diff --git a/config/mrzcpd/etc/mrglobal.conf b/config/mrzcpd/etc/mrglobal.conf
index 75b3599..83f6c04 100644
--- a/config/mrzcpd/etc/mrglobal.conf
+++ b/config/mrzcpd/etc/mrglobal.conf
@@ -1,34 +1,23 @@
 [device]
-device=eth0,vxlan_user,vxlan_fwd
-sz_tunnel=8192
-sz_buffer=0
-
-[device:eth0]
-jumbo_frame=1
-max_rx_pkt_len=15360
-clear_tx_flags=1
-promisc=1
+device=virtio_user0
+virtio_user=virtio_user0
 
 [service]
 # lcore id for i/o service, use comma to split
-iocore=46,47
+iocore=1,2,3,4
 distmode=2
 hashmode=0
 
 [eal]
 virtaddr=0x7f40c4a00000
 loglevel=7
+no-pci=1
 
 [keepalive]
-check_spinlock=0
-
-[ctrlzone]
-ctrlzone0=tunnat,64
+check_spinlock=1
 
 [pool]
 create_mode=3
-sz_direct_pktmbuf=4194304
+sz_direct_pktmbuf=65536
 sz_indirect_pktmbuf=8192
 sz_cache=256
-sz_data=4096
-
diff --git a/config/sapp_run/etc/sapp.toml b/config/sapp_run/etc/sapp.toml
index 40f5522..a3e165b 100644
--- a/config/sapp_run/etc/sapp.toml
+++ b/config/sapp_run/etc/sapp.toml
@@ -11,7 +11,7 @@ instance_name = "sapp_v4.0"
 [CPU]
 worker_threads=4
 ### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
-bind_mask=[1,2,3,4]
+bind_mask=[5,6,7,8]
 [MEM]
 dictator_enable=1
 
@@ -23,12 +23,12 @@ dictator_enable=1
 #inject_mode_inline_device_sport=54789
 ### note, depolyment.mode options: [mirror, inline, transparent, dumpfile]
   [packet_io.depolyment]
-  mode=mirror
+  mode=inline
 
 ### note, interface.type options: [pag,pcap,marsio]
   [packet_io.internal.interface]
-  type=pcap
-  name=eth0
+  type=marsio
+  name=virtio_user0
 
   [packet_io.external.interface]
   type=pcap
diff --git a/docker-compose.yml b/docker-compose.yml
index 39de140..00d5c7b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,13 +4,13 @@ services:
     build:
       context: ./dockerfile/firewall
       dockerfile: Dockerfile
-    image: "centos7:firewallInstalled"
-    container_name: "firewall"
+    image: "tsg-firewall-v21.03"
+    container_name: "tsg-container-firewall-v21.03"
     security_opt:
      - seccomp:unconfined
     volumes:
-     - ./config/mrzcpd/etc/mrapp.sapp4.conf:/opt/mrzcpd/etc/mrapp.sapp4.conf
-     - ./config/mrzcpd/etc/mrapm.conf:/opt/mrzcpd/etc/mrapm.conf
+     - /dev/hugepages:/dev/hugepages
+     - /tmp/vhost_tsg_container_firewall:/run/usvhost/
      - ./config/mrzcpd/etc/mrglobal.conf:/opt/mrzcpd/etc/mrglobal.conf
      - ./config/sapp_run/etc/sapp.toml:/home/mesasoft/sapp_run/etc/sapp.toml
      - ./config/sapp_run/etc/sapp_log.conf:/home/mesasoft/sapp_run/etc/sapp_log.conf
diff --git a/dockerfile/firewall/Dockerfile b/dockerfile/firewall/Dockerfile
index 0728113..5cba5e1 100644
--- a/dockerfile/firewall/Dockerfile
+++ b/dockerfile/firewall/Dockerfile
@@ -1,9 +1,22 @@
 FROM docker.io/centos:7
 
+COPY mrzcpd-debug-4.3.30.cee158a-1.el7.x86_64.rpm /run/
+COPY mrzcpd-debug-debuginfo-4.3.30.cee158a-1.el7.x86_64.rpm /run/
+
 COPY MESA-Framework.repo /etc/yum.repos.d/
 COPY framework.conf  aws.conf /etc/ld.so.conf.d/
-#COPY aws.conf /etc/ld.so.conf.d/
 COPY supervisord.conf /etc/
+COPY usvhost_create.sh /tmp/
+
+RUN sed -e 's|^mirrorlist=|#mirrorlist=|g' \
+        -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://mirrors.tuna.tsinghua.edu.cn|g' \
+        -i.bak /etc/yum.repos.d/CentOS-*.repo
+
+RUN yum install libpcap numactl systemd-libs -y && \
+    yum localinstall -y /run/mrzcpd-debug-4.3.30.cee158a-1.el7.x86_64.rpm && \
+    yum localinstall -y /run/mrzcpd-debug-debuginfo-4.3.30.cee158a-1.el7.x86_64.rpm
+
+RUN mkdir -p /var/run/mrzcpd/
 
 RUN yum makecache \
   && yum install -y \
@@ -22,7 +35,6 @@ RUN yum makecache \
   libWiredLB \
   lz4 \
   libbreakpad_mini \
-  mrzcpd \
   sapp \
   tcpdump_mesa \
   tsg_master \
diff --git a/dockerfile/firewall/mrzcpd-debug-4.3.30.cee158a-1.el7.x86_64.rpm b/dockerfile/firewall/mrzcpd-debug-4.3.30.cee158a-1.el7.x86_64.rpm
new file mode 100644
index 0000000..c9ac335
Binary files /dev/null and b/dockerfile/firewall/mrzcpd-debug-4.3.30.cee158a-1.el7.x86_64.rpm differ
diff --git a/dockerfile/firewall/mrzcpd-debug-debuginfo-4.3.30.cee158a-1.el7.x86_64.rpm b/dockerfile/firewall/mrzcpd-debug-debuginfo-4.3.30.cee158a-1.el7.x86_64.rpm
new file mode 100644
index 0000000..567544b
Binary files /dev/null and b/dockerfile/firewall/mrzcpd-debug-debuginfo-4.3.30.cee158a-1.el7.x86_64.rpm differ
diff --git a/dockerfile/firewall/supervisord.conf b/dockerfile/firewall/supervisord.conf
index 56e1e1c..44d39fe 100644
--- a/dockerfile/firewall/supervisord.conf
+++ b/dockerfile/firewall/supervisord.conf
@@ -147,9 +147,23 @@ serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
 ;[include]
 ;files = relative/directory/*.ini
 
+[program:usvhost0]
+command=/bin/bash -ex /tmp/usvhost_create.sh
+priority=300
+user=root
+redirect_stderr=true
+
+[program:mrzcpd]
+command=/opt/mrzcpd/bin/mrzcpd -c /opt/mrzcpd/etc/mrglobal.conf
+autostart=true
+priority=400
+user=root
+redirect_stderr=true
+
 [program:sapp]
 command=/home/mesasoft/sapp_run/sapp
 autostart=true
 directory=/home/mesasoft/sapp_run
-stdout_logfile=/tmp/sapp_stdout.log
-stderr_logfile=/tmp/sapp_stderr.log
+priority=401
+user=root
+redirect_stderr=true
diff --git a/dockerfile/firewall/usvhost_create.sh b/dockerfile/firewall/usvhost_create.sh
new file mode 100755
index 0000000..e300dfb
--- /dev/null
+++ b/dockerfile/firewall/usvhost_create.sh
@@ -0,0 +1,5 @@
+#!/bin/bash -ex
+mkdir -p /run/usvhost 
+python -c "import socket as s; sock = s.socket(s.AF_UNIX); sock.bind('/run/usvhost/usvhost0')"
+python -c "import socket as s; sock = s.socket(s.AF_UNIX); sock.bind('/run/usvhost/usvhost1')"
+exec tail -f /dev/null