
kmod-nft-offload is a kernel module for OpenWrt that provides Netfilter nf_tables routing and NAT offload support. It is a core component for improving network performance by moving packet processing from the CPU to specialized hardware or optimized software paths.

Key Features and Dependencies

This module enables hardware or software flow offloading within the

: Enable the "Hardware flow offloading" option within the OpenWrt LuCI web interface or via the UCI configuration.

chain lans type filter hook forward priority filter + 1; policy accept; flow add @pft return kmod-nft-offload

Despite its benefits, configuring hardware offload can sometimes be challenging. Here's a guide to common issues and their solutions:

kmod-nft-offload is a critical component for network administrators and enthusiasts looking to maximize the performance of their Linux-based routers. By shifting the burden of packet processing for established connections from the CPU to specialized network hardware, it enables near-wire-speed forwarding, dramatically reduces CPU load, and frees up resources for other tasks. While it requires specific hardware support and has limitations, particularly concerning bridge interfaces, the performance benefits it delivers for high-throughput routing scenarios are undeniable. As the Linux kernel and driver support continue to evolve, kmod-nft-offload will undoubtedly play an increasingly central role in high-performance networking on embedded systems and beyond.

: This can be a more complex issue. One effective workaround is to explicitly list your physical ports in the devices list of the flowtable, rather than the VLAN interfaces. Then, create specific rules to exclude the uplink port (which handles the VLAN) from offloading if needed. As seen in community examples, you can create a new flowtable that includes physical ports and then manually add forwarding rules for your VLANs:

nft_flow_offload 16384 0
nf_flow_table 32768 4 nft_flow_offload,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet

The magic happens with a kernel flowtable. When a connection is deemed established, its matching criteria (a 5-tuple of IP addresses, ports, and protocol) and the associated action (such as forwarding or NAT) are translated into a "flow rule" and programmed into the network device. Once offloaded, the hardware itself identifies and forwards subsequent packets belonging to that flow, completely bypassing the main CPU's netfilter stack and drastically reducing processing overhead.
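Because offloaded flows no longer traverse the netfilter stack, it is worth checking which connections are actually in the flowtable. The script below is an added example, not code from the original page or from OpenWrt. It assumes the kernel exposes /proc/net/nf_conntrack and tags flowtable entries with [OFFLOAD] (software) or [HW_OFFLOAD] (hardware); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify conntrack entries by offload state.
# Assumption: input follows the /proc/net/nf_conntrack layout, where flows held
# in a flowtable carry an [OFFLOAD] or [HW_OFFLOAD] tag.

# Constructed sample entries (not captured from a real router).
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 packets=912 bytes=84211 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 packets=1500 bytes=2100000 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4     2 udp      17 src=192.168.1.11 dst=198.51.100.9 sport=40000 dport=51820 packets=300 bytes=40000 src=198.51.100.9 dst=203.0.113.5 sport=51820 dport=40000 packets=280 bytes=39000 [OFFLOAD] mark=0 zone=0 use=3
ipv4     2 tcp      6 7440 ESTABLISHED src=192.168.1.12 dst=198.51.100.8 sport=50000 dport=22 packets=40 bytes=5200 src=198.51.100.8 dst=203.0.113.5 sport=22 dport=50000 packets=38 bytes=6100 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.13 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=70 src=192.168.1.1 dst=192.168.1.13 sport=53 dport=5353 packets=1 bytes=120 mark=0 zone=0 use=2
EOF
}

# offload_summary FILE: count hardware-offloaded, software-offloaded and slow-path flows.
offload_summary() {
    awk '
        /\[HW_OFFLOAD\]/ { hw++; next }
        /\[OFFLOAD\]/    { sw++; next }
        NF               { slow++ }
        END { printf "hw=%d sw=%d slow=%d\n", hw, sw, slow }
    ' "$1"
}

# offloaded_flows FILE: list each offloaded flow as "state proto src:sport -> dst:dport".
offloaded_flows() {
    awk '
        /\[(HW_)?OFFLOAD\]/ {
            state = ($0 ~ /\[HW_OFFLOAD\]/) ? "hw" : "sw"
            src = dst = sport = dport = ""
            for (i = 1; i <= NF; i++) {
                # Keep only the first (original-direction) tuple of the entry.
                if ($i ~ /^src=/   && src == "")   src   = substr($i, 5)
                if ($i ~ /^dst=/   && dst == "")   dst   = substr($i, 5)
                if ($i ~ /^sport=/ && sport == "") sport = substr($i, 7)
                if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
            }
            printf "%s %s %s:%s -> %s:%s\n", state, $3, src, sport, dst, dport
        }
    ' "$1"
}

# Demo on the constructed sample; on a router, pass /proc/net/nf_conntrack instead.
tmp=$(mktemp)
sample_conntrack > "$tmp"
offload_summary "$tmp"
offloaded_flows "$tmp"
rm -f "$tmp"
```

Flows listed here are the ones the page describes as bypassing the netfilter stack, so forward-chain rules added later will not see their subsequent packets.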

: Typically used in OpenWrt versions 21.02 and newer, often in conjunction with firewall4 and nftables.

The kmod-nft-offload package provides the necessary kernel support to offload the "fast path" of network traffic from the main CPU.

The kmod-nft-offload module is often part of a broader suite of modules that build the foundation for nftables to function:

The Power of Hardware Offloading: A Deep Dive into kmod-nft-offload

: You have flow_offloading_hw '1' in /etc/config/firewall, but upon restarting the firewall, you see:

In the world of high-performance networking, the CPU is often the bottleneck. As multi-gigabit internet speeds become more common, even powerful consumer routers struggle to keep up with the sheer volume of packets. This is where kmod-nft-offload comes into play.