Kmod-nft-offload

It allows the router to "teach" the network interface card (NIC) or switch chip to handle established packet flows automatically.

```
opkg update
opkg install kmod-nft-offload
```

| Supported | Not Supported |
|-----------|----------------|
| IPv4/IPv6 forwarding | Dynamic NAT (SNAT/DNAT with port mapping) |
| Simple VLAN tagging | Bridge port isolation |
| Basic conntrack (established/related) | Rules with log, queue, limit |
| Matching on input/output interfaces | Stateful expressions (e.g., ct state new in same flow) |

kmod-nft-offload is a specialized but vital module for high-performance Linux networking. It bridges the gap between the flexibility of software-defined networking (nftables) and the speed of hardware switching. If you are building a custom router or optimizing an OpenWrt setup, enabling this module with proper nftables rules is the key to achieving gigabit-speed firewalling.

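```
# The table and flowtable "f" must exist first; eth0/eth1 are placeholder device names.
nft add table inet filter
nft add flowtable inet filter f '{ hook ingress priority 0; devices = { eth0, eth1 }; flags offload; }'
nft add chain inet filter forward '{ type filter hook forward priority filter; policy drop; }'
nft add rule inet filter forward ct state invalid drop
nft add rule inet filter forward 'tcp dport { 80, 443 } ct state established flow offload @f'
nft add rule inet filter forward ct state established,related accept
# This final rule accepts all remaining forwarded traffic, so the drop policy is never reached.
nft add rule inet filter forward accept
```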

kmod-nft-offload is a Linux kernel module that serves as the essential bridge between the packet filtering framework and hardware-accelerated flow offloading. It is a standard component in the OpenWrt distribution, a popular Linux-based operating system for embedded devices like routers and access points. The module is included as a default package on many OpenWrt targets, such as those based on the Realtek SoC, to provide firewall4 (fw4) and nftables support out of the box.

If hardware offloading is enabled via kmod-nft-offload, the kernel sends a message to the NIC's firmware. The hardware then creates a shortcut for that specific flow.

Whether you are configuring an enterprise-grade load balancer or optimizing a home router, understanding and implementing kmod-nft-offload is a crucial step toward building an efficient and scalable network infrastructure. As networking speeds continue to increase, the strategic offloading of packet processing to hardware will remain an indispensable tool for maximizing performance per watt.

Future packets for that connection are switched or routed entirely within the NIC hardware. This drastically reduces CPU utilization and lowers latency.
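The check below is an added example, not part of the original page or the package: it reads connection-tracking entries and reports which flows the kernel marked `[HW_OFFLOAD]` (handled in NIC hardware), `[OFFLOAD]` (software flowtable) or neither. The sample entries are constructed, and it assumes the router's kernel exposes `/proc/net/nf_conntrack`.

```shell
#!/bin/sh
# Added example (not from the original page): report which conntrack entries
# were offloaded. Kernel flags: [HW_OFFLOAD] = flow handled in NIC hardware,
# [OFFLOAD] = software flowtable fast path, neither = normal forward-chain path.

# Constructed sample in /proc/net/nf_conntrack layout (documentation addresses).
sample_conntrack() {
cat <<'EOF'
ipv4     2 tcp      6 src=192.168.1.10 dst=198.51.100.7 sport=40001 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=40001 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4     2 tcp      6 src=192.168.1.11 dst=198.51.100.7 sport=40002 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=40002 [OFFLOAD] mark=0 zone=0 use=3
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=198.51.100.9 sport=40003 dport=22 src=198.51.100.9 dst=203.0.113.5 sport=22 dport=40003 [ASSURED] mark=0 zone=0 use=1
ipv4     2 udp      17 25 src=192.168.1.10 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.5 sport=53 dport=5353 mark=0 zone=0 use=1
EOF
}

# Reads conntrack lines on stdin, prints "hw=N sw=N slow=N".
offload_summary() {
    awk '
        /\[HW_OFFLOAD\]/ { hw++; next }
        /\[OFFLOAD\]/    { sw++; next }
        NF               { slow++ }
        END { printf "hw=%d sw=%d slow=%d\n", hw, sw, slow }
    '
}

# Reads conntrack lines on stdin; lists flows to destination port $1 that are
# NOT in hardware, i.e. still handled by the router CPU.
not_in_hardware() {
    awk -v port="$1" '
        /\[HW_OFFLOAD\]/ { next }
        {
            src = ""; dst = ""; sport = ""; dport = ""
            for (i = 1; i <= NF; i++) {   # keep only the original-direction tuple
                if (src == ""   && $i ~ /^src=/)   src   = substr($i, 5)
                if (dst == ""   && $i ~ /^dst=/)   dst   = substr($i, 5)
                if (sport == "" && $i ~ /^sport=/) sport = substr($i, 7)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dport == port) print src ":" sport " -> " dst ":" dport
        }
    '
}

sample_conntrack | offload_summary
sample_conntrack | not_in_hardware 443
# On a router: offload_summary < /proc/net/nf_conntrack
```

A non-zero `sw` or `slow` count for traffic that the rules send to `@f` means those flows have not been placed in hardware.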

kmod-nft-offload is a Linux kernel module specifically packaged for enterprise distributions like , CentOS, and Fedora. Its primary function is to enable hardware flow offloading for nftables, the successor to the venerable iptables framework.

kmod-nft-offload is not a "magic button" for every home PC. It is most effective in:

The kmod-nft-offload package acts as the bridge between the Linux kernel's nftables subsystem and the underlying hardware drivers. It translates software-defined firewall rules and routing tables into instructions that the physical network hardware (such as MediaTek, Marvell, or Qualcomm processing engines) can execute.