Most network devices provide more than one network function, for example network address translation (NAT) and network access control lists (ACLs). These network functions are applied to network packets in a manner determined by how the network module implementing them is designed. Thus, the packet processing order of the functions is predefined or fixed. For example, in most network devices, on a network flow, ACL rules are evaluated closer to packet ingress, that is, chronologically shortly after the packets are received, and NAT rules are applied closer to packet egress, shortly before the packets are transmitted. This packet processing order is static and fixed because it is defined at the design phase of the network module.
Because the flow processing order is static and fixed in the network module, any change to the order of processing is very costly in terms of time and money. More importantly, it is very difficult to customize the order of packet processing without a major redesign of the entire network module.
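An added illustration, not code from the original text: a minimal Python model of a pipeline whose stage order is fixed (ACL at ingress, NAT at egress), showing that the same ACL rule reaches a different verdict when the order is reversed, because it then matches the translated address. The addresses, rules and function names are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed sample policy (documentation address ranges, not from the text).
ACL_RULES = [  # first match wins
    ("permit", ip_network("192.0.2.0/24")),  # inside range, written pre-NAT
    ("deny", ip_network("0.0.0.0/0")),
]
NAT_TABLE = {"192.0.2.10": "203.0.113.5"}  # source NAT: inside -> outside

def acl(pkt):
    """Return the packet if its source is permitted, else None (dropped)."""
    for action, net in ACL_RULES:
        if ip_address(pkt.src) in net:
            return pkt if action == "permit" else None
    return None  # implicit deny when nothing matches

def nat(pkt):
    """Rewrite the source address when a translation entry exists."""
    return replace(pkt, src=NAT_TABLE.get(pkt.src, pkt.src))

# The order the device fixes at design time: ACL near ingress, NAT near egress.
FIXED_ORDER = (acl, nat)

def process(pkt, stages=FIXED_ORDER):
    """Run the packet through each stage in order; None means dropped."""
    for stage in stages:
        pkt = stage(pkt)
        if pkt is None:
            return None
    return pkt

def compare_orders(pkt):
    """Outcome for one packet under the fixed order and the reversed order."""
    return {"acl_then_nat": process(pkt),
            "nat_then_acl": process(pkt, (nat, acl))}

if __name__ == "__main__":
    sample = Packet("192.0.2.10", "198.51.100.7")  # constructed packet
    for name, out in compare_orders(sample).items():
        print(name, "->", out or "dropped")
```

A rule set written against pre-NAT addresses is therefore only correct for the order the module was designed with, which is why the processing order has to be known when a policy is audited.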