Version 11.0 Foundation
Changes in version 11.0 Foundation
- Added support for user-defined signatures based on SNI, IP[:PORT] or SUBNET
- Added traffic recording to storage
- Added protocols FACETIME, NORD_VPN, EXPRESS_VPN, PRIVATETUNNEL_VPN, VPNUNLIMITED, PSIPHON3, CLUBHOUSE, TLS_UNKNOWN, QUIC_IETF, SPEEDTEST
- Changed: for service 12, data is written to pcap and after detection of session close
- [dpi engine] Add configurable IP recheck timeout
- [sort engine] New config parameter for the number of meta_parser
- Changed: If the ssl_reply parameter is set to the protocol version, set the value from the protocol content_type=0x16
- Changed: the ssl_unknown and tls_unknown protocol definitions. If both sni and cname are empty, the ServerHello header version (from the first 5 bytes) is checked: if version <= 0x0300, the protocol is ssl_unknown, otherwise it is tls_unknown. If the tls13_unknown parameter is set, ServerHello is always checked, and if version 0x0304 is present, the protocol is always tls_unknown (regardless of sni/cname)
- Fixed: in the layout files, the flags field is set to 2 if this is a service record or the flow is not defined yet, otherwise to 1 - dir_data
- Changed: if ssl_parse_reply is set, cname is searched
- Changed: 3 new fields added to the ajb_save_sslreply_format format: tphost (host type - always 2), host (cname), evers - version from Extensions (only defined if tls13_unknown=1 is set, otherwise 0).
- Changed: Clickstream ssl-reply format. Added fields: 1011 - type_host - number is in host - always 2 and 1005 cname
- Changed: messages when tracing DPI(DEF_PROTO,CHANGE_PROTO,STORED_PROTO) - added field cntr_fin, direction
- Fixed: after closing the connection, the record was not placed in the short queue for tcp
- Added: queue change message (short/long) when tracing TCP connections
- Changed: output format of the fdpi_cli dump flow cache command
- Added: parameter ajb_save_fragment - sets the recording of fragmented packets in pcap
- Changed: TLS protocol parsing
- [PCRF][DHCP] Fixed: transfer opt82 circuit/remote id to accounting
- Added: for storage_agent parameter engine_bind_cores which sets binding of write streams to cores
- [BRAS][DHCPv6] Fixed: drop on DHCP-Confirm packet without specifying IPv6 addresses in IA_NA option
- Fixed: tap_mode=1 - should not send packets
- Fixed: crash when parsing L2 headers for ether_type=0xFFFF
- [PCRF][framed-pool] Fixed: when added to an already existing opt125 option, it was not taken into account that dhcp_poolname_opt=0 is the same as dhcp_poolname_opt=2. This resulted in adding opt125 for VasExperts with dhcp_poolname_opt=0
- [BRAS][ARP] Added: support for segmentation of subscribers in a common VLAN on the access network (isolation of subscribers on the switch, i.e. traffic is not delivered between subscribers even within the same VLAN). Added fastdpi.conf parameter bras_arp_vlan_segmentation. It is taken into account only when flag 1 is set in bras_arp_proxy, for ARP requests from one subscriber to another:
  - off (typical case) - subscribers A and B in the same VLAN can interact directly with each other; SSG does not process the ARP request from subscriber A "who has target subscriber B IP"
  - on - isolation of subscribers located in the same VLAN is enabled on the switch, therefore SSG must itself answer the ARP request from subscriber A "who has target subscriber B IP"
- [cfg] Fixed: set_packet_priority parameter value in fastdpi.conf was not taken into account
- Changed: statistics SDS_AGENTS_ - added total number of errors and percentage
- Changed: support for multiple SDS_AJB queues
- Added: parameters:
  - sds_ajb_num - number of sds_ajb queues (default 1)
  - sds_ajb_bind_cores - sets the cores to which threads should be bound. If not set, cores are assigned automatically. Example: sds_ajb_bind_cores=1:1:2:2
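
The ssl_unknown / tls_unknown rule from the 11.0 changes above, as an added Python example (not the product's code). It assumes that the 0x0304 check used with tls13_unknown reads the supported_versions extension of ServerHello (the "version from Extensions" field); the function names and the sample records are constructed for illustration.

```python
import struct

SUPPORTED_VERSIONS = 43  # ServerHello extension carrying the selected version (RFC 8446)

def server_hello_versions(data):
    """Return (record-header version, supported_versions value or 0)."""
    if len(data) < 5 or data[0] != 0x16:          # content_type 0x16 = handshake
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack_from("!HH", data, 1)
    body, ext_ver = data[5:5 + rec_len], 0
    pos = 4 + 2 + 32                               # handshake hdr, legacy version, random
    if len(body) > pos and body[0] == 0x02:        # 0x02 = ServerHello
        pos += 1 + body[pos] + 2 + 1               # session id, cipher suite, compression
        if pos + 2 <= len(body):                   # extensions block may be absent
            end = min(pos + 2 + struct.unpack_from("!H", body, pos)[0], len(body))
            pos += 2
            while pos + 4 <= end:                  # walk the extension list
                etype, elen = struct.unpack_from("!HH", body, pos)
                pos += 4
                if etype == SUPPORTED_VERSIONS and elen == 2 and pos + 2 <= end:
                    ext_ver = struct.unpack_from("!H", body, pos)[0]
                pos += elen
    return rec_ver, ext_ver

def classify(sni, cname, server_hello, tls13_unknown=False):
    """Apply the ssl_unknown / tls_unknown rule from the changelog entry."""
    rec_ver, ext_ver = server_hello_versions(server_hello)
    if tls13_unknown and ext_ver == 0x0304:        # assumption: 0x0304 is read from Extensions
        return "tls_unknown"
    if not sni and not cname:
        return "ssl_unknown" if rec_ver <= 0x0300 else "tls_unknown"
    return None                                    # sni/cname present: outside this rule

def build_server_hello(record_version, ext_version=None):
    """Constructed sample record (not captured traffic)."""
    exts = b"" if ext_version is None else struct.pack("!HHH", SUPPORTED_VERSIONS, 2, ext_version)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" +
             struct.pack("!H", 0x1301) + b"\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs

if __name__ == "__main__":
    for args in [("", "", build_server_hello(0x0300), False),
                 ("", "", build_server_hello(0x0303), False),
                 ("example.test", "", build_server_hello(0x0303, 0x0304), True)]:
        print(classify(*args))
```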
Changes in version 11.1 Foundation
- [fastpcrf] Fixed: pass opt82 to accounting with L3 auth
- [PCRF] Fixed: passing opt82 remoteId attribute value to accounting
- [PCRF] Added: ability to set attributes for opt82. New parameters in fastpcrf.conf: attr_opt82_remoteid=vendorId.attrId, where
  - vendorId - vendor id. If vendorId != 0, the value is passed in a VSA attribute. If vendorId == 0, the value is passed in a regular Radius attribute (non-VSA)
  - attrId - attribute id, a number from 1 to 255
  If these parameters are not set, opt82 is passed in the following attributes:
  - acct: circuitId: ADSL VSA 3561.1, remoteId: ADSL VSA 3561.2
  - auth: circuitId: VasExperts VSA 43823.39, remoteId: VasExperts VSA 43823.33
  Example:
  attr_opt82_remoteid=15.34
  attr_opt82_circuitid=15.35
- [DPI] Added protocols ZOOM, NETFLIX, TIKTOK, TWITCH, INSTAGRAM, TWITTER, LINKEDIN, AMAZON VIDEO, APPLE STORE, APPLE ICLOUD, APPLE UPDATES, APPLE PUSH, APPLE SIRI, APPLE MAIL
- [DPI] GOOGLEVIDEO protocol name changed to YOUTUBE
- [DPI] Improved the reliability of the http protocol dissector with a large number of losses/retransmissions
- [DPI] Fixed reload error when setting lag
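
How a vendorId.attrId setting from the opt82 entry above maps onto the RADIUS wire format (RFC 2865), as an added Python example that is not fastpcrf code. It assumes a configured value applies to both auth and acct requests; the function names and the sample circuit/remote id bytes are constructed.

```python
import struct

# Defaults listed in the changelog entry, written as vendorId.attrId.
DEFAULTS = {
    "acct": {"circuitid": "3561.1", "remoteid": "3561.2"},
    "auth": {"circuitid": "43823.39", "remoteid": "43823.33"},
}

def parse_spec(spec):
    """Split 'vendorId.attrId' and validate both numbers."""
    vendor_s, _, attr_s = spec.partition(".")
    vendor_id, attr_id = int(vendor_s), int(attr_s)
    if not 0 <= vendor_id <= 0xFFFFFFFF or not 1 <= attr_id <= 255:
        raise ValueError(f"bad attribute spec: {spec!r}")
    return vendor_id, attr_id

def encode(spec, value):
    """Encode value as a regular attribute (vendorId == 0) or as a VSA."""
    vendor_id, attr_id = parse_spec(spec)
    limit = 253 if vendor_id == 0 else 247     # attribute length is a single byte
    if len(value) > limit:
        raise ValueError("value too long for one RADIUS attribute")
    tlv = bytes([attr_id, len(value) + 2]) + value
    if vendor_id == 0:
        return tlv                             # regular attribute: type, length, value
    # Vendor-Specific (type 26): type, length, 4-byte vendor id, then the vendor TLV
    return bytes([26, len(tlv) + 6]) + struct.pack("!I", vendor_id) + tlv

def opt82_attributes(conf, phase, circuit_id, remote_id):
    """Build both opt82 attributes; fall back to the defaults when not configured."""
    out = b""
    for key, value in (("circuitid", circuit_id), ("remoteid", remote_id)):
        spec = conf.get("attr_opt82_" + key) or DEFAULTS[phase][key]
        out += encode(spec, value)
    return out

if __name__ == "__main__":
    conf = {"attr_opt82_remoteid": "15.34", "attr_opt82_circuitid": "15.35"}
    # Constructed sample opt82 sub-option payloads
    print(opt82_attributes(conf, "acct", b"\x00\x04\x00\x64", b"sw-01").hex())
    print(opt82_attributes({}, "auth", b"\x00\x04\x00\x64", b"sw-01").hex())
```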
Changes in version 11.2 Foundation
- [DPI] Support for SNI decoding in QUIC IETF protocol (HTTP/3)
- [DPI] Improved Telegram TLS signature
- [PCRF] Added new VSA attribute to Acct-Stop: [26] VasExperts-Acct-Terminate-Cause [integer] - acct stop internal code. Can be useful when analyzing Radius logs
- [pppoe] Added deletion of PPPoE sessions from the database at the end of work
- [pppoe] Fixed: bras_pppoe_ac_name and bras_pppoe_service_name options were not taken into account when loading
- [PCRF] Fixed: when switching to another Radius server, we send Acct-On on behalf of all fastDPI servers. If the PCRF serves multiple fastDPI, multiple Acct-Ons will be sent, with a separate Acct-On for each fastDPI.
- [DHCPv6] Fixed: Sending Renew/Rebind requests to Radius before expired timeout, causing current acct session to close and start a new one.
- [CoA] Fixed: CoA Disconnect could close a hung session created after sending CoA Disconnect.
- [PCRF] Added: NAS-Port-Id attribute is also added for single-VLAN networks and contains the string "0/vlan"
- [CoA] Changed: CoA Disconnect now closes all acct sessions for the specified credentials.
- [fastpcrf] Fixed: Error processing L3 auth over IPv6
Changes in version 11.3 Foundation
- CGNAT significantly redesigned: clients with the same public IP address will reuse each other's sessions more actively
- Added support for BNG/BRAS redundancy in L2 mode (switching is done via vrrp/keepalived service)
- [fastpcrf] Fixed: when switching to another Radius server, an Acct-On is sent from all fastdpi servers. If PCRF serves several fastdpi, several Acct-On will be sent, a separate Acct-On for each fastdpi.
- [DHCPv6] Fixed: sending Renew/Rebind requests to Radius before expired timeout
- [CoA] Fixed: previously CoA Disconnect could close a "frozen" session created after sending CoA Disconnect
- [PCRF] NAS-Port-Id attribute is added for single-VLANs and contains "0/vlan" string. For single-VLAN networks, the NAS-Port attribute containing VLAN is also added, as before
- [CoA] Changed: CoA Disconnect now closes all acct sessions with specified properties
- [fastpcrf] Fixed: error during processing of L3 auth over IPv6
- [router] Fixed: deleting the route at the end of a PPPoE session
- CGNAT fixed based on BETA1 results
- Added new protocols HUAWEI CLOUD, WOT WARGAMING, PUBG KRAFTON, LoL RIOTGAMES, FORTNITE EPIC
- Fixed service 5 on VCHANNEL
- [router][lag] Fixed: choosing the next device from LAG in case of link down
- [PCRF] If Framed-Pool and IP address are specified in the authorization response, Framed-Pool is ignored. This applies to PPP, DHCP, DHCPv6 authorization.
- [ppp] Fixed: if the Radius authorization response contains assigned IP addresses together with Framed-Pool, the Framed-Pool attributes are ignored and are not passed to PPPoE BRAS. The presence of framed-pool in PPPoE BRAS changes the PPPoE logic: BRAS starts monitoring the lease time and sends DHCP Renew to the DHCP servers. In the case of an explicitly assigned IP address, this may cause the PPPoE session to be closed if the DHCP server responds with NAK.
- [dhcp6] Fixed: sending acct even if service 9 is disabled
Changes in version 11.4 Foundation
- Added service 15 (Special Subscriber): when the service is activated, the subscriber's traffic is prioritized by the special_dscp parameter (0 by default)
- Added nat_gcache_slice_k100 parameter which defines how many ports are allocated per slice (125 by default)
- Added seqno to clickstream
- Improved processing of "empty" radius response
- Added IP/CIDR based vchannels
- [router] Added: if "Termination by AS" mode is enabled (bras_term_by_as=1), then routing is applied only to those subscriber AS that are terminated. If the AS is not terminated, no routing is applied to the packet. The same applies to subscriber address announcements: if the address belongs to a non-terminated AS, such address is not announced
- [router] Added: de-announcing Framed-Route subnets when de-announcing a subscriber
- Upgraded to DPDK 21.11 LTS
- Tested installation on ROSA Linux Chrome and VEOS 8.6
- Increased the number of supported ports to 24
- Fixed: cli command router fib dump shows subnets smaller than /24
- [router] Fixed crash on unscheduled cleaning of router ARP cache
- [BRAS][L3-auth] Fixed: removed Acct-Start sending from backup fastdpi when L3-auth on main fastdpi
- Fixed size of batch buffer for DPDK 21.11 with mellanox driver
Changes in version 11.4.1 Foundation
- Fixed TAP interfaces support
- [BRAS][pppoe] Added new conf parameter bras_ppp_padi_recreate_timeout: the time interval (seconds) during which repeated session creation requests (PADI) coming from a subscriber do not lead to the creation of a new session (the previously created session object is used). This parameter is designed to protect against a storm of PADI requests from a subscriber and against recreating session objects. Some routers send multiple PADI when creating a session, without waiting for a response from BRAS. Default: 5. A value of 0 means no control
- [PCRF][acct] Fixed: reference to removed data
- [PCRF][acct][cli] Added pending response type output for acct record
- [BRAS][CoA] Fixed: search by login in CoA update. If login and IP are specified in a CoA update (change of subscriber profile - connection or disconnection of services) and the subscriber cannot be found by login, the search is performed by IP. Previously, search by login had the highest priority: if no subscriber was found, the CoA update was not processed.
- [PCRF] Radius attribute dictionary updated
Changes in version 11.4.2 Foundation
- changed: when connecting service 15, channel blacklist (or default) filtering is disabled
- changed: tbf rate 8bit optimized to drop
- improved: RTP and SIP protocol recognition
- modified: common and channel policing is now applied in read only mode (for pre-filter purposes)
- changed: service 12 is applied after channel and subscriber policing
- added cache for public address: when exporting NAT data, real data from cache are used when public port is released (before: no value was transmitted, i.e. =0). nat_dstaddr_cache_size parameter sets number of dst_ip:dst_port stored in public address for UDP. Default is 0xffff * 2 (not relevant for TCP).
- changed: When a resource is blocked, flow is released faster (flow is moved to a 'short' queue).
Upgrade Instructions
You can check the currently installed version with the command
yum info fastdpi
Rollback to 11.2:
yum downgrade fastdpi-11.2 fastpcrf-11.2 fastradius-11.1
After updating or changing the version, restart of the service is required:
service fastdpi restart
If PCRF and/or Radius are used, they also need to be restarted. The following order is preferable for restarting pcrf:
service fastdpi stop
service fastpcrf restart
service fastdpi start
Do not update the Linux kernel. In new versions of the kernel, binary compatibility with the Kernel ABI may be broken and the network driver will not load after the update. If you did upgrade, then while solving the problem, configure the grub bootloader to load the previous version of the kernel (in the /etc/grub.conf file, set the default=1 parameter).
If you receive a message during the update that the update was not found or there are problems with dependencies, then before updating, run the command
yum clean all