Building Optimized Packet Filters with COFFi

2014 
Many companies and institutions employ packet filter firewalls in order to effectively regulate network traffic. Unfortunately, the constant growth of network bandwidth makes the task of matching packet headers against potentially large rulesets more difficult, and prohibits the sole use of entirely software-based firewalls which cannot cope with such huge amounts of traffic. Instead, high-speed firewalls are often implemented in ASICs which offer a high degree of parallelism, many opportunities for operation pipelining, and low-latency access to network data. However, due to their static nature, ASICs must provide generic filtering circuitry that is hardly able to take full advantage of firewall ruleset properties, thus leading to a waste of hardware resources. Therefore, we propose a methodology to automatically compile stateless firewall rulesets to efficient circuit descriptions in synthesizable VHDL format which can be deployed in FPGA devices. The generated filtering circuitry matches incoming packet header fields against each firewall rule in parallel and leverages a pipelined design which allows for a TCAM-like deterministic classification throughput of one packet header per clock cycle. The employed matching logic is tailored to the checks specified by the translated rules and thus compact. Furthermore, the structure of the generated circuits allows for inter-rule optimizations that are performed during logic minimization. During this process, redundant hardware representations of checks that are shared between multiple rules are removed. As opposed to previous works in this domain, we exploit the structure of the given ruleset in order to aggregate the independent match results in a priority encoder of logarithmic depth, thereby achieving short processing latencies and low hardware resource consumption. We call this approach COFFi: Custom Optimized FPGA Firewalls.
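The abstract describes three stages: every atomic header check is evaluated once (identical checks shared between rules are instantiated only once), each rule ANDs the results of its own checks in parallel, and a priority encoder of logarithmic depth selects the first matching rule. The following Python model, added here as an illustration and not part of COFFi itself (which emits synthesizable VHDL rather than Python), makes those stages explicit: `rule_checks`, `make_check`, `priority_encode`, `CompiledFilter` and the four-entry ruleset `RULES` are all constructed for this example and are not taken from the paper. It lets a reader count how many comparators sharing saves and confirm first-match semantics on sample headers.

```python
"""Software model of a COFFi-style compiled stateless packet filter.

Illustrative example only (not the COFFi tool, which generates VHDL):
the three stages the abstract describes are modelled in plain Python so
check sharing between rules and the first-match priority encoder can be
inspected and tested.
"""
import ipaddress
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Header:
    """Header fields a stateless filter classifies on (IPv4 addresses as ints)."""
    src: int
    dst: int
    proto: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ruleset entry; a None field means 'any'."""
    action: str
    proto: Optional[int] = None
    src: Optional[str] = None                 # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range


CheckKey = Tuple  # hashable description of one atomic header check


def ip(text: str) -> int:
    return int(ipaddress.ip_address(text))


def rule_checks(rule: Rule) -> List[CheckKey]:
    """Decompose a rule into the atomic checks its comparator logic needs."""
    keys: List[CheckKey] = []
    if rule.proto is not None:
        keys.append(("proto", rule.proto))
    for name in ("src", "dst"):
        prefix = getattr(rule, name)
        if prefix is not None:
            net = ipaddress.ip_network(prefix, strict=False)
            keys.append((name, int(net.network_address), int(net.netmask)))
    if rule.dport is not None:
        keys.append(("dport", rule.dport[0], rule.dport[1]))
    return keys


def make_check(key: CheckKey) -> Callable[[Header], bool]:
    """Build one comparator; prefix matching masks the address as a circuit would."""
    kind = key[0]
    if kind == "proto":
        return lambda h: h.proto == key[1]
    if kind in ("src", "dst"):
        _, net, mask = key
        return lambda h: (getattr(h, kind) & mask) == net
    if kind == "dport":
        _, lo, hi = key
        return lambda h: lo <= h.dport <= hi
    raise ValueError(f"unknown check kind {kind}")


def priority_encode(matches: List[bool], lo: int, hi: int) -> Tuple[bool, int]:
    """Tree-shaped priority encoder over matches[lo:hi]: lowest index wins, depth ceil(log2 n)."""
    if hi - lo == 0:
        return (False, -1)
    if hi - lo == 1:
        return (matches[lo], lo)
    mid = (lo + hi) // 2
    left = priority_encode(matches, lo, mid)
    return left if left[0] else priority_encode(matches, mid, hi)


class CompiledFilter:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.checks: Dict[CheckKey, Callable[[Header], bool]] = {}  # shared comparators
        self.rule_terms: List[List[CheckKey]] = []                   # per-rule AND of check ids
        for rule in rules:
            keys = rule_checks(rule)
            for k in keys:
                self.checks.setdefault(k, make_check(k))  # identical checks are built once
            self.rule_terms.append(keys)

    def raw_check_count(self) -> int:
        return sum(len(t) for t in self.rule_terms)

    def unique_check_count(self) -> int:
        return len(self.checks)

    def encoder_depth(self) -> int:
        n = len(self.rules)
        return math.ceil(math.log2(n)) if n > 1 else 0

    def classify(self, h: Header) -> Tuple[Optional[int], str]:
        results = {k: chk(h) for k, chk in self.checks.items()}          # stage 1: all comparators at once
        matches = [all(results[k] for k in t) for t in self.rule_terms]  # stage 2: per-rule AND
        found, idx = priority_encode(matches, 0, len(matches))          # stage 3: first match wins
        return (idx, self.rules[idx].action) if found else (None, self.default)


# Constructed sample ruleset for this example (not from the paper).
RULES = [
    Rule("deny",  proto=6,  src="10.0.0.0/8", dport=(22, 22)),
    Rule("allow", proto=6,  dst="192.168.1.0/24", dport=(80, 443)),
    Rule("allow", proto=17, src="10.0.0.0/8", dport=(53, 53)),
    Rule("allow", proto=6,  src="10.0.0.0/8", dport=(0, 65535)),  # broader than rule 0, ranked below it
]

if __name__ == "__main__":
    f = CompiledFilter(RULES)
    print(f"{f.raw_check_count()} checks in rules, {f.unique_check_count()} after sharing, "
          f"encoder depth {f.encoder_depth()}")
    print(f.classify(Header(ip("10.1.2.3"), ip("192.168.1.10"), 6, 22)))
```

In the sample ruleset the twelve per-rule checks collapse to eight distinct comparators because `proto == 6` and the `10.0.0.0/8` source prefix are shared, and an SSH header from `10.1.2.3` matches both rule 0 and rule 3 but the encoder reports rule 0. The model evaluates the tree recursively; in the generated hardware each level is a pipeline stage, which is what gives the fixed one-header-per-cycle throughput the abstract claims.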