
HyPaFilter - A versatile hybrid FPGA packet filter

Accepted version


Conference Object



Fiessler, A 
Hager, S 
Scheuermann, B 
Moore, AW 


With network traffic rates continuously growing, security systems like firewalls are facing increasing challenges to process incoming packets at line speed without sacrificing protection. Accordingly, specialized hardware firewalls are increasingly used in high-speed environments. Hardware solutions, though, are inherently limited in terms of the complexity of the policies they can implement, often forcing users to choose between throughput and comprehensive analysis. On the contrary, complex rules typically constitute only a small fraction of the rule set. This motivates the combination of massively parallel, yet complexity-limited specialized circuitry with a slower, but semantically powerful software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. We therefore discuss approaches for partitioning and transforming rule sets for hybrid packet processing, and propose HyPaFilter, a hybrid classification system based on tailored circuitry on an FPGA as an accelerator for a Linux netfilter firewall. Our evaluation demonstrates 30-fold performance gains in comparison to software-only processing.



Packet classification, FPGA hardware accelerator, Firewall

Journal Title

ANCS 2016 - Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems

Conference Name

ANCS '16: Symposium on Architectures for Networking and Communications Systems


European Commission Horizon 2020 (H2020) Industrial Leadership (IL) (644866)
Horizon 2020 (Grant ID: SSICLOPS project, 644866)