, it was:<code bash>"pci_address": "on-stick based on 82:00.3"</code>Now:<code bash> // base device address | - [BRAS] Refactored PCRF connectivity: in the new implementation, all connections are equal; an error on any triggers reconnection of all connections and a switch to another PCRF. Added CLI commands: |
| "pci_address": "82:00.3" | - ''pcrf connect show'' — show current status and accumulated statistics for PCRF connections. |
| // on-stick flag | - Force connection to the specified PCRF ''pcrf connect switch [<pcrf_index>]'', where ''<pcrf_indxed>'' is the index of the connection line in the ''auth_server'' parameter. If ''<pcrf_indxed>'' is not specified — defaults to 0. |
| "on-stick": "true|false"</code> | - [IPFIX DNS] Added the ability to send DNS MX responses via IPFIX. Enabled by setting bit 3 (4) of the ''ajb_save_dns'' parameter |
| - Changed: statistics format <code bash> | |
| [STAT ][2024/08/19-17:26:05:599912] Detailed statistics on SSL_SAVEBL: | |
| thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000 | |
| Total: 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000</code>Explanation: ''a1/a2/a3 b1/b2/b3/b4/b5 c1/c2/c3 d1/d2/d3 e1/e2/e3''\\ ''a1'' — memory size allocated for saving the record of the subsequent analysis (matches snaplen)\\ ''a2'' — records allocated\\ ''a3'' — records used\\ \\ ''b1'' — total number of errors in packet save processing\\ ''b2'' — read buffer size is too large\\ ''b3'' — invalid ''isbl_t ind_'' passed to the function\\ ''b4'' — error adding records to arw — no space to save the list of used buffers\\ ''b5'' — error adding data to ''p_data'' (unable to save buffer)\\ \\ ''c1'' — number of requests to save data\\ ''c2'' — saved packets freed\\ ''c3'' — total size of packets that were saved\\ \\ ''d1'' — average size of the saved TCP packet\\ ''d2'' — min size of the saved TCP packet\\ ''d3'' — max size of the saved TCP packet\\ \\ ''e1'' — records used in the arw queue\\ ''e2'' — free records (can be reused)\\ ''e3'' — records allocated in the queue | |
| - Removed fake yandex sni from TELEGRAM_TLS | |
| |
| ====Changes in version 13.2 BETA6==== | ====Changes in version 14.0 BETA4.3==== |
| | - [DPI] Added FakeTLS protocol (49319) with validation |
| | - [BRAS][DHCP] Changed: sliding window algorithm for rate limit |
| | - [BRAS] Fixed: time comparison error when loading ip_prop from UDR |
| | - [VLAN-Rule] Added support for 'any' instead of '*' when describing VLAN range <code> |
| | '*.*' is interpreted in bash command line as a file search mask, so now instead of '*', you can specify 'any' ('*' is still supported): |
| | 'any.any' - equivalent to '*.*' |
| | 'any' - equivalent to '*' |
| | '68.any' - equivalent to '68.any' |
| | 'any.78-90' - equivalent to '*.78-90' </code> |
| | - [BRAS] Removed support for DHCP-Dual (moved to next release) |
| | - [DPI][LOG] Messages about insufficient SSL parsers are written to the slave log not for every event, but at a frequency of 1/50000. |
| |
| - [DPI] Added support for fragmented QUIC IETF processing | ====Changes in version 14.0 BETA4.4==== |
| - Added parameter ''mem_quic_ietf_savebl''. Specifies the number of buffers for parsing ''quic_ietf'' requests consisting of multiple packets. Default value is 15% of ''mem_ssl_parsers'' | - [DPI] Added protocols ZALO_CALL(49320) and VK_CALL(49321) |
| - [DPI] Added protocols: | - [DPI] Fixed blocking in hard mode for SSL |
| <code bash> | - [Acct] Added attribute ''VASExperts-Service-Type''. Radius acct start/interim/stop sends the authorization type in the ''VASExperts-Service-Type'' attribute. |
| "HLS VIDEO" 49298 | - [CLI] Added: ''stat flow ip6'' command to display IPv6 flow statistics |
| "ICMP TUNNEL" 49299 | - [CLI] Added: ''stat flow ip4'' command to display IPv4 flow statistics. Analogous to the output in ''fastdpi_stat.log''. |
| "DNS TUNNEL" 49300 | - [IPFIX] Fixed ExportTime formation error in IPFIX Fullflow |
| "FORTICLIENT_VPN" 49301 | - [CLI] Added ''stat netflow'' command. Displays general statistics for Netflow/IPFIX (same as in ''fastdpi_stat.log'' under the "Statistics on NFLW_export" section) |
| </code> | - [DNS] Added support for substitution/blocking/dropping of DNS requests A, AAAA, MX, HTTPS |
| - Added the ability to send DNS query via IPFIX | - [CLI] Added ''stat firewall'' command |
| - [DPDK] Added read-only engines: RSS and port dispatcher | |
| - [BRAS][SHCV] Fixed SHCV invocation before full pipeline startup. This was possible in multi-port configurations where pipeline startup time is relatively long. | |
| - [DPDK] Added output of mempool type created at fastDPI startup | |
| - [Router] Added statistics for TAP devices. The CLI command ''router vrf show'' output now includes statistics on TAP devices: how many packets/bytes were read from TAP, how many were written to the port from TAP, how many were sent to TAP, the number of events, and errors. | |
| - [Router] Changed packet sending behavior for TAP devices: the selected slave thread for writing is bound to the TAP interface for the next 5 seconds, which should significantly reduce reordering during high traffic from the TAP interface. | |
| | |
| Here's the translation into English with formatting preserved: | |
| | |
| ====Changes in version 13.2 BETA7==== | |
| | |
| - [DPI] Fixed detection of DNS TUNNEL | |
| - [DPI] Added protocols <code bash> | |
| "CISCO_ANYCONNECT_VPN" 49302 | |
| "SHADOWSOCKS_VPN" 49303 | |
| "NOT_DNS" 49304 | |
| </code> | |
| - Changed log level for telemetry requests to INFO regardless of the request result | |
| | |
| ====Changes in version 13.2 BETA8==== | |
| |
| - [DPI] Improved detection of CISCO_ANYCONNECT_VPN, SHADOWSOCKS_VPN, DPITUNNEL | ====Changes in Version 14.0 BETA4.5==== |
| - [fastPCRF][ACCT] Fixed Interim-Update sending when switching to a backup RADIUS server | - [DPI] Added BIGO_CDN protocol (49324) |
| | - [DPI] Added UDP support for BIGOTV |
| | - [PCRF][L2TP] Fixed: NAS attributes for L2TP during authorization |
| | - [BRAS][L2TP] Fixed: data race when closing sessions |
| | - [DPDK] Removed deprecated rx channels settings and related checks |
| ====Update instructions==== | ====Update instructions==== |
| You can check the current installed version with the command below | You can check the current installed version with the command below |
| </code> | </code> |
| | |
| Downgrade to 13.1: | Downgrade to 13.3: |
| |
| <code bash> | <code bash> |
| yum downgrade fastdpi-13.1 fastpcrf-13.1 | yum downgrade fastdpi-13.3 fastpcrf-13.3 dpiutils-13.3 fastradius-13.3 |
| </code> | </code> |
| |
