Differences

This shows you the differences between two versions of the page.

--- en:dpi:update:start [2024/04/16 13:29] – elena.krasnobryzh
+++ en:dpi:update:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-====== SSG changelog and update ======
-{{indexmenu_n>9}}
-====== DPI/BNG Versions Update  ======
-<note important>As of version 12.0, DPI is only installed on CentOS 8.x and [[en:veos:installation|VEOS]]!</note>
-If you have version of CentOS 6.x or CentOS 8.x installed, switch the repository once with the command:
-<code bash>
-sed -i -e '/^mirrorlist=http:\/\//d' -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' /etc/yum.repos.d/CentOS-*.repo
-</code>
-Then run updates as usual:
-<code bash>
-yum update fastdpi
-</code>
-<note tip>If the error ''Module yaml error'' appears during the upgrade, you should upgrade the module ''dnf upgrade libmodulemd''.</note>
-After updating, restart the DPI:
-<code bash>service fastdpi restart</code>
-and other dependent procoesses (PCRF/Radius), but only if they are actually used and their configuration is valid:
-<code bash>
-service fastpcrf restart
-service fdpi_radius restart
-</code>
-You can update the operating system components **Do not update the kernel version and its dependent utilities!**\\
-For CentOS 6.x:
-<code bash>
-yum --exclude=kernel*,util-linux-ng,libuuid,libblkid update
-</code>
-For CentOS 8.x:
-<code bash>
-yum update
-</code>
-**Note for users running the DPI in a virtual environment, using old CPU (release of 2009) and AMD CPU:**\\
-Run the following command before the update:
-<code bash>touch /etc/dpi/noprioadj</code>
-and it causes the DPI process to be launched with normal priority (not the realtime), thus significantly reducing the consumption of CPU system (sys) resourses, but slightly increasing the latency on the platform.
-<note tip>Customers using BRAS functionality should note the changes when upgrading SSG to the new version.</note>
-===== DPI platform update to version 13.0 Congo =====
-.0 Congo ((Cradle of mankind: humans have lived here for over 50,000 years))
-You can check the current installed version with the command:
-<code bash>
-yum info fastdpi
-</code>
-Rollback to 12.4:
-<code bash>
-yum downgrade fastdpi-12.4-0 fastpcrf-12.4-0
-</code>
-After an update or version change, a restart of the service is required:
-<code bash>
-service fastdpi restart
-</code>
-:!: If PCRF and/or Radius are used, they should also be restarted. The following order is preferred for restarting PCRF:
-<code bash>
-service fastdpi stop
-service fastpcrf restart
-service fastdpi start
-</code>
-:!: Do not perform Linux kernel upgrades. Newer versions of the kernel may break binary compatibility with the Kernel ABI and the network driver will not load after the upgrade. If you do upgrade, set the GRUB boot loader to load the previous version of the kernel: set the ''default=1'' parameter in the ''/etc/grub.conf'' file while the problem is being resolved.
-If the update displays a message that the update was not found or there are dependency issues, run the command before updating:
-<code bash>
-yum clean all
-</code>
-==== Changes in version 13.0 ====
-===DPI===
-  - On-stick support for LAG/LACP. [[en:dpi:dpi_components:platform:dpi_inst_spec:dpi_onstick:start|Description]]
-  - Transition to DPDK 23.11
-  - Modified: for QUIC and QUIC_IETF: if no SNI is detected - check by AS
-  - Modified: when analyzing STUN, AS from Facebook is checked - define FACEBOOK_VIDEO, not WHATSAPP_VOICE
-  - Setting RSS hash flags for UDP and TCP
-  - Modified: openvpn protocol definition
-  - Fixed: SIGHUP processing only if fastDPI is fully initialized. Possible crash if SIGHUP is received during fastDPI startup process
-  - Trace/debug packet recording moved to new API
-  - Added: wechat protocol support for UDP
-  - Support for additional markup of autonomous systems ''mark1'', ''mark2'', ''mark3''. [[en:dpi:dpi_options:opt_priority:priority_config_as:start|Description]]
-  - Prioritize SNI detection in custom signatures for autonomous systems marked as ''mark1''. [[en:dpi:dpi_options:opt_priority:priority_config_as:start|Description]]
-  - Prioritize more specific custom SNI signatures.\\ Example: for host ''a.b.c.d'', if the signatures ''*.d'', ''*.c.d'' and ''*.b.c.d'' are present, the protocol defined by the signature ''*.b.c.d'' will be selected :!: works only for signatures with ''*''. [[en:dpi:dpi_components:dpiui:user_guide:vas_cloud_services:custom_protocols:start#protocols|Description]]
-  - Support for hard locks (despite hostname/SNI) - set in an additional field in the address blacklist, example: ''1.1.1.1 443 hard''. [[en:dpi:dpi_options:opt_filtration:making_dictionary:start|Description]]
-  - Improved detection of YOUTUBE, SIGNAL
-  - Added the DPITUNNEL protocol, which includes traffic anomalies commonly used for DPI traversal
-  - Updating dpiutils
-  - New protocols VK_CDN_VIDEO, META_CHAT
-  - Improved signatures of FACEBOOK_VIDEO, META_CALLS protocols
-  - Fixed protocol name VK_CDN_VIDEO
-  - Fixed: SNI decoding in QUIC IETF and possibility of crusting in exceptional cases
-  - Fixed: clearing search structures when deleting CUSTOM protocols
-  - Added ability to add comments (#) and blank lines in input files for utilities [[en:dpi:dpi_options:opt_priority:priority_config:start#to_convert_into_an_internal_format|lst2dscp]], [[en:dpi:dpi_options:opt_shaping:shaping_session:start#configuring_policing_by_session|lst2tbf]]
-  - Added protocols QUIC_UNKNOWN - QUIC without SNI and QUIC_UNKNOWN_MARKED - QUIC without SNI and AS labeled MARK2. [[en:dpi:dpi_options:opt_priority:priority_config_as:start|Description]]
-  - Fixed: stun character definition for TCP
-  - Modified: if the stun packet viewing limit is reached - set this protocol with AS in mind
-  - Updated utilities to support new protocols
-  - Improvements in QUIC_UNKNOWN, QUIC_UNKNOWN_MARKED, SIGNAL, DpiTunnel protocols
-  - SNI/HOST embedded protocol definitions are cloud-based, SNI/IP prioritization is supported
-  - Modified: SNI comparison is case-insensitive
-  - Added LANTERN_WEAK protocol signature
-  - Improved IMAP protocol recognition
-  - Corrects LPM when selecting channel by IP/CIDR
-  - Added: to DNS text file record format - format vchnl - virtual channel number.
-  - Added: to the IPFIX data transfer template for DNS channel number. [[en:dpi:dpi_options:opt_li:li_ipfix:start#dns|Description]]
-  - Fixed: crash on DNS trace
-  - Improved VIBER_VSTREAMS protocol definition
-  - Fixed: fastDPI does not accept or process any ctl requests during fastDPI stop process
-  - Added SSTP protocol (49296)
-  - Added ANYDESK protocol (54273)
-  - LANTERN recognition improved
-===BRAS===
-  - Added: accounting of DHCP packets from subscriber in billing statistics: subscriber CPE (i.e. Wi-Fi router) without clients (e.g. at night) - sends only license renewal requests. Since these requests were intercepted by BRAS and were not included in the accounting, the session was terminated by idle timeout
-  - Corrected: actions when QinQ/VLAN is changed for a subscriber
-  - Fixed: ''framed-pool renew''\\ In some cases, incorrect DHCP responses were generated. Added trace to DHCP packets log for ''framed-pool renew''.
-  - Fixed: receiving packets from relay. Previously it was checked that relay was on the fc::/7 network. Now this check is unnecessary and has been removed - relay can have any address.
-  - Fixed: DHCPv6 options parsing from Radius
-  - The ''subs prop show active'' command has been added. The command outputs a dump of L2 properties of all active (not-expired) subscribers. [[en:dpi:bras_bng:cli:subs:start#subs_prop_show|Description]]
-  - Modified: Prohibit calling CLI commands while stopped
-  - Fixed: idle-timeout for session. For PPPoE sessions idle timeout should be taken from the ''bras_ppp_idle_timeout'' setting if not explicitly set in the authorization response (Idle-Timeout attribute).
-  - Added priority forwarding with DSCP translation. [[en:dpi:dpi_options:opt_priority:priority_settings:start#configuring_dscp_inheritance_and_conversion|Description]]
-  - Corrected: Adding unnecessary option 61 (Client-Id) to fastDPI response when distributing address from Framed-Pool
-  - Fixed: Logging of DHCP server IP addresses
-  - Fixed: Enabling services with profiles. The `VasExperts-Service-Profile` attribute (service profile name, implicitly enables the service) has higher priority than `VasExperts-Enable-Service` (enabling/disabling a service without specifying a profile).
-  - Added ''ping inet'' command on behalf of subscribers through the entire BRAS/NAT/ROUTER processing chain. The prompt is ''fdpi_cli ping inet ?''. [[en:dpi:bras_bng:cli:subs:start#subs_ping_inet|Description]]
-  - Fixed: call of subscriber IP address deanounce when acct idle. Added new flag to router option ''router_subs_announce'': ''0x10000'' - deanounce L3 subscriber at acct idle (closing acct session by idle timeout). [[en:dpi:dpi_components:router:start#subscriber_announcements_and_nat_pool|Description]]
-  - Added support for specifying the profile of service 18 during authorization. Enabling service 18 in the Access-Accept Radius response is set in the usual way for a service with a mandatory profile (here ''serv18'' is the profile name):<code bash>VasExperts-Service-Profile = "18:serv18"</code>
-  - A search by ''MAC'' and ''subs_id'' has been added to the ''subs prop show'' command. The result of a search by ''MAC'' or ''subs_id'' can be multi-valued - several different entries for the same ''MAC''/''subs_id''. The result of the ''subs prop show active'' command has been changed, which may be critical when parsing the command's json wiggle. [[en:dpi:bras_bng:cli:subs:start#subs_prop_show|Description]]
-  - Fixed: setting link up/down flag for ports that do not support link up/down interrupts (e.g. af_packet)
-  - The return code of the uptime command. The CLI command ''uptime'' can be used to check if fastDPI is fully started: it returns ''result=0'' (Success) only when fastDPI is fully initialized and all worker threads are started. Upon receiving a response from fastDPI to the ''fdpi_cli uptime'' command, the fdpi_cli utility itself checks the result of the execution and if ''result!=0'' - sets a non-zero return code.
-  - Corrected: If VRF (service 254) was present in Access-Accept, the packet was incorrectly logged as invalid.
-  - Restoring UDR operation after calling a command with a large number of parameters
-===NAT===
-  - Added a ''checknat'' utility to check the distribution of white addresses. [[en:dpi:dpi_components:utilities:management_utilities:start#checknat|Description]]
-  - Fixed online change of ''nat_private_cidr'' parameter
-===Load Balancer===
-  - Added L2 traffic balancer mode. This enhancement allows to use SCAT as a traffic balancer based on IP addresses owned by AS and defined as ''local'' in ''asnum.dscp''. [[en:dpi:load_balancer:start|Description]]
-  - Added mqrx_lb_engine, which is activated when dpdk_engine=2. [[en:dpi:load_balancer:start#setting_etc_dpi_fastdpiconf|Description]]
-===Router===
-  - Mempool allocation for emit packets: we do not allow the pool to be completely exhausted, there should be at least 256 free elements in the pool
-  - The error of route deletion ''errno=3'' (No record found) has been moved to TRACE to avoid clogging the log
-  - Fixed the order of router components termination
-  - Changed: system error when clearing route tables. Cleaning of route tables (deleting all entries added by SCAT) is done at stop and start of fastDPI. During cleaning process EBUSY error may occur, which is fatal for netlink socket, socket should be closed.
-  - Fixed: TAP link down in LAG. If a port enters a lag, TAP this port to Link down state only when ALL LAG ports are down.
-  - Fixed: control of selfgen mempool exhaustion
-  - Optimization of data readout from TAP
-  - Fixed LAG+On-stick: put TAP in link down state. TAP is set to link down only when all ports in LAG are in down state. If there is at least one port in Up state - TAP should be in Link Up state.
-  - Corrected: Traffic diversion in router for on-stick device in LAG. When forming VRF topology, it was not taken into account that the LAG includes the base (physical) device, and the on-stick (virtual) device is specified in the router description.
-  - Fixed: Read all data from TAP device. At fastDPI startup there were possible situations when router is not fully initialized yet and TAP is already monitored but not read out.
-  - The router_subs_announce option is made hot (hot)
-  - Fixed: mbuf leak on fastDPI startup
-===SDS===
-  - The ''storage_tag'' value is set based on directional priority or protocol priority
-===Radius===
-  - Added the ability to work with standard linux interfaces using ''libpcap''. [[en:dpi:dpi_components:radius:radius_config:start#linux_interfaces_setup|Description]]