P4SF: A High-Performance Stateful Firewall on Commodity P4-Programmable Switch

This paper presents a high-performance stateful firewall called P4SF that runs on a commodity P4-programmable switch and uses an extended finite state machine to provide match-state-action in the forwarding plane for stateful processing while significantly reducing the controller's workload. P4SF is composed of three key blocks (i.e. Match Block, State Block, Action Block) that are responsible for reading/writing flow states, maintaining state transitions, and forwarding packets. Preemptive data caching is also realized into a buffer called State Pre-Fetch in P4SF for hiding transmission delay during state updates of flows. As a result, P4SF is successfully exercised on a commodity P4-programmable switch, and can be scaled to support 384,000 entries (120,000 under the three-way handshake in TCP connections) for TCP flows, achieving the 100Gb/s linerate speed for packet forwarding.