{{indexmenu_n>13}}
====== Version 12 Machu Picchu ======
12.0 Machu Picchu ((Machu Picchu, the "Lost City of the Incas", located in southern Peru on a 2,430-meter mountain ridge, a UNESCO World Heritage Site))

===== Changes in version 12.0 =====
  - Changed: switch to DPDK 22.11 LTS
  - Added: parsing of 'Chaos Protection' header to QUIC IETF
  - Added: cold parameter ''[[dpi:opt_cgnat:сgnat_settings:start|nat_transcode_cidr]]'', which specifies the CIDR of the provider's public addresses. It is possible to use 2 CIDR parameters when re-coding from public to private for NAT 1:1. Any public address can be assigned to the private address for NAT 1:1.
  - Changed: hash function for distribution by worker threads: ( crc( ip_src ) % nthread + crc( ip_dst ) % nthread ) % nthread
  - Changed: public address allocation algorithm for CG-NAT: crc( private ) % nthread + crc( public ) % nthread
  - Changed: the message '[NFLW] very long operation ....' is always displayed no matter how many times the message is repeated
  - Changed: the name of the file record directory - added stream
  - Added: information output statistics for sending NetFlow/IPFIX <code>
[STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {a/b/c%/d/e}
  a - the number of sending cycles executed
  b - the number of sending cycles in which the time spent on sending exceeded the period of execution of cycles
  c - percentage of cycles that exceeded the period: 100 * b/a
  d - maximum duration of a cycle, microseconds
  e - period of sending statistics, microseconds (netflow_timeout parameter value, which is set in seconds)
E.g.:
[STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {7/0/0.00%/45297us/30008163us}
</code>
  - [PCRF][PPPoE] Fixed: previously, if Radius responded with an IPv6 address instead of a prefix, we did not make the prefix from the address, which led to recreation of the acct-sessions. Newly created acct-sessions used to be without login and other important attributes for ISPs.
  - [BRAS][L3-AUTH] Changed: Framed-Route is no longer applied to PD-prefix
  - [PCRF][ACCT] Fixed: previously, when an entry was unlinked from a multisession, the IP addresses for the multisession were not corrected. Unlink occurs during aggregation. As a result, other entries, which had no relation to this multisession, may have been bound to it later.
  - [PCRF][DHCPv6-Pool] Fixed: Forming the Link-Address field for Relay-Fwd when sending a request to a specific DHCPv6 server
  - [BRAS][PPPoE-IP6] IPv6 address request from Framed-IPv6-Pool is performed when the first IP6CP Cfg-Req comes from the client
  - [CLI][ACCT] Added: fastdpi-server NAS attributes output in pcrf acct show commands
  - [BRAS][DHCP] Fixed: Sending a NAK to a DHCP-Request for another server
  - Added: support for DDP profiles for Intel 700-series NICs (i40e driver) for PPPoE/GTP/MPLS tunnel balancing when using dpdk_engine=2. DDP is loaded from /lib/firmware/intel/i40e/ddp/i40e.pkg file during i40e ports initialization. Lifetime of the loaded DDP profile: until the server is rebooted.
  - Changed: algorithm for selecting a server for recording SDS
  - [CLI] Added: setting L2 subs_id in the ''subs prop set'' command
  - [BRAS][DHCP-Relay] Added: support for L2 ''subs_id''
  - [BRAS][AUTH] Added: support for ''l2subs_id'' for L3-authorization, since the L3 auth response from the Radius may indicate that it is an L2 subscriber
  - [BRAS][ARP-AUTH] Added: support for ''l2subs_id''
  - [BRAS][PPPoE][CLI] Added: ''l2lan_id'' attribute for PPPoE sessions
  - [BRAS][PPPoE] Removed support for MAC authorization, without login and password, removing ''bras_ppp_mac_auth'' option
  - [PPPoE][CLI] Added: support for the ''subs_id'' parameter that identifies the PPPoE session
  - [BRAS] Added: ''l2lan_id'' class - L2 network identifier. ''l2lan_id'' is intended for separating subscribers by VLAN. The ''l2lan_id'' is derived from the ''l2subs_id'', i.e. its formation is set by the same ''bras_subs_id'' option.
Basically, ''l2lan_id'' is a VLAN prefix from ''l2subs_id''.
  - [BRAS][DHCP] All internal DHCP session databases now consider ''l2lan_id'' - it is included in their MAC and Client-Id key. That is, two subscribers with the same MAC-address, but in different VLANs, are considered different subscribers (if ''bras_subs_id'' is set to consider VLANs). Opt82 and Q-in-Q secondary keys do not consider ''l2lan_id''. Read more about [[dpi:bras_bng:bras_l2_subs_id:start|bras_subs_id]]
  - Added: configuration parameter ''[[dpi:opt_cgnat:сgnat_settings:start|rx_dispatcher]]'' - flow hashing method by worker threads:
    * 0 - old method is used by default (ip_src+ipdst)%N ) & ip_mask
    * 1 - new method is used with recoding support for NAT1:1 (CRC(IP SRC)%N+CRC(IP_DST)%N)%N
  - [Radius monitor] Added: support for exporting NAS address and port and other attributes
  - [Radius monitor] Added: connection of service 12
  - [BRAS] Added: setting ''bras_ppp_lcp_start_timeout''

===== Changes in version 12.1 =====
  - Added: NAT diagnostic information
  - Added: On-Stick mode support
  - Minor changes in CG-NAT
  - Support for [[dpi:dpi_options:opt_li:start|service 12]] ((Record subscriber traffic in PCAP file)) on VCHANNEL
  - Support for protocols with names that can be downloaded from the cloud
  - SDS: transfer data in pcapng format

===== Changes in version 12.2 =====
  - Corrections to the CG-NAT utilization statistics output
  - Parsing the new GQUIC versions
  - New service 16 – allow list (captive portal) without access of subscribers to the Internet (due to failure of uplinks, subscriber in long-term blocking, etc.)
  - New ''dpdkinfo'' utility. [[dpi:dpi_components:utilities:management_utilities:start|Description]]

===== Changes in version 12.3 =====
  - Added: [[dpi:dpi_components:router:start|VRF support in router]]
  - PPPoE authorization management service based on Service-name field.
Description under [[dpi:bras_bng:bras_pppoe:start#configuring_service-name_for_vlan|PPPoE Authorization Setup]] <code>
fdpi_cli help vlan group
vlan group : manage vlan group authorization policy
vlan group ... - manage vlan group 2 ... - manage = <2>
vlan group 2 deny auth pppoe - deny authorization by pppoe and delete all its properties
vlan group 2 allow auth pppoe - allow authorization by pppoe
vlan group 2 show auth pppoe - show policy for authorization by pppoe
vlan group 2 show auth all - show policy for all authorization protocols
vlan group 2 show all - show all properties for group
vlan group 0 show all - show all properties for all groups - full scan and print udr
vlan group 2 auth pppoe allow add service-name name=sname delay=3 - allow authorization by pppoe for service-name sname with podo-delay=3
vlan group 2 auth pppoe deny add service-name name=sname delay=3 - deny authorization by pppoe for service-name
vlan group 2 auth pppoe delete service-name name=sname - delete service-name sname and its properties
vlan group 2 auth pppoe show service-name all - show service-name policy for authorization by pppoe
vlan group 2 drop - drop packet without any analysis
vlan group 2 pass - passthrough packet without any analysis
</code>
  - Added: support for sending heartbeat for external bypass
  - Added: extract and transfer to IPFIX of cookies from ''Set-Cookie''
  - Improved: blocking of the short TCP protocol freezes in IPFIX threads via additional ''user timeout'' setting (in addition to the standard ''tcp keep alive'' mechanism)
  - Added: performant ''rx_dispatcher=2'' with even balancing over an arbitrary number of flows (but no support for ''nat1:1'' with the requirement to assign specific addresses).
Description under [[dpi:opt_cgnat:сgnat_settings:start#additional_settings|Settings and management]]
  - [BRAS][PPPoE] Fixed: ''dual-stack'': adding IP addresses to an existing ''acct session''
  - [PCRF] Fixed: switch ''persist queue'' to "connected" mode
  - [CLI] Added CLI command ''fdpi_cli pcrf persist queue reconnect'', which reconnects to fastDPI without resetting the queue. Can be applied to a specific connection or to all connections. Description under [[dpi:bras_bng:cli:pcrfctl:start#pcrf_persist_queue_reconnect|FastPCRF Management]]
  - [PCRF][PPPoE][Framed-Pool] Fixed: create acct-session with ''session_id'' announced during authorization
  - Added support for ''pcapng'' format for recording to storage
  - [CoA] Added processing of CoA Update by ''l2subs_id''. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa:start]]
  - Added: saving ICMP protocol translations in NAT exports
  - Changed: ''[[dpi:opt_cgnat:сgnat_settings:start|nat_exclude_private]]'' parameter and corresponding support: ''int nat_exclude_private'';\\ Bitmask to avoid NAT for private addresses: \\ 0 - always do private -> public conversion \\ 1 - do not do NAT for private addresses (''ip_src'' and ''ip_dst'' are private or are in ''psz_prms_user_private'') \\ 2 - ''ip_src'' is private given ''psz_prms_user_private'' and AS for ''dst_ip = local'' \\ 4 - ''ip_src'' - private with ''prms_user_private'' and AS for ''dst_ip = peer''. Description under [[dpi:opt_cgnat:сgnat_settings:start#additional_settings|Settings and management]]
  - [CoA] Added processing of CoA Reauth by ''l2subs_id''. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa:start]]
  - [CoA] Added CoA Disconnect processing by ''l2subs_id''.
Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa:start]]
  - [fDPI] Maximal number of clusters increased from 10 to 12
  - [PCRF][ACCT] Added: pass ''VasExperts-L2-SubsId'' attribute to ''Acct Start/Interim/Stop''. Description under [[dpi:bras_bng:radius_integration:radius_accounting:radius_attr:start]]
  - [DPDK] Added: ''disable Ethernet Flow Control'' on port startup
  - [PCRF][DHCPv6-POOL] Fixed generation of Client-DUID when composing DHCP6-RENEW for Framed-IPv6-Pool \\ The Client-DUID must be immutable throughout the DHCPv6 session, otherwise the DHCPv6 server may issue a **different** IPv6 prefix on Renew, resulting in PPPoE session closure. To achieve immutability, the Client-DUID is now formed from the subscriber's ''l2subs_id''.
  - [PCRF][DHCP-POOL] Fixed 'request-response' identification when working with DHCP pools. \\ The identifier used is: \\ For DHCPv4 – subscriber MAC address ''(chaddr)'' + request ''xid'' \\ For DHCPv6 – ''Client-Id'' option and ''xid'' of the request. \\ The server is required to pass the ''Client-Id'' option in the response, unlike other request options.
  - [BRAS] Added CLI command ''dhcp show stat vrf'' \\ Display the number of DHCP subscribers by VRF
  - [PCRF] Added CLI command ''pcrf radius enable/disable''
  - [PCRF] Added CLI command ''pcrf radius ping''
  - [PCRF] Added CLI command ''pcrf radius status''
  - Changed: if session has no public address - CG-NAT is enabled.
  - Added: if service 11 is removed, NAT is disabled and resources are released. Occurs only if there is read data on flow
  - [BRAS][DHCP] Use the subscriber MAC address from DHCP request for ''l2subs_id''. \\ The ''srcMAC'' from the ethernet header of the packet is used to generate the L2 subscriber ID (see ''bras_subs_id''). In case DHCP requests go through DHCP Relay, the ''srcMAC'' in the ethernet header of the DHCP packet is no longer the MAC address of the subscriber.
DHCP requests of all subscribers passing through DHCP Relay have the same MAC in the ethernet header and the same ''subs_id''. \\ Solution: to generate the L2 identifier, the subscriber's MAC address is now taken from the DHCP packet, ''chaddr'' field.
  - [PCRF] watchdog - new Radius server monitor. Description under [[dpi:bras_bng:radius_integration:radius_auth_fastpcrf_setup:radius_auth_fastpcrf_setup_full:start]]\\ New fastpcrf.conf parameters:
    * Radius-servers ping timeout, in seconds. \\ If there are no authorization requests, fastPCRF periodically pings Radius servers by sending a Status-Server or Access-Request. If the server responds, it is considered available. The default value is 60 seconds. ''radius_keepalive=60''
    * User-Name (''radius_ping_user_name'') and Password (''radius_ping_user_password'') of the pseudo-subscriber for ping requests. \\ FastPCRF attempts to maintain a connection to all described Radius servers by periodically sending a ping request to the servers. \\ A ping request is a Status-Server request (if Radius supports it) or a regular Access-Request with User-Name and Password specified. These parameters set User-Name and Password for Access-Request ping requests (Status-Server does not use these parameters). For the FastDPI process, only the fact that the server responds to the ping request is important; the content of the response (Access/Reject and their attributes) is not analyzed. If User-Name and Password are not specified, the Access-Request ping request will still be sent, but without User-Name and Password attributes. There are no default values.
    * The ''radius_revive_period'' parameter has been removed as unnecessary.
  - Modified: For flow, the flag ''p_flow_->cmn.bts_check_ip |= ntconnt::bts_nat_must_whip'' is set. \\ The flag indicates that a call is coming from a private address and a public address is required for this flow.
If no public address is assigned – attempts to allocate a public address continue (For TCP – only if SYN). This is because requests may come from a private address and only then service 11 appears, but the flow already exists and will never work.
  - Modified: If a public address is set for flow, the presence of service 11 is checked. If there is no service, the public address is released.
  - [Router] Added: error message in ''fastdpi_alert.log'' "VRF has no TAP" \\ If VRF does not have any device – it is impossible to announce address in such VRF. This error is displayed in ''fastdpi_alert.log'' not more than once per hour for each VRF
  - Added: fdpi_cli commands: ''nat dump transcode'', ''nat dump translater [profile name]'', ''nat dump translater data [profile name]''
  - New policing profile name – ''BV###NNNNNNN[#MMMM][#++++--]'', where NNNNNN - incoming traffic rate in kbps, MMMM - outgoing traffic rate in kbps, + - class enabled, - class disabled. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:start#vasexperts-policing-profile|Subscriber authorization attributes]]
  - [PCRF] Added: new ''chaddr@opt60'' value for ''radius_user_name_dhcp'' option \\ Example: ''radius_user_name_dhcp=chaddr@opt60'', User-Name in Access-Request is formed from MAC-address of DHCP packet header (''chaddr'' field) and option 60 if this option is in DHCP-request. Description under [[dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_pcrf:start]]
  - Changed: improved FACEBOOK VIDEO detection
  - Fixed: when parsing ''quic_ietf'' for the first CRYPTO packet, if ''offset==0'' is set - checks for possible fragmentation
  - Added: parsing changes - minding the changes in Google QUIC versions: before version 34 there was an additional field "Private Flags". The SSG did not parse such packets.
Since version 39 - changed byte order for "Data Length" record
  - Added policing and service 16 on values from profile name. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:start#vasexperts-service-profile|Subscriber authorization attributes]]
  - [BRAS] Added: new ''bras_ip_filtering'' option \\ [hot] Traffic filtering (bitmask) is disabled (=0) by default. \\ Allowed flags: ''0x0001'' - controlling IP spoofing (restricting forged traffic). The packet on subs → inet path is dropped if subscriber's IP address (srcIP) is unknown for L2 BRAS and ''bras_term_by_as = 0'' and subscriber's AS is not ''local''. \\ ''bras_ip_filtering=0''
  - [BRAS] Added: ''bras_vrf_isolation'' option - isolation at VRF level. Description under [[dpi:dpi_components:router:start#ssg_settings|Soft-Router]] \\ Added new ''fastdpi.conf'' option: [hot] VRF Isolation. By default (0), L2 BRAS does not isolate subscribers from different VRFs. If this mode is enabled (1), subscribers from different VRFs will be isolated from each other: for a subscriber from VRF1, the gateway must also be in VRF1, and ''local interconnect'' will only work for subscribers from the same VRF1. ''bras_vrf_isolation=0'' \\ When this option is enabled:
    - ARP subscriber to gateway - processed by fastDPI only if subscriber and gateway are in the same VRF
    - ICMP ping of gateway - processed by fastDPI only if the subscriber and gateway are in the same VRF
    - ''local interconnect'' - applied only if both subscribers are in the same VRF.
  - Fixed: error messages for client should not contain LF in json
  - [BRAS][ARP] Modified: ARP processing to gateway. Respond to ARP request to gateway only if sender and gateway VRFs match (''sender'' and GW are in the same VRF).
  - [VRF] Modified: VRF name assignment via service 254 (Radius only). Description under [[dpi:dpi_components:router:start#ssg_settings|Soft-Router]]
  - [BRAS][DHCP-Proxy] Session-Timeout and Lease-Time for Framed-Pool.
If an address is issued from Framed-Pool for a small amount of time (small ''lease-time'') and a large session-timeout is specified during authorization, then all Renew/Rebind requests from the subscriber must be sent to the DHCP server via PCRF to renew the lease, otherwise the DHCP server may think that the address is free. Reauthorization is done only when ''session-timeout'' is reached
  - Added: support for service 16 - processing SYN requests and subsequent forwarding without transmitting packets to the Internet. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:start#vasexperts-service-profile|Subscriber authorization attributes]]
  - [Router] Added: ''shared neighbor'' cache for VRF. \\ Added: [cold][optional] ''neighbor_cache'' option to the ''router_vrf { ... }'' VRF configuration. \\ String is the default ARP cache name for this VRF, each VRF has its own ARP/Neighbor cache isolated from others. \\ If you want several different VRFs to share a common ARP/Neighbor cache, you should set the same value of the ''neighbor_cache'' option in the description of these VRFs: ''router_vrf { neighbor_cache=... }''. Description under [[dpi:dpi_components:router:start#ssg_settings|Soft-Router]]
  - [PCRF] fastpcrf.conf option ''radius_user_name_dhcp'' - added new value ''opt61@opt60'': ''radius_user_name_dhcp=opt61@opt60''. Description under [[dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_pcrf:start]] \\ User-Name in Access-Request is generated from DHCP options 61 and 60 if these options are present in the DHCP request. \\ New fastpcrf.conf options - in which attributes to pass DHCP options to Access-Request \\ [hot] Specify attributes in which DHCP options are passed. Assignment format: ''attr_dhcp_opt43=vendorId.attrId'' where vendorId is the vendor id, a number from 0 to 2^32-1. \\ If ''vendorId !=0'', the value is passed in the VSA attribute.
If ''vendorId == 0'', then the value is passed in the regular Radius attribute (non-VSA) \\ attrId - attribute id, a number between 1 and 255 \\ Attributes are assumed to be of type octets (passed as is in binary form) \\ Value 0.0 - do not pass this attribute to the Radius server. \\ Default values are as follows: ''attr_dhcp_opt43=0.0'', ''attr_dhcp_opt60=43823.34'' (VasExperts-DHCP-ClassId), ''attr_dhcp_opt61=43823.33'' (VasExperts-DHCP-ClientId)
  - Added: support for service 16 and corresponding profile - set, delete, view via ''fdpi_ctrl''; the profile matches the structure for service 5 \\ Example of setting: <code>
fdpi_ctrl load profile --service 16 --profile.name portal_info_1 --profile.json '{ "ip_list" : "/var/lib/dpi/ip_list_1.bin", "redirect" : "http://info.test.ru" }'
</code> The ''max_profiles_serv16'' parameter sets the maximum number of profiles. The default is 32. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:start#vasexperts-service-profile|Subscriber authorization attributes]]
  - [DHCP-Proxy] Introduced CoA Disconnect processing modes. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa:start#flag_to_deny_allow_sending_acct_stop|Radius CoA]] \\ Added new ''bras_dhcp_disconnect'' option, which is a bitmask of the following flags:
    * ''0x0001'' - disable acct stop: do not immediately send ''acct stop'' for a disconnected DHCP subscriber
    * ''0x0002'' - disable L3 auth: do not perform L3 authorization for a disconnected DHCP subscriber
    * ''0x0004'' - block traffic: block all traffic from a disconnected subscriber (i.e. on ''subs → inet'' path)
    * ''0x0008'' - respond to DHCP Request → NAK
    * ''0x0010'' - ignore DHCP Request (wait for DHCP Discovery)
  - [DHCP-Proxy] Added: control of subscriber IP address change \\ If a subscriber is given a different IP address, the former IP address should be de-announced
  - [VRF][CLI] VRF support added to all router CLI commands

===== Changes in version 12.4 =====
=== DPI ===
  - Added: support for individual session rate limiting protocols and definition of traffic classes at the channel and subscriber levels. Description under [[dpi:dpi_options:opt_shaping:shaping_session:start]] <code>
#to support this service additional RAM will be required (compared to standard requirements), it is reserved by setting support_service_18=1
#in /etc/dpi/fastdpi.conf

speedtest cs1
default keep
cat dscp_prof_1.txt|lst2dscp /tmp/dscp_prof_1.dscp

speedtest tbf rate 16mbit inbound.rate 16mbit
bittorrent tbf rate 8Mbit
signal tbf rate 1kbit inbound.rate 2kbit
TCP Unknown tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit
cat tbf_prof_1.txt|lst2tbf /tmp/tbf_prof_1.tbf
#reverse conversion
tbf2lst /tmp/tbf_prof_1.tbf

fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/dscp_prof_1.dscp", "tbf" : "/tmp/tbf_prof_1.tbf" }'
fdpi_ctrl load --service 18 --profile.name test_dscp --login DEMO
#or/and
fdpi_ctrl load --service 18 --profile.name test_dscp --vchannel 1
</code>
  - Added management of traffic processing levels at the VLAN level. The ''hide'' command allows you to do a traffic drop with pre-analysis. Description under [[dpi:dpi_components:platform:vlan_traffic_handling:start]] <code>
fdpi_cli vlan group drop
fdpi_cli vlan group pass
fdpi_cli vlan group hide
</code>
  - Fixed: when binding an IP to a login, check if this IP is already bound to this login. The ''mtd_bind_ip_login'' function for binding IP to login was unconditionally performing ''unbind'' before binding, without checking the current binding.
''unbind'' clears current services, including service 9 data (''netflow'', ''accounting''), which led to a silent reset of acct counters on subscriber reauthorization if auth and acct synchronization in fastpcrf is disabled. This commit adds a check: if the IP is already associated with a valid login, ''bind''/''unbind''/''rebind'' does not need to be done and the ''mtd_bind_ip_login'' function just returns an "ok" result.
  - Added "DTLS", "RTCP", "LIGHTWAY", "GOOGLE_MEET", "JITSY", "WECHAT", "DOT", "META_CALLS" protocols
  - Improved Skype detection in STUN
  - Added ''radmin-port'' protocol signature
  - Added support for IPv6 channels (with reload). Description under [[dpi:dpi_options:opt_shaping:shaping_multi:start#for_cidr|Policing of Virtual Channel (vChannel) — setting for CIDR]]\\ Example of an assignment: <code>
fe80::0/8 1
cat ipchannels6.txt | as2bin6 /etc/dpi/ipchannels6.bin
</code>
  - Added blocking of all IPv6 when service 4 and ''block_options=4'' are enabled
  - Fixed bug in TELEGRAM_TLS detector causing over-detection
  - Added support of reload for IPv6 channels
  - Added LiveU protocol. Changed the name of the protocol ''radmin-port'' to ''radmin''. List of new protocol identifiers: <code>
DoT 49281
RTCP 49282
LIGHTWAY 49283
GOOGLE_MEET 49284
JITSY 49285
WECHAT 49286
DTLS 49287
META_CALLS 49288
LIVEU_LRT 49289
</code>
  - Added ''vchannels_default='' setting to put traffic unallocated on other channels into a separate channel (but not 0!). Description under [[dpi:dpi_options:opt_shaping:shaping_multi:start#setting_up|Policing of Virtual Channel (vChannel) — Setting up]]
  - Fixed: building structures to divert traffic to TAP (error in sorting the IPv4 address array).
  - Added support for service 18 for vchannels
  - Added support for service 49 for channels and subscribers: IPv6 traffic blocking.
Description under [[dpi:dpi_options:opt_filtration:filtration_ctrl:start#activation_of_ipv6_traffic_blocking_service|Management — Activation of IPv6 traffic blocking service]] <code>
fdpi_ctrl load --service 49 --login DEMO
fdpi_ctrl load --service 49 --vchannel 1
</code>
  - Renamed protocol JITSY -> JITSI
  - Fixed: for virtual channels DSCP is defined only if ''support_service_18'' parameter is set. Description under [[dpi:dpi_options:opt_shaping:shaping_session:start#ssg_configuration|Policing by session and overriding traffic classes — SSG Configuration]]
  - ASN number accounting for GOOGLE MEET detection based on DTLS
  - Added: WECHAT protocol definition
  - Fixed: whatsapp_voice definition for TCP transport protocol
  - Fixed definition of custom protocols based on IPv6 addresses/CIDR
  - Improved recognition of openvpn, holavpn, signal
  - Added the ability to supplement the definition of a signal
  - Added possibility to use CIDR, addresses and ports for IPv4 and IPv6 in black and white lists. If CIDR or address is set, all TCP ports are blocked (UDP with the setting ''udp_block=3''). Description under [[dpi:dpi_options:opt_filtration:making_dictionary:start#file_format_with_a_list_of_ip_addresses_to_block|File format with a list of IP addresses to block]]
  - Added utilities to check for blacklisting ''[[dpi:dpi_options:opt_filtration:making_dictionary:start|checklock]]'' and custom protocol ''checkproto''. The address or port address must be specified on the command line.
  - Fixed: stun processing for TCP
  - Changed definition by realm: if another protocol is specified - the protocol is changed at once.
  - Added: service 17 (no profile) - mirroring traffic to a specified VLAN.
Description under [[dpi:dpi_options:opt_li:li_ctrl:start#mirroring_on_a_vlan|PCAP Record Management and VLAN Mirroring — Mirroring on a VLAN]] <code>
#Parameters in fastdpi.conf:
span_vlan=123
span_trace=1
#For diagnostics you can use:
#trace_ip or span_trace or ajb_save_emit
#if you set service 12 and 17, then in pcap we will see original recording and mirrored recording
</code>

=== BRAS ===
  - Added extracting information from Radius avp ''framed-ipv6-prefix''. Added sending ''framed-ipv6-prefix'' and ''delegated-ipv6-prefix'' over IPFIX
  - Fixed: VLAN translation for ARP packets inet->subs
  - Fixed bug with AS numbers in IPFIX
  - Fixed framed-pool support bug
  - Added: parameter ''netflow_tos_format'', IPFIX TOS field data format: ''netflow_tos_format=0'' (default value) - 3 bits (priority only), ''netflow_tos_format=1'' - 6 bits (full DSCP). Description under [[dpi:dpi_options:opt_statistics:statistics_ipfix:start]]
  - Added: ''ipfix fullflow'' now passes an additional field - [[dpi:dpi_options:opt_statistics:statistics_ipfix:start|original TOS from the IP header]], which makes it possible to build reports on external markup
  - Fixed: ''dhcp nak issue''
  - Fixed channel detection in IPFIX for IPv6
  - Adding opt125 with pool name as the first option. Reason: KEA parses only the first vendor when defining the client class (opt125). Description under [[dpi:bras_bng:ip_pool:ipv4:start#fastpcrf_configuration|IPv4 Pools Support — FastPCRF Configuration]]
  - Closing DHCP sessions after CoA Disconnect. If after PoD (CoA Disconnect) there is no DHCP request before the lease time expires, the session should be closed by sending a de-announcement and acct stop. It should be taken into account that the subscriber's session type may change from DHCP to StaticIP or PPPoE; in this case, the DHCP session should be closed without de-announcement and acct stop.
Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa:start#disconnect-request|Radius CoA — Disconnect-Request]]
  - CLI: new parameter ''ts_lease_expired'' (lease end time) was added to the output of the ''dhcp show'' command.
  - Added option ''acct_disable_interim_update'' to prohibit sending Interim-Update. Do not send Interim-Update: ''acct_disable_interim_update=1''. Default ''acct_disable_interim_update=0'' (Interim-Update is sent). Description under [[dpi:bras_bng:radius_integration:radius_accounting:setup:start]]
  - Added IPv6 support for CoA. ''Command-Code=1'' - search for acct session by IP. The acct session can be searched by IPv6 prefix attributes ''Framed-IPv6-Prefix'' or ''Delegated-IPv6-Prefix''. The command response specifies all known IP addresses of the found acct-session - ''Framed-IP-Address'', ''Framed-IPv6-Prefix'', ''Delegated-IPv6-Prefix''. Description under [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa:start#accounting_session_request_for_given_ip_address|Radius CoA — Accounting session request for given IP address]]
  - Fixed: CLI command ''dhcp show stat vrf''. Subscriber's ''subs_id'' was not checked when determining session "liveliness" - transfer of an IP address to another subscriber could break these statistics
  - Fixed: update ''lease expired'' for address from Framed-Pool
  - Added: support for Huawei vendor-specific tag 1. The value is interpreted as ''ADSL-Forum-Circuit-Id''. If a PPPoE packet contains Circuit-Id and Huawei tag 1, Circuit-Id is preferred and Huawei tag 1 is ignored.
[[dpi:bras_bng:bras_pppoe:bras_pppoe_radius:bras_pppoe_radius_req:start#support_huawei_vendor-specific_tag_1|Access-Request format for the PPPoE networks — Support Huawei vendor-specific tag 1]]
  - Fixed: de-announcement of the previous address if a new one is given to the client

=== NAT ===
  - Fixed: crash when a public address is allocated (rare event: when the NAT service is removed at the moment a public address is being allocated)

=== SDS ===
  - Automatic UUID generation and saving in ''/var/lib/dpi/sdsuuid.dat'' file
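
The ''NFLW_export'' statistics line introduced in version 12.0 ({a/b/c%/d/e}) can be monitored to notice when NetFlow/IPFIX export falls behind and flow records may be delayed. The parser below is an added example, not part of the release notes or the vendor's tooling; the names ''ExportStat'', ''parse_line'' and ''scan'' are hypothetical, the d > e check is an added heuristic, and every sample line except the first is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Layout from the 12.0 notes: {a/b/c%/d/e}
#   a = send cycles executed, b = cycles that overran the cycle period,
#   c = 100 * b / a, d = longest cycle (us), e = statistics period (us)
_STAT_RE = re.compile(
    r"\[STAT\s*\]\[(?P<ts>[^\]]+)\]\s*Statistics on NFLW_export\s*:\s*"
    r"\{(?P<a>\d+)/(?P<b>\d+)/(?P<c>\d+(?:\.\d+)?)%/(?P<d>\d+)us/(?P<e>\d+)us\}"
)


@dataclass(frozen=True)
class ExportStat:
    timestamp: datetime
    cycles: int          # a
    overruns: int        # b
    overrun_pct: float   # c
    max_cycle_us: int    # d
    period_us: int       # e

    def problems(self) -> List[str]:
        """Return findings; an empty list means the exporter kept up."""
        found = []
        if self.overruns > self.cycles:
            found.append("inconsistent: b > a")
        expected = 100.0 * self.overruns / self.cycles if self.cycles else 0.0
        if abs(expected - self.overrun_pct) > 0.01:  # c is printed with 2 decimals
            found.append(f"inconsistent: c={self.overrun_pct} but 100*b/a={expected:.2f}")
        if self.overruns:
            found.append(f"{self.overruns} of {self.cycles} send cycles overran")
        if self.max_cycle_us > self.period_us:
            found.append("longest cycle (d) is longer than the period (e)")
        return found


def parse_line(line: str) -> Optional[ExportStat]:
    """Parse one fastDPI log line; return None if it is not an NFLW_export stat."""
    m = _STAT_RE.search(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y/%m/%d-%H:%M:%S:%f")
    except ValueError:
        return None  # timestamp not in the documented format
    return ExportStat(ts, int(m["a"]), int(m["b"]), float(m["c"]),
                      int(m["d"]), int(m["e"]))


def scan(lines: Iterable[str]) -> List[Tuple[ExportStat, List[str]]]:
    """Return only the stat records that have at least one finding."""
    hits = []
    for line in lines:
        stat = parse_line(line)
        if stat is not None:
            issues = stat.problems()
            if issues:
                hits.append((stat, issues))
    return hits


SAMPLE_LINES = [
    # Example line quoted in the release notes
    "[STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : "
    "{7/0/0.00%/45297us/30008163us}",
    # Constructed: three overrun cycles, longest cycle above the period
    "[STAT ][2022/11/20-17:55:33:214002] Statistics on NFLW_export : "
    "{10/3/30.00%/31250000us/30000000us}",
    # Constructed: unrelated log line that must be ignored
    "[INFO ][2022/11/20-17:55:34:000000] constructed unrelated line",
]

if __name__ == "__main__":
    for stat, issues in scan(SAMPLE_LINES):
        print(stat.timestamp.isoformat(), "; ".join(issues))
```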