In a typical packet forwarding system, an incoming packet may take one of two forwarding paths: a “fast” path or a “slow” path. The fast path is coded for maximum speed but cannot handle exceptional error conditions or perform complex operations. The slow path can handle any packet format or network protocol state, but it requires extensive processor overhead and frequently is implemented at a different operating system kernel priority level.
Increasing demand for network security has driven the development of “network firewalls.” Firewalls perform extensive validation on network packets, and the overhead from the additional validation limits network throughput. Firewalls have been implemented in the slow path because of the additional processing required and the difficulty of validating packets and comparing packets to network protocol state in the highest-priority levels of an operating system kernel.