Understanding kmod-nft-offload: Boosting Network Performance with Hardware Acceleration
In the world of modern Linux networking, efficiency is everything. As multi-gigabit connections become standard, the overhead of processing every packet through the CPU can become a significant bottleneck. This is where kmod-nft-offload comes into play: a kernel module designed to bridge the gap between high-level firewall rules and high-speed hardware processing.
What is kmod-nft-offload?
kmod-nft-offload is a Linux kernel module specifically packaged for enterprise distributions like Red Hat Enterprise Linux (RHEL), CentOS, and Fedora. Its primary function is to enable hardware flow offloading for nftables, the successor to the venerable iptables framework.
While standard nftables rules are processed by the system's CPU, kmod-nft-offload allows the kernel to "offload" established network flows directly to compatible Network Interface Cards (NICs). This means once a connection is verified and established, the hardware takes over the heavy lifting, bypassing the CPU for subsequent packets in that stream.
How Flow Offloading Works
To appreciate what this module does, it helps to understand the "fast path" vs. "slow path" architecture:
The Slow Path (Control Plane): When a new connection (like a TCP handshake) arrives, it is processed by the CPU. The nftables engine checks the rules, determines if the traffic is allowed, and sets up a connection tracking entry.
The Fast Path (Data Plane): If hardware offloading is enabled via kmod-nft-offload, the kernel sends a message to the NIC's firmware. The hardware then creates a shortcut for that specific flow.
Bypassing the Kernel: Future packets for that connection are switched or routed entirely within the NIC hardware. This drastically reduces CPU utilization and lowers latency.
Key Benefits
Reduced CPU Overhead: By moving packet processing to the NIC, the CPU is freed up to handle application-level tasks, which is critical for high-load servers or virtualized environments.
Increased Throughput: Hardware is purpose-built for packet switching. Offloading allows systems to reach line-rate speeds (e.g., 10Gbps, 40Gbps, or 100Gbps) that might otherwise saturate a standard CPU.
Power Efficiency: Processing packets in specialized silicon is generally more power-efficient than using general-purpose CPU cycles.
Prerequisites and Compatibility
To utilize kmod-nft-offload, you typically need three things:
A Compatible Kernel: Modern Linux kernels (5.x and above) have the core infrastructure, but the specific kmod package ensures all dependencies are met for your specific distribution.
Hardware Support: Not all NICs support flow offloading. You generally need enterprise-grade hardware from vendors like Mellanox (Nvidia), Intel, or Netronome.
nftables Configuration: Your firewall rules must be written to support the flowtable directive. A typical configuration looks like this:
    table inet filter {
        flowtable f {
            hook ingress priority 0;
            devices = { eth0, eth1 };
            # add "flags offload;" here to request hardware offload; without it the flowtable is a software fast path
        }
        chain forward {
            type filter hook forward priority 0; policy accept;
            ip protocol { tcp, udp } flow offload @f
        }
    }
When to Use It
kmod-nft-offload is not a "magic button" for every home PC. It is most effective in:
Edge Routers: High-traffic gateways that move massive amounts of data between networks.
Hypervisors: Servers running multiple Virtual Machines (VMs) where networking overhead can quickly eat into available resources.
Content Delivery Networks (CDNs): Environments where low latency and high bandwidth are the top priorities.
Conclusion
As networking demands continue to scale, the role of hardware acceleration becomes more vital. kmod-nft-offload provides a stable, enterprise-ready way to leverage the power of modern NICs, ensuring that your Linux infrastructure remains fast, responsive, and efficient under even the heaviest traffic loads.
Kmod-nft-offload Apr 2026
The OpenWrt kernel module kmod-nft-offload provides Netfilter nf_tables support for routing and NAT offloading. It is a critical component for users looking to maximize network throughput by moving packet processing from the general CPU to specialized hardware or optimized software paths.
What is kmod-nft-offload?
This module enables hardware or software flow offloading within the nf_tables framework. By offloading flows, the router can skip several expensive networking stack steps for established connections, significantly reducing CPU usage and increasing maximum transfer speeds, especially on Gigabit connections.
Key Technical Details
Dependencies: This module typically requires kmod-nf-flow and kmod-nft-nat to function.
Implementation: It works by utilizing the Linux kernel's nf_flow_table_offload.c
Essential for high-speed NAT/Routing on supported hardware (like MediaTek or IPQ chipsets) or for "Software Flow Offloading" on devices without dedicated hardware engines.
Common Troubleshooting Tips
Missing Package Errors: If you encounter errors during a sysupgrade or installation (e.g., "Unknown package"), ensure your package lists are updated via opkg update. In recent OpenWrt versions (like 24.10), some related modules like kmod-nft-queue have been built directly into the kernel, which can occasionally cause dependency conflicts for older third-party packages.
PPPoE Performance: Users have reported that adding the physical WAN interface instead of the virtual PPPoE interface to the flowtable can lead to speed drops (e.g., from 1Gb/s to 200Mb/s). Ensure your configuration targets the correct interface.
Enabling the Feature: You can usually enable this in the OpenWrt web interface (LuCI) under Network -> Firewall -> Routing/NAT Offloading or via the UCI configuration by setting:
    option flow_offloading '1'
    option hw_flow_offloading '1'
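To check that enabling offloading actually moves traffic to the fast path (useful when chasing a slowdown like the PPPoE case above), the following added example, which is not part of the original page, classifies connection-tracking entries by the [OFFLOAD] and [HW_OFFLOAD] flags the kernel prints for offloaded flows. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify connection-tracking entries by forwarding path.
# Input: lines in the format of /proc/net/nf_conntrack or `conntrack -L`.

# Prints "hw=<n> sw=<n> slow=<n> missed_tcp=<n>". missed_tcp counts
# ESTABLISHED TCP entries that carry no offload flag.
classify_flows() {
    awk '
        NF == 0          { next }
        /\[HW_OFFLOAD\]/ { hw++; next }
        /\[OFFLOAD\]/    { sw++; next }
        { slow++ }
        /(^|[ \t])tcp[ \t]/ && /ESTABLISHED/ { missed++ }
        END { printf "hw=%d sw=%d slow=%d missed_tcp=%d\n", hw, sw, slow, missed }
    '
}

# Prints "src -> dst:dport" (original direction) for each missed TCP flow.
list_missed_tcp() {
    awk '
        /\[HW_OFFLOAD\]|\[OFFLOAD\]/ { next }
        /(^|[ \t])tcp[ \t]/ && /ESTABLISHED/ {
            src = dst = dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == ""   && $i ~ /^src=/)   src = substr($i, 5)
                if (dst == ""   && $i ~ /^dst=/)   dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            print src " -> " dst ":" dport
        }
    '
}

# Constructed sample entries (documentation addresses, not captured data).
sample_conntrack() {
    cat <<'EOF'
ipv4 2 tcp 6 src=192.168.1.10 dst=203.0.113.5 sport=51514 dport=443 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=51514 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=192.168.1.11 dst=203.0.113.9 sport=40022 dport=22 src=203.0.113.9 dst=198.51.100.2 sport=22 dport=40022 [OFFLOAD] mark=0 zone=0 use=3
ipv4 2 udp 17 src=192.168.1.12 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=5353 [OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 431990 ESTABLISHED src=192.168.1.20 dst=203.0.113.80 sport=49152 dport=8443 src=203.0.113.80 dst=198.51.100.2 sport=8443 dport=49152 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 58 SYN_SENT src=192.168.1.21 dst=203.0.113.7 sport=49200 dport=80 [UNREPLIED] src=203.0.113.7 dst=198.51.100.2 sport=80 dport=49200 mark=0 zone=0 use=2
EOF
}

sample_conntrack | classify_flows    # live: classify_flows < /proc/net/nf_conntrack
sample_conntrack | list_missed_tcp
```

A steadily growing missed_tcp count while an offload rule for TCP is loaded suggests the rule or the flowtable's device list does not match the path the traffic takes.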
This report outlines the purpose, technical specifications, and performance impact of the kmod-nft-offload kernel module within the OpenWrt ecosystem.
1. Executive Summary
The kmod-nft-offload package provides Netfilter nf_tables routing and NAT offload support. It is a critical component for routers with limited CPU power, as it allows established network flows to bypass the standard, CPU-intensive Linux networking stack after the initial connection setup.
2. Technical Specifications
Module Name: kmod-nft-offload
Dependencies: kmod-nf-flow, kmod-nft-nat
Functionality: It enables the flow offload action in nftables, which instructs the kernel to move specific TCP or UDP flows into a fast-path flowtable.
3. Performance Impact
Throughput: Can increase forwarding bandwidth by for software offload. (OpenWrt Wiki)
Significantly reduces CPU load by bypassing the L3 network stack for established packets. (YouTube Guide)
Latency/Jitter: Generally improves overall latency by relieving a fully loaded CPU. (OpenWrt Wiki)
4. Limitations & Known Issues
Software flow offloading implications - OpenWrt Forum
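# Offload matching flows into flowtable f (it must already exist in table ip filter)
nft add rule ip filter forward iif eth0 oif eth1 ip daddr 192.168.1.0/24 flow offload @f
opkg install kmod-nft-offload
Turn on the hardware offload feature for your interface.
sudo ethtool -K eth0 hw-tc-offload on
sudo ethtool -K eth1 hw-tc-offload on
# Offload TCP flows into flowtable f, then count and accept the packet
nft add rule ip filter forward ip protocol tcp flow offload @f counter accept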
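A flowtable only accelerates traffic when a rule feeds it, and it only uses the NIC when it carries flags offload. The following added example (not from the original page; the function names and the sample ruleset are constructed) reads nft list ruleset output and reports both properties for each flowtable.

```shell
#!/bin/sh
# Added example: audit flowtables in `nft list ruleset` output read on stdin.
# Assumes nft's listing layout (one statement per line).
# Output per flowtable: <family> <table>/<name> mode=<hardware|software> devices=<list> used=<yes|no>
audit_flowtables() {
    awk '
        $1 == "table"     { tbl = $2 " " $3; next }
        $1 == "flowtable" { ft = tbl "/" $2; order[++n] = ft; mode[ft] = "software"; inft = 1; next }
        inft && $1 == "flags" && /offload/ { mode[ft] = "hardware"; next }
        inft && $1 == "devices" { d = $0; sub(/^[^{]*[{][ \t]*/, "", d); sub(/[ \t]*[}].*$/, "", d)
                                  gsub(/[ \t]/, "", d); dev[ft] = d; next }
        inft && $1 == "}" { inft = 0; next }
        {   # rule lines: "flow add @name" or "flow offload @name"
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "flow" && $(i+1) ~ /^(add|offload)$/ && $(i+2) ~ /^@/) {
                    name = substr($(i+2), 2); sub(/;$/, "", name)
                    used[tbl "/" name] = 1
                }
        }
        END {
            for (k = 1; k <= n; k++)
                printf "%s mode=%s devices=%s used=%s\n", order[k], mode[order[k]],
                       dev[order[k]], ((order[k] in used) ? "yes" : "no")
        }
    '
}

# Constructed sample ruleset: f is software-only, hw is never fed by a rule.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    flowtable f {
        hook ingress priority filter
        devices = { eth0, eth1 }
    }
    flowtable hw {
        hook ingress priority filter
        devices = { eth2, eth3 }
        flags offload
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip protocol { tcp, udp } flow add @f
    }
}
EOF
}

sample_ruleset | audit_flowtables    # live: nft list ruleset | audit_flowtables
```

A line with mode=software means established flows skip the forward chain in the kernel but still consume CPU; a line with used=no means nothing is being offloaded through that flowtable at all.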