Differences
This shows you the differences between two versions of the page.
| en:dpi:update [2025/07/01 08:59] – elena.krasnobryzh | en:dpi:update [2025/10/22 10:34] (current) – elena.krasnobryzh | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| {{indexmenu_n> | {{indexmenu_n> | ||
| - | ====== DPI/BNG Versions | + | ===== Update |
| <note important> | <note important> | ||
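Review bot: The page title at line 2 drops from a level-1 heading (`======`) to level 2 (`=====`), which is the same level the new "Updating SSG to Version 14.0 Shooting Stars" heading at line 43 uses, so the title and its first section become siblings in the page outline. Keep `======` for the title unless the whole page is meant to sit under another level-1 heading.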
| Line 43: | Line 43: | ||
| <note tip> | <note tip> | ||
| - | ===== DPI platform update to version 13.0 Congo ===== | ||
| - | 13.0 Congo ((Cradle of mankind: humans have lived here for over 50,000 years)) | + | ===== Updating SSG to Version 14.0 Shooting Stars ===== |
| - | You can check the current | + | 14.0 Shooting Stars ((In memory of colleagues who made a huge contribution to the development of the company and its products and will forever remain in our memory)) |
| + | |||
| + | You can check the currently | ||
| <code bash> | <code bash> | ||
| yum info fastdpi | yum info fastdpi | ||
| </ | </ | ||
| - | Rollback to 12.4: | + | Rollback to 13.3: |
| <code bash> | <code bash> | ||
| - | yum downgrade fastdpi-12.4-0 fastpcrf-12.4-0 | + | yum downgrade fastdpi-13.3-0 fastpcrf-13.3-0 dpiutils-13.3 fastradius-13.3 |
| </ | </ | ||
| - | After an update | + | After updating |
| <code bash> | <code bash> | ||
| service fastdpi restart | service fastdpi restart | ||
| </ | </ | ||
| - | :!: If PCRF and/or Radius are used, they should | + | :!: If PCRF and/or Radius are used, they must also be restarted. |
| <code bash> | <code bash> | ||
| service fastdpi stop | service fastdpi stop | ||
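Review bot: The new rollback command mixes two package spec forms: `fastdpi-13.3-0` and `fastpcrf-13.3-0` pin the release, while `dpiutils-13.3` and `fastradius-13.3` give only the version, so yum is free to pick any available 13.3 release for those two. Pin all four the same way so a rollback lands on one known set of builds. The reworded warning that PCRF and Radius "must also be restarted" would also be clearer if the sentence named the services and the order, rather than leaving that to the block that follows.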
| Line 69: | Line 70: | ||
| </ | </ | ||
| - | :!: Do not perform Linux kernel | + | :!: Do not perform Linux kernel |
| - | If the update | + | If during |
| <code bash> | <code bash> | ||
| yum clean all | yum clean all | ||
| </ | </ | ||
| - | ==== Changes in version | + | ====Changes in version |
| - | ===DPI=== | + | |
| - | - On-stick support for LAG/LACP. [[en: | + | |
| - | - Transition to DPDK 23.11 | + | |
| - | - Modified: for QUIC and QUIC_IETF: if no SNI is detected - check by AS | + | |
| - | - Modified: when analyzing STUN, AS from Facebook is checked - define FACEBOOK_VIDEO, | + | |
| - | - Setting RSS hash flags for UDP and TCP | + | |
| - | - Modified: openvpn protocol definition | + | |
| - | - Fixed: SIGHUP processing only if fastDPI is fully initialized. Possible crash if SIGHUP is received during fastDPI startup process | + | |
| - | - Trace/debug packet recording moved to new API | + | |
| - | - Added: wechat protocol support for UDP | + | |
| - | - Support for additional markup of autonomous systems '' | + | |
| - | - Prioritize SNI detection in custom signatures for autonomous systems marked as '' | + | |
| - | - Prioritize more specific custom SNI signatures.\\ Example: for host '' | + | |
| - | - Support for hard locks (despite hostname/ | + | |
| - | - Improved detection of YOUTUBE, SIGNAL | + | |
| - | - Added the DPITUNNEL protocol, which includes traffic anomalies commonly used for DPI traversal | + | |
| - | - Updating dpiutils | + | |
| - | - New protocols VK_CDN_VIDEO, | + | |
| - | - Improved signatures of FACEBOOK_VIDEO, | + | |
| - | - Fixed protocol name VK_CDN_VIDEO | + | |
| - | - Fixed: SNI decoding in QUIC IETF and possibility of crusting in exceptional cases | + | |
| - | - Fixed: clearing search structures when deleting CUSTOM protocols | + | |
| - | - Added ability to add comments (#) and blank lines in input files for utilities [[en: | + | |
| - | - Added protocols QUIC_UNKNOWN - QUIC without SNI and QUIC_UNKNOWN_MARKED - QUIC without SNI and AS labeled MARK2. [[en: | + | |
| - | - Fixed: stun character definition for TCP | + | |
| - | - Modified: if the stun packet viewing limit is reached - set this protocol with AS in mind | + | |
| - | - Updated utilities to support new protocols | + | |
| - | - Improvements in QUIC_UNKNOWN, | + | |
| - | - SNI/HOST embedded protocol definitions are cloud-based, | + | |
| - | - Modified: SNI comparison is case-insensitive | + | |
| - | - Added LANTERN_WEAK protocol signature | + | |
| - | - Improved IMAP protocol recognition | + | |
| - | - Corrects LPM when selecting channel by IP/CIDR | + | |
| - | - Added: to DNS text file record format - format vchnl - virtual channel number. | + | |
| - | - Added: to the IPFIX data transfer template for DNS channel number. [[en: | + | |
| - | - Fixed: crash on DNS trace | + | |
| - | - Improved VIBER_VSTREAMS protocol definition | + | |
| - | - Fixed: fastDPI does not accept or process any ctl requests during fastDPI stop process | + | |
| - | - Added SSTP protocol (49296) | + | |
| - | - Added ANYDESK protocol (54273) | + | |
| - | - LANTERN recognition improved | + | |
| - | ===BRAS=== | + | |
| - | | + | - [DPI] |
| - | - Corrected: actions when QinQ/VLAN is changed | + | - [CLI] Added support for '' |
| - | - Fixed: '' | + | - [DPI] New protocols added: AGORA_STREAMS(49314), AZAR_CALL(49315), WECHAT_CALL(49316), TEAMS_CALL(49317). [[en: |
| - | - Fixed: receiving packets from relay. Previously it was checked that relay was on the fc::/7 network. Now this check is unnecessary and has been removed - relay can have any address. | + | - [DPI] Improved support for LINE_CALL, VYKE_CALL protocols. [[en:dpi:dpi_options:protocols]] |
| - | - Fixed: DHCPv6 options parsing from Radius | + | - [DPI] Fixed smartdrop behavior |
| - | - The '' | + | - [DPI] Added validation for complex protocols. [[en:dpi:dpi_options: |
| - | - Modified: Prohibit calling CLI commands while stopped | + | - [DPDK] Increased the maximum number of dispatchers to 32. [[en:dpi:dpi_components: |
| - | - Fixed: idle-timeout for session. For PPPoE sessions idle timeout should be taken from the '' | + | - [IPFIX/ |
| - | - Added priority forwarding with DSCP translation. | + | - [FastRadius] It is now possible to set both '' |
| - | - Corrected: Adding unnecessary option 61 (Client-Id) | + | - CLI command |
| - | - Fixed: Logging of DHCP server IP addresses | + | - [PCRF][PPP][Framed-pool] Added: DHCP option |
| - | - Fixed: Enabling services with profiles. The `VasExperts-Service-Profile` attribute | + | - [IPFIX] Message aggregation added for IPFIX streams: FullFlow/ |
| - | - Added '' | + | - [IPFIX] Added parameter |
| - | - Fixed: call of subscriber IP address deanounce when acct idle. Added new flag to router option '' | + | - [IPFIX DNS] New elements added to IPFIX DNS: 224 (ipTotalLength) and 43823:3206 (DNS transaction id). [[en:dpi:dpi_options:opt_li:li_ipfix# |
| - | - Added support for specifying the profile of service 18 during authorization. Enabling service 18 in the Access-Accept Radius response is set in the usual way for a service with a mandatory profile (here '' | + | - [VRRP] Fixed proper handling of the '' |
| - | - A search by '' | + | - [BRAS][PPP] PPP session key is now compound: '' |
| - | - Fixed: setting link up/down flag for ports that do not support link up/down interrupts | + | - [DPI] Added cloud protocols with identifiers 55296..58367 |
| - | - The return code of the uptime command. The CLI command '' | + | - [IPFIX] |
| - | - Corrected: If VRF (service 254) was present in Access-Accept, the packet was incorrectly logged as invalid. | + | - [BRAS][subs_grooming] |
| - | - Restoring UDR operation after calling a command with a large number of parameters | + | - [CLI] Added commands to display mempool properties and statistics< |
| - | + | | |
| - | ===NAT=== | + | hal mempool |
| - | - Added a '' | + | - [BRAS][DHCP] |
| - | - Fixed online change of '' | + | - [PCRF][Acct] Fixed: |
| - | + | - [VASE_CLI] Created a unified CLI for managing DPI, BRAS, DHCP (KEA), ROUTER (BIRD) with support for authorization and command logging via TACACS (VEOS 8.x required). [[en: | |
| - | ===Load Balancer=== | + | - [SNMP] Created a module for monitoring system components via SNMP |
| - | - Added L2 traffic balancer mode. This enhancement allows to use SSG as a traffic balancer based on IP addresses owned by AS and defined as '' | + | - [DPI] Added DOQ 49318 protocol |
| - | - Added mqrx_lb_engine, | + | - [Router] Announcing subscriber white addresses |
| - | + | - [PCRF] Added support | |
| - | ===Router=== | + | - [DPDK] Added '' |
| - | - Mempool allocation for emit packets: we do not allow the pool to be completely exhausted, there should be at least 256 free elements in the pool | + | - [DPDK] Removed dedicated mempools. The fastdpi.conf option |
| - | - The error of route deletion | + | - [VLAN-Rule] Moved vlan group data from UDR to SDR. Global rules for vlan drop/ |
| - | - Fixed the order of router components termination | + | - Up to version 14, only one built-in database UDR (User Data Repository) is used, intended for permanent storage of data about services, policings, and other FastDPI settings.\\ Starting from Version 14, UDR is split into UDR and SDR. The split occurs automatically during version update.\\ SDR (System Data Repository) is intended |
| - | - Changed: system error when clearing route tables. Cleaning of route tables (deleting all entries added by SSG) is done at stop and start of fastDPI. During cleaning process EBUSY error may occur, which is fatal for netlink socket, socket should be closed. | + | - [VLAN] VLAN rules — added CLI commands. [[en: |
| - | - Fixed: TAP link down in LAG. If a port enters a lag, TAP this port to Link down state only when ALL LAG ports are down. | + | - [IPv6] Added direction detection in combined traffic (IN+OUT on one port) based on the local flag for IP addresses. Enabled via '' |
| - | - Fixed: control of selfgen mempool exhaustion | + | - [BRAS] Fixed compatibility with the old format of service 18, where there were fewer protocols |
| - | - Optimization of data readout from TAP | + | - [DPI] Lowered detection priority for '' |
| - | - Fixed LAG+On-stick: | + | - [DPI] Improved detection of '' |
| - | | + | - [BRAS][Framed-Route] Fixed: possible crash when freeing memory |
| - | - Fixed: Read all data from TAP device. At fastDPI startup there were possible situations when router | + | |
| - | - The router_subs_announce option is made hot (hot) | + | |
| - | - Fixed: mbuf leak on fastDPI startup | + | - Force connection to the specified PCRF '' |
| - | + | - [IPFIX DNS] Added the ability to send DNS MX responses via IPFIX. Enabled by setting bit 3 (4) of the '' | |
| - | ===SDS=== | + | - [DPI] Added FakeTLS protocol (49319) with validation |
| - | - The '' | + | - [BRAS][DHCP] Changed: |
| - | + | - [BRAS] Fixed: | |
| - | ===Radius=== | + | - [VLAN-Rule] Added support for 'any' |
| - | - Added the ability to work with standard linux interfaces using '' | + | - [DPI][LOG] Messages about insufficient SSL parsers are written |
| - | + | - [DPI] Added protocols ZALO_CALL(49320) and VK_CALL(49321) | |
| - | + | - [DPI] Fixed blocking in hard mode for SSL | |
| - | ====Changes in Version 13.1==== | + | - [Acct] Added attribute |
| - | <note warning> | + | - [CLI] Added: '' |
| - | ===DPI=== | + | - [CLI] Added: '' |
| - | - Global code refactoring | + | - [IPFIX] Fixed ExportTime formation error in IPFIX Fullflow |
| - | | + | - [CLI] Added '' |
| - | - Modified: minimum PCAP file size to 100 MB. PCAP file rotation on reload | + | - [DNS] Added support for substitution/blocking/ |
| - | - Modified: improved DROP event tracing | + | - [CLI] Added '' |
| - | - Fixed: erroneous ERROR level message appearing for certain | + | - [DPI] Added BIGO_CDN protocol (49324) |
| - | - Fixed: incorrect TLS (SNI) parsing when multiple 'ALPN Protocols' | + | - [DPI] Added UDP support |
| - | - Modified: mechanism | + | - [PCRF][L2TP] Fixed: NAS attributes for L2TP during authorization |
| - | + | - [BRAS][L2TP] Fixed: | |
| - | ===BRAS=== | + | - [DPDK] Removed deprecated rx channels settings and related checks |
| - | - Fixed: subscriber activity control via unicast ARP Request. Previously, it was a broadcast ARP Request, which is not optimal for the network. | + | - [IPFIX] Added configurable sending of drop octets/ |
| - | - Added: SHCV (Subscriber Host Connectivity Verification) — DHCP subscriber activity control. Considered scenario for an already " | + | - [PCAP] Added capability to save traffic of a specified vlan using the '' |
| - | - Added: ARP Proxy for known routes (router mode only). This feature is applied only if the ARP request initiator is a known subscriber. A new flag - 0x0004 has been added to the '' | + | - [DPIUTILS] Updated checknat utility. |
| - | - Fixed: help() for IPv6 addresses in the '' | + | - [DPIUTILS] Updated dns2dic utility with domain blocking support. [[en:dpi:dpi_options:dns_substitution|Description]] |
| - | - Fixed: error in parsing parameters for the '' | + | - [BRAS][L2TP] Fixed: |
| - | - Added: | + | - [Router] Fixed: |
| - | - '' | + | - [BRAS][L2TP] Fixed: length field in L2TP header |
| - | - '' | + | - [BRAS] |
| - | - Fixed: sending L3 reauth for L2 subscriber in advance, not waiting for session timeout | + | - Fixed a recently introduced error (affecting betas 4.6 and 4.7) in the session lifecycle that leads to resource exhaustion over time; an operational update from these versions |
| - | - Added: number of sessions closed due to inactivity (SHCV) in the '' | + | |
| - | - Fixed: error in intercepting and processing ICMPv6 packets, checksum not recalculated in some cases when modifying ICMPv6 packet | + | |
| - | + | ||
| - | ===NAT=== | + | |
| - | - Modified: tracing in '' | + | |
| - | - Fixed: based on the value of '' | + | |
| - | + | ||
| - | ===Router=== | + | |
| - | - Added: ARP management. [[en:dpi:dpi_components:router# | + | |
| - | - Fixed: port selection for recording in a pass-through LAG. If LAG passes through fastDPI, port selection for recording from TAP should consider the Link Up/Down state of both bridge sides of the port | + | |
| - | - Fixed: announcing NAT profile subnets upon addition | + | |
| - | - Added: CLI command '' | + | |
| - | - Fixed: do not consider term by AS when announcing NAT subnets. The '' | + | |
| - | - Fixed: order of packet interception from the general processing pipeline | + | |
| - | - Fixed: increased number of '' | + | |
| - | + | ||
| - | ===LAG=== | + | |
| - | - Fixed: zeroing the array when building a new list of active ports. The error leads to array overflow and memory corruption | + | |
| - | | + | |
| - | + | ||
| - | ====Changes in version 13.2==== | + | |
| - | - [BRAS][PPPoE] Fixed: | + | |
| - | | + | |
| - | - Fixed: service profile 18 no longer requires setting both DSCP and TBF simultaneously. [[en:dpi: | + | |
| - | - Fixed: IP:PORT takes priority over IP and CIDR for custom protocol definitions. | + | |
| - | - Changed: user-defined protocol priority is now higher than cloud-defined ones. [[en: | + | |
| - | - Fixed: AAAA record length in service 19 | + | |
| - | - Added: '' | + | |
| - | - [DPI] Improved: analysis of out-of-order packets | + | |
| - | - [DPI] Fixed: DOT recognition | + | |
| - | - [CTRL] Added: new output format | + | |
| - | - [CTRL] Added: loading policing profiles with the new format | + | |
| - | - [BRAS][IPv6] Added: when client sends DHCPv6 confirm and session is absent in BRAS DB, reply with '' | + | |
| - | - [FastPCRF][DHCPv6] Fixed: issue that caused current IPv6 accounting session | + | |
| - | - [DPI] Added: update of '' | + | |
| - | - Added: '' | + | |
| - | - Added: statistics for SSL parsing buffer usage. [[en: | + | |
| - | - [BRAS][DHCPv6] Added: ability to extract option 37 and option 38 from client packet | + | |
| - | - [Router][tap] Fixed: bridge status initialization at fastDPI start. TAP device for LAG passthrough is Up if at least one LAG port is Up and its peer bridge port is also Up. Previously bridge status was determined only on link Up/Down events. This patch initializes bridge status at router start based on port states. | + | |
| - | - [BRAS] Fixed: allow local interconnect only if srcIP belongs to a known subscriber. Previously, srcIP was not verified, which could allow IP spoofing | + | |
| - | - Added: CLI command | + | |
| - | - [CLI][Ping] Changed: error message when subs IP not found | + | |
| - | - [CLI] Added: boolean flag '' | + | |
| - | - [CLI] Changed: JSON output of '' | + | |
| - | | + | |
| - | | + | |
| - | " | + | |
| - | - Removed fake Yandex SNI from TELEGRAM_TLS | + | |
| - | - Added: | + | |
| - | - [DPI] Added protocols <code bash> | + | |
| - | "HLS VIDEO" | + | |
| - | "ICMP TUNNEL" | + | |
| - | "DNS TUNNEL" | + | |
| - | " | + | |
| - | " | + | |
| - | " | + | |
| - | " | + | |
| - | </ | + | |
| - | - Added: support for sending DNS query over IPFIX | + | |
| - | - [DPDK] Added read-only engines: RSS and port dispatcher | + | |
| - | - [BRAS][SHCV] Fixed: SHCV was called before pipeline fully started, which could happen in multi-port configs with long pipeline init time | + | |
| - | - [DPDK] Added mempool type output on fastDPI start | + | |
| - | - [Router] Added TAP device statistics to CLI command '' | + | |
| - | - [Router] Changed: | + | |
| - | - [DPI] Improved detection of DNS TUNNEL, CISCO_ANYCONNECT_VPN, | + | |
| - | - Changed log level for telemetry requests to INFO regardless of outcome | + | |
| - | - [fastPCRF][ACCT] Fixed: | + | |
| - | - [BRAS][CLI] Fixed: subscribers closed via SHCV are no longer shown by '' | + | |
| - | - [BRAS][Auth] Optimized service attach/ | + | |
| - | - [FastRadius] Config file parsing migrated to new engine | + | |
| - | - [BRAS][DHCP] Offer now sent first to bcast 255.255.255.255 | + | |
| - | - [BRAS][CLI] Fixed: '' | + | |
| - | - [DPI] Improved recognition of DNS Tunnel and Shadowsocks | + | |
| - | - [Utils] Improved tools. | + | |
| - | - [Utils] Added support for hostnames ending with '' | + | |
| - | - [CLI] Fixed: '' | + | |
| - | - [DPI] Fixed: allow protocol change via CUSTOM SNI even after builtin signature match | + | |
| - | - [DPI] Added integrity check for AS list file from cloud | + | |
| - | - [DPI] Fixed loading of black and white lists from cloud | + | |
| - | - [utils] Added support for new formats in bin2ip for converting black/white lists | + | |
| - | - Fixed potential core crash | + | |
| - | - Support for 128-core CPUs [[en:dpi:dpi_brief:dpi_requirements# | + | |
| - | + | ||
| - | ====Changes in version 13.3==== | + | |
| - | + | ||
| - | - [DPI] Added protocols:\\ <code bash> | + | |
| - | BIGOTV 49305 | + | |
| - | SAYHI_CALL 49306 | + | |
| - | AZARLIVE 49307 | + | |
| - | LINE_CALL 49308 | + | |
| - | QQ_CALL 49309 | + | |
| - | VYKE_CALL 49310 | + | |
| - | VEEGO_STREAMS 49311 | + | |
| - | BHABI_CAM 49312 | + | |
| - | WEPARTY 49313 | + | |
| - | </ | + | |
| - | - [DPI] Improved Viber recognition | + | |
| - | - [DPI] Reduced false positives for DPI TUNNEL | + | |
| - | - [DPI] Increased packet inspection depth for BIGOTV | + | |
| - | - [DPI] Changed FACETIME protocol | + | |
| - | - [DPI] Changed: if protocol is matched by ip/ | + | |
| - | - [DPI] Streamlined protocol priority enforcement to avoid unnecessary switching | + | |
| - | - [DPI] Fixed: | + | |
| - | - [DPI] Fixed: virtual channel IP removal on reload | + | |
| - | - [DPI] Fixed: | + | |
| - | - [BRAS][PPP] Fixed: '' | + | |
| - | - [DPI] Fixed: errors assigning vchannel by IP/CIDR | + | |
| - | - [DPI] Fixed: blocking by IP for DNS over TCP | + | |
| - | - [DPI][PCRF] Changed log level from INFO to WARNING for start/stop messages | + | |
| - | - [DPI Utils] Fixed: | + | |
| - | - [Utils] Fixed: '' | + | |
| - | - [Utils] '' | + | |
| - | - [Utils] '' | + | |
| - | - [Utils] '' | + | |
| - | * only accepts /24 and larger subnets | + | |
| - | * supports IP1-IP2 range as in RIPE records | + | |
| - | * later entries take precedence | + | |
| - | * output is slightly larger than '' | + | |
| - | - [BRAS] L3-auth improvements: | + | |
| - | * On Reject for IP bound to multi-bind login: first unbind IP, then assign services (whitelist, policing) | + | |
| - | * On successful Access-Accept with a login for unbound IP: unbind all services before linking IP with new login | + | |
| - | - [BRAS][PPP] Fixed: | + | |
| - | - [BRAS][PPP] Fixed: | + | |
| - | - [PCRF] Added syslog support. New param '' | + | |
| - | - Added: hot param '' | + | |
| - | - Fixed: adding HTTP domains ending | + | |
| - | - Changed: ASNUM path from VAS Cloud (cloud.vasexperts.ru) | + | |
| - | - Blocking by blacklist in GTP tunnel (with '' | + | |
| - | - Fixed: | + | |
| - | - IPv6 AS reload support | + | |
| - | - Initial alert log to syslog support. Enable with '' | + | |
| - | - rsyslog replaces tab/newline with codes. To disable, add in '' | + | |
| - | - Logs can be forwarded remotely. Example | + | |
| - | - on fastdpi server:< | + | |
| - | action.resumeRetryCount=" | + | |
| - | | + | |
| - | - on remote server:< | + | |
| - | ruleset=" | + | |
| - | ruleset(name=" | + | |
| - | queue.type=" | + | |
| - | queue.size=" | + | |
| - | queue.dequeueBatchSize=" | + | |
| - | queue.workerThreads=" | + | |
| - | queue.workerThreadMinimumMessages=" | + | |
| - | ) { | + | |
| - | action(type=" | + | |
| - | | + | |
| - | | + | |
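Review bot: The entries removed on the left include fixes that operators use to judge whether an installed 13.x build is exposed, for example the 13.2 [BRAS] item "Previously, srcIP was not verified, which could allow IP spoofing" and the 13.1 LAG item "The error leads to array overflow and memory corruption"; with the 13.0 to 13.3 changelogs dropped from this page, add a link to where they are kept. The new UDR/SDR entry says the split "occurs automatically during version update" while the rollback command earlier on the page still targets 13.3, so state what happens to the split data on downgrade. The last new entry (session lifecycle, resource exhaustion) has no component tag, unlike the entries around it.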