If you have CentOS 6.x or CentOS 8.x installed, switch the repository once with the command:
sed -i -e '/^mirrorlist=http:\/\//d' -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' /etc/yum.repos.d/CentOS-*.repo
Then run updates as usual:
yum update fastdpi
If a "Module yaml error" appears during the upgrade, upgrade the libmodulemd module:
dnf upgrade libmodulemd
After updating, restart the DPI:
service fastdpi restart
and other dependent processes (PCRF/Radius), but only if they are actually used and their configuration is valid:
service fastpcrf restart
service fdpi_radius restart
You can update the operating system components. Do not update the kernel version and its dependent utilities!
For CentOS 6.x:
yum --exclude=kernel*,util-linux-ng,libuuid,libblkid update
For CentOS 8.x:
yum update
Note for users running the DPI in a virtual environment, on old CPUs (2009 release) and on AMD CPUs:
Run the following command before the update:
touch /etc/dpi/noprioadj
This causes the DPI process to be launched with normal priority (not realtime), which significantly reduces CPU system (sys) resource consumption but slightly increases latency on the platform.
13.0 Congo
You can check the current installed version with the command:
yum info fastdpi
Rollback to 12.4:
yum downgrade fastdpi-12.4-0 fastpcrf-12.4-0
After an update or version change, a restart of the service is required:
service fastdpi restart
If PCRF and/or Radius are used, they should also be restarted. The following order is preferred for restarting PCRF:
service fastdpi stop
service fastpcrf restart
service fastdpi start
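A restart returning does not mean the DPI is processing traffic yet. The release notes further down this page state that `fdpi_cli uptime` exits non-zero until fastDPI is fully initialized and all worker threads are started, so a post-update script can gate on it. The following is an added example, not vendor code; the function names, the `UPTIME_CMD` variable and the timeout values are assumptions.

```shell
#!/bin/bash
# Added example: gate a post-update restart on fastDPI readiness.
# Relies only on what this page states: `fdpi_cli uptime` sets a non-zero
# return code until fastDPI is fully initialized and all workers are started.

# Readiness probe; overridable so the loop can be exercised off a DPI host.
UPTIME_CMD=${UPTIME_CMD:-"fdpi_cli uptime"}

# wait_fastdpi_ready [timeout_seconds] [poll_interval_seconds]
# Returns 0 as soon as the probe succeeds, 1 if the timeout elapses first.
wait_fastdpi_ready() {
    _timeout=${1:-120}
    _interval=${2:-2}
    _waited=0
    while :; do
        if $UPTIME_CMD >/dev/null 2>&1; then
            return 0
        fi
        if [ "$_waited" -ge "$_timeout" ]; then
            return 1
        fi
        sleep "$_interval"
        _waited=$((_waited + _interval))
    done
}

# restart_and_verify [timeout_seconds] [poll_interval_seconds]
# Restarts the service, then blocks until the probe reports full start-up.
# Returns 2 if the restart itself fails, 1 if readiness is never reached.
restart_and_verify() {
    service fastdpi restart || return 2
    if wait_fastdpi_ready "$@"; then
        echo "fastDPI is fully started"
    else
        echo "fastDPI not ready after ${1:-120}s" >&2
        return 1
    fi
}

# Typical call after `yum update fastdpi`:
#   restart_and_verify 120 2 || exit 1
```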
Do not perform Linux kernel upgrades. Newer versions of the kernel may break binary compatibility with the Kernel ABI and the network driver will not load after the upgrade. If you do upgrade, set the GRUB boot loader to load the previous version of the kernel: set the default=1 parameter in the /etc/grub.conf file while the problem is being resolved.
If the update displays a message that the update was not found or there are dependency issues, run the command before updating:
yum clean all
mark1.
a.b.c.d, if the signatures *.d, *.c.d and *.b.c.d are present, the protocol defined by the signature *.b.c.d will be selected *.
1.1.1.1 443 hard.
framed-pool renew
framed-pool renew.
subs prop show active command has been added. The command outputs a dump of L2 properties of all active (not-expired) subscribers.
bras_ppp_idle_timeout setting if not explicitly set in the authorization response (Idle-Timeout attribute).
ping inet command on behalf of subscribers through the entire BRAS/NAT/ROUTER processing chain. The prompt is fdpi_cli ping inet ?
router_subs_announce: 0x10000 - deannounce L3 subscriber at acct idle (closing acct session by idle timeout).
serv18 is the profile name): VasExperts-Service-Profile = "18:serv18"
MAC and subs_id has been added to the subs prop show command. The result of a search by MAC or subs_id can be multi-valued - several different entries for the same MAC/subs_id. The result of the subs prop show active command has been changed, which may be critical when parsing the command's JSON output.
uptime can be used to check if fastDPI is fully started: it returns result=0 (Success) only when fastDPI is fully initialized and all worker threads are started. Upon receiving a response from fastDPI to the fdpi_cli uptime command, the fdpi_cli utility itself checks the result of the execution and, if result!=0, sets a non-zero return code.
checknat utility to check the distribution of white addresses.
nat_private_cidr parameter
local in asnum.dscp.
errno=3 (No record found) has been moved to TRACE to avoid clogging the log
storage_tag value is set based on directional priority or protocol priority
libpcap.
idle_timeout expires.
pf_ring
fdpi_ctrl requests
bras_arp_proxy option.
subs prop show command
subs prop del command, which resulted in the inability to delete properties by IP with the error ERROR: Result code=9: No subscriber IP address
dhcp disconnect. This is a CLI analog of CoA Disconnect. The disconnect mode is set by the bras_dhcp_disconnect option.
dhcp disconnect all - disconnect all DHCP sessions
dhcp disconnect [ mac=X | ip=X ] - disconnect specified session
dhcp show stat CLI command
vdpi_new_flow_nat_ipv4 is always output
nat_exclude_private, additionally checking the pair CHECK_AS_LOCAL or CHECK_AS_PEER for AS in local interconnect
router vrf dump. The command outputs the list of VRFs set in the system and their properties
term_by_AS mode applies to subscribers, not to NAT profiles, hence it should not be considered when announcing a NAT subnet
mbuf in selfgen mempool
if router enabled: if router disabled: mempool size=512 * number_of_slaves_in_cluster, if router enabled: mempool size=8 * 1024 * number_of_slaves_in_cluster
block_options parameter, mask 8 — do not generate RST packets for blocking and redirection for direction inet→subs.
fdpi_ctrl list profile --policing --profile.name htb_6 --outformat=json2
NotOnLink status
asnum.bin from the cloud, asnum_download parameter matches federal_black_list in values.
mem_ssl_savebl parameter (cold). Sets number of saved buffers for SSL packet parsing.
permit.
on_stick in JSON output of dev xstat command
dev info for on-stick devices.
"pci_address": "on-stick based on 82:00.3"
Now:
// base device address
"pci_address": "82:00.3"
// on-stick flag
"on-stick": "true|false"
mem_quic_ietf_savebl parameter. Sets number of buffers for parsing quic_ietf requests (multi-packet). Default is 15% of mem_ssl_parsers.
"HLS VIDEO" 49298
"ICMP TUNNEL" 49299
"DNS TUNNEL" 49300
"FORTICLIENT_VPN" 49301
"CISCO_ANYCONNECT_VPN" 49302
"SHADOWSOCKS_VPN" 49303
"NOT_DNS" 49304
router vrf show — number of packets/bytes read from TAP, written to port, transmitted to TAP, number of events and errors
fdpi_cli subs prop show active
dhcp show stat vrf supported only in Radius proxy mode (previously crashed in DHCP Relay mode)
checkproto: if IP and SNI are set, result will reflect MARK1 and priority.
ascheckip: shows DSCP and MARK1:
in url2norm — allows "any port" for HTTP
dhcp disconnect command
BIGOTV 49305
SAYHI_CALL 49306
AZARLIVE 49307
LINE_CALL 49308
QQ_CALL 49309
VYKE_CALL 49310
VEEGO_STREAMS 49311
BHABI_CAM 49312
WEPARTY 49313
smartdrop is set during SSL parsing errors
bras_pppoe_trace_mac now respected for DHCPv6 packets in pcap. Previously only bras_dhcp_trace_mac was used
checkproto when IP protocol is Unknown
checkproto now respects MARK1 and port presence. checkproto 8.8.8.8 443 www.google.com vs checkproto 8.8.8.8 www.google.com may give different results
bin2as now accepts multiple input files
ascheckip supports group checks from stdin
bgp2bin is an as2bin-like tool but:
as2bin but contains no overlapping ranges
syslog_level in fastpcrf.conf — controls alert log to syslog. 0 disables (default)
smartdrop = 1 — if drop set for protocol, it’s delayed until TLS is parsed or error occurs
detect_gtp_tunnel enabled)
hard option
syslog_level=7. Default is off. Notes:
/etc/rsyslog.d/fastdpi.conf: global(parser.escapeControlCharactersOnReceive="off") or use journalctl. Example:
journalctl -t fastdpi -p 4 --since "1 hour ago" -o verbose --output-fields PRIORITY,MESSAGE
/etc/rsyslog.conf:
*.* action(type="omfwd" target="192.0.0.1" port="10514" protocol="tcp"
           action.resumeRetryCount="100"
           queue.type="linkedList" queue.size="10000")
input(type="imptcp" port="10514" ruleset="writeRemoteData")
ruleset(name="writeRemoteData"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000"
       ) {
    action(type="omfile" file="/var/log/fastdpi.log"
           ioBufferSize="64k" flushOnTXEnd="off"
           asyncWriting="on")