Changelog of SSG BETA-version [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

en:dpi:dpi_components:platform:dpi_admin:testversion_install [2024/11/13 10:18] elena.krasnobryzh
en:dpi:dpi_components:platform:dpi_admin:testversion_install [2025/02/17 14:32] (current) elena.krasnobryzh
Line 1: Line 1:
-====== Test version installation ======+====== Changelog of SSG BETA-version ======
 {{indexmenu_n>3}} {{indexmenu_n>3}}
  
-====Changes in version 13.BETA1====+====Changes in version 13.BETA1====
  
-  - [BRAS][PPPoEFixed: ping of inactive client with Echo requests +  - [DPINew protocols added: BIGOTV [49305], SAYHI [49306], AZARLIVE [49307]. 
-  - Support for service profiles 19 (DNS response substitution)[[en:dpi:dpi_options:dns_substitution|Description]] +  - Added: hot parameter ''smartdrop = 1''. If ''drop'' is set for the protocol, it will be deferred until the TLS is parsed or a TLS parsing error occurs. 
-  - For service 19ability to specify AAAA records and support for wildcard (*for domains[[en:dpi:dpi_options:dns_substitution|Description]] +  - FixedAdding HTTP domains ending with '':'' (port number). 
-  - Fixed: for profile 18, it is not required to set both DSCP and TBF simultaneously+  - [Utils] Fixed: ''checkproto'' now considers MARK1 and checks if the port number is specified. For example''checkproto 8.8.8.8 443 www.google.com'' and ''checkproto 8.8.8.8 www.google.com'' may return different results. 
 +  - Changed the path for loading ASNUM from VAS Cloud (cloud.vasexperts.ru). 
 +  - Blacklist blocking in GTP tunnel (with the ''detect_gtp_tunnel'' setting). 
 +  - Fixed: HTTPS blocking with the ''hard'' option.
  
-====Changes in version 13.BETA2====+====Changes in version 13.BETA2====
  
-  - Fixed: IP:PORT priority over IP and CIDR for custom protocol definitions +  - [DPI] Improved Viber recognition. 
-  - Modified: custom protocols have higher priority than cloud protocols +  - Support for reload of ''/etc/dpi/asnum6.bin''. 
-  - Fixed: length of AAAA records in service 19 +  - [Utils] ''bin2as'' now accepts any number of input files as arguments. 
-  - Added: mask 8 in ''block_options'' - do not generate rst blocking and redirection packets for packets directed from inet-->subs. [[en:dpi:dpi_options:opt_filtration:filtration_settings#blocking_settings|Description]]+  - [Utils] ''ascheckip'' accepts addresses for batch verification via ''stdin''
 +  [Utils] ''bgp2bin'' works similarly to ''as2bin'', but only accepts /24 or larger subnets. It recognizes the IP1-IP2 range format as in RIPE records (extracting /24 or larger subnets from it). Subsequent entries take precedence over previous ones, creating a slightly larger file than ''as2bin''. However, in this file, subnet ranges do not overlap (as less prioritized entries are filtered out). This allows the utility to process data from multiple sources in order of priority. 
 +  - [BRAS][PPPFixed: Heterogeneous dual-stack. One address (IPv4 or IPv6) is explicitly set, while the other (IPv6 or IPv4) is assigned via framed-pool.
  
-====Changes in version 13.BETA3====+====Changes in version 13.BETA3.2====
  
-  - [DPI] Improved: analysis of out-of-order packets. +  - [DPI] Fixed: searching for both ''*'' and '':'' in HTTP domains simultaneously 
-  - [DPI] Fixed: recognition of DOT protocol. +  - [DPIFixedremoval of addresses in virtual channels during reload 
-  - [CTRL] Added: new format for policing output<code bash>fdpi_ctrl list profile --policing --profile.name htb_6 --outformat=json2</code> +  - [DPIFixedignoring drop when the ''smartdrop'' parameter is set in case of SSL parsing errors 
-  - [CTRLAddedloading of policing profiles with the new format (including value and unit). +  - [BRAS][PPP] Fixed: consideration of the ''bras_pppoe_trace_mac'' option when saving DHCPv6 packets in pcap. Previously, only the ''bras_dhcp_trace_mac'' option was considered. Now, for DHCPv6 packets in the PPPoE tunnel, ''bras_pppoe_trace_mac'' is also taken into account 
-  - [BRAS][IPv6] Addedupon receiving a DHCPv6 confirm from the client and if there is no session in the BRAS database, a response with the status "NotOnLink" is sent. +
-  - [FastPCRF][DHCPv6] Fixed: an error causing the current IPv6 accounting session to close and reopen when processing DHCPv6 requests from the client to renew the address lease.+
  
-====Changes in version 13.2 BETA4====+====Changes in version 13.3 BETA3.3====
  
-  - [DPI] Added: updating ''asnum.bin'' from the cloud, the ''asnum_download'' parameter is similar to the set of values in ''[[dpi:dpi_options:opt_filtration:filtration_settings|federal_black_list]]''+  - [DPI] Reduced the number of false positives for DPI TUNNEL 
-  - [DPI] CUSTOM protocols now have priority over others downloaded from the cloud. +  - [DPI] Fixed errors when assigning vchannel by IP/CIDR
-  - [DPI] Added: setting the number of buffers for processing out-of-order packets. +
-  - Added: parameter ''mem_ssl_savebl'' (cold). Specifies the number of buffers saved for SSL parsing during packet reordering.\\ Default = 10% of ''mem_ssl_parsers''. If the value == 0, saving and processing do not occur.\\ The first value is from the conf file, in parentheses is the value used.\\ Example output from alert: +
-    - Parameter not set<code bash> +
-    mem_ssl_parsers              : 320000 +
-    mem_ssl_savebl               : -1 (32000)</code> +
-    - ''mem_ssl_savebl=1234'' is set<code bash> +
-    mem_ssl_parsers              : 320000 +
-    mem_ssl_savebl               : 1234 (1234)</code> +
-  - Added: utilization statistics for saving SSL request parsing buffers <code bash> +
-    [STAT    ][2024/08/07-13:33:16:262335] Detailed statistics on SSL_SAVEBL : +
-             thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348 +
-             Total : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348</code>Let's denote: ''a1/a2/a3 b1/b2/b3/b4/b5 c1/c2/c3 d1/d2/d3''\\  ''a1'' — allocated memory size for saving the record of subsequent parsing (matches snaplen)\\ ''a2'' — records allocated\\ ''a3'' — records used\\ \\ ''b1'' — total number of errors during packet saving processing\\ ''b2'' — buffer size read is too large\\ ''b3'' — an incorrect ''isbl_t ind_'' was passed to the function\\ ''b4'' — error adding a record to arw — no space to save the list of used buffers\\ ''b5'' — error adding data to ''p_data'' (unable to save buffer)\\ \\ ''c1'' — number of requests for data saving\\ ''c2'' — saved packets released\\ ''c3'' — total size of packets that were saved\\ \\ ''d1'' — average size of saved TCP packet\\ ''d2'' — min size of saved TCP packet\\ ''d3'' — max size of saved TCP packet +
-  - [BRAS][DHCPv6] Added the ability to extract option 37 and option 38 from the client packet. +
-  - [Router][tap] Fixed: initialization of bridge status at fastDPI startup. The TAP device for through LAG is in the Up state if at least one port in the through LAG is Up and its other end in the bridge is also Up. The bridge status (Up/Down) was previously calculated only on link Up/Down events, and at fastDPI startup, the bridge status was assumed to be Down. This patch initializes the bridge status (Up/Down) at router startup based on the current port status. +
-  - [BRAS] Fixed: local interconnect is allowed only if srcIP is a known subscriber. Previously, it was not checked whether srcIP was a known subscriber, which could lead to IP address spoofing of a subscriber and DDoS attacks from this spoofed IP against other local subscribers marked as local interconnect. +
-  - Added: CLI command ''permit''.+
  
-====Changes in version 13.2 BETA5====+====Changes in version 13.3 BETA3.4====
  
-  - [DPI] Fixed buffer exhaustion for processing out-of-order packets +  - [DPI] Fixed: blocking by IP of DNS working over TCP 
-  - [CLI][Ping] Changed: error message if subs IP not found +  - [DPIIncreased packet inspection depth when searching for BIGOTV 
-  - [CLIAdded: boolean flag ''on_stick'' added to the JSON output of the ''dev xstat'' command +  - [DPI UtilsFixed ''checkproto'' for the case of an unknown IP protocol 
-  [CLI] Changed: JSON output of the ''dev info'' command for on-stick devices.\\ For an on-stick device, it was:<code bash>"pci_address": "on-stick based on 82:00.3"</code>Now:<code bash>    // base device address +  - Initial support for writing alert logs to syslog. Enabled with the ''syslog_level=7'' setting (defines the highest level of messages to be duplicated in syslog, default is off). Notes: 
-    "pci_address""82:00.3+    By default, rsyslog replaces tab characters and newlines with their codes when writing to a text log. To disable this, create a file ''/etc/rsyslog.d/fastdpi.conf'' with the setting <code bash>global(parser.escapeControlCharactersOnReceive="off")</code> or use the ''journalctl'' utilityExample: <code bash>journalctl -t fastdpi -p 4 --since "1 hour ago" -o verbose --output-fields PRIORITY,MESSAGE</code> 
-    // on-stick flag +    - Logs can be redirected to a remote server. Example from ''/etc/rsyslog.conf'': 
-    "on-stick""true|false"</code> +      - On the local server with fastdpi:<code bash>*.*  action(type="omfwdtarget="192.0.0.1" port="10514" protocol="tcp
-  Changedstatistics format <code bash> +            action.resumeRetryCount="100" 
-    [STAT    ][2024/08/19-17:26:05:599912] Detailed statistics on SSL_SAVEBL: +            queue.type="linkedListqueue.size="10000")</code> 
-             thread_slave0 : 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000 +      On the remote server:<code bash>input(type="imptcp" port="10514" 
-             Total: 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000</code>Explanation: ''a1/a2/a3 b1/b2/b3/b4/b5 c1/c2/c3 d1/d2/d3 e1/e2/e3''\\ ''a1'' — memory size allocated for saving the record of the subsequent analysis (matches snaplen)\\ ''a2'' — records allocated\\ ''a3'' — records used\\ \\ ''b1'' — total number of errors in packet save processing\\ ''b2'' — read buffer size is too large\\ ''b3'' — invalid ''isbl_t ind_'' passed to the function\\ ''b4'' — error adding records to arw — no space to save the list of used buffers\\ ''b5'' — error adding data to ''p_data'' (unable to save buffer)\\ \\ ''c1'' — number of requests to save data\\ ''c2'' — saved packets freed\\ ''c3'' — total size of packets that were saved\\ \\ ''d1'' — average size of the saved TCP packet\\ ''d2'' — min size of the saved TCP packet\\ ''d3'' — max size of the saved TCP packet\\ \\ ''e1'' — records used in the arw queue\\ ''e2'' — free records (can be reused)\\ ''e3'' — records allocated in the queue +      ruleset="writeRemoteData") 
-  - Removed fake yandex sni from TELEGRAM_TLS+ruleset(name="writeRemoteData" 
 +        queue.type="fixedArray" 
 +        queue.size="250000" 
 +        queue.dequeueBatchSize="4096" 
 +        queue.workerThreads="4" 
 +        queue.workerThreadMinimumMessages="60000" 
 +       ) { 
 +    action(type="omfile" file="/var/log/fastdpi.log" 
 +           ioBufferSize="64k" flushOnTXEnd="off" 
 +           asyncWriting="on")</code>
  
-====Changes in version 13.2 BETA6==== 
- 
-  - [DPI] Added support for fragmented QUIC IETF processing 
-  - Added parameter ''mem_quic_ietf_savebl''. Specifies the number of buffers for parsing ''quic_ietf'' requests consisting of multiple packets. Default value is 15% of ''mem_ssl_parsers'' 
-  - [DPI] Added protocols:   
-<code bash>   
-"HLS VIDEO"          49298   
-"ICMP TUNNEL"        49299   
-"DNS TUNNEL"         49300   
-"FORTICLIENT_VPN"    49301   
-</code> 
-  - Added the ability to send DNS query via IPFIX 
-  - [DPDK] Added read-only engines: RSS and port dispatcher 
-  - [BRAS][SHCV] Fixed SHCV invocation before full pipeline startup. This was possible in multi-port configurations where pipeline startup time is relatively long. 
-  - [DPDK] Added output of mempool type created at fastDPI startup 
-  - [Router] Added statistics for TAP devices. The CLI command ''router vrf show'' output now includes statistics on TAP devices: how many packets/bytes were read from TAP, how many were written to the port from TAP, how many were sent to TAP, the number of events, and errors. 
-  - [Router] Changed packet sending behavior for TAP devices: the selected slave thread for writing is bound to the TAP interface for the next 5 seconds, which should significantly reduce reordering during high traffic from the TAP interface. 
- 
-Here's the translation into English with formatting preserved: 
- 
-====Changes in version 13.2 BETA7==== 
- 
-  - [DPI] Fixed detection of DNS TUNNEL 
-  - [DPI] Added protocols <code bash> 
-"CISCO_ANYCONNECT_VPN" 49302 
-"SHADOWSOCKS_VPN"      49303 
-"NOT_DNS"              49304  
-</code> 
-  - Changed log level for telemetry requests to INFO regardless of the request result 
- 
-====Changes in version 13.2 BETA8==== 
- 
-  - [DPI] Improved detection of CISCO_ANYCONNECT_VPN, SHADOWSOCKS_VPN, DPITUNNEL   
-  - [fastPCRF][ACCT] Fixed Interim-Update sending when switching to a backup RADIUS server   
- 
-====Changes in version 13.2 BETA8.1==== 
- 
-  - [BRAS][CLI] Fixed: SHCV closed subscribers are now not displayed with the ''fdpi_cli subs prop show active'' command. 
-  - [BRAS][Auth] Optimization of service connection/disconnection 
- 
-====Changes in version 13.2 BETA8.2==== 
- 
-  - [FastRadius] Configuration file parsing moved to new engine 
-  - [DPI] Improved detection of CISCO_ANYCONNECT_VPN, FORTICLIENT_VPN, SHADOWSOCKS_VPN. 
- 
-====Changes in version 13.2 BETA9==== 
- 
-  - [DPI] Improved decoding of fragmented QUIC 
-  - [BRAS][DHCP] Offer is sent first to bcast 255.255.255.255 
-  - [BRAS][CLI] Fixed: the ''dhcp show stat vrf'' command is supported only in Radius proxy mode (in DHCP Relay mode, calling this command caused a crash) 
  
 ====Update instructions==== ====Update instructions====
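Review bot: In the 13.3 BETA3.4 entry, the remote-server rsyslog example opens the ruleset body with '') {'' but ends at ''asyncWriting="on")</code>'' with no closing ''}'', so the configuration will not parse if pasted as shown; add the closing brace before ''</code>''. In the same entry the forwarding example uses ''target="192.0.0.1"'', which falls in the block reserved for IETF protocol assignments; an address from the documentation range 192.0.2.0/24 would be safer for readers to copy. The forwarding action is shown with ''protocol="tcp"'' and no transport protection settings, so it would help to state that alert logs travel to the collector in cleartext with this example. The new revision also drops the 13.2 BETA4 through BETA9 entries, including the [BRAS] fix that restricts local interconnect to known subscriber srcIP; if those entries moved to another page, link to it from here so the fix history stays reachable. Finally, the headings mix "13.BETA3.2" with "13.3 BETA3.3"; please confirm the first is not missing its minor version.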