Kmod-nft-offload

As 100GbE and 400GbE NICs become common, software-only packet processing simply can’t keep up. Offloading isn’t a luxury — it’s the only way forward.

kmod-nft-offload is particularly useful in scenarios where high network performance and efficiency are critical, such as:

The packet is handed to the Linux kernel, which traverses the nftables (or iptables ) ruleset.

This public link is valid for 7 days and shares a thread, including any personal information you added. This link or copies made by others cannot be deleted. If you share with third parties, their policies apply. Can’t copy the link right now. Try again later. kmod-nft-offload - [OpenWrt Wiki] package

chain forward type filter hook forward priority filter ct state established flow add @fb

Not all rules can offload: ✅ Supported: IP forwarding, MAC rewrite, basic VLAN ❌ Unsupported: Stateful matching (ct), logging, dynamic sets, NAT (on some hardware)

Then, a rule is added to populate this hardware flowtable. Note that the rule's syntax is identical to the software case:

Certain architectures, such as older Qualcomm IPQ40xx targets, occasionally encounter bugs or regression loops under nftables -based offloading. Users might experience poor network performance or dropouts if the silicon drivers do not fully align with the standard Netfilter flow layout. How to Enable and Verify Offloading Option A: Using the LuCI Web Interface Open your web browser and log into the . Navigate to Network ➔ Firewall . Locate the Routing/NAT Flow Offloading section. Check Software flow offloading .

This file may show the number of offloaded flows, packet counters, and other relevant information.