SSG changelog and update

Update instructions

As of version 12.0, DPI is only installed on CentOS 8.x and VEOS!

If you have CentOS 6.x or CentOS 8.x installed, switch the repository once with the command:

sed -i -e '/^mirrorlist=http:\/\//d' -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' /etc/yum.repos.d/CentOS-*.repo
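
A dry run of the repository switch above, as an added example that is not part of the vendor's instructions: it applies the same two sed expressions without -i and checks the result before the real files are edited. The function names and the sample repo content are constructed for illustration.

```shell
# Dry run of the page's repository switch; nothing under /etc is modified.
# The sample repo content below is constructed for illustration.

# preview_repo_switch FILE: print FILE as it would look after the page's
# sed command (same expressions, but without -i).
preview_repo_switch() {
    sed -e '/^mirrorlist=http:\/\//d' \
        -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' \
        "$1"
}

# check_repo_switch FILE: return 0 only if, after the rewrite, no mirrorlist
# line is left and every active baseurl points to vault.centos.org.
check_repo_switch() {
    out=$(preview_repo_switch "$1") || return 2
    if printf '%s\n' "$out" | grep -q '^mirrorlist='; then
        echo "$1: a mirrorlist line survives the rewrite" >&2
        return 1
    fi
    if printf '%s\n' "$out" | grep '^baseurl=' |
        grep -qv '^baseurl=http://vault\.centos\.org/'; then
        echo "$1: an active baseurl does not point to vault.centos.org" >&2
        return 1
    fi
    printf '%s\n' "$out" | grep -q '^baseurl=' ||
        { echo "$1: no active baseurl after the rewrite" >&2; return 1; }
    return 0
}

# make_sample_repo: write a constructed CentOS-style repo file, print its path.
make_sample_repo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
EOF
    echo "$f"
}

# Demo on the constructed sample; on a real host, loop over
# /etc/yum.repos.d/CentOS-*.repo and call check_repo_switch on each file.
sample=$(make_sample_repo) && check_repo_switch "$sample" && echo "sample rewrite OK"
rm -f "$sample"
```

The sed expression only deletes mirrorlist lines that start with http://, so a file whose mirrorlist uses https:// is left pointing at the old mirrors; the check reports that case.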

Then run updates as usual:

yum update fastdpi

If the "Module yaml error" error appears during the upgrade, upgrade the libmodulemd module:

dnf upgrade libmodulemd

After updating, restart the DPI:

service fastdpi restart

and other dependent processes (PCRF/Radius), but only if they are actually used and their configuration is valid:

service fastpcrf restart
service fdpi_radius restart

You can update the operating system components. Do not update the kernel version and its dependent utilities!
For CentOS 6.x:

yum --exclude=kernel*,util-linux-ng,libuuid,libblkid update

For CentOS 8.x:

yum update

Note for users running the DPI in a virtual environment, on old CPUs (release of 2009) and on AMD CPUs:
Run the following command before the update:

touch /etc/dpi/noprioadj

This causes the DPI process to be launched with normal priority (not realtime), which significantly reduces the consumption of system (sys) CPU resources but slightly increases latency on the platform.

Customers using BRAS functionality should note the changes when upgrading SSG to the new version.

Updating SSG to Version 14.0 Shooting Stars

14.0 Shooting Stars 1)

You can check the currently installed version with the command:

yum info fastdpi

Rollback to 13.3:

yum downgrade fastdpi-13.3-0 fastpcrf-13.3-0 dpiutils-13.3 fastradius-13.3

After updating or changing the version, a service restart is required:

service fastdpi restart

Important: If PCRF and/or Radius are used, they must also be restarted. For PCRF restart, the following order is preferred:

service fastdpi stop
service fastpcrf restart
service fastdpi start

Important: Do not perform Linux kernel updates. In new kernel versions, binary compatibility with Kernel ABI may be broken, and the network driver may not load after the update. If you have already performed the update, temporarily configure the GRUB bootloader to boot the previous kernel version: in the /etc/grub.conf file, set the parameter default=1.

If a message appears during the update saying that the update was not found or that there are dependency issues, execute the following command before updating:

yum clean all

Changes in version 14.0

  1. [BRAS] Support for L2TP termination
  2. [DPI] Migration to DPDK 24.11, support for new NICs (Intel E830 200G, Intel E610, Napatech SmartNIC).
  3. [CLI] Added support for subs_id in commands: dhcp show, dhcp reauth, dhcp6 show, dhcp6 reauth, and dhcp disconnect.
  4. [DPI] New protocols added: AGORA_STREAMS(49314), AZAR_CALL(49315), WECHAT_CALL(49316), TEAMS_CALL(49317).
  5. [DPI] Improved support for LINE_CALL, VYKE_CALL protocols.
  6. [DPI] Fixed smartdrop behavior
  7. [DPI] Added validation for complex protocols.
  8. [DPDK] Increased the maximum number of dispatchers to 32.
  9. [IPFIX/Netflow] Added the ability to change IPFIX/Netflow parameters without restarting fastDPI. A new config parameter ipfix_reserved has been added to reserve memory for enabling/changing IPFIX/Netflow parameters. If IPFIX/Netflow parameters are set in the configuration file, memory reservation for IPFIX/Netflow is automatically enabled and parameters/new exporter types can be changed without restarting fastDPI.
  10. [FastRadius] It is now possible to set both bind_ipv6_address and bind_ipv6_subnet. If the Framed-IPv6-Prefix has a /128 mask, it is not checked against the bind_ipv6_subnet restriction.
  11. CLI command dev info now includes the name of the LAG that the port belongs to
  12. [PCRF][PPP][Framed-pool] Added: DHCP option Client-Id now includes tunnel-IP as part of the subscriber ID. For more details, see sections IPv4 Pools Support and IPv6 pools support
  13. [IPFIX] Message aggregation added for IPFIX streams: FullFlow/DNS/META/NAT
  14. [IPFIX] Added parameter ipfix_mtu_limit to restrict maximum message size for IPFIX UDP packets
  15. [IPFIX DNS] New elements added to IPFIX DNS: 224 (ipTotalLength) and 43823:3206 (DNS transaction id)
  16. [VRRP] Fixed handling of changes to the vrrp_enable option
  17. [BRAS][PPP] PPP session key is now compound: l2subs_id + tunnel-IP. For PPPoE sessions, tunnel IP = 0. CLI commands that use subs_id as a key (subs prop show, l2tp show session, l2tp term, etc.) may now return multiple entries with the same l2subs_id.
  18. [DPI] Added cloud protocols with identifiers 55296..58367
  19. [IPFIX] Fixed IPFIX exporter reinitialization bugs
  20. [BRAS][subs_grooming] Fixed potential crash due to race condition during fastDPI shutdown
  21. [CLI] Added commands to display mempool properties and statistics
        hal mempool props
        hal mempool stat

    DPDK must be built with statistics collection enabled to display mempool stats

  22. [BRAS][DHCP] Fixed crash when parsing Framed-Pool Renew response if it contains no DHCP options
  23. [PCRF][Acct] Fixed: Interim-Update sending is now disabled when Acct-Interim-Interval = 0 is explicitly set in the RADIUS response. For more details, see sections Subscriber authorization attributes, Access-Accept format for the PPPoE networks, Access-Reject format for PPPoE networks
  24. [VASE_CLI] Created a unified CLI for managing DPI, BRAS, DHCP (KEA), ROUTER (BIRD) with support for authorization and command logging via TACACS (VEOS 8.x required)
  25. [SNMP] Created a module for monitoring system components via SNMP
  26. [DPI] Added DOQ 49318 protocol (DNS-over-QUIC)
  27. [Router] Announcing subscriber white addresses for 1:1 NAT individually and after authentication.
  28. [PCRF] Added support for service 19 "DNS spoofing", profile required.
  29. [DPDK] Added dpdk_engine=6 (mqrx-bridge) — number of RSS dispatchers per bridge.
  30. [DPDK] Removed dedicated mempools. The fastdpi.conf option dpdk_emit_mempool_size is deprecated and no longer used.
  31. [VLAN-Rule] Moved vlan group data from UDR to SDR. Global rules for vlan drop/pass/hide/permit set by the previous CLI command vlan group were converted and moved from UDR to SDR, with removal from UDR.
  32. Up to version 14, only one built-in database UDR (User Data Repository) is used, intended for permanent storage of data about services, policings, and other FastDPI settings.
    Starting from Version 14, UDR is split into UDR and SDR. The split occurs automatically during version update.
    SDR (System Data Repository) is intended for storing FastDPI settings not related to subscribers. It can be considered that SDR is an extension of fastdpi.conf. No special activation of SDR is required — the necessary .mdb files are created automatically when the corresponding mode is enabled in fastdpi.conf.
  33. [VLAN] VLAN rules — added CLI commands:
    1. vlan rule add - add new rule to SDR
    2. vlan rule modify - modify existing rule in SDR
    3. vlan rule delete - delete rule from SDR
    4. vlan rule show - show all rules for the specified VLAN/QinQ
    5. vlan rule dump - dump all rules in SDR
    6. vlan rule purge vlan/qinq/all - clear SDR for VLAN/QinQ or both
    7. vlan rule apply - apply rules; by default, rules are applied 5 minutes after the last SDR modification
  34. [IPv6] Added direction detection in combined traffic (IN+OUT on one port) based on the local flag for IP addresses. Enabled via combined_io_direction_mode option
  35. [BRAS] Fixed compatibility with the old format of service 18, where there were fewer protocols and both fields in the profile needed to be filled
  36. [DPI] Lowered detection priority for telegram_tls
  37. [DPI] Improved detection of WECHAT and WECHAT_CALL
  38. [BRAS][Framed-Route] Fixed: possible crash when freeing memory
  39. [BRAS] Refactored PCRF connectivity: in the new implementation, all connections are equal; an error on any triggers reconnection of all connections and a switch to another PCRF. Added CLI commands:
    1. pcrf connect show — show current status and accumulated statistics for PCRF connections.
    2. pcrf connect switch [<pcrf_index>] - force connection to the specified PCRF, where <pcrf_index> is the index of the connection line in the auth_server parameter. If <pcrf_index> is not specified, it defaults to 0.
  40. [IPFIX DNS] Added the ability to send DNS MX responses via IPFIX. Enabled by setting bit 3 (4) of the ajb_save_dns parameter
  41. [DPI] Added FakeTLS protocol (49319) with validation
  42. [BRAS][DHCP] Changed: sliding window algorithm for rate limit
  43. [BRAS] Fixed: time comparison error when loading ip_prop from UDR
  44. [VLAN-Rule] Added support for 'any' instead of '*' when describing VLAN range
    '*.*' is interpreted in bash command line as a file search mask, so now instead of '*', you can specify 'any' ('*' is still supported):
    'any.any' - equivalent to '*.*'
    'any' - equivalent to '*'
    '68.any' - equivalent to '68.*'
    'any.78-90' - equivalent to '*.78-90' 
  45. [DPI][LOG] Messages about insufficient SSL parsers are written to the slave log not for every event, but at a frequency of 1/50000.
  46. [DPI] Added protocols ZALO_CALL(49320) and VK_CALL(49321)
  47. [DPI] Fixed blocking in hard mode for SSL
  48. [Acct] Added attribute VASExperts-Service-Type. Radius acct start/interim/stop sends the authorization type in the VASExperts-Service-Type attribute.
  49. [CLI] Added: stat flow ip6 command to display IPv6 flow statistics
  50. [CLI] Added: stat flow ip4 command to display IPv4 flow statistics. Analogous to the output in fastdpi_stat.log.
  51. [IPFIX] Fixed ExportTime formation error in IPFIX Fullflow
  52. [CLI] Added stat netflow command. Displays general statistics for Netflow/IPFIX (same as in fastdpi_stat.log under the "Statistics on NFLW_export" section)
  53. [DNS] Added support for substitution/blocking/dropping of DNS requests A, AAAA, MX, HTTPS.
  54. [CLI] Added stat firewall command
  55. [DPI] Added BIGO_CDN protocol (49324)
  56. [DPI] Added UDP support for BIGOTV
  57. [PCRF][L2TP] Fixed: NAS attributes for L2TP during authorization
  58. [BRAS][L2TP] Fixed: data race when closing sessions
  59. [DPDK] Removed deprecated rx channels settings and related checks
  60. [IPFIX] Added configurable sending of drop octets/packets counters when generating IPFIX fullflow.
  61. [PCAP] Added capability to save traffic of a specified vlan using the ajb_save_vlan parameter
  62. [DPIUTILS] Updated checknat utility
  63. [DPIUTILS] Updated dns2dic utility with domain blocking support.
  64. [BRAS][L2TP] Fixed: data race during tunnel creation
  65. [Router] Fixed: interception and diversion of IPv6 packets to tap interfaces. Link-local addresses were not diverted to tap, even if explicitly specified in the router.subnet6 settings.
  66. [BRAS][L2TP] Fixed: length field in L2TP header for data packets. According to RFC, the len field in L2TP header is optional for data packets. Some L2TP client implementations do not understand data packets with the len field in the L2TP header. This fix adjusts FastDPI's behavior: if data packets from the subscriber arrive without the len field, then SSG will also send data packets without this field. If data packets from the subscriber contain the len field, SSG will include it as well.
  67. [BRAS] Fixed: sending commands from the pending_queue. In some cases (e.g., during state transitions of the pcrf monitor initial → connected), sending commands from the pending_queue was not triggered, which caused commands to "hang" in the queue indefinitely (until reconnection due to a socket error).
  68. Fixed a recently introduced error (affecting betas 4.6 and 4.7) in the session lifecycle that leads to resource exhaustion over time; a prompt update from these versions (or a rollback) is recommended.
1)
In memory of colleagues who made a huge contribution to the development of the company and its products and will forever remain in our memory
