Kmod-nft-offload
kmod-nft-offload is production-ready for simple, high-throughput forwarding scenarios (routers, vSwitch acceleration, 5G UPF). Avoid using it with complex stateful rulesets.
Recommendations:
Appendix A: Related Kernel Options
CONFIG_NFT_FLOW_OFFLOAD=y
CONFIG_NF_FLOW_TABLE=y
CONFIG_NET_FLOW_LIMIT=y # Optional, mitigates DoS on flowtable
Appendix B: Sample Offloadable vs Non-Offloadable Rule
# Offloadable
nft add rule inet filter forward oif "eth0" ip protocol tcp offload
kmod-nft-offload is a Linux kernel module that allows nftables rules to be offloaded directly to network hardware (smart NICs or switches) that support flow offloading. In simple terms:
kmod = kernel module
nft = nftables framework
offload = push work to hardware
nft list ruleset | grep -i offload
cat /proc/net/nf_flowtable # View hardware flows
The kmod-nft-offload kernel module is a hidden gem in the Linux networking stack. It bridges the gap between high-level configuration via nftables and the blistering speed of modern SmartNICs.
Key Takeaways:
By mastering kmod-nft-offload, you transform your Linux server from a packet processor into a high-performance switching fabric, all while maintaining the open-source, flexible tooling you already love.
Further Reading:
kmod-nft-offload is a kernel module for OpenWrt that provides Netfilter nf_tables routing and NAT offload support. It is a core component for improving network performance by moving packet processing from the CPU to specialized hardware or optimized software paths.
Key Features and Dependencies
Purpose: Enables Software Flow Offloading (Flow Offload) in the OpenWrt firewall4 (fw4) system.
Dependencies: Requires kernel, kmod-nf-flow, and kmod-nft-nat.
Performance Benefit: In supported setups, it can significantly increase throughput (e.g., jumping from ~260Mbps to ~680Mbps in certain speed tests) by bypassing intensive CPU-bound processing for established connections.
Usage and Troubleshooting
Installation: You can install it via the opkg package manager:
opkg update
opkg install kmod-nft-offload
Configuration: Typically enabled within the OpenWrt LuCI web interface under Network > Firewall > Routing/NAT Offloading.
Common Issues:
Architecture Limits: Hardware offloading is SOC-specific (e.g., Mediatek mt7621/7622). Older or lower-end single-core MIPS CPUs may not see significant gains even with software offloading.
Traffic Types: Offloading usually works only for forwarded traffic (WAN <-> LAN) and does not typically improve speeds for traffic bridged within the same interface (e.g., WLAN to LAN on the same bridge).
Compatibility: Ensure you are using a modern version of OpenWrt (19.01+ or current 23.05/25.12 builds) as older kernels (prior to 4.14) do not support flow offloading.
The OpenWrt kernel module kmod-nft-offload provides Netfilter support for routing and NAT offloading. It is a critical component for users looking to maximize network throughput by moving packet processing from the general CPU to specialized hardware or optimized software paths.
What is kmod-nft-offload?
This module enables hardware or software flow offloading within the framework. By offloading flows, the router can skip several expensive networking stack steps for established connections, significantly reducing CPU usage and increasing maximum transfer speeds, especially on Gigabit connections.
Key Technical Details
Dependencies: This module typically requires kmod-nf-flow and kmod-nft-nat to function.
Implementation: It works by utilizing the Linux kernel's nf_flow_table_offload.c
Essential for high-speed NAT/Routing on supported hardware (like MediaTek or IPQ chipsets) or for "Software Flow Offloading" on devices without dedicated hardware engines.
Common Troubleshooting Tips
Missing Package Errors: If you encounter errors during a sysupgrade or installation (e.g., "Unknown package"), ensure your package lists are updated via opkg update. In recent OpenWrt versions (like 24.10), some related modules like kmod-nft-queue have been built directly into the kernel, which can occasionally cause dependency conflicts for older third-party packages.
PPPoE Performance: Users have reported that adding the physical WAN interface instead of the virtual PPPoE interface to the flowtable can lead to speed drops (e.g., from 1Gb/s to 200Mb/s). Ensure your configuration targets the correct interface.
Enabling the Feature: You can usually enable this in the OpenWrt web interface (LuCI) under Network -> Firewall -> Routing/NAT Offloading or via the UCI configuration by setting:
option flow_offloading '1'
option hw_flow_offloading '1'
Unlocking Network Performance: The Power of kmod-nft-offload
In the realm of networking, optimizing performance and efficiency is crucial for ensuring seamless communication and data transfer. One key component that plays a vital role in achieving this goal is kmod-nft-offload. This article aims to provide an in-depth look at kmod-nft-offload, its functionality, and how it contributes to enhancing network performance.
What is kmod-nft-offload?
kmod-nft-offload is a Linux kernel module designed to offload Network Functions (NF) to hardware, specifically network interface cards (NICs) that support nftables, a popular firewall and packet filtering tool. The module enables the Linux kernel to leverage the processing power of capable network hardware, reducing the CPU load and improving overall network performance.
How does kmod-nft-offload work?
The kmod-nft-offload module works by integrating with the nftables framework, allowing it to offload packet processing tasks to supported network hardware. When a packet arrives at the network interface, the hardware performs the necessary processing, such as filtering, routing, and other Network Functions, without involving the CPU. This offloading mechanism frees up CPU resources, reducing the overhead associated with packet processing.
Benefits of kmod-nft-offload
The use of kmod-nft-offload offers several benefits, including:
Use cases for kmod-nft-offload
kmod-nft-offload is particularly useful in scenarios where high network performance and efficiency are critical, such as:
Conclusion
kmod-nft-offload is a valuable Linux kernel module that enables the offloading of Network Functions to hardware, improving network performance, scalability, and security. By leveraging the processing power of capable network hardware, kmod-nft-offload helps to reduce CPU load, increase throughput, and enhance overall network efficiency. As the demand for high-performance networking continues to grow, kmod-nft-offload is poised to play a critical role in unlocking the full potential of modern networks.
nft add rule netdev filter ingress ip protocol tcp tcp dport 22 accept offload
kmod-nft-offload is part of a bigger push toward Programmable Data Planes in Linux. Combined with P4, TC, and XDP, it’s turning standard servers into routing/switching beasts.
As 100GbE and 400GbE NICs become common, software-only packet processing simply can’t keep up. Offloading isn’t a luxury — it’s the only way forward.
nft add rule netdev filter ingress drop