Kmod-nft-offload

The kmod-nft-offload kernel module provides the necessary infrastructure to offload nftables rulesets to compatible network hardware (e.g., SmartNICs, switch ASICs). This report details its architecture, dependencies, performance implications, and deployment considerations. Enabling this module significantly reduces CPU load for high-bandwidth packet forwarding by moving flow processing from the Linux network stack to hardware.

Demystifying kmod-nft-offload: Maximizing Network Throughput in OpenWrt

Adding OpenWrt support for Xiaomi AX3600 (Part 1) - Page 325 kmod-nft-offload

Specifically, this module is part of the flow offloading mechanism, allowing the router to bypass the main CPU for packets that are part of an established, active connection. How kmod-nft-offload Improves Network Performance

Many modern network chips (especially in embedded routers and smart NICs) have dedicated hardware circuits for packet processing. kmod-nft-offload acts as the bridge between the Linux kernel's nftables rules and this hardware. It allows the kernel to "teach" the network hardware the firewall rules. It allows the kernel to "teach" the network

Some driver implementations for specific hardware (e.g., older Broadcom) may not fully support kmod-nft-offload .

Once the connection is validated and marked as "established," Nftables creates an entry in a specialized Flow Table . kmod-nft-offload

If you have a modern router running OpenWrt 22.03 or 23.05, ensuring this module is enabled is one of the best ways to upgrade your networking performance.

Kmod-nft-offload

Kmod-nft-offload

Kmod-nft-offload

Kmod-nft-offload

Kmod-nft-offload

Kmod-nft-offload

Kmod-nft-offload

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Support

Company