Utilizing SmartNICs for high-performance firewalls

Thesis type: Bachelor Thesis
Supervisor: Florian Ritterhoff
Starting date: As soon as possible
Skills: LaTeX, Git, C, Linux
Language: English (preferred), German
Industry cooperation: not possible
Publish date: 2024-05-01

Problem and context

Processing network traffic at high speeds is a challenging task. In a conventional setup this is done by the Linux kernel itself, which generates a high rate of interrupts and is limited by the speed of the CPU and the capabilities of the kernel. SmartNICs are network cards with a programmable chip that can be used to offload network processing from the CPU to the card, so that traffic can be processed at high speeds and with low latency.

Modern Linux kernels allow flowtables to be defined with nftables that can be offloaded to NICs with the required hardware support. Because SmartNICs are rarely used and not widely available, the performance of such a setup has not been evaluated in large network environments.
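As an added example that is not part of the proposal, the kind of nftables ruleset such a setup is built from: a flowtable on the ingress hook with the hardware offload flag, fed only by forwarded connections that conntrack has already accepted. Interface names, table and flowtable names, and the sample policy are assumptions.

```nftables
# Added example (not from the proposal). Interface names enp1s0f0/enp1s0f1,
# the table name "fw" and the flowtable name "ft" are assumptions.
#
# Hardware offload additionally requires tc hardware offload to be enabled on
# each port before the ruleset is loaded (run outside nft, once per port):
#   ethtool -K enp1s0f0 hw-tc-offload on
#   ethtool -K enp1s0f1 hw-tc-offload on
# Without "flags offload" the same flowtable acts as a software fast path in
# the kernel, which gives a baseline to compare the NIC offload against.

table inet fw {
    flowtable ft {
        hook ingress priority 0; devices = { enp1s0f0, enp1s0f1 };
        # Ask the driver to program matching flows into the NIC.
        # Remove this line for the software-only measurement.
        flags offload;
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only connections the stateful firewall has already accepted are
        # added to the flowtable; the first packet of every connection still
        # traverses the full ruleset below, so policy is enforced once per flow.
        ct state established,related flow add @ft
        ct state established,related counter accept

        # Ordinary stateful policy for new connections (sample policy).
        ct state invalid counter drop
        iifname "enp1s0f0" oifname "enp1s0f1" tcp dport { 80, 443 } ct state new counter accept
        iifname "enp1s0f1" oifname "enp1s0f0" ct state new counter drop
    }
}
```

Loading it with `nft -f` and then comparing the `counter` values on the forward chain with the NIC's flow statistics shows which share of the traffic actually bypassed the kernel, which is the measurement the thesis is about.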

Besides offloading connection tracking and flow handling, SmartNICs offer the option to handle link aggregation and VLANs on the NIC itself.

Goals

The goal of this thesis is to use SmartNICs to build a high-performance, stateful firewall. This includes in particular debugging and comparing several configuration options for the Linux kernel, the SmartNICs themselves and nftables.

To this end we will provide you with several different Mellanox SmartNICs as well as the option to work with HM's IT department to discuss, test and evaluate the solution.

It may be necessary to debug some kernel code, so you should be somewhat familiar with C and Linux.

Literature

  1. https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
  2. https://lpc.events/event/4/contributions/463/attachments/286/485/2019-plumbers-lisboa.pdf