[Firehol-support] marks and speed

Whit Blauvelt whit at transpect.com
Sat Jan 24 14:50:20 CET 2015


On Sat, Jan 24, 2015 at 03:12:30PM +0200, Tsaousis, Costa wrote:

> The FireHOL suite (firehol, fireqos, link-balancer) now supports
> internally 2 types of marks: usermarks and connmarks.

Nice!

The way I've been enabling Openswan IPsec to work from a server with the
previous FireHOL is like this (in firehol.conf ahead of the standard stuff):
  
  # IPsec mangling
  # Mark IKE (udp/500) and ESP (proto 50) packets with mark 1 in the mangle
  # table, then accept anything carrying that mark in the filter chains so
  # the decrypted IPsec traffic gets through.
  
  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
  
  # don't SNAT IPsec
  # Insert (-I) an ACCEPT at the top of nat POSTROUTING for each remote
  # subnet so those packets are exempt from any later SNAT/MASQUERADE rule.
  
  rightsubnets=( 172.30.0.0/24 10.242.0.0/22 172.16.11.0/24 )
  for rightsubnet in "${rightsubnets[@]}"; do
          iptables -t nat -I POSTROUTING -d "$rightsubnet" -j ACCEPT
  done

What would the translation of that to the new FireHOL syntax look like?

Thanks,

Whit
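An added check (not from the post or the FireHOL project) that verifies an `iptables-save` dump contains the three pieces the rules above rely on: the IKE/ESP mark rules, the mark-based ACCEPTs, and a nat POSTROUTING ACCEPT for each remote subnet placed before any SNAT/MASQUERADE. The dump is constructed for illustration and deliberately lacks the third subnet, so the ordering check reports it.

```shell
#!/bin/sh
# Constructed iptables-save output; on a live host use: RULES=$(iptables-save)
RULES='*mangle
-A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A FORWARD -m mark --mark 0x1 -j ACCEPT
-A OUTPUT -m mark --mark 0x1 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -d 172.30.0.0/24 -j ACCEPT
-A POSTROUTING -d 10.242.0.0/22 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# has_rule TABLE REGEX: succeed if a rule matching REGEX exists in TABLE
has_rule() {
    printf '%s\n' "$RULES" |
        awk -v t="*$1" '$0==t{p=1;next} /^COMMIT/{p=0} p' |
        grep -Eq -- "$2"
}

# check_ipsec_rules: 0 when mark and accept rules are all present, else 1
check_ipsec_rules() {
    rc=0
    has_rule mangle '^-A PREROUTING -p (udp|17) .*--dport 500 .*-j MARK' ||
        { echo "missing IKE (udp/500) mark rule"; rc=1; }
    has_rule mangle '^-A PREROUTING -p (esp|50) .*-j MARK' ||
        { echo "missing ESP mark rule"; rc=1; }
    for chain in INPUT FORWARD OUTPUT; do
        has_rule filter "^-A $chain -m mark --mark 0x1 -j ACCEPT" ||
            { echo "missing mark ACCEPT in $chain"; rc=1; }
    done
    return $rc
}

# snat_exempt SUBNET: 0 if an ACCEPT for SUBNET comes before any
# SNAT/MASQUERADE in nat POSTROUTING (so the subnet is never NATed)
snat_exempt() {
    printf '%s\n' "$RULES" | awk -v s="$1" '
        $0=="*nat"{p=1;next} /^COMMIT/{p=0}
        p && /^-A POSTROUTING/ {
            if ($0 ~ "-d " s " " && / -j ACCEPT/) { found=1; exit }
            if (/-j (SNAT|MASQUERADE)/) { exit }
        }
        END { exit found ? 0 : 1 }'
}

check_ipsec_rules && echo "ok: IPsec mark rules present"
</test>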

