Service Management [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start [2023/12/05 14:52] elena.krasnobryzh
en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== Management of policing and services ====== 
-{{indexmenu_n>3}} 
-Subscribers' management is handled by fdpi_ctrl utility. 
- 
-<note important>We recommend using [[en:dpi:dpi_components:platform:subscriber_management:subsman_profiles:start|Named profiles]] which simplify the services and policies management.</note> 
- 
-===== Command syntax ===== 
- 
-General command format: 
-<code bash> 
-fdpi_ctrl command { --service service_identifier | --policing policing_description_file} [IP_list] [LOGIN_list] 
-</code> 
- 
-Here 'command' is: 
-<code bash> 
-load : load data 
-del  : remove. You have to specify 'program_identifier' for '--service'. No need to specify for policing 
-list : show the information on the specified 'IP_list' or all the information if the argument is 'all' 
-</code> 
- 
-service_identifier - is one of these values or their comma separated list: 
-<code> 
-1 - bonus program 
-2 - advertising 
-3 - block advertisements 
-4 - block list filtering 
-5 - allow list and Captive Portal 
-6 - notification via HTTP redirect 
-7 - caching 
-8 - DDos protection passed 
-9 - RADIUS accounting / collect netflow statistics for billing 
-10 - DDOS protection 
-11 - CGNAT and NAT 1:1  
-12 - traffic recording in PCAP 
-13 - mini-Firewall 
-14 - traffic diversion to the TAP interface 
-15 - specific subscriber (all traffic is placed in cs0, no filtering (4 service) is applied for vChannel and shared channel) 
-16 - allow list and redirecting to Captive Portal when there is no access to the Internet 
-17 - traffic mirroring to a specified VLAN 
-18 - session policing for certain protocols and traffic class definition at channel and subscriber levels 
-19 - destination IP spoofing for DNS traffic 
-49 - IPv6 traffic blocking 
-50 - member of a marketing campaign with notification via HTTP redirect 
-51 - reserved (internal) 
-254 - VRF 
-</code> 
- 
-<note tip>When blocking services are activated (4, 16, 49), only TCP traffic is blocked. To block UDP traffic as well, you must [[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start#configuring_tcp_and_udp_protocol_blocking|enable the]] ''[[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start#configuring_tcp_and_udp_protocol_blocking|udp_block]]'' parameter.</note> 
- 
-IP_list  - is a sequence or one of the following options: 
-<code> 
---file     - a file containing IP list 
---ip       - a single IP 
---ip_range - inclusive IP range 
---cidr     - CIDR (inclusive) CIDR~ (exclusive) 
-</code> 
- 
-You can exclude reserved addresses from the CIDR range (by classless convention, these are gateway and broadcast addresses) by adding the “~” symbol to the range definition at the end of the cidr definition, for example –cidr 5.200.43.0/24~ 
- 
-LOGIN_list  - is a sequence or one subscriber's name value in format: 
-<code bash> 
---login USER1 
---login "FIRST_NAME LAST_NAME" is the option to indicate login with special symbols screening 
-</code> 
- 
-IP list or LOGIN can be specified as: 
-<code bash> 
-192.168.0.1             a single IP 
-192.168.0.1-192.168.0.5 inclusive IP range 
-192.168.0.0/30          CIDR 
-"USER1"                 specify LOGIN in quotes 
-'USER2'                 specify LOGIN in single quotes 
-</code> 
- 
-Lines starting from '#' is as a comment. 
- 
-<note important>One can specify 'all' instead of IP/LOGIN list in commands list, del, clear. It means to apply the command to all subscribers.</note> 
- 
-===== Examples ===== 
- 
-To get the policing application list: 
-<code bash>  
-fdpi_ctrl list all --policing 
-</code> 
- 
-To get the list of subscribers with active service 1: 
-<code bash> 
-fdpi_ctrl list all --service 1 
-</code> 
- 
-To get the information for specified IP: 
-<code bash> 
-fdpi_ctrl list --policing  --ip 192.168.0.1 
-fdpi_ctrl list --service 1 --ip 192.168.0.1 
-</code> 
- 
-To activate service 1: 
-<code bash> 
-fdpi_ctrl load --service 1 --ip 192.168.0.1 
-or 
-fdpi_ctrl load --service 1 --login USER1 
-</code> 
- 
-To activate policing: 
-<code bash> 
-fdpi_ctrl load --policing tbf.cfg --ip 192.168.0.1 
-</code> 
- 
-To disable service 1: 
-<code bash> 
-fdpi_ctrl del --service 1 --ip 192.168.0.1 
-</code> 
- 
-One can specify several options '–file', '–ip', '–ip_range', '–cidr' when specifying IP list: 
-<code bash>  
-fdpi_ctrl list --service 1 --ip 192.168.0.1 --ip 192.168.0.2 --file fip_1.txt --ip_range 192.168.0.3-192.168.0.6 --login USER1 
-</code> 
-This action would be applied to all elements that do not cause any errors. 
- 
-<note warning>There is no undo for changes that were already implemented is made on errors.</note> 
- 
-Detailed description on policing and services' management one can find in chapters devoted to the respective [[en:dpi:dpi_options:start|options]].  
- 
-===== Configuring TCP and UDP protocol blocking ===== 
-The ''udp_block'' parameter is responsible for blocking the UDP protocol. If the DPI configuration file ''/etc/dpi/fastdpi.conf'' contains this parameter, then TCP+UDP blocking will take place, if not - only TCP will be blocked. 
- 
-To start blocking UDP protocols (e.g. QUIC), it is necessary to add the ''udp_block'' parameter to the configuration file with the value 2 or 3 (to start blocking after two or three packets have passed). Such values are set because there may be a large number of single packets that are not counted in the traffic, but may cause a heavy load on DPI.  
-<code bash> 
-udp_block=3 
-</code> 
- 
-Adding a parameter does not require a DPI restart, just a reload: 
-<code bash> 
-service fastdpi reload 
-</code>
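
Review bot: deleting the whole page drops the tip after the service_identifier list and the closing "Configuring TCP and UDP protocol blocking" section, which together state that blocking services 4, 16 and 49 stop only TCP unless ''udp_block'' is present in /etc/dpi/fastdpi.conf, and the revision is logged only as "removed - external edit" with no pointer to where the text went. Before this removal stands, confirm that the udp_block caveat and the "no undo" warning under Examples are present wherever this content now lives, and leave a redirect: the tip links to this page's own #configuring_tcp_and_udp_protocol_blocking anchor, so any copy of it will point at a deleted target. If the text is being migrated, the warning line "There is no undo for changes that were already implemented is made on errors." is worth rewording on the way, since as written it does not say clearly whether items applied before an error stay applied.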