SSG changelog and update [VAS Experts Documentation]

en:dpi:update [2025/04/29 07:36] elena.krasnobryzh
en:dpi:update [2025/07/01 08:59] (current) elena.krasnobryzh
Line 210: Line 210:
   - Fixed: zeroing the array when building a new list of active ports. The error leads to array overflow and memory corruption   - Fixed: zeroing the array when building a new list of active ports. The error leads to array overflow and memory corruption
   - Added: logging of the "no mbuf" error when sending LACP   - Added: logging of the "no mbuf" error when sending LACP
 +
 +====Changes in version 13.2====
 +  - [BRAS][PPPoE] Fixed: ping of inactive client via Echo requests
 +  - Added: support for service profile 19 (DNS response substitution). For service 19, it is possible to specify AAAA records and use * for domains. [[en:dpi:dpi_options:dns_substitution|Description]]
 +  - Fixed: service profile 18 no longer requires setting both DSCP and TBF simultaneously. [[en:dpi:dpi_options:opt_shaping:shaping_session#creating_a_service_profile|Description]]
 +  - Fixed: IP:PORT takes priority over IP and CIDR for custom protocol definitions. [[en:dpi:dpi_components:dpiui:user_guide:vas_cloud_services:custom_protocols|Description]]
 +  - Changed: user-defined protocol priority is now higher than cloud-defined ones. [[en:dpi:dpi_components:dpiui:user_guide:vas_cloud_services:custom_protocols|Description]]
 +  - Fixed: AAAA record length in service 19
 +  - Added: ''block_options'' parameter, mask 8 — do not generate RST packets for blocking and redirection for direction inet→subs. [[en:dpi:dpi_options:opt_filtration:filtration_settings#blocking_settings|Description]]
 +  - [DPI] Improved: analysis of out-of-order packets (now you can set number of buffers for out-of-order handling), decryption of fragmented QUIC. Also eliminated buffer exhaustion for out-of-order packets. [[en:dpi:dpi_options:opt_filtration:filtration_common|Description]]
 +  - [DPI] Fixed: DOT recognition
 +  - [CTRL] Added: new output format for policing. [[en:dpi:dpi_options:opt_bandwidth_mgmt:bandwidth_json#the_second_option|Description]] <code bash>fdpi_ctrl list profile --policing --profile.name htb_6 --outformat=json2</code>
 +  - [CTRL] Added: loading policing profiles with the new format (includes value and unit). [[en:dpi:dpi_options:opt_bandwidth_mgmt:bandwidth_json#the_second_option|Description]]
 +  - [BRAS][IPv6] Added: when client sends DHCPv6 confirm and session is absent in BRAS DB, reply with ''NotOnLink'' status
 +  - [FastPCRF][DHCPv6] Fixed: issue that caused current IPv6 accounting session to close and reopen when handling client's DHCPv6 lease renew requests
 +  - [DPI] Added: update of ''asnum.bin'' from the cloud, ''asnum_download'' parameter matches ''[[en:dpi:dpi_options:opt_filtration:filtration_settings|federal_black_list]]'' in values. [[en:dpi:dpi_options:opt_priority:priority_config_as|Description]]
 +  - Added: ''mem_ssl_savebl'' parameter (cold). Sets number of saved buffers for SSL packet parsing. [[en:dpi:dpi_components:platform:dpi_admin:mem_problems#mem_ssl_savebl|Description]]
 +  - Added: statistics for SSL parsing buffer usage. [[en:dpi:dpi_components:platform:dpi_admin:mem_problems#ssl_parsing_buffer_save_utilization_statistics|Description]]
 +  - [BRAS][DHCPv6] Added: ability to extract option 37 and option 38 from client packet
 +  - [Router][tap] Fixed: bridge status initialization at fastDPI start. TAP device for LAG passthrough is Up if at least one LAG port is Up and its peer bridge port is also Up. Previously bridge status was determined only on link Up/Down events. This patch initializes bridge status at router start based on port states.
 +  - [BRAS] Fixed: allow local interconnect only if srcIP belongs to a known subscriber. Previously, srcIP was not verified, which could allow IP spoofing and local DDoS with forged subscriber IPs.
 +  - Added: CLI command ''permit''.
 +  - [CLI][Ping] Changed: error message when subs IP not found
 +  - [CLI] Added: boolean flag ''on_stick'' in JSON output of ''dev xstat'' command
 +  - [CLI] Changed: JSON output of ''dev info'' for on-stick devices.\\ Previously:<code bash>"pci_address": "on-stick based on 82:00.3"</code>Now:<code bash>    // base device address
 +    "pci_address": "82:00.3"
 +    // on-stick flag
 +    "on-stick": "true|false"</code>
 +  - Removed fake Yandex SNI from TELEGRAM_TLS
 +  - Added: ''mem_quic_ietf_savebl'' parameter. Sets number of buffers for parsing ''quic_ietf'' requests (multi-packet). Default is 15% of ''mem_ssl_parsers''. [[en:dpi:dpi_components:platform:dpi_admin:mem_problems#mem_quic_ietf_savebl|Description]]
 +  - [DPI] Added protocols <code bash>
 +"HLS VIDEO" 49298 
 +"ICMP TUNNEL" 49299 
 +"DNS TUNNEL" 49300 
 +"FORTICLIENT_VPN" 49301 
 +"CISCO_ANYCONNECT_VPN" 49302
 +"SHADOWSOCKS_VPN" 49303
 +"NOT_DNS" 49304 
 +</code>
 +  - Added: support for sending DNS query over IPFIX
 +  - [DPDK] Added read-only engines: RSS and port dispatcher
 +  - [BRAS][SHCV] Fixed: SHCV was called before pipeline fully started, which could happen in multi-port configs with long pipeline init time
 +  - [DPDK] Added mempool type output on fastDPI start
 +  - [Router] Added TAP device statistics to CLI command ''router vrf show'' — number of packets/bytes read from TAP, written to port, transmitted to TAP, number of events and errors
 +  - [Router] Changed: packets from TAP now use same thread for 5 seconds to reduce reordering under high load
 +  - [DPI] Improved detection of DNS TUNNEL, CISCO_ANYCONNECT_VPN, SHADOWSOCKS_VPN, DPITUNNEL, FORTICLIENT_VPN
 +  - Changed log level for telemetry requests to INFO regardless of outcome
 +  - [fastPCRF][ACCT] Fixed: Interim-Update sent properly when switching to backup RADIUS server
 +  - [BRAS][CLI] Fixed: subscribers closed via SHCV are no longer shown by ''fdpi_cli subs prop show active''
 +  - [BRAS][Auth] Optimized service attach/detach
 +  - [FastRadius] Config file parsing migrated to new engine
 +  - [BRAS][DHCP] Offer now sent first to bcast 255.255.255.255
 +  - [BRAS][CLI] Fixed: ''dhcp show stat vrf'' supported only in Radius proxy mode (previously crashed in DHCP Relay mode)
 +  - [DPI] Improved recognition of DNS Tunnel and Shadowsocks
 +  - [Utils] Improved tools. ''checkproto'': if IP and SNI are set, result will reflect MARK1 and priority. ''ascheckip'': shows DSCP and MARK1
 +  - [Utils] Added support for hostnames ending with '':'' in url2norm — allows "any port" for HTTP
 +  - [CLI] Fixed: ''dhcp disconnect'' command
 +  - [DPI] Fixed: allow protocol change via CUSTOM SNI even after builtin signature match
 +  - [DPI] Added integrity check for AS list file from cloud
 +  - [DPI] Fixed loading of black and white lists from cloud
 +  - [utils] Added support for new formats in bin2ip for converting black/white lists
 +  - Fixed potential core crash
 +  - Support for 128-core CPUs [[en:dpi:dpi_brief:dpi_requirements#recommended_requirements|Description]]
 +
 +====Changes in version 13.3====
 +
 +  - [DPI] Added protocols:\\ <code bash>
 +BIGOTV 49305
 +SAYHI_CALL 49306
 +AZARLIVE 49307
 +LINE_CALL 49308
 +QQ_CALL 49309
 +VYKE_CALL 49310
 +VEEGO_STREAMS 49311
 +BHABI_CAM 49312
 +WEPARTY 49313
 +</code>
 +  - [DPI] Improved Viber recognition
 +  - [DPI] Reduced false positives for DPI TUNNEL
 +  - [DPI] Increased packet inspection depth for BIGOTV detection
 +  - [DPI] Changed FACETIME protocol
 +  - [DPI] Changed: if protocol is matched by ip/sni/cname, it is no longer overridden by built-in signatures
 +  - [DPI] Streamlined protocol priority enforcement to avoid unnecessary switching
 +  - [DPI] Fixed: searching both '*' and ':' in HTTP domains
 +  - [DPI] Fixed: virtual channel IP removal on reload
 +  - [DPI] Fixed: drop ignored when ''smartdrop'' is set during SSL parsing errors
 +  - [BRAS][PPP] Fixed: ''bras_pppoe_trace_mac'' now respected for DHCPv6 packets in pcap. Previously only ''bras_dhcp_trace_mac'' was used
 +  - [DPI] Fixed: errors assigning vchannel by IP/CIDR
 +  - [DPI] Fixed: blocking by IP for DNS over TCP
 +  - [DPI][PCRF] Changed log level from INFO to WARNING for start/stop messages
 +  - [DPI Utils] Fixed: ''checkproto'' when IP protocol is Unknown
 +  - [Utils] Fixed: ''checkproto'' now respects MARK1 and port presence. ''checkproto 8.8.8.8 443 www.google.com'' vs ''checkproto 8.8.8.8 www.google.com'' may give different results
 +  - [Utils] ''bin2as'' now accepts multiple input files
 +  - [Utils] ''ascheckip'' supports group checks from ''stdin''
 +  - [Utils] ''bgp2bin'' is a ''as2bin''-like tool but:
 +    * only accepts /24 and larger subnets
 +    * supports IP1-IP2 range as in RIPE records
 +    * later entries take precedence
 +    * output is slightly larger than ''as2bin'' but contains no overlapping ranges
 +  - [BRAS] L3-auth improvements:
 +    * On Reject for IP bound to multi-bind login: first unbind IP, then assign services (whitelist, policing)
 +    * On successful Access-Accept with a login for unbound IP: unbind all services before linking IP with new login
 +  - [BRAS][PPP] Fixed: mixed dual-stack where one address is specified, the other via framed-pool
 +  - [BRAS][PPP] Fixed: silently drop broadcast packets
 +  - [PCRF] Added syslog support. New param ''syslog_level'' in fastpcrf.conf — controls alert log to syslog. ''0'' disables (default)
 +  - Added: hot param ''smartdrop = 1'' — if drop set for protocol, it’s delayed until TLS is parsed or error occurs
 +  - Fixed: adding HTTP domains ending with ':' (port number)
 +  - Changed: ASNUM path from VAS Cloud (cloud.vasexperts.ru)
 +  - Blocking by blacklist in GTP tunnel (with ''detect_gtp_tunnel'' enabled)
 +  - Fixed: https blocking with ''hard'' option
 +  - IPv6 AS reload support
 +  - Initial alert log to syslog support. Enable with ''syslog_level=7''. Default is off. Notes:
 +    - rsyslog replaces tab/newline with codes. To disable, add in ''/etc/rsyslog.d/fastdpi.conf'': <code bash>global(parser.escapeControlCharactersOnReceive="off")</code> or use ''journalctl''. Example: <code bash>journalctl -t fastdpi -p 4 --since "1 hour ago" -o verbose --output-fields PRIORITY,MESSAGE</code>
 +    - Logs can be forwarded remotely. Example from ''/etc/rsyslog.conf'':
 +      - on fastdpi server:<code bash>*.*  action(type="omfwd" target="192.0.0.1" port="10514" protocol="tcp"
 +            action.resumeRetryCount="100"
 +            queue.type="linkedList" queue.size="10000")</code>
 +      - on remote server:<code bash>input(type="imptcp" port="10514"
 +      ruleset="writeRemoteData")
 +ruleset(name="writeRemoteData"
 +        queue.type="fixedArray"
 +        queue.size="250000"
 +        queue.dequeueBatchSize="4096"
 +        queue.workerThreads="4"
 +        queue.workerThreadMinimumMessages="60000"
 +       ) {
 +    action(type="omfile" file="/var/log/fastdpi.log"
 +           ioBufferSize="64k" flushOnTXEnd="off"
 +           asyncWriting="on")</code>
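Review bot: the remote-server rsyslog example at the end of the hunk is not valid as pasted: the `ruleset(name="writeRemoteData" ... ) {` block is opened but never closed, so rsyslog will refuse to load it; add a closing `}` after the `action(type="omfile" file="/var/log/fastdpi.log" ...)` statement. Three documentation points in the same hunk: the item "Initial alert log to syslog support. Enable with ''syslog_level=7''" does not name the config file the parameter belongs to, while the earlier [PCRF] item places ''syslog_level'' in ''fastpcrf.conf'' and the journalctl example filters on `-t fastdpi`, so state explicitly which daemon's config each refers to; the forwarding example uses `omfwd` with `protocol="tcp"` and no TLS stream driver, so alert logs leave the host in cleartext, which the text should say since the same log may carry subscriber addresses; and the [CLI] items describe ''on_stick'' as a boolean flag in ''dev xstat'' JSON but the ''dev info'' snippet shows the key spelled ''on-stick'' with the string value ''"true|false"'', so confirm whether the key name and type really differ between the two commands.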