Kmod-nft-offload
If you have it installed, you don't usually interact with the module directly. Instead, you toggle it via the OpenWrt LuCI web interface:

1. Navigate to Routing/NAT Offloading.
2. Check the box for Software flow offloading (and Hardware flow offloading, if your specific device supports it).
3. Click Save & Apply.

kmod-nft-offload is a Linux kernel module that enables flow offloading for nftables rulesets. It works by offloading flow rules to network devices that support flow block offloading (e.g., certain SmartNICs, switchdev drivers, or SoC ethernet controllers).
This uses the CPU more efficiently by bypassing the complex Linux network stack for most packets in a flow. It works on almost all hardware and can significantly increase throughput for devices that are "CPU bound".
Standard Path:
[Packet In] ---> [Conntrack Evaluation] ---> [Firewall Rules Match] ---> [NAT Engine] ---> [Packet Out] (High CPU)
                          |
                          v (First packet creates entry in Flowtable)
Offloaded Path:
[Packet In] ---------> [kmod-nft-offload Flowtable Entry] ------------------------------> [Packet Out] (Low CPU)

1. Software Flow Offloading

In strict terms, kmod-nft-offload is not a standalone piece of software you install via yum or apt-get. Instead, it is a collective term used within distributions like Fedora, CentOS, RHEL, and Arch Linux to represent the kernel module supporting the mechanism for nftables.
Essential for translating private IP addresses to public ones (and vice versa) without adding significant CPU overhead.

Firewall4 (fw4): Modern OpenWrt versions use fw4, which is based on nftables. kmod-nft-offload is a critical part of the stack that allows fw4 to communicate with the hardware layer.

Troubleshooting and Modern Implementation
Frequently included in OpenWrt Image Builder profiles for high-performance devices like the NanoPi R1 Plus or GL.iNet Flint 2.
Typically enabled through the firewall configuration file at /etc/config/firewall by setting option flow_offloading '1'.
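    # @f refers to a flowtable named "f" that must be defined in the same table
    chain forward {
        type filter hook forward priority filter + 1; policy accept;
        # add TCP and UDP flows to the flowtable, then accept the packet
        ip protocol { tcp, udp } flow add @f accept
    }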
Driven directly by kmod-nft-offload, software offloading speeds up the software stack itself. Once a connection is identified as "established," the CPU bypasses the heavy code paths of the firewall.

If you need to log every packet for security, offloading will hide that traffic from the logger.

🔧 How to Enable It
Trade-offs / limitations:
This module is a core dependency for modern OpenWrt firewall configurations (

📦 Installation

In the OpenWrt terminal, you can install it using the opkg package manager:

    opkg update
    opkg install kmod-nft-offload

✅ Enabling Offloading
To verify that offloading is active via the command line, check your firewall configuration file:

    uci show firewall.@defaults[0]

Look for the following lines in the output:

    firewall.@defaults[0].flow_offloading='1'

(Software active)
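The verification step above can be combined with the logging caveat. The following is an added example, not code from the original page or from OpenWrt: a POSIX shell audit over `uci show firewall` output that flags flow offloading being enabled while zones or rules have `log` set. The sample configurations are constructed, the function names are hypothetical, and the `flow_offloading_hw` and `log` options are OpenWrt firewall options assumed here rather than shown on the page.

```shell
#!/bin/sh
# Added example. Both samples are constructed `uci show firewall` output.
SAMPLE_OFFLOAD_WITH_LOG="firewall.@defaults[0]=defaults
firewall.@defaults[0].flow_offloading='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].log='1'
firewall.@rule[9]=rule
firewall.@rule[9].name='Log-IoT-Forward'
firewall.@rule[9].log='1'"
SAMPLE_NO_OFFLOAD="firewall.@defaults[0]=defaults
firewall.@defaults[0].flow_offloading='0'
firewall.@zone[1]=zone
firewall.@zone[1].log='1'"

# Reads `uci show firewall` text on stdin; prints off, software or hardware.
offload_mode() {
    tr -d "'" | awk -F= '
        $1 == "firewall.@defaults[0].flow_offloading"    { sw = $2 }
        $1 == "firewall.@defaults[0].flow_offloading_hw" { hw = $2 }
        END { print ((sw != "1") ? "off" : ((hw == "1") ? "hardware" : "software")) }'
}

# Prints every firewall section (zone, rule, ...) whose log option is enabled.
logging_sections() {
    tr -d "'" | awk -F= '$1 ~ /^firewall\.[^.]+\.log$/ && $2 != "0" {
        sub(/\.log$/, "", $1); print $1 }'
}

# Returns 1 when offloading is on and at least one section expects logging.
audit_offload() {
    cfg=$(cat)
    mode=$(printf '%s\n' "$cfg" | offload_mode)
    logged=$(printf '%s\n' "$cfg" | logging_sections)
    if [ "$mode" != "off" ] && [ -n "$logged" ]; then
        echo "WARN: $mode flow offloading is on; offloaded flows bypass logging in:"
        echo "$logged"
        return 1
    fi
    echo "OK: offloading=$mode"
}

# On a router, audit the live config; elsewhere, run on the constructed sample.
if command -v uci >/dev/null 2>&1; then
    uci show firewall | audit_offload || true
else
    printf '%s\n' "$SAMPLE_OFFLOAD_WITH_LOG" | audit_offload || true
fi
```

A non-zero return from `audit_offload` means the listed sections will not see packets of flows once they are in the flowtable, so either disable offloading or stop relying on those log entries for per-packet visibility.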
You can activate this module's functionality through two primary methods: