SSG changelog and update

DPI/BNG Versions Update

As of version 12.0, DPI is only installed on CentOS 8.x and VEOS!

If you have version of CentOS 6.x or CentOS 8.x installed, switch the repository once with the command:

sed -i -e '/^mirrorlist=http:\/\//d' -e 's/^# *baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/vault.centos.org/' /etc/yum.repos.d/CentOS-*.repo

Then run updates as usual:

yum update fastdpi
If the error Module yaml error appears during the upgrade, you should upgrade the module dnf upgrade libmodulemd.

After updating, restart the DPI:

service fastdpi restart

and other dependent procoesses (PCRF/Radius), but only if they are actually used and their configuration is valid:

service fastpcrf restart
service fdpi_radius restart

You can update the operating system components Do not update the kernel version and its dependent utilities!
For CentOS 6.x:

yum --exclude=kernel*,util-linux-ng,libuuid,libblkid update

For CentOS 8.x:

yum update

Note for users running the DPI in a virtual environment, using old CPU (release of 2009) and AMD CPU:
Run the following command before the update:

touch /etc/dpi/noprioadj

and it causes the DPI process to be launched with normal priority (not the realtime), thus significantly reducing the consumption of CPU system (sys) resourses, but slightly increasing the latency on the platform.

Customers using BRAS functionality should note the changes when upgrading SSG to the new version.

DPI platform update to version 13.0 Congo

13.0 Congo 1)

You can check the current installed version with the command:

yum info fastdpi

Rollback to 12.4:

yum downgrade fastdpi-12.4-0 fastpcrf-12.4-0

After an update or version change, a restart of the service is required:

service fastdpi restart

:!: If PCRF and/or Radius are used, they should also be restarted. The following order is preferred for restarting PCRF:

service fastdpi stop
service fastpcrf restart
service fastdpi start

:!: Do not perform Linux kernel upgrades. Newer versions of the kernel may break binary compatibility with the Kernel ABI and the network driver will not load after the upgrade. If you do upgrade, set the GRUB boot loader to load the previous version of the kernel: set the default=1 parameter in the /etc/grub.conf file while the problem is being resolved.

If the update displays a message that the update was not found or there are dependency issues, run the command before updating:

yum clean all

Changes in version 13.0

DPI

  1. On-stick support for LAG/LACP. Description
  2. Transition to DPDK 23.11
  3. Modified: for QUIC and QUIC_IETF: if no SNI is detected - check by AS
  4. Modified: when analyzing STUN, AS from Facebook is checked - define FACEBOOK_VIDEO, not WHATSAPP_VOICE
  5. Setting RSS hash flags for UDP and TCP
  6. Modified: openvpn protocol definition
  7. Fixed: SIGHUP processing only if fastDPI is fully initialized. Possible crash if SIGHUP is received during fastDPI startup process
  8. Trace/debug packet recording moved to new API
  9. Added: wechat protocol support for UDP
  10. Support for additional markup of autonomous systems mark1, mark2, mark3. Description
  11. Prioritize SNI detection in custom signatures for autonomous systems marked as mark1. Description
  12. Prioritize more specific custom SNI signatures.
    Example: for host a.b.c.d, if the signatures *.d, *.c.d and *.b.c.d are present, the protocol defined by the signature *.b.c.d will be selected :!: works only for signatures with *. Description
  13. Support for hard locks (despite hostname/SNI) - set in an additional field in the address blacklist, example: 1.1.1.1 443 hard. Description
  14. Improved detection of YOUTUBE, SIGNAL
  15. Added the DPITUNNEL protocol, which includes traffic anomalies commonly used for DPI traversal
  16. Updating dpiutils
  17. New protocols VK_CDN_VIDEO, META_CHAT
  18. Improved signatures of FACEBOOK_VIDEO, META_CALLS protocols
  19. Fixed protocol name VK_CDN_VIDEO
  20. Fixed: SNI decoding in QUIC IETF and possibility of crusting in exceptional cases
  21. Fixed: clearing search structures when deleting CUSTOM protocols
  22. Added ability to add comments (#) and blank lines in input files for utilities lst2dscp, lst2tbf
  23. Added protocols QUIC_UNKNOWN - QUIC without SNI and QUIC_UNKNOWN_MARKED - QUIC without SNI and AS labeled MARK2. Description
  24. Fixed: stun character definition for TCP
  25. Modified: if the stun packet viewing limit is reached - set this protocol with AS in mind
  26. Updated utilities to support new protocols
  27. Improvements in QUIC_UNKNOWN, QUIC_UNKNOWN_MARKED, SIGNAL, DpiTunnel protocols
  28. SNI/HOST embedded protocol definitions are cloud-based, SNI/IP prioritization is supported
  29. Modified: SNI comparison is case-insensitive
  30. Added LANTERN_WEAK protocol signature
  31. Improved IMAP protocol recognition
  32. Corrects LPM when selecting channel by IP/CIDR
  33. Added: to DNS text file record format - format vchnl - virtual channel number.
  34. Added: to the IPFIX data transfer template for DNS channel number. Description
  35. Fixed: crash on DNS trace
  36. Improved VIBER_VSTREAMS protocol definition
  37. Fixed: fastDPI does not accept or process any ctl requests during fastDPI stop process
  38. Added SSTP protocol (49296)
  39. Added ANYDESK protocol (54273)
  40. LANTERN recognition improved

BRAS

  1. Added: accounting of DHCP packets from subscriber in billing statistics: subscriber CPE (i.e. Wi-Fi router) without clients (e.g. at night) - sends only license renewal requests. Since these requests were intercepted by BRAS and were not included in the accounting, the session was terminated by idle timeout
  2. Corrected: actions when QinQ/VLAN is changed for a subscriber
  3. Fixed: framed-pool renew
    In some cases, incorrect DHCP responses were generated. Added trace to DHCP packets log for framed-pool renew.
  4. Fixed: receiving packets from relay. Previously it was checked that relay was on the fc::/7 network. Now this check is unnecessary and has been removed - relay can have any address.
  5. Fixed: DHCPv6 options parsing from Radius
  6. The subs prop show active command has been added. The command outputs a dump of L2 properties of all active (not-expired) subscribers. Description
  7. Modified: Prohibit calling CLI commands while stopped
  8. Fixed: idle-timeout for session. For PPPoE sessions idle timeout should be taken from the bras_ppp_idle_timeout setting if not explicitly set in the authorization response (Idle-Timeout attribute).
  9. Added priority forwarding with DSCP translation. Description
  10. Corrected: Adding unnecessary option 61 (Client-Id) to fastDPI response when distributing address from Framed-Pool
  11. Fixed: Logging of DHCP server IP addresses
  12. Fixed: Enabling services with profiles. The `VasExperts-Service-Profile` attribute (service profile name, implicitly enables the service) has higher priority than `VasExperts-Enable-Service` (enabling/disabling a service without specifying a profile).
  13. Added ping inet command on behalf of subscribers through the entire BRAS/NAT/ROUTER processing chain. The prompt is fdpi_cli ping inet ?. Description
  14. Fixed: call of subscriber IP address deanounce when acct idle. Added new flag to router option router_subs_announce: 0x10000 - deanounce L3 subscriber at acct idle (closing acct session by idle timeout). Description
  15. Added support for specifying the profile of service 18 during authorization. Enabling service 18 in the Access-Accept Radius response is set in the usual way for a service with a mandatory profile (here serv18 is the profile name):
    VasExperts-Service-Profile = "18:serv18"
  16. A search by MAC and subs_id has been added to the subs prop show command. The result of a search by MAC or subs_id can be multi-valued - several different entries for the same MAC/subs_id. The result of the subs prop show active command has been changed, which may be critical when parsing the command's json wiggle. Description
  17. Fixed: setting link up/down flag for ports that do not support link up/down interrupts (e.g. af_packet)
  18. The return code of the uptime command. The CLI command uptime can be used to check if fastDPI is fully started: it returns result=0 (Success) only when fastDPI is fully initialized and all worker threads are started. Upon receiving a response from fastDPI to the fdpi_cli uptime command, the fdpi_cli utility itself checks the result of the execution and if result!=0 - sets a non-zero return code.
  19. Corrected: If VRF (service 254) was present in Access-Accept, the packet was incorrectly logged as invalid.
  20. Restoring UDR operation after calling a command with a large number of parameters

NAT

  1. Added a checknat utility to check the distribution of white addresses. Description
  2. Fixed online change of nat_private_cidr parameter

Load Balancer

  1. Added L2 traffic balancer mode. This enhancement allows to use SCAT as a traffic balancer based on IP addresses owned by AS and defined as local in asnum.dscp. Description
  2. Added mqrx_lb_engine, which is activated when dpdk_engine=2. Description

Router

  1. Mempool allocation for emit packets: we do not allow the pool to be completely exhausted, there should be at least 256 free elements in the pool
  2. The error of route deletion errno=3 (No record found) has been moved to TRACE to avoid clogging the log
  3. Fixed the order of router components termination
  4. Changed: system error when clearing route tables. Cleaning of route tables (deleting all entries added by SCAT) is done at stop and start of fastDPI. During cleaning process EBUSY error may occur, which is fatal for netlink socket, socket should be closed.
  5. Fixed: TAP link down in LAG. If a port enters a lag, TAP this port to Link down state only when ALL LAG ports are down.
  6. Fixed: control of selfgen mempool exhaustion
  7. Optimization of data readout from TAP
  8. Fixed LAG+On-stick: put TAP in link down state. TAP is set to link down only when all ports in LAG are in down state. If there is at least one port in Up state - TAP should be in Link Up state.
  9. Corrected: Traffic diversion in router for on-stick device in LAG. When forming VRF topology, it was not taken into account that the LAG includes the base (physical) device, and the on-stick (virtual) device is specified in the router description.
  10. Fixed: Read all data from TAP device. At fastDPI startup there were possible situations when router is not fully initialized yet and TAP is already monitored but not read out.
  11. The router_subs_announce option is made hot (hot)
  12. Fixed: mbuf leak on fastDPI startup

SDS

  1. The storage_tag value is set based on directional priority or protocol priority

Radius

  1. Added the ability to work with standard linux interfaces using libpcap. Description

Changes in Version 13.1

Warning! An error has been detected in version 13.1. PPPoE sessions do not close when idle_timeout expires.
The fix is planned for the next release.

DPI

  1. Global code refactoring - discontinued support for pf_ring
  2. Added: service 19 - DNS response substitution. Description
  3. Modified: minimum PCAP file size to 100 MB. PCAP file rotation on reload Description
  4. Modified: improved DROP event tracing
  5. Fixed: erroneous ERROR level message appearing for certain fdpi_ctrl requests
  6. Fixed: incorrect TLS (SNI) parsing when multiple 'ALPN Protocols' are specified
  7. Modified: mechanism for updating AS and IP compliance lists. Description

BRAS

  1. Fixed: subscriber activity control via unicast ARP Request. Previously, it was a broadcast ARP Request, which is not optimal for the network. Description
  2. Added: SHCV (Subscriber Host Connectivity Verification) — DHCP subscriber activity control. Considered scenario for an already "closed" record to prevent repeated SHCV trigger and increase in the 'SHCV: session closed by inactivity' counter. Description
  3. Added: ARP Proxy for known routes (router mode only). This feature is applied only if the ARP request initiator is a known subscriber. A new flag - 0x0004 has been added to the bras_arp_proxy option. Description
  4. Fixed: help() for IPv6 addresses in the subs prop show command
  5. Fixed: error in parsing parameters for the subs prop del command, which resulted in the inability to delete properties by IP with the error
    ERROR: Result code=9: No subscriber IP address
  6. Added: CLI command dhcp disconnect. This is a CLI analog of CoA Disconnect. The disconnect mode is set by the bras_dhcp_disconnect option.
    1. dhcp disconnect all - disconnect all DHCP sessions
    2. dhcp disconnect [ mac=X | ip=X ] - disconnect specified session
  7. Fixed: sending L3 reauth for L2 subscriber in advance, not waiting for session timeout
  8. Added: number of sessions closed due to inactivity (SHCV) in the dhcp show stat CLI command
  9. Fixed: error in intercepting and processing ICMPv6 packets, checksum not recalculated in some cases when modifying ICMPv6 packet

NAT

  1. Modified: tracing in vdpi_new_flow_nat_ipv4 is always output
  2. Fixed: based on the value of nat_exclude_private, additionally checking the pair CHECK_AS_LOCAL or CHECK_AS_PEER for AS in local interconnect

Router

  1. Added: ARP management. Description
  2. Fixed: port selection for recording in a pass-through LAG. If LAG passes through fastDPI, port selection for recording from TAP should consider the Link Up/Down state of both bridge sides of the port
  3. Fixed: announcing NAT profile subnets upon addition
  4. Added: CLI command router vrf dump. The command outputs the list of VRFs set in the system and their properties
  5. Fixed: do not consider term by AS when announcing NAT subnets. The term_by_AS mode applies to subscribers, not to NAT profiles, hence it should not be considered when announcing a NAT subnet
  6. Fixed: order of packet interception from the general processing pipeline
  7. Fixed: increased number of mbuf in selfgen mempool if router enabled: if router disabled: mempool size=512 * number_of_slaves_in_cluster, if router enabled: mempool size=8 * 1024 * number_of_slaves_in_cluster

LAG

  1. Fixed: zeroing the array when building a new list of active ports. The error leads to array overflow and memory corruption
  2. Added: logging of the "no mbuf" error when sending LACP
1)
Cradle of mankind: humans have lived here for over 50,000 years