A flow-based software switch uses flow tables to forward, redirect, or drop packets. Each flow table entry has a set of match criteria and an action. When a packet matches the criteria of a flow table entry, the set of instructions included in the corresponding action is applied to the packet. The flow entries used in flow-based software switches are stateless: the flow entry rules are written based only on the fields and metadata of the packet that is currently being processed.
However, to implement a firewall, some firewall rules require knowledge of connection state. For instance, a firewall rule may allow a virtual machine to initiate connections to the Internet and allow the response packets of those connections to flow back into the network, while connections that are initiated from the Internet are not allowed.
One option that has been tried is to create a new flow entry in the reverse direction for each established connection. However, creating these new flow entries for every connection can cause severe performance problems. Another technique that has been attempted is to enforce firewall rules based on transmission control protocol (TCP) flags. Firewall policies are enforced on packets that have the SYN flag set, i.e., the packets that are flagged as the initial packet of a session. Packets that have the ACK (acknowledge) or RST (reset the connection) flag set are allowed. This technique is fast; however, it allows packets of non-established flows to go through whenever the ACK or RST flag is set. In addition, the technique is only applicable to TCP packets.
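To make the gap between the two approaches concrete, the following added example (not part of the original text) runs a toy version of the TCP-flag technique beside a minimal connection-tracking filter over a constructed packet trace; the addresses, ports, and the `Packet`, `stateless_flag_filter` and `ConntrackFilter` names are assumptions made for the illustration.

```python
from collections import namedtuple

VM_ADDRS = {"10.0.0.5"}  # assumed: address of the protected virtual machine
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of SYN/ACK/RST

def stateless_flag_filter(pkt):
    """Stateless technique: policy is checked only on the initial SYN;
    any packet carrying ACK or RST is passed through unconditionally."""
    if pkt.flags & {"ACK", "RST"}:
        return "allow"
    # pure SYN: only sessions initiated by the VM may start
    return "allow" if pkt.src in VM_ADDRS else "drop"

class ConntrackFilter:
    """Stateful alternative: remember VM-initiated connections and admit
    later packets only when they belong to one of them."""
    def __init__(self):
        self.conns = set()  # keys: (vm_ip, vm_port, peer_ip, peer_port)
    def key(self, pkt):  # normalise both directions to one connection key
        if pkt.src in VM_ADDRS:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    def filter(self, pkt):
        k = self.key(pkt)
        if pkt.flags == {"SYN"}:  # connection attempt
            if pkt.src not in VM_ADDRS:
                return "drop"  # inbound initiation refused
            self.conns.add(k)
            return "allow"
        if k not in self.conns:
            return "drop"  # ACK/RST that matches no tracked connection
        if "RST" in pkt.flags:
            self.conns.discard(k)  # reset ends the tracked connection
        return "allow"

def compare(packets):
    """Run both filters over a packet sequence; returns (stateless, stateful) verdicts."""
    ct = ConntrackFilter()
    return [(stateless_flag_filter(p), ct.filter(p)) for p in packets]

# Constructed trace: the VM opens a connection and receives replies; then an
# outside host sends a fresh SYN and, after that, a bare ACK with no prior handshake.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.5", 443, frozenset({"SYN"})),
    Packet("203.0.113.5", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.5", 443, "10.0.0.5", 40000, frozenset({"ACK"})),
    Packet("198.51.100.9", 12345, "10.0.0.5", 22, frozenset({"SYN"})),
    Packet("198.51.100.9", 12345, "10.0.0.5", 22, frozenset({"ACK"})),
]
```

Running `compare(TRACE)` shows both filters agreeing on the first four packets, while the last one, an ACK belonging to no established connection, is passed by the flag-based filter and dropped by the connection-tracking filter.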