Table of Contents

Version 14.0 Shooting Stars

Changes in Version 14.2.1

Starting from SSG 14.2.1, the nat_dstaddr_cache_size parameter is no longer required and should be removed from /etc/dpi/fastdpi.conf.

DPI

  1. Improved RFC standards compliance for redirects in Service 16 (HTTP redirect and IP address whitelist with TCP session termination on SSG): the ISN in SYN+ACK is replaced with an unpredictable value, and the session is terminated using the full TCP termination sequence

NAT

  1. Improved CG-NAT behavior when free ports are exhausted. If a subscriber does not have enough free ports to create new sessions, the subscriber can reuse ports previously allocated to them more aggressively. This behavior is controlled by the following new configurable timeout values, which default to the values listed below:
    • nat_whp_lifetime_min = nat_whp_lifetime / 3 — timeout for reusing allocated ports in the short queue when ports are exhausted
    • nat_whp_lifetime_min_long = nat_whp_lifetime_long / 3 — timeout for reusing allocated ports in the long queue when ports are exhausted

Utilities

  1. Added the --append option to the ip2proto utility: appends new data to an existing file

Changes in Version 14.2

DPI

  1. [DPDK] Migrated to DPDK version 25.11. Description
  2. [DPDK] Increased the maximum memory size to 256 GB.
  3. [DPDK] Note: the distribution package includes the fastdpi_dpdk2411 build based on DPDK 24.11 to support certain older Mellanox models. If this affects your deployment, please plan a network adapter upgrade, as support for these models has likely been discontinued in the current and future DPDK versions.
  4. [DPDK] New dpdk_engine=7 engine with support for explicit dispatcher assignment.
    This engine supports heterogeneous configurations where ports of different types are used within the same cluster—for example, a 100G in-dev port and multiple 10G out-dev ports. Description
  5. [DPDK] Added the new dpdk_max_memzone [cold] option for configuring the DPDK max memzone count. Description
  6. [BALANCER] Added support for using vlan rule to filter packets. Description
  7. [DNS] Fixed an issue with Service 19 processing IPv6 traffic and added the dic2dns utility. Description
  8. Added GRE ERSPAN tunnel parsing support for check_tunnels=1 mode. Description
  9. The "Can't allocate record http_state" message is now printed once every 50,000 occurrences.
  10. Added MARK2 flag verification to override the protocol with QUIC_UNKNOWN_MARKED while the QUIC protocol is still in the SNI detection stage. Description
  11. Added validated FakeTLS protocol detection.
  12. Fixed switching from QUIC_UNKNOWN to QUIC after successful SNI parsing.
  13. [LLDP] Added LLDP support. Description
  14. Added viber_cl detection by container.
  15. Fixed overriding of cloud protocols by some built-in protocols.
  16. Fixed protocol assignment by address when SNI is already present in the first packet to preserve IP/SNI priority.
  17. Fixed DSCP detection from the first packet for cloud protocols identified by address.
  18. Changed: FakeSNI checks are skipped if the protocol has already been identified by IP and mark1 is absent.
  19. Changed: after IPSNI verification, the protocol falls back to the base protocol or to the SNI-defined protocol (if identified).
  20. Changed: reduced the inspection depth for CNAME/SNI decoding attempts.
  21. Resolved TX port selection issues in multi-path configurations: return packets are preferentially sent through the same port that received the original packet.
  22. [RATING GROUP] Added Service 20: policing by rating groups (RG) and traffic volume quota control.
    Creating a Service 20 profile:
    1. Enable RG support in fastdpi.conf
      rating_group_count=0 — number of rating groups; 0 means RG is disabled. Default value: 0
    2. Prepare a text file defining TBF policing, quotas, and actions to take when the quota is reached for each rating group, for example:
      rg4 tbf rate 1Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 100MB report
rg5 tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit quota 1GB block

      report and block are the available actions when the quota is reached: report reports that the quota has been reached but continues forwarding traffic; block reports that the quota has been reached and blocks traffic for the corresponding rating group.

    3. Convert the text file to binary format:
      cat rg.txt | lst2rg rg.bin
    4. Copy the resulting binary file to the directory from which DPI will read it:
      cp rg.bin /var/lib/dpi/rg.bin
    5. Create the service profile:
      fdpi_ctrl load profile --service 20 --profile.name rg1 --profile.json '{ "rg_list" : "/var/lib/dpi/rg.bin" }'

      max_profiles_serv20 specifies the maximum number of profiles. The default value is 32.

      The rg2lst utility can be used to convert the binary file back into a readable format: 

      rg2lst rg.bin > rg.txt
  23. [RATING GROUP][TETHERING] Added support for assigning a rating group and controlling tethering through Service 18. The profile configuration now includes the following optional fields:
    tethN, where the possible values are:
    • teth0 — no tethering control (default)
    • teth1 — tethering control enabled: tethering detected
    • teth2 — tethering control enabled: tethering not detected

      rgN, where the possible values are:
    • rg0 — default (RG not assigned)
    • rg1 — assign rg=1
      ..
    • rg65535 — assign rg=65535

      Example of configuring Service 18:
    1. Prepare a text configuration file example.txt:
          http cs0  teth1 rg1
    https cs0  teth1 rg1
    http cs0  teth2 rg2
    https cs0  teth2 rg2

    dns  cs1  teth1 rg1
    dns  cs1  teth2 rg2

    default cs7 teth0 rg3

      :!: In this example, HTTP and HTTPS traffic is monitored for tethering, and the corresponding RG is assigned depending on the result. Note that the policing class (cs) remains the same. The same logic applies to DNS traffic. For ALL other protocols (default), tethering control is disabled and a separate RG is assigned.

    2. Convert it to the internal format:
      cat example.txt | lst2dscp /tmp/example.bin
    3. Optionally verify it by converting it back:
      dscp2lst /tmp/example.bin
    4. Create a Service 18 profile and assign it to a subscriber (or assign an unnamed profile directly):
      fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/example.bin" }'
    fdpi_ctrl load --service 18 --profile.name test_dscp --login test_subs

      Verify the assignment: 

          fdpi_ctrl list --service 18 --login test_subs

      The trace output now includes the rg=N field.

BRAS

  1. [DHCP-Dual] Added support for Lease-Time handling. Description
  2. [Router] Changed how the Linux route table is read during router startup. Description
  3. [DHCP6-Proxy] Added DHCPv6 Option 79 (Client-LinkLayer-Address), containing the subscriber's MAC address, to Relay-Forward requests sent to the Framed-Pool DHCPv6 server.
  4. [DHCP-Dual] Fixed incorrect generation of IPv6 PD prefixes for addresses from Framed-IPv6-Pool.
  5. [DHCP-Dual] Fixed a crash when enabling MAC-based tracing using bras_dhcp_trace_mac.
  6. [DHCP-Dual] Fixed an issue where requesting a DHCPv6 address followed by a DHCPv4 address resulted in redundant authorization.
  7. [DHCP-Dual] Fixed tracing of DHCPv6 responses when the subscriber's MAC address is being traced.
  8. [DHCP-Dual] Fixed IPv4 address announcement for subscribers.
  9. [VLAN-Rule][PPPoE] Added full Service-Name support for QinQ. Description
  10. [DHCPv6] Fixed periodic ICMPv6 Router Advertisement transmission for DHCPv6 subscribers.
  11. [PPPoE] Fixed src/dst MAC address modification in the Ethernet header during termination. Ethernet header termination must always be performed for PPPoE packets. However, when bras_term_by_as=1 was enabled and srcAS was not marked as term, the Ethernet src/dst MAC addresses were not modified.

NAT

  1. Added support for disabling the public address cache used for NAT translation export. Configure nat_dstaddr_cache_size=0 in /etc/dpi/fastdpi.conf.
  2. Improved session limit management: for the nat_tcp_max_sessions/nat_udp_max_sessions limits, which restrict the number of allocated public ports, fixed the decrement of the allocated port counter that could previously result in a slight exceedance of the configured limit. Updated the whpf, whp_salfs, whp_lalfs, whp_ruse, whp_ruse_salfs, whp_ruse_lalfs counters and the corresponding flow statistics counters (thr_salfs and others), as well as the output of the nat show command, so that they reflect the current actual port usage rather than cumulative usage.
  3. Fixed: added validation of NAT translations in FullCone mode when nat_whp_lifetime < lifetime_flow. If activity appears in a session after its NAT port has already been reused, a new port is allocated.
  4. Added explicit TCP connection termination when a port is reused by another subscriber.
  5. Changed public port queue handling: ports with short and long lifetimes are now maintained in separate queues. Ports are now elements of a private address subqueue. A port that has been accessed by a non-owner flow can now be reused immediately.
  6. Optimized the fdpi_ctrl list all status --service 11 statistics command.
  7. Fixed consistency issues in the private address queue.
  8. Fixed and optimized private address port queue handling:
    1. The private address port queue is now distributed across processing threads.
    2. The private address port queue is now divided into "short" and "long" queues.
  9. Optimized behavior when the private-to-public cache is full.

CLI

  1. [LLDP] New CLI commands: fdpi_cli lldp enable and fdpi_cli lldp disable — enable or disable LLDP packet generation. Description
  2. [PCAP] Added a command to capture pcap traffic from a port:
    dev pcap <dev-name> rx|tx|any|off
    • rx — capture packets received on the port
    • tx — capture packets transmitted through the port
    • any — capture both rx and tx traffic
    • off — stop capturing

      PCAP file prefixes (where dev is the port name):
    • rx-dev — for rx captures
    • tx-dev — for tx captures
  3. [RATING GROUP] Added the fdpi_cli rg show <IP> command to display the current rating group information for a subscriber.
  4. [VLAN] Added a parameter to the fdpi_cli vlan rule dump command to specify which rule type to display: fdpi_cli vlan rule dump [type]. Description
  5. [DPI] Extended the output of the fdpi_cli dump flow cache format command with additional fields. Description
  6. [VLAN-Rule][PPPoE] Added display of all Service-Name permissions to the fdpi_cli vlan rule show command. Description
  7. [VLAN-Rule][PPPoE] Refactored Service-Name support. The fdpi_cli vlan rule add/rm commands now support PPPoE and Service-Name. Description
  8. [VRF] Added support for the fdpi_cli dhcp show stat vrf command.
  9. [NAT] Fixed fdpi_cli ping for NAT subscribers.
  10. [NAT] Fixed the fdpi_cli nat show command.

IPFIX

  1. Added support for sending UDP data exceeding the MTU size (using IP fragmentation).
  2. Fixed an issue with setting the default data export timeout.
  3. Fixed an issue when changing the ipfix_dev option.
  4. [DNS] Added the ajb_save_dns_answer_types and ajb_save_dns_request_types parameters, which allow specifying DNS response and request types to save to a file and export via IPFIX. Description

Utilities

  1. Added the lst2rg and rg2lst utilities for converting Service 20 profiles.

Changes in version 14.1

DPI

  1. [DPI][ajb_save_vlan] Fixed an error when the engine operates in read-only mode
  2. [DPDK][tap_device] Fixed: setting the tx queue length using the dpdk_tx_queue_size option. Previously, the tx queue length of the TAP device was always set to 256, which caused errors on the VMware VMXNET3 Ethernet Controller: ETHDEV: Invalid value for nb_tx_desc(=256), should be: <= 4096, >= 512, and a product of 1
  3. [LAG] Fixed: added load balancing for pass packets
  4. [DPI][ip_node stg] Added statistics on bucket occupancy. The new CLI command stat storage ip4 detail outputs statistics on bucket filling in the IPv4 node storage
  5. [DPI] Added validation for the MULTIPROXY_STRONG protocol
  6. [DPI] Improved scalability on 128-core systems
  7. [DPI][log] Improved the logging subsystem in cases of log file overflow
  8. [DPI][tethering] Added tethering detection. The parameter tethering_ttl_allowed = 128:64 [hot] defines the list of allowed TTL values for subscriber traffic that are not considered tethering. Values are separated by ':'. The number of values is up to 256 (0–255). Description

BNG

  1. [BNG][framed-route] Fixed: Framed-Route delivery when a subscriber login is changed. Previously, when the login was changed, Framed-Route subnets remained attached to the old login, and all services and policing for Framed-Route subnets were taken from the old login.
  2. [BNG] Added the bras_disable_l3_auth option — an explicit prohibition of L3 auth in L2 BNG mode for all subscribers. Description
  3. [BNG] Added a new subscriber flag — prohibition of L3 auth for a specific subscriber. This flag can be set or cleared only via CLI: a new parameter disable_l3_auth=[1:0] has been added to the subs prop set command. Description
  4. [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before packet processing to block operator-originated DDoS attacks with IP address spoofing. Description
  5. [BNG][PPP] Added database session utilization statistics to the ppp show stat command. Description
  6. [BNG][PCEF][Policing] Added configuration of common policing from parameters passed in the VasExperts-Policing-Profile attribute with the BR## prefix. Description
  7. [BNG][PCEF][Services] Added configuration of a personal (noname) user profile for services from parameters passed in the VasExperts-Service-Profile attribute with the BP## prefix. Description
  8. [BNG][PCEF][rating-group] New options (cold, fastDPI restart required):
    • rating_group_count — number of rating groups, 0 — RG disabled. Default value: 0
    • rating_group_max_subs — maximum number of subscribers with RG. Default value: 0 (RG disabled)
      Description
  9. [BNG][PCEF][rating-group][RADIUS Accounting] Output of RG statistics in RADIUS Accounting. RG statistics are transmitted in separate Interim-Update packets. Only non-zero RG data are sent. Description
  10. [BNG][PCEF][rating-group][CLI] Added the subs traffic stat CLI command. The command outputs billing statistics and rating group statistics for the specified subscriber, if enabled. Description
  11. [BNG][PCEF][rating-group][RADIUS Accept] Added configuration of the RG service during authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the subscriber. Description
  12. [BNG][SHCV][hot] Added activity monitoring for static IP L2 subscribers (subscribers for whom RADIUS returned the VasExperts-L2-User=1 flag during L3 authorization). Description
  13. [BNG][DHCP][hot] New values are available for the bras_dhcp_check_secondary_keys option: 2 (check only opt82) and 4 (check only QinQ). Description
  14. [BNG][L2TP] Fixed: crash when receiving a duplicate out-of-order ctl packet
  15. [BNG][dhcp-relay] Added the ability to preserve the siaddr field value.
    New flag in the bras_dhcp_server option: keep_siaddr=1 — preserve the DHCP packet siaddr field. Example:
    bras_dhcp_server=188.227.73.42%eth0;arp_proxy=1;reply_port=67;keep_siaddr=1

    By default, the siaddr field may be modified to hide the real DHCP server address. Description

  16. [BNG][CLI] Added the subs db stat command to display L2 BNG database statistics. Description
  17. [BNG][DHCP6] Fixed: crash when processing DHCPv6 with an invalid UDP header length

NAT

  1. [CG-NAT] Added rx_dispatcher=3 — a method with uniform load balancing across an arbitrary number of threads with support for NAT 1:1 and the requirement to assign specific addresses. Description
  2. [CG-NAT] Accounting of translation lifetime in the fdpi_ctrl list status --service 11 --login UserName (--ip IP) command. Additional fields were added to the command output: active_sess_tcp — number of active NAT translations for TCP and active_sess_udp — number of active NAT translations for UDP.
    Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. Description
  3. [CG-NAT][CLI] Accounting of translation lifetime in the nat show <internal_ip> [<lifetime>] command. Displays a list of all NAT translations for the specified gray IP. Description

CLI

  1. [CLI] Added the subs bind show command to view the list of IP addresses bound to the login <login>. Description
  2. [CLI] Added the stat http CLI command. This command outputs internal statistics similar to those in fastdpi_stat.log. Description
  3. [CLI] Fixed the list status --service 11 (NAT) and nat show commands

IPFIX

  1. [IPFIX] Storage of TTL information from the IP packet header. Description
    TTL statistics added to Full NetFlow in IPFIX format:
    • Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs
    • Rating group, id 2020
  2. [IPFIX] Fixed an error in time conversion to unix format
  3. [IPFIX] New 64-bit fields added to Full NetFlow IPFIX. Description
    service_flags — information about the tags assigned to the flow in DPI. Detected tethering is reported via IPFIX in bit 1 of the service_flags field. 63 bits are available for further use.
    detection_flags — reserved for detection methods.
    action_flags — reserved for transmitting actions applied to the flow.
  4. [IPFIX] Fixed TTL transmission in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. Description

Utilities

  1. [utils] Added the name2custom utility to view the list of protocols loaded from the cloud (as opposed to built-in ones)

RADIUS

  1. [FastRADIUS] Added support for logging to syslog. New parameter syslog_level in fdpi_radius.conf — the level of logging messages from the alert log to syslog. 0 — syslog logging disabled (default). Description
  2. [FastRADIUS] Added extraction of the 3GPP User Location Info RADIUS attribute and its export to IPFIX. Description

Changes in version 14.0

  1. [BRAS] DHCP-Dual support. Description
  2. [BRAS] Support for L2TP termination. Description
  3. [DPI] Migration to DPDK 24.11, support for new NICs (Intel E830 200G, Intel E610, Napatech SmartNIC). Description
  4. [CLI] Added support for subs_id in commands: dhcp show, dhcp reauth, dhcp6 show, dhcp6 reauth, and dhcp disconnect. Description
  5. [DPI] New protocols added: AGORA_STREAMS(49314), AZAR_CALL(49315), WECHAT_CALL(49316), TEAMS_CALL(49317). List of protocols
  6. [DPI] Improved support for LINE_CALL, VYKE_CALL protocols. List of protocols
  7. [DPI] Fixed smartdrop behavior
  8. [DPI] Added validation for complex protocols. List of protocols
  9. [DPDK] Increased the maximum number of dispatchers to 32. Description
  10. [IPFIX/Netflow] Added the ability to change IPFIX/Netflow parameters without restarting fastDPI using the ipfix_reserved parameter. Description
  11. [FastRadius] It is now possible to set both bind_ipv6_address and bind_ipv6_subnet. If the Framed-IPv6-Prefix has a /128 mask, it is not checked against the bind_ipv6_subnet restriction. Description
  12. CLI command dev info now includes the name of the LAG that the port belongs to. Description
  13. [PCRF][PPP][Framed-pool] Added: DHCP option Client-Id now includes tunnel-IP as part of the subscriber ID. For more details, see sections IPv4 Pools Support and IPv6 pools support
  14. [IPFIX] Message aggregation added for IPFIX streams: FullFlow/DNS/META/NAT
  15. [IPFIX] Added parameter ipfix_mtu_limit to restrict maximum message size for IPFIX UDP packets. Description: ClickStream export Setup, Configuring Full NetFlow Export in IPFIX Format
  16. [IPFIX DNS] New elements added to IPFIX DNS: 224 (ipTotalLength) and 43823:3206 (DNS transaction id). Description
  17. [VRRP] Fixed proper handling of the vrrp_enable option change
  18. [BRAS][PPP] PPP session key is now compound: l2subs_id + tunnel-IP. For PPPoE sessions, tunnel IP = 0. CLI commands that use subs_id as a key (subs prop show, l2tp show session, l2tp term, etc.) may now return multiple entries with the same l2subs_id. Description
  19. [DPI] Added cloud protocols with identifiers 55296..58367
  20. [IPFIX] Fixed IPFIX exporter reinitialization bugs
  21. [BRAS][subs_grooming] Fixed potential crash due to race condition during fastDPI shutdown
  22. [CLI] Added commands to display mempool properties and statistics
        hal mempool props
    hal mempool stat

    DPDK must be built with statistics collection enabled to display mempool stats

  23. [BRAS][DHCP] Fixed crash when parsing Framed-Pool Renew response if it contains no DHCP options
  24. [PCRF][Acct] Fixed: Interim-Update sending is now disabled when Acct-Interim-Interval = 0 is explicitly set in the RADIUS response. For more details, see sections acct-interim-interval, PPPoE Radius Access-Request
  25. [VASE_CLI] Created a unified CLI for managing DPI, BRAS, DHCP (KEA), ROUTER (BIRD) with support for authorization and command logging via TACACS (VEOS 8.x required). Description
  26. [SNMP] Created a module for monitoring system components via SNMP
  27. [DPI] Added DOQ 49318 protocol (DNS-over-QUIC)
  28. [Router] Announcing subscriber white addresses for 1:1 NAT individually and after authentication. Description
  29. [PCRF] Added support for service 19 "DNS spoofing", profile required. Description
  30. [DPDK] Added dpdk_engine=6 (mqrx-bridge) — number of RSS dispatchers per bridge. Description
  31. [DPDK] Removed dedicated mempools. The fastdpi.conf option dpdk_emit_mempool_size is deprecated and no longer used.
  32. [VLAN-Rule] Moved vlan group data from UDR to SDR. Global rules for vlan drop/pass/hide/permit set by the previous CLI command vlan group were converted and moved from UDR to SDR, with removal from UDR. Description
  33. Up to version 14, only one built-in database UDR (User Data Repository) is used, intended for permanent storage of data about services, policings, and other FastDPI settings.
    Starting from Version 14, UDR is split into UDR and SDR. The split occurs automatically during version update.
    SDR (System Data Repository) is intended for storing FastDPI settings not related to subscribers. It can be considered that SDR is an extension of fastdpi.conf. No special activation of SDR is required — the necessary .mdb files are created automatically when the corresponding mode is enabled in fastdpi.conf.
  34. [VLAN] VLAN rules — added CLI commands. Description
  35. [IPv6] Added direction detection in combined traffic (IN+OUT on one port) based on the local flag for IP addresses. Enabled via combined_io_direction_mode option
  36. [BRAS] Fixed compatibility with the old format of service 18, where there were fewer protocols and both fields in the profile needed to be filled
  37. [DPI] Lowered detection priority for telegram_tls
  38. [DPI] Improved detection of WECHAT and WECHAT_CALL
  39. [BRAS][Framed-Route] Fixed: possible crash when freeing memory
  40. [BRAS] Refactored PCRF connectivity: in the new implementation, all connections are equal; an error on any triggers reconnection of all connections and a switch to another PCRF. Added CLI commands:
    1. pcrf connect show — show current status and accumulated statistics for PCRF connections.
    2. Force connection to the specified PCRF pcrf connect switch [<pcrf_index>], where <pcrf_indxed> is the index of the connection line in the auth_server parameter. If <pcrf_indxed> is not specified — defaults to 0.
      Description
  41. [IPFIX DNS] Added the ability to send DNS MX responses via IPFIX. Enabled by setting bit 3 (4) of the ajb_save_dns parameter. Description
  42. [DPI] Added FakeTLS protocol (49319) with validation
  43. [BRAS][DHCP] Changed: sliding window algorithm for rate limit
  44. [BRAS] Fixed: time comparison error when loading ip_prop from UDR
  45. [VLAN-Rule] Added support for 'any' instead of '*' when describing VLAN range. Description
  46. [DPI][LOG] Messages about insufficient SSL parsers are written to the slave log not for every event, but at a frequency of 1/50000.
  47. [DPI] Added protocols ZALO_CALL(49320) and VK_CALL(49321)
  48. [DPI] Fixed blocking in hard mode for SSL
  49. [Acct] Added attribute VASExperts-Service-Type. Radius acct start/interim/stop sends the authorization type in the VASExperts-Service-Type attribute. Description
  50. [CLI] Added: stat flow ip6 command to display IPv6 flow statistics. Description
  51. [CLI] Added: stat flow ip4 command to display IPv4 flow statistics. Analogous to the output in fastdpi_stat.log. Description
  52. [IPFIX] Fixed ExportTime formation error in IPFIX Fullflow
  53. [CLI] Added stat netflow command. Displays general statistics for Netflow/IPFIX (same as in fastdpi_stat.log under the "Statistics on NFLW_export" section). Description
  54. [DNS] Added support for substitution/blocking/dropping of DNS requests A, AAAA, MX, HTTPS. Description
  55. [CLI] Added stat firewall command. Description
  56. [DPI] Added BIGO_CDN protocol (49324)
  57. [DPI] Added UDP support for BIGOTV
  58. [PCRF][L2TP] Fixed: NAS attributes for L2TP during authorization
  59. [BRAS][L2TP] Fixed: data race when closing sessions
  60. [DPDK] Removed deprecated rx channels settings and related checks
  61. [IPFIX] Added configurable sending of drop octets/packets counters when generating IPFIX fullflow. Description
  62. [PCAP] Added capability to save traffic of a specified vlan using the ajb_save_vlan parameter. Description
  63. [DPIUTILS] Updated checknat utility. Description
  64. [DPIUTILS] Updated dns2dic utility with domain blocking support. Description
  65. [BRAS][L2TP] Fixed: data race during tunnel creation
  66. [Router] Fixed: interception and diversion of IPv6 packets to tap interfaces. Link-local addresses were not diverted to tap, even if explicitly specified in the router.subnet6 settings.
  67. [BRAS][L2TP] Fixed: length field in L2TP header for data packets. According to RFC, the len field in L2TP header is optional for data packets. Some L2TP client implementations do not understand data packets with the len field in the L2TP header. This fix adjusts FastDPI's behavior: if data packets from the subscriber arrive without the len field, then SSG will also send data packets without this field. If data packets from the subscriber contain the len field, SSG will include it as well.
  68. [BRAS] Fixed: sending commands from the pending_queue. In some cases (e.g., during state transitions of the pcrf monitor initial → connected), sending commands from the pending_queue was not triggered, which caused commands to "hang" in the queue indefinitely (until reconnection due to a socket error).
  69. Fixed a recently introduced error (affecting betas 4.6 and 4.7) in the session lifecycle that leads to resource exhaustion over time; an operational update from these versions (or rollback) is recommended.