kmod-nft-offload
Many modern network chips (especially in embedded routers and smart NICs) have dedicated hardware circuits for packet processing. kmod-nft-offload acts as the bridge between the Linux kernel's nftables rules and this hardware. It allows the kernel to "teach" the network hardware the firewall rules.
To understand kmod-nft-offload, it helps to break down how Linux handles network packets:
Once installed, you must enable it in the OpenWrt web interface (LuCI): navigate to Network > Firewall and look for the Routing/NAT Offloading section.
kmod-nft-offload intercepts this state and programs the entry into the hardware switch chip's forwarding table.
# Enable software offloading
uci set firewall.@defaults[0].flow_offloading='1'
# Enable hardware offloading (only takes effect if your SoC/switch driver supports it)
uci set firewall.@defaults[0].flow_offloading_hw='1'
# Commit the changes and restart the firewall
uci commit firewall
/etc/init.d/firewall restart
# Confirm the offload modules are loaded (the package ships nft_flow_offload and nf_flow_table_inet)
lsmod | grep -E 'nft_flow_offload|nf_flow_table'
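Restarting the firewall does not by itself prove that anything is being offloaded: fw4 only installs a flowtable when the UCI options are set, the flowtable only gets entries through a "flow add" rule in the forward chain, and "flags offload" is what separates the hardware path from the software fast path. The following is an added example, not code from the original article or from OpenWrt, that classifies a ruleset text into none / orphan / sw / hw. The table name "inet fw4" and flowtable name "ft" are the ones fw4 uses; the sample rulesets below are constructed in the shape of fw4's output, and the classification logic is this example's own.

```shell
#!/bin/sh
# Added example (not from the article or from OpenWrt): classify the offload
# mode actually present in `nft list ruleset`. On a router, after sourcing
# this file:   nft list ruleset | offload_mode_stdin
# Here it runs on constructed samples written in the shape of fw4's output.

# Constructed sample: ruleset after flow_offloading='1' and flow_offloading_hw='1'.
RULESET_HW='table inet fw4 {
	flowtable ft {
		hook ingress priority filter
		devices = { eth0, lan1, lan2 }
		flags offload
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		meta l4proto { tcp, udp } flow add @ft
	}
}'

# Constructed sample: software offload only (no "flags offload").
RULESET_SW='table inet fw4 {
	flowtable ft {
		hook ingress priority filter
		devices = { eth0, lan1, lan2 }
	}
	chain forward {
		meta l4proto { tcp, udp } flow add @ft
	}
}'

# Constructed sample: a flowtable declared but never referenced by a rule.
# Nothing is offloaded in this state, which is easy to miss when one only
# looks at the flowtable block.
RULESET_ORPHAN='table inet fw4 {
	flowtable ft {
		hook ingress priority filter
		devices = { eth0, lan1 }
		flags offload
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}'

# offload_mode RULESET_TEXT -> prints one of: none, orphan, sw, hw
offload_mode() {
	rs=$1
	# No flowtable at all: every forwarded packet takes the full netfilter path.
	printf '%s\n' "$rs" | grep -q '^[[:space:]]*flowtable ' || { echo none; return; }
	# A flowtable only receives entries through a "flow add @name" rule.
	printf '%s\n' "$rs" | grep -q 'flow add @' || { echo orphan; return; }
	# "flags offload" asks the driver to push entries into the switch/NIC;
	# without it the flowtable is a software fast path that still runs on the CPU.
	if printf '%s\n' "$rs" | grep -q '^[[:space:]]*flags offload'; then
		echo hw
	else
		echo sw
	fi
}

# Same check reading the ruleset from stdin, for use in a pipeline on the router.
offload_mode_stdin() {
	offload_mode "$(cat)"
}

echo "hw sample:     $(offload_mode "$RULESET_HW")"
echo "sw sample:     $(offload_mode "$RULESET_SW")"
echo "orphan sample: $(offload_mode "$RULESET_ORPHAN")"
echo "empty sample:  $(offload_mode '')"
```

A result of "hw" means the ruleset asked for hardware offload; whether the driver honoured the request for a given flow is only visible per connection in the conntrack table, not in the ruleset.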
This bypass effect is significant. Once offloaded, those packets are no longer visible to standard monitoring tools that hook into the netfilter pipeline (nftables counters or log rules in the forward chain, for example), because they never reach those hooks; with hardware offload they do not even reach the CPU, so tcpdump on the router will not see them either.
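The kernel records which connections have been handed to the flowtable: in /proc/net/nf_conntrack such entries carry "[OFFLOAD]" (software fast path) or "[HW_OFFLOAD]" (entry programmed into the NIC or switch) where a normal established entry would show "[ASSURED]". The following added example, not code from the original article, parses that text to list exactly the flows that netfilter-hook monitoring no longer sees. The sample lines are constructed (documentation address ranges); on a router you would feed it the real file with offload_report "$(cat /proc/net/nf_conntrack)".

```shell
#!/bin/sh
# Added example (not from the article): report which conntrack entries the
# kernel has offloaded, i.e. the flows that counters, log rules and other
# netfilter-hook tools no longer observe.

# Constructed sample in the format of /proc/net/nf_conntrack: one hardware-
# offloaded TCP flow, one software-offloaded UDP flow, and two ordinary entries.
CT_SAMPLE='ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=51234 dport=443 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=51234 [HW_OFFLOAD] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40001 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=198.51.100.80 sport=52000 dport=80 src=198.51.100.80 dst=203.0.113.5 sport=80 dport=52000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.13 dst=198.51.100.22 sport=53000 dport=22 [UNREPLIED] src=198.51.100.22 dst=203.0.113.5 sport=22 dport=53000 mark=0 zone=0 use=2'

# offload_counts CT_TEXT -> prints "<total> <software-offloaded> <hardware-offloaded>"
offload_counts() {
	ct=$1
	total=$(printf '%s\n' "$ct" | grep -c '^ipv' || true)
	# "[OFFLOAD]" with the bracket does not match "[HW_OFFLOAD]", so the two are distinct.
	sw=$(printf '%s\n' "$ct" | grep -c '\[OFFLOAD\]' || true)
	hw=$(printf '%s\n' "$ct" | grep -c '\[HW_OFFLOAD\]' || true)
	echo "$total $sw $hw"
}

# offloaded_flows CT_TEXT -> one line per offloaded flow:
#   <mode> <proto> <orig src>:<sport> -> <orig dst>:<dport>
# The first src=/dst=/sport=/dport= fields on a line are the original direction.
offloaded_flows() {
	printf '%s\n' "$1" | awk '
		/\[HW_OFFLOAD\]/ || /\[OFFLOAD\]/ {
			mode = ($0 ~ /\[HW_OFFLOAD\]/) ? "hw" : "sw"
			src = ""; dst = ""; sport = ""; dport = ""
			for (i = 1; i <= NF; i++) {
				if (src == "" && $i ~ /^src=/) src = substr($i, 5)
				else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
				else if (sport == "" && $i ~ /^sport=/) sport = substr($i, 7)
				else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
			}
			printf "%s %s %s:%s -> %s:%s\n", mode, $3, src, sport, dst, dport
		}'
}

# offload_report CT_TEXT -> human-readable summary of both functions above
offload_report() {
	set -- $(offload_counts "$1") "$1"
	echo "conntrack entries: $1, software-offloaded: $2, hardware-offloaded: $3"
	echo "flows invisible to netfilter-hook monitoring:"
	offloaded_flows "$4"
}

offload_report "$CT_SAMPLE"
```

If a class of traffic must stay visible to counters or logging rules, the defensive option is to exclude it from the "flow add" rule (or to keep offload off), since nothing hooked after the ingress flowtable will account for it once it is offloaded.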
and the raw speed of your router's hardware. If you find your CPU hitting 100% during a speed test, this module is likely the missing piece of your performance puzzle.
A device requests a webpage. The first few packets hit the router and are processed in software by nftables via the CPU.
Not every processor can use kmod-nft-offload. It requires specific hardware Media Access Control (MAC) or switch architecture drivers. Common compatible chips:
MediaTek: MT7621, MT7622, MT7981, MT7986 (Filogic series).
Marvell: Armada series used in high-end consumer routers.
Realtek: specific managed switch SoCs.
Implementation in OpenWrt