Kmod-nft-offload [WORKING]

| Supported | Not Supported |
|-----------|----------------|
| IPv4/IPv6 forwarding | Dynamic NAT (SNAT/DNAT with port mapping) |
| Simple VLAN tagging | Bridge port isolation |
| Basic conntrack (established/related) | Rules with log, queue, limit |
| Matching on input/output interfaces | Stateful expressions (e.g., ct state new in same flow) |


For hardware offload to function, several components must work in concert. The kernel's nftables subsystem, enhanced by kmod-nft-offload, interacts with the network driver using a standardized API. Specifically, the offload logic leverages the netdev_ops->ndo_setup_tc() interface and the TC_SETUP_CLSFLOWER classifier to communicate with the driver.

Servers running multiple Virtual Machines (VMs) where networking overhead can quickly eat into available resources.

Traditionally, every packet entering your router is processed by the CPU. The CPU inspects the packet, checks it against firewall rules (nftables), determines its destination (routing), and modifies its headers (NAT). For every single packet, this "software path" consumes CPU cycles.

```sh
uci set firewall.@defaults[0].flow_offloading=1
uci set firewall.@defaults[0].flow_offloading_hw=1
uci commit firewall
/etc/init.d/firewall restart
```

kmod-nft-offload vs. kmod-natflow

Highly dependent on specialized hardware and proprietary or open-source vendor driver support.

3. Performance Impact: A Real-World View

Some nftables rules cannot be offloaded. Complex rules involving queuing or certain Mangle table operations might force traffic to return to the slow software path.
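The check below is an added example, not code from kmod-nft-offload or from the original page: it scans a ruleset for the statements the table above lists as not supported and reports flowtables declared without `flags offload`. The regular expressions, function names and the sample ruleset are assumptions made for illustration; it reflects the page's table, not what a particular driver actually accepts.

```python
import re

# Not-offloadable statements per the page's table; regexes are this example's assumption.
BLOCKERS = {
    "log": r"\blog\b",
    "queue": r"\bqueue\b",
    "limit": r"\blimit\s+rate\b",
    "ct state new": r"\bct\s+state\s+(?:\{[^}]*|[\w,]*)\bnew\b",
    "NAT with port mapping": r"\b[sd]nat\s+(?:ip6?\s+)?to\s+(?:[\d.]+|\[[^\]]+\]):\d+",
}

# Constructed sample ruleset (not taken from a real device).
SAMPLE = """\
table inet filter {
    flowtable f {
        hook ingress priority 0;
        devices = { eth0, eth1 };
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip protocol { tcp, udp } flow offload @f
        ct state established,related accept
        iifname "eth0" ct state new log prefix "new queue " accept
        tcp dport 22 limit rate 10/minute accept
    }
}
"""

def strip_noise(line):
    """Drop quoted strings and # comments so words inside them never match."""
    return re.sub(r'"[^"]*"', '""', line).split("#", 1)[0]

def find_blockers(ruleset):
    """Return [(line_number, rule_text, [blocker names])] for flagged rules."""
    hits = []
    for no, raw in enumerate(ruleset.splitlines(), 1):
        names = [n for n, rx in BLOCKERS.items() if re.search(rx, strip_noise(raw))]
        if names:
            hits.append((no, raw.strip(), names))
    return hits

def flowtables_missing_hw_flag(ruleset):
    """Names of flowtables declared without `flags offload` (software path only)."""
    decls = re.findall(r"flowtable\s+(\w+)\s*\{(.*?)\n\s*\}", ruleset, re.S)
    return [name for name, body in decls if not re.search(r"\bflags\s+offload\b", body)]

if __name__ == "__main__":
    for no, rule, names in find_blockers(SAMPLE):
        print(f"line {no}: {', '.join(names)}: {rule}")
```

To review a live configuration, pass the text printed by `nft list ruleset` to both functions.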

```sh
make M=net/netfilter/ modules
insmod net/netfilter/nft_offload.ko
```

```
table inet filter {
    # Flowtable bound to the ingress hook of the listed devices
    flowtable f {
        hook ingress priority 0;
        devices = { eth0, eth1 };
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Hand TCP and UDP flows to the flowtable
        ip protocol { tcp, udp } flow offload @f
    }
}
```

When to Use It

As networking demands continue to scale, the role of hardware acceleration becomes more vital. kmod-nft-offload provides a stable, enterprise-ready way to leverage the power of modern NICs, ensuring that your Linux infrastructure remains fast, responsive, and efficient under even the heaviest traffic loads.

Kmod-nft-offload Apr 2026

A relatively recent version of nftables (the userspace utility) is required to support the flags offload directive in flowtable declarations.

The most common platform where users encounter kmod-nft-offload is OpenWrt, the popular Linux distribution for embedded devices. Here's a step-by-step guide to enabling it: