kmod-nft-offload
kmod-nft-offload translates this flowtable entry into instructions that the underlying hardware switch chip or NIC network processor understands.
kmod-nft-offload is a Linux kernel module that enables hardware flow offloading for nftables rulesets. It works by offloading flow rules to network devices that support flow block offloading (e.g., certain SmartNICs, switchdev drivers, or SoC ethernet controllers).
Without hardware offloading, gigabit routing requires significant CPU power.

                      Software Routing                    Hardware Offloading (kmod-nft-offload)
  CPU load            High (often 100% on gigabit lines)  Extremely low (1-5%)
  Throughput          Limited by CPU clock speed          Capped only by physical port limits
  Router temperature  High under heavy load               Cool and stable
  Bufferbloat         Higher risk due to CPU queues       Minimized

Supported Hardware Architecture
To use nft-offload , you define a flowtable in your nftables configuration and associate it with a specific network interface.
On specific hardware such as the ipq40xx, alternative solutions like kmod-natflow have been shown to outperform kmod-nft-offload, reaching over 900 Mbps.

Compatibility & Stability
The legacy framework that processed packets through sequential rules, which strained the CPU at high speeds.
Ensure the command is persistent across reboots.
For routers and NAT gateways, every forwarded packet typically passes through the connection tracking system and firewall rules. Offloading this process to hardware can result in a large increase in throughput and a significant reduction in CPU usage. This is especially beneficial for multi-gigabit connections, where software processing can easily become saturated.
Traffic shaping tools like luci-app-sqm rely on inspecting and queuing every packet. Because offloaded traffic bypasses this mechanism, enabling offloading usually disables active traffic shaping.
# Add this to /etc/nftables.d/abc.nft (any name ending in .nft)
flowtable pft {
    hook ingress priority filter;
    devices = { lan1, lan2, lan3, lan4, lan5 };
    flags offload;
    counter;
}
Some open-source Wi-Fi or switch drivers experience race conditions when hardware offloading is active. If your router reboots during large torrent downloads or speed tests, disable hardware flow offloading but keep software flow offloading active. Software offloading offers a reliable middle ground for performance.
At high speeds (>1 Gbps), this process consumes massive amounts of CPU cycles, bottlenecking the network throughput.

The Solution: Hardware Offload with kmod-nft-offload
The Linux networking subsystem historically relied on iptables for firewalling, where the equivalent optimization package was kmod-ipt-offload.
In OpenWrt, offloading is typically categorized into two types, both of which utilize the capabilities provided by this module:
Without offloading, the main CPU inspects every network packet. The CPU applies firewall rules, routes the packet, and modifies headers. This process consumes significant CPU cycles.
The return statement is crucial; it hands the packet back to fw4 for further processing if it wasn't offloaded, ensuring that the firewall rules are still respected.
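As an added example that is not taken from the OpenWrt wiki, the following stand-alone ruleset pairs a hardware-offloaded flowtable with the forward-chain rule that feeds it; the interface names wan and lan1..lan4 are assumptions for a typical router. Because only confirmed, established conntrack entries are ever handed to the flowtable, the first packets of every connection still traverse the whole forward chain, so the firewall policy still decides which flows may exist, while the flowtable counter shows exactly how much traffic later rules, tc qdiscs and SQM will no longer see.

```nft
# Added example (not from the page or from fw4). Interface names are assumptions.
table inet example_offload {
	# Hardware offload: established flows are pushed to the NIC/switch driver
	# through flow block offload. Remove "flags offload" to fall back to the
	# software fast path: the CPU still forwards, but later rules and qdiscs
	# are bypassed in exactly the same way.
	flowtable ft {
		hook ingress priority filter;
		devices = { wan, lan1, lan2, lan3, lan4 };
		flags offload;
		# Packets counted here have left the normal rule/qdisc path.
		counter;
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		# Only established TCP/UDP connections are candidates for the flowtable.
		# "flow add" does not terminate rule evaluation, so a packet that is not
		# offloaded continues to the rules below.
		ct state established meta l4proto { tcp, udp } flow add @ft

		# The policy below is still what decides whether a flow can be created
		# at all, because the connection's first packets never hit the flowtable.
		ct state established,related accept
		iifname { "lan1", "lan2", "lan3", "lan4" } oifname "wan" accept
		ct state invalid drop
	}
}
```

Load it with `nft -f <file>` and inspect `nft list flowtable inet example_offload ft`: a rising counter confirms that flows are being offloaded, and a flowtable that fails to load with "flags offload" means the driver for one of the listed devices does not support flow block offload.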
The kernel module changes this dynamic. It relies on a structural chain of dependencies within the OpenWrt kernel subsystem: