kmod-nft-offload is a kernel module that enables the offloading of nftables rules to hardware, such as Network Interface Cards (NICs) or SmartNICs. nftables is a powerful packet filtering framework that allows administrators to define complex network rules. However, as the number of rules and network traffic increases, the CPU can become bottlenecked, leading to decreased performance.
kmod-nft-offload is a Linux kernel module and userspace integration that enables nftables to offload packet-matching and action-processing work to network hardware (NICs and smart NICs) that supports flow offload. Offloading moves frequently executed datapath operations out of the kernel CPU path into the NIC, reducing CPU utilization, improving throughput, and lowering latency for high-volume packet flows such as those in data centers, cloud hosts, and edge gateways.
Once installed, you must enable it in the OpenWrt web interface (LuCI): navigate to Network > Firewall and look for the Routing/NAT Offloading section.
While software offloading works on almost any device, Hardware Flow Offloading is specific to certain chipsets (like some MediaTek or Marvell units).
Not all NICs support flow offloading. You generally need enterprise-grade hardware from vendors like Mellanox (Nvidia), Intel, or Netronome.
CONFIG_NFT_FLOW_OFFLOAD=y
CONFIG_NF_FLOW_TABLE=y
CONFIG_NET_FLOW_LIMIT=y # Optional, mitigates DoS on flowtable
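The ruleset below is an added example, not from the page or the kmod-nft-offload package, showing what the software and hardware offload paths described above look like in nftables terms: a flowtable bound to two interfaces, and a forward-chain rule that hands established connections to it. The interface names lan0 and wan0 are assumed placeholders.

```nft
# Added example: nftables flowtable offload (interfaces lan0/wan0 are assumed).
table inet fastpath {
    flowtable ft {
        hook ingress priority 0;
        devices = { lan0, wan0 };
        # Without "flags offload" this is a software flowtable, which works on
        # almost any device. With it, the kernel asks the NIC driver to install
        # the flow in hardware; a driver without flow-offload support rejects
        # the flowtable at load time, so remove the flag on such hardware.
        flags offload;
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only TCP/UDP connections that conntrack already sees as established
        # are added to the flowtable. The first packets of every connection
        # still traverse this chain, so the accept rules below decide policy.
        # Once a flow is offloaded, its later packets are handled at the
        # ingress hook and bypass this chain entirely: counters, logging or
        # rate limits placed here will not see them.
        meta l4proto { tcp, udp } flow add @ft

        ct state established,related accept
        iifname lan0 oifname wan0 accept
    }
}
```

After loading the file with nft -f, nft list flowtables shows whether the flowtable and its offload flag were accepted by the kernel.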