kmod-nft-offload
The OpenWrt kernel module kmod-nft-offload provides Netfilter support for routing and NAT offloading. It is a critical component for users looking to maximize network throughput by moving packet processing from the general CPU to specialized hardware or optimized software paths.
What is kmod-nft-offload?
This module enables hardware or software flow offloading within the nftables framework. By offloading flows, the router can skip several expensive networking stack steps for established connections, significantly reducing CPU usage and increasing maximum transfer speeds, especially on Gigabit connections.
Key Technical Details
Dependencies: This module typically requires kmod-nf-flow and kmod-nft-nat to function.
Implementation: It works by utilizing the Linux kernel's nf_flow_table_offload.c.
Use Case: Essential for high-speed NAT/Routing on supported hardware (like MediaTek or IPQ chipsets) or for "Software Flow Offloading" on devices without dedicated hardware engines.
Common Troubleshooting Tips
Missing Package Errors: If you encounter errors during a sysupgrade or installation (e.g., "Unknown package"), ensure your package lists are updated via opkg update. In recent OpenWrt versions (like 24.10), some related modules like kmod-nft-queue have been built directly into the kernel, which can occasionally cause dependency conflicts for older third-party packages.
PPPoE Performance: Users have reported that adding the physical WAN interface instead of the virtual PPPoE interface to the flowtable can lead to speed drops (e.g., from 1Gb/s to 200Mb/s). Ensure your configuration targets the correct interface.
Enabling the Feature: You can usually enable this in the OpenWrt web interface (LuCI) under Network -> Firewall -> Routing/NAT Offloading, or via the UCI configuration by setting option flow_offloading '1' and option hw_flow_offloading '1'.
The package kmod-nft-offload is a kernel module for OpenWrt that enables Hardware Flow Offloading for the nftables firewall. It allows the network hardware (NIC/Switch) to handle packet routing and NAT tasks directly, significantly reducing CPU load and increasing throughput.
Key Details
Purpose: Offloads packet processing from the CPU to dedicated hardware logic within the network chipset.
Context: Typically used in OpenWrt versions 21.02 and newer, often in conjunction with firewall4 and nftables.
Dependencies: It usually depends on kmod-nf-flow and specific hardware-supported drivers (like those for MediaTek or Rockchip SoCs).
Implementation Methods
You can activate this module's functionality through two primary methods:
Firewall4 (Recommended): Enable the "Hardware flow offloading" option within the OpenWrt LuCI web interface or via the UCI configuration.
Manual nftables: Define a flowtable in your nftables configuration with the offload flag (flags offload;), as documented in the Linux kernel networking guides.
Common Use Cases
Gigabit Routing: Essential for lower-powered routers to achieve full gigabit speeds without maxing out the CPU.
Custom Builds: Frequently included in OpenWrt Image Builder profiles for high-performance devices like the NanoPi R1 Plus or GL.iNet Flint 2.
9. Conclusion & Recommendations
kmod-nft-offload is production-ready for simple, high-throughput forwarding scenarios (routers, vSwitch acceleration, 5G UPF). Avoid using with complex stateful rulesets.
Recommendations:
- Enable only on trusted, high-bandwidth internal interfaces.
- Monitor nf_flowtable statistics to ensure the offload hit rate stays above 95%.
- Use in conjunction with TC hardware offload for consistent policy across both subsystems.
Appendix A: Related Kernel Options
CONFIG_NFT_FLOW_OFFLOAD=y
CONFIG_NF_FLOW_TABLE=y
CONFIG_NET_FLOW_LIMIT=y # Optional, mitigates DoS on flowtable
Appendix B: Sample Offloadable vs Non-Offloadable Rule
# Offloadable: hands matching TCP flows to a flowtable (the flowtable name "ft" is assumed here)
nft add rule inet filter forward oif "eth0" ip protocol tcp flow add @ft
Step-by-Step Guide: Enabling kmod-nft-offload
Let's walk through a practical deployment on a router with a Mellanox ConnectX-5 and AlmaLinux 9 / Fedora.
Title: Introducing kmod-nft-offload – Hardware Offload for nftables
Category: Networking / Kernel Modules
🚀 Real-World Impact
| Metric | Software nftables | With kmod-nft-offload |
|--------|-------------------|-----------------------|
| PPS (64B packets) | ~1-2 Mpps | 10-100+ Mpps (hardware-dependent) |
| CPU usage | 100% (one core) | ~0% for forwarded packets |
| Latency | Microseconds | Nanoseconds (wire speed) |
✅ Ideal for:
- Routers / gateways
- NFV (Network Function Virtualization)
- Edge firewalls
- High-frequency trading networks
- Cloud load balancers
Verify offload status
nft list ruleset | grep -A1 "offload"
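The grep above only shows whether the word "offload" appears. The following script, added here as an example and not part of any of the quoted posts or of OpenWrt itself, goes a step further: it parses the flowtable block of `nft list ruleset` output, lists the devices bound to the flowtable, reports whether the hardware `offload` flag is set, and checks that the expected WAN device (for PPPoE, the virtual `pppoe-wan` interface rather than the physical port, as the PPPoE Performance tip warns) is actually in the flowtable. The ruleset text is a constructed sample in the style fw4 emits, the flowtable name `ft` is assumed, and on a real router the sample would be replaced by the live output of `nft list ruleset`.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (fw4 style), not a real capture.
# Hardware offload is requested, but the WAN side of the flowtable is the raw port eth0.
SAMPLE_RULESET='table inet fw4 {
	flowtable ft {
		hook ingress priority filter
		devices = { br-lan, eth0 }
		flags offload
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		meta l4proto { tcp, udp } flow add @ft
	}
}'

# Same sample without "flags offload": software flow offloading only.
SAMPLE_SW_RULESET='table inet fw4 {
	flowtable ft {
		hook ingress priority filter
		devices = { br-lan, pppoe-wan }
	}
}'

# Print the devices bound to the named flowtable, one per line.
# $1 = ruleset text, $2 = flowtable name
flowtable_devices() {
    printf '%s\n' "$1" | awk -v ft="$2" '
        $1 == "flowtable" && $2 == ft { inft = 1; next }
        inft && $1 == "}"             { exit }
        inft && $1 == "devices" {
            lb = index($0, "{"); rb = index($0, "}")
            n = split(substr($0, lb + 1, rb - lb - 1), dev, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", dev[i])   # trim spaces around each device name
                print dev[i]
            }
            exit
        }
    '
}

# Succeed (exit 0) if the named flowtable carries the hardware "offload" flag.
# $1 = ruleset text, $2 = flowtable name
flowtable_hw_offload() {
    printf '%s\n' "$1" | awk -v ft="$2" '
        $1 == "flowtable" && $2 == ft { inft = 1; next }
        inft && $1 == "}"             { exit }
        inft && $1 == "flags" && $0 ~ /offload/ { found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Check that the device carrying WAN traffic is in the flowtable.
# $1 = ruleset text, $2 = flowtable name, $3 = expected WAN device
check_wan_device() {
    for dev in $(flowtable_devices "$1" "$2"); do
        if [ "$dev" = "$3" ]; then
            echo "ok: $3 is bound to flowtable $2"
            return 0
        fi
    done
    echo "warn: $3 is not bound to flowtable $2 (bound: $(flowtable_devices "$1" "$2" | tr '\n' ' '))"
    return 1
}

# Demo on the constructed sample; on a router use: RULESET=$(nft list ruleset)
if flowtable_hw_offload "$SAMPLE_RULESET" ft; then
    echo "flowtable ft: hardware offload flag set"
else
    echo "flowtable ft: software offload only"
fi
# A PPPoE WAN should appear as pppoe-wan; the sample only has eth0, so this warns.
check_wan_device "$SAMPLE_RULESET" ft pppoe-wan || true
check_wan_device "$SAMPLE_RULESET" ft eth0
```

The devices line is parsed by position of the braces rather than by a regular expression so that the script behaves the same under busybox awk on the router and gawk on a workstation. A warning from `check_wan_device` does not prove a misconfiguration on its own, since a non-PPPoE setup legitimately binds the physical port; it is the prompt to compare the flowtable against the WAN interface fw4 was configured with.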