Version 12 Machu Picchu

12.0 Machu Picchu 1)

Changes in version 12.0

  1. Changed: switch to DPDK 22.11 LTS
  2. Added: parsing of 'Chaos Protection' header to QUIC IETF
  3. Added: cold parameter nat_transcode_cidr, which specifies CIDR of provider's public addresses. It is possible to use 2 CIDR parameters when re-coding from public to private for NAT 1:1. Any public address can be assigned to the private address for NAT 1:1.
  4. Changed: hash function for distribution by worker threads: ( crc( ip_src ) % nthread + crc( ip_dst ) % nthread ) % nthread
  5. Changed: public address allocation algorithm for CG-NAT: crc( private ) % nthread + crc( public ) % nthread
  6. Changed: the message '[NFLW] very long operation ….' is always displayed no matter how many times the message is repeated
  7. Changed: the name of the file record directory - added stream
  8. Added: output of statistics on NetFlow/IPFIX sending
        [STAT    ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {a/b/c%/d/e}
    
        a - the number of sending cycles executed
        b - the number of sending cycles in which the time spent on sending exceeded the cycle execution period
        c - percentage of cycles that exceeded the period: 100 * b/a
        d - maximum duration of a cycle, microseconds
        e - period of sending statistics, microseconds (value of the netflow_timeout parameter, which is set in seconds)
    
        E.g.:
        [STAT    ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {7/0/0.00%/45297us/30008163us}
  9. [PCRF][PPPoE] Fixed: previously, if Radius responded with an IPv6 address instead of a prefix, we did not make the prefix from the address, which led to recreation of the acct-sessions. Newly created acct-sessions used to be without login and other important attributes for ISPs.
  10. [BRAS][L3-AUTH] Changed: Framed-Route is no longer applied to PD-prefix
  11. [PCRF][ACCT] Fixed: previously, when an entry was unlinked from a multisession, the IP addresses for the multisession were not corrected. Unlink occurs during aggregation. As a result, other entries, which had no relation to this multisession, may have been bound to it later.
  12. [PCRF][DHCPv6-Pool] Fixed: Forming the Link-Address field for Relay-Fwd when sending a request to a specific DHCPv6 server
  13. [BRAS][PPPoE-IP6] IPv6 address request from Framed-IPv6-Pool is performed when the first IP6CP Cfg-Req comes from the client
  14. [CLI][ACCT] Added: fastdpi-server NAS attributes output in pcrf acct show commands
  15. [BRAS][DHCP] Fixed: Sending a NAK to a DHCP-Request for another server
  16. Added: support for DDP profiles for Intel 700-series NICs (i40e driver) for PPPoE/GTP/MPLS tunnel balancing when using dpdk_engine=2. DDP is loaded from /lib/firmware/intel/i40e/ddp/i40e.pkg file during i40e ports initialization. Lifetime of the loaded DDP profile: until the server is rebooted.
  17. Changed: algorithm for selecting a server for recording SDS
  18. [CLI] Added: setting L2 subs_id in the subs prop set command
  19. [BRAS][DHCP-Relay] Added: support for L2 subs_id
  20. [BRAS][AUTH] Added: support for l2subs_id for L3-authorization, since the L3 auth response from the Radius may indicate that it is an L2 subscriber
  21. [BRAS][ARP-AUTH] Added: support for l2subs_id
  22. [BRAS][PPPoE][CLI] Added: l2lan_id attribute for PPPoE sessions
  23. [BRAS][PPPoE] Removed: support for MAC authorization (without login and password); the bras_ppp_mac_auth option is removed
  24. [PPPoE][CLI] Added: support for the subs_id parameter that identifies the PPPoE session
  25. [BRAS] Added: l2lan_id class - L2 network identifier. l2lan_id is intended for separating subscribers by VLAN. The l2lan_id is derived from the l2subs_id, i.e. its formation is set by the same bras_subs_id option. Basically, l2lan_id is a VLAN prefix from l2subs_id.
  26. [BRAS][DHCP] All internal DHCP session databases now consider l2lan_id - it is included in their MAC and Client-Id key. That is, two subscribers with the same MAC-address, but in different VLANs, are considered different subscribers (if bras_subs_id is set to consider VLANs). Opt82 and Q-in-Q secondary keys do not consider l2lan_id. Read more about bras_subs_id
  27. Added: configuration parameter rx_dispatcher, the method of hashing flows across worker threads; 0 - the old method, used by default: ((ip_src+ip_dst)%N) & ip_mask; 1 - the new method with recoding support for NAT 1:1: (CRC(IP_SRC)%N+CRC(IP_DST)%N)%N
  28. [Radius monitor] Added: support for exporting NAS address and port and other attributes
  29. [Radius monitor] Added: connection of service 12
  30. [BRAS] Added: setting bras_ppp_lcp_start_timeout
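The statistics line from item 8 of this list can be checked automatically, so that lost NetFlow/IPFIX export cycles are noticed before a gap appears in flow records. The following is an added example, not code from the product: the function names and both thresholds are assumptions, and the slow-cycle check assumes the cycle period equals the value printed as e.

```python
import re

# Layout documented in item 8: {a/b/c%/d/e}, with d and e in microseconds.
STAT_RE = re.compile(
    r"\[STAT\s*\]\[(?P<ts>[^\]]+)\]\s*Statistics on NFLW_export\s*:\s*"
    r"\{(?P<a>\d+)/(?P<b>\d+)/(?P<c>\d+(?:\.\d+)?)%/(?P<d>\d+)us/(?P<e>\d+)us\}"
)

# The first line is the sample from the release notes; the others are constructed.
SAMPLE_LOG = """\
[STAT    ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {7/0/0.00%/45297us/30008163us}
[INFO    ][2022/11/20-18:00:00:000001] constructed unrelated line
[STAT    ][2022/11/20-18:25:03:000000] Statistics on NFLW_export : {120/6/5.00%/31200000us/30000000us}
[STAT    ][2022/11/20-18:55:03:000000] Statistics on NFLW_export : {10/5/10.00%/1000us/30000000us}
"""


def parse_nflw_export(line):
    """Return the five counters of one statistics line, or None for any other line."""
    m = STAT_RE.search(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "cycles": int(m["a"]),          # a
        "overruns": int(m["b"]),        # b
        "overrun_pct": float(m["c"]),   # c as printed
        "max_cycle_us": int(m["d"]),    # d
        "period_us": int(m["e"]),       # e
    }


def assess(rec, warn_pct=1.0, warn_fill=0.5):
    """Return findings for one record; both thresholds are assumptions to tune per site."""
    findings = []
    a, b = rec["cycles"], rec["overruns"]
    real_pct = 100.0 * b / a if a else 0.0
    # c must equal 100 * b/a; a mismatch means a damaged or edited log line.
    if b > a or abs(real_pct - rec["overrun_pct"]) > 0.01:
        findings.append("inconsistent")
    # Cycles that ran past their period are export intervals at risk of lost data.
    if real_pct >= warn_pct:
        findings.append("overrun")
    # Assumption: the cycle period is e, so d close to e means little headroom.
    if rec["period_us"] and rec["max_cycle_us"] >= warn_fill * rec["period_us"]:
        findings.append("slow-cycle")
    return findings


def scan(log_text):
    """Return (timestamp, findings) for every statistics line that needs attention."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_nflw_export(line)
        if rec is None:
            continue
        findings = assess(rec)
        if findings:
            flagged.append((rec["ts"], findings))
    return flagged


if __name__ == "__main__":
    for ts, findings in scan(SAMPLE_LOG):
        print(ts, ",".join(findings))
```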

Changes in version 12.1

  1. Added: NAT diagnostic information
  2. Added: On-Stick mode support
  3. Minor changes in CG-NAT
  4. Support for service 12 2) on VCHANNEL
  5. Support for protocols with names that can be downloaded from the cloud
  6. SDS: transfer data in pcapng format

Changes in version 12.2

  1. Corrections to the CG-NAT utilization statistics output
  2. Parsing the new GQUIC versions
  3. New service 16 – allow list (captive portal) without access of subscribers to the Internet (due to failure of uplinks, subscriber in long-term blocking, etc.)
  4. New dpdkinfo utility. Description

Changes in version 12.3

  1. PPPoE authorization management service based on Service-name field. Description under PPPoE Authorization Setup
    fdpi_cli help vlan group
    vlan group : manage <add|delete|show> vlan group authorization  policy
      vlan group <group-id> ...       - manage <group-id>
      vlan group 2          ...       - manage <group-id> = <2>
      vlan group 2 deny  auth  pppoe  - deny authorization by pppoe and delete all its properties
      vlan group 2 allow auth  pppoe  - allow authorization by pppoe
      vlan group 2 show  auth  pppoe  - show policy for authorization by pppoe
      vlan group 2 show  auth  all    - show policy for all authorization protocols
      vlan group 2 show  all          - show all properties for group
      vlan group 0 show  all          - show all properties for all groups - full scan and print udr
      vlan group 2 auth  pppoe allow add service-name name=sname delay=3 - allow authorization by pppoe for service-name  sname with podo-delay=3
      vlan group 2 auth  pppoe deny add service-name name=sname delay=3 - deny authorization by pppoe for service-name
      vlan group 2 auth  pppoe delete service-name name=sname - delete service-name  sname and its properties
      vlan group 2 auth  pppoe show service-name all - show service-name policy for authorization by pppoe
      vlan group 2 drop               - drop packet without any analysis
      vlan group 2 pass               - passthrough packet without any analysis
  2. Added: support for sending heartbeat for external bypass
  3. Added: extract and transfer to IPFIX of cookies from Set-Cookie
  4. Improved: prevention of short TCP stalls in IPFIX threads through an additional user timeout setting (in addition to the standard TCP keepalive mechanism)
  5. Added: performant rx_dispatcher=2 with even balancing over an arbitrary number of flows (but no support for nat1:1 with the requirement to assign specific addresses). Description under Settings and management
  6. [BRAS][PPPoE] Fixed: dual-stack: adding IP addresses to an existing acct session
  7. [PCRF] Fixed: switch persist queue to "connected" mode
  8. [CLI] Added CLI command fdpi_cli pcrf persist queue reconnect, which reconnects to fastDPI without resetting the queue. Can be applied to a specific connection or to all connections. Description under FastPCRF Management
  9. [PCRF][PPPoE][Framed-Pool] Fixed: create acct-session with session_id announced during authorization
  10. Added support for pcapng format for recording to storage
  11. [CoA] Added processing of CoA Update by l2subs_id. Description under Radius CoA
  12. Added: saving ICMP protocol translations in NAT exports
  13. Changed: nat_exclude_private parameter and corresponding support: int nat_exclude_private;
    Bitmask to avoid NAT for private addresses:
    0 - always do private → public conversion
    1 - do not do NAT for private addresses (ip_src and ip_dst are private or are in psz_prms_user_private)
    2 - ip_src is private given psz_prms_user_private and AS for dst_ip = local
    4 - ip_src - private with prms_user_private and AS for dst_ip = peer. Description under Settings and management
  14. [CoA] Added processing of CoA Reauth by l2subs_id. Description under Radius CoA
  15. [CoA] Added CoA Disconnect processing by l2subs_id. Description under Radius CoA
  16. [fDPI] Maximal number of clusters increased from 10 to 12
  17. [PCRF][ACCT] Added: pass VasExperts-L2-SubsId attribute to Acct Start/Interim/Stop. Description under Radius attributes
  18. [DPDK] Added: disable Ethernet Flow Control on port startup
  19. [PCRF][DHCPv6-POOL] Fixed generation of Client-DUID when composing DHCP6-RENEW for Framed-IPv6-Pool
    The Client-DUID must be immutable throughout the DHCPv6 session, otherwise the DHCPv6 server may issue a different IPv6 prefix on Renew, resulting in PPPoE session closure. To achieve immutability, the Client-DUID is now formed from the subscriber's l2subs_id.
  20. [PCRF][DHCP-POOL] Fixed 'request-response' identification when working with DHCP pools.
    The identifier used is:
    For DHCPv4 – subscriber MAC address (chaddr) + request xid
    For DHCPv6 – Client-Id option and xid of the request.
    The server is required to pass the Client-Id option in the response, unlike other request options.
  21. [BRAS] Added CLI command dhcp show stat vrf
    Display the number of DHCP subscribers by VRF
  22. [PCRF] Added CLI-command pcrf radius enable/disable
  23. [PCRF] Added CLI command pcrf radius ping
  24. [PCRF] Added CLI command pcrf radius status
  25. Changed: if session has no public address - CG-NAT is enabled.
  26. Added: if service 11 is removed, NAT is disabled and resources are released. Occurs only if there is read data on flow
  27. [BRAS][DHCP] Use the subscriber MAC address from DHCP request for l2subs_id.
    The srcMAC from the ethernet header of the packet is used to generate the L2 subscriber ID (see bras_subs_id). In case DHCP requests go through DHCP Relay, the srcMAC in the ethernet header of the DHCP packet is no longer the MAC address of the subscriber. DHCP requests of all subscribers passing through DHCP Relay have the same MAC in the ethernet header and the same subs_id.
    Solution: to generate the L2 identifier, the subscriber's MAC address is now taken from the DHCP packet, chaddr field.
  28. [PCRF] watchdog - new Radius server monitor. Description under Full list of settings
    New fastpcrf.conf parameters:
    • Radius-servers ping timeout, in seconds.
      If there are no authorization requests, fastPCRF periodically pings Radius servers by sending a Status-Server or Access-Request. If the server responds, it is considered available. The default value is 60 seconds: radius_keepalive=60
    • User-Name (radius_ping_user_name) and Password (radius_ping_user_password) of the pseudo-subscriber for ping requests.
      FastPCRF attempts to maintain a connection to all described Radius servers by periodically sending a ping request to the servers.
      A ping request is a Status-Server request (if Radius supports it) or a regular Access-Request with User-Name and Password specified. These parameters set User-Name and Password for Access-Request ping requests (Status-Server does not use these parameters). For the FastDPI process, the fact itself that the server responds to the ping request is important; the content of the response (Access/Reject and their attributes) is not analyzed. If User-Name and Password are not specified, the Access-Request ping request will still be sent, but without User-Name and Password attributes. There are no default values. The radius_revive_period parameter has been removed as unnecessary.
  29. Modified: for a flow, the flag p_flow_->cmn.bts_check_ip |= ntconnt::bts_nat_must_whip is set.
    The flag indicates that a request is coming from a private address and a public address is required for this flow. If no public address is assigned, attempts to allocate a public address continue (for TCP, only on SYN). This is because requests may come from a private address and only then service 11 appears, but the flow already exists and will never work.
  30. Modified: if a public address is set for a flow, the presence of service 11 is checked. If there is no service, the public address is released.
  31. [Router] Added: error message in fastdpi_alert.log "VRF has no TAP"
    If VRF does not have any device – it is impossible to announce address in such VRF. This error is displayed in fastdpi_alert.log not more than once per hour for each VRF
  32. Added: fdpi_cli commands: nat dump transcode, nat dump translater [profile name], nat dump translater data [profile name]
  33. New policing profile name – BV###NNNNNNN[#MMMM][#++++--], where NNNNNN - incoming traffic rate in kbps, MMMM - outgoing traffic rate in kbps, + - class enabled, - class disabled. Description under Subscriber authorization attributes
  34. [PCRF] Added: new chaddr@opt60 value for radius_user_name_dhcp option
    Example: radius_user_name_dhcp=chaddr@opt60, User-Name in Access-Request is formed from the MAC address of the DHCP packet header (chaddr field) and option 60 if this option is in the DHCP request. Description under DHCP Radius proxy - Access-Request
  35. Changed: improved FACEBOOK VIDEO detection
  36. Fixed: when parsing quic_ietf for the first CRYPTO packet, if offset==0 is set - checks for possible fragmentation
  37. Added: parsing that accounts for the changes between Google QUIC versions: before version 34 there was an additional field "Private Flags", and the SSG did not parse such packets; since version 39 the byte order of the "Data Length" record is changed
  38. Added policing and service 16 on values from profile name. Description under Subscriber authorization attributes
  39. [BRAS] Added: new bras_ip_filtering option
    [hot] Traffic filtering (bitmask); disabled (=0) by default: bras_ip_filtering=0
    Allowed flags: 0x0001 - IP spoofing control (restricting forged traffic). A packet on the subs → inet path is dropped if the subscriber's IP address (srcIP) is unknown to L2 BRAS, bras_term_by_as = 0 and the subscriber's AS is not local.
  40. [BRAS] Added: bras_vrf_isolation option - isolation at VRF level. Description under Soft-Router
    Added new fastdpi.conf option: [hot] VRF Isolation. By default (0), L2 BRAS does not isolate subscribers from different VRFs. If this mode is enabled (1), subscribers from different VRFs are isolated from each other: for a subscriber from VRF1, the gateway must also be in VRF1, and local interconnect works only for subscribers from the same VRF1. bras_vrf_isolation=0
    When this option is enabled:
    • ARP from subscriber to gateway - processed by fastDPI only if the subscriber and gateway are in the same VRF
    • ICMP ping of gateway - processed by fastDPI only if the subscriber and gateway are in the same VRF
    • local interconnect - applied only if both subscribers are in the same VRF.
  41. Fixed: error messages for client should not contain LF in json
  42. [BRAS][ARP] Modified: ARP processing to gateway. Respond to ARP request to gateway only if sender and gateway VRFs match (sender and GW are in the same VRF).
  43. [VRF] Modified: VRF name assignment via service 254 (Radius only). Description under Soft-Router
  44. [BRAS][DHCP-Proxy] Session-Timeout and Lease-Time for Framed-Pool.
    If an address is issued from Framed-Pool for a small amount of time (small lease-time) and a large session-timeout is specified during authorization, then all Renew/Rebind requests from the subscriber must be sent to the DHCP server via PCRF to renew the lease, otherwise the DHCP server may think that the address is free. Reauthorization is done only when session-timeout is reached
  45. Added: support for service 16 - processing SYN requests and subsequent forwarding without transmitting packets to the Internet. Description under Subscriber authorization attributes
  46. [Router] Added: shared neighbor cache for VRF.
    Added: [cold][optional] neighbor_cache option in the router_vrf { } VRF configuration.
    A string, the default ARP cache name for this VRF; each VRF has its own ARP/Neighbor cache isolated from others.
    If you want several different VRFs to share a common ARP/Neighbor cache, set the same value of the neighbor_cache option in the description of these VRFs: router_vrf { neighbor_cache=… }. Description under Soft-Router
  47. [PCRF] fastpcrf.conf option radius_user_name_dhcp - added new value opt61@opt60: radius_user_name_dhcp=opt61@opt60. Description under DHCP Radius proxy - Access-Request
    User-Name in Access-Request is generated from DHCP options 61 and 60 if these options are present in the DHCP request.
    New fastpcrf.conf options - in which attributes to pass DHCP options to Access-Request
    [hot] Specify attributes in which DHCP options are passed. Assignment format: attr_dhcp_opt43=vendorId.attrId where vendorId is the vendor id, a number from 0 to 2^32-1.
    If vendorId !=0, the value is passed in the VSA attribute.
    If vendorId == 0, then the value is passed in the regular Radius attribute (non-VSA)
    attrId - attribute id, a number between 1 and 255
    Attributes are assumed to be of type octets (passed as is in binary form)
    Value 0.0 - do not pass this attribute to the Radius server.
    Default values are as follows: attr_dhcp_opt43=0.0, attr_dhcp_opt60=43823.34 # VasExperts-DHCP-ClassId, attr_dhcp_opt61=43823.33 # VasExperts-DHCP-ClientId
  48. Added: support for service 16 and its profile: setting, deleting and viewing via fdpi_ctrl; the profile matches the structure used for service 5
    Example of setting: fdpi_ctrl load profile --service 16 --profile.name portal_info_1 --profile.json '{ "ip_list" : "/var/lib/dpi/ip_list_1.bin", "redirect" : "http://info.test.ru" }'
    The max_profiles_serv16 parameter sets the maximum number of profiles. The default is 32. Description under Subscriber authorization attributes
  49. [DHCP-Proxy] Introduced CoA Disconnect processing modes. Description under Radius CoA
    Added new bras_dhcp_disconnect option, which is a bitmask of the following flags:
    • 0x0001 - disable acct stop, do not immediately send acct stop for a disconnected DHCP subscriber
    • 0x0002 - disable L3 auth, do not perform L3 authorization for disconnected DHCP subscriber
    • 0x0004 - block traffic - block all traffic from disconnected subscriber (i.e. on subs → inet path)
    • 0x0008 - respond to DHCP Request → NAK
    • 0x0010 - ignore DHCP Request (wait for DHCP Discovery)
  50. [DHCP-Proxy] Added: control of subscriber IP address change
    If a subscriber is given a different IP address, the former IP address should be de-announced
  51. [VRF][CLI] VRF support added to all router CLI commands
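Items 20 and 27 of this list both depend on reading the subscriber's identity from inside the DHCP packet instead of from the Ethernet header. The following added example (not the product's code) parses constructed DHCPv4 frames and shows that two subscribers behind one relay collapse into one identity when keyed on srcMAC but stay distinct when keyed on chaddr; all function names and MAC addresses are assumptions, and the way the MAC is folded into l2subs_id by bras_subs_id is not reproduced.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header


def build_request(eth_src, chaddr, xid, giaddr="0.0.0.0"):
    """Constructed Ethernet/IPv4/UDP DHCPREQUEST for the demo (checksums left at zero)."""
    bootp = struct.pack("!4BIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0,   # op=BOOTREQUEST, htype=Ethernet, hlen=6
                        bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
                        chaddr, b"", b"")
    dhcp = bootp + MAGIC + bytes([53, 1, 3, 255])   # option 53 = DHCPREQUEST, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), socket.inet_aton("255.255.255.255")) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip


def parse_dhcp4(frame):
    """Return eth_src, chaddr, xid and giaddr of a DHCPv4 frame, or None if it is not one."""
    if len(frame) < 14:
        return None
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    while ethertype in (0x8100, 0x88A8) and len(frame) >= off + 6:   # VLAN / Q-in-Q tags
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    ip = off + 2
    if ethertype != 0x0800 or len(frame) < ip + 20:
        return None
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip] >> 4 != 4 or ihl < 20 or frame[ip + 9] != 17:       # IPv4 carrying UDP only
        return None
    udp = ip + ihl
    b = udp + 8                                                      # start of BOOTP header
    if len(frame) < b + 240:
        return None
    sport, dport = struct.unpack_from("!HH", frame, udp)
    hlen = frame[b + 2]
    if not {sport, dport} <= {67, 68} or not 1 <= hlen <= 16:
        return None
    if frame[b + 236:b + 240] != MAGIC:
        return None
    (xid,) = struct.unpack_from("!I", frame, b + 4)
    return {"eth_src": frame[6:12], "chaddr": frame[b + 28:b + 28 + hlen], "xid": xid,
            "giaddr": socket.inet_ntoa(frame[b + 24:b + 28])}


def subscriber_mac(pkt, use_chaddr=True):
    """MAC used for the L2 subscriber ID: chaddr (item 27) or Ethernet srcMAC (earlier)."""
    return pkt["chaddr"] if use_chaddr else pkt["eth_src"]


def transaction_key(pkt):
    """DHCPv4 request/response identifier from item 20: chaddr + xid."""
    return (pkt["chaddr"], pkt["xid"])


def distinct_ids(frames, use_chaddr):
    """Number of different subscriber MACs seen in the frames under the chosen rule."""
    return len({subscriber_mac(parse_dhcp4(f), use_chaddr) for f in frames})


# Constructed data: one relay forwarding requests of two subscribers, same xid on purpose.
RELAY = bytes.fromhex("02aabbccdd01")
SUB_A = bytes.fromhex("020000000a01")
SUB_B = bytes.fromhex("020000000b02")
FRAMES = [build_request(RELAY, SUB_A, 0x1111, "10.0.0.1"),
          build_request(RELAY, SUB_B, 0x1111, "10.0.0.1")]

if __name__ == "__main__":
    print("identities keyed on srcMAC:", distinct_ids(FRAMES, use_chaddr=False))
    print("identities keyed on chaddr:", distinct_ids(FRAMES, use_chaddr=True))
```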

Changes in version 12.4

DPI

  1. Added: support for individual session rate limiting protocols and definition of traffic classes at the channel and subscriber levels. Description under Policing by session and overriding traffic classes
    #to support this service additional RAM will be required (compared to standard requirements), it is reserved by setting
    support_service_18=1 #in /etc/dpi/fastdpi.conf

    #dscp_prof_1.txt:
    speedtest cs1
    default keep
    #conversion of the list to a profile file
    cat dscp_prof_1.txt|lst2dscp /tmp/dscp_prof_1.dscp

    #tbf_prof_1.txt:
    speedtest tbf rate 16mbit inbound.rate 16mbit
    bittorrent tbf rate 8Mbit
    signal tbf rate 1kbit inbound.rate 2kbit
    TCP Unknown tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit

    #conversion of the list to a profile file
    cat tbf_prof_1.txt|lst2tbf /tmp/tbf_prof_1.tbf
    #reverse conversion tbf2lst /tmp/tbf_prof_1.tbf

    #loading the profile and assigning it to a subscriber
    fdpi_ctrl load profile --service 18  --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/dscp_prof_1.dscp", "tbf" : "/tmp/tbf_prof_1.tbf" }'
    fdpi_ctrl load --service 18  --profile.name test_dscp --login DEMO
    #or/and
    fdpi_ctrl load --service 18  --profile.name test_dscp --vchannel 1
  2. Added management of traffic processing levels at the VLAN level. The hide command allows you to do a traffic drop with pre-analysis. Description under Handling traffic by VLAN
    fdpi_cli vlan group <id> drop
    fdpi_cli vlan group <id> pass
    fdpi_cli vlan group <id> hide
  3. Fixed: when binding an IP to a login, check if this IP is already bound to this login. The mtd_bind_ip_login function for binding IP to login was unconditionally performing unbind before binding, without checking the current binding. unbind clears current services, including service 9 data (netflow, accounting), which led to quiet resetting of acct counters on subscriber reauthorization if auth and acct synchronization in fastpcrf is disabled. This commit adds a check: if IP is already associated with a valid login - bind/unbind/rebind does not need to be done, mtd_bind_ip_login function just returns "ok" result.
  4. Added "DTLS", "RTCP", "LIGHTWAY", "GOOGLE_MEET", "JITSY", "WECHAT", "DOT", "META_CALLS" protocols
  5. Improved Skype detection in STUN
  6. Added radmin-port protocol signature
  7. Added support for IPv6 channels (with reload). Description under Policing of Virtual Channel (vChannel) — setting for CIDR
    Example of an assignment:
    fe80::0/8 1
    cat ipchannels6.txt | as2bin6 /etc/dpi/ipchannels6.bin
  8. Added blocking of all IPv6 when service 4 and block_options=4 are enabled
  9. Fixed bug in TELEGRAM_TLS detector causing over-detection
  10. Added support of reload for IPv6 channels
  11. Added LiveU protocol. Changed the name of the protocol radmin-port to radmin. List of new protocol identifiers:
    DoT          49281
    RTCP         49282
    LIGHTWAY     49283
    GOOGLE_MEET  49284
    JITSY        49285
    WECHAT       49286
    DTLS         49287
    META_CALLS   49288
    LIVEU_LRT    49289
  12. Added vchannels_default= setting to put traffic unallocated on other channels into a separate channel (but not 0!). Description under Policing of Virtual Channel (vChannel) — Setting up
  13. Fixed: building structures to divert traffic to TAP (Error of sorting IPv4-address array).
  14. Added support for service 18 for vchannels
  15. Added support for service 49 for channels and subscribers: IPv6 traffic blocking. Description under Management — Activation of IPv6 traffic blocking service
    fdpi_ctrl load --service 49 --login DEMO
    fdpi_ctrl load --service 49 --vchannel 1
  16. Renamed protocol JITSY → JITSI
  17. Fixed: for virtual channels DSCP is defined only if support_service_18 parameter is set. Description under Policing by session and overriding traffic classes — SSG Configuration
  18. The ASN is now taken into account in DTLS-based GOOGLE MEET detection
  19. Added: WECHAT protocol definition
  20. Fixed: whatsapp_voice definition for TCP transport protocol
  21. Fixed definition of custom protocols based on IPv6 addresses/CIDR
  22. Improved recognition of openvpn, holavpn, signal
  23. Added the ability to supplement the definition of a signal
  24. Added possibility to use CIDR, addresses and ports for IPv4 and IPv6 in black and white lists. If CIDR or address is set, all TCP ports are blocked (UDP with the setting udp_block=3). Description under File format with a list of IP addresses to block
  25. Added utilities: checklock to check for blacklisting and checkproto to check for a custom protocol. The address or port address must be specified on the command line.
  26. Fixed: stun processing for TCP
  27. Changed definition by realm: if another protocol is specified - the protocol is changed at once.
  28. Added: service 17 (no profile) - mirroring traffic to a specified VLAN. Description under PCAP Record Management and VLAN Mirroring — Mirroring on a VLAN
    #Parameters in fastdpi.conf:
    span_vlan=123
    span_trace=1
    #For diagnostics you can use: 
    #trace_ip or span_trace or ajb_save_emit
    #if you set service 12 and 17, then in pcap we will see original recording and mirrored recording

BRAS

  1. Added extracting information from Radius avp framed-ipv6-prefix. Added sending framed-ipv6-prefix and delegated-ipv6-prefix over IPFIX
  2. Fixed: VLAN translation for ARP packets inet→subs
  3. Fixed bug with AS numbers in IPFIX
  4. Fixed framed-pool support bug
  5. Added: parameter netflow_tos_format, the data format of the IPFIX TOS field: netflow_tos_format=0 (default value) - 3-bit (priority only); netflow_tos_format=1 - 6-bit (full DSCP). Description under Configuring export in IPFIX (Netflow 10)
  6. Added: IPFIX fullflow now passes an additional field, the original TOS from the IP header, which makes it possible to build reports on external markup
  7. Fixed: dhcp nak issue
  8. Fixed channel detection in IPFIX for IPv6
  9. Adding opt125 with pool name as the first option. Reason: KEA parses only the first vendor when defining the client class (opt125). Description under IPv4 Pools Support — FastPCRF Configuration
  10. Closing DHCP sessions after CoA Disconnect. If after PoD (CoA Disconnect) there is no DHCP request before the lease time expires, the session should be closed by sending a de-announce and acct stop. It should be taken into account that the subscriber's session type may change from DHCP to StaticIP or PPPoE; in this case, the DHCP session should be closed without de-announce and acct stop. Description under Radius CoA — Disconnect-Request
  11. CLI: new parameter ts_lease_expired — lease end time — was added to the output of the dhcp show command.
  12. Added option acct_disable_interim_update — prohibit sending Interim-Update. Do not send Interim-Update: acct_disable_interim_update=1. Default acct_disable_interim_update=0 (Interim-Update is sent). Description under FastPCRF settings
  13. Added IPv6 support for CoA. Command-Code=1 - search for acct session by IP. The acct session can be searched by IPv6 prefix attributes Framed-IPv6-Prefix or Delegated-IPv6-Prefix. The command response specifies all known IP addresses of the found acct-session - Framed-IP-Address, Framed-IPv6-Prefix, Delegated-IPv6-Prefix. Description under Radius CoA — Accounting session request for given IP address
  14. Fixed: cli-command dhcp show stat vrf. Subscriber's subs_id was not checked when determining session "liveliness" - transfer of IP address to another subscriber may break this statistics
  15. Fixed: update lease expired for address from Framed-Pool
  16. Added: support for Huawei vendor-specific tag 1. The value is interpreted as ADSL-Forum-Circuit-Id. If a PPPoE packet contains both Circuit-Id and Huawei tag 1, Circuit-Id is preferred and Huawei tag 1 is ignored. Description under Access-Request format for the PPPoE networks — Support Huawei vendor-specific tag 1
  17. Fixed: de-announcement of the previous address if a new one is given to the client

NAT

  1. Fixed: crash when a public address is being allocated (rare event: when the NAT service is removed at the moment of public address allocation)

SDS

  1. Automatic UUID generation and saving in /var/lib/dpi/sdsuuid.dat file
1) Machu Picchu, the "Lost City of the Incas", is located in southern Peru on a 2,430-meter mountain ridge and is a UNESCO World Heritage Site
2) Record subscriber traffic in PCAP file