Kmod-nft-offload May 2026
nft list chain netdev filter ingress -a
If successful, a tool like perf or top will show near 0% CPU usage while routing traffic.
Unlocking Network Performance: The Power of kmod-nft-offload
In the realm of networking, optimizing performance and efficiency is crucial for ensuring seamless communication and data transfer. One key component that plays a vital role in achieving this goal is kmod-nft-offload. This article aims to provide an in-depth look at kmod-nft-offload, its functionality, and how it contributes to enhancing network performance.
What is kmod-nft-offload?
kmod-nft-offload is a Linux kernel module designed to offload Network Functions (NF) to hardware, specifically network interface cards (NICs) whose drivers support flow offload from nftables, the Linux firewall and packet filtering framework. The module enables the Linux kernel to leverage the processing power of capable network hardware, reducing the CPU load and improving overall network performance.
How does kmod-nft-offload work?
The kmod-nft-offload module works by integrating with the nftables framework, allowing it to offload packet processing tasks to supported network hardware. When a packet arrives at the network interface, the hardware performs the necessary processing, such as filtering, routing, and other Network Functions, without involving the CPU. This offloading mechanism frees up CPU resources, reducing the overhead associated with packet processing.
Benefits of kmod-nft-offload
The use of kmod-nft-offload offers several benefits, including:
Use cases for kmod-nft-offload
kmod-nft-offload is particularly useful in scenarios where high network performance and efficiency are critical, such as:
Conclusion
kmod-nft-offload is a valuable Linux kernel module that enables the offloading of Network Functions to hardware, improving network performance, scalability, and security. By leveraging the processing power of capable network hardware, kmod-nft-offload helps to reduce CPU load, increase throughput, and enhance overall network efficiency. As the demand for high-performance networking continues to grow, kmod-nft-offload is poised to play a critical role in unlocking the full potential of modern networks.
Once upon a time in the digital kingdom of OpenWrt, there was a quiet but powerful hero named kmod-nft-offload. This hero was not a soldier who fought every battle, but a master strategist who knew how to make the kingdom run faster and cooler.
The Problem of the Overworked King
In this kingdom, the CPU was the King. Every piece of data (called a "packet") that entered the kingdom had to be inspected by the King. He had to check their passports (IP addresses), their luggage (ports), and decide where they were allowed to go based on the Laws of the Land (the firewall rules).
As the kingdom grew and more people used high-speed fiber-optic roads, the King became exhausted. He spent all his time looking at packets, leaving him no energy to run other important programs like VPNs or file servers. The kingdom's internet speed began to slow down, and the King's palace (the router) started to get very hot.
Enter the Strategist: kmod-nft-offload
One day, a new advisor arrived: kmod-nft-offload. This was a specialized kernel module designed for the modern nftables firewall.
The strategist made a simple observation: "Many of these packets are part of the same long conversation. Once the King has approved the first packet of a video stream or a large download, why must he look at every single one that follows?"
How the Magic Worked
The strategist implemented a plan called Flow Offloading:
First Contact: The King still inspected the first packet to ensure it was safe.
The Shortcut: Once approved, kmod-nft-offload created a "fast lane" directly in the network hardware or a specialized software shortcut.
The Offload: All following packets in that conversation bypassed the King entirely. They zipped through the kingdom at lightning speed, handled by the strategist's specialized shortcuts.
The Result
The King was finally free! With kmod-nft-offload handling the heavy lifting, the King’s workload dropped from 100% down to nearly nothing. The kingdom's roads could now handle Gigabit speeds without breaking a sweat, and the palace stayed cool.
From that day on, whenever a citizen of OpenWrt wanted to reach maximum speed on their router, they made sure to invite the hero kmod-nft-offload to their system.
Turn on the hardware offload feature for your interface.
sudo ethtool -K eth0 hw-tc-offload on
sudo ethtool -K eth1 hw-tc-offload on
The module acts as a bridge between the nftables ruleset and the network driver's flow table.
[ Userspace: nft command ]
||
[ Kernel: nftables core ]
|| (flow_offload infrastructure)
[ kmod-nft-offload ] <--> [ Driver-specific offload engine (e.g., Mellanox eSwitch) ]
Workflow:
kmod-nft-offload is production-ready for simple, high-throughput forwarding scenarios (routers, vSwitch acceleration, 5G UPF). Avoid using with complex stateful rulesets.
Recommendations:
Appendix A: Related Kernel Options
CONFIG_NFT_FLOW_OFFLOAD=y
CONFIG_NF_FLOW_TABLE=y
CONFIG_NET_FLOW_LIMIT=y # Optional, mitigates DoS on flowtable
Appendix B: Sample Offloadable vs Non-Offloadable Rule
# Offloadable (assumes a flowtable named ft has already been declared in table inet filter)
nft add rule inet filter forward oif "eth0" ip protocol tcp flow add @ft
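As an added example that is not part of the original page, the ruleset below puts the three-step plan from the story above (inspect the first packet, create the fast lane, offload the rest) into a complete nftables configuration and supplies the flowtable that the Appendix B rule depends on. The interface names eth0 and eth1, the flowtable name ft and the allowed ports are assumptions.

```nft
table inet filter {
    # The flowtable is the "fast lane": established connections added to it
    # are forwarded by the flowtable fastpath instead of traversing the
    # ruleset again. "flags offload" additionally asks the NIC driver to
    # program each flow into hardware (needs hw-tc-offload on the devices).
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, eth1 }   # assumed interface names
        flags offload
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # First contact: new connections are still inspected by the ruleset.
        ct state invalid drop
        iifname "eth1" oifname "eth0" ct state new tcp dport { 80, 443 } accept

        # The shortcut: once a connection is established, hand it to the
        # flowtable so its remaining packets bypass this chain entirely.
        meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
    }
}
```

If the driver rejects the hardware offload request, remove `flags offload`; the same ruleset then still uses the software fastpath, which is what kmod-nft-offload provides on routers without offload-capable NICs.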
Category: Networking / Kernel Modules

