[Firehol-support] marks and speed

Tsaousis, Costa costa at tsaousis.gr
Sat Jan 24 13:12:30 GMT 2015

Hi all,

Today we merged a version of FireHOL in the main tree with the
following changes:

1. Speed improvements
2. Marks, Connmarks and custom Marks

Speed Improvements

FireHOL is now twice as fast. On all configurations we tested, the new
FireHOL achieved a 45% to 55% speed increase.

Marks, Connmarks and custom Marks

The FireHOL suite (firehol, fireqos, link-balancer) now supports
internally 2 types of marks: usermarks and connmarks.

- Connmarks are used by link-balancer to mark the interface traffic
came in on, in order to send the replies back via the same path. All
tools support (by default) 64 connmarks.

- Usermarks are used by all tools to mark traffic the user wants. The
firehol mark helper, the firehol mark match, the fireqos mark match
and the link-balancer policy-based-routing mark match all refer to
usermarks. All tools support (by default) 128 usermarks.

Marks and connmarks are now bitmasked and co-exist.

FireHOL always saves and restores marks for each connection. New marks
are assigned on NEW connections and saved to connection state when the
packet leaves the machine. Marks are restored on ESTABLISHED and
RELATED connections when a packet is received.

The user may match an arbitrary mark, bypassing the new bitmasking
mechanism, by requesting a rawmark match. Rawmark matching works on
all tools. Rawmark syntax is exactly the same as mark, for each

The user may re-define how mark bitmasking works by editing
/etc/firehol/firehol-defaults.conf (this file will be auto-generated
on first firehol run).

The default bitmasking is:

markdef connmark 64
markdef usermark 128

The user may change the numbers to specify more or less marks for each
kind. The value must be a power of two.

The user may also define additional mark types by adding markdef
lines. These custom marks can then be used with the custommark
match on all tools (firehol must be activated before the other tools
get the changes). custommark works exactly like mark, but its first
parameter must be the name given on the markdef line. Additionally,
FireHOL defines the custommark helper to assign custom marks to

The above means that each connection may now have connmark 1, usermark
5 and a number of custom marks attached to it.
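The following is an added illustration of the bitmasking idea described above; it is not FireHOL's code and FireHOL's actual bit layout is not documented in this message. It assumes that each markdef gets a contiguous field of log2(count) bits, laid out in markdef order starting at bit 0, with values 0..count-1 (0 meaning "unmarked"), and it shows the resulting value/mask pairs in the form iptables' MARK --set-xmark and CONNMARK --save-mark/--restore-mark take, so that different mark types can be written and read independently within the one 32-bit mark.

```python
"""Model of several mark types sharing the 32-bit Netfilter mark.

Illustrative only: not FireHOL's own implementation. The bit layout
(markdef order, starting at bit 0, values 0..count-1) is an assumption.
"""
import re

MARK_BITS = 32  # width of the packet mark and connection mark

# Constructed sample of a firehol-defaults.conf-style mark definition,
# using the two defaults from the announcement plus one custom type.
SAMPLE_DEFAULTS = """
markdef connmark 64
markdef usermark 128
markdef qosclass 16    # custom mark type, assumed for the example
"""


def parse_markdefs(text):
    """Parse 'markdef <name> <count>' lines; count must be a power of two."""
    defs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"markdef\s+(\w+)\s+(\d+)", line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        name, count = m.group(1), int(m.group(2))
        if count < 2 or count & (count - 1):
            raise ValueError(f"{name}: {count} is not a power of two")
        defs.append((name, count))
    return defs


def layout(defs):
    """Assign each mark type a contiguous bit field: {name: (shift, mask)}."""
    fields, shift = {}, 0
    for name, count in defs:
        width = count.bit_length() - 1  # 64 -> 6 bits, 128 -> 7 bits
        if shift + width > MARK_BITS:
            raise ValueError("mark types do not fit in a 32-bit mark")
        fields[name] = (shift, ((1 << width) - 1) << shift)
        shift += width
    return fields


def set_mark(current, fields, name, value):
    """Return `current` with only the bits of mark type `name` replaced."""
    shift, mask = fields[name]
    if not 0 <= value <= (mask >> shift):
        raise ValueError(f"{name}: value {value} out of range")
    return (current & ~mask) | ((value << shift) & mask)


def get_mark(current, fields, name):
    """Read back one mark type from a combined mark value."""
    shift, mask = fields[name]
    return (current & mask) >> shift


def xmark(fields, name, value):
    """'value/mask' as taken by iptables -j MARK --set-xmark and -m mark --mark."""
    shift, mask = fields[name]
    return f"0x{(value << shift) & mask:x}/0x{mask:x}"


def rawmark(value):
    """A raw match bypasses the layout: compare the whole 32-bit mark."""
    return f"0x{value:x}/0xffffffff"


def connmark_rules(fields):
    """Illustrative mangle rules that save/restore only the defined bits.

    --nfmask/--ctmask limit CONNMARK to the bits the markdefs use, so
    unrelated bits of the mark are left alone. Not FireHOL's rule set.
    """
    used = 0
    for _, mask in fields.values():
        used |= mask
    m = f"0x{used:x}"
    return [
        "iptables -t mangle -A PREROUTING -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --nfmask {m} --ctmask {m}",
        "iptables -t mangle -A POSTROUTING -m conntrack "
        f"--ctstate NEW -j CONNMARK --save-mark --nfmask {m} --ctmask {m}",
    ]


def demo():
    """Connmark 1 and usermark 5 on one connection, as in the announcement."""
    fields = layout(parse_markdefs(SAMPLE_DEFAULTS))
    mark = set_mark(0, fields, "connmark", 1)
    mark = set_mark(mark, fields, "usermark", 5)
    return mark, fields


if __name__ == "__main__":
    mark, fields = demo()
    print(hex(mark), {n: get_mark(mark, fields, n) for n in fields})
    print(xmark(fields, "usermark", 5), rawmark(mark))
    print("\n".join(connmark_rules(fields)))
```

Changing a markdef count moves every field defined after it, which is why all tools must be restarted after the defaults file changes; a rawmark match, by contrast, compares the full 32-bit value and is unaffected by the layout.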

So, we are now able to mark traffic with different marks in firehol
and, for example, take routing decisions based on connmark, classify
traffic for QoS based on usermark and possibly add more types of marks
for other uses.

The latest source tree is at https://github.com/ktsaou/firehol

Keep in mind that in order to test these tools you only need:


Each tool can be run directly after being downloaded.

If you find any problems, please let us know.
