Today's hardware switches implement stateless firewall and ACL features. Hardware switches handle static rules and stateless processing well, since they excel at lookups over bit/mask ranges, sets and tables, courtesy of the TCAM available in their hardware. Rules and sets are typically fairly static: they do not change per packet and can be handled statelessly. Packets themselves, however, drive state changes and therefore have to be handled by stateful engines, as with TCP.
Unfortunately, hardware switches are not suitable for stateful session/rule management because of memory and resource constraints. The number of connection flows a hardware switch supports is typically in the range of 32K to 64K, whereas the number of active sessions on the wire is often far greater. To overcome this limitation, the stateful engine for per-flow and rule processing is typically implemented in software, which has access to almost unlimited memory.
Typical firewall rules in a datacenter consist of security groups, which are essentially IP sets. Hence, while the rules themselves do not change, group membership may change continually as virtual machines (VMs) or hosts are powered up and down, and the software has to determine which rules apply to an incoming packet based on whether its source/destination addresses belong to these security groups/containers.
Identifying which security groups/containers an incoming packet falls into is a computationally intensive process. Furthermore, many firewall rules in the chain have to be processed in linear order. Processing container- or security-group-based rules therefore adds significant latency to the per-packet processing cycle, on top of consuming valuable CPU resources.
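The following added example (not code from the original page) models the situation just described in software: rules refer to security groups rather than addresses, the chain is walked linearly with first-match-wins semantics, and the address-to-group index is the piece that has to be rebuilt whenever a VM joins or leaves a group. Group names, addresses and ports are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address

# Constructed sample security groups (IP sets); names and addresses are assumptions.
GROUPS = {
    "web":  {ip_address("10.0.1.10"), ip_address("10.0.1.11")},
    "db":   {ip_address("10.0.2.20")},
    "mgmt": {ip_address("10.0.9.5")},
}

# A rule refers to groups, not addresses; "any" / None are wildcards.
Rule = namedtuple("Rule", "src_group dst_group dst_port action")

# The chain itself is static: it is walked in order and the first match wins.
CHAIN = [
    Rule("web", "db", 5432, "allow"),
    Rule("mgmt", "any", None, "allow"),
    Rule("any", "db", None, "deny"),
    Rule("any", "any", None, "deny"),
]

def build_index(groups):
    """Invert the group sets into an address -> {group names} map; this map is
    what must be rebuilt every time group membership changes."""
    index = {}
    for name, members in groups.items():
        for addr in members:
            index.setdefault(addr, set()).add(name)
    return index

def evaluate(chain, index, src, dst, dport):
    """Linear walk: (position, action) of the first match, or (-1, "deny") if exhausted."""
    src_groups = index.get(ip_address(src), set())
    dst_groups = index.get(ip_address(dst), set())
    for pos, rule in enumerate(chain):
        if rule.src_group != "any" and rule.src_group not in src_groups:
            continue
        if rule.dst_group != "any" and rule.dst_group not in dst_groups:
            continue
        if rule.dst_port is not None and rule.dst_port != dport:
            continue
        return pos, rule.action
    return -1, "deny"  # implicit default deny once the chain is exhausted

def without_member(groups, name, addr):
    """Membership change (e.g. a VM powered down): copy of groups minus one address; CHAIN is untouched."""
    updated = {n: set(m) for n, m in groups.items()}
    updated[name].discard(ip_address(addr))
    return updated
```

Note that after `without_member` the same packet from the removed address falls through to the group-based deny rule even though no rule in the chain was edited; only the index changed.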