Kmod-nft-offload

In the world of high-performance networking, the CPU is often the bottleneck. As multi-gigabit internet speeds become more common, even powerful consumer routers struggle to keep up with the sheer volume of packets. This is where kmod-nft-offload comes into play.

kmod-nft-offload is a specialized kernel module package that provides hardware and software flow offloading support for the nftables firewall engine. By offloading network traffic processing, it bypasses some of the standard CPU-heavy networking stacks to improve overall throughput and reduce latency.

Core Functionality

To understand its significance, we need to look at the history of Linux firewalls. The Linux networking subsystem historically relied on iptables for firewalling, where the equivalent optimization package was kmod-ipt-offload. The modern replacement for iptables, nftables, is a powerful framework for packet filtering and classification. However, by default, every single packet traversing an nftables rule must be inspected by the CPU. This path is heavy on CPU resource consumption.

kmod-nft-offload changes this by introducing a shortcut. When installed and configured, it allows you to "offload" connection tracking decisions to the router's switch fabric or the Network Interface Controller (NIC), effectively creating a shortcut for that traffic. Once offloaded, the hardware processes the packets independently, freeing up the CPU for other tasks (like routing, VPN encryption, or serving files).

Not every nftables rule qualifies. kmod-nft-offload typically supports:

- Offloading usually works only for forwarded traffic (WAN <-> LAN) and does not typically improve speeds for traffic bridged within the same interface (e.g., WLAN to LAN on the same bridge).
- Essential for lower-powered routers to achieve full gigabit speeds without maxing out the CPU.
- Typically used in OpenWrt versions 21.02 and newer, often in conjunction with firewall4 and nftables.
- While generally stable, some users on specific snapshots have noted WAN/WLAN client instabilities when combined with high CPU load or specific radio configurations.

To verify that offloading is configured, list the active ruleset and look for the offload flag:

    # Show nftables rules (the 'offload' flag should appear)
    nft list ruleset
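Reading `nft list ruleset` by eye is error-prone on a large fw4 ruleset, and the `offload` flag alone does not tell you whether the flowtable is actually used. The following Python script is an added example, not code from the OpenWrt project or the original page: it parses the text of `nft list ruleset` and reports, for each flowtable, which devices it covers, whether the hardware `offload` flag is set, and whether any forward rule actually sends traffic into it with `flow add @name` (the rule firewall4 installs when flow offloading is enabled in /etc/config/firewall). The ruleset embedded below is a constructed excerpt in the style of an OpenWrt fw4 ruleset, not output captured from a real router; the table, flowtable and interface names in it are assumptions.

```python
import re

# Constructed excerpt in the style of `nft list ruleset` on an OpenWrt/fw4
# router (sample input for this check, not output from a real device).
SAMPLE_RULESET = """\
table inet fw4 {
	flowtable ft {
		hook ingress priority filter
		devices = { eth0, eth1 }
		flags offload
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		meta l4proto { tcp, udp } flow add @ft
		ct state established,related accept
		jump forward_lan
	}
}
"""

FLOWTABLE_HEADER = re.compile(r"flowtable\s+(\S+)\s*\{")
FLOW_ADD_RULE = re.compile(r"\bflow\s+add\s+@(\S+)")


def parse_flowtables(ruleset):
    """Return {name: {"devices": [...], "hw_offload": bool}} for every flowtable.

    Line-based parse: a flowtable block starts at 'flowtable NAME {' and ends at
    the first line consisting only of '}' (nft prints one statement per line).
    """
    flowtables = {}
    current = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        header = FLOWTABLE_HEADER.match(line)
        if header:
            current = header.group(1)
            flowtables[current] = {"devices": [], "hw_offload": False}
            continue
        if current is None:
            continue
        if line == "}":
            current = None
        elif line.startswith("devices"):
            # devices = { eth0, eth1 }  ->  ["eth0", "eth1"]
            inner = line.split("{", 1)[1].split("}", 1)[0]
            flowtables[current]["devices"] = [d.strip() for d in inner.split(",") if d.strip()]
        elif line.startswith("flags") and re.search(r"\boffload\b", line):
            # 'flags offload' requests hardware offload; without it the
            # flowtable still gives software fast-path offloading.
            flowtables[current]["hw_offload"] = True
    return flowtables


def referenced_flowtables(ruleset):
    """Names used by 'flow add @name' rules, i.e. flowtables that receive traffic."""
    return set(FLOW_ADD_RULE.findall(ruleset))


def offload_status(ruleset):
    """Classify each flowtable as 'hardware', 'software' or 'unused'."""
    referenced = referenced_flowtables(ruleset)
    status = {}
    for name, info in parse_flowtables(ruleset).items():
        if name not in referenced:
            mode = "unused"      # defined, but no forward rule feeds it
        elif info["hw_offload"]:
            mode = "hardware"
        else:
            mode = "software"
        status[name] = {"mode": mode, "devices": info["devices"]}
    # A 'flow add' rule pointing at a flowtable that is not defined would be
    # rejected by nft at load time, so it cannot appear in a listed ruleset.
    return status


if __name__ == "__main__":
    for name, info in offload_status(SAMPLE_RULESET).items():
        print(f"flowtable {name}: {info['mode']} offload on {', '.join(info['devices'])}")
```

On a router, pipe the live ruleset in with `nft list ruleset | python3 check_offload.py` after replacing `SAMPLE_RULESET` with `sys.stdin.read()`. One caveat the text cannot be read for: if the NIC or switch driver does not support hardware offload, `nft` refuses to load a flowtable with `flags offload` at all, so an absent flowtable (rather than a missing flag) is the symptom to look for in that case.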