12.0 Machu Picchu
nat_transcode_cidr, which specifies the CIDR of the provider's public addresses. It is possible to use 2 CIDR parameters when re-coding from public to private for NAT 1:1. Any public address can be assigned to the private address for NAT 1:1.
[STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {a/b/c%/d/e}
a - the number of sending cycles executed
b - the number of sending cycles in which the time spent on sending exceeded the cycle execution period
c - percentage of cycles that exceeded the period: 100 * b/a
d - maximum duration of a cycle, microseconds
e - period of sending statistics, microseconds (the netflow_timeout parameter value, which is set in seconds)
E.g.: [STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {7/0/0.00%/45297us/30008163us}
subs prop set command
subs_id
l2subs_id for L3-authorization, since the L3 auth response from the Radius may indicate that it is an L2 subscriber
l2subs_id
l2lan_id attribute for PPPoE sessions
bras_ppp_mac_auth option
subs_id parameter that identifies the PPPoE session
l2lan_id class - L2 network identifier. l2lan_id is intended for separating subscribers by VLAN. The l2lan_id is derived from the l2subs_id, i.e. its formation is set by the same bras_subs_id option. Basically, l2lan_id is a VLAN prefix from l2subs_id.
l2lan_id - it is included in their MAC and Client-Id key. That is, two subscribers with the same MAC-address, but in different VLANs, are considered different subscribers (if bras_subs_id is set to consider VLANs). Opt82 and Q-in-Q secondary keys do not consider l2lan_id. Read more about bras_subs_id
rx_dispatcher flow hashing method by worker threads; 0 - old method is used by default (ip_src+ipdst)%N ) & ip_mask; 1 - new method is used with recoding support for NAT1:1 (CRC(IP SRC)%N+CRC(IP_DST)%N)%N
bras_ppp_lcp_start_timeout
dpdkinfo utility. Description
fdpi_cli help vlan group
vlan group : manage <add|delete|show> vlan group authorization policy
vlan group <group-id> ... - manage <group-id>
vlan group 2 ... - manage <group-id> = <2>
vlan group 2 deny auth pppoe - deny authorization by pppoe and delete all its properties
vlan group 2 allow auth pppoe - allow authorization by pppoe
vlan group 2 show auth pppoe - show policy for authorization by pppoe
vlan group 2 show auth all - show policy for all authorization protocols
vlan group 2 show all - show all properties for group
vlan group 0 show all - show all properties for all groups - full scan and print udr
vlan group 2 auth pppoe allow add service-name name=sname delay=3 - allow authorization by pppoe for service-name sname with podo-delay=3
vlan group 2 auth pppoe deny add service-name name=sname delay=3 - deny authorization by pppoe for service-name
vlan group 2 auth pppoe delete service-name name=sname - delete service-name sname and its properties
vlan group 2 auth pppoe show service-name all - show service-name policy for authorization by pppoe
vlan group 2 drop - drop packet without any analysis
vlan group 2 pass - passthrough packet without any analysis
Set-Cookie
user timeout setting (in addition to the standard tcp keep alive mechanism)
rx_dispatcher=2 with even balancing over an arbitrary number of flows (but no support for nat1:1 with the requirement to assign specific addresses). Description under Settings and management
dual-stack: adding IP addresses to an existing acct session
persist queue to "connected" mode
fdpi_cli pcrf persist queue reconnect, which allows reconnecting to fastDPI without resetting the queue. Can be applied to a specific connection or to all connections. Description under FastPCRF Management
session_id announced during authorization
pcapng format for recording to storage
l2subs_id. Description under Radius CoA
nat_exclude_private parameter and corresponding support: int nat_exclude_private;
ip_src and ip_dst are private or are in psz_prms_user_private)
ip_src is private given psz_prms_user_private and AS for dst_ip = local
ip_src - private with prms_user_private and AS for dst_ip = peer. Description under Settings and management
l2subs_id. Description under Radius CoA
l2subs_id. Description under Radius CoA
VasExperts-L2-SubsId attribute to Acct Start/Interim/Stop. Description under Radius attributes
disable Ethernet Flow Control on port startup
l2subs_id.
(chaddr) + request xid
For DHCPv6 – Client-Id option and xid of the request. Client-Id option in the response, unlike other request options.
dhcp show stat vrf
pcrf radius enable/disable
pcrf radius ping
pcrf radius status
for l2subs_id. srcMAC from the ethernet header of the packet is used to generate the L2 subscriber ID (see bras_subs_id). In case DHCP requests go through DHCP Relay, the srcMAC in the ethernet header of the DHCP packet is no longer the MAC address of the subscriber. DHCP requests of all subscribers passing through DHCP Relay have the same MAC in the ethernet header and the same subs_id. chaddr field.
radius_keepalive=60
radius_ping_user_name) and Password (radius_ping_user_password) of the pseudo-subscriber for ping requests. radius_revive_period parameter has been removed as unnecessary.
p_flow_ → cmn.bts_check_ip |= ntconnt::bts_nat_must_whip is set.
fastdpi_alert.log
"VRF has no TAP" fastdpi_alert.log not more than once per hour for each VRF
nat dump transcode, nat dump translater [profile name], nat dump translater data [profile name]
BV###NNNNNNN[#MMMM][#++++--], where NNNNNN - incoming traffic rate in kbps, MMMM - outgoing traffic rate in kbps, + - class enabled, - class disabled. Description under Subscriber authorization attributes
chaddr@opt60 value for radius_user_name_dhcp option radius_user_name_dhcp=chaddr@opt60, User-Name in Access-Request is formed from MAC-address of DHCP packet header (chaddr field) and option 60 if this option is in DHCP-request. Description under DHCP Radius proxy - Access-Request
quic_ietf for the first CRYPTO packet, if offset==0 is set - checks for possible fragmentation
bras_ip_filtering option 0x0001 - controlling IP spoofing (restricting forged traffic). The packet on subs → inet path is dropped if subscriber's IP address (srcIP) is unknown for L2 BRAS and bras_term_by_as = 0 and subscriber's AS is not local. bras_ip_filtering=0
bras_vrf_isolation option - isolation at VRF level. Description under Soft-Router
fastdpi.conf option: [hot] VRF Isolation. By default (0), L2 BRAS does not isolate subscribers from different VRFs. If this mode is enabled (1), subscribers from different VRFs will be isolated from each other: for a subscriber from VRF1: the gateway must also be in VRF1, local interconnect will only work for subscribers from the same VRF1. bras_vrf_isolation=0
local interconnect - applied only if both subscribers are in the same VRF.
sender and GW are in the same VRF).
lease-time) and a large session-timeout is specified during authorization, then all Renew/Rebind requests from the subscriber must be sent to the DHCP server via PCRF to renew the lease, otherwise the DHCP server may think that the address is free. Reauthorization is done only when session-timeout is reached
shared neighbor cache for VRF. router_vrf { [cold][optional] option to VRF configuration. neighbor_cache option in the description of these VRFs. neighbor_cache=… }. Description under Soft-Router
radius_user_name_dhcp - added new value opt61@opt60: radius_user_name_dhcp=opt61@opt60. Description under DHCP Radius proxy - Access-Request
attr_dhcp_opt43=vendorId.attrId where vendorId is the vendor id, a number from 0 to 2^32-1. vendorId !=0, the value is passed in the VSA attribute. vendorId == 0, then the value is passed in the regular Radius attribute (non-VSA)
attr_dhcp_opt43=0.0, attr_dhcp_opt60=43823.34 # VasExperts-DHCP-ClassId, attr_dhcp_opt61=43823.33 # VasExperts-DHCP-ClientId
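The attr_dhcp_optNN=vendorId.attrId mapping above, worked through as an added example (not VAS Experts code): it parses the listed settings and encodes a DHCP option value as a RADIUS VSA when vendorId != 0, or as a regular attribute when vendorId == 0, using the RFC 2865 attribute layout. Assumptions: attrId fits the one-octet RADIUS type field, a mapping with attrId 0 (such as 0.0) means the option is not forwarded, oversized values are rejected rather than split, and the DHCP option values are constructed samples.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries a VSA (RFC 2865)

def parse_mapping(line):
    """'attr_dhcp_optNN=vendorId.attrId  # note' -> (option, vendorId, attrId)."""
    key, _, value = line.split("#", 1)[0].partition("=")
    key = key.strip()
    if not key.startswith("attr_dhcp_opt"):
        raise ValueError("not an attr_dhcp_opt mapping: %r" % line)
    option = int(key[len("attr_dhcp_opt"):])
    vendor_s, _, attr_s = value.strip().partition(".")
    vendor, attr = int(vendor_s), int(attr_s)
    if not 0 <= vendor <= 2**32 - 1:
        raise ValueError("vendorId must be 0..2^32-1")
    if not 0 <= attr <= 255:
        raise ValueError("attrId must fit the one-octet RADIUS type field")
    return option, vendor, attr

def encode_attribute(vendor, attr, value):
    """Encode one DHCP option value as a RADIUS attribute (bytes) or None."""
    if attr == 0:
        # Assumption: type 0 is reserved in RADIUS, so N.0 means "not forwarded".
        return None
    limit = 253 if vendor == 0 else 247  # 255 minus the header octets
    if len(value) > limit:
        # Assumption: reject instead of splitting across several attributes.
        raise ValueError("option value too long for a single attribute")
    tlv = struct.pack("!BB", attr, 2 + len(value)) + value
    if vendor == 0:
        return tlv  # regular (non-VSA) attribute
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(tlv), vendor) + tlv

def dhcp_to_radius(config_lines, dhcp_options):
    """Apply every mapping to the options present in one DHCP request."""
    out = []
    for line in config_lines:
        option, vendor, attr = parse_mapping(line)
        if option in dhcp_options:
            encoded = encode_attribute(vendor, attr, dhcp_options[option])
            if encoded is not None:
                out.append(encoded)
    return out

# Mappings as listed on this page; the DHCP option values are constructed samples.
CONFIG = ["attr_dhcp_opt43=0.0",
          "attr_dhcp_opt60=43823.34  # VasExperts-DHCP-ClassId",
          "attr_dhcp_opt61=43823.33  # VasExperts-DHCP-ClientId"]
SAMPLE = {43: b"\x01\x02", 60: b"MSFT 5.0", 61: bytes.fromhex("01001122334455")}
```

Calling `dhcp_to_radius(CONFIG, SAMPLE)` yields two VSAs under vendor 43823 and nothing for option 43; a DHCP option can be up to 255 octets long, so the length check is the case to watch when mapping option 43 into a single attribute.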
fdpi_ctrl profile matches the structure for service 5
fdpi_ctrl load profile --service 16 --profile.name portal_info_1 --profile.json '{ "ip_list" : "/var/lib/dpi/ip_list_1.bin", "redirect" : "http://info.test.ru" }'
parameter max_profiles_serv16 - sets the maximum number of profiles. The default is 32. Description under Subscriber authorization attributes
bras_dhcp_disconnect option, which is a bitmask of the following flags:
0x0001 - disable acct stop, do not immediately send acct stop for a disconnected DHCP subscriber
0x0002 - disable L3 auth, do not perform L3 authorization for disconnected DHCP subscriber
0x0004 - block traffic - block all traffic from disconnected subscriber (i.e. on subs → inet path)
0x0008 - respond to DHCP Request → NAK
0x0010 - ignore DHCP Request (wait for DHCP Discovery)
#to support this service additional RAM will be required (compared to standard requirements), it is reserved by setting support_service_18=1
#in /etc/dpi/fastdpi.conf
speedtest cs1
default keep
cat dscp_prof_1.txt|lst2dscp /tmp/dscp_prof_1.dscp
speedtest tbf rate 16mbit inbound.rate 16mbit
bittorrent tbf rate 8Mbit
signal tbf rate 1kbit inbound.rate 2kbit
TCP Unknown tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit
cat tbf_prof_1.txt|lst2tbf /tmp/tbf_prof_1.tbf
#reverse conversion
tbf2lst /tmp/tbf_prof_1.tbf
fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/dscp_prof_1.dscp", "tbf" : "/tmp/tbf_prof_1.tbf" }'
fdpi_ctrl load --service 18 --profile.name test_dscp --login DEMO
#or/and
fdpi_ctrl load --service 18 --profile.name test_dscp --vchannel 1
hide command allows you to do a traffic drop with pre-analysis. Description under Handling traffic by VLAN
fdpi_cli vlan group <id> drop
fdpi_cli vlan group <id> pass
fdpi_cli vlan group <id> hide
mtd_bind_ip_login function for binding IP to login was unconditionally performing unbind before binding, without checking the current binding. unbind clears current services, including service 9 data (netflow, accounting), which led to quiet resetting of acct counters on subscriber reauthorization if auth and acct synchronization in fastpcrf is disabled. This commit adds a check: if IP is already associated with a valid login - bind/unbind/rebind does not need to be done, mtd_bind_ip_login function just returns "ok" result.
radmin-port protocol signature
fe80::0/8 1
cat ipchannels6.txt | as2bin6 /etc/dpi/ipchannels6.bin
block_options=4 are enabled
radmin-port to radmin. List of new protocol identifiers:
DoT 49281
RTCP 49282
LIGHTWAY 49283
GOOGLE_MEET 49284
JITSY 49285
WECHAT 49286
DTLS 49287
META_CALLS 49288
LIVEU_LRT 49289
vchannels_default= setting to put traffic unallocated on other channels into a separate channel (but not 0!). Description under Policing of Virtual Channel (vChannel) — Setting up
fdpi_ctrl load --service 49 --login DEMO
fdpi_ctrl load --service 49 --vchannel 1
support_service_18 parameter is set. Description under Policing by session and overriding traffic classes — SSG Configuration
udp_block=3). Description under File format with a list of IP addresses to block
checklock and custom protocol checkproto. The address or port address must be specified on the command line.
#Parameters in fastdpi.conf:
span_vlan=123
span_trace=1
#For diagnostics you can use:
#trace_ip or span_trace or ajb_save_emit
#if you set service 12 and 17, then in pcap we will see original recording and mirrored recording
framed-ipv6-prefix. Added sending framed-ipv6-prefix and delegated-ipv6-prefix over IPFIX
netflow_tos_format, IPFIX TOS field data format: netflow_tos_format=0 (default value) - 3 bit (priority only), 1 - 6-bit (full DSCP). Description under Configuring export in IPFIX (Netflow 10)
ipfix fullflow added passing an additional field - original TOS from the IP header, it will be possible to build reports on external markup
dhcp nak issue
ts_lease_expired — lease end time — was added to the output of the dhcp show command.
acct_disable_interim_update — prohibit sending Interim-Update. Do not send Interim-Update: acct_disable_interim_update=1. Default acct_disable_interim_update=0 (Interim-Update is sent). Description under FastPCRF settings
Command-Code=1 - search for acct session by IP. The acct session can be searched by IPv6 prefix attributes Framed-IPv6-Prefix or Delegated-IPv6-Prefix. The command response specifies all known IP addresses of the found acct-session - Framed-IP-Address, Framed-IPv6-Prefix, Delegated-IPv6-Prefix. Description under Radius CoA — Accounting session request for given IP address
dhcp show stat vrf. Subscriber's subs_id was not checked when determining session "liveliness" - transfer of IP address to another subscriber may break this statistics
lease expired for address from Framed-Pool
ADSL-Forum-Circuit-Id. If PPPoE packet contains Circuit-Id and Huawei tag 1, Circuit-Id is preferred, Huawei tag1 is ignored. Access-Request format for the PPPoE networks — Support Huawei vendor-specific tag 1
/var/lib/dpi/sdsuuid.dat file