Kmod-nft-offload
| Metric | Software nftables | With kmod-nft-offload |
|--------|------------------|--------------------------|
| PPS (64B packets) | ~1-2 Mpps | 10-100+ Mpps (hardware-dependent) |
| CPU usage | 100% (one core) | ~0% for forwarded packets |
| Latency | Microseconds | Nanoseconds (wire speed) |
Inspect the active ruleset with:
```
nft list ruleset
```
| Supported | Not Supported |
|-----------|----------------|
| IPv4/IPv6 forwarding | Dynamic NAT (SNAT/DNAT with port mapping) |
| Simple VLAN tagging | Bridge port isolation |
| Basic conntrack (established/related) | Rules with log, queue, limit |
| Matching on input/output interfaces | Stateful expressions (e.g., ct state new in same flow) |
Turn on the hardware offload feature for each interface that will be bound to the flowtable:
```
sudo ethtool -K eth0 hw-tc-offload on
sudo ethtool -K eth1 hw-tc-offload on
```
kmod-nft-offload is a Linux kernel module that allows nftables rules to be offloaded directly to network hardware (smart NICs or switches) that support flow offloading.
In simple terms:
- kmod = kernel module
- nft = nftables framework
- offload = push work to hardware
To use nft-offload, you define a flowtable in your nftables configuration and associate it with a specific network interface.
Example nft configuration syntax (device lists need braces, the flowtable needs `flags offload` for hardware offload, and the `flow add` rule must come before the general accept rule or it is never reached):
```
table ip filter {
    # 1. Define the flowtable and bind it to the offload-capable interfaces
    flowtable f1 {
        hook ingress priority 0; devices = { eth0, eth1 };
        # The 'offload' flag asks the NIC driver to handle the flows in hardware;
        # without it the flowtable is a software fast path only
        flags offload;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # 2. Offload established TCP connections to the flowtable
        #    (placed before the generic accept, which would otherwise terminate
        #    rule evaluation before this rule is seen)
        meta l4proto tcp ct state established flow add @f1 accept
        # 3. Standard policy for everything else that conntrack already knows
        ct state established,related accept
    }
}
```
What happens here? The first packets of a connection traverse the forward chain normally (the chain policy is accept). Once conntrack marks a TCP connection as established, the `flow add @f1` rule inserts that flow into the flowtable; from then on, packets of the flow are matched at the ingress hook of eth0/eth1 and forwarded without passing through the forward chain, and with `flags offload` the NIC driver is asked to forward them in hardware.
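As an added example (my own code, not from the page or from the OpenWrt project), the following Python script parses the text form of `nft list ruleset` and checks the points the tables above raise: whether each `flow add` rule references a flowtable that exists and carries `flags offload`, which devices that flowtable binds, whether the rule uses matches the flowtable cannot offload (log, queue, limit, `ct state new`), and whether an earlier `accept` for established traffic makes the offload rule unreachable. The ruleset text is constructed for the demonstration, and the names `audit`, `Flowtable` and `Finding` are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nft list ruleset` output; not captured from a real router.
# It deliberately contains one good offload rule and three problematic ones.
SAMPLE_RULESET = """\
table ip filter {
\tflowtable f1 {
\t\thook ingress priority 0
\t\tdevices = { eth0, eth1 }
\t\tflags offload
\t}

\tchain forward {
\t\ttype filter hook forward priority filter; policy accept;
\t\tmeta l4proto tcp ct state established flow add @f1 accept
\t\tct state established,related accept
\t\tct state new limit rate 10/second flow add @f1
\t\tct state established flow add @nosuch
\t}
}
"""

# Matches that the page lists as not offloadable (heuristic, whole-word match).
UNSUPPORTED = ("log", "queue", "limit", "ct state new")


@dataclass
class Flowtable:
    name: str
    hook: str = ""
    priority: str = ""
    devices: list = field(default_factory=list)
    hw_offload: bool = False  # True when 'flags offload' is present


@dataclass
class Finding:
    chain: str
    rule: str
    problem: str


def parse_flowtables(text):
    """Collect flowtable definitions (hook, priority, devices, offload flag)."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"flowtable (\S+) \{", line)
        if m:
            current = Flowtable(m.group(1))
            tables[current.name] = current
            continue
        if current is None:
            continue
        if line == "}":  # end of this flowtable block
            current = None
            continue
        m = re.match(r"hook (\S+) priority (\S+)", line)
        if m:
            current.hook, current.priority = m.groups()
        m = re.match(r"devices = \{ (.*) \}", line)
        if m:
            current.devices = [d.strip() for d in m.group(1).split(",")]
        if line.startswith("flags") and "offload" in line:
            current.hw_offload = True
    return tables


def audit_flow_rules(text, flowtables):
    """Walk each chain and report problems with every 'flow add @ft' rule."""
    findings, chain, accept_seen = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            chain, accept_seen = m.group(1), False
            continue
        if line == "}":
            chain = None
            continue
        if chain is None or not line or line.startswith("type "):
            continue
        m = re.search(r"flow add @(\S+)", line)
        if not m:
            # A blanket accept for established traffic ends evaluation for
            # exactly the packets a later flow-add rule would need to see.
            if re.match(r"ct state established(,related)? accept$", line):
                accept_seen = True
            continue
        ft = m.group(1)
        if ft not in flowtables:
            findings.append(Finding(chain, line, f"references unknown flowtable @{ft}"))
        elif not flowtables[ft].hw_offload:
            findings.append(Finding(chain, line, f"@{ft} lacks 'flags offload' (software path only)"))
        for bad in UNSUPPORTED:
            if re.search(rf"\b{re.escape(bad)}\b", line):
                findings.append(Finding(chain, line, f"uses '{bad}', which is not offloadable"))
        if accept_seen:
            findings.append(Finding(chain, line, "unreachable: an earlier rule already accepts established traffic"))
    return findings


def audit(text):
    """Return (flowtables, findings) for one ruleset dump."""
    flowtables = parse_flowtables(text)
    return flowtables, audit_flow_rules(text, flowtables)


if __name__ == "__main__":
    tables, problems = audit(SAMPLE_RULESET)
    for t in tables.values():
        print(f"flowtable {t.name}: hook={t.hook} prio={t.priority} devices={t.devices} hw={t.hw_offload}")
    for f in problems:
        print(f"[{f.chain}] {f.rule!r}: {f.problem}")
```

Run it against a real dump with `nft list ruleset | python3 audit.py` after replacing `SAMPLE_RULESET` with `sys.stdin.read()`; a clean ruleset yields no findings, while the sample reports the unknown flowtable, the `limit` and `ct state new` matches, and the two rules shadowed by the earlier accept.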
The kmod-nft-offload kernel module is a hidden gem in the Linux networking stack. It bridges the gap between high-level configuration via nftables and the blistering speed of modern SmartNICs.
By mastering kmod-nft-offload, you transform your Linux server from a packet processor into a high-performance switching fabric, all while maintaining the open-source, flexible tooling you already love.
Once upon a time in the digital kingdom of OpenWrt, there was a quiet but powerful hero named kmod-nft-offload. This hero was not a soldier who fought every battle, but a master strategist who knew how to make the kingdom run faster and cooler.
The Problem of the Overworked King
In this kingdom, the CPU was the King. Every piece of data—called a "packet"—that entered the kingdom had to be inspected by the King. He had to check their passports (IP addresses), their luggage (ports), and decide where they were allowed to go based on the Laws of the Land (the Firewall rules).
As the kingdom grew and more people used high-speed fiber-optic roads, the King became exhausted. He spent all his time looking at packets, leaving him no energy to run other important programs like VPNs or file servers. The kingdom's internet speed began to slow down, and the King's palace (the router) started to get very hot.
Enter the Strategist: kmod-nft-offload
One day, a new advisor arrived: kmod-nft-offload. This was a specialized kernel module designed for the modern nftables firewall.
The strategist made a simple observation: "Many of these packets are part of the same long conversation. Once the King has approved the first packet of a video stream or a large download, why must he look at every single one that follows?"
How the Magic Worked
The strategist implemented a plan called Flow Offloading:
First Contact: The King still inspected the first packet to ensure it was safe.
The Shortcut: Once approved, kmod-nft-offload created a "fast lane" directly in the network hardware or a specialized software shortcut.
The Offload: All following packets in that conversation bypassed the King entirely. They zipped through the kingdom at lightning speed, handled by the strategist's specialized shortcuts.
The Result
The King was finally free! With kmod-nft-offload handling the heavy lifting, the King’s workload dropped from 100% down to nearly nothing. The kingdom's roads could now handle Gigabit speeds without breaking a sweat, and the palace stayed cool.
From that day on, whenever a citizen of OpenWrt wanted to reach maximum speed on their router, they made sure to invite the hero kmod-nft-offload to their system.
Understanding kmod-nft-offload in OpenWrt
kmod-nft-offload is a specialized Linux kernel module primarily used within the OpenWrt ecosystem to provide hardware and software flow offloading capabilities for the nf_tables (nftables) firewall framework.
Core Functionality and Architecture
This module acts as a bridge between the Linux networking stack and specialized hardware accelerators or optimized software paths.
- Purpose: It supports routing and NAT offloading by allowing established network flows to bypass certain parts of the standard kernel processing.
- Dependencies: To function correctly, it typically requires other kernel modules, including:
  - kmod-nf-flow: Handles the core flow table logic.
  - kmod-nft-nat: Required for offloading Network Address Translation (NAT) operations.
- Hardware vs. Software: While it supports generic software offloading (which reduces CPU load), its primary value lies in hardware flow offloading, where the networking hardware itself handles packet forwarding for established connections at near-line speeds.
Performance Impact and Use Cases
In high-bandwidth scenarios, such as gigabit fiber connections, standard CPU-based firewall processing can become a bottleneck.
- Speed Gains: Users have reported significant performance differences; for instance, turning offload on can increase connection speeds from 300 Mbps to over 700 Mbps on supported hardware.
- CPU Efficiency: By offloading flow processing, the main system CPU is freed up for other tasks like VPN encryption, storage management, or running applications.
Common Implementation Issues
Despite its benefits, users often encounter technical challenges when deploying kmod-nft-offload:
- Regression Issues: Some kernel versions (notably 4.19 and later) have seen performance regressions where enabling offload actually decreased throughput compared to older kernels.
- Conntrack Synchronization: A known issue involves the desynchronization between the kernel's connection tracking (conntrack) table and the offloading engine's table, which can lead to dropped packets or broken long-lived connections.
- Compatibility: On certain chipsets, such as the ipq40xx, performance may not reach expected levels due to driver-level bugs or configuration errors in the nftables implementation.
Managing the Module in OpenWrt
The module is usually included in standard OpenWrt releases (like 22.03.0 or 23.05.0) and can be managed via the opkg package manager.
Installation:
```
opkg update && opkg install kmod-nft-offload
```
Configuration: Typically enabled through the firewall configuration file at /etc/config/firewall by setting:
```
option flow_offloading '1'
```
This report outlines the purpose, technical specifications, and performance impact of the kmod-nft-offload kernel module within the OpenWrt ecosystem.
1. Executive Summary
The kmod-nft-offload package provides Netfilter nf_tables routing and NAT offload support. It is a critical component for routers with limited CPU power, as it allows established network flows to bypass the standard, CPU-intensive Linux networking stack after the initial connection setup.
2. Technical Specifications
- Module Name: kmod-nft-offload
- Dependencies: kmod-nf-flow, kmod-nft-nat
- Functionality: It enables the flow offload action in nftables rules, which instructs the kernel to move specific TCP or UDP flows into a fast-path flowtable.
3. Performance Impact
- Throughput: Can increase forwarding bandwidth with software offload (OpenWrt Wiki).
- CPU load: Significantly reduced by bypassing the L3 network stack for established packets.
- Latency/Jitter: Generally improves overall latency by relieving a fully loaded CPU (OpenWrt Wiki).
4. Limitations & Known Issues
See the OpenWrt Forum thread "Software flow offloading implications".