Test version installation [VAS Experts Documentation]

Test version installation

Changes in version 13.2 BETA1

  1. [BRAS][PPPoE] Fixed: ping of inactive client with Echo requests
  2. Support for service profiles 19 (DNS response substitution).
  3. For service 19, ability to specify AAAA records and support for wildcard (*) for domains.
  4. Fixed: for profile 18, it is not required to set both DSCP and TBF simultaneously

Changes in version 13.2 BETA2

  1. Fixed: IP:PORT priority over IP and CIDR for custom protocol definitions
  2. Modified: custom protocols have higher priority than cloud protocols
  3. Fixed: length of AAAA records in service 19
  4. Added: mask 8 in block_options - do not generate RST blocking and redirection packets for packets directed from inet→subs.

Changes in version 13.2 BETA3

  1. [DPI] Improved: analysis of out-of-order packets.
  2. [DPI] Fixed: recognition of DOT protocol.
  3. [CTRL] Added: new format for policing output:
    fdpi_ctrl list profile --policing --profile.name htb_6 --outformat=json2
  4. [CTRL] Added: loading of policing profiles with the new format (including value and unit).
  5. [BRAS][IPv6] Added: upon receiving a DHCPv6 confirm from the client and if there is no session in the BRAS database, a response with the status "NotOnLink" is sent.
  6. [FastPCRF][DHCPv6] Fixed: an error causing the current IPv6 accounting session to close and reopen when processing DHCPv6 requests from the client to renew the address lease.

Changes in version 13.2 BETA4

  1. [DPI] Added: updating asnum.bin from the cloud; the asnum_download parameter takes a set of values similar to that of federal_black_list.
  2. [DPI] CUSTOM protocols now have priority over others downloaded from the cloud.
  3. [DPI] Added: setting the number of buffers for processing out-of-order packets.
  4. Added: parameter mem_ssl_savebl (cold). Specifies the number of buffers saved for SSL parsing during packet reordering.
    Default = 10% of mem_ssl_parsers. If the value == 0, saving and processing do not occur.
    The first value is from the conf file, in parentheses is the value used.
    Example output from alert:
    1. Parameter not set
          mem_ssl_parsers              : 320000
          mem_ssl_savebl               : -1 (32000)
    2. mem_ssl_savebl=1234 is set
          mem_ssl_parsers              : 320000
          mem_ssl_savebl               : 1234 (1234)
  5. Added: utilization statistics for saving SSL request parsing buffers
        [STAT    ][2024/08/07-13:33:16:262335] Detailed statistics on SSL_SAVEBL :
                 thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348
                 Total : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348

    Let's denote: a1/a2/a3 b1/b2/b3/b4/b5 c1/c2/c3 d1/d2/d3
    a1 — allocated memory size for saving the record of subsequent parsing (matches snaplen)
    a2 — records allocated
    a3 — records used

    b1 — total number of errors during packet saving processing
    b2 — buffer size read is too large
    b3 — an incorrect isbl_t ind_ was passed to the function
    b4 — error adding a record to arw — no space to save the list of used buffers
    b5 — error adding data to p_data (unable to save buffer)

    c1 — number of requests for data saving
    c2 — saved packets released
    c3 — total size of packets that were saved

    d1 — average size of saved TCP packet
    d2 — min size of saved TCP packet
    d3 — max size of saved TCP packet

  6. [BRAS][DHCPv6] Added the ability to extract option 37 and option 38 from the client packet.
  7. [Router][tap] Fixed: initialization of bridge status at fastDPI startup. The TAP device for through LAG is in the Up state if at least one port in the through LAG is Up and its other end in the bridge is also Up. The bridge status (Up/Down) was previously calculated only on link Up/Down events, and at fastDPI startup, the bridge status was assumed to be Down. This patch initializes the bridge status (Up/Down) at router startup based on the current port status.
  8. [BRAS] Fixed: local interconnect is allowed only if srcIP is a known subscriber. Previously, it was not checked whether srcIP was a known subscriber, which could lead to IP address spoofing of a subscriber and DDoS attacks from this spoofed IP against other local subscribers marked as local interconnect.
  9. Added: CLI command permit.

Changes in version 13.2 BETA5

  1. [DPI] Fixed buffer exhaustion for processing out-of-order packets
  2. [CLI][Ping] Changed: error message if subs IP not found
  3. [CLI] Added: boolean flag on_stick added to the JSON output of the dev xstat command
  4. [CLI] Changed: JSON output of the dev info command for on-stick devices.
    For an on-stick device, it was:
    "pci_address": "on-stick based on 82:00.3"

    Now:

        // base device address
        "pci_address": "82:00.3"
        // on-stick flag
        "on-stick": "true|false"
  5. Changed: statistics format
        [STAT    ][2024/08/19-17:26:05:599912] Detailed statistics on SSL_SAVEBL:
                 thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000
                 Total: 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000

    Explanation: a1/a2/a3 b1/b2/b3/b4/b5 c1/c2/c3 d1/d2/d3 e1/e2/e3
    a1 — memory size allocated for saving the record of the subsequent analysis (matches snaplen)
    a2 — records allocated
    a3 — records used

    b1 — total number of errors in packet save processing
    b2 — read buffer size is too large
    b3 — invalid isbl_t ind_ passed to the function
    b4 — error adding records to arw — no space to save the list of used buffers
    b5 — error adding data to p_data (unable to save buffer)

    c1 — number of requests to save data
    c2 — saved packets freed
    c3 — total size of packets that were saved

    d1 — average size of the saved TCP packet
    d2 — min size of the saved TCP packet
    d3 — max size of the saved TCP packet

    e1 — records used in the arw queue
    e2 — free records (can be reused)
    e3 — records allocated in the queue

  6. Removed: fake Yandex SNI from TELEGRAM_TLS
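
A parser for the SSL_SAVEBL statistics lines described in the BETA4 and BETA5 entries above, added here as an example; it is not VAS Experts code. The function names are assumptions, the field names a1..e3 follow the legend on this page, and the last sample line is constructed to show non-zero error counters.

```python
import re

# Group letters and widths follow the page's legend; group "e" exists only from 13.2 BETA5.
GROUPS = [("a", 3), ("b", 5), ("c", 3), ("d", 3), ("e", 3)]
LINE_RE = re.compile(r"^\s*(thread_slave=\s*\d+|Total)\s*:\s*(.+?)\s*$")

def parse_savebl_line(line):
    """Return (source, {field: int}) for one SSL_SAVEBL counter line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # header or unrelated log line
    source = re.sub(r"\s+", "", m.group(1))  # "thread_slave=0" or "Total"
    chunks = m.group(2).split()
    if len(chunks) not in (4, 5):  # BETA4 prints 4 groups, BETA5 prints 5
        raise ValueError(f"unexpected group count {len(chunks)}: {line!r}")
    fields = {}
    for (letter, width), chunk in zip(GROUPS, chunks):
        values = chunk.rstrip("/").split("/")  # group b is printed with a trailing "/"
        if len(values) != width:
            raise ValueError(f"group {letter}: expected {width} values, got {chunk!r}")
        for i, value in enumerate(values, 1):
            fields[f"{letter}{i}"] = int(value)
    return source, fields

def parse_savebl_log(text):
    """Parse every counter line found in a block of fastDPI log text."""
    return [p for p in map(parse_savebl_line, text.splitlines()) if p]

def savebl_errors(fields):
    """Non-zero error counters b1..b5 (b1 is the total, per the legend)."""
    return {k: v for k, v in fields.items() if k.startswith("b") and v > 0}

# The first four lines are the samples shown in the BETA4 and BETA5 entries; the
# last line is constructed for this example (b1 and b4 set to 3).
SAMPLE = """\
[STAT    ][2024/08/07-13:33:16:262335] Detailed statistics on SSL_SAVEBL :
         thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 1/1/348 348/348/348
[STAT    ][2024/08/19-17:26:05:599912] Detailed statistics on SSL_SAVEBL:
         thread_slave= 0 : 1522/1/32000 0/0/0/0/0/ 6/6/2561 426/348/556 1/1/32000
         Total: 1522/1/32000 3/0/0/3/0/ 6/6/2561 426/348/556 1/1/32000
"""

if __name__ == "__main__":
    for source, fields in parse_savebl_log(SAMPLE):
        print(source, "errors:", savebl_errors(fields) or "none",
              "arw queue used:", fields.get("e1", "n/a"))
```

A non-empty result from savebl_errors is the signal to alert on; b4 in particular means there was no space left to save the list of used buffers.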

Changes in version 13.2 BETA6

  1. [DPI] Added support for fragmented QUIC IETF processing
  2. Added parameter mem_quic_ietf_savebl. Specifies the number of buffers for parsing quic_ietf requests consisting of multiple packets. Default value is 15% of mem_ssl_parsers
  3. [DPI] Added protocols:
        "HLS VIDEO"          49298
        "ICMP TUNNEL"        49299
        "DNS TUNNEL"         49300
        "FORTICLIENT_VPN"    49301
  4. Added the ability to send DNS query via IPFIX
  5. [DPDK] Added read-only engines: RSS and port dispatcher
  6. [BRAS][SHCV] Fixed SHCV invocation before full pipeline startup. This was possible in multi-port configurations where pipeline startup time is relatively long.
  7. [DPDK] Added output of mempool type created at fastDPI startup
  8. [Router] Added statistics for TAP devices. The CLI command router vrf show output now includes statistics on TAP devices: how many packets/bytes were read from TAP, how many were written to the port from TAP, how many were sent to TAP, the number of events, and errors.
  9. [Router] Changed packet sending behavior for TAP devices: the selected slave thread for writing is bound to the TAP interface for the next 5 seconds, which should significantly reduce reordering during high traffic from the TAP interface.

Update instructions

You can check the currently installed version with the command below:

yum info fastdpi

If you have CentOS 6.x or CentOS 8.x installed, then switch the repository once with the command:

sed -i -e '/^mirrorlist=http:\/\//d' -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' /etc/yum.repos.d/CentOS-*.repo

and then update as usual.

To install the test version, you should issue the following command:

yum --enablerepo vasexperts-beta update fastdpi

Downgrade to 13.1:

yum downgrade fastdpi-13.1 fastpcrf-13.1

After an update or version change, a restart of the service is required.