kmod-nft-offload

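# "ft" is an assumed flowtable name; it must already exist in table "ip filter" (declared with "flags offload" for hardware offload)
nft add rule ip filter forward iif eth0 oif eth1 ip daddr 192.168.1.0/24 flow add @ft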

: The CPU processes it via nftables rules to determine its destination.

nft_flow_offload 16384 0
nf_flow_table 32768 4 nft_flow_offload,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet

kmod-nft-offload

: It allows the network stack to skip certain processing steps for established connections.

Reduces CPU Load

Maximizing Network Performance: A Guide to kmod-nft-offload in OpenWrt/Linux

allows the system to hand off this repetitive task to specialized hardware components—like the Network Processing Unit (NPU) or specialized switch chips—after the first few packets of a connection have been validated.

Why It Matters: The Performance Leap

The primary benefit of kmod-nft-offload throughput

The kmod-nft-offload module works by integrating with the nftables framework, allowing it to offload packet processing tasks to supported network hardware. When a packet arrives at the network interface, the hardware performs the necessary processing, such as filtering, routing, and other network functions, without involving the CPU. This offloading mechanism frees up CPU resources, reducing the overhead associated with packet processing.

It allows the kernel to bypass the expensive task of re-evaluating every packet in a high-speed data stream against the full set of firewall rules once a connection is established.

In the world of high-speed networking, especially with gigabit fiber-to-the-home (FTTH), the bottleneck is rarely the internet connection itself—it is often the router trying to process all that traffic. When running modern firewall systems like (used by default in modern OpenWrt), the CPU can become overwhelmed, leading to high latency and lower throughput.

For routers and NAT gateways, every forwarded packet typically passes through the connection tracking system and firewall rules. Offloading this process to hardware can result in a and a significant reduction in CPU usage. This is especially beneficial for multi-gigabit connections, where software processing can easily become saturated.