[Firehol-support] marks and speed

Tsaousis, Costa costa at tsaousis.gr
Sat Jan 24 13:27:45 GMT 2015

yes ok.

FireHOL achieved a 90% to 110% speed increase, and 45% to 55% less time to
activate the firewall.


On Sat, Jan 24, 2015 at 3:12 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
> Today we merged a version of FireHOL in the main tree with the
> following changes:
> 1. Speed improvements
> 2. Marks, Connmarks and custom Marks
> Speed Improvements
> FireHOL is now twice as fast. On all configurations we tested the new
> FireHOL achieved 45% to 55% speed increase.
> Marks, Connmarks and custom Marks
> The FireHOL suite (firehol, fireqos, link-balancer) now supports
> internally 2 types of marks: usermarks and connmarks.
> - Connmarks are used by link-balancer to mark the interface traffic
> came in on, in order to send the replies back via the same path. All tools
> support (by default) 64 connmarks.
> - Usermarks are used by all tools to mark traffic the user wants. The
> mark firehol helper, the mark firehol match, the mark fireqos match
> and the mark link-balancer policy based routing match, they all refer
> to usermarks. All tools support (by default) 128 usermarks.
> Marks and connmarks are now bitmasked and co-exist.
> FireHOL always saves and restores marks for each connection. New marks
> are assigned on NEW connections and saved to connection state when the
> packet leaves the machine. Marks are restored on ESTABLISHED and
> RELATED connections when a packet is received.
> The user may match an arbitrary mark, bypassing the new bitmasking
> mechanism, by requesting a rawmark match. Rawmark matching works on
> all tools. Rawmark syntax is exactly the same with mark, for each
> tool.
> The user may re-define how mark bitmasking works by editing
> /etc/firehol/firehol-defaults.conf (this file will be auto-generated
> on first firehol run).
> The default bitmasking is:
> markdef connmark 64
> markdef usermark 128
> The user may change the numbers to specify more or less marks for each
> kind. The value must be a power of two.
> The user may also define additional mark types by adding markdef
> lines. These custom marks can then be used by using the custommark
> match on all tools (firehol must be activated before the other tools
> get the changes). custommark works exactly like mark, but its first
> parameter must be the name given to the markdef line. Additionally,
> FireHOL defines the custommark helper to assign custom marks to
> traffic.
> The above mean that each connection may now have connmark 1, usermark
> 5 and a number of custom marks attached to it.
> So, we are now able to mark traffic with different marks in firehol
> and, for example, take routing decisions based on connmark, classify
> traffic for QoS based on usermark and possibly add more types of marks
> for other uses.
> The latest source tree is at https://github.com/ktsaou/firehol
> Keep in mind that in order to test these tools you only need:
> sbin/firehol.in
> sbin/fireqos.in
> sbin/link-balancer.in
> Each tool can be run directly after downloaded.
> If you find any problems, please let us know.
> Regards,
> Costa
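
As an added worked example (not FireHOL's own code and not part of the post above), the shell script below shows how markdef sizes such as the defaults quoted above can partition one fwmark into co-existing bitfields, and how a bitmasked mark match differs from a rawmark match; the bit layout and the custom `qosclass` type are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration (not FireHOL's own code): how bitmasked mark types from
# markdef lines can share one 32-bit fwmark. The layout assumed here packs
# each field from bit 0 upward in markdef order; FireHOL's real layout may differ.

# Constructed stand-in for /etc/firehol/firehol-defaults.conf plus one custom type
MARKDEFS="markdef connmark 64
markdef usermark 128
markdef qosclass 16"

# bits_for SIZE: bits needed for SIZE values; fails unless SIZE is a power of two
bits_for() {
    n=$1 b=0
    [ "$n" -gt 0 ] && [ $(( n & (n - 1) )) -eq 0 ] || return 1
    while [ "$n" -gt 1 ]; do n=$(( n >> 1 )); b=$(( b + 1 )); done
    printf '%d\n' "$b"
}

# field_layout NAME: prints "SHIFT MASK" for mark type NAME
field_layout() {
    off=0
    while read -r kw name size; do
        [ "$kw" = markdef ] || continue
        bits=$(bits_for "$size") || { printf 'bad size %s for %s\n' "$size" "$name" >&2; return 1; }
        if [ "$name" = "$1" ]; then
            printf '%d %d\n' "$off" $(( ((1 << bits) - 1) << off ))
            return 0
        fi
        off=$(( off + bits ))
    done <<EOF
$MARKDEFS
EOF
    printf 'unknown mark type %s\n' "$1" >&2; return 1
}

# mark_match NAME VALUE: the value/mask pair a bitmasked match uses
# (a rawmark match would compare the whole register, i.e. VALUE/0xffffffff)
mark_match() {
    layout=$(field_layout "$1") || return 1
    off=${layout% *} mask=${layout#* }
    v=$(( $2 << off ))
    [ $(( v & ~mask )) -eq 0 ] || { printf 'value %s exceeds %s\n' "$2" "$1" >&2; return 1; }
    printf '0x%x/0x%x\n' "$v" "$mask"
}

# compose_mark NAME VALUE [NAME VALUE ...]: OR several fields into one fwmark
compose_mark() {
    total=0
    while [ $# -ge 2 ]; do
        m=$(mark_match "$1" "$2") || return 1
        total=$(( total | ${m%/*} ))
        shift 2
    done
    printf '%d\n' "$total"
}

# connmark 1, usermark 5 and custom qosclass 3 co-exist in one mark (0x6141)
compose_mark connmark 1 usermark 5 qosclass 3
```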
