SSG changelog and update
DPI/BNG Versions Update
If CentOS 6.x or CentOS 8.x is installed, switch the repository once to the CentOS vault with the command:
sed -i -e '/^mirrorlist=http:\/\//d' -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' /etc/yum.repos.d/CentOS-*.repo
Then run updates as usual:
yum update fastdpi
If the error "Module yaml error" appears during the upgrade, update the libmodulemd module first:
dnf upgrade libmodulemd
After updating, restart the DPI:
service fastdpi restart
and the other dependent processes (PCRF/Radius), but only if they are actually used and their configuration is valid:
service fastpcrf restart
service fdpi_radius restart
You can update the operating system components. Do not update the kernel version and its dependent utilities!
For CentOS 6.x:
yum --exclude=kernel*,util-linux-ng,libuuid,libblkid update
For CentOS 8.x:
yum update
Note for users running the DPI in a virtual environment, on old CPUs (2009-era releases) or on AMD CPUs:
Run the following command before the update:
touch /etc/dpi/noprioadj
This causes the DPI process to be launched with normal priority (not realtime), which significantly reduces system (sys) CPU consumption but slightly increases latency on the platform.
DPI platform update to version 13.0 Congo
You can check the current installed version with the command:
yum info fastdpi
Rollback to 12.4:
yum downgrade fastdpi-12.4-0 fastpcrf-12.4-0
After an update or version change, a restart of the service is required:
service fastdpi restart
If PCRF and/or Radius are used, they should also be restarted. The following order is preferred for restarting PCRF:
service fastdpi stop
service fastpcrf restart
service fastdpi start
Do not perform Linux kernel upgrades. Newer kernel versions may break Kernel ABI binary compatibility, and the network driver will not load after the upgrade. If you do upgrade, set the GRUB boot loader to load the previous kernel version: set the default=1 parameter in the /etc/grub.conf file while the problem is being resolved.
If the update displays a message that the update was not found or there are dependency issues, run the command before updating:
yum clean all
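The restart order above, combined with the fdpi_cli uptime exit code introduced in 13.0 (see the BRAS changes further down), as an added example script that is not from the vendor page. It assumes the service names fastdpi, fastpcrf and fdpi_radius used on this page; the probe command and try count are parameters so the wait loop can be exercised without a DPI host.

```shell
#!/bin/sh
# Added example, not vendor code: restart fastDPI and PCRF in the documented
# order, then wait until `fdpi_cli uptime` exits 0 (fastDPI fully initialized,
# per the 13.0 changelog) before touching fdpi_radius.
# Assumption: service names fastdpi/fastpcrf/fdpi_radius as used on this page.

# wait_for_fastdpi PROBE_CMD MAX_TRIES [SLEEP_SECONDS]
# Runs PROBE_CMD (normally "fdpi_cli uptime") up to MAX_TRIES times and
# returns 0 as soon as it exits 0; returns 1 if it never does.
wait_for_fastdpi() {
    probe=$1
    tries=$2
    delay=${3:-2}
    n=0
    while [ "$n" -lt "$tries" ]; do
        if $probe >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -lt "$tries" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# restart_dpi_stack USE_PCRF USE_RADIUS   (values: yes|no)
# Order from the page: stop fastdpi, restart fastpcrf, start fastdpi.
# Radius is restarted only once fastDPI reports full initialization.
restart_dpi_stack() {
    use_pcrf=$1
    use_radius=$2
    service fastdpi stop || return 1
    if [ "$use_pcrf" = yes ]; then
        service fastpcrf restart || return 1
    fi
    service fastdpi start || return 1
    if ! wait_for_fastdpi "fdpi_cli uptime" 30 2; then   # 60 s budget
        echo "fastDPI did not report full initialization" >&2
        return 1
    fi
    if [ "$use_radius" = yes ]; then
        service fdpi_radius restart || return 1
    fi
    return 0
}

# Usage on a DPI host (set RUN_RESTART=yes): restart with PCRF, without Radius
if [ "${RUN_RESTART:-no}" = yes ]; then restart_dpi_stack yes no; fi
```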
Changes in version 13.0
DPI
- On-stick support for LAG/LACP
- Transition to DPDK 23.11
- Modified: for QUIC and QUIC_IETF: if no SNI is detected - check by AS
- Modified: when analyzing STUN, AS from Facebook is checked - define FACEBOOK_VIDEO, not WHATSAPP_VOICE
- Setting RSS hash flags for UDP and TCP
- Modified: openvpn protocol definition
- Fixed: SIGHUP processing only if fastDPI is fully initialized. Possible crash if SIGHUP is received during fastDPI startup process
- Trace/debug packet recording moved to new API
- Added: wechat protocol support for UDP
- Prioritize SNI detection in custom signatures for autonomous systems marked as `mark1`.
- Prioritize more specific custom SNI signatures. Example: for host a.b.c.d, if the signatures `*.d`, `*.c.d` and `*.b.c.d` are present, the protocol defined by the signature `*.b.c.d` will be selected (works only for signatures with `*`).
- Support for hard locks (regardless of hostname/SNI) - set in an additional field in the address blacklist, example: `1.1.1.1 443 hard`
- Improved detection of YOUTUBE, SIGNAL
- Added the DPITUNNEL protocol, which includes traffic anomalies commonly used for DPI traversal
- Updating dpiutils
- New protocols VK_CDN_VIDEO, META_CHAT
- Improved signatures of FACEBOOK_VIDEO, META_CALLS protocols
- Fixed protocol name VK_CDN_VIDEO
- Fixed: SNI decoding in QUIC IETF and a possible crash in exceptional cases
- Fixed: clearing search structures when deleting CUSTOM protocols
- Added protocols QUIC_UNKNOWN - QUIC without SNI, and QUIC_UNKNOWN_MARKED - QUIC without SNI and AS labeled MARK2
- Fixed: stun character definition for TCP
- Modified: if the stun packet viewing limit is reached - set this protocol with AS in mind
- Updated utilities to support new protocols
- Improvements in QUIC_UNKNOWN, QUIC_UNKNOWN_MARKED, SIGNAL, DpiTunnel protocols
- SNI/HOST embedded protocol definitions are cloud-based, SNI/IP prioritization is supported
- Modified: SNI comparison is case-insensitive
- Added LANTERN_WEAK protocol signature
- Improved IMAP protocol recognition
- Fixed: LPM (longest prefix match) when selecting a channel by IP/CIDR
- Added: the vchnl field (virtual channel number) to the DNS text file record format
- Added: the DNS channel number to the IPFIX data transfer template
- Fixed: crash on DNS trace
- Improved VIBER_VSTREAMS protocol definition
- Fixed: fastDPI does not accept or process any ctl requests during fastDPI stop process
- Added SSTP protocol (49296)
- Added ANYDESK protocol (54273)
- LANTERN recognition improved
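The custom SNI signature precedence listed above (the most specific wildcard signature wins, only `*` signatures take part, comparison is case-insensitive), as an added shell illustration that is not fastDPI code; the "pattern=PROTOCOL" entry format and the protocol names are constructed for the example and do not reproduce the real signature file format.

```shell
#!/bin/sh
# Added example, not fastDPI code: pick the custom wildcard SNI signature that
# wins for a hostname under the 13.0 rule (most specific, i.e. longest,
# matching suffix; comparison is case-insensitive; only '*' signatures take
# part). Entries are given as "pattern=PROTOCOL" (constructed format).

lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# best_signature HOST 'pattern=PROTOCOL' ...
# Prints the protocol of the most specific matching signature, or UNDEFINED.
best_signature() {
    host=$(lower "$1")
    shift
    best_len=-1
    best_proto=UNDEFINED
    for entry in "$@"; do
        pattern=$(lower "${entry%%=*}")
        proto=${entry#*=}
        case $pattern in
            \**) ;;            # wildcard signature: eligible
            *) continue ;;     # exact signatures are outside the page's rule
        esac
        suffix=${pattern#\*}   # "*.b.c.d" -> ".b.c.d"
        case $host in
            *"$suffix")
                if [ "${#suffix}" -gt "$best_len" ]; then
                    best_len=${#suffix}
                    best_proto=$proto
                fi ;;
        esac
    done
    printf '%s\n' "$best_proto"
}

# The page's example: a.b.c.d against *.d, *.c.d and *.b.c.d -> PROTO_BCD
best_signature a.b.c.d '*.d=PROTO_D' '*.c.d=PROTO_CD' '*.b.c.d=PROTO_BCD'
```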
BRAS
- Added: accounting of DHCP packets from the subscriber in billing statistics. A subscriber CPE (i.e. a Wi-Fi router) without clients (e.g. at night) sends only lease renewal requests; since these requests were intercepted by BRAS and not included in the accounting, the session was terminated by idle timeout
- Corrected: actions when QinQ/VLAN is changed for a subscriber
- Fixed: framed-pool renew. In some cases, incorrect DHCP responses were generated. Added trace to the DHCP packets log for framed-pool renew.
- Fixed: receiving packets from relay. Previously it was checked that the relay was on the fc::/7 network. Now this check is unnecessary and has been removed - the relay can have any address.
- Fixed: DHCPv6 options parsing from Radius
- The `subs prop show active` command has been added. The command outputs a dump of L2 properties of all active (not-expired) subscribers.
- Modified: Prohibit calling CLI commands while stopped
- Fixed: idle-timeout for session. For PPPoE sessions the idle timeout should be taken from the `bras_ppp_idle_timeout` setting if not explicitly set in the authorization response (Idle-Timeout attribute).
- Added priority forwarding with DSCP translation
- Corrected: Adding unnecessary option 61 (Client-Id) to fastDPI response when distributing address from Framed-Pool
- Fixed: Logging of DHCP server IP addresses
- Fixed: Enabling services with profiles. The `VasExperts-Service-Profile` attribute (service profile name, implicitly enables the service) has higher priority than `VasExperts-Enable-Service` (enabling/disabling a service without specifying a profile).
- Added: `ping inet` command on behalf of subscribers through the entire BRAS/NAT/ROUTER processing chain. The prompt is `fdpi_cli ping inet ?`.
- Fixed: call of subscriber IP address deannounce when acct idle. A new flag has been added to the router option `router_subs_announce`: 0x10000 - deannounce the L3 subscriber at acct idle (closing the acct session by idle timeout).
- Added support for specifying the profile of service 18 during authorization. Enabling service 18 in the Access-Accept Radius response is set in the usual way for a service with a mandatory profile (here `serv18` is the profile name): `VasExperts-Service-Profile = "18:serv18"`
- A search by `MAC` and `subs_id` has been added to the `subs prop show` command. The result of a search by `MAC` or `subs_id` can be multi-valued - several different entries for the same `MAC`/`subs_id`. The result of the `subs prop show active` command has been changed, which may be critical when parsing the command's JSON output.
- Fixed: setting link up/down flag for ports that do not support link up/down interrupts (e.g. af_packet)
- The return code of the uptime command. The CLI command `uptime` can be used to check if fastDPI is fully started: it returns `result=0` (Success) only when fastDPI is fully initialized and all worker threads are started. Upon receiving a response from fastDPI to the `fdpi_cli uptime` command, the fdpi_cli utility itself checks the result of the execution and, if `result!=0`, sets a non-zero return code.
- Corrected: If VRF (service 254) was present in Access-Accept, the packet was incorrectly logged as invalid.
- Restoring UDR operation after calling a command with a large number of parameters
NAT
- Added a `checknat` utility to check the distribution of white addresses
- Fixed online change of the `nat_private_cidr` parameter
Load Balancer
- Added L2 traffic balancer mode. This enhancement allows SCAT to be used as a traffic balancer based on IP addresses owned by an AS and defined as `local` in `asnum.dscp`.
- Added `mqrx_lb_engine`, which is activated when `dpdk_engine=2`
Router
- Mempool allocation for emit packets: we do not allow the pool to be completely exhausted, there should be at least 256 free elements in the pool
- The route deletion error `errno=3` (No record found) has been moved to TRACE to avoid clogging the log
- Fixed the order of router components termination
- Changed: system error when clearing route tables. Cleaning of route tables (deleting all entries added by SCAT) is done at stop and start of fastDPI. During cleaning process EBUSY error may occur, which is fatal for netlink socket, socket should be closed.
- Fixed: TAP link down in LAG. If a port enters a lag, TAP this port to Link down state only when ALL LAG ports are down.
- Fixed: control of selfgen mempool exhaustion
- Optimization of data readout from TAP
- Fixed LAG+On-stick: put TAP in link down state. TAP is set to link down only when all ports in LAG are in down state. If there is at least one port in Up state - TAP should be in Link Up state.
- Corrected: Traffic diversion in router for on-stick device in LAG. When forming VRF topology, it was not taken into account that the LAG includes the base (physical) device, and the on-stick (virtual) device is specified in the router description.
- Fixed: Read all data from TAP device. At fastDPI startup there were possible situations when router is not fully initialized yet and TAP is already monitored but not read out.
- The `router_subs_announce` option is now hot (can be changed without restarting fastDPI)
- Fixed: mbuf leak on fastDPI startup
SDS
- The `storage_tag` value is set based on directional priority or protocol priority
Radius
- Added the ability to work with standard Linux interfaces using `libpcap`
Changes in version 13.1
idle_timeout expires. The fix is planned for the next release.
DPI
- Global code refactoring - discontinued support for `pf_ring`
- Added: service 19 - DNS response substitution
- Modified: minimum PCAP file size set to 100 MB. PCAP file rotation on reload
- Modified: improved DROP event tracing
- Fixed: erroneous ERROR level message appearing for certain `fdpi_ctrl` requests
- Fixed: incorrect TLS (SNI) parsing when multiple 'ALPN Protocols' are specified
- Modified: mechanism for updating AS and IP compliance lists
BRAS
- Fixed: subscriber activity control via unicast ARP Request. Previously, it was a broadcast ARP Request, which is not optimal for the network.
- Added: SHCV (Subscriber Host Connectivity Verification) - DHCP subscriber activity control. Considered scenario for an already "closed" record to prevent repeated SHCV trigger and increase in the 'SHCV: session closed by inactivity' counter.
- Added: ARP Proxy for known routes (router mode only). This feature is applied only if the ARP request initiator is a known subscriber. A new flag 0x0004 has been added to the `bras_arp_proxy` option.
- Fixed: help() for IPv6 addresses in the `subs prop show` command
- Fixed: error in parsing parameters for the `subs prop del` command, which resulted in the inability to delete properties by IP with the error `ERROR: Result code=9: No subscriber IP address`
- Added: CLI command `dhcp disconnect`. This is a CLI analog of CoA Disconnect. The disconnect mode is set by the `bras_dhcp_disconnect` option. `dhcp disconnect all` - disconnect all DHCP sessions; `dhcp disconnect [ mac=X | ip=X ]` - disconnect the specified session
- Fixed: sending L3 reauth for L2 subscriber in advance, not waiting for session timeout
- Added: number of sessions closed due to inactivity (SHCV) in the `dhcp show stat` CLI command
- Fixed: error in intercepting and processing ICMPv6 packets, checksum not recalculated in some cases when modifying ICMPv6 packet
NAT
- Modified: tracing in `vdpi_new_flow_nat_ipv4` is always output
- Fixed: based on the value of `nat_exclude_private`, additionally check the pair CHECK_AS_LOCAL or CHECK_AS_PEER for an AS in local interconnect
Router
- Added: ARP management
- Fixed: port selection for recording in a pass-through LAG. If LAG passes through fastDPI, port selection for recording from TAP should consider the Link Up/Down state of both bridge sides of the port
- Fixed: announcing NAT profile subnets upon addition
- Added: CLI command `router vrf dump`. The command outputs the list of VRFs set in the system and their properties
- Fixed: do not consider term by AS when announcing NAT subnets. The `term_by_AS` mode applies to subscribers, not to NAT profiles, hence it should not be considered when announcing a NAT subnet
- Fixed: order of packet interception from the general processing pipeline
- Fixed: increased number of `mbuf` in the `selfgen mempool` when the router is enabled. If router disabled: `mempool size=512 * number_of_slaves_in_cluster`; if router enabled: `mempool size=8 * 1024 * number_of_slaves_in_cluster`
LAG
- Fixed: zeroing the array when building a new list of active ports. The error leads to array overflow and memory corruption
- Added: logging of the "no mbuf" error when sending LACP