The programmable data plane model of software-defined networks (SDN) continues to gain adoption and support in many enterprise entities such as Google and Barefoot. This leading trend promises to enable flexible mechanisms for handling traffic on SDN switches. In the early stage of its development, few already-in-market proposals exploit the innovative features of a programmable data plane model to provide smart filters on the SDN switches against attack traffic if any. In this work, we therefore propose a security framework, so-called StateFit, which can flexibly filter attack traffic at the SDN programmable switches (data plane). The goal of StateFit is to reduce the latency and the signaling overhead that come along with the centralized architecture of SDN controllers and further provide innovative features for localized security services such as stateful monitoring. The experiment shows that our system is able to not only detect and prevent the attack traffic but also flexibly update the filtering policies and even the whole traffic interpreter onto the connected programmable switches. Following this approach, we believe that the vision of on-demand security services may come true soon.