Version 12 Machu Picchu
12.0 Machu Picchu 1)
Changes in version 12.0
- Changed: switch to DPDK 22.11 LTS
- Added: parsing of 'Chaos Protection' header to QUIC IETF
- Added: cold parameter
nat_transcode_cidr
, which specifies CIDR of provider's public addresses. It is possible to use 2 CIDR parameters when re-coding from public to private for NAT 1:1. Any public address can be assigned to the private address for NAT 1:1. - Changed: hash function for distribution by worker threads: ( crc( ip_src ) % nthread + crc( ip_dst ) % nthread ) % nthread
- Changed: public address allocation algorithm for CG-NAT: crc( private ) % nthread + crc( public ) % nthread
- Changed: the message '[NFLW] very long operation ….' is always displayed no matter how many times the message is repeated
- Changed: the name of the file record directory - added stream
- Added: information output statistics for sending NetFlow/IPFIX
[STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {a/b/c%/d/e} a - the number of cycles of sending executed b - the number of cycles of sending, when the time spent on sending exceeded the period of execution of cycles c - percentage of exceeding the number of the cycles: 100 * b/a d - time of the maximum duration of the cycle microseconds e - time of the period of sending statistics, microseconds (''netflow_timeout'' parameter value (is set in seconds)) E.g.: [STAT ][2022/11/20-17:55:03:213770] Statistics on NFLW_export : {7/0/0.00%/45297us/30008163us}
- [PCRF][PPPoE] Fixed: previously, if Radius responded with an IPv6 address instead of a prefix, we did not make the prefix from the address, which led to recreation of the acct-sessions. Newly created acct-sessions used to be without login and other important attributes for ISPs.
- [BRAS][L3-AUTH] Changed: Framed-Route is no longer applied to PD-prefix
- [PCRF][ACCT] Fixed: previously, when an entry was unlinked from a multisession, the IP addresses for the multisession were not corrected. Unlink occurs during aggregation. As a result, other entries, which had no relation to this multisession, may have been bound to it later.
- [PCRF][DHCPv6-Pool] Fixed: Forming the Link-Address field for Relay-Fwd when sending a request to a specific DHCPv6 server
- [BRAS][PPPoE-IP6] IPv6 address request from Framed-IPv6-Pool is performed when the first IP6CP Cfg-Req comes from the client
- [CLI][ACCT] Added: fastdpi-server NAS attributes output in pcrf acct show commands
- [BRAS][DHCP] Fixed: Sending a NAK to a DHCP-Request for another server
- Added: support for DDP profiles for Intel 700-series NICs (i40e driver) for PPPoE/GTP/MPLS tunnel balancing when using dpdk_engine=2. DDP is loaded from /lib/firmware/intel/i40e/ddp/i40e.pkg file during i40e ports initialization. Lifetime of the loaded DDP profile: until the server is rebooted.
- Changed: algorithm for selecting a server for recording SDS
- [CLI] Added: setting L2 subs_id in the
subs prop set
command - [BRAS][DHCP-Relay] Added: support for L2
subs_id
- [BRAS][AUTH] Added: support for
l2subs_id
for L3-authorization, since the L3 auth response from the Radius may indicate that it is an L2 subscriber - [BRAS][ARP-AUTH] Added: support for
l2subs_id
- [BRAS][PPPoE][CLI] Added:
l2lan_id
attribute for PPPoE sessions - [BRAS][PPPoE] Removed support for MAC authorization, without login and password, removing
bras_ppp_mac_auth
option - [PPPoE][CLI] Added: support for the
subs_id
parameter that identifies the PPPoE session - [BRAS] Added:
l2lan_id
class - L2 network identifier.l2lan_id
is intended for separating subscribers by VLAN. Thel2lan_id
is derived from thel2subs_id
, i.e. its formation is set by the samebras_subs_id
option. Basically,l2lan_id
is a VLAN prefix froml2subs_id
. - [BRAS][DHCP] All internal DHCP session databases now consider
l2lan_id
- it is included in their MAC and Client-Id key. That is, two subscribers with the same MAC-address, but in different VLANs, are considered different subscribers (ifbras_subs_id
is set to consider VLANs). Opt82 and Q-in-Q secondary keys do not considerl2lan_id
. Read more about bras_subs_id - Added: configuration parameter
rx_dispatcher
flow hashing method by worker threads; 0 - old method is used by default (ip_src+ipdst)%N ) & ip_mask; 1 - new method is used with recoding support for NAT1:1 (CRC(IP SRC)%N+CRC(IP_DST)%N)%N - [Radius monitor] Added: support for exporting NAS address and port and other attributes
- [Radius monitor] Added: connection of service 12
- [BRAS] Added: setting
bras_ppp_lcp_start_timeout
Changes in version 12.1
- Added: NAT diagnostic information
- Added: On-Stick mode support
- Minor changes in CG-NAT
- Support for service 12 2) on VCHANNEL
- Support for protocols with names that can be downloaded from the cloud
- SDS: transfer data in pcapng format
Changes in version 12.2
- Corrections to the CG-NAT utilization statistics output
- Parsing the new GQUIC versions
- New service 16 – allow list (captive portal) without access of subscribers to the Internet (due to failure of uplinks, subscriber in long-term blocking, etc.)
- New
dpdkinfo
utility. Description
Changes in version 12.3
- Added: VRF support in router
- PPPoE authorization management service based on Service-name field. Description under PPPoE Authorization Setup
fdpi_cli help vlan group vlan group : manage <add|delete|show> vlan group authorization policy vlan group <group-id> ... - manage <group-id> vlan group 2 ... - manage <group-id> = <2> vlan group 2 deny auth pppoe - deny authorization by pppoe and delete all its properties vlan group 2 allow auth pppoe - allow authorization by pppoe vlan group 2 show auth pppoe - show policy for authorization by pppoe vlan group 2 show auth all - show policy for all authorization protocols vlan group 2 show all - show all properties for group vlan group 0 show all - show all properties for all groups - full scan and print udr vlan group 2 auth pppoe allow add service-name name=sname delay=3 - allow authorization by pppoe for service-name sname with podo-delay=3 vlan group 2 auth pppoe deny add service-name name=sname delay=3 - deny authorization by pppoe for service-name vlan group 2 auth pppoe delete service-name name=sname - delete service-name sname and its properties vlan group 2 auth pppoe show service-name all - show service-name policy for authorization by pppoe vlan group 2 drop - drop packet without any analysis vlan group 2 pass - passthrough packet without any analysis
- Added: support for sending heartbeat for external bypass
- Added: extract and transfer to IPFIX of cookies from
Set-Cookie
- Improved: blocking of the short TCP protocol freezes in IPFIX threads via additional
user timeout
setting (in addition to the standardtcp keep alive
mechanism) - Added: performant
rx_dispatcher=2
with even balancing over an arbitrary number of flows (but no support fornat1:1
with the requirement to assign specific addresses). Description under Settings and management - [BRAS][PPPoE] Fixed:
dual-stack
: adding IP addresses to an existingacct session
- [PCRF] Fixed: switch
persist queue
to "connected" mode - [CLI] Added CLI command
fdpi_cli pcrf persist queue reconnect
, which allows to make a reconnect to fastDPI without resetting the queue. Can be applied to a specific connection or to all connections. Description under FastPCRF Management - [PCRF][PPPoE][Framed-Pool] Fixed: create acct-session with
session_id
announced during authorization - Added support for
pcapng
format for recording to storage - [CoA] Added processing of CoA Update by
l2subs_id
. Description under Radius CoA - Added: saving ICMP protocol translations in NAT exports
- Changed:
nat_exclude_private
parameter and corresponding support:int nat_exclude_private
;
Bitmask to avoid NAT for private addresses:
0 - always do private → public conversion
1 - do not do NAT for private addresses (ip_src
andip_dst
are private or are inpsz_prms_user_private
)
2 -ip_src
is private givenpsz_prms_user_private
and AS fordst_ip = local
4 -ip_src
- private withprms_user_private
and AS fordst_ip = peer
. Description under Settings and management - [CoA] Added processing of CoA Reauth by
l2subs_id
. Description under Radius CoA - [CoA] Added CoA Disconnect processing by
l2subs_id
. Description under Radius CoA - [fDPI] Maximal number of clusters increased from 10 to 12
- [PCRF][ACCT] Added: pass
VasExperts-L2-SubsId
attribute toAcct Start/Interim/Stop
. Description under Radius attributes - [DPDK] Added:
disable Ethernet Flow Control
on port startup - [PCRF][DHCPv6-POOL] Fixed generation of Client-DUID when composing DHCP6-RENEW for Framed-IPv6-Pool
The Client-DUID must be immutable throughout the DHCPv6 session, otherwise the DHCPv6 server may issue a different IPv6 prefix on Renew, resulting in PPPoE session closure. To achieve immutability, the Client-DUID is now formed from the subscriber'sl2subs_id
. - [PCRF][DHCP-POOL] Fixed 'request-response' identification when working with DHCP pools.
The identifier used is:
For DHCPv4 – subscriber MAC address(chaddr)
+ requestxid
\\For DHCPv6 –Client-Id
option andxid
of the request.
The server is required to pass theClient-Id
option in the response, unlike other request options. - [BRAS] Added CLI command
dhcp show stat vrf
Display the number of DHCP subscribers by VRF - [PCRF] Added CLI-command
pcrf radius enable/disable
- [PCRF] Added CLI command
pcrf radius ping
- [PCRF] Added CLI command
pcrf radius status
- Changed: if session has no public address - CG-NAT is enabled.
- Added: if service 11 is removed, NAT is disabled and resources are released. Occurs only if there is read data on flow
- [BRAS][DHCP] Use the subscriber MAC address from DHCP request
for l2subs_id
.
ThesrcMAC
from the ethernet header of the packet is used to generate the L2 subscriber ID (seebras_subs_id
). In case DHCP requests go through DHCP Relay, thesrcMAC
in the ethernet header of the DHCP packet is no longer the MAC address of the subscriber. DHCP requests of all subscribers passing through DHCP Relay have the same MAC in the ethernet header and the samesubs_id
.
Solution: to generate the L2 identifier, the subscriber's MAC address is now taken from the DHCP packet,chaddr
field. - [PCRF] watchdog - new Radius server monitor. Description under Full list of settings
New fastpcrf.conf parameters:- Radius-servers ping timeout, in seconds.
If there are no authorization requests, fastPCRF periodically pings Radius servers by sending a Server-Status or Access-Request. If the server responds, it is considered available. The default value is 60 seconds.radius_keepalive=60
- User-Name (
radius_ping_user_name
) and Password (radius_ping_user_password
) of the pseudo-subscriber for ping requests.
FastPCRF attempts to maintain a connection to all described Radius servers by periodically sending a ping request to the servers.
A ping request is a Status-Server request (if Radius supports it) or a regular Access-Request with User-Name and Password specified. These parameters set User-Name and Password for Access-Request ping requests (Server-Status does not use these parameters). For the FastDPI process, the fact itself that the server responds to the ping request is important, the content of the response (Access/Reject and their attributes) is not analyzed. If User-Name and Password data are not specified – the Access-Request ping request will still be sent, but without User-Name and Password attributes. There are no default values. Theradius_revive_period
parameter has been removed for unnecessary.
- Modified: For flow the sign
p_flow_ → cmn.bts_check_ip |= ntconnt::bts_nat_must_whip
is set.
The sign indicates that a call is coming from a private address and a public address is required for this flow. If no public address is assigned – attempts to allocate a public address continue (For TCP – only if SYN). This is because requests may come from a private address and only then service 11 appears, but the flow already exists and will never work. - Modified: If a public address is set for flow, the presence of 11 services is checked. If there is no service, the public address is released.
- [Router] Added: error message in
fastdpi_alert.log
"VRF has no TAP"
If VRF does not have any device – it is impossible to announce address in such VRF. This error is displayed infastdpi_alert.log
not more than once per hour for each VRF - Added: fdpi_cli commands:
nat dump transcode
,nat dump translater [profile name]
,nat dump translater data [profile name]
- New policing profile name –
BV###NNNNNNN[#MMMM][#++++--]
, where NNNNNN - incoming traffic rate in kbps, MMMM - outgoing traffic rate in kbps, + - class enabled, - class disabled. Description under Subscriber authorization attributes - [PCRF] Added: new
chaddr@opt60 value
forradius_user_name_dhcp
option
Example:radius_user_user_name_dhcp=chaddr@opt60
, User-Name in Access-Request is formed from MAC-address of DHCP packet header (chaddr
field) and option 60 if this option is in DHCP-request. Description under DHCP Radius proxy - Access-Request - Changed: improved FACEBOOK VIDEO detection
- Fixed: when parsing
quic_ietf
for the first CRYPTO packet, ifoffset==0
is set - checks for possible fragmentation - Added: parsing changes - minding the changes in Google QUIC versions: before version 34 there was an additional field "Private Flags". The SSG did not parse such packets. Since version 39 - changed byte order for "Data Length" record
- Added policing and service 16 on values from profile name. Description under Subscriber authorization attributes
- [BRAS] Added: new
bras_ip_filtering
option
[hot] Traffic filtering (bitmask) is disabled (=0) by default.
Allowed flags:0x0001
- controlling IP spoofing (restricting forged traffic
). The packet on subs → inet path is dropped if subscriber's IP address (srcIP) is unknown for L2 BRAS and bras_term_by_as = 0 and subscriber's AS is notlocal. bras_ip_filtering=0
- [BRAS] Added:
bras_vrf_isolation
option - isolation at VRF level. Description under Soft-Router
Added newfastdpi.conf
option: [hot] VRF Isolation. By default (0), L2 BRAS does not isolate subscribers from different VRFs: If this mode is enabled (1), subscribers from different VRFs will be isolated from each other: for a subscriber from VRF1: the gateway must also be in VRF1,local interconnect
will only work for subscribers from the same VRF1.bras_vrf_isolation=0
When this option is enabled:- 1. ARP subscriber to gateway - processed by fastDPI only if subscriber and gateway are in the same VRF
- 2. ICMP ping of gateway - processed by fastDPI only if the subscriber and gateway are in the same VRF
- 3.
local interconnect
- applied only if both subscribers are in the same VRF.
- Fixed: error messages for client should not contain LF in json
- [BRAS][ARP] Modified: ARP processing to gateway. Respond to ARP request to gateway only if sender and gateway VRFs match (
sender
and GW are in the same VRF). - [VRF] Modified: VRF name assignment via service 254 (Radius only). Description under Soft-Router
- [BRAS][DHCP-Proxy] Session-Timeout and Lease-Time for Framed-Pool.
If an address is issued from Framed-Pool for a small amount of time (smalllease-time
) and a large session-timeout is specified during authorization, then all Renew/Rebind requests from the subscriber must be sent to the DHCP server via PCRF to renew the license, otherwise the DHCP server may think that the address is free. Reauthorization is done only whensession-timeout
is reached - Added: support for service 16 - processing SYN requests and subsequent forwarding without transmitting packets to the Internet. Description under Subscriber authorization attributes
- [Router] Added:
shared neighbor
cache for VRF.
Added:router_vrf { [cold][optional]
option to VRF configuration.
String is the default ARP cache name for this VRF, each VRF has its own ARP/Neighbor cache isolated from others.
If you want several different VRFs to share a common ARP/Neighbor cache, you should set the same value of theneighbor_cache
option in the description of these VRFs.neighbor_cache=… }
. Description under Soft-Router - [PCRF] fastpcrf.conf option
radius_user_name_dhcp
- added new valueopt61@opt60: radius_user_name_dhcp=opt61@opt60
. Description under DHCP Radius proxy - Access-Request
User-Name in Access-Request is generated from DHCP options 61 and 60 if these options are present in the DHCP request.
New fastpcrf.conf options - in which attributes to pass DHCP options to Access-Request
[hot] Specify attributes in which DHCP options are passed. Assignment format:attr_dhcp_opt43=vendorId.attrId
where vendorId is the vendor id, a number from 0 to 2^32-1.
IfvendorId !=0
, the value is passed in the VSA attribute.
IfvendorId == 0
, then the value is passed in the regular Radius attribute (non-VSA)
attrId - attribute id, a number between 1 and 255
Attributes are assumed to be of type octets (passed as is in binary form)
Value 0.0 - do not pass this attribute to the Radius server.
Default values are as follows:attr_dhcp_opt43=0.0
,attr_dhcp_opt60=43823.34 # VasExperts-DHCP-ClassId, attr_dhcp_opt61=43823.33 # VasExperts-DHCP-ClientId
- Added: support for service 16 and corresponding profile - job, delete, view via
fdpi_ctrl
profile matches the structure for service 5
Example of setting:fdpi_ctrl load profile -service 16 -profile.name portal_info_1 -profile.json '{ "ip_list" : "/var/lib/dpi/ip_list_1.bin", "redirect" : "http://info.test.ru" }'
parametermax_profiles_serv16
- sets the maximum number of profiles. The default is 32. Description under Subscriber authorization attributes - [DHCP-Proxy] Introduced CoA Disconnect processing modes. Description under Radius CoA
Added newbras_dhcp_disconnect
option, which is a bitmask of the following flags:0x0001 - disable acct stop
, do not immediately sendacct stop
for a disconnected DHCP subscriber0x0002 - disable L3 auth
, do not perform L3 authorization for disconnected DHCP subscriber0x0004 - block traffic
- block all traffic from disconnected subscriber (i.e. onsubs → inet
path)0x0008
- respond to DHCP Request → NAK0x0010
- ignore DHCP Request (wait for DHCP Discovery)
- [DHCP-Proxy] Added: control of subscriber IP address change
If a subscriber is given a different IP address, the former IP address should be de-announced - [VRF][CLI] VRF support added to all router CLI commands
Changes in version 12.4
DPI
- Added: support for individual session rate limiting protocols and definition of traffic classes at the channel and subscriber levels. Description under Policing by session and overriding traffic classes
#to support this service additional RAM will be required (compared to standard requirements), it is reserved by setting support_service_18=1 #in /etc/dpi/fastdpi.conf speedtest cs1 default keep cat dscp_prof_1.txt|lst2dscp /tmp/dscp_prof_1.dscp speedtest tbf rate 16mbit inbound.rate 16mbit bittorrent tbf rate 8Mbit signal tbf rate 1kbit inbound.rate 2kbit TCP Unknown tbf rate 8Mbit burst 1Mbit inbound.rate 8Mbit inbound.burst 1Mbit cat tbf_prof_1.txt|lst2tbf /tmp/tbf_prof_1.tbf #reverse conversion tbf2lst /tmp/tbf_prof_1.tbf fdpi_ctrl load profile --service 18 --profile.name test_dscp --profile.json '{ "dscp" : "/tmp/dscp_prof_1.dscp", "tbf" : "/tmp/tbf_prof_1.tbf" }' fdpi_ctrl load --service 18 --profile.name test_dscp --login DEMO #or/and fdpi_ctrl load --service 18 --profile.name test_dscp --vchannel 1
- Added management of traffic processing levels at the VLAN level. The
hide
command allows you to do a traffic drop with pre-analysis. Description under Handling traffic by VLANfdpi_cli vlan group <id> drop fdpi_cli vlan group <id> pass fdpi_cli vlan group <id> hide
- Fixed: when binding an IP to a login, check if this IP is already bound to this login. The
mtd_bind_ip_login
function for binding IP to login was unconditionally performingunbind
before binding, without checking the current binding.unbind
clears current services, including service 9 data (netflow
,accounting
), which led to quiet resetting of acct counters on subscriber reauthorization if auth and acct synchronization in fastpcrf is disabled. This commit adds a check: if IP is already associated with a valid login -bind
/unbind
/rebind
does not need to be done,mtd_bind_ip_login
function just returns "ok" result. - Added "DTLS", "RTCP", "LIGHTWAY", "GOOGLE_MEET", "JITSY", "WECHAT", "DOT", "META_CALLS" protocols
- Improved Skype detection in STUN
- Added
radmin-port
protocol signature - Added support for IPv6 channels (with reload). Description under Policing of Virtual Channel (vChannel) — setting for CIDR
Example of an assignment:fe80::0/8 1 cat ipchannels6.txt | as2bin6 /etc/dpi/ipchannels6.bin
- Added blocking of all IPv6 when service 4 and
block_options=4
are enabled - Fixed bug in TELEGRAM_TLS detector causing over-detection
- Added support of reload for IPv6 channels
- Added LiveU protocol. Changed the name of the protocol
radmin-port
toradmin
. List of new protocol identifiers:DoT 49281 RTCP 49282 LIGHTWAY 49283 GOOGLE_MEET 49284 JITSY 49285 WECHAT 49286 DTLS 49287 META_CALLS 49288 LIVEU_LRT 49289
- Added
vchannels_default=
setting to put traffic unallocated on other channels into a separate channel (but not 0!). Description under Policing of Virtual Channel (vChannel) — Setting up - Fixed: building structures to divert traffic to TAP (Error of sorting IPv4-address array).
- Added support for 18 services for vchannels
- Added support for 49 services for channels and subscribers: IPv6 traffic blocking. Description under Management — Activation of IPv6 traffic blocking service
fdpi_ctrl load --service 49 --login DEMO fdpi_ctrl load --service 49 --vchannel 1
- Renamed protocol JITSY → JITSI
- Fixed: for virtual channels DSCP is defined only if
support_service_18
parameter is set. Description under Policing by session and overriding traffic classes — SSG Configuration - ASN number accounting for GOOGLE MEET detection based on DTLS
- Added: WECHAT protocol definition
- Fixed: whatsapp_voice definition for TCP transport protocol
- Fixed definition of custom protocols based on IPv6 addresses/CIDR
- Improved recognition of openvpn, holavpn, signal
- Added the ability to supplement the definition of a signal
- Added possibility to use CIDR, addresses and ports for IPv4 and IPv6 in black and white lists. If CIDR or address is set, all TCP ports are blocked (UDP with the setting
udp_block=3
). Description under File format with a list of IP addresses to block - Added utilities to check for blacklisting
checklock
and custom protocolcheckproto
. The address or port address must be specified on the command line. - Fixed: stun processing for TCP
- Changed definition by realm: if another protocol is specified - the protocol is changed at once.
- Added: service 17 (no profile) - mirroring traffic to a specified VLAN. Description under PCAP Record Management and VLAN Mirroring — Mirroring on a VLAN
#Parameters in fastdpi.conf: span_vlan=123 span_trace=1 #For diagnostics you can use: #trace_ip or span_trace or ajb_save_emit #if you set service 12 and 17, then in pcap we will see original recording and mirrored recording
BRAS
- Added extracting information from Radius avp
framed-ipv6-prefix
. Added sendingframed-ipv6-prefix
anddelegated-ipv6-prefix
over IPFIX - Fixed: VLAN translation for ARP packets inet→subs
- Fixed bug with AS numbers in IPFIX
- Fixed framed-pool support bug
- Added: parameter
netflow_tos_format
, IPFIX TOS field data format:netflow_tos_format=0
(default value), 3 bit (priority only), 1 6-bit (full DSCP). Description under Configuring export in IPFIX (Netflow 10) - Added: in
ipfix fullflow
added passing an additional field - original TOS from the IP header, it will be possible to build reports on external markup - Fixed:
dhcp nak issue
- Fixed channel detection in IPFIX for IPv6
- Adding opt125 with pool name as the first option. Reason: KEA parses only the first vendor when defining the client class (opt125). Description under IPv4 Pools Support — FastPCRF Configuration
- Closing DHCP sessions after CoA Disconnect. If after PoD (CoA Disconnect) there is no DHCP request before the lease time expires, the session should be closed by sending a deanonce and acct stop. It should be taken into account that the subscriber's session type may change from DHCP to StaticIP or PPPoE; in this case, the DHCP session should be closed without deanonce and acct stop. Description under Radius CoA — Disconnect-Request
- CLI: new parameter
ts_lease_expired
— lease end time — was added to the output of thedhcp show
command. - Added option
acct_disable_interim_update
— prohibit sending Interim-Update. Do not send Interim-Update:acct_disable_interim_update=1
. Defaultacct_disable_interim_update=0
(Interim-Update is sent). Description under FastPCRF settings - Added IPv6 support for CoA.
Command-Code=1
- search for acct session by IP. The acct session can be searched by IPv6 prefix attributesFramed-IPv6-Prefix
orDelegated-IPv6-Prefix
. The command response specifies all known IP addresses of the found acct-session -Framed-IP-Address
,Framed-IPv6-Prefix
,Delegated-IPv6-Prefix
. Description under Radius CoA — Accounting session request for given IP address - Fixed: cli-command
dhcp show stat vrf
. Subscriber'ssubs_id
was not checked when determining session "liveliness" - transfer of IP address to another subscriber may break this statistics - Fixed: update
lease expired
for address from Framed-Pool - Added: Huawei vendor-specific support tag 1. The value is interpreted as
ADSL-Forum-Circuit-Id
. If PPPoE packet contains Circuit-Id and Huawei tag 1, Circuit-Id is preferred, Huawei tag1 is ignored. Access-Request format for the PPPoE networks — Support Huawei vendor-specific tag 1 - Fixed: deanonization of the previous address if a new one is given to the client
NAT
- Fixed: crusting when public address is highlighted (rare event: when removing NAT service at the moment of public highlighting)
SDS
- Automatic UUID generation and saving in
/var/lib/dpi/sdsuuid.dat
file