A flow-based software switch operates by matching incoming packets against one or more flow entries. Each flow entry includes a set of matching criteria and a set of actions. The matching criteria specify the subset of packet header fields that must match for the entry to apply. When a packet matches the set of matching criteria of a flow entry, the action or actions specified by the corresponding set of actions are performed on the packet.
Flow entries in a flow-based software switch are stateless. The flow entry rules are written over only the stateless fields and metadata of the packet being processed. However, to implement a firewall, some firewall rules require knowledge of connection state.
For stateful firewall rules, a record has to be kept of at least the admitted packets in order to correlate the subsequent packets to determine whether the packets belong to a previously established connection. The record can then be used, for example, to admit reply direction packets for the connections where forward direction packets were admitted. A connection tracker keeps track of logical network connections and relates the packets to the established connections.
Firewall rules can change frequently, for example every minute. As firewall rules change, the individual entries in the connection table may need to be updated. For instance, an entry may become invalid because the rule that created the entry no longer exists, or because a different rule now governs the entry. Since a connection tracker can contain hundreds of thousands of connections, keeping these entries up to date is a challenge.
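The following is an added illustration, not code from the original text, of the behaviour described above: stateless flow entries, a connection tracker that admits reply-direction packets for admitted forward-direction connections, and invalidation of tracked entries when the rule that created them is removed. The 5-tuple key, the `allow`/`drop` actions and the default-deny behaviour are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Key for one direction of a connection (assumed: src_ip, dst_ip, src_port, dst_port, proto).
FiveTuple = Tuple[str, str, int, int, str]

def reverse(key: FiveTuple) -> FiveTuple:
    """Key of the reply direction of the same connection."""
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)

@dataclass
class FlowEntry:
    """A stateless flow entry: match on a subset of header fields, then apply one action."""
    rule_id: int
    match: Dict[str, object]   # e.g. {"dst_ip": "10.0.0.5", "dst_port": 443, "proto": "tcp"}
    action: str                # "allow" or "drop" (assumed action set)

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

class ConnTracker:
    """Records admitted forward-direction connections together with the rule that admitted them."""
    def __init__(self) -> None:
        self.table: Dict[FiveTuple, int] = {}   # forward key -> rule_id that created the entry

    def lookup(self, key: FiveTuple) -> str:
        if key in self.table:
            return "established"                 # forward direction of a tracked connection
        if reverse(key) in self.table:
            return "reply"                       # reply direction of a tracked connection
        return "new"

    def invalidate_rule(self, rule_id: int) -> int:
        """Drop every entry created by rule_id; returns the number of entries removed."""
        stale = [k for k, r in self.table.items() if r == rule_id]
        for k in stale:
            del self.table[k]
        return len(stale)

class StatefulFirewall:
    def __init__(self, rules) -> None:
        self.rules = list(rules)
        self.ct = ConnTracker()

    def process(self, pkt: dict) -> str:
        key = (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"], pkt["proto"])
        if self.ct.lookup(key) != "new":
            return "allow"                       # belongs to a previously admitted connection
        for rule in self.rules:                  # stateless rules only see the packet itself
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.ct.table[key] = rule.rule_id
                return rule.action
        return "drop"                            # default deny (assumed policy)

    def remove_rule(self, rule_id: int) -> int:
        """Rule change: delete the rule and invalidate the entries it created."""
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
        return self.ct.invalidate_rule(rule_id)
```

After `remove_rule`, a packet of a formerly admitted connection is re-evaluated as new against the remaining rules, which is exactly the per-entry update the text describes.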